March 12, 2013
Criminals are using stolen logins and passwords to connect to servers via FTP. They upload a shell and use it to modify the .htaccess file and embed a malignant script into web pages.
As a result, site visitors get a web page that contains links to a variety of malicious applications. In particular, this is how Trojan.Hosts malware has been spreading recently.
It should be noted that the Trojans of this family are also spread using other techniques. There are several affiliate programs under which cybercriminals are paid remuneration if they manage to extort money from users whose systems are compromised by Trojan.Hosts. Thus, these Trojans can get onto computers with the aid of backdoors and malignant downloaders.
Doctor Web would like to remind you that Trojan.Hosts programs modify the hosts file located in the Windows system directory and used by an operating system to map hostnames to IP addresses If the file is compromised, a user attempting to visit a popular site is redirected to a web page created by criminals.
In early 2013 the threat spread at almost epidemic magnitude. The outbreak remained at its peak in January and mid-February when as many as 9,500 computer infections were being registered every 24 hours. In early March, the number of infected machines per day declined slightly; for example, on March 11 only 7,658 instances of infection were discovered (the number indicates cases when the Trojan modifies the hosts file on an infected computer).
The threat's spreading rate is illustrated in the diagram below.
Dr.Web successfully removes most known Trojan.Hosts versions. Moreover, Dr.Web 8.0 products incorporate a special routine to protect the hosts file. To configure this feature, switch to the administrative mode and select Tools → Settings → Preventive protection → Level of suspicious activity blocking → Custom (by default, writing to the hosts file is blocked).
In addition, the IP addresses of compromised websites are promptly added to the Dr.Web database, so access to these resources is blocked by Dr.Web SpIDer Gate. If your anti-virus has blocked access to a popular site, Doctor Web recommends that you scan the hard drives of your computer for viruses.
If you do not use resident Dr.Web protection and your computer has been compromised by this malware, use the free utility Dr.Web CureIt! to perform a full scan of your machine and delete irrelevant information from the \Windows\System32\Drivers\etc\hosts file, if necessary.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.