Sunday, 4 December 2011
How the old game blog died
It appears that a few days ago a trojan appeared on the main site. It was spotted by a visitor using Avast (if you run any kind of browser-based antivirus it will have warned you). As far as I can tell it was a WordPress vulnerability. WordPress was up to date, but it is constantly targeted by malware writers. I cannot afford the risk that my site will ever be added to a malware blacklist, so I removed WordPress completely.
About the trojan, and safety
As the name suggests, a trojan does not harm you itself, but is designed to sneak in other stuff. Obviously I don’t know what, as I am not going to sit back and watch. I also could not find any reference to its name, so I left a message on my web host’s boards, and that now shows up in Google if anyone else searches. This one created a file called “recatpcha.php” (it looks like the innocent “recaptcha” but is spelled slightly differently) that included a “post” command to send some data somewhere. It also injected some Javascript into the index page.
Javascript is specifically designed so that it cannot change your computer. It is also limited in what data it can find – mainly stuff like screen size, browser type, etc. So a trojan can only send whatever it can find and use that to trick you into clicking on a regular virus (e.g. it finds you run Chrome, so later someone sends a fake email saying “chrome update – click here”). So the trojan itself is not the direct problem: you still need to get a separate virus by the usual methods (clicking to run a bad download) or be tricked into giving your bank details to a fake site – the usual malware methods.
Global politics and why it might be harmless
A lot of (most?) trojans don’t result in anything bad happening: they are sent out by virus writers trying to get lucky by stumbling on something interesting. For example, according to Reuters yesterday, it is likely that the US and Israeli governments jointly created the Conficker worm in order to infect millions of machines around the world, purely so that one of them would get close enough to the Iranian nuclear facilities that they could use the Stuxnet virus and disable them. All this malware did was look for signs that you were maybe in Iran, and if so then look for other signs, and so on. (The Conficker link is a new theory, but the fact that the US and Israel created Stuxnet is fairly well established. That’s right, our governments create viruses.) The trojan could be looking for something specific, or just sending anything it can find in order to make email spam more effective. So the trojan by itself would have done nothing.
Javascript
This is where the new game engine has been a real help. Two months ago I could not read Javascript, but now I am familiar with the basics of how it works, so I can see roughly what the trojan did. Its code was designed to be as unreadable as possible, but in order to do anything it has to use a recognizable Javascript command at some point. In this case, most of the code had variables that tried to all look the same: either upper case I, number 1, or lower case “l”, and the target URL was stored in base 64 so it would look like garbage. But the final stage was in the php file, using “eval(base64_decode” to decode the URL, and then it used “POST” to send the data there. What data? As I said, Javascript is designed to minimize what malware can do, so this would be mostly data that your browser might innocently supply: whether you use Internet Explorer or Firefox, XP or Linux, that kind of thing.
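The three tell-tale signs described above (a look-alike filename, an eval(base64_decode(...)) wrapper hiding a URL, and variables built only from I, l and 1) are exactly the things a site owner can check for mechanically. Below is an added example of such a scanner; it is my illustration, not code from the post or from WordPress, and the sample PHP and Javascript it scans are constructed stand-ins, with a placeholder URL rather than any real indicator from the incident.

```python
import base64
import re

# Legitimate filenames to compare against (an assumed example list, not from WordPress).
KNOWN_NAMES = ("recaptcha.php", "index.php", "wp-config.php")

# Matches eval(base64_decode("...")) / eval(base64_decode('...')) and captures the base64 blob.
EVAL_B64 = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']', re.I)
URL = re.compile(r'https?://[^\s"\'<>)]+')
# Identifiers made only of I, l and 1 (three or more characters), the "all look the same" trick.
SOUP_IDENT = re.compile(r'\b[Il][Il1]{2,}\b')

# Constructed samples modelled on the post's description. The URL is a placeholder.
PLACEHOLDER_URL = "http://example.invalid/collect"
PAYLOAD = '$target = "%s";' % PLACEHOLDER_URL
SAMPLE_PHP = '<?php eval(base64_decode("%s")); ?>' % base64.b64encode(PAYLOAD.encode()).decode()
SAMPLE_JS = 'var lIl1="ht";var Il1I=lIl1+"tp";var l1Il=Il1I+":/"+"/";'


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename, known=KNOWN_NAMES, max_distance=2):
    """Return the legitimate name this filename imitates, or None.

    Distance 0 means it *is* the known file; 1..max_distance is a near miss
    such as recatpcha.php for recaptcha.php.
    """
    for k in known:
        d = levenshtein(filename.lower(), k.lower())
        if 0 < d <= max_distance:
            return k
    return None


def decode_eval_payloads(text):
    """Decode every base64 blob fed to eval(base64_decode(...)); None where it is not valid base64."""
    out = []
    for m in EVAL_B64.finditer(text):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:
            out.append(None)
    return out


def extract_urls(text):
    return URL.findall(text)


def obfuscated_identifiers(text):
    """Sorted unique identifiers that consist only of I, l and 1."""
    return sorted(set(SOUP_IDENT.findall(text)))


def scan_file(filename, text):
    """Combine the three checks into one report for a single file."""
    payloads = decode_eval_payloads(text)
    urls = list(extract_urls(text))
    for p in payloads:
        if p:
            urls.extend(extract_urls(p))  # URLs only visible after decoding
    report = {
        "file": filename,
        "lookalike_of": lookalike_of(filename),
        "decoded_payloads": payloads,
        "urls": sorted(set(urls)),
        "obfuscated_identifiers": obfuscated_identifiers(text),
    }
    report["suspicious"] = bool(
        report["lookalike_of"] or payloads or len(report["obfuscated_identifiers"]) >= 2
    )
    return report


if __name__ == "__main__":
    for name, body in (("recatpcha.php", SAMPLE_PHP), ("index.php", SAMPLE_JS)):
        print(scan_file(name, body))
```

Run over a web root, the interesting output is the decoded payload and the URL it contains: that is the value to search for in your host's forum or a blacklist, and the file to quarantine. The identifier check is a heuristic and will have false positives on minified code, so treat it as a prompt to look, not as proof.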
Conclusion
This is the first time something like this has happened. Three years ago there was briefly a virus warning about Adventure Game Studio, but it was a false positive, and the virus company in question patched their virus list the next day. Anyway, I now use a browser scanner to detect any future problems instantly. The malware was only there for a few days, and this is a very quiet period (nothing is happening until the new game engine is ready), so I doubt that more than one or two people accessed the main site in that time, and security programs like Avast would have flagged it up immediately. And as I said, in order to do any actual harm the user would then need to also respond to whatever virus or phishing scam was then created based on the limited data sent by the trojan. So probably no harm was done to anyone.
It just goes to show that the old rules still apply: have all patches up to date, run a virus checker, beware of emails asking for data, and never click on anything suspicious.