SophosLabs has seen more malware that modifies a user’s HTML files in an effort to escape onto the internet.
In the past we’ve seen Fujacks malware inserting a Fujif payload, though this has tailed off since the author’s arrest in February. But now we’ve seen Troj/Glibma-A search for ASP, HTML, HTM and PHP files on several of the infected computer’s drives and attempt to append a <SCRIPT> tag to them, with the script’s source pointing at more remotely-hosted malware – these modified files are detected as Troj/Glibif-Fam.
In this way, if an infected computer has access to pages that end up on a website, that site suddenly starts hosting links to malware.
As well as detecting the malware, Sophos is blocking the URLs using our web appliance, and SophosLabs will continue to monitor activity on the sites to analyse any more malware that appears there.
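The appended-tag behaviour described above can be checked for on any machine whose files get published to a website. The following Python sketch is an added example, not SophosLabs code or detection logic; it assumes the appended tag lands after the last closing html tag, or at the very end of a fragment file that has none, and its function names are hypothetical.

```python
import os
import re

# Extensions the post says the malware searches for.
TARGET_EXTS = {".asp", ".html", ".htm", ".php"}

# A <script> tag whose src is an absolute or protocol-relative URL.
REMOTE_SCRIPT = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?((?:https?:)?//[^\"'\s>]+)[^>]*>"
    r"\s*(?:</script\s*>)?",
    re.IGNORECASE,
)
CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)


def appended_remote_scripts(text):
    """Return remote script URLs found in the appended tail of a document.

    Heuristic (an assumption of this example): appended content sits after
    the last </html>. For fragments with no </html>, only a remote script
    tag that is the very last thing in the file is reported.
    """
    closes = list(CLOSE_HTML.finditer(text))
    if closes:
        tail = text[closes[-1].end():]
        return [m.group(1) for m in REMOTE_SCRIPT.finditer(tail)]
    stripped = text.rstrip()
    return [m.group(1) for m in REMOTE_SCRIPT.finditer(stripped)
            if m.end() == len(stripped)]


def scan_tree(root):
    """Walk root and map each suspicious file path to its appended URLs."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                urls = appended_remote_scripts(fh.read())
            if urls:
                findings[path] = urls
    return findings
```

Remote scripts referenced inside the document body are deliberately not reported, so a hit means content after the end of the page and is worth comparing against a known-good copy of the file.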