More on Troj/JSRedir-AK

Since first releasing detection for Troj/JSRedir-AK two days ago, SophosLabs has seen thousands of websites affected by it. Since blogging yesterday we have seen a few minor variants and have had to update our detection.

One of the updates detects the malicious script when it is appended to HTML files inside script tags, in addition to the original case of it being appended to the end of JavaScript files.

Sophos has been contacting owners of affected websites, and one of the main infection vectors is compromised FTP credentials: the attacker logs in with the site owner's own account and rewrites files that are already there. My colleague over at the Unmask Parasites blog has also reported seeing large numbers of sites affected. Affected websites should:

  • Delete infected files or restore them from a known-clean backup, checking both HTML and .js files for appended content.
  • Patch all software on the box.
  • Change all passwords, especially FTP ones, from a machine you trust (stolen FTP credentials often come from a compromised workstation), and restrict FTP access to a minimum.
  • Review logs and policies to prevent another breach: the FTP transfer log shows which account uploaded the modified files, when, and from where.
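The detection update above describes the malware appending its script to HTML files (inside script tags) and to .js files, and the first remediation step is to restore such files from backup. The script below is an added example, not SophosLabs code and not a signature for Troj/JSRedir-AK: it compares a deployed web root against a known-clean backup and reports files whose deployed copy is the clean copy plus a tail, labelling the tail by how it would execute, so a site owner can see exactly which files were modified and what was added. The directory layout, file names and the placeholder "redirector" payload are constructed for illustration.

```python
"""Compare a deployed web root against a known-clean backup and report files
that have had content appended to them, the pattern described for
Troj/JSRedir-AK (script tags appended to HTML, code appended to .js files).

Added example, not SophosLabs code. File names and the appended bodies
below are constructed for illustration and are not the real malware.
"""
import re
from pathlib import Path
from typing import Dict, List, Optional

SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)
WEB_SUFFIXES = {".html", ".htm", ".js"}


def load_tree(root: Path) -> Dict[str, bytes]:
    """Read every .html/.htm/.js file under root into {relative_path: bytes}."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): p.read_bytes()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in WEB_SUFFIXES
    }


def appended_suffix(clean: bytes, deployed: bytes) -> Optional[bytes]:
    """Return the bytes appended to `clean` to produce `deployed`, or None when
    `deployed` is not simply `clean` followed by extra content."""
    if len(deployed) > len(clean) and deployed.startswith(clean):
        return deployed[len(clean):]
    return None


def classify(path: str, suffix: bytes) -> str:
    """Label an appended tail by how a browser would treat it."""
    ext = Path(path).suffix.lower()
    if ext in {".html", ".htm"} and SCRIPT_TAG.search(suffix):
        return "appended-script-tag"   # <script>...</script> after the page body
    if ext == ".js":
        return "appended-js"           # extra code runs wherever the script is included
    return "appended-other"            # e.g. a comment or markup with no script tag


def compare_snapshots(clean: Dict[str, bytes], deployed: Dict[str, bytes]) -> List[dict]:
    """Diff two {path: bytes} snapshots. One finding per suspicious file:
    kind is 'appended-*' (clean content plus a tail), 'modified' (changed in
    some other way) or 'new-file' (absent from the backup)."""
    findings = []
    for path, deployed_bytes in sorted(deployed.items()):
        clean_bytes = clean.get(path)
        if clean_bytes is None:
            findings.append({"file": path, "kind": "new-file", "tail": deployed_bytes[:200]})
            continue
        if deployed_bytes == clean_bytes:
            continue
        tail = appended_suffix(clean_bytes, deployed_bytes)
        if tail is None:
            findings.append({"file": path, "kind": "modified", "tail": b""})
        else:
            findings.append({"file": path, "kind": classify(path, tail), "tail": tail})
    return findings


def compare_trees(backup_root: Path, deployed_root: Path) -> List[dict]:
    """Same comparison against two real directories."""
    return compare_snapshots(load_tree(backup_root), load_tree(deployed_root))


# Constructed sample data standing in for the backup and the live web root.
CLEAN_SNAPSHOT = {
    "index.html": b"<html><body><p>Hello</p></body></html>\n",
    "js/site.js": b"function init(){document.body.className='ready';}\n",
    "about.html": b"<html><body>About</body></html>\n",
}
# Placeholder payload: a stand-in for the appended redirector, not the real body.
INJECTED = b"<script>/* constructed placeholder for the appended redirector */</script>\n"
DEPLOYED_SNAPSHOT = {
    "index.html": CLEAN_SNAPSHOT["index.html"] + INJECTED,
    "js/site.js": CLEAN_SNAPSHOT["js/site.js"] + b"/* constructed appended code */\n",
    "about.html": CLEAN_SNAPSHOT["about.html"],          # untouched, not reported
    "js/dropped.js": b"/* constructed file present only on the server */\n",
}

if __name__ == "__main__":
    for f in compare_snapshots(CLEAN_SNAPSHOT, DEPLOYED_SNAPSHOT):
        print(f"{f['kind']:20} {f['file']}  tail={f['tail'][:60]!r}")
    # Against real trees: compare_trees(Path("backup/htdocs"), Path("/var/www/htdocs"))
```

A file reported as "modified" rather than "appended-*" still needs a look, since a variant need not append cleanly; and a file the backup never contained ("new-file") is worth treating as dropped by the attacker until proven otherwise. Run the comparison from a trusted machine, not from the possibly compromised workstation whose FTP credentials were stolen.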

Merry Christmas and have a Happy New Year.