Reveton / "FBI Virus"

Discussion in 'Malware Help (A Specialist Will Reply)' started by ag564, Mar 20, 2013.

  1. ag564

    ag564 Private E-2

    Hello,

    I know there's some threads already covering the issue of the infamous "Reveton" ransomware, but I have a bit of a different issue...

    I am not looking for instructions on how to remove Reveton from a PC. I already know how to do this. What I'd like to know is how to remove it from the web server it is using to disseminate itself.

    I work for an ethnic media organization. We have a website where our editorial staff post articles daily. This morning, I received an e-mail from one of our editors notifying me that a story he had posted was infecting anyone who clicked on it with some kind of "FBI Virus". Upon further investigation, I realized that this was the work of Reveton.

    I verified that Reveton was being installed on our viewers' machines via our website, specifically the article page that he had posted. When I opened the article in an isolated test environment, a Java applet was loaded and Reveton immediately took over the machine.

    I spent all day trying to figure out how it was infecting people who visited the page. I thoroughly examined the page's source code as well as server-side PHP scripts, but I wasn't able to find any obfuscated or fishy-looking code. I tried using Firebug to debug the page, but it didn't provide me with any useful information, either.

    I SSH'd into our web server and tried grepping through the files to identify any suspicious code, but didn't come up with anything. I also searched the entire server for exe, jar and class files, in case the actual Reveton executable was hiding somewhere on the server. I was again unable to find anything.

    I submitted our site to a series of malware scanning sites, which oddly enough, reported that the site was malware-free.

    Finally, I decided to install a packet sniffer on the test machine and try infecting myself again, this time paying attention to the packets to see if I could intercept the transmission of the malware and pinpoint its origin on our webserver. No dice; for whatever odd reason, the page was no longer loading any Java applets and Reveton refused to show its face this time around.

    I suspected that it might have been deployed via a banner ad which got rotated off the page since my initial test. We use the OpenX ad delivery server. I logged in to the ad server backend and went over the ad zones that are used on article pages. I checked all the banners, but none of them appeared to be harboring any malicious Java applets. They're all ordinary images.

    At this point I'm really stumped. I spent hours searching all over the web to see if I could find out how to identify and remove a Reveton infection on a webserver, but came up with nothing. The only pages I found were those that provided instructions on how to remove the virus from an infected PC. Nobody seems to know how to remove it from a web server and eliminate it at the source rather than waiting for it to infect people and removing it from their machines instead.

    Does anyone here happen to know how to find Reveton on my server? It's a Linux server running CentOS. Our website uses the Movable Type content management system (and yes, I know it's a horrible system). I would really appreciate any help I can get, as I spent all day trying to find this damn thing and I'm worried that it's sitting somewhere on our server waiting to pop up and infect more of our viewers. I don't want people to stop visiting our site because it's infected with malware!

    Thanks for taking the time to read and respond to this thread.
     
  2. ag564

    ag564 Private E-2

    Sorry to bump this thread like this, but I haven't gotten any replies in a couple of days. Can anyone help me out, or is this a lost cause? I would really appreciate some feedback... Thanks
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    How people write their website code, how old or unpatched the software they write it with is, and how secure the servers that host it are: those are really the areas to look at. Issues here are commonly referred to as code injection (see: http://en.wikipedia.org/wiki/Code_injection). The things we do in this forum are not going to find problems in your code. None of these malware scanners will, since they are not designed for this purpose.

    You are going to need to have a very good webpage developer check the code for security issues and you need to verify that all software being used has been updated to include all security patches. In addition, you need to make sure that the server hosting the website also has been fully updated.

    Also since you stated it has been hacked, you should attempt to find out how it was hacked so you can verify that the security issues have been resolved.
     
  4. ag564

    ag564 Private E-2

    FYI: I figured out what it was, and I want to share this with everyone here in case anyone else is having a similar issue.

    The malware was being delivered through our OpenX ad delivery server. We run an outdated version of OpenX which is vulnerable to SQL injection. The attacker had injected a malicious iframe into the append and prepend fields of the banner ads.

    I found some very useful tips on how to harden OpenX on this site: http://mandagreen.com/hardening-openx/#comment-5920

    Basically what I did was delete all the values of the append and prepend fields (since we weren't using them for anything anyways - you might not want to do this if you are) and then set the character limit on them to 0 to prevent future injection.

    It is somewhat of a band-aid solution that doesn't solve the underlying problem (OpenX's vulnerability to SQL injection attacks), but it has prevented all injection attacks since being implemented. Ultimately, the long-term solution is still to upgrade our ad delivery system to the latest version of OpenX or switch to a different platform, but since we're a non-profit with a very limited budget that just isn't an option at the moment.

    Hope this information helps anyone else who is facing the same problem.

    Cheers!
     
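The resolution in post 4 explains why the file-system checks in post 1 (grepping the web root, hunting for .exe/.jar/.class files, scanning the public pages) came up empty: the injected iframe lived in the ad server's database, in the `prepend`/`append` columns of the banner table, and was only rendered into pages when that banner rotated in. The script below is an added example, not code from the thread, from OpenX or from the mandagreen.com article. It assumes the OpenX 2.x layout with the default `ox_` table prefix and a `ox_banners` table carrying `bannerid`, `campaignid`, `description`, `prepend` and `append` columns; check the prefix and column names against your own install before running anything like it. It audits every non-empty prepend/append value for markup that pulls in or executes remote content, then blanks only the flagged rows (rather than all rows, as the post did, which is only safe if the fields are unused). The demo runs against an in-memory SQLite stand-in populated with constructed rows; on a real server you would swap the connection for a MySQL one and change the `?` placeholders to `%s`.

```python
"""Audit OpenX banner prepend/append fields for injected markup and clean them.

Added example; assumes the OpenX 2.x schema (ox_banners with bannerid,
campaignid, description, prepend, append). The sample rows below are
constructed for the demo and are not taken from any real installation.
"""
import re
import sqlite3

# Markup that has no business in an ad's prepend/append field: tags that
# load or execute remote content, javascript: URLs and inline handlers.
# Case-insensitive; tolerates whitespace between "<" and the tag name.
INJECTED = re.compile(
    r"<\s*(iframe|script|object|embed|applet)\b"  # remote-content tags
    r"|javascript\s*:"                            # javascript: URLs
    r"|\bon\w+\s*=",                              # onload=, onerror=, ...
    re.IGNORECASE,
)

# Pull every banner that has anything at all in prepend or append.
AUDIT_SQL = """
SELECT bannerid, campaignid, description, prepend, append
  FROM ox_banners
 WHERE (prepend IS NOT NULL AND prepend <> '')
    OR (append  IS NOT NULL AND append  <> '')
"""

# Blank both fields on one banner. Use %s instead of ? for MySQL drivers.
CLEAR_SQL = "UPDATE ox_banners SET prepend = '', append = '' WHERE bannerid = ?"


def find_injected(conn):
    """Return [(bannerid, field, snippet)] for every prepend/append value
    that matches INJECTED. Both fields are checked on every row, so a
    banner poisoned in both is reported twice."""
    hits = []
    for bannerid, _campaign, _desc, prepend, append in conn.execute(AUDIT_SQL):
        for field, value in (("prepend", prepend), ("append", append)):
            if value and INJECTED.search(value):
                hits.append((bannerid, field, value[:80]))
    return hits


def clean_injected(conn):
    """Blank prepend/append on every flagged banner; return the ids touched."""
    ids = sorted({bannerid for bannerid, _, _ in find_injected(conn)})
    with conn:  # commit on success, roll back on error
        conn.executemany(CLEAR_SQL, [(i,) for i in ids])
    return ids


def demo_db():
    """In-memory stand-in for ox_banners with constructed rows: a clean
    banner, a banner with a harmless HTML comment, one with a hidden
    iframe in `append`, and one with an obfuscated script in `prepend`."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE ox_banners (
        bannerid INTEGER PRIMARY KEY, campaignid INTEGER,
        description TEXT, prepend TEXT, append TEXT)""")
    rows = [
        (1, 10, "leaderboard", "", ""),
        (2, 10, "skyscraper", None, "<!-- tracking pixel -->"),
        (3, 11, "sidebar", "",
         '<iframe src="http://example.invalid/ld.php" width=1 height=1 '
         'style="visibility:hidden"></iframe>'),
        (4, 12, "footer", "<SCRIPT>eval(unescape('%64%6f%63'))</SCRIPT>", ""),
    ]
    conn.executemany("INSERT INTO ox_banners VALUES (?,?,?,?,?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = demo_db()
    for bannerid, field, snippet in find_injected(db):
        print(f"banner {bannerid}: injected {field}: {snippet}")
    print("cleared banners:", clean_injected(db))
    print("remaining hits:", find_injected(db))
```

Run the audit first and look at what it flags before letting it clear anything; a legitimate third-party tag in `append` that happens to use `<script>` would be flagged too, and that is a judgement call, not something the regex can make for you. The query itself is the part worth keeping: a file-level grep will never see it, so any content that the CMS or ad server stores in the database and renders on the fly belongs on the checklist alongside the web root.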
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Glad to hear you have it fixed.
     