Can a virus alter a file without altering the timestamp?
February 23, 2012 1:53 AM


I just got a virus alert on my computer for Backdoor:PHP/Webshell.A from a file that has been sitting on my computer apparently unchanged since May 2011.
I looked at the history and it also found, early this morning, a couple of hits for VirTools:JS/Obfuscator.Q, which it says creates viruses.

These are all files from a client's website. I looked at the Webshell file on the live server and it's fine (the whole site wouldn't work if it wasn't!)
I checked one of the Obfuscator files on the live server and it does appear to be infected (the client has a habit of installing off-the-shelf software and then abandoning it, not installing updates or removing it when he's done with it!). I'm currently checking the rest of the site; the file I checked has a modified date of 2006...


So my questions would be:

1. If these "viruses" have been on my system since May 2011, why are they only being picked up now?
2. Can a virus infect* a file without changing the modified timestamp on the file (i.e., is it possible that these viruses are new and not as old as 6 years?!)
3. Can the JavaScript "virus" or PHP trojan actually harm my PC? I'm not running a webserver on it, not even locally. I always assumed not, but now I'm not so sure.

*In this case, infecting seems to be injecting JavaScript into HTML files; in the case of the PHP one, the entire file was replaced with malicious code.
posted by missmagenta to Computers & Internet (6 answers total)
 
Most filesystems allow for setting the file modification date to any particular value. One definite way a virus would try to cover its tracks would be to try to set that time stamp value to what it was before the file was altered.
posted by telstar at 2:52 AM on February 23, 2012


Touch (or comparable utilities) is available on all modern operating systems. Adding "Bad Touch" ability to malware is trivially easy.
posted by radwolf76 at 4:08 AM on February 23, 2012 [1 favorite]


Yes, it's relatively trivial to alter a file without altering the timestamp, both through the filesystem and by bypassing it entirely to write directly to the disk.

Not all virus scanners pick up every threat, and some threats - especially ones that are not directly harmful to the host platform - are not going to be immediately detected by every scanner, and may well never be detected by many scanners. It becomes progressively more difficult to accurately scan and flag for N viruses for M platforms than it is for N viruses on 1 platform. The stuff that isn't expected to be found on that platform will not be a priority for virus researchers.

If you do not have PHP on your computer, and it is a PHP script with a trojan, there is no practical risk to your computer, unless you later transfer that file to a system that has PHP *and* you execute the script. Your web browser almost certainly can execute JavaScript, however, so there is a significant risk there.
posted by jgreco at 4:45 AM on February 23, 2012


Yes.
posted by Nelson at 7:25 AM on February 23, 2012


Yeah, the higher likelihood is what jgreco said - the virus scanner you're using just got updated to detect a signature in that file as a virus. So the file hasn't changed, but the set of things that the virus scanner detects has, so suddenly it's flagging something that wasn't there before.

And no, a PHP trojan is of no practical danger to your PC; having a webshell (if it's truly a web shell) available on your client's server may be of danger to their server, depending on how it's secured, but those are the contextual issues that a virus scanner can't be aware of.
posted by jferg at 7:26 AM on February 23, 2012


If that's something I thought of doing before submitting late papers in university (not that I did it), I assume the virus makers have thought of it as well.
posted by Chaussette and the Pussy Cats at 9:38 AM on February 23, 2012

