According to Internet security company Dasient, 5.8 million pages over 640,000 sites were infected with malware in the third quarter of 2009, whilst Google revealed that the number of entries on the Google Safe Browsing Malware List has doubled in the last year.
But what is Malware and what do you do if your website is infected?
What is Malware?
Malware (short for Malicious Software) is software designed to penetrate a computer without the owner’s authority. When done so, the software can have an extraordinary amount of control over the computer.
Passed on through spam, phishing emails or infected websites, malware can gather personal information that can then be abused, from financial theft to the stealing of a person’s identity. The resources of a computer can also be stolen; as a hijacked machine is added to a network of other hijacked machines (a botnet), then a computer can be used to send emails (usually spam), take control of other computers or to distribute more malware.
Whilst some types are malware are more dangerous than others, even the less risky variety can cause your computer to slow down and become very unresponsive.
What if your site is infected?
As mentioned above, malware can be passed on through websites which have been infected themselves, most of which is done so without the owner’s permission or knowledge. So what do you do if your website is distributing malware?
Generally if your site has been infected by Malware you will receive a message when you try and enter the site that looks like:
If you see this, sign in to your Google Webmasters Tools account (register for free at https://www.google.com/webmasters/), choose your website and view the account.
At the bottom of the left-hand side menu, click the labs button and then click the link called “Malware Details” (recently discussed at /blog/search-engine-news/google/google-webmaster-tools-expands-to-combat-malware-and-provide-a-googlebot-view/) .You will then be able to see if Google has exposed any malware on your website. If you are lucky, the message that will pop up will be “Google has not detected any malware on this site.”, if not you will get a message that Google has found some Malware which means you will need to identify and clean the site.
To start cleaning your site you need to understand that the Malware could take the form of Invisible Frames (iframes) or Obfuscated Code.
Iframes
Iframes create small windows on your page so another page can be loaded inside the embedded window. Whilst iframes can be used for genuine purposes, when hackers do this, they make it invisible to the visitor and to the website owners. To check your site for iframes, look at the code of all pages for a frame with the specifications width=”0″ and height=”0″ and then remove this. Remember to look over all of your pages.
Obfuscated code
Obfuscated code is a source that has been created to be difficult to understand and is designed to be hidden within the normal code of your website. Again not all obfuscated code is necessarily, but if you understand the code of your site and see unintelligible code, this may indicate an attack.
There are times when the obfuscated code can be easy to discover because it uses either “hex” or “unicode/wide” characters. For hex characters, you will see strings of percent signs with two characters after them (e.g. %AA%BB%CC). For unicode characters, you will see strings of “\u” with four characters after (e.g. \u0048\u0069\u0021). These blocks of encoded text can take up several paragraphs.
If you do not fully understand the code on your site, refer it to the person who wrote it or someone who does understand it.
If you find your site has been hacked and discover either iframes or obfuscated code, take the site offline then remove all of the malicious code.
Once all of the code is cleaned off the site, you can request a review from Google, again through Google Webmasters Tools.
Preventing future attacks
Of course, removing the code will keep your site clean for now, but as it has been hacked, it can be hacked again, so remember these simple rules:
- Use strong passwords.
- Use a vulnerability auditing scanner to scan your site for security vulnerabilities (free and professional available).
- Make sure all your software is up to date.
Share this post
Google put out this good article about IFRAME/HTML Malware here
https://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.htmlMy sites were infected and reinfected until I secured my FTP traffic by using WinSCP.
1 Comment