Monday, March 12, 2012

Censoring or Hacking? "this site may harm your computer"

Google's message "this site may harm your computer" stops access to a website.

Item 1 suggests that Google may use this message to censor politically incorrect web sites. But it's more likely that those websites were hacked by political opponents (including, possibly, intelligence agencies or government bodies policing the internet). Items 2-5 tell how it's done, and how to protect your site.

(1) Is Google censoring politically incorrect web sites?
(2) Google's "this site may harm your computer" warns of a Hacked website
(3) How to remove the "This site may harm your computer" warning
(4) Antivirus scanning might not find the bad code
(5) Someone hacked your server - with Javascript injections

(1) Is Google censoring politically incorrect web sites?

From: Sami Joseph <sajoseph2005@yahoo.com> Date: 12.06.2010 11:50 PM

A snippet from the AMERICAN FREE PRESS • JUNE 14 & 21, 2010

IS GOOGLE CENSORING POLITICALLY INCORRECT WEB SITES?

Google does quality control to warn users that "this site may harm your computer." About 1.3 percent of websites are considered harmful or "suspicious," because they may contain so-called "malware" or malicious software that steals information from a web visitor's computer. Pages dedicated to the USS Liberty must have been developed by well-organized terrorists, because 15 of the top 20 sites that mention "May 30, 2010 USS Liberty Memorial" set off Google's red flag. If you click, a warning page screams "continue at your own risk." If you go ahead, another deep, bright-red warning tries to scare the pants off the curious. "Your computer can be infected just by browsing to a site with malware, without any further action on your part." Three times is a charm, so if you ignore warnings number one and two, a third pops up asking, "Are you sure you wish to go to this site?" If you are feeling like a daredevil, positive that you want to know the USS Liberty crew list provided by rosspub.com, you will be redirected to CNN's web site.

(2) Google's "this site may harm your computer" warns of a Hacked website

http://www.codinghorror.com/blog/2007/05/this-site-may-harm-your-computer.html

Coding Horror

by Jeff Atwood

May 10, 2007

This Site May Harm Your Computer

The Ghost In The Browser: Analysis of Web-based Malware (pdf) describes how Google is leveraging their overwhelming search dominance to combat browser malware installations. In a blog entry last summer, Matt Cutts

Given how much I hate web pages that install malicious software or abuse browser security holes, I'd like it if we did even more to protect our users.

Apparently, they've done even more to protect users since then. Here's a Google search result tagged with the ominous warning "This site may harm your computer":

Clicking "This site may harm your computer" leads to a Google support page. Attempting to click through to the actual website results in an interstitial warning, offering no way to click through:

I think this is a fairly effective method of warning away most rational users from a clearly evil website. Of course, users who desire whatever media, software, or pornography the site is hawking can still type the URL in their address bar. Users will find a way to see the dancing bunnies if they really, really want to, no matter how many warnings and barriers you blast in front of them.

If you want to see what's behind that URL, fair warning: in addition to being outright dangerous for a machine that's not patched to the gills, it's NSFW in a big way. A little investigation showed that it's doing the following:

* Attempts to use the remote data services ActiveX control.
* Shows a spoof HTML page with the text "windows media player cannot play video file; Click here to download missing Video ActiveX object". The download runs setup.exe.
* Runs Javascript with exploit sniffing code.

If you accept that Google wields the immense power of being the de-facto start page for the internet, then maybe this kind of policing effort comes with the territory. To do nothing-- to let these purely evil sites show up in Google results with no warning whatsoever-- would be irresponsible. Although a person might be performing questionable searches to get this page in their results, it's irrelevant. Despite the individual ethics of the person using that one computer, a compromised computer will be used for attacks and spam against everyone.

Still, I'm a little curious. Why does Google deploy the ultimate weapon of search delisting on sites using black-hat SEO techniques to game search rankings, while known evil malware sites get stern warning interstitials instead? I brought up the Google result by doing a direct search on the domain name. The very same search produces no results on live.com or ask.com. Clearly that site has been delisted by everyone except Google. The domain still has a PageRank of four. I applaud the effort, but what value does keeping a site like that in your search index have for users?

Even if your web site is not evil, it's possible for others to inject malicious code into your page if you're not careful. The Google whitepaper provides three external vectors that can turn a good web page to the dark side:

* Compromised webservers can insert malicious code into all HTML pages served
* Pages which allow user-contributed HTML, where the HTML hasn't been properly sanitized
* The use of questionable advertising content, or compromised ad servers

It's scary how many ways this can happen. I strongly urge you to read the whitepaper to get all the gory details.

Google's paper says one in ten webpages contains malicious code. The most direct way to address malware delivered via web pages is to increase the security of the operating system and the browser, so "drive-by downloads" cannot happen without the user's explicit consent. But a problem as large as malware should be attacked on multiple fronts. Search engines are in a unique position to help index and identify malicious webpages, and prevent them from being accessible in search results. It's encouraging to read about Google's architecture for automatically identifying malicious URLs. I don't think it's fair to call this Google policing the web; it's just good, ethical business to filter out the evil.

Comments ...

I am very, very happy that google does this from a website admin point of view.

A few weeks ago I logged in to my site via a hotel (5 star I might add) to check mail and traffic etc. No problem, logged out and enjoyed my holiday.

A couple of weeks later I get several emails from Google saying that my site is hosting malware, huh? They gotta be kidding!? But sure enough I went to the page they mention and my virus checker and IE started going mental showing warnings left, right and center.

I nearly died! I quickly checked the page html and a single line of javascript was inserted, I checked the update time and it was on the same day as I logged into that PC at the hotel. I then found that they had updated one other page. Someone had added some spyware to the hotel's pc which somehow detected that I had logged into a website and then FTPed updates to a couple of pages (this was in my ftp log). I didn't even use an FTP connection, just a webpage admin tool.

Google then had my site listed with the above warning, which of course meant my traffic went into free-fall. I then followed the procedure to clear my site.

So I went into lock-down mode and changed all my passwords to practically everything. My partner also changed all the passwords on everything she visited as well.

So yes, I lost quite a bit of traffic for about a month or so but I prefer that than having my visitors get infected via simply visiting my site.

So two things, never EVER trust any PC other than your own, and Google, for me, is still a friendly giant. Kevin on May 14, 2007 3:47 AM ...

Let me tell you guys what happened to me yesterday.

I run a celebrity blog and went searching for info on a female singer. I followed a link via Google to her website and I got the above warning. I had seen that warning on previous sites and stayed away. However, when I saw it for this site, which I had just visited about 2 weeks earlier, I ignored it and clicked the link.

The site was moving slowly and after about a minute or so my computer shut down and restarted. When I got back to the desktop I had an error saying my comp was infected and there was a NEW anti virus software on my computer that shut down my McAfee virus software.

To save my life I cannot remember the name of this software but I did a search on how to remove it and nothing worked as it installs an icon in your tray that keeps re-installing it, even after you un-install it. As a last resort I had to do a system restore which solved the problem- hopefully.

So my advice is heed that WARNING when you see it- I should have.
JBL on February 13, 2008 4:14 AM

The instructions on how to fix this are at Matt Cutts blog, which I linked in an earlier comment.

http://www.mattcutts.com/blog/closing-the-loop-on-malware/

Use the Google webmaster tools!

http://www.google.com/webmasters/

Some features of the Google webmaster tools:
--
* New: Request a malware review from Google and we'll evaluate your site.
* New: Check the status of your review.
* If we feel the site is still harmful, we'll provide an updated list of remaining dangerous URLs
* If we've determined the site to be clean, you can expect removal of malware messages in the near future (usually within 24 hours).
-- Jeff Atwood on February 27, 2008 1:28 AM ...

(3) How to remove the "This site may harm your computer" warning

http://25yearsofprogramming.com/blog/20071223.htm

How to remove the "This site may harm your computer" warning from your website's listings in Google search results, step by step

If you are looking for information about a similar but not identical warning from Internet Explorer, see Notes at the bottom of this page.

What is the warning?

Google puts this warning flag in its search results for pages where its automated web crawler was attacked by viruses or spyware when it visited the page. The purpose of the warning is to help protect web surfers who are using Google search results, by steering them away from malicious pages. Yahoo also provides similar warnings on its result pages.

The warning is not a punishment or penalty, and it does not mean that Google, Yahoo, or StopBadware think you designed your site to be malicious. They all know that the overwhelming majority of webmasters do not create malicious pages on purpose and that you probably didn't, either. But they also don't want to send their customers to dangerous pages, and they do require you to do the necessary cleanup before they start referring visitors again.

You are probably wondering what happened to your site that got it flagged.

Why is your site flagged?

Here are reasons why your website can be flagged with the "This site may harm your computer" warning in Google search results:

1. Your site was hacked. This is the most common reason for the badware flag. If someone can trick your server into allowing them to modify files in your site, they can insert malicious code into your web pages or database tables, or they can alter your .htaccess or your HTML or JavaScript code so your site automatically redirects visitors to a malicious site.

2. A site other than yours got hacked, but it is affecting the content on your pages. Let's say your pages have normally harmless iframes or JavaScript that are pulled into a visitor's browser from the other website by using the property (in the HTML code) "src=http://othersite", or they use PHP code that resides on another website but is included into your pages before being served, with a PHP include(). If the other website gets hacked, your pages can turn dangerous, too, if the content that the other site was supposed to be sending out (advertisements, hit counters, top 10 lists ...) gets replaced by viruses, spyware, or other bad things. Whenever you use content from another website on your pages, you are dependent on that other site staying clean.

3. Your pages trigger the loading of Flash .swf files that are scripted to do malicious things or that are out of date and exploitable. Flash advertising is a common problem area.

4. (Your site contains an outlink to another site that has badware on it.) This was once a major reason for being flagged. That might not be true anymore, but it is still worthwhile to check your outlinks to make sure you are not linking to malicious sites, or to a site that got hacked and has turned malicious.

StopBadware and Google describe the criteria they use to determine whether a website is contributing to the badware problem.

The Firefox 3+ and Chrome browsers use data from the Google Safe Browsing Service to warn users about suspected malicious sites. If your site is flagged in Google search results, Firefox 3 users are getting a warning that says, "Reported Attack Site!", and they are blocked from going there. ...

(4) Antivirus scanning might not find the bad code

http://25yearsofprogramming.com/blog/20071223.htm

Why antivirus scanning might not find the bad code

The first idea that occurs to many webmasters is to do an AV scan on the site, but in many cases that will not find the problem. The next sections explain why. ...

A) Scanning your website files on the server

Scanning your server with an antivirus program will only work if the site is actually hosting the virus, which it often isn't.

More likely, the virus itself is hosted on another computer. Your pages have been injected with iframe or JavaScript code that refers indirectly (with src=) to the virus on the other website. Thus, the AV program on your server sees only iframes and JavaScript which don't trigger virus alerts because they aren't viruses.

The remote viruses aren't pulled in until the page is loaded into a visitor's browser. Then their browser fetches the code referred to by the src= property, and then they get a virus alert.

If you scan your site with an antivirus program and it finds no viruses, that does not mean the site is clean.  ...

14) JavaScript redirects

JavaScript is another way your page can automatically redirect visitors to a different website. While examining the JavaScript in your site, look for code like the following. It can be in the JavaScript code in your pages, or, increasingly common, injected into your .js files that are called by your pages:

window.location="http://unknownsite.com/"
window.location.replace("http://unknownsite.com/")

15) Meta-refresh redirects

An HTML meta-refresh is yet another way to automatically redirect visitors to a different website. Look for code like this within the <head></head> sections of your documents:

<meta http-equiv="refresh" content="0; url=http://unknownsite.com/">
<meta http-equiv="location" content="0;url=http://unknownsite.com/">

These examples redirect to the other page after 0 seconds. ...
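An added example of the kind of check a webmaster can run over a local copy of the site for items A, 14 and 15 above: it flags iframe/script tags whose src= points at a host you do not control, JavaScript redirects and meta-refresh tags, and decodes runs of \xNN or %NN escapes so an iframe hidden inside encoded JavaScript becomes visible. This is not code from the quoted article; TRUSTED_HOSTS, the scanned file extensions and the sample HTML are constructed for the example.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Hosts this site legitimately loads scripts/iframes from (assumed for the example).
TRUSTED_HOSTS = {"www.mysite.example", "cdn.mysite.example"}

# Patterns from items A, 14 and 15 above: JS redirects, meta-refresh, external src=.
JS_REDIRECT = re.compile(r"window\.location(?:\.href)?\s*=|window\.location\.replace\s*\(", re.I)
META_REFRESH = re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?(?:refresh|location)\b[^>]*>', re.I)
EXTERNAL_SRC = re.compile(r'<(iframe|script)\b[^>]*\bsrc\s*=\s*["\']?https?://([^/"\'\s>]+)', re.I)
# A run of \xNN or %NN escapes long enough to hide a tag, plus the tag opener to look for.
ESCAPED_BLOB = re.compile(r"(?:\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}){6,}")
TAG_OPEN = re.compile(r"<\s*(?:iframe|script)\b[^>]*", re.I)

def decode_escapes(text: str) -> str:
    """Turn \\xNN and %NN escape sequences back into characters."""
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text)

def scan_text(text: str, name: str = "<input>") -> list:
    """Return one finding (kind, file, line, detail) per suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if JS_REDIRECT.search(line):
            findings.append({"kind": "js_redirect", "file": name, "line": lineno, "detail": line.strip()})
        if META_REFRESH.search(line):
            findings.append({"kind": "meta_refresh", "file": name, "line": lineno, "detail": line.strip()})
        for tag, host in EXTERNAL_SRC.findall(line):
            if host.lower() not in TRUSTED_HOSTS:
                findings.append({"kind": "external_" + tag.lower(), "file": name, "line": lineno, "detail": host})
        if ESCAPED_BLOB.search(line):
            # Decode the escapes and report any iframe/script tag that was not visible before.
            visible = set(TAG_OPEN.findall(line))
            for tag in TAG_OPEN.findall(decode_escapes(line)):
                if tag not in visible:
                    findings.append({"kind": "escaped_markup", "file": name, "line": lineno, "detail": tag})
    return findings

def scan_site(root: str) -> list:
    """Walk a local copy of the site and scan every HTML, PHP and JS file."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".html", ".htm", ".php", ".js"}:
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings

# Constructed sample resembling an injected index.html; the hosts are placeholders.
SAMPLE = """<script>document.write("\\x3c\\x69\\x66\\x72\\x61\\x6d\\x65\\x20\\x73\\x72\\x63\\x3d\\x22http://bad.example/\\x22 width=0>")</script>
<html><head>
<meta http-equiv="refresh" content="0; url=http://unknownsite.example/">
<script src="http://cdn.mysite.example/app.js"></script>
<script>window.location.replace("http://unknownsite.example/")</script>
<iframe src="http://unknownsite.example/x.php" width=0 height=0></iframe></body></html>"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "index.html"):
        print(f"{f['file']}:{f['line']} {f['kind']}: {f['detail']}")
```

Run scan_site("/path/to/site-copy") against a download of your site's files rather than the live server, and treat every hit as something to explain, not necessarily as an infection.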

18) DNS cache poisoning

People think of website addresses as text like http://website.com, but web addresses are really numbers called IP addresses. Before a browser can fetch a web page from a site, it must first send a query to a DNS Server to get the site's correct numeric address.

Occasionally, someone manages to inject bad data into a DNS server so the IP address translations it returns are wrong. If someone tries to visit your website but their browser gets your IP address from a poisoned DNS server, they will be sent to a completely wrong website. That site might have malicious content, which could cause your site to be flagged for badware.  ...

(5) Someone hacked your server - with Javascript injections

http://www.webmasterworld.com/google/3279998.htm

"This site may harm your computer" - says Google

selomelo

#:3280000 11:03 pm on Mar 12, 2007 (utc 0)

When checking my daily logs, I noticed a strange referral, and checking Google serps I saw this strange message:"This site may harm your computer"

The referrer is as follows: "http://www.google.dk/interstitial?url=http://www.mysite

The site in question has currently a PR6, contains nothing but plain text pages.

Is there any idea as to how this can happen?

Thank you in advance.

tedster

#:3280028 11:35 pm on Mar 12, 2007 (utc 0)

It happens because someone hacked your server. The steps you need to take to remove the notice are explained in the Google notice itself, which sends you to StopBadware.org

selomelo

#:3280056 12:22 am on Mar 13, 2007 (utc 0)

Thank you Tedster,

For the last two hours or so, I have been sweating cold out of fear of being banned by Google.

The site in question is my cherished one, and is performing excellently (at #2 or 3) for many keywords.

Upon checking, I noticed that a javascript code was inserted at the beginning of my index.html page (before the <head> tag). The code is a hexadecimal code. When converted to ASCII, it reveals an iframe pointing to an internet address that attempts to download a program (that crashes on my ME system).

Also, I noticed that the page was modified on March 2nd. That is to say, my homepage has been running with that code for the last 10 days!

I immediately removed the code, and reported it to stopbadware.org.

Now, I am really trembling lest it may harm my site's ranking in the eyes of Google permanently. ):

I removed the IP address - we don't want to spread viruses here either!

[edited by: tedster at 2:41 am (utc) on Mar. 13, 2007]

tedster

#:3280176 2:54 am on Mar 13, 2007 (utc 0)

That javascripted iframe injection is really making the rounds right now. Be vigilant and be grateful to Google and to BadWare.org for taking up the battle.

CainIV

#:3280264 5:10 am on Mar 13, 2007 (utc 0)

Tighten up security on the server, change your passwords, and explain to google what has happened, your ranks should be fine.

Jalinder

#:3280280 5:36 am on Mar 13, 2007 (utc 0)

I am also facing same Javascript iframe injection problem: [webmasterworld.com...]

The iframe code is not in our files ... but it still appears on user's computers, above our HTML code.

How did you solve it?

selomelo

#:3280820 5:59 pm on Mar 13, 2007 (utc 0)

Jalinder:

I read your post. It seems somehow different. In my case, it is isolated to a single html file (hopefully), and therefore easily corrected. I simply removed the virus loading script from the html page. That is to say, my page is not infected. It only attempts to download the virus into the user's computer. On the other hand, your server seems infected. I cannot call myself knowledgeable, but I think that you may need some virus checking software on the server side.

followgreg

#:3280823 6:04 pm on Mar 13, 2007 (utc 0)

I can't find words for those who do that. We had similar issues not so long ago. The Iframe was not embedded into JS though.

We had to clean up the whole server and even buy another one just in case. It was a nightmare for 15 days. (from end of feb to 1 week ago).

I am still not sure how they managed to do that, so many times, randomly for so long, with 3 server admins sniffing around.

It attacked static files ending in *index.*; all accounts were infected at the same time.

The iframe was redirecting to sites in Russia. I still can't figure out why/how/when these sites will be banned forever, not talking about banning from Google but removing the privilege of operating a domain.

If someone has more info about the procedures these hackers use it will be welcome I guess. ...

http://StopBadware.org/
