Thumb Wars: Sucuri Acquires Google Webmaster Tools

Today Sucuri unofficially acquires Google Webmaster Tools.

Google Webmaster Tools

In an effort to combine forces of good, Sucuri officials challenged Google to a thumb wrestling war. Here is a breakdown of the event.

Over The Top

In a best-of-5 style tournament, the competition got heated. The underdog had fought well, and stayed in it to win it, they weren’t letting the big dog walk away with this. In what turned into an exciting but nerve recking competition, the tournament was at a 2-2 going into the final match. With great confidence, Matt Cutts from the Google team belted out that, “Google does no harm, but that doesn’t extend to your thumbs.” He was so confident that he bet the ranch, saying “winner takes all, including Google Webmaster Tools”.

The room went silent. You could see sweat on the faces of each of the competitors, no more than on the faces of our trusty Labs team. They knew what this meant. It was go hard now or go home empty handed.

The last match was about to start, and you could see white knuckles showing from the great pressure in grip arrangements. It was time, thumbs were arched, and hats were turned backwards. This could be the very moment where everything changed.

The start was called, and Google aggressively launched their attack, a quick launch sneak pin attack, but the Sucuri competitor saw it a mile away. Google missed their kill shot and Sucuri took advantage with an over-arching attack from the top ropes. Sucuri slammed down with the power of Zeus…Google was in trouble.

Coming to an End

One quick glance to the right and you could see Matt’s face twisted in horror. One quick glance to the left and you could see the Sucuri CTO, Daniel Cid, his face emotionless as he enjoyed his popcorn.

You could see the strain and distress across faces of team Google as they realized what was happening, as they realized how it was about to go down. The tip of their thumb was moving from shades of red to signs of failed purple. The counter by Sucuri was risky, but as strong as Eddie Bravo’s triangle to beat Royler Gracie in 1993. This was epic. You could just imagine what was going through team Google’s mind, “Sergey will never understand”

The crowd. Silent. Almost as if the hand of death had grabbed their shoulder. Stuck in sudden disbelief as to what was transpiring, and in complete anticipation as to what was next.

The referee started to count. It was as if slow motion was being called in slow motion. The ref kept counting, and counting. Then you had it. As quick as it had started, it was over.

Sucuri had won. On the line was Google Webmaster Tools which will now slowly be migrated to Sucuri Labs over the coming weeks.

In this moment of great triumph, the David-sized security firm looks forward to expanding website security efforts to all webmasters across the world, with the inclusion of this Goliath-sized prize.

No Fooling Around

If you’re interested in helping fight the good fight, make sure to check out our open job requisitions.

If you have questions about this fever dream of a completely fake post, please leave them in the comments below.

Understanding Google’s Blacklist – Cleaning Your Hacked Website and Removing From Blacklist

Today we found an interesting case where Google was blacklisting a client’s site but not sharing the reason why. The fact they were sharing very little info should not be new, but what we found as we dove a little deeper should be. The idea is to provide you webmasters with the required insight to understand what is going on, and how to troubleshoot things when your website is blacklisted.

Get Your Bearing

While investigating the website, we found that some Google shortened URLs were being loaded and redirecting to http://bls.pw/. Two of the goo.gl links were pointing to Wikipedia images, their icon to be specific, and one was redirecting to http://bls.pw/ shortener.

goo.gl/9yBTe - http://bits.wikimedia.org/favicon/wikipedia.ico
goo.gl/hNVXP - http://bits.wikimedia.org/favicon/wikipedia.ico?2x2
goo.gl/24vi1 - http://bls.pw/

A quick search for this last URL took us to /wp-content/themes/Site’sTheme/css/iefix.sct. As malware writers like to do, it was trying to trick us into believing it was good code. In this case, the Sizzle CSS Selector Engine code (Real code here) was the target:

Sucuri  Sizzle CSS Selector Engine Modified III

Read More

Google Bots Doing SQL Injection Attacks

One of the things we have to be very sensitive about when writing rules for our CloudProxy Website Firewall is to never block any major search engine bot (ie., Google, Bing, Yahoo, etc..).

To date, we’ve been pretty good about this, but every now and then you come across unique scenarios like the one in this post, that make you scratch your head and think, what if a legitimate search engine bot was being used to attack the site? Should we still allow the attack to go through?

This is exactly what happened a few days ago on a client site; we began blocking certain Google’s IP addresses requests because they were in fact SQL injection attacks. Yes, Google bots were actually attacking a website.

Read More

Google Transparency Report – Malware Distribution

Google just released their Malware Distribution Transparency Report, sharing the amount of sites compromised or distributing malware detected by their systems (Safe Browsing program).

Google’s Safe Browsing program started in 2006 and since has become one of the most useful blacklists to detect and report on compromised sites. They flag around 10,000 different sites per day, which are being used for over 1 billion browser (Chrome, Firefox And Safari) users.

What is really scary from their report is the amount of legitimate compromised sites hosting malware compared to sites developed by the bad guys for malicious purposes. For example, in the first week of Jun/2013, 37,000 legitimate sites were compromised to host malware. At the same time, they only identified around 4,000 sites that were developed for the unique purpose of infecting people.


Read More

New Google Chrome Blacklist Warning for Macs

If you go to a site that is Blacklisted by Google, you will see a new (and prettier) malware warning now if you are using a Mac:

The Website Ahead Contains Malware!
Google Chrome Has Blocked access to site.com for now.
Even if you have visited this site safely in the past, visiting it now may infect your Mac with malware.

Nothing major has changed, but we found this new wording to be more clear for the end user. So good move from the Google/Chrome team.

Dealing with WordPress Malware

A few months back I contributed to a post with Smashing Magazine on the top 4 WordPress Infections, it was released yesterday, and it couldn’t have been at a better time. If any one attended WordCamp Las Vegas you might even find some similarities. Fortunately in the process of preparing for the event and working with the team, we were able to compile a bit more information expanding on the things we originally discussed in the last post. It’s perfect timing for a number of reasons, and will complement this post very nicely.

WordPress Malware
The idea of this post, like many in the past, is to outline and discuss this past weekend’s presentation. In the process, hopefully you take something away. Unfortunately, the presentation was capped off with a live attack and hack, and I won’t be able to include that in this post, but I promise it’s coming.

**Note: If you plan to be at WordCamp Philadelphia 2012 you might be in for some treats, just saying. And if you don’t have it on the calendar, you should.

Read More

Website Cross-contamination: Blackhat SEO Spam Malware

We recently posted about Website Cross-Contamination which we see quite a bit of in shared hosting environments. This post is a follow up with a nice sample of an SEO Spam infection that uses multiple sites in a shared environment to push their campaign.

We received a clean up request from a customer who was clearly infected with Blackhat SEO Spam:

Read More

Ask Sucuri: How Long Does It Take For a Site To Be Removed From Google’s Blacklist? – Updated

If you have any questions about malware, blacklisting, or security in general, send it over to us: contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, click here

This is an update to our previous post about Google blacklisting. We have some updated numbers to share.

Question: My site was hacked and we cleaned and secured it properly. We also scanned it, and it is showing up as clean. However, it is still blacklisted by Google. How long until they remove us?

Answer: This is a very common question. In fact, every time we clear a hacked site, their owner asks us the same question: How long until that scary red warning sign is gone?

To give a solid answer to our clients, we started to time how long it takes from when the review submission is requested, until the site is reviewed and removed by Google. We have now measured a few hundred blacklist removals and we have some good numbers to back up our tests.

Current Results:

  • Average time from submission to removal: 440 minutes (about 7 hours)
  • Maximum time: 792 (13 hours)
  • Minimum time: 290 (a bit less than 5 hours)

On average, it takes Google around 7 hours to clear your “bad” website from their lists. For our lucky clients, it takes roughly 5-6 hours. Another important point that some people forget is that you need to request a review! Google will not automatically remove a site once cleaned.

How do you increase your odds of getting cleared faster?

  1. Make sure to clean everything up!
  2. Do not remove the infected files, fix them. If you remove them, they will 404, and a 404 will delay the verification (even if you need to leave the file with a 0-size, don’t remove it until after the site is de-listed).
  3. Follow best practices to increase security on your site so that you minimize the risk of reinfection.

That’s it. Let us know if you have any questions or comments.


Is your site hacked? Blacklisted? We are here to help! We can get your sites cleaned up and secured right away!

Will Google blacklist itself?

We were analyzing an infected site today and their Google blacklist diagnostic said the following:

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 3 domain(s), including site.com/, google.com/.

Hum… So Google.com was somehow infected as well? I know it is probably some small sub site from within Google, but I found it interesting that they listed Google’s main domain in there.

If you look at Google’s own diagnostic page, it says:

31 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-03-28, and the last time suspicious content was found on this site was on 2011-03-28.

 
Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, google.com appeared to function as an intermediary for the infection of 71 site(s) including our-pretty-pets.blogspot.com/, daum.net/, portovelhodownload.blogspot.com/.

 
Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 72 domain(s), including tamansoftware.co.cc/, agusnih.co.cc/, duniamisteri.co.cc/.

Let’s see if Google actually blacklists themselves :)

Google blacklist – No way to request a review for the last two days

We are seeing a big issue on Google for the last few days. Whenever a site got blacklisted, you had the option to request a review after the site was clean. Something like that:

Request blacklist review Google

Read More