We frequently clean blacklisted websites and submit reconsideration requests to have them de-listed. We have encountered many kinds of blacklist warnings, including those from search engines, anti-virus programs, firewalls and e-mail spam filters.
Recently I came across an interesting case where Google was flagging a website due to unwanted software. We were able to get to the bottom of the issue and remove the unwanted malware from the website. In the process we learned a few things and wanted to share them with you as well.
Unwanted Software Warning
This is a new and uncommon warning issued by Google that was only recently distinguished from their regular “Malicious Attack Page” category. It’s a bit peculiar because there are no warnings or notifications in Google search results but it’s made quite clear that something is amiss when you try to visit the domain. In almost all cases this warning is caused by malvertising: where adware, spyware or other malware is delivered through third party ads.
Protection from malvertising (and problems associated with unverified third party content) was a primary reason for the creation of ad blocking and content filtering software. The danger of malvertising continues to be a large motivator for the use of ad blocking browser extensions.
Recovering from Malicious Ad Networks
We started seeing cases of “Unwanted Software” warnings pop up a few months ago. Almost all of them seemed to be video streaming websites that used a wide variety of lower quality and cheap advertising networks.
The solution for these cases is pretty straightforward:
- Determine all ad networks the affected website is a part of and check whether or not there have been reported cases of malvertising on them, then disable those ad networks.
- In many cases (depending on the ad networks used) it’s recommended to disable all advertisements entirely to get rid of this warning.
- Be a bit more careful going forward with regard to which scripts you let run on your domain. Choosing to include third party scripts on your site is often a risk because you can’t ensure their security.
Unwanted Software With No Ads?
In our reviews, however, we noticed something a bit peculiar. While it’s understandable to have a new warning targeting malvertising activities, what if the website doesn’t leverage ads? At first glance it didn’t make sense, and naturally we had to investigate to understand why this would happen.
I began working on our customer’s website by first checking it out to see what I was working with. I was specifically interested in the ad networks it was using. It turns out that the website didn’t have ads.
I hadn’t seen a case like this before. For those wondering, malvertising is exceptionally difficult to troubleshoot because it’s so difficult to detect. The way ad networks work is that they push a variety of ads to your website at some frequency, and it can be very difficult to find the particular culprit that’s presenting the issue.
I ran through all the usual steps to see if I could track down what was causing this issue. I found no modified core files, nothing weird in .htaccess and no suspicious plugins. Process of elimination led me to believe it was either in the theme or, worse, something server level.
Investigating the Source
When debriefing our research team on this new type of Google warning, my colleague Denis mentioned that good ole’ Redleg’s File Viewer could be of assistance. Using this viewer, we were able to better understand what was going on:
The URL being flagged was ./wp-includes/activate.html but I could have sworn I already looked in that directory. I double checked and activate.html was nowhere to be seen.
If activate.html doesn’t exist… what if I try going to any other URL that doesn’t exist? Sure enough, all the 404 pages generated were redirected to another infected website which prompted visitors with a download of a suspicious file called Site.exe:
Naturally, I was curious and wanted to find out about this Site.exe file. What does it do? Both Firefox and Chrome wouldn’t even let me download it because it was obvious malware.
Site.exe – More Than “Unwanted Software”
Fortunately, the trusty wget command came to my aid and I was able to upload it to VirusTotal:
It looks to be a version of the Kazy trojan, commonly associated with phishing e-mails that tricks the user into downloading adware, spyware and keyloggers onto their machines.
Searching the website with this additional information I found the following code in the theme:
Every 404 page that the website generated would redirect the visitor to a different website which prompted the download of that obvious spyware. That’s definitely one way to make use of the 404 pages.
Removing this code solved the issue for this website but unfortunately other infected websites are still likely being misused in this attack. If you are a website owner be sure that you are using regular security monitoring.
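One monitoring check that would have caught this behaviour, added here as an example and not code from the original post: request a random path that cannot exist and see whether the site answers with a plain 404 or with a redirect off the domain (or a file download). The hostnames in the comments and tests are placeholders, and the probe uses only the Python standard library.

```python
"""Detect the 404-redirect behaviour described in the post: a missing page
that sends the visitor to another domain or straight to a download.
Added example; not code from the original article."""
import secrets
import urllib.error
import urllib.request
from urllib.parse import urlparse


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so we can inspect Location."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx headers


def classify_404(site_host, status, headers):
    """Classify the response to a path that should not exist.

    Returns 'ok' for a plain 404, 'internal-redirect' for a same-site 3xx,
    'offsite-redirect' for a 3xx to another host (the case in the post),
    'unexpected-download' if a file is pushed at the visitor, else 'unexpected'.
    """
    location = headers.get("Location")
    if 300 <= status < 400 and location:
        target = urlparse(location)
        # A Location without a host is relative and therefore stays on-site.
        if not target.netloc or target.netloc.lower() == site_host.lower():
            return "internal-redirect"
        return "offsite-redirect"
    if "attachment" in headers.get("Content-Disposition", "").lower():
        return "unexpected-download"
    if status == 404:
        return "ok"
    return "unexpected"


def probe_missing_page(base_url, path=None, timeout=10):
    """Fetch a random non-existent path on base_url and classify the answer."""
    path = path or f"/{secrets.token_hex(8)}.html"  # e.g. /3f9a...c1.html
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:  # 404s and blocked 3xx land here
        status, headers = err.code, err.headers
    return classify_404(urlparse(base_url).netloc, status, headers)
```

Run `probe_missing_page("https://your-site.example")` from a few networks and user agents; anything other than `ok` or `internal-redirect` on a site that should simply serve a 404 page deserves a look at the theme's 404 handling.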
New Google Blacklist Page – Unwanted Software
While it’s been out for a few months, this blacklist warning is definitely new when compared to the various other blacklist notifications Google has pushed out over the years. It does seem, though, that it’s not targeting malvertising specifically, but rather the phenomenon known as drive-by downloads.
A drive-by download will usually take advantage of (or “exploit”) a browser, app, or operating system that is out of date and has a security flaw.
This makes perfect sense. This warning is now sometimes used as an alternative to the This Site May Harm Your Computer and Visiting This Site May Harm Your Computer warnings. Perhaps this is improved logic to target the advent of malvertising, or an approach from Google to use language that average website visitors will better understand. Whatever the specifics are, this is a new form of blacklisting and we need to be aware of it.