Saturday, December 3, 2011

Malware Infection on Websites

Malware is software that attempts to steal your personal information or to use your computer for things you did not intend. Infections often have harsh consequences, such as the victim’s computer becoming slow or unresponsive. Malware usually takes the form of spyware, deceptive adware and similar programs. Common examples are free screen savers that secretly generate advertisements, malicious browser toolbars that send your browser to pages other than the ones you expected, and keylogger programs that transmit your personal data to others.

Detecting the Malware

Malware infects client systems, but it uses innocent web servers to reach a large number of clients. You may have no evil intentions, yet someone may have secretly modified the pages of your website by injecting malicious code, inserting iframes or adding links to a different website that actually hosts the malware; the infection may also come from third-party ads that appear on your website. Quickly detecting malware on your website and removing it avoids danger to your visitors and to the reputation of your site.
Let us look at a few ways to detect the presence of malware on your website:
  • Check Google’s search results for your website: a warning message saying “This Site May Harm Your Computer” is displayed near the title of the web page if any malware is found.
  • Use Microsoft Webmaster tools to scan your website, find all rogue pages on your site that are possibly infected with malware, and identify external links on your site that point to pages hosting malware.
  • Scan your website with McAfee Site Advisor to obtain a detailed report of possible malware issues and malicious links on your website.

Removing the Malware

Once it is confirmed that your website is infected with malware, stop all advertising media on your website and take the whole site offline temporarily, so that further damage is prevented until you are sure the site is free of malware.
The first step when you find malware on your site is a thorough check for more of it. Other pages on your site may download and install rogue programs on the user’s computer without his or her consent. Check your server logs for any suspicious activity, such as failed login attempts, remote command execution, unknown user accounts and so on.
Check above all for attacks, since they are the usual cause of such behavior. Your website becomes more vulnerable to attacks when you are not running the latest security updates. When a hacker gains access to your website, he modifies web pages so that his malicious code is executed and spam links are displayed, or visitors are redirected to a malicious website, when people view your pages.
If the malware on your website was injected through a hacking attack, check the HTML source code of your web pages for suspicious blocks of JavaScript code or hyperlinks that point to bad neighborhoods hosting malware. Look for any recently modified or uploaded files on your web server.
Most hackers do not place the malware on the compromised website itself; instead they inject redirect code into the legitimate site, so look for such recent activity in the areas of your website where user content can be added. Discard the pages suspected of carrying malware and redesign them.
Update your web server software and website software and install all the latest patches available. Perform manual checks instead of depending on antivirus software alone, because antivirus software generally only checks for malware installed or present on your own system.
Key prevention measures for the areas where malware behavior is commonly suspected:
  • Downloads available on your site: scan your web server for malicious files.
  • Automatic redirects from your site: the redirect code is typically an iframe that silently attacks the visitor’s browser with browser-specific exploits. Antivirus scans of your web server or website rarely detect this redirect code, so perform manual checks of the web page source code.
  • Third-party advertisements on your site: use only reputable, conscientious advertisement providers and monitor them regularly to be sure they stay clean.
  • Malicious links posted on your site through user activity: begin by making a list of all links to external sites, then verify that you intentionally put those links on your site. Next, check your web pages for any obfuscated code.
  • Hacking attacks on the site: keep monitoring the web logs for hacking activity with web monitoring tools.
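The manual source-code checks described above (suspicious JavaScript blocks, hidden redirect iframes, external links you did not place yourself, obfuscated code) can be partly automated so that every page of the site gets the same review. The script below is an added example, not code from the original post; it uses only the Python standard library, and the sample page, the host names and the obfuscation indicators are constructed for illustration. Findings are candidates for manual review, not proof of infection.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators often seen in injected script blocks (heuristics chosen for this
# example; they flag candidates for manual review, not proof of infection).
OBFUSCATION_PATTERNS = [
    re.compile(r"eval\s*\(\s*unescape", re.I),
    re.compile(r"document\.write\s*\(\s*unescape", re.I),
    re.compile(r"String\.fromCharCode\s*\(", re.I),
    re.compile(r"(?:%[0-9a-f]{2}){20,}", re.I),    # long percent-encoded run
    re.compile(r"(?:\\x[0-9a-f]{2}){20,}", re.I),  # long \x hex run
]
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class InjectionScanner(HTMLParser):
    """Collect (category, line, detail) findings while parsing one page."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        # Hosts that may legitimately be linked or scripted from this site.
        self.allowed = {h.lower() for h in allowed_hosts} | {site_host.lower()}
        self.findings = []
        self._in_script = False
        self._script_line = 0
        self._script_buf = []

    def _external(self, url):
        host = urlparse(url).hostname
        return bool(host) and host.lower() not in self.allowed

    def _add(self, category, line, detail):
        self.findings.append((category, line, detail))

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "iframe":
            src = a.get("src", "")
            tiny = (a.get("width", "").strip() in ("0", "1")
                    and a.get("height", "").strip() in ("0", "1"))
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self._add("hidden-iframe", line, src or "(no src)")
            if self._external(src):
                self._add("external-iframe", line, src)
        elif tag == "script":
            self._in_script, self._script_line, self._script_buf = True, line, []
            if self._external(a.get("src", "")):
                self._add("external-script", line, a["src"])
        elif tag == "a" and self._external(a.get("href", "")):
            self._add("external-link", line, a["href"])

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            for pat in OBFUSCATION_PATTERNS:
                if pat.search(body):
                    self._add("obfuscated-script", self._script_line, pat.pattern)
                    break


def scan_html(html, site_host, allowed_hosts=()):
    """Return the list of findings for one page's HTML source."""
    scanner = InjectionScanner(site_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a clean shop page with an injected hidden iframe,
# an injected eval(unescape(...)) block and a link to an unrelated host.
SAMPLE_PAGE = """<html><head><title>Example shop</title>
<script src="/static/app.js"></script>
<script src="http://cdn.example-partner.net/ads.js"></script>
</head><body>
<h1>Welcome</h1>
<a href="/about">About us</a>
<a href="http://www.example.com/contact">Contact</a>
<a href="http://bad-neighborhood.invalid/free-scan">Free scan</a>
<iframe src="http://bad-neighborhood.invalid/x.php" width="0" height="0"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%3e%27%29'))</script>
</body></html>"""

if __name__ == "__main__":
    for category, line, detail in scan_html(SAMPLE_PAGE, "www.example.com",
                                            ["cdn.example-partner.net"]):
        print(f"line {line:3d}  {category:18s} {detail}")
```

Run it over every saved page of the site and diff the output against the previous run; the allowlist is what turns "all external links" into "external links you did not put there yourself", which is the list the text asks you to verify by hand.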

Removing the Flaw

Use encrypted protocols such as SSH and SFTP for file transfer instead of clear-text protocols such as telnet or FTP. Telnet and FTP are both considered insecure because they transmit user credentials in a form that anyone with access to the network can read, which is why they are called clear-text protocols. SSH and SFTP are built on an encrypted protocol, which defeats network sniffing.
Enforce a strong password policy on your website so that no one can break into user accounts and cause damage.
Configure your website so that users cannot link directly to any form of executable file or insert JavaScript into user-modifiable areas.
The malware may have been inserted into your application through a vulnerability in your code. Detecting and fixing it may be the most important step of all. This will be discussed in more detail in articles to come in the next few issues.
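One way to enforce that rule in the user-modifiable areas of a site is to sanitize submitted HTML against an allowlist: keep a few formatting tags, drop script, iframe and event-handler attributes, and refuse links whose scheme is not http, https or mailto or whose target looks like an executable file. The Python below is an added example rather than code from the original post; the allowlist, the blocked extensions and the sample comment are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist policy (an assumption for this example; tune it to the site).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "code", "pre", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = {"http", "https", "mailto"}
EXECUTABLE_EXTS = (".exe", ".msi", ".scr", ".bat", ".cmd", ".com", ".js", ".vbs")


def href_is_safe(url):
    """Accept only http/https/mailto or relative links that do not name an executable."""
    parts = urlparse(url.strip())
    if parts.scheme and parts.scheme.lower() not in SAFE_SCHEMES:
        return False
    return not parts.path.lower().endswith(EXECUTABLE_EXTS)


class UserContentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []
        self.dropped = []      # audit trail of what was removed
        self._skip = 0         # nesting depth inside a tag whose content is discarded

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip += 1
            return
        if tag in DROP_WITH_CONTENT:
            self._skip = 1
            self.dropped.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)   # tag removed, its text content is kept
            return
        kept = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
            elif name == "href" and not href_is_safe(value):
                self.dropped.append(f"{tag}@href={value}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a":
            kept.append(' rel="nofollow"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.dropped.append(tag)
        else:
            self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip -= 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))


def sanitize(user_html):
    """Return (clean_html, dropped_items) for one user-submitted fragment."""
    s = UserContentSanitizer()
    s.feed(user_html)
    s.close()
    return "".join(s.out), s.dropped


# Constructed sample of a comment with several injection attempts mixed in.
SAMPLE_COMMENT = (
    '<p onclick="x()">Hi <b>there</b><script>var x = 1;</script>'
    '<a href="javascript:void(0)">bad</a>'
    '<a href="http://example.net/setup.exe">dl</a>'
    '<a href="https://example.org/">ok</a>'
    '<iframe src="http://bad.invalid/"></iframe></p>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_COMMENT)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is worth logging: a sudden rise in rejected `script` or `iframe` tags from one account or address is exactly the "suspicious activity in user areas" the text says to watch for.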

Monitoring the Website

Update any software you use on your web server, and make sure you are always running the most recent versions with the latest security patches. Perform regular scans of your site for security vulnerabilities with a vulnerability auditing scanner. Use security update management tools to track down missing patches and apply them promptly. Actively monitor the areas of your website affected by user activity for suspicious links or executable files. Run webmaster tools frequently to review your website for any malware.
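A practical way to implement both the "recently modified or uploaded files" check from the removal section and the ongoing monitoring of user-writable areas described here is a hash baseline of the web root that is compared after the fact. The script below is an added example, not code from the original post; the directory layout, the `uploads` directory name and the list of executable extensions are assumptions made for the example, and `demo()` builds a throwaway site tree to run against.

```python
import hashlib
import os
import tempfile
import time

# Extensions that should never turn up in a visitor-writable upload directory
# (assumed list for this example; match it to the site's upload policy).
EXECUTABLE_EXTS = {".php", ".phtml", ".cgi", ".pl", ".sh", ".exe", ".jsp", ".asp", ".aspx"}


def _rel(path, root):
    """Root-relative path with forward slashes so reports are portable."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def _walk_files(root):
    for dirpath, _, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root to its SHA-256; keep the result where the web server cannot write."""
    return {_rel(p, root): sha256_file(p) for p in _walk_files(root)}


def compare_baselines(old, new):
    """Report files added, removed or changed between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def recently_changed(root, hours):
    """Files whose mtime is within the last `hours` (quick check; mtimes can be forged)."""
    cutoff = time.time() - hours * 3600
    return sorted(_rel(p, root) for p in _walk_files(root) if os.path.getmtime(p) >= cutoff)


def executable_uploads(root, upload_subdir="uploads"):
    """Files with executable extensions inside the user upload directory."""
    upload_root = os.path.join(root, upload_subdir)
    return sorted(_rel(p, root) for p in _walk_files(upload_root)
                  if os.path.splitext(p)[1].lower() in EXECUTABLE_EXTS)


def demo():
    """Build a throwaway site tree, take a baseline, simulate a compromise
    (one page edited, one script dropped into uploads) and return the reports."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html><body>Welcome</body></html>")
        with open(os.path.join(root, "uploads", "avatar.png"), "wb") as f:
            f.write(b"\x89PNG constructed sample")
        baseline = build_baseline(root)
        # Backdate the clean files so that only the tampering counts as recent.
        month_ago = time.time() - 30 * 86400
        for rel in baseline:
            os.utime(os.path.join(root, rel), (month_ago, month_ago))
        # Simulated tampering: an injected hidden iframe and an uploaded script file.
        with open(os.path.join(root, "index.html"), "a") as f:
            f.write('<iframe src="http://bad.invalid/" width="0" height="0"></iframe>')
        with open(os.path.join(root, "uploads", "avatar.php"), "w") as f:
            f.write("<?php echo 'placeholder'; ?>")
        return {
            "diff": compare_baselines(baseline, build_baseline(root)),
            "recent": recently_changed(root, hours=24),
            "executable_uploads": executable_uploads(root),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hash comparison is the reliable part: it catches the edited page even if the attacker resets its timestamp, which the mtime check alone would miss. Store the baseline outside the web root and refresh it only after a deliberate deployment.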
