Monday, November 28, 2011

My Website is infected with Malware - What's next?

Legitimate websites are being targeted for malware infections because a large number of users visit them, so a compromised site can be misused to spread or distribute malware to many users at once. If a website is infected with malware, it falls into one of the following scenarios:
  • Scenario-1: Website infected with Malware - but not blacklisted by search engines or not blocked by browsers
  • Scenario-2: Website infected with Malware - blacklisted by search engines and blocked by browsers
Irrespective of the scenario, you need to carry out the following activities:
Corrective Action -> Cause Analysis -> Preventive Action -> Continuous Assessment
For Scenario-2, in addition to the activities mentioned above, some additional steps need to be taken to restore the site's reputation. Read the “Request Malware Review - Why?” section for more details.

Corrective Action

The objective of corrective action is to clear the malware and any malware-related links from the infected website. Follow the most common corrective steps below to clean the infected website and system.
  1. Bring down the website
  2. Know the details of the malware infection
    • Infected Pages
    • Pages linked to the infected pages
  3. Restore the infected pages with the respective clean pages from the backup. It is always recommended to restore the entire website (all pages), all files referenced by the web pages, and its database from a clean backup set.
  4. Follow the necessary steps to clean the infection on your web server with respect to registry, configuration, settings, etc., to ensure that not a single back-door program is left on the system. These steps vary with the infection.
The above steps only fix or clean the infection on your web server. They do not prevent the malware infection from happening again, since hackers will continue to attack and exploit the same security weakness.

Cause Analysis (Possible Causes)

There are multiple ways (exploitation of security weaknesses) by which a website can be compromised. You need to take appropriate steps (control measures) to fix those security weaknesses to prevent the incident from happening again. Some of the most common ways in which malware or malware links are introduced into a website are as follows:
  • Exploitation of “SQL Injection” vulnerabilities
  • Exploitation of Cross-Site Scripting (XSS) vulnerabilities
  • Exploitation of default or weak passwords to compromise the web server
  • Exploitation of known software vulnerabilities in the Operating System, Web Server (IIS, Apache, etc.), other sub-systems, 3rd-party software used in the website, and so on, to compromise the web server.
A cause analysis of the incident can reveal which of these security vulnerabilities was used to infect your website.

Preventive Action

Follow the preventive action associated with most common vulnerabilities listed below to reduce the risk of getting infected again.

SQL Injection

To prevent “SQL Injection” attacks, follow the most common preventive control measures mentioned below:
  • Strict input validation for all user entered data (Never trust user input)
  • Use parameterized SQL or Stored Procedures (Avoid dynamic SQL construction)
  • Use limited access account to connect website application to the database (Avoid using accounts with admin privileges)
  • Encrypt connection strings and database passwords (Avoid storing sensitive data in plain text)
  • Use custom error pages (Limit the information revealed through error and unhandled exceptions)
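The first two control measures above, shown side by side in an added example (this is not code from the original article). It builds a small in-memory SQLite database with one constructed account, queries it once with dynamic SQL construction and once with a parameterized query, and adds an allow-list check on the username before the query ever runs. The table, the account and the `USERNAME_RE` pattern are assumptions made for this example.

```python
import re
import sqlite3


# Constructed sample data for this example (not from the original article).
def make_db():
    """In-memory database with one account; returns a sqlite3 connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'constructed-hash')")
    return conn


def find_user_dynamic_sql(conn, username):
    """Dynamic SQL construction: the user's text becomes part of the statement,
    so a crafted value can change the WHERE clause (the weak form)."""
    query = "SELECT username FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchone()


def find_user_parameterized(conn, username):
    """Parameterized query: the value travels separately from the SQL text,
    so it is only ever compared as data and never interpreted as SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchone()


# Allow-list validation applied before the query: only these characters form a username.
# The pattern is an assumption for this example; tighten it to your own rules.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def valid_username(username):
    """True only when the whole value consists of allow-listed characters."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup(conn, username):
    """Defence in depth: validate first, then use the parameterized query.
    Returns the matched username or None; invalid input is rejected outright."""
    if not valid_username(username):
        return None
    row = find_user_parameterized(conn, username)
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed injection-style input used to show the difference
    print("dynamic SQL  :", find_user_dynamic_sql(db, probe))    # matches alice
    print("parameterized:", find_user_parameterized(db, probe))  # None
    print("validated    :", lookup(db, "alice"))                 # alice
```

With the dynamic form, the probe value turns the statement into `WHERE username = 'x' OR '1'='1'` and the first account comes back; the parameterized form compares the whole string as a literal username and finds nothing. The allow-list check on top of that rejects the value before the database is touched at all.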

Cross Site Script Injection

To prevent “Cross-Site Scripting” attacks, follow the most common preventive control measures mentioned below:
  • Strict input validation for all user-entered data based on a white-list of allowed patterns (regular expressions), especially for user data that will be displayed in web pages as responses, comments, blog posts, etc.
    • Reject all known bad inputs
    • Where certain HTML tags are allowed in input fields for formatting, sanitize all other HTML tags (escape or strip them) so that they are rendered safely.
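An added example (not code from the original article) of the two cases in the list above: a plain field that is validated against a white-list pattern and HTML-escaped on output, and a comment field where a few formatting tags are allowed and every other tag is escaped. The `PLAIN_FIELD_RE` pattern and the `ALLOWED_TAGS` set are assumptions chosen for this example; the sanitizer drops all attributes even on allowed tags, since that is where event handlers and `javascript:` URLs would otherwise ride in.

```python
import html
import re
from html.parser import HTMLParser

# Fields that must never carry markup (a display name, for instance): allow-list the
# characters up front and reject everything else. The pattern is an assumption for this example.
PLAIN_FIELD_RE = re.compile(r"[\w .,'!?-]{1,64}")


def validate_plain_field(value):
    """True only when the whole value consists of allow-listed characters."""
    return PLAIN_FIELD_RE.fullmatch(value) is not None


def render_plain(value):
    """Output encoding for text placed in HTML: < > & \" ' become entities."""
    return html.escape(value, quote=True)


# Formatting tags a comment field is allowed to keep (assumption for this example).
ALLOWED_TAGS = {"b", "i", "p", "br"}


class AllowListSanitizer(HTMLParser):
    """Rebuilds the input keeping only allow-listed tags, stripped of all attributes.
    Any other tag, and all text, is emitted escaped so the browser shows it literally.
    Comments are dropped (the base class ignores them by default)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append("<%s>" % tag)  # attributes dropped on purpose
        else:
            self.out.append(html.escape(self.get_starttag_text()))

    handle_startendtag = handle_starttag  # <br/> is treated like <br>

    def handle_endtag(self, tag):
        closing = "</%s>" % tag
        self.out.append(closing if tag in ALLOWED_TAGS else html.escape(closing))

    def handle_data(self, data):
        # Reached for ordinary text and for the bodies of script/style elements alike.
        self.out.append(html.escape(data))


def sanitize_comment(text):
    """Return a version of the comment that keeps only allow-listed formatting."""
    parser = AllowListSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample input for this example.
    sample = "<b>hello</b> <img src=x onerror=alert(1)><script>alert(1)</script>"
    print(sanitize_comment(sample))
    print(render_plain("<a>"))
```

Because the parser un-escapes character references before handing text to `handle_data` and the sanitizer then re-escapes it, inputs that arrive already encoded end up encoded exactly once on output.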

Default and Weak Passwords

To prevent attacks exploiting “default and weak passwords”, follow the most common preventive control measures mentioned below:
  • Change the default passwords of built-in or default accounts on the FTP Server, OS, and so on, which could otherwise be used to compromise the server hosting the website
  • Use strong passwords. Passwords
    • should be at least 8 characters in length
    • should contain a mix of alpha, numeric and special characters
  • Change passwords frequently 

Software Vulnerabilities

To prevent attacks exploiting “Software Vulnerabilities”, follow the most common preventive control measures mentioned below:
  • Test and implement the latest service packs and security fixes for the respective Operating System, Web Server, Database Server, etc., as and when they are released by the software vendors
  • Upgrade older, discontinued or unsupported software versions to newer versions

Continuous Assessment (Monitoring)

As threat scenarios evolve, continuous vigilance, including regular checks that the preventive and corrective actions remain intact, is indispensable. The following activities help to assess the security status of the website:
  • Vulnerability Assessment - To assess the impact of vulnerabilities related to the security settings of the OS, Web Server, patch updates and so on.
    • Recommended Frequency: Quarterly or Half-Yearly based on business dependency on the website
  • Penetration Testing - To assess the impact of vulnerabilities related to SQL Injection, XSS, password strength and so on.
    • Recommended Frequency: Quarterly or Half-Yearly based on business dependency on the website
  • Website Monitoring & Malware Detection - To assess the up-to-date status of the website with respect to malware infections, malware links, unauthorized changes and so on.
    • Recommended Frequency: Daily or Weekly based on business dependency on the website.
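An added example (not code from the original article) of the monitoring activity above, which also answers step 2 of the corrective action section (which pages are infected, and which pages link to them). It records a SHA-256 digest of every file in a known-clean copy of the site, compares a later snapshot against that baseline to list modified, added and removed files, and then finds the pages whose `href`/`src` attributes reference any of the suspect files. The two site snapshots are constructed in the block; the link regex assumes site-relative paths written literally in the markup.

```python
import hashlib
import re


def digest(content):
    """SHA-256 of a file's bytes; the unit of comparison against the baseline."""
    return hashlib.sha256(content).hexdigest()


def build_baseline(site):
    """Record one digest per file for a known-clean copy of the site (path -> bytes)."""
    return {path: digest(content) for path, content in site.items()}


def detect_changes(baseline, current):
    """Compare the live site against the baseline: modified, added and removed files."""
    modified = sorted(p for p in current if p in baseline and digest(current[p]) != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


# href= and src= attribute values; paths are assumed to be site-relative and literal.
LINK_RE = re.compile(rb"""(?:href|src)\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def pages_linking_to(site, targets):
    """Map each page to the suspect files it references, so those pages get reviewed too."""
    result = {}
    for path, content in site.items():
        links = {m.group(1).decode("ascii", "replace") for m in LINK_RE.finditer(content)}
        hits = sorted(t for t in targets if t in links)
        if hits:
            result[path] = hits
    return result


def triage(baseline, current):
    """One pass over the site: what changed, what appeared, what vanished, and what links to it."""
    modified, added, removed = detect_changes(baseline, current)
    suspects = modified + added
    return {
        "modified": modified,
        "added": added,
        "removed": removed,
        "linking_pages": pages_linking_to(current, suspects),
    }


# Constructed sample site (not real content): a clean baseline and a later snapshot.
CLEAN_SITE = {
    "index.html": b'<html><body><a href="about.html">About</a><script src="js/app.js"></script></body></html>',
    "about.html": b'<html><body>About us<script src="js/app.js"></script></body></html>',
    "js/app.js": b"function init() { return 1; }\n",
}
LIVE_SITE = dict(CLEAN_SITE)
LIVE_SITE["js/app.js"] = CLEAN_SITE["js/app.js"] + b"/* constructed: unexpected appended code */\n"
LIVE_SITE["tmp/unexpected.php"] = b"<?php /* constructed: file that was never deployed */ ?>"


if __name__ == "__main__":
    report = triage(build_baseline(CLEAN_SITE), LIVE_SITE)
    for key, value in report.items():
        print("%-14s %s" % (key + ":", value))
```

In a real deployment the baseline is taken from the clean backup set (or immediately after a clean restore) and stored away from the web server, and the comparison is run on the daily or weekly schedule given above; every page listed under `linking_pages` is one that serves the changed file to visitors and therefore needs the same review as the file itself.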

Request Malware Review - Why?

If your website has already been blacklisted for containing malware or links to malware, the search engines may flag it in search results by showing a warning message next to your website URL. The warning message varies between search engines. For example,
  • Google Search Listing -> “This site may harm your computer.”
  • Yahoo Search Listing -> “Warning: Dangerous Downloads”
  • Bing -> A Note pops up with “Careful! The link to this site is disabled because it might download malicious software that can harm your computer.”
All popular browsers may also detect malware content on the website being accessed, check it against blacklists, and accordingly block access to the website. The warning messages shown by the browsers also vary, as follows:
  • Internet Explorer -> “This website has been reported as unsafe”
  • Firefox -> “Reported Attack Site!”
  • Safari -> “Warning: Visiting this site may harm your computer”
  • Chrome -> “Warning: Visiting this site may harm your computer!”
  • Opera -> “Fraud Warning”
If your infected website belongs to Scenario-2, then after cleaning your website of all malware and malware links you need to submit a “Request for Malware Review” with each search engine, each through its own process. This review is a must to remove the warning messages from the search results for your website URL in the respective search engines.
This would be covered in detail in our next article “Request Malware Review - Process and Steps”.
