Google Webmaster Central Blog - Official news on crawling and indexing sites for the Google index

Malware? We don't need no stinking malware!

Friday, October 24, 2008 at 2:47 PM

(Cross-posted from the Google Online Security Blog.)

"This site may harm your computer"
You may have seen those words in Google search results — but what do they mean? If you click the search result link you get another warning page instead of the website you were expecting. But if the web page was your grandmother's baking blog, you're still confused. Surely your grandmother hasn't been secretly honing her l33t computer hacking skills at night school. Google must have made a mistake and your grandmother's web page is just fine...

I work with the team that helps put the warning in Google's search results, so let me try to explain. The good news is that your grandmother is still kind and loves turtles. She isn't trying to start a botnet or steal credit card numbers. The bad news is that her website or the server that it runs on probably has a security vulnerability, most likely from some out-of-date software. That vulnerability has been exploited and malicious code has been added to your grandmother's website. It's most likely an invisible script or iframe that pulls content from another website that tries to attack any computer that views the page. If the attack succeeds, then viruses, spyware, key loggers, botnets, and other nasty stuff will get installed.

If you see the warning on a site in Google's search results, it's a good idea to pay attention to it. Google has automatic scanners that are constantly looking for these sorts of web pages. I help build the scanners and continue to be surprised by how accurate they are. There is almost certainly something wrong with the website even if it is run by someone you trust. The automatic scanners make unbiased decisions based on the malicious content of the pages, not the reputation of the webmaster.

Servers are just like your home computer and need constant updating. There are lots of tools that make building a website easy, but each one adds some risk of being exploited. Even if you're diligent and keep all your website components updated, your web host may not be. They control your website's server and may not have installed the most recent OS patches. And it's not just innocent grandmothers that this happens to. There have been warnings on the websites of banks, sports teams, and corporate and government websites.

Uh-oh... I need help!
Now that we understand what the malware label means in search results, what do you do if you're a webmaster and Google's scanners have found malware on your site?

There are some resources to help clean things up. The Google Webmaster Central blog has some tips and a quick security checklist for webmasters. Stopbadware.org has great information, and their forums have a number of helpful and knowledgeable volunteers who may be able to help (sometimes I'm one of them). You can also use the Google SafeBrowsing diagnostics page for your site (http://www.google.com/safebrowsing/diagnostic?site=<site-name-here>) to see specific information about what Google's automatic scanners have found. If your site has been flagged, Google's Webmaster Tools lists some of the URLs that were scanned and found to be infected.

Once you've cleaned up your website, use Google's Webmaster Tools to request a malware review. The automatic systems will rescan your website and the warning will be removed if the malware is gone.
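As an added example (not from the original post, and not how Google's scanners work), here is a sketch a webmaster could run over their own pages during clean-up to list the "invisible script or iframe" injections described above. The host names and the sample page are constructed, and the heuristics (off-site `src`, zero-size or hidden iframes) are assumptions that will not catch obfuscated inline scripts.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = {"0", "1", "0px", "1px"}  # sizes that make an iframe effectively invisible

# Constructed sample page: one injected zero-size iframe among legitimate tags.
SAMPLE_PAGE = """<html><body>
<h1>Grandma's baking blog</h1>
<script src="/js/recipes.js"></script>
<script src="https://stats.trusted.example/tracker.js"></script>
<iframe src="http://unknown-host.example/x" width="0" height="0"></iframe>
<iframe src="/photos/turtles.html" width="400" height="300"></iframe>
</body></html>"""

class InjectionFinder(HTMLParser):
    """Collects off-site <script>/<iframe> references and hidden iframes."""

    def __init__(self, own_hosts, trusted_hosts=()):
        super().__init__()
        self.allowed = {h.lower() for h in (*own_hosts, *trusted_hosts)}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        if not src:
            return  # inline scripts need manual review; not covered here
        host = (urlparse(src).hostname or "").lower()  # empty for relative URLs
        offsite = bool(host) and host not in self.allowed
        hidden = tag == "iframe" and (
            a.get("width", "").strip() in TINY
            or a.get("height", "").strip() in TINY
            or bool(HIDDEN_STYLE.search(a.get("style", "")))
        )
        if offsite or hidden:
            reasons = [r for r, hit in (("off-site", offsite), ("hidden", hidden)) if hit]
            self.findings.append((self.getpos()[0], tag, src, reasons))

def scan_html(html, own_hosts, trusted_hosts=()):
    """Return (line, tag, src, reasons) for every suspicious tag in html."""
    finder = InjectionFinder(own_hosts, trusted_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_PAGE, ["grandma.example"], ["stats.trusted.example"]):
        print(hit)
```

Every finding still needs a human decision: a listed host may be a widget you added yourself, in which case it belongs in `trusted_hosts`.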

Advance warning
I often hear webmasters asking Google for advance warning before a malware label is put on their website. When the label is applied, Google usually emails the website owners and then posts a warning in Google's Webmaster Tools. But no warning is given ahead of time - before the label is applied - so a webmaster can't quickly clean up the site before a warning is applied.

But, look at the situation from the user's point of view. As a user, I'd be pretty annoyed if Google sent me to a site it knew was dangerous. Even a short delay would expose some users to that risk, and it doesn't seem justified. I know it's frustrating for a webmaster to see a malware label on their website. But, ultimately, protecting users against malware makes the internet a safer place and everyone benefits, both webmasters and users.

Google's Webmaster Tools has started a test to provide warnings to webmasters that their server software may be vulnerable. Responding to that warning and updating server software can prevent your website from being compromised with malware. The best way to avoid a malware label is to never have any malware on the site!

Reviews
You can request a review via Google's Webmaster Tools and you can see the status of the review there. If you think the review is taking too long, make sure to check the status. Finding all the malware on a site is difficult and the automated scanners are far more accurate than humans. The scanners may have found something you've missed and the review may have failed. If your site has a malware label, Google's Webmaster Tools will also list some sample URLs that have problems. This is not a full list of all of the problem URLs (because that's often very, very long), but it should get you started.

Finally, don't confuse a malware review with a request for reconsideration. If Google's automated scanners find malware on your website, the site will usually not be removed from search results. There is also a different process that removes spammy websites from Google search results. If that's happened and you disagree with Google, you should submit a reconsideration request. But if your site has a malware label, a reconsideration request won't do any good — for malware you need to file a malware review from the Overview page.

How long will a review take?
Webmasters are eager to have a Google malware label removed from their site and often ask how long a review of the site will take. Both the original scanning and the review process are fully automated. The systems analyze large portions of the internet, which is a big place, so the review may not happen immediately. Ideally, the label will be removed within a few hours. At its longest, the process should take a day or so.

The comments you read here belong only to the person who posted them. We do, however, reserve the right to remove off-topic comments.

26 comments:

Online Data Entry Jobs said...

I have seen this warning and wondered about it. I'm wondering how someone can put malicious software on your website? How do they get access to your website?

Thanks

dave said...

Hi,

I'm trying to find out how to include our paper in the news section. I can't find it anywhere. I tried Googling it, but couldn't find it. It's how I got here.

Any help?

Thanks,

Dave

atprincess said...

This is an excellent post. I've been concerned about malware knowing that it's possible for websites to be hacked, and as the owner and webmaster of my own startup, I don't have an IT department or person to turn to. Thanks Google for making my work easier.

dean said...

This malware thingy happened on three of my sites! It may have been down to an unhappy ex-employee who had remote access to the sites? Strange that each site became infected at more or less the same time. Thanks to Google they fixed the problem but my sites were down for 3-4 days!

I closed all remote access down and changed all passwords, happy to say no problems since.

Dean c

Jim said...

Thanks for your post on this subject, Oliver...and thanks for providing so many details and insights into Google's efforts to obliterate malware.

As a webmaster who recently had two websites flagged for malware though, I'd like to share a bit of feedback and a few suggestions. Hopefully your team can take the time to consider the issues faced not only by end users who are victimized by malware, but also by web sites that are exploited by hackers -- and often pay the highest cost from the damage they do.

So here are a few of my concerns and observations:

1. With the introduction of Firefox 3, this has become an even bigger issue for webmasters than it was before, since Firefox all but bans users from visiting sites that are flagged for malware by Google.

2. I understand why you cannot necessarily give webmasters warning at this stage (though I hope the pilot program is successful). What I think you can do, however, is provide a less opaque review process. A few ideas there:

* Provide a status report for the review and an estimated timeframe.

* Offer a tool that runs a "test" check on the flagged content, so that the webmaster can ensure it has been fixed. I understand that it might require more resources to do a full check that clears a site, but it would be helpful if a tool could at least tell the webmaster that it appears the problem has been resolved. I'd hate to wait 24 hours for a review only to find I missed a spot and I was still under the malware warning.

* Provide some mechanism for interface or discussion with someone in support, or some sort of means to expedite the process. I would gladly have paid a fee to expedite the process for our website.

In conclusion, I strongly urge you to consider how you handle these situations and find out how you can make the process less onerous for websites, which are themselves usually victims rather than perpetrators of attacks.

Thanks for listening.

Nanook said...

I'm a bit skeptical of the explanation because one of my sites was compromised via an exploit in CopperMine photo gallery to add an iframes tag that included a site with malware.

Some of the compromised pages were flagged right away but others weren't flagged until about three weeks after it was fixed and it took several more weeks for the flag to be removed.

This delay is very damaging both in allowing users to be exposed, and in commercial damage even when a webmaster responds and corrects the situation right away.

Ben said...

Hi Oliver,

Actually, I'm slightly confused by your blog, even though it was fairly comprehensive (in fairness, it might be my own ignorance). I don't understand why you don't just remove the particular result from your SERP's when you know that the site has been compromised - rather than leave it in and risk people clicking on it?

I say this, because I'm CEO of a new Global Address Book website called http://wikiworldbook.com and over the last 6 months of a steep learning curve, I know that Google chooses not to index some sites at all or to "temporarily" remove pages or whole sites from your SERP's when they have transgressed in some way (my developer and I have concluded that this is sometimes difficult to figure out...).

So if Google isn't aiming to show results to every site or every page all of the time, why does it need to show these results at all? After all, the website owners should respond pretty quickly when they disappear from your results.

Jithin said...

The post is really good and helpful. Now I know how to interpret those warning messages :)
www.eclicks.co.cc

basetta said...

Hi,
I do not know if it is the right place to ask about that, but anyhow.

I have a website (a small one) that used to get 100 visits a day from Google with different keywords. From one day to another, the visits from Google are zero. Why? It looks like my website goes from the first, second, third page to the 50, 180, 200.

What have I done wrong?

thx

reception said...

When the malware is coming from Google Ads though, and I have to remove all my Google ads and upload the whole site - and then wait for a review - and explain to my clients that Google was the doorway, it's very frustrating.

MS said...

I have some web content at the free web hosting site www.freewebtown.com

I am absolutely sure that there is no malware on my site.

However, it seems that Google has blocked the entire freewebtown domain as an "attack site".

I find that unfortunate. Probably someone is abusing that free service to post some malware. Then, Google should block the sites on the domain where it has found malware, not the whole domain. (If Google found malware on someone's site on AOL, would it block the entire AOL domain? Yahoo)

Freewebtown is the best free web hosting service I have found, with a lot of space available per person, no ads put on the pages (unlike other free services, such as Geocities), no file size limit. Unlike Google Sites, you can use FTP to upload content created elsewhere.

I am sure that the vast majority of sites on Freewebtown are legitimate, with no malware. Should all the good sites be blocked, due to a few bad ones? Just block the bad ones!

I am a teacher, earn no money from the sites, it is something I use to provide information and help to my students. (Being for young students, it is important that the pages not have ads on them.) Freewebtown is the best host I could find for that.

I sure hope that Google stops blocking the whole domain!

Is anyone reading from Google, who could change that policy, or suggest it?

Mike Kirby said...

Can Google contact me for removing a bad cache? I know this is off-topic, but I am kinda desperate and don't know how to get through to you guys.

Mike Kirby said...

Could Google delete an old cache still floating around on my site? I am an older person with minimal computer skills and I am desperate to have this cache deleted.

MS said...

Hello,

Does anyone from Google read this blog??

I would really like a response to my previous post, regarding what seems to be the total blockage by Google of the whole domain of www.freewebtown.com.

It really seems unfortunate, that all content, on what seems to be the best free web hosting service, is being reported as "attack site" by Google "Safe Browsing", and blocked from both Google Chrome, and the much more popular Firefox 3.

Google--please just block the sites you found that have malware, not whole domains (unless it is clear that a whole domain only exists for the purpose of spreading malware, certainly not the case here).

I really don't know whether they ever read this blog though, so we may be talking to ourselves. Does anyone know of a way to contact the folks who run that "Google Safe Browsing" service? An e-mail address? Web page to leave feedback for those folks?

Brian said...

Really pleased you made this post. Thanks a lot

Brian

Great New Posts

Ashwan said...

Hello,
recently my site was hacked, especially my forum, which I have since deleted for good.
Despite all these files on my server having disappeared, I'm still seeing them in Google's cache of my site.
I think these things are seriously still affecting my rankings as most of them were for pornography sites.
My site is http://play-electric-guitar.net - I don't see anywhere in webmaster tools where I can get Google to look again and re-evaluate my site.
Can someone help me please.

Dimension India Seo said...

These are good guidelines and tips. Thanks for sharing.

Michael said...

Google seems to be copying Scandoo (see http://www.scandoo.com), which ironically uses Google.

NO said...

Today EVERY search result came up with that label. What's up with that?

wail of ignorance said...

Anybody know what's going on today (Jan. 31, 2009)? All of a sudden Google thinks every single page has malware (including this blog page). Google's malware warning is broken.

paul said...

Jim's comments (Oct 08) are spot on.

Instructions for a malware review suggest a relatively quick process. In reality it is slow and there is no means of following progress.

Considering the importance of the matter to other web users there is no email contact point with Google, just going round and round in infinite "help" pages.

The idea that Google sends out "Warning" emails to a selection of "potential" owner email addresses is silly.

DS-girls said...

Google also has a problem

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&en=en&site=googleanalytlcs.net/

BeautyHealthZoneBlog.com Editor said...

Actually, I think a good chunk of malware affecting Google blogs comes from malicious blogs deliberately set up to steal information and compromise the Google network of legitimate blogs.

I have been blogging for three years now and all of a sudden there has been one problem after another with blogs.

Malicious code is being set up on blogs where the user profiles are hidden, these malicious blogs then spam legitimate blogs with comments using bots in some cases and help to spread spyware, malware and facilitate in compromising blogs set up in good faith.

Hopefully, Google will do something soon about these troublesome blogs as it is getting to be quite annoying.

RADULESCU said...

Hello. Can somebody help me with my site www.kubik.ro? I received a message and I don't know how to fix it. Please help me if you can. Thanks

Melanie Kusmik said...

The non-profit website I am supporting was flagged in June as a malware site. The server admin and myself fixed all the problems we could find. I submitted a request for review 5x over the last 4 months, with no response from Google or stopbadware.org. Google's search results show the site has been clean for over 90 days, but it has not been removed from the hacker list. Can someone please help!
site: http://www.dlpoa.org