Thursday, October 29, 2009

Do machines dream of electric malware?

We've explored Google's anti-malware processes several times recently, as well as our efforts to work with webmasters to help protect their users. However, there's been some confusion about the objectivity of our scanning and flagging procedures.

Google uses fully automated systems to scan the Internet for potentially dangerous sites. These systems help detect sites infected with malware and then add a warning that appears in Google search results and in many web browsers. We flag sites in this way to help protect users who might visit them. The warning is a cautionary page, and we never prevent users from viewing the affected site if they choose. It's important to note that sites are often compromised without the webmaster's knowledge, so we provide affected webmasters with further information on the issues we've identified — including showing snippets of the malicious code we find. We also offer free resources in Google Webmaster Tools to help site owners clean their sites and request a re-scan.

Site owners sometimes say that we've made a mistake and that their site does not contain malware. For example, the recent appearance of a malware warning on sparked discussion about how Google flags websites. Our scanners — which are automated and indifferent to a site's subject matter — first found a malicious ad on the domain at approximately 3:47 a.m. PT on October 17, 2009. Over several days, the scanners detected thousands of URLs with suspicious content in other domains.

Malicious content can be very difficult to detect. A previous post on this blog offered tips for finding hidden malware and cleaning up websites. There are also good tips on Google's Webmaster Central Blog. If a webmaster has indeed removed the malicious content and filed a malware review request in Webmaster Tools, the warning label will be removed shortly. If it persists, however, it's very likely that dangerous content remains. Our scanners are highly accurate, and false positives are extremely rare.

When Google's automated systems detect dangerous content on a site, an email is sent to several administrative email addresses at the site, as well as to the corresponding Webmaster Tools account if one exists. We sent a notification to at 11:01 a.m. PT on October 17, just as any compromised site would receive. The email includes an explanation of how the site may have become compromised and unknowingly been distributing malware. It also describes the process of removing malware from the site and getting the Google warning removed from the site. A copy of the message sent to the addresses associated with infected sites is below:

We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on
We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:
1) the site was compromised
2) the site doesn't monitor for malicious user-contributed content
3) the site displays content from an ad network that has a malicious advertiser

If your site was compromised, it's important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites: Once you've secured your site, you can request that the warning be removed by visiting and requesting a review. If your site is no longer harmful to users, we will remove the warning.

As the email says, the fastest way for a site to be removed from the malware list is for the webmaster to file a review request via Google Webmaster Tools. Google's automated scanners will periodically re-examine the site even if no such request is received, but the process will take longer. did not file a review request, but our scanners reviewed the site on October 23 and removed the malware warning after finding that the malicious ad was gone.

Malicious display ads are an increasingly common way for sites to unknowingly distribute malware. We recently wrote about the steps that Google takes to help protect our advertising networks. Also, other publishers have recently written about their experiences with deceptive display ads.

Thursday, October 22, 2009

Best Practices for Verifying and Cleaning up a Compromised Site

As part of Cyber Security Awareness Month, Google's Anti-Malware Team is publishing a series of educational blog posts inspired by questions we've received from users. October is a great time to brush up on cyber security tips and ensure you're taking the necessary steps to protect your computer, website, and personal information. For general cyber security tips, check out our online security educational series or visit To learn more about malware detection and site cleanup, visit the Webmaster Tools Help Center and Forum.

In our last post in this series, we explained Google's malware scanning process and how malware warning reviews work. It's not always clear to webmasters how to go about cleaning up their sites once they've been compromised, so this time we thought we'd share some best practices.

1) Verify Your Site with Google Webmaster Tools

If you have added and verified your site's ownership with Google Webmaster Tools, you can view a partial list of URLs where our system has detected suspicious content on your site, as well as samples of the malicious code. Once you've thoroughly cleaned up your site and addressed the vulnerability that allowed it to be compromised, it's easy to request a review through Webmaster Tools. We recognize that some site owners may want to use these tools even if they haven't already signed up with Webmaster Tools. For that reason, we enable you to verify ownership of your sites at any time, even if our systems have listed them as potentially dangerous.

2) If Your Site Has Been Compromised, Perform a Comprehensive Cleanup

If any part of your site has been compromised, thoroughly check all pages on the site for harmful code or content — not just the example pages listed in Webmaster Tools. Be sure to identify and address the underlying vulnerability that led to the compromise, or else reinfection is likely to occur.

Remember to Check Your Web Server Configuration

In addition to checking the contents of your site's pages and web server source code, remember to check that your web server configuration has not been modified by any intruders. If your web server has been compromised, your site's error pages can be modified to include custom HTML that actually redirects visitors to malicious sites.

Deleted & Error Pages: Dark Corners of Your Website Where Malware May Be Lurking

When a page is deleted from a site, the web server returns an error code (usually 404: Not Found) when requests to the "deleted" URLs are made. In addition to the error code in the HTTP header, the web server may send a custom error page or "Not Found" page, usually intended to help users find what they are looking for. If your site is infected, its error page can contain arbitrary HTML that exposes your visitors to malware. You can search our Webmaster Forum for information about how others are dealing with similar problems. The recently-launched malware samples feature in Google Webmaster Tools could also come in handy.

3) If You Switch Hosting Providers, Disable Access to the Old Version of Your Site

When a site is moved to a different hosting provider, the DNS records are updated such that the domain name points to a new IP address. In some cases, DNS caching can cause your domain name to continue resolving to the old IP address for some visitors even after the site has moved. For this reason, we recommend instructing your former hosting provider to stop serving any content for your site. This may cause some visitors to experience server errors for a few hours, but can protect them from visiting a potentially dangerous web server.

As always, our Webmaster Forum and StopBadware's BadwareBusters can be good sources of help and information when cleaning up a compromised site.

Friday, October 16, 2009

Protecting Users and Ads from Malware

As part of Cyber Security Awareness Month, we're highlighting cyber security tips and features to help ensure you're taking the necessary steps to protect your computer, website, and personal information. For general cyber security tips, check out our online security educational series or visit

At Google, we always aim to provide users with useful, relevant information. Readers of this blog know that we also work hard to detect malicious content on the web and protect users from harm. But did you know that we strive for the same level of relevance, and work equally as hard to protect users, in our online advertising business?

The mainstream media has recently picked up on the topic of malvertising (malware-infected advertising). Google's Anti-Malvertising Team works hard in this area and would like to take this time to share some important safety tips. We work closely with the Anti-Malware Team to identify trends and improve automated detection systems. We also educate users, develop policies and act as a liaison between the online security and online advertising communities.

Whether you're a web publisher who accepts ads on your website, or a home user who enjoys browsing the wide variety of advertising-supported content available on the web, we expect the resources below will help protect you from malvertising.

What is "Malvertising?"
"Malvertising" = malware + advertising. Haven't heard of it? The terminology may be new, but we can all understand the concept. Although malware distributors have attempted to spread malware through online ads for years, ever-improving prevention and detection methods have made it unlikely for most Internet users to have encountered a "bad ad" firsthand. However, it's important to make sure that you (and your computer) are properly prepared in case you encounter any source of malware on the web — whether it is an infected ad, a hacked site, a dangerous link, or someone who is pretending to be someone they're not.
We created earlier this year as a resource for all members of the online ecosystem. contains tips designed for publishers, ad operations teams, and Internet users to help protect their websites, networks, and computers.

Tips for Web Publishers: Know Who You're Working With, Perform Comprehensive QA, & Have a Plan in Place includes a custom search engine to help individual ad networks, publishers, and ad operations teams conduct quick background checks on prospective advertisers. It indexes a variety of independent, third party sites that track possible attempts to distribute malware through advertising. It is intended to be used as one of the steps in a publisher's background check process.

In some recent cases, infected ads that had already been caught and publicized by security researchers have remained active within some advertising systems.'s malvertising research engine makes it easier for the online advertising and security communities to share information and collaborate to help protect users from emerging threats.

For more detailed guidance on the following tips, visit
  • Pay close attention to all agencies and advertisers with whom you work.
  • Perform due diligence by thoroughly checking prospective partners' references and credentials.
  • Perform comprehensive QA on all ad creatives.
  • Protect your own computer and website from infection.
  • Be aware that various ad networks and exchanges may have significantly different standards for the prevention and detection of malware. No automatic detection system, however robust, can substitute for your own vigilance. However, we strongly advise against exposing your site to harm by using networks or exchanges without strong anti-malware security measures in place.
  • Ensure your Ad Operations team has an incident response plan in place (for guidance, visit
Tips for Users: Protect Your Computer, Update Regularly, and Avoid Getting Tricked
  • Make sure your browser, operating system, software and plugins are all updated regularly (enable auto-updates when possible).
  • Be aware that malware can be disguised as antivirus/antispyware software in order to trick people into buying or downloading it. Fake (and harmful) software of this kind is known in the web security community as "rogue security software." How to avoid getting tricked? Always research a company's reputation before downloading its software or visiting its website, and be wary of unexpected warnings from products you haven't installed yourself. You can view a list of some legitimate free security scans at
  • Exercise caution whenever you're prompted to download an email attachment, follow an instant message link, install a plug-in, or download an unfamiliar piece of software.
Protecting the Free Availability of Online Content
In addition to providing visibility to advertisers, revenue to publishers, and information to users, the online advertising business model also enables anyone with an Internet connection to access an entire world of content for free. By increasing our vigilance as a community, we can help to keep online ads safe and preserve the wide access to information that advertising enables.

Monday, October 12, 2009

Show Me the Malware!

As part of Cyber Security Awareness Month, we're highlighting cyber security tips and features to help ensure you're taking the necessary steps to protect your computer, website, and personal information. For general cyber security tips, check out our online security educational series or visit To learn more about malware detection and site cleanup, visit the Webmaster Tools Help Center and Forum.

To help protect users against malware threats, Google has built automated scanners that detect malware on websites we've indexed. Pages that are identified as dangerous by these scanners are accompanied by warnings in Google search results, and browsers such as Google Chrome, Firefox, and Safari also use our data to show similar warnings to people attempting to visit suspicious sites.

While it is important to protect users, we also know that most of these sites are not intentionally distributing malware. We understand the frustration of webmasters whose sites have been compromised without their knowledge and who discover that their site has been flagged. We proactively offer help to these webmasters: we send email to site administrators when we encounter suspicious content, we provide a list of infected pages in Webmaster Tools, and we maintain a service that allows webmasters to notify us when they have cleaned their sites. Read more about this process in the previous post on this blog.

We're happy to announce that we've launched a feature that enables Google to provide even more detailed help to webmasters. Webmaster Tools now provides webmasters with samples of the malicious code that Google's automated scanners detected on their sites. These samples — which typically take the form of injected HTML tags, JavaScript, or embedded Flash files — are available in the "Malware details" Labs feature in Webmaster Tools. (
UPDATE: The 'Malware details' feature graduated from Labs and is now part of the default Webmaster Tools interface. You can access it in the regular menu under 'Diagnostics'). Registered webmasters (registration is free) of infected sites do not need to specially enable the feature — they will find links to it on the Webmaster Tools dashboard. Webmasters will see a list of their pages that we found to be involved in malware distribution and samples of the malicious content that Google's scanners encountered on each infected page. In certain situations we can identify the underlying cause of the malicious code, and we'll provide these details when possible. We hope that the additional information will assist webmasters and help prevent their visitors from being exposed to malware.

Malware details for your site

Malware details for a particular page

While we're excited to offer this feature, we caution webmasters to use the tool only as a starting point in their site clean-up process. Google's scanners may not be able to provide malware samples in all cases, and the malware samples may not be a complete list of all the malware on the page. More importantly, we advise against simply removing the examples that are displayed in Webmaster Tools. If the underlying vulnerability is not identified and patched, it is likely that the site will be compromised again.

In addition to helping the webmasters of sites with malware warnings, this new detail is also designed to promote the general health of the web. In some cases, our automatic scanners find questionable content on a site but do not have enough data to add it to the malware list. The new "Malware details" feature will highlight these instances to webmasters early on to help them identify and address security vulnerabilities more quickly.

We hope you never have cause to use this feature, but if you do, it should help you quickly purge malware from your site and help protect its visitors. We plan to improve our algorithms in the upcoming months to provide even greater coverage, more accurate vulnerability identification, and faster delivery to webmasters.

Friday, October 9, 2009

The Malware Warning Review Process

As part of Cyber Security Awareness Month, Google's Anti-Malware Team is publishing a series of educational blog posts inspired by questions we've received from users. October is a great time to brush up on cyber security tips and ensure you're taking the necessary steps to protect your computer, website, and personal information. For general cyber security tips, check out our online security educational series or visit To learn more about malware detection and site cleanup, visit the Webmaster Tools Help Center and Forum.

Google's anti-malware efforts are designed to be helpful to both webmasters and website visitors. Google continuously scans our web index for pages that could be dangerous to site visitors. When we find such pages, we flag them as harmful in our search results, and also provide this data to several browsers so that users of these browsers will receive warnings directly. We undertake this process as part of our security philosophy: we believe that if we all work together to identify threats and stamp them out, we can make the web a safer place for everyone. While we believe these processes are important steps in helping to protect our users, we also understand the frustration felt by the webmasters of flagged sites. This is why we notify webmasters as soon as we discover that their sites have been compromised. Additionally, we provide webmasters with a tool to file a review once they have cleaned their site. The review process works as follows.

Part 1: The webmaster's job: The first step is site cleanup. The webmaster should remove all harmful content from the site. We realize that it can be tricky to find all the infections on a website, and webmasters should look thoroughly if the warning label persists. Keep in mind that if your site contains elements from another website that may have been compromised, it will remain flagged. This is because your site could still introduce harm to visitors. To prevent reinfection, the webmaster should also identify and fix the underlying software vulnerability that led to site compromise in the first place. For a guide on how to do this, visit

Once a webmaster has cleaned up the site, a Malware Review can be filed with Google's Webmaster Tools (please note that a Malware Review request is not the same as an Index Reinclusion request). The process for Malware Review is as follows:
  1. Log in to Webmaster Tools.
  2. From the Tool's home page click on the link to the site that is being flagged. This will bring you to the site's Dashboard.
  3. There should be a large red banner across the top of the dashboard that says "This site may be distributing malware." Clicking on the link that says "More Details" expands the dashboard to reveal a list of pages on the site that were found to be malicious.
  4. Below this list is a link that says "Request a review." A webmaster can fill out this form and click the "Request a review" button to initiate the review process.
More detailed instructions can be found here.

Part 2: Our job: Upon receiving a Malware Review request, an automated set of algorithms verifies that the site has been cleaned. These algorithms revisit a subset of both the malicious and non-malicious pages that were scanned when the site was originally flagged. Additionally, these algorithms test some pages that were not originally scanned. If none of the tested pages are found to be malicious, the site is deemed to be safe, and warnings are removed from search results. A typical appeal takes only several hours to complete, although in some cases the process may take up to one day.

In addition to processing appeal requests from webmasters, we also rescan compromised sites periodically.

We encourage webmasters of infected sites to quickly clean their web pages and proactively request reviews through Webmaster Tools. After the site has been thoroughly cleaned and reviewed, it will no longer show a warning on Google's search results pages or through the browsers making use of our data.