Thursday, September 1, 2011

Malware Alert Search

Yesterday, Google slapped a malware alert on the Internet Search Challenge blog. Maybe you saw that message too, blocking access to this site.

The problem turned out to be an image in a blog post from last February, ironically, a search challenge about spam and phishing. The original image was associated with a site tagged as a malware threat.

If you ever get a similar message from Google about your own blog, this description may help you work through the problem.

Looking at the code for the image, there wasn't really a threat, but it triggered a stock response from Google indicating that internetsearchchallenge.blogspot.com was "a site known to distribute malware."

Not true, but not something to take lightly, either.

One lesson learned is not to link to images via 'unvetted' URLs. In this case the culprit URL was worldcorrespondents.com, where I found the image. Back in February, to save time I just linked to the image. I won't do that again.

Getting Google to remove the alert involved the greater challenge. Included in the report I received was this information:

Malicious software is hosted on 1 domain(s), including guide-securesoft.ru/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including worldcorrespondents.com/.

If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster's Tools Help.


How do I find the page(s) affected with those URLs? I clicked on Google's Webmaster Help Center where they suggested quarantining the site. Since Blogger (blogspot.com) is the host, I couldn't find a way to contact the provider about taking down the site. In the Blogger dashboard I found where I could delete the site, but thought that too extreme an action. So quarantining was off the table for the time being.

Searching further, I found a way I could remove the offending page(s) from Google's search results, but I still didn't know the identity of those culprit pages, the first step in cleaning up the site. Webmaster Help was not proving very helpful.

Then I found this in Webmaster Help:

If your site has been infected with malware, check the Malware page in Webmaster Tools. (On the site dashboard, click Diagnostics and then click Malware.) This page lists sample URLs from your site that have been identified as containing malicious code.

That sounded like what I needed [competency: careful reading and understanding something about the problem]. But how to find the dashboard in Webmaster Tools? [competency: search strategy] I did a Google search for google webmaster tools dashboard [competency: keyword querying]. Looking through the search results [competency: browsing], that brought me to www.google.com/webmasters/tools/.

To continue I had to log in to my Google account [competency: persistence]. This made an interesting browsing challenge. What link to click? Nowhere are any of these keywords listed: dashboard, diagnostics, malware. After a bunch of fruitless forays, I clicked on the link to my site, which was listed on the Webmaster Tools page [competency: browsing]. Only then did I see the term 'dashboard' along with URLs where Google detected the problem. Bingo!

It was a manual process to eliminate the offending material, but now armed with the URL of the blog post where the problem was found, I could log in to Blogger, easily find that page and either edit or delete it. Since this page still gets many hits, I chose to search the HTML code for a reference to worldcorrespondents.com (none was found for the other link) and simply delete that code.

I replaced the 'tainted' image with a 'clean' one from 21cif.com.
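
The manual search of the post's HTML described above can be scripted. The following is an added example, not part of the original post: it lists every resource or link in a post that points off the blog's own host and marks the ones on the two domains named in Google's report. The sample HTML, its paths, and the function and class names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in the Google report quoted on this page.
FLAGGED = {"worldcorrespondents.com", "guide-securesoft.ru"}
# Attributes that make a browser fetch from, or link to, another URL.
URL_ATTRS = {"src", "href", "data", "poster"}

def host_matches(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

class ExternalRefFinder(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = own_hosts
        self.refs = []  # (line, tag, attribute, host, flagged)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            try:
                # Handles absolute and protocol-relative ("//host/...") URLs.
                host = urlsplit(value.strip()).hostname
            except ValueError:
                continue  # malformed URL, nothing to resolve
            if not host or any(host_matches(host, h) for h in self.own_hosts):
                continue  # relative path or the blog's own host
            flagged = any(host_matches(host, d) for d in FLAGGED)
            self.refs.append((self.getpos()[0], tag, name, host, flagged))

def audit(html, own_hosts):
    """Return external references found in html, in document order."""
    finder = ExternalRefFinder(own_hosts)
    finder.feed(html)
    finder.close()
    return finder.refs

# Constructed sample post body; the paths are placeholders.
SAMPLE_POST = """\
<p>Search challenge about spam and phishing</p>
<a href="http://internetsearchchallenge.blogspot.com/example.html">earlier post</a>
<img src="http://www.WorldCorrespondents.com/images/example.jpg">
<img src="//21cif.com/images/example.png">
<img src="/images/local.png">
"""

if __name__ == "__main__":
    for ref in audit(SAMPLE_POST, {"internetsearchchallenge.blogspot.com"}):
        print(ref)
```

Unflagged external hosts are still reported, because any hotlinked resource depends on a site whose reputation can change after the post is published.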

Then I had to request Google to re-examine the blog to see if the malware threat was completely removed. It was, and now you can see this page without fear that your computer is going to be attacked.

Finally, I ran a malware scan on my computer and found none.
