[MUSIC PLAYING]
MAILE OHYE: Hi, I'm Maile Ohye.
Moving forward in our series of videos on hacked site recovery,
you're now ready to assess the damage.
This video is tailored to those who
received a message that their site was infected with malware
and who have a fairly technical background in viewing source
code and running commands in the terminal.
To help and to share his expertise in fighting malware,
I'm joined with an engineer on Google's Safe Browsing
team, Lucas Ballard.
LUCAS BALLARD: Hi, Maile.
MAILE OHYE: Thanks for offering to help.
Thus far, we've heard an overview of hacking
and confirmed that our site was compromised to serve malware.
Now we're ready to assess the damage.
But before we go any further, can you
explain what exactly is malware?
LUCAS BALLARD: Sure.
Malware is a general term for malicious software
that is designed to harm a computer or network.
Malware includes things like viruses, worms, spyware, key
loggers, and Trojan horses.
To protect everyone on the web from malicious software,
the Google Safe Browsing team runs internet-wide scanners
to find harmful pages.
Our automatic scanners determine whether pages
are infected by detecting malicious content.
The reputation of the webmaster is not a factor in the process.
If your site was infected with malware, you're not alone.
We find about 10,000 newly infected websites each day.
MAILE OHYE: That's helpful to know.
Can you also provide a concrete example
of what it means for a site to be infected with malware?
LUCAS BALLARD: Of course.
Whenever legitimate sites are labeled as "infected
with malware," it's because Google
has determined that when a user visits these sites,
their browser will automatically visit another site that
will attack the browser.
Typically, the browser visits this attack site
because the legitimate site, or one of the resources
included by the legitimate site, has
been modified to include content from the attack site.
We alert users to malware pages because when a user visits
the infected page, content from an attack site
will exploit a vulnerability in the user's browser.
Once the exploit is successful, malicious software
is automatically loaded onto the user's computer
without their knowledge.
The malicious software may be spyware to gather
users' banking credentials or malware
that uses the infected computer to send spam.
With the user's computer compromised,
the hacker has added another node
in their malware network, which can
be used to attack other computers or websites.
MAILE OHYE: Your example really demonstrates
how malware spreads like an infectious disease.
Please explain how site owners can
learn if their site is infected with malware
or if their site was involved in infecting others.
LUCAS BALLARD: OK.
Google Safe Browsing publicly displays this information
to all users, regardless of whether you're
the verified site owner.
Let's go to our laptop and navigate to Google Safe
Browsing diagnostic page.
It's at www.google.com/safebrowsing/diagnostic?site=
and then your site.
For example, I might add googleonlinesecurity.blogspot.com.
Here, you can see the current status of your site with regard
to whether users can safely browse your pages.
My team runs the scanners responsible for generating
this data.
Thankfully, our online security blog is safe.
Let's take a look at a site infected with malware
to show more information on what each of you might be seeing.
The type of information you'll see on the Safe Browsing
diagnostic page is the site's current status, meaning,
is the site likely to be safe?
Or is it suspicious and dangerous for users?
Sites infected with malware are obviously listed as suspicious.
Below that, in "What happened when Google visited the site,"
we display more detailed information.
For example, you could see which attack sites
would be included from your site.
You can also view information about the attack site itself.
Again, the attack site is used to actually host the malware
to infect users and check if your site was included
in a larger malware network.
Clicking on the attack site or network
brings you to more information within Safe Browsing.
The last bit of information on this page
shows whether your site was used as an intermediary
to infect other sites or to host malware.
MAILE OHYE: Thanks, Lucas.
Moving forward, now that we understand malware,
can you explain how to safely investigate
the damage on our own site?
LUCAS BALLARD: Good question.
I'm glad you asked.
Before you view pages, delete files, or modify your site,
let's start with several tips for investigating malware.
First, please do not use your browser
to open an infected web page.
As mentioned earlier, malware often
spreads by exploiting browser vulnerabilities.
Opening an infected web page in your browser
is just asking for trouble.
Second, it's very helpful when investigating malicious code
to have server access.
Because some malware is configured so that it only
displays based on the user agent, cookies, referrer,
time of day, operating system, or browser version,
it's good to see the actual source
code of the page for better understanding of its content
and behavior.
Third, there are a couple useful tools
for conducting diagnostic HTTP requests, or page fetches,
for assessing the damage to your site.
Because hackers often configure redirects from legitimate sites
to attack sites, just looking at a page's source code
may be insufficient for detecting redirects.
You'll need to actually fetch the page.
Two helpful, often freely available tools,
are Wget and cURL.
Both Wget and cURL make HTTP requests,
and they can be configured to include referrer,
user agent, or browser information.
These capabilities are helpful to reveal
some of the sophisticated techniques hackers use
to avoid detection.
For example, the hacker may configure the site
to only redirect to malicious content
when the URL is requested from a search result page,
meaning that if the user searched on google.com,
their request for a page will include a Google referrer.
By only serving malicious content
to users with a Google referrer, the hacker
has targeted more real people and can better
prevent detection from webmasters and malware
scanners.
Searching for Wget and cURL should
return resources further explaining their usage.
MAILE OHYE: To recap what you've covered--
when investigating malware on our site, one,
don't open the page in a browser.
Two, view the source code of the page on a file system.
And three, look for redirects and check source code
through Wget or cURL.
LUCAS BALLARD: Well, we already visited the Safe Browsing
Diagnostic Page to gain a high-level
view of how our site was affected.
The next place to look is the malware section
of Webmaster Tools.
MAILE OHYE: As a verified owner of my site,
I'll log in to Webmaster Tools, select My Site,
Diagnostics, then Malware.
Lucas, can you tell us more about the information
your team displays on this page?
LUCAS BALLARD: Definitely.
The Malware page comprises two buttons
at the top, Download Table and Request a Review.
You'll use the Request a Review button
once your site is malware free.
Before we get there though, we'll
need to assess the damage.
The table on this page shows a sample
of the infected URLs from your site,
the type of infection our scanners recognize,
and the most recent date it was detected.
Clicking on the URL leads to the Malware Details page
with specific action items.
Some URL examples lack an infection type.
While our scanners detected the URL as malicious,
we were unable to identify the specific behavior.
For the others, I'll give an in-depth explanation
of each infection type in an individual video.
After each sample URL in Webmaster Tools
is investigated, the last action of this step
is to more generally assess the damage to your site.
MAILE OHYE: Yes.
A File System Damage Assessment is the last video
to watch in this step.
File System Damage Assessment helps
you compile a list of files that were modified or added
by the cyber criminal to aid in clean-up in the steps ahead.
Thanks, Lucas.
Everyone, for each malware type on your site,
please check out Lucas's corresponding videos on topics
like server configuration, SQL injection, and error template.
Once you've investigated the damage for all malware types
on your site, make sure to perform a General File System
Assessment.
When these actions are completed,
advance to the next step-- identify the vulnerability.
We're getting closer to recovery.
Keep up the great work.