
 

Thread: Befuddle Malware Warning

  1. #1
    befuddle's Avatar
    Registered User

    Status
    Offline
    Join Date
    Jan 2005
    Location
    Leeds, UK
    Posts
    1,101
    Thanks
    91
    Thanked 61 Times in 45 Posts


    I’ve worryingly received an email from Google saying my Befuddle drunk celebrity pages, “can cause users to be infected with malicious software.” As a result, a “This site may harm your computer” message is printed on the search pages and the link goes to a warning page.

    The email gives three example urls but it applies to many and to be honest I can’t see anything wrong. (Search for britney spears drunk). Google does say, “in many cases the webmaster is unaware because the site displays content from an ad network that has a malicious advertiser.”

    My pages do contain advertising from a third party, Claxon media. I don’t know if they are to blame or not but they’ll be the first bit of code to be removed.

    Now, firstly, I have to say that I have not updated Befuddle in a long long time. Seven times since 2005 in fact! Twice in March 2007, three times in January, once in December 2006 and then it was back in January 2006 before the last update.

    Despite the low frequency of updates it still receives credible traffic as it receives up to 4,000 visitors each day. At its peak it had 125,000 visitors a day just as Paris Hilton became globally famous.

    Now updating Befuddle is not going to be easy. It hasn’t moved with the times. It’s not written with a CMS or using server side scripting.

    It’s flat HTML all crafted by hand. The site was launched in February 2000 and the code and design hasn’t progressed much since then.

    Editing all my pages is going to be a painful manual chore. On top of that, I don’t even know what I need to remove. There’s no guarantee that if I remove all the advertising, that I have removed the problem.

    I’ve just looked at my analytics stats and can quickly see that my Befuddle traffic has reduced by 2,700 visitors to 900 overnight.

    Now it’s a race against time. I’ve got 10 days before my two week holiday abroad to save Befuddle.

    It is an old site that I’ve grown out of. But I am fond of it and you always have to respect having thousands viewing something you’ve built.

    If I don’t move quick, Google may drop the site for good. It could be a blessing in disguise but if the site is to close I want it to be my choice.
    Last edited by befuddle; 13-09-07 at 09:39 AM. Reason: Changed example as previous was NSFW

  2. #2
    Elaine's Avatar
    Registered User

    Status
    Offline
    Join Date
    Aug 2003
    Location
    Redcar Cleveland North of Leeds
    Posts
    2,556
    Thanks
    115
    Thanked 85 Times in 61 Posts
    Ray - just had a quick look and it seems not all your pages are affected - just that one and then it leads to a page promoting Stopbadware.org! Don't know how exactly it works, but I'd start there - good luck
    Elaine - Children's Rooms, Allkids & Toddler Beds
    email: info @ childrens-rooms.co.uk
    01642 440110

    Parent Centre - Parenting Blog

  3. #3
    befuddle's Avatar
    Registered User

    Status
    Offline
    Join Date
    Jan 2005
    Location
    Leeds, UK
    Posts
    1,101
    Thanks
    91
    Thanked 61 Times in 45 Posts
    Hi Elaine, it appears to be all the celebrity pages. Typically if you do a search for "celebrity name drunk" ie "victoria beckham drunk" you will find Befuddle top of Google if I've got the pages.

    I'm currently doing lots of search and replaces to remove content from the pages except the images and titles and some navigation, so they'll start to look a bit bare.

    There's thousands of pages though. It's the pages that are within the directories that are going to take me hours to edit and republish - and I should be somewhere else right now.
    I may just have to remove them completely if it takes too long.

  4. #4
    Registered User

    Status
    Offline
    Join Date
    Nov 2003
    Location
    London
    Posts
    680
    Thanks
    3
    Thanked 19 Times in 19 Posts
    Hi Befuddle

    I assume you are on a PC?

    Download notetab from Award-Winning NoteTab Text Editors and HTML Editors

    This has a script where you can do global search and replace on files on your hard disk - very powerful and you have to be careful that what you select is unique to what you need to change.

    Check the specs, you may find the free version does this or pay the pennies for the pro version. It is a great html/script editor so is well worth the investment. The std version is more a text editor than html so not recommended.

    Also have a read of this thread Terrible! My adwords account has been hacked in for more info on the malware, including a link to the pdf paper which explains what the google script is searching for and reporting.

  5. #5
    Tom
    Registered User

    Status
    Offline
    Join Date
    May 2005
    Posts
    238
    Thanks
    0
    Thanked 4 Times in 4 Posts
    Hi,

    I actually had this on one of my old sites a while ago. It was very annoying and quite embarrassing. My problem was that someone had hacked the server I was hosting on or maybe brute force guessed my FTP details, I don't know. Another reason to pay for a dedicated server perhaps... But they added iframe code to some of the internal pages of the site. The ones that only Google would ever find anyway! But that made no difference to Google. I had no idea my site had been hacked until all traffic was stopped by this warning page.

    Anyway after many appeals to Google (stopbadware.org) and about a month I eventually gave up and bought another domain and did a 301 redirect to that instead which circumnavigated the problem I think and my new site got listed and traffic sent as normal. Quicker than waiting for Google to sort it anyway, and as the site was also a collection of static HTML pages it would have been a mission to sort. I had of course removed the iframes by this point! It was just getting rid of the warning page that took the time for me.

    I don't know if you've got the same iframe issue, but that might be a start, if you look for them in your code. Like the poster above said, you can probably do a find and replace to some extent, once you've worked out what you're looking for.

    I would have a look but I don't want to risk this computer picking up any nasties if I visit :O

    Good luck!

    Tom

  6. #6
    tbp
    Registered User

    Status
    Offline
    Join Date
    Dec 2006
    Posts
    1,998
    Thanks
    0
    Thanked 22 Times in 22 Posts
    Have you looked at Google Webmaster Tools?

    As part of Google's new dialogue with webmasters they say they will usually put a message up about what the problem is when they give a site a malicious content warning. Doesn't happen for everyone, but worth taking a look and seeing if they tell you what's wrong.

  7. #7
    befuddle's Avatar
    Registered User

    Status
    Offline
    Join Date
    Jan 2005
    Location
    Leeds, UK
    Posts
    1,101
    Thanks
    91
    Thanked 61 Times in 45 Posts
    Hi tbp, thanks for the tip but unfortunately Google hasn't sent me a message via there.

  8. #8
    tbp
    Registered User

    Status
    Offline
    Join Date
    Dec 2006
    Posts
    1,998
    Thanks
    0
    Thanked 22 Times in 22 Posts
    Have a look at the following post from Matt Cutts blog, might be of some help.

    Info about malware warnings and how to appeal them

  9. #9
    darrenb

    Status
    Offline
    Join Date
    Oct 2005
    Location
    Midlands
    Posts
    641
    Thanks
    19
    Thanked 40 Times in 39 Posts
    Same thing as Tom mentioned happened to one of my sites (luckily a very small one).

    Hacked the server and inserted some code at the bottom of my pages.

    Didn't realise until I received the email like you described from Google. Got it sorted by removing the unwanted code and submitted the site to be checked at stopbadware.org; within a couple of days it was back to normal.

  10. #10
    befuddle's Avatar
    Registered User

    Status
    Offline
    Join Date
    Jan 2005
    Location
    Leeds, UK
    Posts
    1,101
    Thanks
    91
    Thanked 61 Times in 45 Posts
    Thanks for your messages. I've not spotted anything untoward in my source code. I can only assume it's the third party advertising network that I use but I can't back that theory up.

  11. #11
    tbp
    Registered User

    Status
    Offline
    Join Date
    Dec 2006
    Posts
    1,998
    Thanks
    0
    Thanked 22 Times in 22 Posts
    I had a look at your page, and didn't see anything initially.

    However, I wondered whether it could be your stats counter. I googled "extreme-dm.com" and "badware" and sure enough a lot of the results show people who had the warning attached to their sites and couldn't work out why, but they also had the same counter.

    Couldn't find a direct answer, e.g. yes, having this counter marks your site as badware, but it seems a coincidence that it's on all the pages that have it.

    I would try removing the javascript that puts the counter on the page completely, submit it to google for checking, and I think that your warning will probably be removed. Looks like google are marking this particular counter as badware for some reason.
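
Added example (not part of any post in this thread): posts #5, #9 and #11 all come down to finding what off-site content thousands of hand-written HTML files pull in. This Python sketch inventories third-party `iframe`/`script`/`embed`/`object` sources across a directory and flags hidden iframes and tags appended after `</html>`; the `.example` hosts and the sample page are constructed placeholders.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
WATCHED = {"iframe": "src", "script": "src", "embed": "src", "object": "data"}

class Audit(HTMLParser):
    """Collect off-site iframe/script/embed/object sources from one page."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = own_hosts
        self.after_html_close = False
        self.findings = []  # (tag, host, [reasons])

    def handle_endtag(self, tag):
        if tag == "html":
            self.after_html_close = True

    def handle_starttag(self, tag, attrs):
        if tag not in WATCHED:
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get(WATCHED[tag], "")).hostname or "").lower()
        if not host or host in self.own_hosts:
            return  # inline, relative or same-site: not third-party
        reasons = []
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        if tag == "iframe" and (tiny or HIDDEN.search(a.get("style", ""))):
            reasons.append("hidden iframe")
        if self.after_html_close:
            reasons.append("after </html>")
        self.findings.append((tag, host, reasons))

def audit_html(text, own_hosts):
    parser = Audit(own_hosts)
    parser.feed(text)
    parser.close()
    return parser.findings

def audit_site(root, own_hosts):
    """Return (per-host counts, flagged tags) for all .htm/.html under root."""
    hosts, flagged = Counter(), []
    for path in sorted(Path(root).rglob("*.htm*")):
        text = path.read_text(errors="replace")
        for tag, host, reasons in audit_html(text, own_hosts):
            hosts[(tag, host)] += 1
            if reasons:
                flagged.append((str(path), tag, host, reasons))
    return hosts, flagged

# Constructed sample: a visible counter script plus an appended hidden iframe.
SAMPLE = """<html><body><img src="pics/a.jpg">
<script src="http://counter.example/c.js"></script></body></html>
<iframe src="http://unknown.example/x" width="0" height="0"></iframe>"""

if __name__ == "__main__":
    print(audit_html(SAMPLE, {"www.mysite.example"}))
```

The per-host counts give the list of third parties to review or remove in one pass. The scan only sees tags present in the files themselves, so anything a third-party script or ad network writes into the page at load time will not appear in it.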

  12. #12
    befuddle's Avatar
    Registered User

    Status
    Offline
    Join Date
    Jan 2005
    Location
    Leeds, UK
    Posts
    1,101
    Thanks
    91
    Thanked 61 Times in 45 Posts
    Hmm, Google with its Google Analytics marks another counter as malware. Oh well, I'll remove it. I don't use it much now but I did like it for historical purposes.

    Here's some stats for posterity...

    Period: 1373 Days
    Unique Visitors 9,176,541
    Counting since 10 December 2003 / 20:36 *
    Highest day 31,077 / 12 Dec, Fri, 2003
    Highest Week 441,018 / Wk 09, 2006
    Highest Month 481,264 / Jan, 2004
    Top keyword hilton

    * This counter was installed after the "Paris Hilton" video period of November 2003, when traffic was crazy.

  13. #13
    befuddle's Avatar
    Registered User

    Status
    Offline
    Join Date
    Jan 2005
    Location
    Leeds, UK
    Posts
    1,101
    Thanks
    91
    Thanked 61 Times in 45 Posts
    This story has been featured in 'The Register' after I was interviewed by Dan Goodin, from San Francisco.

    Google malware watchdogs bite mom-and-pop shops | The Register

    One morning last week, Alan Jay, director of Digital Spy, woke up to discover that Google was warning millions of web surfers that his UK-based entertainment news site was one "that may harm your computer."

    Those brave enough to click on the Google link anyway were invited to learn more about malware by visiting a page at StopBadware.org that said Digital Spy "has been determined by Google's testing to be a site that hosts or distributes badware." Users who still wanted to access the site had no choice but to cut-and-paste its url into their browser address bar.
    Image of Google page showing warning for Befuddled.co.uk. It reads in part: "Warning - visiting this web site may harm your computer!"

    Google issues thousands of "harmful web site" warnings, often without notifying site operators.

    Jay managed to get the warning removed five days later after tracing the problem to tainted banner ads that were served by one of the four advertising networks used by Digital Spy. Throughout the entire time, Jay says, Google and StopBadware refused to identify the source of the badware.


    "We've been completely left in the dark, and we're in a situation where people think we have done something wrong," he says. "So Google’s policy here seems to be to punish an innocent site but not provide information to allow an advertising network to find out what the advert is that is causing the problem and stop it delivering elsewhere in the network."

    Banner badware
    Jay's experience comes as cyber crooks increasingly look to legitimate third-party ad networks as a vehicle for distributing software that silently installs Trojans and other forms of malware while an end user surfs presumably safe sites.

    Last week, it was revealed that a company owned by Yahoo dished out an estimated 12 million ads on sites such as MySpace and PhotoBucket that installed a back door on unpatched Windows machines. Several days later, Roger Thompson of Exploit Prevention Labs said in a blog post that a banner ad infected a test machine while it surfed FaceBook. Malware-laced ads date back at least 14 months, when banners running on MySpace infected more than 1 million users with adware.

    "How come they pick on me, for example, but they don't pick on ... one of the really big sites?" Jay asked. "They don't appear to have penalized any of the sites that were subject to this last week."

    Few law-abiding denizens of the net have a problem with Google using its considerable computing heft to sniff out malicious sites and warn its users to stay away. Regrettably, such initiative is sorely lacking at Yahoo and Microsoft's Live.com. But the experience of Jay and others like him expose some of the pitfalls of a system that frequently doesn't inform webmasters of its findings, fails to provide enough information for them to identify the source, and, in the minds of many operators of smaller sites, gives large websites an unlimited number of get-out-of-jail-free cards.

    The Internet is Large

    A Google spokeswoman says the company uses an objective set of criteria to label potentially harmful sites that is applied to equally large and small sites.

    "Clearly, the Internet is very large and we cannot constantly monitor all sites," she says. "We select a daily subset of the Internet to investigate." She declined to say whether MySpace, PhotoBucket, FaceBook or other large sites known to have served tainted ads has ever been flagged, citing a policy of not discussing individual sites.

    She also said company representatives send email to several addresses associated with the site being flagged so webmasters will know of the malware warning as soon as possible. She added that a feature known as Google Webmaster Tools provides a list of specific URLs to help site operators pinpoint the source of the problem. She also acknowledged that Google security watchdogs are still hammering out their policy for malware delivered via banners.

    "Malicious content delivered by ad networks is a relatively new threat, and we are looking at different approaches to help site owners with this issue while protecting our users," she says.

    That's little comfort for people like Raymond Theakston, operator of Befuddle.co.uk, a site that offers pictures of Britney Spears and other celebrities as they are spotted drinking alcohol, often to excess.

    On September 12, Google sent him an email that said some pages of his site "can cause users to be infected with malicious software." The email pointed to three offending URLs, and Theakston says he has scoured their html for iframes or other scripts that attackers could have added without his knowledge. When he came up empty-handed, he dumped the ad network he had been using for years and removed a statistics counter that someone told him might be suspect.

    He is awaiting a rescan of his site, and if it comes up clean, Google says it will remove the warning. But after 10 days of being branded a parasite, Theakston says the damage has been done.

    The site averaged 1,648 unique visitors per day during the first week of September, but a week after the Google warning began, unique visitors dropped to an average of 619.

    "Traffic has gone down a lot," says Theakston, who lives in Leeds and by day works as a senior tester for a large telecommunications company. "Fortunately, I don't rely on the site for revenue anymore."


    A Free Pass For MySpace?

    Google's claims of impartiality notwithstanding, several malware specialists say they have a hard time believing web destinations generating millions of dollars in revenue would tolerate the treatment Google metes out on smaller sites.

    "I'm sure they have an exclusion in there for sites like MySpace," says Eric Sites, a researcher at security provider Sunbelt-Software.

    He notes that ad-driven malware is especially hard to catch because banners are frequently programmed to unload toxic payloads only in certain timezones during certain hours. Add to that the highly decentralized nature of affiliate advertising - in which one network hands banners off to another network, which in turn distributes them through a third - and even Google, which seems to have eyes everywhere, may be unable to track offenders competently.

    "I think the Google process is actually flawed," says Thompson, the Exploit Prevention Labs researcher who, having watched several small sites struggle to undo the stigma that's resulted from Google's warning, says he sympathizes with the operators.

    "This poor guy got nailed through no fault of his own, and now he's tainted," Thompson says. "Arguably, this guy was never infected in the first place. He was just unfortunate enough to have a bad banner ad. That can happen to FaceBook, and it can happen to anyone."
    Last edited by befuddle; 21-09-07 at 04:36 PM. Reason: typo
    ShopCodes: Please Email Exclusive Codes to: befuddle [@] gmail.com | Phone: Please don't. Please email.

  14. #14
    Dynamoo's Avatar
    Mooooo

    Status
    Offline
    Join Date
    Dec 2003
    Location
    Somewhere in Bedfordshire
    Posts
    1,908
    Thanks
    5
    Thanked 60 Times in 43 Posts
    I can't see anything on your site at present that looks iffy.

    From what I've read on the topic, the process seems very accurate and it's quite likely that there was something on the site, either a dodgy advertising banner or perhaps a code injection. However, those pages are no longer on the server.

    tbp already mentioned this Matt Cutts posting - Info about malware warnings and how to appeal them

    Also see Got malware? Google will help you find it. which refers to the Google webmaster console and how to track down the pages.

    Ad banners can be a nightmare - Falk AG had a spate of bad banners a couple of years back (see Falk AG / falkag.net Serving Viruses and Trojans) - it seems to be a problem with advertising networks that allow complex banners that might have javascript or ActiveX exploits.
    Never email donotemail@WeAreSpammers.com

  15. #15
    Typing with both fingers.

    Status
    Offline
    Join Date
    Aug 2003
    Location
    Allt Y Coed Farm, North Pembrokeshire
    Posts
    4,122
    Thanks
    246
    Thanked 197 Times in 156 Posts
    Ray, did you ever get this sorted, and if so, how? I am in a panic because I have it on my main site as of today!!

    Bummer.

    Any help would be great.

    Ta
