Infected Website? Think: What Would Ellen Ripley Do?
Websites are compromised all the time; in fact you can’t go a day without a popular site being uncovered as a source of malware infection.
Usually, it's malware being served up through adverts on the site, so in that sense it’s not really the website that’s at fault - it’s the ad provider.
This has happened to numerous big name sites in the past, recently some visitors to the Huffington Post website were greeted by a Hugo Boss advert that installed a version of the Cryptolocker ransomware.
Neither the Huffington Post or Hugo Boss were involved with the malware, but what generally happens is that a malware producer creates a fake ad, and bids for placement through a legitimate ad distribution network (Google DoubleClick or Merchenta for example).
This ad will normally be indistinguishable from a legitimate advert, and will contain no malware at this point, so it gets through the ad networks filters without a hitch.
Just before the ad goes live and is inserted into a webpage, a ‘minor revision’ is made…
As ads are generally flash based and executed automatically by your browser, anything they present is ran automatically, and without a good Anti-Virus package you’re a sitting duck.
Now, as I know that all the readers of this fantastic blog use the terrific Sophos Endpoint Protection product, I can be sure that this will never happen to any of you lovely people.
However, there is another way that malware can be distributed from a website that doesn’t involve ad networks, and as Flash is not used, it can slip through the net if the bad guys do it right.
A good (bad?) example of this is the recent history of the Jamie Oliver website, hacked three times in four months (a good technical write-up can be found here) .
Instead of using an ad, part of the web page directed the user's browser to go to a second site and run a script that used flaws in older versions of Java, Silverlight and Flash to install multiple pieces of malware.
Now, while good Anti-Virus software should protect you against the majority of these unwanted programs, some could get through. This is because Anti-Virus software generally relies on signatures for malware (every program can be identified by a unique finger print, based on a number of factors).
If the fingerprint isn’t known to belong to bad software, Anti-Virus scanners will ignore it. And if the Anti-Virus companies have never seen the software before, they can’t generate a fingerprint.
The observant people out there will have noticed that I mentioned older versions of flash, java and Silverlight. If you had up to date versions installed, then none of this would affect you, even if you had no Anti-Virus installed.
Avoiding a computer virus can, in some ways, be thought of in the same terms as making sure you don’t catch the flu. Stay healthy (stay patched and up to date), get your vaccinations (install Anti-Virus), and avoid the infected (stay away from any dodgy websites). Do two out of the three and you should be ok, all three and I’d be very surprised if you were infected by a web borne virus.
To take this analogy one step further, what do you do with the source of the infection? In the real world, a source of bacteriological infection (water in the case of cholera, or tainted meat for a number of other bugs) would be sterilised, and if that failed then it would be destroyed.
We at TSG tend to follow the same principles; we attempt a clean-up using standard virus removal tools, and if this fails, we follow the guidance of the philosopher Ellen Ripley, and nuke it from orbit.
It’s the only way to be sure.
Now, we don’t generally get on the phone to the Prime Minister and ask to borrow Trident for an hour (I have been tempted…), but we do format the system (PC or Server) back to a factory fresh, no operating system state and restore from known good backups.
We do this because we have learnt the hard way that you rarely get a second chance with malware, and you need to make sure it’s gone, quickly.
There must be a reason why Mr Oliver’s site has been hacked three times, I hope it’s not down to poor passwords, or out of date software, but if they need some help our number is at the bottom of the page…