Tips on recognizing and defeating website malware

The Internet is already a general service in the Philippines, benefiting nearly 30 million Filipinos for everything from looking for a place, reading news, shopping and connecting with others through social networks.

Lately, however, virus authors have been creating malicious software that is specifically targeted to infect websites. The idea is to infect a website and let the infection spread by infecting the PCs of the site's visitors. Unfortunately, website administrators might not know their sites are infected.

Marta Janus, Security Researcher at Kaspersky Lab, a leading developer of secure content and threat management solutions, said in a report there were incidences of website owners complaining that a Kaspersky Lab product incorrectly blocks access to their portal and it must be a false alarm as they do not host any malicious content.

"Unfortunately, in most cases they are wrong and malicious scripts can indeed be found within their websites, injected into their sites' original code," said Janus

"These scripts redirect visitors to malicious websites. In most cases, the execution of malware is completely invisible to the user, who sees the website appearing to operate as usual," she said.

This is a result of drive-by download where the computer becomes infected just by visiting a website which contains malicious code.

Malicious code exploits vulnerabilities in software running on the user's computer (like Java, Flash, PDF viewers, browser plugins, etc.) to silently install itself on an attacked machine.

Janus said that the cybercriminals who created the codes have different evil goals. These include widening their targets for spamming and phishing, stealing content and passwords, hijacking Internet traffic, promoting illegal activities, among others.

"Generally speaking, there's nothing new here. It's indirect financial gain that drives cybercriminals to infect websites," said Janus.

Identifying the culprit

There are ways for website administrators to identify if their website has been infected. Among the most obvious ones are:

1. users complain that the website is blocked by the browser or security software

2. website is blacklisted by Google or added to some other database of malicious URLs

3. significant change in traffic and/or drop in search engine rankings

4. website doesn't work properly, displays errors and warnings; and

5. after visiting the website, computers show strange behavior.

The infections usually remain unnoticed for a long time, often because of the level of sophistication of the malware. Some of these malware's codes are usually obfuscated or obscured, thus misleading the administrator that their website is still clean.

"If you do not notice any of the above mentioned symptoms it's a good indication that your server is clean, but always be on alert for any suspicious activities," Janus warned.

Cleaning tools

When an infection is indeed found, there are still ways to remove it. Janus said if there are any symptoms of possible infection, the website has to be deactivated until the problem has been resolved. This is really essential, as every moment of delay acts in favor of the cybercriminals, exposing more potential victims to the problem and spreading the infection over the Internet. The administrator also needs to check the server logs to see if there are any suspicious activities, like strange requests from IP addresses located in unusual countries, and so on.

Other methods of fighting malware in an infected site include backing up content, website scanning using online or installed security applications, and manually removing them. The latter method is one where the website administrator needs to be very careful with. This means having to look at all the codes in their website and finding out codes that look obscure and unreadable.

"Code obfuscation is a common technique for malware writers and it's relatively unusual for any other website-related software. If you haven't obfuscated the code yourself, you have every reason to be suspicious about it. Do be careful, though -- not all obfuscated code will prove malicious!" Janus said.

Website security basics

Nothing beats having all the preventive measures than just the cure for malware attacks. Janus emphasized on a number of basics that website administrators must have if they are to ensure the safety and security of their websites and their visitors:

Use of strong passwords

However trivial it may sound, this really is the foundation of server security. Passwords should not only be changed after any malware incident and/or attack on the server -- you should change them on a regular basis - say, once a month. A good password should meet specific criteria.

Being up-to-date

The next thing to remember is to perform regular updates. Cybercriminals tend to exploit vulnerabilities in software, no matter whether the malware is aimed at PC users or at websites and web servers. All the software that you manage from your server account should be the newest possible versions and every single security patch should be applied as soon as they are released. Keeping all software fully patched and up-to-date will decrease the risk of an exploit-based attack. A regularly updated list of known vulnerabilities can be found on

Creating frequent backups

Having a clean copy of server content will certainly save you a great deal of time and effort -- not to mention that a fairly recent backup may prove very useful when dealing with other problems, as well as infection.

Regular file scanning

Even if there are no visible infection symptoms, it's good practice to scan all server files once in a while.

Taking care of PC security

As a great deal of website malware is spread with the use of infected PCs, the security of the desktop computer used to manage your website is one of the most important aspects of website security. Keeping your computer clean and safe at all times will significantly improve the chances of your website staying safe and clean as well.

Server hardening

If you own the server, you should pay attention to configuring it as securely as possible. Such activity may include, but is not limited to:

1. removing all unused software

2. disabling all unnecessary services and modules

3. setting appropriate policies for users and groups

4. setting secure permissions / restricting access to certain files and directories

5. disabling directory browsing

6. collecting log files, which are checked for suspicious activity on a regular basis, and

7. using encryption and secure protocols.

Join the CSO newsletter!

Error: Please check your email address.

Tags securitymalwarekaspersky lab

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Computerworld Philippines staff

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place