Knowing an Infected Website When You See It

Whenever I’m interviewing security experts about some new malware or zero-day attack, I ask them how they know if a site is infected and can harm you. It’s not an easy question to answer because oftentimes, you don’t know. It is easy to revert back to the standard “don’t click on links in email” advice — which is always very good advice, by the way — but it doesn’t help you when you are looking for information online and you are led to an unknown website. Heck, your favorite sites aren’t immune to infection, either.

So, of course, the most important thing is to always make sure your security software is running and updated. That’s the biggest safety net (and it has certainly saved my computer on days when I visited an otherwise trusted site only to find out later the site was infected with malware). But there have to be other ways to tell if a site is infected or not, right?

But it isn’t just other sites. It might be your site causing the problem. You think you are safe but your security system is telling you otherwise (or if it isn’t your security system, your customers may alert you something is wrong).

In most cases, the execution of malware is completely invisible to the visitor of a website, who sees the site as appearing to operate as usual. However, whether you can see it or not, cybercriminals can indeed inject malicious scripts into the original code of a website, which redirects visitors of the website to malicious URLs and from there, malware is downloaded and executed on the victim’s computer. So how can you tell if your computer is infected? And how can you clean up or, better yet, avoid an infection?

To answer some of those questions, the researchers at Kaspersky Labs came up with a very helpful report that provides detailed instructions on how to tell if your site is infected, as well as how the bad guys manage to infect your site, and ways to prevent and fix problems. For example, to figure out whether or not your site is infected, the report said:

The most reliable sign of every single infection will be the presence of malicious/suspicious code in one or more files on the server – mainly HTML, PHP or JS files, but recently also ASP/ASPX. It’s not easy to find this code and it requires at least a basic knowledge of programming and website development. In order to familiarize the reader with what the malicious code may look like, below are some examples of most common web injections.

It is one of the most thorough explanations of what is going on behind the scenes on your website and network that I’ve seen yet. An infected site can do irreparable damage to your business if the site goes down for any period of time or, worse yet, if your customers end up with malware on their computer after coming to your site and refuse to return (I think twice about visiting a business whose site tried to poison my computer).

If I had a single quibble with the piece, I’d say the prevention advice doesn’t really provide anything new. Strong passwords? Frequent backups? Good security system? Well, yeah, that’s what everybody should be doing from the get-go. If security were really that simple, we’d all have perfectly clean computers all the time — and we know that isn’t true. I was hoping for something different there, but I guess best practices are the best and easiest defense.