The merciless malignancy of malware Part 4 (SEM 101)

OK, so I totally geeked out with my recommendations on how to better secure your webmaster computing environment. As a result, I had too much material for one post and thus had to split it up into two pieces. Let's wrap up this long series of posts on malware by finishing up with the last of the security recommendations.

In Part 1 of this series on malware, we discussed how to detect a malware infection on your website using tools like Bing's Webmaster Center. The Part 2 post covered the resources and strategies for identifying the types and locations of malware code that typically affect websites with advice on how to remove it. The Part 3 post began the run-down through 10 recommendations (well, the first 5, anyway!) on how to better secure your workstation and web server computers to prevent the malware from coming back. Today's post, Part 4, finishes the list, and then includes information on what steps you can take to get that pesky malware warning message removed from your recently cleaned site in the Bing index.

Recommendations continued

Getting rid of malware is only part of the battle. Hardening your security practices to keep it away is just as important. Let's continue the list of recommended security strategies started in the previous post.

6. Run Microsoft Update

I am presuming with this recommendation that you are running a modern Microsoft Windows operating system. Regularly run Microsoft Update on every Windows-based computer you use to touch your website. When you do so, I recommend that you click Custom to see the total list of available updates for your computer rather than seeing only the High Priority updates. Always keep current with the latest High Priority updates and strongly consider applying the other updates as well.

Note that the second Tuesday of every month is commonly referred to as "Patch Tuesday" for Microsoft Update, and time should be set aside on those dates to make sure all Windows-based systems in your web server infrastructure get the necessary security updates. Occasionally Microsoft also releases high-priority security updates ahead of this schedule, so it pays to stay on top of these releases as they occur. Signing up to receive Microsoft Technical Security Notifications can help!

7. Update non-Microsoft applications, too

Applications that touch the Internet are at least as vulnerable to security holes as are web browsers and operating systems. Some major software manufacturers are beginning to build into their applications an online update system analogous to Microsoft Update. But not all have this feature yet, and not all that do perform the update automatically. It's a really good idea to scan for and plug the often nasty security holes in the applications on your workstation through a software updating tool. I like the Secunia Software Inspector tool (check the licensing requirements for commercial use, but it's free for many users), but there are many other choices out there. Be sure that the web applications you use are checked in that process. The bottom line is you need to regularly check for and install any software updates on all of the computers associated with your website.

Keep in mind that software manufacturers regularly release updates for their products when they discover faulty features and security holes. The hacker community makes a point of studying those patches to learn what exploits the updates fix. If you don't stay current with software updates, your computer may become vulnerable to reverse-engineered exploits.

8. Improve your wireless security

Many computers these days, especially laptops, are connected to the Internet only by wireless connections. If you work in a big organization with a security-conscious IT shop, you're probably fine (while you're at work, anyway). But many small shops and even more home users install their new Wi-Fi routers using default settings across the board. Hackers have developed such efficient wireless security cracking tools over the past decade that paranoia is no longer considered irrational or delusional behavior among IT security folks. (But if tin foil hats come out, all bets are off.)

There are several things you can do to improve the security of your wireless network router. Dig up the user's manual for that old router and learn how to do all of the following:

  • Update the device firmware. Go to the router manufacturer's website and browse to the Downloads page for your model (typically within the site's Support section) to see if you have the latest firmware release. If not, download it and install it. You may get new functional features and/or have known security holes resolved. Either way, look into it. The router's manufacturer put it out there for a reason!
  • Change the administrator password from the manufacturer's default (using the tips in Create strong passwords). Hackers typically know the default administrator password for various routers. Leaving yours with the default is honestly no better than disabling the admin password altogether.
  • Change the network's Service Set Identifier (SSID) friendly name from its default to a name of your own choosing. Once done, disable the SSID broadcast so that the wireless network is hidden. It's harder to crack a wireless network if you don't see it, especially when you don't know its name!
  • Enable media access control (MAC) address filtering so that only computers and devices whose MAC addresses you specify can access the network. All others are denied access.
  • Exclusively use Wi-Fi Protected Access version 2 (WPA2) security with Advanced Encryption Standard (AES) encryption for the most secure connections. Forget relying upon Wired Equivalent Privacy (WEP) or WPA using Temporal Key Integrity Protocol (TKIP) encryption for security. Modern wireless security cracking tools can break these encryption schemes in minutes, even with the longest keys.
  • Enable advanced routing features such as SPI (as discussed in tip #3 in the previous post). If your wireless router doesn't support SPI, it's probably using old technology and it may be time to shop for a new, more secure Wi-Fi router.

Note that none of these changes by themselves will sufficiently upgrade your wireless security, but the aggregate value of implementing them all will make your wireless network much more difficult to crack. And unless you are dealing with extremely determined hackers with an abundance of both technical resources and time to focus on cracking your specific, secured network, they will almost always move on to another of the ubiquitous, softer targets in the wifisphere.

9. Protect your website's configuration files

Ensure that the sensitive configuration files of your web server and your web applications aren't accessible to unauthorized, external users. Place them in directories that are not served to the public and then disable directory browsing on your web server. Refer to your web server documentation for specific instructions on how to do this. I also recommend researching additional methods of securing your web server, such as IIS or Apache, from attack.
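As an added check for this recommendation (example code, not from the original post), the script below walks a site's document root and reports two things: config-like files that sit inside the served tree, and directories with no index page, which a server with directory browsing enabled would list. The file-name patterns, index-page names and the sample tree are assumptions; adjust them for your stack.

```python
import os
import tempfile
from fnmatch import fnmatch

# Assumed name patterns that commonly hold credentials or connection strings.
SENSITIVE_PATTERNS = ("web.config", "*.config", "*.ini", ".env", "*.env",
                      "config.php", "settings.php", "*.bak", "*.sql", "*~")
# Assumed index-page names; a directory lacking one is listed when browsing is on.
INDEX_NAMES = {"index.html", "index.htm", "index.php", "default.aspx", "default.htm"}


def audit_webroot(webroot):
    """Return (sorted config-like files, sorted index-less directories) under webroot.
    Paths are reported relative to webroot with forward slashes."""
    exposed, listable = [], []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        rel = os.path.relpath(dirpath, webroot).replace(os.sep, "/")
        rel = "" if rel == "." else rel
        if not INDEX_NAMES.intersection(filenames):
            listable.append(rel or ".")
        for name in filenames:
            if any(fnmatch(name.lower(), pat) for pat in SENSITIVE_PATTERNS):
                exposed.append(f"{rel}/{name}" if rel else name)
    return sorted(exposed), sorted(listable)


def build_sample_tree():
    """Constructed sample document root; a real run points at your site's webroot."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "app"))
    for rel in ("index.html", "app/config.php", "app/index.php",
                "images/logo.png", "db.bak"):
        open(os.path.join(root, rel), "w").close()
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    exposed, listable = audit_webroot(root)
    print("config-like files inside the served tree:", exposed)
    print("directories that would be listed if browsing is on:", listable)
```

Anything in the first list should be moved outside the served tree (or explicitly denied by the server), and the second list shows where a missing index page would expose a listing.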

10. Perform data validation on user input

If your website accepts user input, ensure it is validated before processing or displaying it back to the user. For example, if you have a login form that accepts user names and passwords that are checked against a database, ensure that the input is scrubbed of any unexpected or invalid characters that might allow malicious manipulation of the database. Also, if user input is accepted and displayed (such as on forums), ensure users aren't able to alter the webpage's source code, such as by injecting script or <iframe> HTML code.

Also be sure that input from backend systems is validated. This protects the users of your website, even if attackers "only" managed to break into a backend system, like your database. For more information on similar, related website attacks, look into the topic of cross-site scripting (XSS).
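As an added example for tips 10 and its follow-up paragraph (not code from the original post), the block below shows the three controls in working Python: an allow-list check on the user name, a login query built by string concatenation beside the parameterized form (the standard technique that keeps input as data rather than SQL syntax), and HTML encoding of forum text before it is displayed so that any <iframe> or <script> markup it carries is shown inert. The table, sample user and sample inputs are constructed for the demo.

```python
import html
import re
import sqlite3

# Constructed sample inputs, not taken from any real site.
FORUM_POST = 'Nice site! <iframe src="http://bad.example/x"></iframe><script>alert(1)</script>'
BAD_USERNAME = "admin' --"   # a quote plus SQL comment marker, as a validation test case

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(name):
    """Allow-list check: only characters a user name legitimately needs."""
    return USERNAME_RE.fullmatch(name) is not None


def make_db():
    """Constructed in-memory users table with one sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_unsafe(conn, name, pw):
    """The 'before': query text is assembled from raw input, so a quote in the
    name changes the statement itself and the password check is commented out."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, name, pw):
    """The fix: placeholders bind the values; they can never become SQL syntax."""
    sql = "SELECT 1 FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone() is not None


def render_forum_post(text):
    """Output encoding: user text is displayed as text, so markup cannot execute."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print("allow-list accepts bad name?", validate_username(BAD_USERNAME))   # False
    print("concatenated query lets it in?", login_unsafe(db, BAD_USERNAME, "x"))  # True
    print("parameterized query lets it in?", login_safe(db, BAD_USERNAME, "x"))   # False
    print(render_forum_post(FORUM_POST))
```

The same output-encoding step should be applied to anything read back from the database or another backend before it reaches the page, since that data may already have been tampered with.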

Bonus tip: Back up your clean web content

Once you've ensured your site's content and source code are clean, back them up! Disaster recovery is not just about fires, floods, and earthquakes. A sudden, major malware infection ranks right up there in terms of potential business outages, so protect your work, your site, your business, and your customers who depend on you with proper, functional backups of clean code.

Even more information on securing servers

To be ultra secure, you might simply consider flattening and rebuilding the server from scratch. But don't simply rebuild it to the way it was – remember, it was hacked in that state! Put in place all of the hardening steps mentioned earlier, as well as triple-checking all of your permissions settings, before putting the server back in service online. For more information on dealing with hacked servers, check out What to Do If Your Website Has Been Hacked by Phishers.

Request removal of the Bing malware warning

Once you've resolved your malware infection, closed the security vulnerabilities that allowed your computer to be successfully attacked, and uploaded your cleaned-up source code to your web server, you've got one more job to do. It's time to request that Bing re-evaluate your website for malware. Here's how:

  1. Open the Bing support form.
  2. In the resulting Windows Bing Support web form, type your full name and email address in the text boxes provided.
  3. In the Service: Bing drop-down list, select My Site has a malware warning.
  4. In the new drop-down list that appears below, select the option that best matches your specific situation (in this case, that'll be The malware has been removed).
  5. Complete the remainder of the form, adding as much detail as possible in the comments text box to help the support team resolve your request. Once completed, type the characters shown in the security image, and then click Submit.

Once you've submitted the form, Bing will rescan your website to check that the malware has been removed. If confirmed, your content can then be reincluded in normal search results. Once done, keep monitoring your site's malware status in the Crawl Issues tool of Bing's Webmaster Center, just to be sure you stay on top of any new issues.

If you have any questions or comments about malware, please feel free to post them in our General Questions forum. For regular SEM and SEO questions and suggestions, please go to our SEM forum. See you again soon…

-- Rick DeJarnette, Bing Webmaster Center