A weekend of malware

Autocade warning

I’m prepared to eat humble pie if one of our sites is actually distributing malware (naturally without any knowledge or action on our part). According to Google, Autocade is doing just that, as of the 23rd:

Of the 3 pages we tested on the site over the past 90 days, 3 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-10-23, and the last time suspicious content was found on this site was on 2010-10-23.
   Malicious software is hosted on 1 domain(s), including requestbusforward.co.cc/.
   1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including globals1696.ipq.co/.

   Immediately, I did the following:

  • searched for the domain (requestbusforward.co.cc) that was the source of the malware, and found that there were accusations toward Gizmodo and Gawker of doing exactly the same thing;
  • notified people on Twitter that there could be a problem with Autocade;
  • confirmed on a machine that is infected (which we were about to nuke) that the message was correct (it happened exactly as Google stated);
  • began backing up the database of the legit data along with the images;
  • informed our web host, Rackspace, of the notice and asked for an immediate check whether the server had been hacked;
  • did a Google News search and came up empty for news about either Gizmodo or Gawker being infected (which you would expect given these are popular websites);
  • better safe than sorry, nuked the infected PC with a hard-drive format. (Thank goodness for long weekends.)

   Rackspace’s Joe Kirby reports that he has seen no hacking activity at the server end. I’ve requested a review from Google and we’re still going to upgrade Mediawiki, which Autocade is run on.
   I’m willing to keep an open mind about whether Google was accurate this time (I can confirm it was not accurate about this blog), given that the scenario could be reproduced, albeit on an already infected machine.
   It still strikes me as odd that there is nothing on Google News or Google Blog Search about an infected Gizmodo or Gawker, which you would expect to make some sort of a splash.


You may also like




One thought on “A weekend of malware

Leave a Reply

Your email address will not be published. Required fields are marked *