February 22, 2013

SFWA Website — Malware Warning
Posted by Jim Macdonald at 02:29 PM * 48 comments

As I try to go to the SFWA website via Google, I get this warning:

Warning - visiting this web site may harm your computer!
Suggestions:

Return to the previous page and pick another result.
Try another search to find what you’re looking for.

Or you can continue to http://www.sfwa.org/2013/02/guest-post-the-importance-of-pie-cooking-the-books-with-james-d-macdonald/ at your own risk. For detailed information about the problems we found, visit Google’s Safe Browsing diagnostic page for this site.

For more information about how to protect yourself from harmful software online, you can visit StopBadware.org.

If you are the owner of this web site, you can request a review of your site using Google’s Webmaster Tools. More information about the review process is available in Google’s Webmaster Help Center.
Advisory provided by Google

Now I am sad, for I was ego-scanning for my Lime Pie recipe over there.
Comments on SFWA Website -- Malware Warning:
#1 ::: Stefan Jones ::: (view all by) ::: February 22, 2013, 02:48 PM:

Michelle Obama is behind this. She HATES pie! And freedom!

#2 ::: guthrie ::: (view all by) ::: February 22, 2013, 02:51 PM:

Looks fine in IE 8.
It is a bit like the small rant I had to a friend a few days ago, after chrome kept reminding me that the hotmail sign in page was http and therefore unsafe and that I should only use such websites that used https and did I wish to continue? I understand it is a legitimate concern, but being told off by my browser for something that is outwith my ability to affect is really annoying.

Or is google trying to make everyone paranoid?

#3 ::: Jim Macdonald ::: (view all by) ::: February 22, 2013, 02:56 PM:

Michelle Obama? No, I think it's more likely Mayor Bloomberg.

Actually there was a DDOS attack on the SFWA site a little while ago. I wonder if this is related?

#4 ::: Carol Witt ::: (view all by) ::: February 22, 2013, 03:07 PM:

John Scalzi mentioned that the site was fixed a couple of days ago, but it can take time for Google et al. to catch up. Something similar happened a week or two ago at Television without Pity.

#5 ::: Carol Witt, gnomed ::: (view all by) ::: February 22, 2013, 03:07 PM:

For a link to the place of tweeting.

#6 ::: Lisa L. Spangenberg ::: (view all by) ::: February 22, 2013, 03:09 PM:

The SFWA twitter feed is worth taking a peek at:

https://twitter.com/sfwa

They indicate that there's a secondary attack, that they have identified the malware and removed it and are waiting for Google to re-scan the site.

Google has a fairly clear procedure for Webmasters to follow:

http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163634

#7 ::: Steven Gould ::: (view all by) ::: February 22, 2013, 03:10 PM:

There were embedded trojans. I don't know the nature of the attack, but they were found and dealt with, but the Malware warning persists for a period of time after, so they are waiting for it to clear.

Alas, as of right now, it is still there. I use my iPad to read it when this warning is up, as iOS seems pretty immune for the time being.

#8 ::: Steven Gould ::: (view all by) ::: February 22, 2013, 03:14 PM:

I should rephrase: the warning will go away as soon as Google rescans the site and confirms the absence of the trojans.

#9 ::: Ken Houghton ::: (view all by) ::: February 22, 2013, 03:29 PM:

"as soon as Google...confirms the absence of the trojans"

Such a setup. Cannot decide between "Again with the contraception mandate!" and "yeah, USC grads can be a security risk."

But good to know it's fixed.

#10 ::: joann ::: (view all by) ::: February 22, 2013, 03:53 PM:

Ken Houghton #7:

Or, we blew *all* the asteroids away?

#11 ::: Serge Broom ::: (view all by) ::: February 22, 2013, 04:00 PM:

Trojans? Elaan of Troyius's henchmen?

#12 ::: Jim Macdonald ::: (view all by) ::: February 22, 2013, 04:02 PM:

As Laocoön said, "Embedded whats?"

#13 ::: Randolph ::: (view all by) ::: February 22, 2013, 04:04 PM:

Google's page on the site says, "The last time Google visited this site was on 2013-02-21, and the last time suspicious content was found on this site was on 2013-02-21."

I think it's still infected, or else Google is showing a false alarm.

Once the site is disinfected, you can request that Google review it here.

#14 ::: Tom Whitmore ::: (view all by) ::: February 22, 2013, 04:08 PM:

Randolph -- it's now 2012-02-22, and it's quite possible it's been corrected since the last visit by Google yesterday.

#15 ::: Brooks Moses ::: (view all by) ::: February 22, 2013, 04:23 PM:

Tom @14: Yes, but John Scalzi's twitter-post saying "the problem at SFWA is solved" was from the 20th, so the Google scan postdates that claim.

With that said, Google's page is also saying, "This site is not currently listed as suspicious," so it looks like Google is confirming that the problem is fixed. The two instances of "on 2013-02-21" in the sentence Randolph @13 quoted must refer to an earlier and later scan on the same day.

#16 ::: Brooks Moses ::: (view all by) ::: February 22, 2013, 04:28 PM:

I do note that the "This site may harm your computer" warning is still up on search results (c.f. this version of same), but that's probably a matter of taking a day or so for cached information to propagate across the search servers.

#17 ::: Christopher Wright ::: (view all by) ::: February 22, 2013, 04:30 PM:

When one of my sites got this message I had to go to a Google tool that re-scanned the site once I'd cleaned up the malware (it had been hacked).

But this is the second time in a few months that the SFWA site has been DDOS'd (they tweeted that this morning) and now this. Does someone have a grudge?

#19 ::: Jim Macdonald ::: (view all by) ::: February 22, 2013, 05:37 PM:

"Does someone have a grudge?"

Any number of scammers who don't like Writer Beware. Or someone who thinks that SFWA is giving entirely too many awards to Girls. Or, some random teenager in Dubrovnik whose bots noticed a vulnerable site.

#20 ::: -dsr- ::: (view all by) ::: February 22, 2013, 06:58 PM:

Hey! It says there will be a new Crossman book this year!

That would have been worth braving the malware by itself.

#21 ::: Brooks Moses ::: (view all by) ::: February 22, 2013, 08:07 PM:

For what it's worth, the "This site may harm your computer" warning is no longer showing up on the search link I previously posted. So this looks to be properly cleared up now.

#22 ::: Daniel Martin ::: (view all by) ::: February 22, 2013, 08:13 PM:

Google really does rescan rather quickly. It's not now saying that that page is infected, and clearly the earlier reports that things had been cleaned up were premature.

#23 ::: Daniel Martin ::: (view all by) ::: February 22, 2013, 08:19 PM:

Also, seeing simultaneous reports of "Google reports site X laden with malware" and "site X looks fine to me as I visit it with the browser and OS combination most targeted by malware authors" (e.g. comment #2) makes me want to bang my head on the table.

#24 ::: Lisa Spangenberg ::: (view all by) ::: February 22, 2013, 08:42 PM:

I am seeing repeated attempts to deliver a malware payload java exploit on some of the sites I herd. By repeated, I mean in the thousands in a few hours.

It's a Windows script that tries brute force on various ports, and looks for Java on the server.

N.B. Java not JavaScript.

#25 ::: Randolph ::: (view all by) ::: February 22, 2013, 08:58 PM:

FWIW, I don't think this was aimed specifically at SFWA. Cracking sites and installing malware is an industrial process.

#26 ::: Kevin Riggle ::: (view all by) ::: February 22, 2013, 11:51 PM:

Thank you to Jim for not linking directly to the site. In my line of work we also munge the URLs, as

hxxp :// www(.)sfwa(.)org / 2013 / 02 / guest-post-the-importance-of-pie-cooking-the-books-with-james-d-macdonald/

to prevent people from easily copying-and-pasting (or their mail clients from easily linkifying) and visiting a malicious URL. (Even the best of us screw up and click on something we didn't mean to occasionally, and it's a pain to have to burn down your system and rebuild it when it happens.)

If Google says there is malware on a site, or you hear a report, DO NOT VISIT IT.

Malware, much like carbon monoxide, may be imperceptible -- odorless, tasteless, and invisible to the naked eye. guthrie @2, please make sure your antivirus is up to date and run a full scan immediately.

If you want to know why people automate this kind of thing, this report released a couple days ago is a fascinating look at just some of the hijinks they get up to.
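
The URL munging described in comment #26, as an added example that is not part of the original thread or any commenter's own code. It rewrites URLs inside free text into the `hxxp` / `(.)` style shown there and checks that nothing auto-linkable remains; the function names, the `fxp` rewrite for ftp, and the sample text are assumptions made for illustration.

```python
import re

# Scheme rewrites in the hxxp style; "fxp" for ftp is an assumed convention.
SCHEMES = {"http": "hxxp", "https": "hxxps", "ftp": "fxp"}
REVERSE = {v: k for k, v in SCHEMES.items()}

# Roughly what an auto-linker looks for: a scheme or a bare "www." host.
# The final character class keeps sentence punctuation out of the match.
URL_RE = re.compile(
    r"\b(?:(?:https?|ftp)://|www\.)[^\s<>\"']*[^\s<>\"'.,;:!?)]",
    re.IGNORECASE,
)
SCHEME_RE = re.compile(r"(https?|ftp)://", re.IGNORECASE)


def defang_url(url):
    """Rewrite the scheme and the dots in the host part of one URL."""
    m = SCHEME_RE.match(url)
    prefix = SCHEMES[m.group(1).lower()] + "://" if m else ""
    rest = url[m.end():] if m else url
    host = re.match(r"[^/?#]*", rest).group(0)
    tail = rest[len(host):]
    # A URL carried in the path or query (a redirect target) is defanged too.
    return prefix + host.replace(".", "(.)") + defang_text(tail)


def defang_text(text):
    """Defang every URL found in free text, leaving other text untouched."""
    return URL_RE.sub(lambda m: defang_url(m.group(0)), text)


def refang(text):
    """Reverse the rewrite so an analyst can hand the URL to a tool."""
    text = re.sub(r"\b(hxxps?|fxp)://",
                  lambda m: REVERSE[m.group(1).lower()] + "://",
                  text, flags=re.IGNORECASE)
    return text.replace("(.)", ".").replace("[.]", ".")


def is_linkable(text):
    """True if the text still contains something an auto-linker would catch."""
    return URL_RE.search(text) is not None


# Constructed sample report text (example hosts and a documentation IP).
SAMPLE = ("Alert: visitors to http://www.example.org/2013/02/post/ were sent "
          "via https://cdn.example.net/r?u=http://203.0.113.7/x.js. "
          "See www.example.org.")

if __name__ == "__main__":
    print(defang_text(SAMPLE))
```

Only host dots are rewritten, so file names in the path stay readable, and running `defang_text` on already-defanged text changes nothing.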

#27 ::: Jim Macdonald ::: (view all by) ::: February 23, 2013, 01:11 AM:

What line of work are you in, Kevin?

#28 ::: Tom Whitmore ::: (view all by) ::: February 23, 2013, 01:21 AM:

His website is pretty fascinating, Jim, and links from his name -- I found it by Googling his name, which may have been slightly paranoid but fits into exactly what he was saying! When I looked back here after clicking through the second g-hit, to a personal website, his name showed up here as my having visited the link.

A roundabout way of saying: cool that you drop by here, Kevin R!

#29 ::: Dave Bell ::: (view all by) ::: February 23, 2013, 01:57 AM:

The last time I got one of these warnings, it was for a download page on the Adobe site.

#30 ::: Kevin Riggle ::: (view all by) ::: February 24, 2013, 01:29 AM:

Jim Macdonald @27: These days, web security. (This is a pretty recent development.) I'm a bit more on the side of writing software to help us coordinate response than doing active forensics myself.

Tom Whitmore @28: A bit creepy, but thanks for the welcome! I've been hanging around here on and off for a while -- more of a lurker than a poster, but I read a lot. It's a good place, with a lot of smart people.

Dave Bell @29: If a malware alert pops up, there's a strong chance it's legit, even for a big site like Adobe. Big sites get hacked, small sites get hacked -- everybody gets hacked. It's not something I'd take chances with.

#31 ::: Jim Macdonald ::: (view all by) ::: February 24, 2013, 10:29 AM:

It has long been one of my precepts: Never ignore a warning, even if it doesn't make any sense to you at the time.

#32 ::: Cheryl ::: (view all by) ::: February 24, 2013, 12:19 PM:

@31 Jim

One of the things that drives me most insane about my family members is the insistence on justification for everything. When what I'm saying is something like, "Stop!! Hit the brake!" or "Don't touch that button!"*, it is not the time to say, "Why?" while continuing to do what you are doing.

*not hypothetical events

#33 ::: Jacque ::: (view all by) ::: February 25, 2013, 02:06 PM:

Cheryl: I got in big trouble with an acquaintance when I failed to immediately comply with the command, "Hand me that shoe!"

#34 ::: Rikibeth ::: (view all by) ::: February 25, 2013, 05:45 PM:

Jacque: I'm betting that whatever it was had a lot of legs, or poison pinchers?

#35 ::: Jacque ::: (view all by) ::: February 26, 2013, 12:55 PM:

Rikibeth: Six legs and a high squick value. Something which I blessedly don't encounter much in my native habitat.

#36 ::: Cheryl ::: (view all by) ::: February 26, 2013, 03:18 PM:

Jacque: a hitch-sized hole in the bumper and a broken windshield-wiper motor, here.

It's an even worse habit when combined with moving vehicles.

#37 ::: Jacque ::: (view all by) ::: February 27, 2013, 11:39 AM:

Cheryl: It's an even worse habit when combined with moving vehicles.

Especially with pedestrians in the equation. There's a really bad intersection near my house wherein, if the pedestrian is standing on the opposite corner waiting to cross, they are exactly in the oncoming driver's blind spot. More than once I've had to step lively to keep from getting hit (and this is not counting the drivers who simply won't stop to allow a pedestrian the right of way).

Riding out of there in a friend's car, I've had to speak up more than once: "Stop! Pedestrian! Watch out!" It's fascinating how long it takes for that message to penetrate.

#38 ::: Dave Bell ::: (view all by) ::: February 27, 2013, 02:08 PM:

Kevin Riggle @30

There's an Adobe Flash Player update out, patches a couple of zero-day exploits. The download instructions recommend that you turn off your virus scanner...

One wonders what the hell they are playing at.

#39 ::: Jeremy Leader ::: (view all by) ::: February 27, 2013, 03:26 PM:

Dave Bell @38: I had the impression that it was fairly common for critical software updates to suggest turning off one's virus scanner, probably because "alters installed software" is a characteristic shared by malware and critical software updates.

More and more I'm coming to believe that our malware-detection ecosystem resembles a mammalian immune system, complete with allergies, auto-immune diseases, and so forth.

#40 ::: Kevin Riggle ::: (view all by) ::: February 27, 2013, 06:58 PM:

I haven't seen a virus scanner recently which is actually so oversensitive that it needs to be turned off when software updates are installed in quite some time.

The instruction still persists, though.

Jeremy Leader @39: Quite.

#41 ::: Kevin Riggle has been gnomed ::: (view all by) ::: February 27, 2013, 07:00 PM:

Probably for spaces. (A nice demonstration of that allergy response.) Would the gnomes like some gluten-free parmesan-and-sundried-tomato-flavored brown rice chips?

#42 ::: Michael I ::: (view all by) ::: February 27, 2013, 07:42 PM:

Jeremy@39

The update installation file for my browser often triggers my virus scanner (Norton) if I download on the day of release. It's one of the "known issues" in the current version's release notes.

(For some reason it doesn't trigger the scanner if I wait a few days and then download.)

#44 ::: Jim Macdonald ::: (view all by) ::: February 28, 2013, 11:52 PM:

Oh, goodie. Who wants to tell 'em?

#45 ::: Jim Macdonald ::: (view all by) ::: March 01, 2013, 12:11 AM:
"This site my harm your computer" notifiation

It is important that you feel safe when you search the web. We're continuously working to identify dangerous sites and increase protection for our users. The following warning message appears beneath the title of search results we've identified as sites that may install malicious software on your computer: "This site may harm your computer."

And I wonder who'll tell Google that they misspelled "Notification"?

#46 ::: Nicole J. LeBoeuf-Little ::: (view all by) ::: March 02, 2013, 01:23 AM:

Jim @43 - They knew already. I came to tell us-over-here.

All better now! or at least so @sfwa declared about 11 hours ago...

@44 - Google, however, are probably beyond help.

#47 ::: Jim Macdonald ::: (view all by) ::: March 11, 2013, 08:01 PM:

We now find that writerbeware [dot] com is a reported attack site.

Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: WRITERBEWARE[dot]COM
Created on: 15-Oct-03
Expires on: 15-Oct-13
Last Updated on: 02-Oct-12

Registrant:
SFWA, Inc.
PO Box 877
Chestertown, Maryland 21620-0877
United States

Administrative Contact:
Webmaster, SFWA webmaster@sfwa.org
SFWA, Inc.
PO Box 877
Chestertown, Maryland 21620-0877
United States
8883227392

Technical Contact:
Webmaster, SFWA webmaster@sfwa.org
SFWA, Inc.
PO Box 877
Chestertown, Maryland 21620-0877
United States
8883227392

Domain servers in listed order:
NS11.DOMAINCONTROL.COM
NS12.DOMAINCONTROL.COM

#48 ::: Christopher Davis ::: (view all by) ::: March 15, 2013, 02:51 PM:

Jim (#45): That (as well as the "my" for "may" error you didn't point out) seems to be fixed now.

Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014 by Patrick & Teresa Nielsen Hayden. All rights reserved.