15 May 2012

Malware, SEO and You

Internet Marketing Ninjas CEO Jim Boykin asked me to develop a post for his blog about viruses and malware. Now computer security is an old, familiar topic for me. Back in the day, I was a technical writer for Microsoft’s IT Group, where I created white papers and other documents on anti-malware products and strategies. Later, in 2009, when I authored the blog for Bing Webmaster Center, I used that IT security background to write a four-part series called The merciless malignancy of malware (yeah, I liked lilting alliteration a lot), which included posts on:

Check them out. Most of the information is still highly relevant and timely for today.

I will admit that the material in those 2009 blog posts were Microsoft-solution- and Bing-warning-centric. Now that I am writing for Internet Marketing Ninjas, I can look into how Google handles the issue of malware on websites. But wait – how is this relevant to an SEO-oriented blog? Ah, yes, there is a connection.

Webmasters have to be highly vigilant about protecting their sites from hacker-originated malware attacks so their sites don’t become a new vector for the malware infections. And one of the vectors through which a site may become exposed to malware is via a client computer’s administrator access to the web server! If you are the webmaster or the SEO and you have admin access to the production site, any corrupted or malicious browser-based plugins, Trojan horses, viruses, worms and more that have infected your computer may also potentially infect your website, which in turn can then infect your website’s visitors. It’s imperative that you keep your web server admin client computer clean.

Implications of malware

Way back when, the point of most malware was to be blatantly disruptive and destructive. Hackers today usually work to install malware for economic reasons. These days, that means using stealthy, malicious technology and expertise intended to secretly gather users’ identity information and send it to a location where hackers can gather it and either sell it to networks of identity thieves or use it themselves to steal money and/or open credit accounts in the users’ name. The other big use of malware these days is to set up hidden networks that can be used as storage locations for child pornography, stolen entertainment media files, or perhaps use infected zombie computers as weapons in distributed denial of service attacks (or the threat of such, which can be worth huge amounts of extortion money). It’s all nasty stuff.

So what happens when your website becomes a vector for malware? Well, in terms of Google search, its crawler, googlebot, will no doubt detect the infection (Google will typically report on such findings in its Webmaster Tools). As such, they have several ways in which they handle infected pages within their search engine results pages (SERPs).

I have no technical, insider information on how Google specifically handles detected malware in the SERPs, but I can make some educated guesses, given my past search engine background. Most likely, Google classifies the malware it finds on sites during googlebot crawls either into one of several categories or as ratings on a scale, ranging from “largely benign” (such as adware) to “highly dangerous to data integrity” or “highly infectious across systems” types of threats. According to Google’s public statements about hacker- and malware-damaged websites, they give two levels of warnings to searchers inserted as links within their SERPs:

An educated guess would assume that mostly benign junk falls beneath the threshold of generating any SERP warning. A compromised (aka hacked) page that includes changed content, inserted links or newly added pages to a site, especially changes that may try phishing tricks or other means of deceiving site visitors without attempting to load any malicious malware, will probably be tagged with the “compromised” warning above.

On the other hand, a site that does attempt to install malware is probably classified by the type of malware infection attempted. I’d imagine that pages infected with the most malicious and dangerous malware are most probably blocked from showing in the SERPs altogether, whereas pages infected by less infectious, less dangerous malware continue to show in the SERPs, but receive the “harm your computer” warning and have the link to the site deactivated. At least, I’d hope that would be the case. I’d hate to think that Google, after detecting the most dangerous and malicious malware infections, would continue to display the URLs of such pages to its users, regardless if those URLs are hot or not. After all, who can resist the urge to push the shiny red button even when we know it’s dangerous?

Google SERP samples

Check out the following clipping from a Google SERP. This image shows the first three organic links on Page 1 results for the query “cheap cialis online” run on my computer on 5/10/2012 (given Google’s use of personalized results and continuous algo updates, your mileage may vary with the same query):

Google SERP warnings on "cheap cialis online" query

Note the first SERP listing’s <title> tag text and the inserted exact match query terms used nonsensically within the <meta> description tag’s snippet text (a field that has no keyword relevance!). An examination of the page’s source code shows the page’s <title> and <meta> description are clear of any reference to “cialis”, yet there it is in the SERP. Is it a Google error? Not likely. I can’t say for sure, but this result could be due to cross-site scripting or a man-in-the-middle-types of attacks. Whatever the cause, the SERP listing shows the page to be compromised, and yet no “page compromised” warning is presented (probably because Google did not detect any malware and the hack work was not algorithmically detected).

The second result in the clipping does contain a linked warning line within the SERP listing. Considering the site’s domain name, I’d imagine it is indeed hacked. At least the third site listed in the SERP clipping is a legit (if there can be a legit) online provider of prescription pharmaceuticals without the required prescription!

Finding an example of a malware warning was tougher, but I found one:

Google SERP warning for possible malware

A navigational search using the query “gogo2me.net” showed the SERP listing for a well-known, malware-infected site, along with the linked Google warning line. Google more actively intervenes in malware cases. Clicking the site link in the SERP does not go the dangerous site. Instead, it brings up a Google-generated, interstitial warning page. In fact, there’s no link at all to take you to the malware-infected URL. And this appears to be a good thing.

Google interstitial malware warning page

Note the second result in the previous SERP image. Google offers what they call a Safe Browsing Diagnostics page (this link shows details from the gogo2me.net site) to report helpful information on pages detected to be malware vectors. The Google Online Security team discusses the Safe Browsing Diagnostics page in detail in a 2008 blog post. In fact, Google places a link to the corrupted site’s Safe Browsing Diagnostics page on the interstitial page as well, so you can’t miss its contents:

Google Safe Browsing Diagnostics page

In 2007, Matt Cutts wrote a blog post in which he addressed Google’s historical interest in protecting its users from malware threats, and included several links as reference material.

It appears Google does a good job at detecting and, when necessary, intervening in the behalf of users to protect them from malware. They also generate warnings about compromised pages, but they appear to be less effective in managing that. What’s not publicly known is whether they block the most dangerously infected pages from appearing in the SERPs or just block linked access to them via the interstitial pages. I hope it is the latter, but we’ll likely never know. Google knows that malware creators are always testing to see how Google handles their work, and any specific words from Google about that issue could only help malware become more stealthy.

Back to SEO relevance

So why is this important for SEO? Let’s rephrase the question: Why are malware warnings important for online marketing? Ah, now it becomes clear. Let’s answer that question with some metaphorical questions: How many customers will walk into a brick-and-mortar shop that have fire suppression sprinklers running? How many customer will open the door when signs warn that the store is being fumigated or has a gas leak? And if the business is in the process of being robbed and the doors have been locked by security, customers who wanted to come in are actively blocked! Bottom line: your online business will be in jeopardy if you are not vigilant about hackers and malware. Google will make it clear your business is untrustworthy and dangerous. And that makes this all relevant to SEO.

What do you do?

Here are some basic steps you can take to prevent your online business from being effectively shut down by hackers and malware:

  • Run a virus scan on your web server. If you suspect your site has been hacked, review Google’s information on cleaning your site.
  • Run a high-quality, Internet security (anti-virus and anti-spyware) utility on every client computer that uses elevated rights to connect to your production web server and scan those computers regularly for malware.
  • Regularly monitor your Webmaster Tools accounts in Bing and Google for malware reports.
  • Check your site’s malware history on the Google Safe Browsing diagnostic page (in the browser search bar, substitute your page’s URL for the default sample URL used).
  • Review the anti-malware best practices advice from Bing (both posts) and Google.
  • If SERP listings identify your site as compromised or malware-infected, thoroughly clean up the site, and then request a malware review from Bing and Google to clear your SERP listings of any unnecessary warnings.

For more information about malware, including statistics, preventative best practices, de-blacklisting and more, check out StopBadware.org.

Malware is dangerous stuff, not only to your site’s visitors (you never help your cause by infecting your potential customers!), but also to the reputation and availability of your online business in search. Take careful precautions, be vigilant about protecting your website, and if the worst does happen, attack the problem quickly and judiciously. Bad decisions are often made during a panic, so be careful.


  1. Tedel May 15, 2012 at 8:56 AM

    Well, you can also use Linux to reduce the chances of getting a virus in your machine, don’t you think? I hear Linux is not 100% virus-free any more, but it is still way safer than Windows in this.

    1. Rick DeJarnette May 15, 2012 at 3:54 PM


      Thanks for writing. The vast majority of web servers are already running Linux, and given the number of security threats that exist today for those web servers, running Linux as your sole security measure is not a viable solution. This post is not an argument about which OS is best (I’m waiting for OS X folks to jump in here now). Instead, this post is about recognizing that online security is about vigilance and threat management. Awareness is key, and with the proper proactive steps taken, your site can avoid being ruined first in code by hackers and malware, and then in reputation by Google SERP warnings. That’s the takeaway I wanted to present.

Leave a Reply