Announcements
An Important Site Announcement
During the past few weeks many of you may have noticed the site wasn't functioning at optimal health. A few weeks ago, we started getting reports that many of you were seeing malware, trojan horses and other virus warnings when you visited the site. Our initial efforts to resolve this were unsuccessful and since that time we've been working diligently behind the scenes to diagnose exactly what was happening to the site and how we could fix it.
In a nutshell, our site was infected with sophisticated and malicious malware that we had great difficulty eradicating, despite constant and numerous efforts.
We realize that many of you had your own computers infected as a result and for this we apologize.
Now, after weeks of working on the problem, and having taken the site offline for the past 24 hours, we believe the site is now clean and it's safe to begin browsing blogTO again.
For those of you interested in learning more about the issue, I have put together this FAQ that will hopefully answer most of your questions.
I'M STILL SEEING MALWARE WARNINGS. WHY?
If you're still seeing malware warnings, please notify me immediately at tim [at] blogto [dotcom]. We believe the malware has been removed, so if you're still seeing warnings they may be coming from a cached page or from Google (as the site was temporarily flagged as a distributor of malware). Last night we asked Google to review the site again, and it appears they agree with us that the site is now clean. Google has removed the warnings, so hopefully these messages will disappear soon if you're still seeing them.
HOW DO I KNOW IF MY COMPUTER WAS INFECTED?
If your computer has been infected, we recommend installing anti-virus software, or updating the virus definitions of your existing one, and running a full scan. We also suggest running an anti-spyware scan on top of that to double-check that your computer is clean of any traces of the malware. We also strongly recommend switching to a more secure browser such as Firefox or Safari, and keeping your Adobe Acrobat Reader software up to date.
IF I VISITED THE SITE OVER THE PAST FEW WEEKS, DOES THAT MEAN I'M INFECTED?
Not necessarily. For those of you who have good anti-virus software installed it's likely that your computer prevented the infection without you even knowing about it. Also, you're much more likely to have been infected if you use a PC/Windows rather than a Mac.
WHAT DID THE MALWARE LOOK LIKE?
Most of the weird things you might have seen on the site were related to the malware. This might have included the home page being turned into an ad for Viagra, the ShareThis button or Google Search bar appearing at the top of the page, and pop-ups prompting you to download a suspicious PDF.
WHAT SPECIFICALLY WAS THE SOURCE OF THE MALWARE?
To the best of our knowledge, the site was hacked with the r57shell backdoor, which is written in PHP and was created by Russian hackers. The hacker (and we have no idea whether they were Russian or from somewhere else) used it to infect two main JavaScript files on the site with malicious JavaScript code commonly named JSRedirector. That code loaded malware exploiting vulnerabilities in Internet Explorer and Adobe Acrobat Reader, which anti-virus software recognizes under different names such as JS:Pdfka-WD or Trojan.Script.Iframer.
WHAT DID YOU DO TO TRY TO RESOLVE THE ISSUE?
In the first few days of the attack, many of you sent us screenshots that helped us pinpoint the infected files. After reviewing the files we were able to locate the malicious code and remove it. Unfortunately, however, the code kept getting inserted. We even created a script to remove the code as soon as it appeared, but this didn't prove to be a viable solution.
Since we don't have a web security expert on staff, we sought the help of an external web security expert, who provided additional tools for us to diagnose the issue. What we realized is that, despite our best efforts, we still had a vulnerability in our server that was allowing the malicious code to be continuously re-inserted. We undertook a number of fixes and upgrades in order to eliminate the vulnerability, but these proved to be unsuccessful.
We also consulted constantly with our web hosting provider, but they were unable to provide any meaningful solutions.
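The two problems described above (legitimate JavaScript files being rewritten to carry an injected redirector, and a clean-up script that only removed the code after it reappeared) are what a file-integrity baseline is for: hash the web root while it is known to be clean, store the hashes somewhere the web server cannot write, and alert on any file that changes or appears. The following is an added example written for this page, not blogTO's code; the file names, contents and "injected" string are all constructed, and the regexes are coarse heuristics for the hidden-iframe and obfuscated-redirector style of injection the announcement describes, meant to flag files for human review rather than to delete anything automatically.

```python
"""Integrity baseline for a web root plus a heuristic scan of changed files.
Added example (not blogTO's code); every path and sample string is constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# Coarse indicators of injected client-side code. A hit means "look at this
# file", not "this file is malicious"; keep the list short and reviewable.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.I), "zero-size iframe"),
    (re.compile(r"\beval\s*\(\s*unescape\s*\(", re.I), "eval(unescape(...))"),
    (re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I), "document.write(unescape(...))"),
    (re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){15,}", re.I), "long fromCharCode sequence"),
]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, suffixes=(".js", ".html", ".php")) -> dict:
    """Map each static file (relative POSIX path) under root to its hash.
    Run this on a tree you trust and keep the result off the web server."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in suffixes
    }


def check_integrity(root: Path, baseline: dict) -> dict:
    """Diff the live tree against the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def scan_for_injection(text: str) -> list:
    """Return the labels of every heuristic that matches the file contents."""
    return [label for pattern, label in SUSPICIOUS_PATTERNS if pattern.search(text)]


def demo() -> dict:
    """Constructed scenario: baseline a tiny site, then simulate tampering
    (an appended obfuscated redirector and a dropped PHP file) and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "site.js").write_text("function init(){console.log('ok');}\n")
        (root / "index.html").write_text("<html><body>hello</body></html>\n")
        baseline = build_baseline(root)

        # Simulated tampering (constructed, inert strings).
        with (root / "js" / "site.js").open("a") as fh:
            fh.write("\ndocument.write(unescape('%3Ciframe%20src%3D...'));\n")
        (root / "dropped.php").write_text("<?php /* constructed sample */ ?>\n")

        report = check_integrity(root, baseline)
        report["reasons"] = {
            k: scan_for_injection((root / k).read_text()) for k in report["modified"]
        }
        return report


if __name__ == "__main__":
    print(demo())
```

Scheduling `check_integrity` every few minutes and paging on any non-empty `modified` or `added` list would have surfaced each re-infection immediately; it would not by itself close the hole the attacker used to write the files, but it turns "readers emailed us screenshots" into an alert with a timestamp, which is the starting point for finding that hole.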
HOW DID YOU FINALLY RESOLVE THE ISSUE?
We believe the issue is now resolved after applying additional fixes and, most importantly, moving to a new server. Moving to a new server caused the site to be inaccessible for the last 24 hours.
WHY DIDN'T YOU SHUT DOWN THE SITE WHEN YOU FIRST FOUND OUT IT WAS INFECTED?
Hindsight is 20/20, as they say, and if we knew then what we know now we certainly would have handled things differently. The fact is that on numerous occasions we thought we had resolved the issue, and it was only through repeated emails from some of you that we realized how sophisticated the breach was and that the latest effort had not succeeded. Every day we thought we had a solution, and therefore didn't think shutting down the site was necessary, as we were being very proactive in eradicating the malware. Obviously, at a certain point we had to acknowledge that things had gotten out of hand and that it was no longer appropriate to keep the site live, which is why we took the site down yesterday.
WHY DIDN'T YOU COMMUNICATE WHAT WAS GOING ON?
We definitely could have handled things better. Many of you emailed us and sent us messages via Twitter which we responded to directly. In hindsight, we should have posted something on the site.
WHAT NEXT?
We're very grateful that you care enough about the site to read this FAQ and hope to earn your trust that blogTO will offer a safe, malware-free web browsing experience going forward. We, of course, will continue to monitor the situation and will work at resolving further issues should they arise.


Discussion
92 Comments
When the button Malware warning popped up I thought Safari made a mistake and just continued browsing!
Plus, this is so not cool. Totally unacceptable that you knew and yet did not shut down the site right away. Weeks? How many of your readers were infected?
I DIDNT THINK SO.
the morning brew is a great start to the day!
nick
My work comp was infected last week and I had the IT folks yelling at me. We couldn't figure out how it happened. I had no idea blogto was most likely the cause.
if you have a windows/system32/lowsec folder on your drive, you have it still
also, a u.exe file in your C: root folder
it can be removed only with a boot cd that allows you to change registry settings and delete files without starting the operating system
http://www.microsoft.com/securityessentials/ is actually really good, <5MB, low-resource utilization and FREE.
you're not alone in that decision either as plenty of other sites out there have done the same, although that doesn't excuse blogto by any means.
Also, I agree with an above comment that this message should be available from the front page without scrolling for a while.
(And the torontoist has been posting some pretty great articles lately . . . )
Anyway, if you run the SpyBot program, it'll find the problem but it won't be able to delete the file until you restart your computer after selecting the option which enables SpyBot to scan your computer before things are loaded up. Worked each time for me.
http://www.safer-networking.org/index2.html
And yes, the diligent thing to do was to suspend the website to ensure us readers didn't get infected when you first discovered the problem.
Anne Marie: $200!? Cripes woman, I would've fixed your computer for a dinner date at The Keg! That's half the cost and you get great company!
It's unfortunate but people have to do their own due diligence when on the web.
What was the malware identified and what steps can readers take to remove it? This should be something listed here I think.
Does this mean what I think it means? Is Darren in TO really gone?
What was the content of said PDF file?
Was the malware ad related?
Information is key here. I hate to break this to you but I care less that YOU HAD malware and fixed it than if I HAVE malware and how to identify it.
But, boy! Were we working hard behind the scenes to fix OUR problem. Just not yours.
What a bunch of creeps you are.
Don't be such a baby, I couldn't care less if I offend the child like sensibilities of every dummy on the web.
Also, don't mix up my questions with those of other posts. I don't care why blogto did what they did and why. I also didn't have any problems with the site other than it being down. Give your head a shake and read before the lump of coal in your skull commands you to rabble onto your keyboard.
I love the site, so I'm not leaving or anything drastic, but really feel let down.
All these poor buggers who had to pay to fix their machines ought to go the class action route to recover their funds, being that you knew of the threat for weeks and did nothing to prevent the spread.
Try Malware Bytes, it cleaned my system
You should post a genuine apology to all those people your site infected, people who you allowed to get infected by taking no action or even warning people. You knew what was happening and yet did nothing. Sure you might have been scrabbling around behind the scenes but that did nothing to protect the people who continued to visit your site unaware of the dangers.
Whatever your problems were and however you were trying to handle them, there is no excuse for allowing people to continue visiting the site after you knew there was a serious problem. Hugely disappointing.
One message for the Mac folks here though -- stop being so cocky, because current attacks directed at Flash, Adobe Reader, and other applications you run mean you are definitively not immune to these problems, and continuing to think you are roughly places you in the CRT iMac era. Get with it and start taking this stuff seriously.
Re: Flash alternatives, the whole point is the lack of alternatives and the ubiquity Flash enjoys combined with the lax posture, updates from Adobe -- all of us have to take it (and similar widgets we've come to grudgingly accept) seriously as a chink in our armour, no matter what our platform. If you to go to Firefox, check out the "Flashblock" plug-in which lets you block or whitelist this stuff as you see fit.
Seriously, this should be the first post on the site for at least a week, if you are serious about wanting to protect your readership and not just trying to sweep this under the rug.
P.S. Let's keep the Mac vs PC debate for another forum. This comment thread is not the place guys.
It's a testament to the quality of your site that I keep returning despite all this workaround, but that you *knew* for weeks and didn't tell your readers, nor take more drastic action? Very. Bad. Decision making.
Many companies have done so and productivity has gone up without the fear of malwares.
Malware bytes is a great malware cleanser and it's free, do a search on download.com.
Well first the TTC apologizes for shitting on their riders , now you idiots "apologize" for infecting your readers . What is next ? i am curious and not fuc kin amused.
fail blog
You got some respect to earn back blogto
Poor decision making, Blog To. It shows how you view your readers.
Coincidentally (or not) my laptop got a virus 2 weeks ago that required a reformatting. Symantec didn't catch it in time.
I use a Mac, so was unaffected by whatever issue you were having (thankfully), but I think for non-Mac users you need to do more. The "Important Site Announcement" link is very easily missed. It should be at the top of the page or coloured red to draw attention to it.
You guys dropped the ball on this and, like Giambrone, don't seem to be doing your best to make things right with your constituency, some (many?) of whom seem to have been negatively impacted by your lack of appropriate security and action.
FWIW, your statement is incorrect in that anyone with a good antivirus program shouldn't have had a problem. I use a non-Microsoft, slightly more secure browser (Opera), and was running a completely up to date version of Norton Antivirus when infected by your site. I'd start by urging ALL folks who have visited BlogTO in the past few weeks particularly on PCs to get their computers properly scanned by at least two different malware/antivirus tools to be sure they're not infected.
If it was ad based AdBlock Plus + FireFox may have saved me. I recommend this combo to everyone. And it works on PCs, imagine that.
In the meanwhile, everyone reading this, and especially everyone who got infected with whatever it was more than once, should check for security updates to their browsers, Flash plugins, and PDF viewers. If those updates aren't forthcoming, ditch what you've got and switch to something that's properly maintained.
This is a good example of the fact that a site that's been clean for years can one day serve you up an exploit.
The details still belong up in the body of the article, though.
I wouldn't blame Adobe, a problem in the application should not be able to damage proper operating system.
And that MSE actually isn't bad, on top of being free and easily available:
http://en.wikipedia.org/wiki/Security_Essentials#Reviews
Thank you Tim for providing us with the malware info. If those were the exploits used, is your team aware of what malware was delivered? In the "WHAT DID THE MALWARE LOOK LIKE" section you mention the symptoms of "most" of the malware; is there any more that could be more subtle and dangerous?
By differently they mean they'll handle it exactly the same as before. They'll keep the site up and not make mention of the virus and let countless number of viewers get infected with the virus until they triumphantly claim they beat the beast!
Considering I completely reinstalled Windows a few days ago thanks to having a virus causing crap on my computer, it's unlikely I am getting warnings because I haven't cleared my cache since the last time your site failed to protect its readers.