Italian law firm knowingly serves up infected web pages

If you got a call from a legitimate security source informing you that your website was infected, would you take action?

I certainly would, which is why I am rather frustrated when we take time to reach out to an organisation about a web infection, and they deliberately choose to do nothing about it.

Case in point: In January, Sophos contacted a Milan-based law firm, specialists in Intellectual Property, to inform them that its site was infected with Mal/Iframe-Gen.

It turns out that they have not acted on the information we provided. In fact, as the server headers below show, it looks like they haven't updated their site since November last year. We contacted the firm again yesterday, and they are simply uninterested in dealing with the infection on their website.

pob@LinuxRed:~/nv$ wget -S
--2011-03-23 15:50:21--
Resolving NN.NNN.NN.NN
Connecting to|NN.NN.NN.NN|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Sat, 27 Nov 2010 05:21:35 GMT
Accept-Ranges: bytes
ETag: "c024c3f5f28dcb1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 23 Mar 2011 15:50:20 GMT
Connection: keep-alive
Content-Length: 6172
Length: 6172 (6.0K)
Saving to: `index.html'

100%[======================================>] 6,172 --.-K/s in 0.09s

2011-03-23 15:50:21 (70.1 KB/s) - `index.html' saved [6172/6172]

Sophos detects the page as:

>>> Virus 'Mal/Iframe-Gen' found in file index.html

Most, though not all, Mal/Iframe-Gen infections are due to SQL injection. Anyone who wants to find out more about web server security should consult this paper written by my colleague Fraser.
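As an added illustration (not Sophos's detection logic and not the firm's page), the following Python shows the two checks a website owner could run on their own site after a report like this: flag any iframe rendered invisibly, which is the usual shape of an injected one, and work out how stale the Last-Modified header is relative to the response Date, using the header values shown above. The HTML sample and the URLs in it are constructed.

```python
import re
from html.parser import HTMLParser
from email.utils import parsedate_to_datetime

# Constructed sample page: one legitimate embed and one invisible, injected iframe
# (both URLs are hypothetical placeholders).
SAMPLE_HTML = """<html><body>
<h1>Studio Legale (sample)</h1>
<iframe src="https://example.org/partner" width="300" height="200"></iframe>
<iframe src="http://malicious.invalid/in.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""

# Header lines copied from the wget -S output in the post.
SAMPLE_HEADERS = """Last-Modified: Sat, 27 Nov 2010 05:21:35 GMT
Date: Wed, 23 Mar 2011 15:50:20 GMT"""

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> in the document."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _dim(value):
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

def is_hidden(attrs):
    """Coarse heuristic: zero-size, display:none/visibility:hidden, or pushed off-screen."""
    style = attrs.get("style", "").lower().replace(" ", "")
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return re.search(r"(left|top):-\d{3,}", style) is not None

def find_suspicious_iframes(html):
    """Return the src of every iframe that would not be visible to a visitor."""
    parser = IframeCollector()
    parser.feed(html)
    return [f.get("src", "") for f in parser.iframes if is_hidden(f)]

def stale_days(headers):
    """Days between the Date and Last-Modified headers; None if either is missing."""
    found = {}
    for line in headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() in ("date", "last-modified"):
            found[name.strip().lower()] = parsedate_to_datetime(value.strip())
    if "date" in found and "last-modified" in found:
        return (found["date"] - found["last-modified"]).days
    return None
```

A hit from find_suspicious_iframes on a page you did not put there is the cue to take the site offline and look for the injection vector, not just to delete the tag.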

Advice to website owners: there are people out there like us who want to let you know when something is amiss. The communication method needs to be easy and straightforward. Please provide contact details on your sites to a webmaster or web administrator.

Oh, and when you are informed by a security company that you are infected, look into it and fix it quickly. Should you choose to ignore it, you are knowingly serving up infected pages to the public. That is perhaps not illegal in some parts of the world, but it probably should be.