Friday, March 05, 2010

Identifying And Removing HTML / JavaScript / XML Based Malware From Your Blog

Occasionally, in the recently discovered social engineering blog attacks that involve shiny blog accessories, we've seen reports of aggressively protected malware, that's being installed on some blogs.

When a misbehaving HTML gadget is the source of the problem, it's sometimes possible to click on the "Quick Edit" icon for the gadget, and click "Remove". Alternatively, go to "Page Elements", and click on the "Edit" link for the gadget in question. This does not always work so simply, however.

If you can't remove a recently installed gadget, because you get redirected when trying to use the "Layout" button from the dashboard, or the "Remove" button from the "Page Elements" wizard, you may have to be imaginative.
  • Use a well protected browser - minimally, one which blocks scripts from any non Blogger / Google domain, to clean your blog. This is the simplest possibility here.
  • Use an HTTP text proxy, to examine the blog code.
  • Remove the code manually.
    1. Use a protected browser or proxy server to access the blog, and "View Source".
    2. Look in the source, and find the offending gadget / module. If it was installed as an "HTML / JavaScript" or Blogger "Add a Gadget" (XML) gadget, look at the code carefully, and look for "Gadgetnn" and "HTMLnn", where "nn" will be the sequential number for that HTML / XML gadget. This is important.
    3. Manually access the Layout "Edit HTML" wizard for the blog.
    4. Do not check "Expand widget templates" - just "Edit HTML".
    5. Look in the code, carefully, for each "Gadgetnn" or "HTMLnn" entry.
      <div class='widget Gadget' id='Gadget1' />
      or
      <div class='widget HTML' id='HTML1' />
    6. Remove that line of code.
    7. Save.
  • As always, please backup the template before and after you do this cleanup!


If you cannot find an obvious culprit from a quick "View Source", then start removing all "HTML / JavaScript" gadgets, and all XML gadgets (possibly including some installed from the Blogger "Add a Gadget" wizard), installed most recently ("recently", in some cases, being 2 - 3 months back).
  1. Remove a gadget.
  2. Clear browser cache.
  3. Test.
  4. If no improvement, repeat.
Alternatively, just remove all accessories and gadgets - then re install and test everything, one by one.
  1. Add a gadget back.
  2. Clear browser cache.
  3. Test.
  4. If a problem is seen, remove that gadget and identify it.
  5. Repeat.
It's your blog, and your decision which way to go. Barring any obvious suspects, I think I'd try the latter.

If you do put some accessories back, or add anything more, keep an eye on what you add, and check your blog frequently. A lot of the complaints this week appears to involve hacks that may have been installed 2 or 3 months ago. Watch out for smart code, that doesn't activate (reactivate) the hacking immediately when installed.


It appears that some malware may be included in some gadgets installed by the Blogger "Add a Gadget" wizard. If you find removing any Blogger gadgets to provide you any relief, please report your findings in my article Some Hijack Malware Is Being Claimed To Be Blogger Provided. Your details, provided there, would be greatly appreciated.


>> Top

6 comments:

The Work Organizer said...

Thank you for helping me get to the code. Once I saw the evil meanies, I cut them out of there! THANK YOU for keeping me calm enough to snoop around.

Sai Lealea said...

Many thanks for your advice. I was successful in getting rid of the suspect gadgets which had subverted by blog. Much appreciated.

cik bella said...

yess.i did it! thanks soo much!finally i can view my blog without the warning that my blog contain malware!!yeaaa!!!!thanks yaaaa

Allegretto said...

Thanks for your advice. I'm preparing to have a go at it.

Christian Conservative said...

Thanks... hate it when jerks pull stuff like that.

zana said...

thanks for helping.