New York Times Site Pop-Up Says Your Computer Is Infected
Zott writes "Apparently, 'some readers' of the New York Times site are getting a bit more with their news: an apparently syndicated adware popup with a faux virus scan of the user's computer indicating they are infected, and a link to go download a fix now. It's entertaining when a Mac user gets it, but clearly downloading an .exe file isn't a good way to keep your computer clean ..." Update: 09/14 03:20 GMT by T : Troy encountered this malware, "and did basic forensics. Summary: iframe ad then series of HTML/JS redirects, ending at a fake virus scanner page with a "Scan" link (made to look like a dialog box button) that downloaded malware." Nice explanation!
I think it's actually more entertaining when I don't get it at all on any platform, because I disabled javascript.
Ouch for all those who are de facto family computer technical support.
I downloaded the exe and, sure enough, it said I had a virus. Ha! I knew downloading files from pop up ads would pay off one day. And it sure did. Big time.
While using StumbleUpon, a pop-up "scans my C drive" and informs me of multiple threats, then tells me to download XYZ software to get rid of it. One of them wouldn't even let me close the window. I had to open a terminal and killall to get rid of it.
My AVG anti-virus caught this, but I would have thought the NY Times would have had better security.
What exactly makes this different from any of the other hundreds of sites with the same popup? Is it just because this is a large, well-known website like the New York Times?
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
But when it starts telling me the C:\ drive on my Linux box is infected it's hard to stop laughing.
Still was a job to get rid of the circle jerk pop ups.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
I was getting this message while using Linux. It would show me the pop up and then send me to a web page that looked just like Windows Explorer. I was surprised to see it on a site like the New York Times.
And they wonder - Why is print media dying?
Because they can't adapt properly. Seriously guys, filter your ads!
I was hit by this issue earlier today, more info with some malware URLs available on metafilter here.
What really annoys me is that these things are most effective because they use javascript alerts to freeze the browser. If you could just browse away from the crap, I could teach my parents just to ignore it.
"Javascript alerts are not tab modal" has been a known bug in Firefox going on 9 years now. It's not just an annoyance, it's a security bug, fix it!
How we know is more important than what we know.
but clearly downloading an .exe file isn't a good way to keep your computer clean ..."
Absolutely, .com, .bat and .scr are the only way to go!
Unreal. Seriously NY times?!
Hahahahahahahaha!
We have seen this before so why whine now? Defend yourselves with commonsense and firewalls and Antivirus.
Having a Mac or a Linux system won't save you any longer so get on the stick!
So that's why my Ubuntu is acting weird lately.
I get these occasionally as well; me being a Mac user, it's humorous to see my "C:" drive being scanned ...
... if we wanted to catch a virus from the New York Times, we had to read a copy that some hobo had used for a blanket.
Now you kids stay off my lawn!
Have gnu, will travel.
In this case, it runs a mock scan, states the computer is infected, and then pretends to offer help. The exe file sometimes gets downloaded. From the way I have seen IE work lately, I would not think the file would download without user intervention, but, the page does a good job of scaring users, so I suspect some might download the files.
The malware site is protection-check07com
malwareurl.com has the owner listed as Elton John; perhaps one can think that this is a pseudonym. Kind of lends credence to rules that require valid information on domain name registrations.
In any case, this is where the address is listed. Looks residential, so maybe that is fake as well. I hope the protection-check people are not setting up some poor sod. Ha, protection check.
Of course this does bring up two issues. Everyone is afraid of viruses, so it is easy to translate that fear into irrational action. It might make us think about some activities that went on this past weekend. Second, such attacks work by mimicking the theme of certain systems, so perhaps one countermeasure is to allow users to vary their theme. This might be very good for corporate machines, as firms might like custom themes. On Macs and *nix, of course, the attack did not work because the web page did not integrate into the background; an elephant is going to look quite conspicuous in a field of leopards.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
I really have to thank the N.Y. times for going far above and beyond the call of duty and notifying their readers of virus infected computers.
Best 40 bucks I ever spent, I can now browse the web with confidence with my shiny new AntiVirus 2010 Enterprise.
The concern I have over the long term is that sites like the NYT may not know what advertisements will appear because they are placed by bulk-buying proxies that dispense them at page-load time, probably based on evil-cookie trails or other demographic markers. So, the question becomes: how should a presumably high-integrity site such as a major news outlet ensure quality when they've outsourced advertisement delivery?
Review of each possible advertisement would be onerous, but failure to have some standards in place will eventually lead to malware (or worse) injected into unsuspecting reader's machines. I just chuckled when it popped up. I run Macs at home. But, when things like this happen to family members running PCs (and we get the phone call) it stops being funny pretty quickly.
Is there a business case for reviewing advertisements (and the associated mobile code whether it be FLASH, etc.) for a 21st century "Good Housekeeping Seal of Approval"? After all, the NYT and others are just one virus (or porn advertisement) away from a PR nightmare.
--- Bill Hicks
I had the popup (despite FF w/adblock enabled) while reading a story this morning.
I never even considered that the Times would be running something like this so I launched into cleansing mode. I wasted an hour hunting for malware or a virus that was not there. Thanks a lot!
I have FF 3.5.3 and AdBlock, the latest Flash and Java, AND the latest MVPS Hosts file, and it came up anyway. Three hours after I added the two sites involved to my Hosts file, the redirect happened again... but this time, it stalled.
Bottom line: Signature- and site-based detection can always be defeated.
If it's an online popup it's not print media. It's online. The lack of filtering of online ads is not a cause of print media's death. However, online ads in and of themselves are a cause of print media's death.
your DVD player has a cup holder like your computer, click here."
I could understand this if it were a News Corp paper like the WSJ, but a lie intended to induce fear and take money from people on the NY Times, seems out of place.
A few days ago, my wife hit the same thing following a link in a perfectly benign Google search result! She would have had no idea how to untangle this by herself, since I had failed to turn off Firefox restore on error, so killing and restarting Firefox got right back to the problem.
First truthful article is a pop-up.
Believe it or not, some high-end virtual machines, even including MS's unmaintained Virtual PC, do assign themselves to .exe files and conveniently run them!
Apple knows this possibility and that is why your Safari alerts you when you download an .exe file, not like they don't know their own OS. :)
BTW, if the virus mentioned is the one I saw, don't play around with these guys, since it was one of the rare times the Kaspersky online scanner missed the virus (trojan) offered. I submitted it to them and they included it hours later as some variant. That means we aren't dealing with some complete idiots here; they know how to morph their code so a high-end AV like Kaspersky can miss it. (Mine was from Haaretz, IL English newspaper.)
NYtimes.com is usually on my exceptions list, but not today...
Anybody know what the malware sites are, either by DNS name or IP address?
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
It seems to be back with a vengeance. Of course, I knew better than to click on it. I was really concerned that they already had my computer; but apparently they didn't.
You can't "view source" on their code, because it changes windows too fast. Ethereal, and its "follow stream" feature solve that problem. I was able to examine the code. I didn't really delve into it; but it looks like they've found some weaknesses in the scripts that allow you to somehow fake out the pop-up blocker.
Viewing the source allowed me to see the site they pull the JS from, and I simply redirect it to localhost now. That's a short-term fix of course. They really need to close the loophole that this code exploits.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
I have popups turned off in the browser, as well as disallowing resize of windows, etc. (This is under Javascript/Advanced settings.) But somehow these things still happen and I believe it is because of Flash. I wonder why there is not a similar Flash/Advanced options? Whose fault is it, the browser/plugin developer or Flash itself? Integration of Flash and the browser has been done long ago. Isn't it about time we (users) get some control over what it is allowed to do? Is there any browser that has such options for Flash?
has also been doing this for the past two days.
"Chance favors the prepared mind." ~Me
...seem to do the trick for me. I put this huge list of malicious sites into my HOSTS file, so most ads never even show up. http://www.grc.com/sn/hosts_mvps_org.txt
i got it this morning using opera. oh the humanity. didn't click on it though. i was reminded of this: http://www.p2p-zone.com/underground/showthread.php?t=24701
I opened the local paper rag yesterday and my local physician was telling me I had swine flu.
Task Mangler
What more needs to be said.
This is not news worthy.
Actually, the NY Times has had a mental infection for so long that many others and I abandoned it. Obviously they've lost enough professionalism that their advertising and IT staff have degraded to the point that this kind of thing can get through.
I like the way TFA ends with "Questions and comments can be sent to adtraffic@nytimes.com.can be sent to adtraffic@nytimes.com."
In other words: the folks at advertising gave us, editorial staff, a hard time. Now please flood their mail boxes and we'll call it even.
Would that be this one? That's pretty darned old. Reminds me a bit of the title text display bug that used to hit XKCD et al.
link is highly germane to the discussion
$ make available
I can't understand how the people publishing these ads can get enough money to pay for the ad space. There can't be that many stupid people, can there?
I was shocked this happened. I use a Mac, so it didn't catch me - but I'd like to learn how this happened.
LOL...I read this article first on the Huffington Post. When I clicked on the story, it brought up this web site: http://mediamemo.allthingsd.com/20090913/home-delivery-the-new-york-times-serves-up-some-malware/ Lo and behold, 3/4 of the way down on the right side under Sponsored Links was this ad: "Fix Hard Drive – Fix Hard Drive in 3 Mins. Download Repair Tool (Recommended) ScanErrors.com" Well, I don't know if this is a good or bad site, but from the looks of the comments, one wonders. Would anyone in their right mind download a program that supposedly scans their hard disk without knowing who they're getting the app from? Oh...Wait a minute...Sorry...Dumb Question.
Isn't it sad how the parent misspelled the wrong goatse URL (it's .fr now)?
$ make available
The New York Times is one of the most respected publications in the world. It's not going anywhere.
Yeah, my parrot 'respects' that liberal trash rag every time he craps on it. He respects its superior absorbency as his cage liner.
I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.
it will block this kind of crap - I never see it...
http://noscript.net/
For even better browsing, install Privoxy, and see no advertising, for free!
http://www.privoxy.org/
Ask Me About... The 80's!
happened to me this morning and I called NY Times immediately. Got screenshots and saved the .exe for kicks
Warned friends to stay away after that. The executable didn't seem to include a payload though, dummy file.
http://s559.photobucket.com/albums/ss36/MooPii/PAV_driveby/?albumview=slideshow
I've gotten this ad twice in the last two days, using Firefox with Adblock Plus and pop-up blocking. This is the line in the nytimes.com article that was responsible the second time:
That loads a page from tradeon.com, which loads a javascript file from harlingens.com which uses a JavaScript redirect to sex-and-the-city.cn. That page sets a cookie and does an HTTP 302 redirect to protection-check07. (Last time it was best-antivirus07.com)
Apparently Adblock isn't blocking the particular iframe that's responsible. I have the particular files I received in this series of redirects, if anyone is interested. I got all this information using the HttpFox plugin.
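A forensic reconstruction of the kind of chain the comment above walks through (iframe, third-party script, JavaScript redirect, cookie-setting 302, landing page), as an added example that is not part of the original thread and not HttpFox's own code or export format: it parses a constructed, simplified request log (format, hostnames and paths are all assumptions, with .example names standing in for the hosts the comment names) into a request tree using the Referer and Location headers, then lists the path from the article to a given page and every third-party host the page load touched.

```python
"""Rebuild the request chain behind a malicious ad from a captured HTTP log.

Added example; not code from the original Slashdot thread and not HttpFox's
own export format. The log format is a constructed stand-in for what an HTTP
observer plugin records: one request per line,
    METHOD URL STATUS REFERER LOCATION   ("-" where a header was absent).
All hostnames are constructed .example names standing in for the ad network,
script host, redirector and fake-scanner hosts described in the comment above.
"""
import re
from urllib.parse import urlsplit

# Constructed sample capture of one page load, in request order.
SAMPLE_LOG = """\
GET http://www.news-site.example/2009/09/13/story.html 200 - -
GET http://www.news-site.example/css/style.css 200 http://www.news-site.example/2009/09/13/story.html -
GET http://ads.example/frame.html 200 http://www.news-site.example/2009/09/13/story.html -
GET http://script-host.example/loader.js 200 http://ads.example/frame.html -
GET http://redirector.example/go.php 302 http://ads.example/frame.html http://fake-scanner.example/scan/
GET http://fake-scanner.example/scan/ 200 http://ads.example/frame.html -
GET http://fake-scanner.example/img/xp-explorer.png 200 http://fake-scanner.example/scan/ -
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+)$")


def parse_log(text):
    """Parse log lines into dicts; '-' becomes None for Referer and Location."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LOG_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        method, url, status, referer, location = m.groups()
        entries.append({"method": method, "url": url, "status": int(status),
                        "referer": None if referer == "-" else referer,
                        "location": None if location == "-" else location})
    return entries


def is_redirect(entry):
    """True for a 3xx response that carries a Location header."""
    return 300 <= entry["status"] < 400 and bool(entry["location"])


def build_request_tree(entries, root_url):
    """Return a tree {url, status, via, children} rooted at root_url.

    Edges come from a 3xx response's Location header (via "http NNN") and from
    the Referer of later requests (via "referer"). A redirect target is hung
    under the redirecting request only, never under the page the browser
    reports as Referer, so the 302 hop stays visible in the chain.
    """
    by_url = {e["url"]: e for e in entries}
    redirect_targets = {e["location"] for e in entries if is_redirect(e)}
    placed = set()

    def node(url, via):
        placed.add(url)
        entry = by_url.get(url)
        n = {"url": url, "status": entry["status"] if entry else None,
             "via": via, "children": []}
        if entry and is_redirect(entry) and entry["location"] not in placed:
            n["children"].append(node(entry["location"], f"http {entry['status']}"))
        for e in entries:
            if (e["referer"] == url and e["url"] not in placed
                    and e["url"] not in redirect_targets):
                n["children"].append(node(e["url"], "referer"))
        return n

    return node(root_url, "start")


def path_to(tree, target_url):
    """Return the list of URLs from the root down to target_url, or None."""
    if tree["url"] == target_url:
        return [tree["url"]]
    for child in tree["children"]:
        sub = path_to(child, target_url)
        if sub:
            return [tree["url"]] + sub
    return None


def third_party_hosts(tree, first_party_host):
    """Every host in the tree other than the page's own: the ad chain."""
    hosts, stack = set(), [tree]
    while stack:
        n = stack.pop()
        host = urlsplit(n["url"]).hostname
        if host and host != first_party_host and not host.endswith("." + first_party_host):
            hosts.add(host)
        stack.extend(n["children"])
    return hosts


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    tree = build_request_tree(entries, entries[0]["url"])
    print(" -> ".join(path_to(tree, "http://fake-scanner.example/scan/")))
    print("third-party hosts:", sorted(third_party_hosts(tree, "www.news-site.example")))
```

A real HttpFox or browser devtools export carries more columns, but Referer and Location alone are enough to tell a 302 hop apart from a Referer-linked subresource such as the loader script, which is exactly the distinction the comment's chain records; the third-party host list is what an ad-network review would need to whitelist or block.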
If you can confirm that there was malware on the system there is no cure except to start with a clean image - preferably one you stored with an imaging tool like the free Clonezilla prior to accessing any network at all or any untrusted media. Putting a clean image on can take 5-30 minutes, and is certain to remove all traces of infestation. It's actually quicker than scanning. Once you've got a confirmed hit your only business using a compromised machine is an inspection of the features that got the user into trouble so you can turn those off after you image, and capture for them a more suitable image.
There's a tired old nag about no software being secure but really one thing is for certain: once an app has been running that's known to be infested it got there because the maker knew something the user didn't. Among the other things the user doesn't know are how many other applications the malware infested, how many running services were leveraged with local privilege escalation, how many rootkits of various sorts were installed. Most modern malware immediately upon installation scans the local system and sniffs the network. They look up components and download a cocktail of toxic code that's both tailored to the specific machine and randomly generated so as to be unique. There's a management system that auto-permutes millions of vile code variants every day, and uses a genetic algorithm to determine which of the little beasties is the most efficient. This is not your dad's malware ecosystem.
Pretending to remove malware is nothing short of malpractice. All you're doing is helping the bad guys by pointing out which modules survive a cursory attempt at cleaning.
Help stamp out iliturcy.
It's even more entertaining to see this system "scan" your Windows files when you are running a different operating system ...
If I paid for a website and I got crap like this, I'd be mighty angry. The New York Times is now officially a malware vector.
...started complaining about pop ups from the NYTimes website at least two days ago. You don't often see things like that on high-profile websites, so it caught me by surprise. I initially thought some form of malware was responsible for the popup.
I have often wondered why they haven't followed the money trail to find the people behind the "Antivirus 20xx" nonsense. I know I would certainly like to read a news story about the untimely death of the people involved.
They (FBI, and their equivalents in the dozen other countries widely affected) know exactly where it's coming from, it's just not in their jurisdiction.
Code from within the 2009 version: "00420214 - Don`t install on Rus:; 00420234 - Russian or Ukrainian Windows detected. Exiting ..." - http://sunbeltblog.blogspot.com/2009/01/russian-don-infect-themselves.html
"In the early and mid-1990s, criminal groups provided protection to businesses and enforced contracts when the state was too weak and corrupt to do so. In the process, they actually helped sustain private enterprise, albeit at a high cost to business. The emergence of an economic market for private protection—in which criminal groups compete among themselves as well as with other newly formed private security agents—has stabilized the business-criminal relationship. Recently, criminal networks have taken a more businesslike approach to maximizing profit" - http://www.worldpolicy.org/journal/articles/wpj04-1/sokolov.htm
The following article is the best writeup I've seen thus far on this threat, and provides some insight on the financials:
"If these stats are to be believed, one affiliate was able to install 154,825 copies of AV XP 08 in ten days' time, and 2,772 of those copies were actually purchased by the victims. This only represents a one to two percent conversion rate, but with the generous commission structure, was enough to earn the affiliate $146,525.25 for that time period. At that rate, the affiliate could be expected to earn over 5 million U.S. dollars a year, simply by maintaining a large botnet and forcing AV XP 08 installs on 10,000 to 20,000 computers a day." - http://www.secureworks.com/research/threats/rogue-antivirus-part-2/
Kinda makes a guy reconsider his chosen career... Until you consider the mortality rate of Mafiya members, and the hordes of angry noobs wherever you go ;)
but clearly downloading an .exe file isn't a good way to keep your computer clean ...
Then how else are Windows users supposed to get new software? Downloading and installing random executables from god-knows-where is the expected method in Windows. Then people wonder why Windows users get infected with all kinds of crap.
The lack of any managed repository of vetted and verified software is, to me, the number one reason Windows sucks so hard. A plain vanilla Windows install does absolutely nothing on its own -- you're expected to go find all the software you need, and this trains users to believe that downloading and installing random crap is just fine.
Combine that with Windows' propensity for getting up in your face about every little detail -- THIS SOFTWARE NEEDS UPDATING! YOUR FIREWALL SETTINGS AREN'T CORRECT SOME OTHER SOFTWARE NEEDS UPDATING! CLICK HERE TO GET NEW VIRUS DEFINITIONS! CLICK ME! CLICK ME! CLICK ME! -- and it's easy to understand how this happens.
The entire Windows model is built around mindless, unnecessary alerts and "download and install now" crap. How are you supposed to teach users which are legitimate and which are not, and what's okay to download and what isn't, when the culture of the OS itself encourages you to do all the wrong things?
mirrorshades radio -- darkwave, industrial, futurepop, ebm.
you do know it has an "installation mode," right?
I bloody hope so, any internet 'security' software which requires you to turn it off when you install software is a bit like a car's brakes which fail under load i.e. when they are required the most!
The people responsible for combofix have done the lot of us a great big favor. Combofix saved my ass a couple of times.
The story is somewhat weak. It suggests running Avast and MS Malicious Software Removal Tool.
a comment that the NYT sucks all-around. They gave up the ghost in the credibility department years ago.
Where I come from the content of the New York Times is considered malware.
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
Shouldn't all reputable sites have some kind of filtering system for their ads? Hey, maybe there is a business opportunity if people can be sold the idea that ads can be served securely (using a third party).
How about CleanAds.com?
http://gadgetwise.blogs.nytimes.com/2009/09/14/what-to-do-if-you-saw-an-antivirus-pop-up-ad/?hp
yesterday I got this fake when visiting www.tvgids.nl. As I use Linux, for me it is of academic interest only, but I thought it dangerous enough to inform the administrator of that site.
Paai
No need to install any other software to remove that JUNK. Just run the restore to a previous check point.
Positive cash flow.
Most of the tips presented here to fix virus threats are ineffective nowadays. In this day of virus attacks it is practically (not always) a waste of time to try and clean a PC while the actual infected OS is running! Instead try this: PULL THE HARD DISK AND SLAVE IT UP TO A NON-INFECTED PC and SCAN IT with updated Anti-Virus and Malwarebytes and then EMPTY ALL THE TEMP FOLDERS. I do about 10 or 15 a week and this is the only way to efficiently clean them. In about 20% of the cases the viruses have done so much damage the PC no longer boots, or various OS components no longer work correctly if it does boot.
And for rantingkitten (above): do you realize that there are many new methods of infection that users cannot control? I have seen some popular web sites (such as Verizon, Facebook and USA Today) that will infect a PC just by surfing to it. Why would you "cut people off" for things they no longer can control? What a presumptuous dick.
Of course, "absolute free-for-all" and "Apple-style App Store" are not the only two choices. You sort of get to this later in the post, but of course the main concept left out here is the Linux repository concept. You can be reasonably sure that apps in the repository have been vetted for viruses, etc. (at least you can with Debian)... and yet, if you really want to get software somewhere else, you can... but it's buyer beware.
It's not even true that Linux repositories are all OSS (Deb certainly has a "non-free" repository), and even if it were, the OSS-ness of the repository is certainly not an essential feature. Microsoft could certainly come up with a repository of software for Windows that was all closed-source, yet still vetted for malware.
I got this popup yesterday and I was worried because the only thing I had open was the NY Times website. I figured I had some kind of adware launching browser windows. I wouldn't have expected something like this from a venerable website like the Times.
I don't see any ads on the NYT pages. I do, however, use NoScript and AdBlockPlus. And incidents like this show all the more reason to use them.
Yes.
I think some of us (hey, I was one of them) were hoping NYT had the clout to get away with Just Saying No to such bullshit. The ad business really sucks right now, because the standard practice is that webmasters allow the advertisers to do anything to the page. You script src="somewhere" and there's just no telling what it's going to do. And the only way this can ever change is if people say Fuck That to the standard practice. I am far too small to say no to that and still get paid to run ads (the advertisers' response would be "see ya"), but I hoped NYT wasn't. Looks like my hopes were in vain. We're fucked. Everyone is fucked.
If NYT is not allowed to prevent this problem, then who is?
Actually, there's an answer to that, but it's the answer no one wants to hear. The only people who are allowed to prevent these problems, are the users. The so-called fanatics (who aren't really fanatics) are correct: turn off javascript. You can't trust any website that runs ads, because the websites aren't in charge of what's on their pages.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
It is amazing what decent graphics, adequate grammar and well designed social engineering can get people to do.
This is yet another variation of a series of malware packages I've seen over the last few years. You get to them through compromised websites or links. They attempt to scare you into downloading and paying for a package to 'solve' the problem. Because the graphics look 'real' and the grammar/spelling is decent, some people wonder if their machine IS infected.
I ran into one of these when a coworker on a MAC called to say that his machine was infected. They had been doing a Google search and found a link that brought up a very scary 'You are infected' screen, complete with 'scan' results. I made a lot of screen prints of the warning messages that popped up when I tried to close the screen using 'normal' means of ending the program. Somebody had a lot of 'fun' coming up with a web page that opened windows when you tried closing them.
Every few days I go to the Symantec site and look under the ThreatCon section for 'Misleading Applications' to get an idea of the current threats. They usually have screen prints of the windows.
"I think it's actually more entertaining when I don't get it at all on any platform, because I disabled javascript." - by Anonymous Coward on Sunday September 13, @08:02PM (#29408785)
Dead on RIGHT: I have said this time & again here, & most of all, here:
----
HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, plus, make it "Fun-to-Do", via CIS Tool Guidance (& beyond):
http://www.tcmagazine.com/forums/index.php?s=33555fc937017deab726a927c1c4a7fd&showtopic=2662
----
AND, most of us all KNOW it - javascript can be the "harbinger of doom", on maliciously coded websites script tags OR in adbanners themselves, & this is just another evidence thereof:
----
THE NEXT ADBANNER YOU CLICK ON MAY BE A VIRUS:
http://it.slashdot.org/story/09/06/15/2056219/The-Next-Ad-You-Click-May-Be-a-Virus
----
I prefer Opera in this case (even over FireFox + NoScript, for example) because it has this "built in natively", via rightclicks on pages (after setting javascript + frames/iframes usage off too, GLOBALLY, first in Tools/Preferences menus first), & then? Then you "make exceptions sites" like e-commerce or online banking sites (that DEMAND you use javascript).
Anyhow/anyways:
You've got the right idea for how to stop MOST of all what hits you nowadays online (via HTML email that allows script tags &/or webpages that do so (& yes, even malicious adbanners, which the hosting providers for these apparently do NOT check on for malicious content in them)).
APK
P.S.=> Again & I cannot stress this enough: Yes - For SOME websites you need javascript on for, + have no choice but to use scripting on them, or you cannot use them fully or at all, period - those you make exceptions for, however you do so, & with browsers that allow for it (FF & Opera do, albeit, addons are needed for FF)
(Yes, & those you have to "take your chances on" too, as to NOT being infested/infected, such as e-commerce sites or online banking ones, but, odds are they hire "TOP NOTCH" administrators & other personnel involved w/ said website material who DO check on this hopefully, to mitigate ANY wrongdoing due to negligence on their parts)
BOTTOM-LINE: In limiting your javascript usage & WHERE YOU USE IT ONLINE? You severely 'cut down' on the inability to identify where you may have somehow gotten a scripted malware attacking you, because you only use javascript on so many sites anyhow (rather than them ALL, which would make it tough to identify where you might have drawn in the infestor into your system)... apk
Ask anyone that is in the business of day in day out removing infections for systems that users want up in place with no reinstalls and we ALL use combofix and malwarebytes.
You can install or not or worry but as those in the know and we all use combofix.
The reason the commercial opps will never whitelist combofix, is many customers crawl up their asses when their paid money failed to prevent infection and they noted the guy that charged them $100 bucks at the computer repair place used combofix not their trash non-preventative and barely able to fix anything after the fact crapware.
1. User logs onto Ubuntu box
2. Login script copies VMware image from read-only partition to user space
3. Auto runs vmplayer + Windows image
4. (Ubuntu box auto shuts down at 21:30 every day)
Peace.
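The four steps above as one script, added here as an example and not taken from the comment's author or from VMware: on each login it copies the master image from a read-only location to a per-user working directory, discarding the previous copy so nothing the guest picked up last session survives, and then starts VMware Player on the staged .vmx. The paths, the single-.vmx directory layout and the `vmplayer <file>.vmx` launch form are assumptions; the `demo_round_trip` self-check builds a tiny constructed master in a temporary directory so the reset behaviour can be exercised without VMware installed. Step 4, the nightly shutdown, is left to cron or the host's own scheduler.

```python
"""Stage a fresh Windows VM image from a read-only master on every login.

Added example implementing the four-step procedure in the comment above; not
code from the original thread or from VMware. Assumptions: the master image
is a directory holding exactly one .vmx plus its disk files (READ_ONLY_IMAGE,
a placeholder path), the working copy goes under the user's home (WORK_DIR),
and VMware Player is started as "vmplayer <file>.vmx".
"""
import os
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

READ_ONLY_IMAGE = Path("/srv/vm-master/windows-xp")   # placeholder: read-only partition
WORK_DIR = Path.home() / ".cache" / "disposable-vm"   # placeholder: per-user scratch area


def stage_image(master: Path, work_dir: Path) -> Path:
    """Copy the master image to a fresh working directory; return the .vmx path.

    Any previous working copy is deleted first, so whatever the user (or a
    piece of malware) did to yesterday's guest does not carry over.
    """
    vmx_files = sorted(master.glob("*.vmx"))
    if len(vmx_files) != 1:
        raise FileNotFoundError(f"expected exactly one .vmx in {master}, found {len(vmx_files)}")
    if work_dir.exists():
        shutil.rmtree(work_dir)
    shutil.copytree(master, work_dir)
    # copytree preserves the master's read-only mode bits; the guest needs
    # to write its disk, so give the owner write permission on the copy.
    for p in work_dir.rglob("*"):
        if p.is_file():
            p.chmod(p.stat().st_mode | 0o200)
    return work_dir / vmx_files[0].name


def master_is_read_only(master: Path) -> bool:
    """True if the current user cannot write the master directory."""
    return not os.access(master, os.W_OK)


def launch_player(vmx: Path) -> subprocess.Popen:
    """Start VMware Player on the staged image (assumed CLI form)."""
    return subprocess.Popen(["vmplayer", str(vmx)])


def demo_round_trip() -> dict:
    """Constructed self-check: build a tiny master, stage it, 'infect' the
    working copy, stage again, and report whether the copy was reset."""
    with tempfile.TemporaryDirectory() as tmp:
        master = Path(tmp) / "master"
        master.mkdir()
        (master / "guest.vmx").write_text('displayName = "Disposable Windows"\n')
        (master / "guest.vmdk").write_bytes(b"\x00" * 64)   # stand-in for the disk image
        work = Path(tmp) / "work"
        first = stage_image(master, work)
        (work / "guest.vmdk").write_bytes(b"\xff" * 64)      # changes made during a session
        second = stage_image(master, work)
        return {
            "vmx_name": first.name,
            "same_path": first == second,
            "disk_reset": (work / "guest.vmdk").read_bytes() == b"\x00" * 64,
            "vmx_text": second.read_text(),
            "copy_writable": os.access(work / "guest.vmdk", os.W_OK),
        }


if __name__ == "__main__":
    if not master_is_read_only(READ_ONLY_IMAGE):
        print("warning: master image directory is writable; the reset guarantee is gone",
              file=sys.stderr)
    launch_player(stage_image(READ_ONLY_IMAGE, WORK_DIR)).wait()
```

Run it from the user's login script (for example from a .profile or a display-manager session hook); the `master_is_read_only` check is only advisory, since the real guarantee comes from mounting the master partition read-only in the first place.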
By some accident I disabled noscript and got this error too.
I have never seen one of these since I have been running exclusively Linux for the last few years. I thought it's so funny that I couldn't resist the chance of a screen shot: http://i4.photobucket.com/albums/y103/mathfield/my_virus_problem.png
Of course, turning on NOSCRIPT and it goes away.
The only possible interpretation of any research whatever in the 'social sciences' is: some do, some don't
Virtual PC Mac, last shipped version (7.0.3) release notes:
"This update fixes a vulnerability that an attacker can use to overwrite the contents of your computer's memory with malicious code."
Most amazing thing is, it is actually an emulator/hypervisor, not really something like VirtualBox. Respect to MS really. :)
I think it's actually more entertaining when I don't get it at all on any platform, because I disabled javascript.
I'm getting a popup that shows a window that looks exactly like the Windows XP theme, showing your My Computer view with the C:\ drive and CD drive as well as your A: floppy drive, which I don't have. It also showed a full scan bar underneath the drive icons showing 63 infected files. I was very impressed and clicked on the disinfect link on the bottom of the window thinking it would hot link me to a website, but instead it showed a save or open download window with a .exe file. Evil popup.
I work in the IT department at a school. It is amazing how many idiots just click away on random pop-ups and install random crap, just because the "pop-ups told them to". They get some obviously fake virus scan saying they have a virus, when it's actually just a pop-up. Then they download the real computer virus because the pop-up told them to. Now I spend a lot of time removing the malware from infected (broken) Windows machines. People Are Idiots; as they drool on the keyboards, they install random viruses just because some mysterious popup told them to!!