New York Times Site Pop-Up Says Your Computer Is Infected
Zott writes "Apparently, 'some readers' of the New York Times site are getting a bit more with their news: an apparently syndicated adware popup with a faux virus scan of the user's computer indicating they are infected, and a link to go download a fix now. It's entertaining when a Mac user gets it, but clearly downloading an .exe file isn't a good way to keep your computer clean ..." Update: 09/14 03:20 GMT by T : Troy encountered this malware, "and did basic forensics. Summary: iframe ad then series of HTML/JS redirects, ending at a fake virus scanner page with a "Scan" link (made to look like a dialog box button) that downloaded malware." Nice explanation!
The newest version of the "Antivirus 2010" software is a pain in the ass to get rid of. It rootkits the system and makes manual removal pretty much impossible without a WinPE boot disk of some kind, and even then it's difficult to find all the instances. There's one tool I found to remove it and most of its kin, and that is combofix. It successfully cleans Antivirus 2010 and a host of other rootkit-based malware in a process I can only describe as "magic". I'm just posting this to help out others that have spent way too much time trying to get rid of this crap off of friend/family computers.
In this case, it runs a mock scan, states the computer is infected, and then pretends to offer help. The exe file sometimes gets downloaded. From the way I have seen IE work lately, I would not think the file would download without user intervention, but, the page does a good job of scaring users, so I suspect some might download the files.
The malware site is protection-check07com
malwareurl.com has the owner listed as Elton John; perhaps one can think that this is a pseudonym. Kind of lends credence to rules that require valid information on domain name registrations.
In any case, this is where the address is listed. Looks residential, so maybe that is fake as well. I hope the protection-check people are not setting up some poor sod. Ha, protection check.
Of course this does bring up two issues. Everyone is afraid of viruses, so it is easy to translate that fear into irrational action. It might make us think about some activities that went on this past weekend. Second, such attacks work by mimicking the theme of certain systems, so perhaps one countermeasure is to allow users to vary their theme. This might be very good for corporate machines, as firms might like custom themes. On Macs and *nix, of course, the attack did not work because the web page did not integrate into the background; an elephant is going to look quite conspicuous in a field of leopards.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Unfortunately this has nothing to do with New York Times' security and that is the whole problem. New York Times hires an 'ad agency' which is quite a bullshit term in this case if you ask me. They embed some open ended script from said firm and then at that point have no idea what is being displayed. This 'firm' may even rent or sell the embedded space to yet another company so then even the firm has no idea what ad is being displayed. All these automated, unmonitored and unregulated ads on pages are a huge security hole but in the name of profit, who really cares?
~ Ron Fitzgerald
Would that be this one? That's pretty darned old. Reminds me a bit of the title text display bug that used to hit XKCD et al.
I completely agree with "combofix rocks." My job at the college I attend is pretty much removing that virus 24/7 from student laptops, and I've learned a few things:
1) McAfee sucks. We supply a copy of the Enterprise version to students, and a patched installation is required for internet access. Somehow, we're still inundated every semester with the latest flavor of AntiVirus ModelYear.
2) ComboFix is amazing. It's simple, but it automates a lot of tools that are a bit of a pain to use on their own. Ten minutes, and most malware is somewhat neutered.
3) MalwareBytes is amazing. ComboFix always misses stuff, but it lets us install MalwareBytes (also free) which finishes the job. I haven't seen any virus MB couldn't remove.
It's usually faster to run ComboFix + MalwareBytes (half hour between the tools in most cases) than it is to nuke it from orbit and reinstall Windows. Unless you're paranoid, two programs will take care of your end of your extended family's implied social support contract.
DATABASE WOW WOW
What exactly makes this different from any of the other hundreds of sites with the same popup? Is it just because this is a large, well-known website like the New York Times?
That's my impression. I think the interesting thing here is that the presumption that reputable websites have reputable advertisements has been violated. NYT's advertising policies include the following paragraph:
The Times may decline to accept advertising that is misleading, inaccurate or fraudulent; that makes unfair competitive claims; or that fails to comply with its standards of decency and dignity.
Granted, they don't outright state that the content is prohibited, but they do imply a stance against this type of advertising. This is a clear violation of that intention, and they took the appropriate response. I'd be most interested in knowing if this particular advertisement was intentionally approved, "slipped through" accidentally, or was injected illicitly (e.g., their advertising server was hacked, etc.).
I personally use Comodo firewall, and it's one hell of a delicate security guard. I have to turn it off when I install anything because I will be there all day clicking approve. It's not annoying when you know how to use it and change its settings (takes a nominal amount of time). I've had a lot of instances now when I even purposely download sketchy .exe files, and it alerts me right away about suspicious activity in the computer. Best of all it's free.
Help fight spam
In a perfect world, we would do that, but we get too many machines in and out to make that feasible. Then, there's all the normal luser problems: I don't know where my files are, I have no install media, I have no keys, I deleted my recover partition to save space, etc.
The foolproof way to remove the AntiVirus ModelYear rootkit is: Make a file-based image of the hard disk. By design, it hides from the file system, meaning it will not be included in an image made by a tool like ImageX from Microsoft's free WAIK. Gather an image and apply it to the same hard disk, and the rootkit's gone.
If you're adventurous, ImageX lets you mount the image file on a clean PC to do offline scans of its files and registry hives. You can clean a computer without ever booting it.
But, that's generally overkill. AntiVirus ModelYear rootkit isn't the nasty kind of hardware-hypervisor rootkit - it runs at kernel privileges. So does MalwareBytes. To be dangerous, it has to run at a higher privilege level than the removal tools.
For family members that promise me food, I go the extra mile and do the clean install for them. Staff machines we just re-image.
If you used the evil closed source Opera browser, you would have a "stop executing scripts from this page" option right below that javascript popup.
It is interesting since nobody really cares who takes what from other browsers, no "patent" or anything, especially from Opera side. It must be very easy to implement, why don't they do it? It is not some high tech JIT compiler either, a basic checkbox.
has also been doing this for the past two days.
"Chance favors the prepared mind." ~Me
I have been using the latest version of the MVPS modified hosts file on both my Linux computer and on my Windows XP computer. However, instead of using the 06-14-06 version which davidshewitt linked to, I have been using the much newer Sept-02-2009 version instead. One link is for what, at the moment, is the latest version of the modified hosts file, and the other link is to the installation instructions and general information.
http://www.mvps.org/winhelp2002/hosts.htm
http://www.mvps.org/winhelp2002/hosts.txt
I recently also started using the NoScript add-on and also the Adblock Plus add-on for Firefox on both my Linux computer and on my Windows XP computer. But, perhaps using both the ad blocking hosts file, plus Adblock Plus, is redundant and unnecessary. With the NoScript add-on, I occasionally click on the icon, which has now been added to the lower right corner of Firefox. After clicking on that, I can choose whether to temporarily or permanently allow a particular web site's scripts.
I do nearly all of my Internet browsing from my Linux box. But, when I occasionally actually dare to use my Windows XP computer to browse the Internet, I use Sandboxie to sandbox my default browser, which in my case happens to be Firefox. I am not an expert on any of this, and am not a regular Security Now listener, but here are a couple of episodes that are about Sandboxie.
http://www.grc.com/sn/sn-172.htm
http://www.grc.com/sn/sn-174.htm
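On the "is a hosts file plus Adblock Plus redundant?" question above, here is an added example (mine, not the poster's or MVPS's code) in Python: it parses constructed sample lines in the MVPS hosts.txt layout and constructed Adblock Plus `||domain^` rules (placeholder domains, not a real list) and shows the one difference that matters, which is that a hosts entry matches an exact name only while an ABP domain rule also catches every subdomain.

```python
import re
from typing import Set

# Constructed sample lines in the MVPS hosts.txt layout (placeholder names, not the real list)
SAMPLE_HOSTS = """\
# MVPS-style hosts file, constructed for this example
127.0.0.1       localhost
0.0.0.0  ads.example.test
0.0.0.0  tracker.example.test   # trailing comment
0.0.0.0  fake-scanner.example   # placeholder for a rogue-AV landing page
"""

SAMPLE_ABP = """\
! constructed Adblock Plus style sample (placeholder domains, not a real filter list)
||ads.example.test^
||bannerfarm.example^$third-party
@@||ads.example.test/safe.gif
"""

def parse_hosts(text: str) -> Set[str]:
    """Hostnames a hosts file points at an unroutable address (0.0.0.0 / 127.0.0.1).
    The loopback 'localhost' line is skipped so it is not counted as a block."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        parts = line.split()
        if parts and parts[0] in ("0.0.0.0", "127.0.0.1"):
            blocked.update(h.lower() for h in parts[1:] if h.lower() != "localhost")
    return blocked

def parse_abp_domains(text: str) -> Set[str]:
    """Domains from ABP '||domain^' blocking rules; '@@' exceptions and other
    rule syntax are ignored, only the common domain-anchor form is handled."""
    return {m.group(1).lower()
            for m in (re.match(r"^\|\|([a-z0-9.-]+)\^", ln.strip(), re.I)
                      for ln in text.splitlines()) if m}

def hosts_blocks(host: str, blocked: Set[str]) -> bool:
    """A hosts file matches the exact name only: a fresh subdomain slips through."""
    return host.lower() in blocked

def abp_blocks(host: str, doms: Set[str]) -> bool:
    """'||domain^' matches the domain itself and every subdomain of it."""
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in doms)

def covered_by_abp(blocked: Set[str], doms: Set[str]) -> Set[str]:
    """Hosts entries an ABP rule already blocks: the redundant overlap."""
    return {h for h in blocked if abp_blocks(h, doms)}
```

The overlap set is the part that is truly redundant; everything else in the hosts file still adds coverage, and the hosts file also applies to programs other than Firefox.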
Download the Microsoft WAIK and install it. Use ImageX to create a file-based .WIM image of your system and files.
Then, download dd for Windows. Use it to copy the first 512 bytes or the first cluster of Partition0 on the hard disk Windows is installed on. This will capture your boot sector.
If you're trying to use this for daily backups, ImageX won't work... You could always schedule robocopy to run daily/weekly instead. (It's included with Vista and up, but you can download it for XP.)
If you're not using it for daily backups, ImageX still requires "mucking about with special image files," but you can use ImageX to mount .WIM files into a directory, meaning you can use Windows Explorer or whatever tool to browse and modify the file system.
Instead of DD, you could always use a Vista and above install disc or make a Windows PE disc with the WAIK and run bootsect. "Bootsect /nt52 all mbr" will get you a clean NTLDR boot sector, and "bootsect /nt60 all mbr" will get you a Vista BCD-based bootsector. Of course, that only works if you're using either of those as your bootloader, but if you are, you don't even need DD.
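For the boot-sector step of the ImageX/dd procedure above, an added Python example (mine, not the poster's): once the first 512 bytes have been copied off with dd, this parses the sector, verifies the 0x55AA signature and partition table, and compares only the 446-byte code area against a previously saved copy, which is the check you want before writing a captured sector back over a machine that had a rootkit. The sector bytes are constructed in code, not taken from a real disk.

```python
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # code area; the 4 x 16-byte partition table follows it
SIGNATURE = b"\x55\xaa"        # bytes 510-511 of a valid boot sector

def build_sample_mbr(boot_code: bytes = b"\xeb\x3c\x90NTFS    ") -> bytes:
    """Construct a stand-in sector: boot code, one bootable NTFS (type 0x07)
    partition starting at LBA 2048, signature. Hypothetical data, not a real disk."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    # status, CHS start (3), type, CHS end (3), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return code + entry + b"\x00" * 48 + SIGNATURE

def parse_mbr(sector: bytes) -> Dict:
    """Fields worth eyeballing in a dd'd first sector before trusting or restoring it."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    parts: List[Dict] = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, BOOT_CODE_LEN + 16 * i)
        if ptype != 0:                                    # 0x00 = unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba": lba, "sectors": count})
    return {"valid_signature": sector[510:512] == SIGNATURE,
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def boot_code_changed(saved: bytes, current: bytes) -> bool:
    """Compare only the code area, so a legitimately edited partition table
    does not trip the check while a rewritten loader does."""
    return saved[:BOOT_CODE_LEN] != current[:BOOT_CODE_LEN]
```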