New York Times Site Pop-Up Says Your Computer Is Infected

Zott writes "Apparently, 'some readers' of the New York Times site are getting a bit more with their news: an apparently syndicated adware popup with a faux virus scan of the user's computer indicating they are infected, and a link to go download a fix now. It's entertaining when a Mac user gets it, but clearly downloading an .exe file isn't a good way to keep your computer clean ..." Update: 09/14 03:20 GMT by T : Troy encountered this malware, "and did basic forensics. Summary: iframe ad then series of HTML/JS redirects, ending at a fake virus scanner page with a "Scan" link (made to look like a dialog box button) that downloaded malware." Nice explanation!

Re:It's very entertaining.

The newest version of the "Antivirus 2010" software is a pain in the ass to get rid of. It rootkits the system and makes manual removal pretty much impossible without a WinPE boot disk of some kind, and even then it's difficult to find all the instances. There's one tool I found to remove it and most of its kin, and that is combofix. It successfully cleans Antivirus 2010 and a host of other rootkit-based malware in a process I can only describe as "magic". I'm just posting this to help out others that have spent way too much time trying to get rid of this crap off of friend/family computers.

Re:Happened to my Parents

Would that be this one? That's pretty darned old. Reminds me a bit of the title text display bug that used to hit XKCD et al.

Re:It's very entertaining.

[Z34107]

I completely agree with "combofix rocks." My job at the college I attend is pretty much removing that virus 24/7 from student laptops, and I've learned a few things:

1) McAfee sucks. We supply a copy of the Enterprise version to students, and a patched installation is required for internet access. Somehow, we're still inundated every semester with the latest flavor of AntiVirus ModelYear.

2) ComboFix is amazing. It's simple, but it automates a lot of tools that are a bit of a pain to use on their own. Ten minutes, and most malware is somewhat neutered.

3) MalwareBytes is amazing. ComboFix always misses stuff, but it lets us install MalwareBytes (also free) which finishes the job. I haven't seen any virus MB couldn't remove.

It's usually faster to run ComboFix + MalwareBytes (half hour between the tools in most cases) than it is to nuke it from orbit and reinstall Windows. Unless you're paranoid, two programs will take care of your end of your extended family's implied social support contract.

Re:News? Where?

[Jahava]

What exactly makes this different from any of the other hundreds of sites with the same popup? Is it just because this is a large, well-known website like the New York Times?

That's my impression. I think the interesting thing here is that the presumption that reputable websites have reputable advertisements has been violated. NYT's advertising policies include the following paragraph:

The Times may decline to accept advertising that is misleading, inaccurate or fraudulent; that makes unfair competitive claims; or that fails to comply with its standards of decency and dignity.

Granted, they don't outright state that the content is prohibited, but they do imply a stance against this type of advertising. This is a clear violation of that intention, and they took the appropriate response. I'd be most interested in knowing if this particular advertisement was intentionally approved, "slipped through" accidentally, or was injected illicitly (e.g., their advertising server was hacked, etc.).

Re:It's very entertaining.

[Z34107]

In a perfect world, we would do that, but we get too many machines in and out to make that feasible. Then, there's all the normal luser problems: I don't know where my files are, I have no install media, I have no keys, I deleted my recover partition to save space, etc.

The foolproof way to remove the AntiVirus ModelYear rootkit is: Make a file-based image of the hard disk. By design, it hides from the file system, meaning it will not be included in a image made by a tool like ImageX from Microsoft's free WAIK. Gather an image and apply it to the same hard disk, and the rootkit's gone.

If you're adventurous, ImageX lets you mount the image file on a clean PC to do offline scans of its files and registry hives. You can clean a computer without ever booting it.

But, that's generally overkill. AntiVirus ModelYear rootkit isn't the nasty kind of hardware-hypervisor rootkit - it runs at kernel privileges. So does MalwareBytes. To be dangerous, it has to run at a higher privilege level than the removal tools.

For family members that promise me food, I go the extra mile and do the clean install for them. Staff machines we just re-image.

CNN...

[CryptoJones]

has also been doing this for the past two days.

Re:HOSTS file and noscript

[Rick17JJ]

I have been using the latest version of the MVPS modified hosts file on both my Linux computer and on my Windows XP computer. However,instead of using the 06-14-06 version which davidshewitt linked to, I have been using the much newer Sept-02-2009 version instead. One link is for, what at the moment, is the latest version of the modified hosts file and the other link is to the installation instructions and general information.

http://www.mvps.org/winhelp2002/hosts.htm
http://www.mvps.org/winhelp2002/hosts.txt

I recently also started using the NoScript add-on and also the Adblock Plus add-on for Firefox on both my Linux computer and on my Windows XP computer. But, perhaps using both the ad blocking host file, plus Adbock Plus, is redundant and unnecessary. With the NoScript ad-on, I occasionally click on the icon, which has now been added to the lower right corner of Firefox. After clicking on that, I can choose whether to temporarily or permanently allow a particular web site scripts.

I do nearly all of my Internet browsing from my Linux box. But, when I occasionally actually dare to use my Windows XP computer to browse the Internet, I use Sandboxie to sandbox my default browser, which in my case happens to be Firefox. I am not an expert on any of this, and am not a regular Security Now listener, but here are a couple of episodes that are about Sandboxie.

http://www.grc.com/sn/sn-172.htm
http://www.grc.com/sn/sn-174.htm