New York Times Site Pop-Up Says Your Computer Is Infected

Zott writes "Apparently, 'some readers' of the New York Times site are getting a bit more with their news: an apparently syndicated adware popup with a faux virus scan of the user's computer indicating they are infected, and a link to go download a fix now. It's entertaining when a Mac user gets it, but clearly downloading an .exe file isn't a good way to keep your computer clean ..." Update: 09/14 03:20 GMT by T : Troy encountered this malware, "and did basic forensics. Summary: iframe ad then series of HTML/JS redirects, ending at a fake virus scanner page with a "Scan" link (made to look like a dialog box button) that downloaded malware." Nice explanation!

It's very entertaining.

I think it's actually more entertaining when I don't get it at all on any platform, because I disabled javascript.

Re:It's very entertaining.

[davidphogan74]

You make people use McAfee to get online? That would be enough to make me transfer.

Re:It's very entertaining.

[davidshewitt]

It successfully cleans Antivirus 2010 and a host of other rootkit-based malware in a process I can only describe as "magic".

How do you know that it successfully cleans it out? Most viruses are closed-source, so you have no idea what's in them. Some are very, very clever, and hide in ways that software cannot detect, especially the rootkits. My policy is that the only way to be SURE that the virus is gone is to format the drive and reinstall the OS. Especially so if you don't know what the cleanup software is doing (a.k.a. "magic").

Re:It's very entertaining.

[Orion+Blastar]

Sorry after installing Combofix, my AV program Spysweeper reported three viruses just got installed, and Unhackme reported one rootkit got installed on my system from software from that link. Also it seems to have destroyed the control panel and I cannot Add/Remove programs anymore.

I think that anti-malware software needs to be peer reviewed by reliable sources before we decide to use it or not. This seems to be just as bad as a fake "infected" ad infecting your system.

Lucky for me that I was able to remove the threats by other AV software.

Re:It's very entertaining.

Owning a Mac is like owning a car when you live on a tiny island. You can drive, but you can't actually go anywhere.

Re:It's very entertaining.

[Deathlizard]

We Use F-secure here. I wish we didn't, especially when they tell us not to go to known malware sites to test if their protection is working (even though a studest is going to do just that). Makes you feel really secure doesn't it? I really wish we were running either Avira Antivir or Microsoft Forefront, since they seem to have the highest detection rates against roges so far, but we decided to give F-secure a second chance. I don't know why.

Anyway, Since we have a laptop program at the college, our answer is simple. You're getting a new hard drive and we will move your favorites, My Documents and anything on your desktop. I know students don't like this option, but they REALLY won't like their credit card being stolen, or worse; their identity. Usually when I explain to them that this method is the safest option and that ID theft has happened to students (Guess what! if you pay for Antivirus 360 at 79.95, it still doesn't work AND they got your $79.95 AND they got your CC number and all the info they need to start swiping away your credit score!!) they agree with it, but some just don't care as long as they can download movies ("My Friends Hot Mom". "Milf Hunter", ETC) or music (from Gnutella, where the music is usually trojans or piggybacking some sort of virus) all day. Most will be back infected within the month as well.

The worst one so far is TDSS.F. It runs a rogue DCHP server across your network and tries to infect anyone that connects through it. It also adds autorun entries to infect across hard and flash drives and likes to install file fixer pro, which encrypts all your files. Luckily, Bradford Campus Manager detects the DHCP rogue and denies them access (That's why many campuses do this registration now.) but our virus scanner always misses it.

Re:It's very entertaining.

[Culture20]

It's usually faster to run ComboFix + MalwareBytes (half hour between the tools in most cases) than it is to nuke it from orbit and reinstall Windows. Unless you're paranoid, two programs will take care of your end of your extended family's implied social support contract.

It used to be A rocked, and then A and B rocked. Then B started to suck, so we used A & C, then malware defeated A, so we used D & C (C had to be used second), with a splash of E. A came back with a new version, and we'll call it F. F'n rocked! Then it sucked. etc.

I could never be bothered figuring out which version of what software _really_ cleans up this week's malware. I always would nuke from orbit (after judiciously backing up data using the drive as a neutered USB disk).

Re:It's very entertaining.

[erroneus]

That is generally my approach. Once a machine is compromised, I insist that they are reinstalled from absolute scratch. Following that, I take an image file of that machine in perfect working order. And during checkups, if the machine is still in good order, I take another snapshot.

All applications should be reinstallable and all data should be stored on servers that are backed up routinely.

If those basic rules are followed, an infected machine is something of an embarrassment to the user and an inconvenience to the IT person. At worst, cleaning up the collateral damage like getting your IP addresses off of block lists because the infected machine had been spewing spam. (Followed closely by better firewall rules at the gateway...)

Windows is just going to have these problems. Mac OS X is going to have these problems. And if Linux ever gets popular on the desktop, it will have these problems. While Windows certainly has its problems, the biggest weakness is the user, and no amount of software tools or other preventative measures will fix that. In the immortal words of Ron White, "You can't fix stupid."

Re:It's very entertaining.

[bigstrat2003]

I get so tired of the extra effort it takes to keep her system running. Damnit, we paid *extra* for Microsoftt software, we paid *extra* for many of the programs she depends on. My workstations are so much less labor-intensive and get so much more work done...

Let's be fair. The problem (no offense) is just as much your wife as it is her system, if not more. If you were using the same system, you would have few issues, if any, because you'd be more conscious of what you do on there. The many techies who successfully run clean Windows installs (of which I am one) are living proof of this. The biggest security flaw in every system is the user, and even in an OS with perfect security, there will still be virus-laden machines. We'll never see the day where all users care enough to learn to tell when something is a legit program, and when it's malware posing as a legit program.

Re:It's very entertaining.

[mysidia]

They need to take responsibility for what they publish on their own sites.

I'd like to see a class action suit against the NY Times or the ad network they use by users who were infected.

Based on NYT negligently allowing advertisers to inject code into their web site.

I can understand users getting hit with fake dialogs after clicking on an ad.

But I believe web sites have a duty to take standard precautions and avoid loading remote script code

I differentiate ad content from code. It's not rocket science -- when the advertiser uploads their ad unit, sanitize the input, so the upload cannot contain any javascript, SCRIPT, IFARME, FRAME, or other unexpected tags or tag attributes, for that matter, or any remote loading. Only approved 'safe' HTML tags such as IMG. And any images referred must be uploaded and served from the ad network (again, no remote loading).

Again, it's not rocket science to sanitize input. There's really no excuse for not doing it, other than negligently ignoring security issues, and possible harm malicious ads can do...

Re:It's very entertaining.

[Mr.+Freeman]

"1) McAfee sucks. We supply a copy of the Enterprise version to students, and a patched installation is required for internet access."

It sucks and yet you require it on every student machine. Sounds to me like this isn't a student problem.

Re:It's very entertaining.

[Undead+Waffle]

It's fairly common these days... just to make sure people aren't connecting malware infested crap that hasn't been patched in years. Usually some form of anti-virus is required and sometimes they go a little overboard by requiring everyone turn on auto updates for windows machines. There was a slashdot discussion about it a little while back including quite a bit of discussion about Cisco Clean Access, the program some colleges are using for this authentication.

Re:It's very entertaining.

[rantingkitten]

The foolproof way to remove the AntiVirus ModelYear rootkit is: Make a file-based image of the hard disk. By design, it hides from the file system, meaning it will not be included in a image made by a tool like ImageX from Microsoft's free WAIK. Gather an image and apply it to the same hard disk, and the rootkit's gone.

I don't want to sound like "that guy", but really, that sounds like an awful lot of trouble to go through to protect an operating system that is, by design, vulnerable to such BS. The actual foolproof way to deal with these problems is to stop fixing them. Once users realise they can't just call someone to fix problems they caused themselves, they'll either wise up or use an OS that doesn't actively encourage this sort of behavior.

Yes, yes, that's a utopian ideal, it won't work in the real world, I know, I know. But really, by going through such enormous pains to protect users from not only their own stupidity but the shittiness of their operating system, you are empowering them to continue doing whatever stupid shit got them in trouble in the first place, because they'll think "support can always clean it up..."

In my company there comes a point when I just cut users off. They've inflicted whatever problem upon themselves, we've addressed it twice -- this is the third strike and they're out. It's not worth it to anyone to continue supporting people who insist on screwing themselves over, and the number one way they screw themselves over is by using an OS that allows them to screw themselves over so easily.

Okay, so I guess I do sound like "that guy". But how long are you going to continue mounting these Herculean efforts to rescue idiots from their own incompetence with a system that encourages their incompetence?

Re:It's very entertaining.

[Deathlizard]

although a lot of files still do the false extension stuff, that's not the case with the MP3's were seeing.

These are perfectly legitimate MP3 files. They are not rebadged WMP files. They will play music. they play on an mp3 player. How they work is that they usually have ID3 tag data which tries to exploit WMP or Winamp to execute code or connect to a malicious site. We also see the WMA's disguised as MP3's as well, but the ID3 MP3's have been getting more popular as of late.

as for hiding file extentions. There is a set of laws that I follow.

Laws of computer stupidity
1) 99% of computer users do not know what they are doing.
2) computer users do not read.
3) If a computer user can click on it, they will.

Disabling "hide file extensions" doesn't solve anything because of all of the above.

1) They don't know why that file has an .exe at the end or care for that matter. explaining it to them goes in one ear and out the other.

2) Since they dont read, I'd bet you can make a file called "brittany spears does the nasty dance while going down on her new chihuahua and this file will wipe your hard drive clean.exe" and people would open it because all they read is "brittany spears" and "nasty dance".

3) If it's something they downloaded, they will click on it regardless if the extension is real or fake. This happened to me while I was researching a file I absoletly knew was a virus solely on the icon displayed to me. (in my case, it was the folder icon and instinctively clicked on it to go into the folder. Yes I show file extensions. I also fooled four other techs with this simple test using this icon and it showed the file ext for them too.)

Happened to my Parents

[QuantumG]

What really annoys me is that these things are most effective because they use javascript alerts to freeze the browser. If you could just browse away from the crap, I could teach my parents just to ignore it.

"Javascript alerts are not tab modal" has been a known bug in Firefox going on 9 years now. It's not just an annoyance, it's a security bug, fix it!

 

Re:Happened to my Parents

[QuantumG]

Dude, the ticket was filed in 2000.. so it was around for at least that long.. the bug most likely goes back to the Netscape days.

Re:Happened to my Parents

[QuantumG]

That's the idea, but don't get your hopes up. Although I currently have the perseverance to get through the code, I doubt I'll have the perseverance to get through the politics.

Re:And they wonder...

[Aurisor]

The New York Times is one of the most respected publications in the world. It's not going anywhere.

Re:And they wonder...

And they wonder - Why is print media dying?

Because they can't adapt properly. Seriously guys, filter your ads!

Exactly! We should help hurry old media to its demise so we can all count on the Almighty Bloggers for news! Because we all know it's far more trustworthy to get our news from a bunch of people who sit on their asses and regurgitate news articles written by people who actually go out and do investigative reporting for old media! So, once old media is killed, we can all...

Hang on, that's not right...

Re:News? Where?

[petermgreen]

Not exactly news but nonetheless a sad indictment of the state of online advertising that even big sites with a reputation to uphold are using adverts from seedy advert networks who tolerate this shit.

Ads and proxy placement

[bsandersen]

The concern I have over the long term is that sites like the NYT may not know what advertisements will appear because they are placed by bulk-buying proxies that dispense them at page-load time, probably based on evil-cookie trails or other demographic markers. So, the question becomes: how should a presumably high-integrity site such as a major news outlet ensure quality when they've outsourced advertisement delivery?

Review of each possible advertisement would be onerous, but failure to have some standards in place will eventually lead to malware (or worse) injected into unsuspecting reader's machines. I just chuckled when it popped up. I run Macs at home. But, when things like this happen to family members running PCs (and we get the phone call) it stops being funny pretty quickly.

Is there a business case for reviewing advertisements (and the associated mobile code whether it be FLASH, etc.) for a 21st century "Good Housekeeping Seal of Approval"? After all, the NYT and others are just one virus (or porn advertisement) away from a PR nightmare.

Re:Ads and proxy placement

[PCM2]

Review of each possible advertisement would be onerous

Seriously? So we're OK with major newspapers having absolutely no standards at all these days? What do you suppose people did back in the days before you could get ads via RSS feed?

Re:Ads and proxy placement

[bsandersen]

So we're OK with major newspapers having absolutely no standards at all these days?

I believe I said the opposite; I said a failure to have standards will cause problems.

What do you suppose people did back in the days before you could get ads via RSS feed?

They reviewed the advertisements with their clients directly. There were a few hundred per day and it was a manageable problem. Now, advertisements may be served by proxies and selected from among tens of thousands of potential ads, designed to be targeted to readers in specific geographic regions, income levels, purchasing habits, interests, age categories, gender, education level, or other factors.

The point of my post was that the combinatorial explosion of possible advertisement choices to be served-up on my specific page load may not be easily reviewable by NYT staff a priori.

Re:And they wonder...

Well they just stopped being a respected publication after running these deceptive ads on their site. Seriously, it's the print equivalent of an ad announcing false tougher laws on car emissions with (conveniently) an address where you can get your car checked against the "new" limits.

When you take the readership that you slowing acquired over the years through hard work, and suddenly serve it on a platter to crooks to make a few bucks, it's sign that things are going downhill.

Re:It happens on Linux too

[eric31415927]

Two years ago, I got my 67-year-old mother online with a Debian (stable) box for web browsing, emailing, and printing.
At least twice in these two years, she has come across web pages warning that her operating system has been infected with a virus.
The web pages make it look like she has an infected Windows system - similar to the link from the NYT web page.

I reassure her each time that her computer has not been infected, and it is not likely to ever be infected so long as she is careful with her password.
I would like Firefox (or in her case IceWeasel) to have a plugin to avoid loading pages that look like Windows Explorer.
This would save people like my mother and businesses like the NYT from undue stress.

Re:News? Where?

[rm999]

I think this case is semi-interesting because it conveniently parallels the slow death of the media as we know it. The idea is that people used to look to newspapers like the New York Times for trustworthy news; now, these sources mislead (lie?) to their users and mess up their expensive computers in the process.

Of course, I agree with you that it is misleading to accuse just the NYT - 1000s of sites run these misleading ads, and many probably don't mean to (including the NYT, I'm sure). I would call this a non-story - the obvious reaction from the NYT will be "we did not mean to run these ads, it's the online ad providers' fault, and we have made sure the ads won't be run again." And then no one will care anymore. Yawn.

Re:It happens on Linux too

[Darkness404]

Yeah, but how many more Mac users or Linux users (who in general are "immune" to viruses and other malware due to their lower marketshare and in general better security) would be fooled into running a strange program if it looked exactly like something that they were running? An "update" to Firefox or Safari? No Mac user is going to download something that looks like XP, and a lot of Vista users would be suspicious if it looks like XP.

Re:News? Where?

[Bruce+Perens]

Let me guess. Your preferred news service is FOX, right?

HOSTS file and noscript

[davidshewitt]

...seem to do the trick for me. I put this huge list of malicious sites into my HOSTS file, so most ads never even show up. http://www.grc.com/sn/hosts_mvps_org.txt

Mod parent up

[Thinboy00]

Would that be this one? That's pretty darned old. Reminds me a bit of the title text display bug that used to hit XKCD et al.

link is highly germane to the discussion

Re:And they wonder...

[swilly]

Do you expect the government to bail the NYT out as well?

Yes I do. I also expect the phrase "too big to fail" to be used as justification.

Re:News? Where?

[lgw]

Talk about a reach to bash Reagan! There has never been such a thing as an unbiased news source. That's some sort of urban legend or somehting. For a while, some news sources tried to present you with the biased view for both sides of an issue, which at least counts as making an effort at being unbiased, but even that seems to have fallen out of fashion. What you can find is sites that are severely biased about stuff you don't care about, and so don't make any effort to spin stuff that you do.

Microsoft's model is to blame.

[rantingkitten]

but clearly downloading an .exe file isn't a good way to keep your computer clean ...

Then how else are Windows users supposed to get new software? Downloading and installing random executables from god-knows-where is the expected method in Windows. Then people wonder why Windows users get infected with all kinds of crap.

The lack of any managed repository of vetted and verified software is, to me, the number one reason Windows sucks so hard, A plain vanilla Windows install does absolutely nothing on its own -- you're expected to go find all the software you need, and this trains users to believe that downloading and installing random crap is just fine.

Combine that with Windows' propensity for getting up in your face about every little detail -- THIS SOFTWARE NEEDS UPDATING! YOUR FIREWALL SETTINGS AREN'T CORRECT SOME OTHER SOFTWARE NEEDS UPDATING! CLICK HERE TO GET NEW VIRUS DEFINITIONS! CLICK ME! CLICK ME! CLICK ME! -- and it's easy to understand how this happens.

The entire Windows model is built around mindless, unnecessary alerts and "download and install now" crap. How are you supposed to teach users which are legitimate and which are not, and what's okay to download and what isn't, when the culture of the OS itself encourages you to do all the wrong things?