Slashdot Mirror


New York Times Site Pop-Up Says Your Computer Is Infected

Zott writes "Apparently, 'some readers' of the New York Times site are getting a bit more with their news: an apparently syndicated adware popup with a faux virus scan of the user's computer indicating they are infected, and a link to go download a fix now. It's entertaining when a Mac user gets it, but clearly downloading an .exe file isn't a good way to keep your computer clean ..." Update: 09/14 03:20 GMT by T : Troy encountered this malware, "and did basic forensics. Summary: iframe ad then series of HTML/JS redirects, ending at a fake virus scanner page with a "Scan" link (made to look like a dialog box button) that downloaded malware." Nice explanation!


  1. It's very entertaining. by Anonymous Coward · · Score: 5, Insightful

    I think it's actually more entertaining when I don't get it at all on any platform, because I disabled javascript.

    1. Re:It's very entertaining. by davidphogan74 · · Score: 4, Insightful

      You make people use McAfee to get online? That would be enough to make me transfer.

    2. Re:It's very entertaining. by davidshewitt · · Score: 3, Insightful

      It successfully cleans Antivirus 2010 and a host of other rootkit-based malware in a process I can only describe as "magic".

      How do you know that it successfully cleans it out? Most viruses are closed-source, so you have no idea what's in them. Some are very, very clever, and hide in ways that software cannot detect, especially the rootkits. My policy is that the only way to be SURE that the virus is gone is to format the drive and reinstall the OS. Especially so if you don't know what the cleanup software is doing (a.k.a. "magic").

    3. Re:It's very entertaining. by Deathlizard · · Score: 3, Insightful

      We use F-Secure here. I wish we didn't, especially when they tell us not to go to known malware sites to test if their protection is working (even though a student is going to do just that). Makes you feel really secure, doesn't it? I really wish we were running either Avira AntiVir or Microsoft Forefront, since they seem to have the highest detection rates against rogues so far, but we decided to give F-Secure a second chance. I don't know why.

      Anyway, since we have a laptop program at the college, our answer is simple. You're getting a new hard drive and we will move your favorites, My Documents and anything on your desktop. I know students don't like this option, but they REALLY won't like their credit card being stolen, or worse, their identity. Usually when I explain to them that this method is the safest option and that ID theft has happened to students (Guess what! If you pay for Antivirus 360 at $79.95, it still doesn't work AND they got your $79.95 AND they got your CC number and all the info they need to start swiping away your credit score!!) they agree with it, but some just don't care as long as they can download movies ("My Friends Hot Mom", "Milf Hunter", etc.) or music (from Gnutella, where the music is usually trojans or piggybacking some sort of virus) all day. Most will be back infected within the month as well.

      The worst one so far is TDSS.F. It runs a rogue DHCP server across your network and tries to infect anyone that connects through it. It also adds autorun entries to infect across hard and flash drives and likes to install File Fixer Pro, which encrypts all your files. Luckily, Bradford Campus Manager detects the rogue DHCP server and denies them access (that's why many campuses do this registration now), but our virus scanner always misses it.

    4. Re:It's very entertaining. by Culture20 · · Score: 4, Insightful

      It's usually faster to run ComboFix + MalwareBytes (half hour between the tools in most cases) than it is to nuke it from orbit and reinstall Windows. Unless you're paranoid, two programs will take care of your end of your extended family's implied social support contract.

      It used to be A rocked, and then A and B rocked. Then B started to suck, so we used A & C, then malware defeated A, so we used D & C (C had to be used second), with a splash of E. A came back with a new version, and we'll call it F. F'n rocked! Then it sucked. etc.

      I could never be bothered figuring out which version of what software _really_ cleans up this week's malware. I always would nuke from orbit (after judiciously backing up data using the drive as a neutered USB disk).

    5. Re:It's very entertaining. by mysidia · · Score: 4, Insightful

      They need to take responsibility for what they publish on their own sites.

      I'd like to see a class action suit against the NY Times or the ad network they use by users who were infected.

      Based on NYT negligently allowing advertisers to inject code into their web site.

      I can understand users getting hit with fake dialogs after clicking on an ad.

      But I believe web sites have a duty to take standard precautions and avoid loading remote script code.

      I differentiate ad content from code. It's not rocket science -- when the advertiser uploads their ad unit, sanitize the input, so the upload cannot contain any javascript, SCRIPT, IFRAME, FRAME, or other unexpected tags or tag attributes, for that matter, or any remote loading. Only approved 'safe' HTML tags such as IMG. And any images referred to must be uploaded and served from the ad network (again, no remote loading).

      Again, it's not rocket science to sanitize input. There's really no excuse for not doing it, other than negligently ignoring security issues, and possible harm malicious ads can do...
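The allowlist approach mysidia describes, as an added example that is not part of the original thread and not any ad network's real code: a server-side validator, in Python, that refuses an uploaded ad unit unless it contains only allowlisted tags and attributes (so no SCRIPT, IFRAME or FRAME, no event-handler attributes), only http(s) URLs (so no javascript: or data: links), and only images served from the ad network's own host. The host name `ads.example-network.test` and the sample creatives at the bottom are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical image host of the ad network (assumption made for this example).
AD_NETWORK_HOST = "ads.example-network.test"

# Allowlist: only these tags survive, and only these attributes on each of them.
# Anything else (script, iframe, frame, object, embed, style, on* handlers...) is rejected.
ALLOWED_ATTRS = {
    "img": {"src", "alt", "width", "height"},
    "a": {"href", "title"},
    "p": set(), "div": set(), "span": set(), "b": set(), "i": set(), "br": set(),
}


class AdCreativeValidator(HTMLParser):
    """Collects every reason an uploaded ad unit fails the allowlist."""

    def __init__(self):
        # html.parser unescapes attribute values, so &#106;avascript: arrives as javascript:
        super().__init__()
        self.violations = []

    def handle_starttag(self, tag, attrs):
        self._check(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._check(tag, attrs)

    def handle_comment(self, data):
        # Comments carry no ad content and can hide IE conditional markup; reject them.
        self.violations.append("comment not allowed")

    def handle_decl(self, decl):
        self.violations.append(f"declaration not allowed: {decl[:20]!r}")

    def handle_pi(self, data):
        self.violations.append("processing instruction not allowed")

    def _check(self, tag, attrs):
        # html.parser lower-cases tag and attribute names, so <IFRAME> and onError are caught.
        if tag not in ALLOWED_ATTRS:
            self.violations.append(f"disallowed tag <{tag}>")
            return
        for name, value in attrs:
            if name not in ALLOWED_ATTRS[tag]:
                self.violations.append(f"disallowed attribute {name} on <{tag}>")
            elif name in ("src", "href"):
                self._check_url(tag, name, value or "")

    def _check_url(self, tag, name, value):
        url = "".join(value.split())  # drop whitespace/tab tricks before parsing
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https"):
            # Catches javascript:, data:, vbscript: and protocol-relative //host/ forms.
            self.violations.append(f"{name} on <{tag}> must be http(s), got {url!r}")
        elif tag == "img" and parsed.hostname != AD_NETWORK_HOST:
            # Images must be uploaded to and served by the ad network: no remote loading.
            self.violations.append(f"remote image not served by ad network: {url!r}")


def validate_ad_creative(markup: str) -> list:
    """Return the list of allowlist violations; an empty list means the unit may be served."""
    validator = AdCreativeValidator()
    validator.feed(markup)
    validator.close()
    return validator.violations


def is_safe_ad_creative(markup: str) -> bool:
    return not validate_ad_creative(markup)


if __name__ == "__main__":
    # Constructed sample creatives, not real ads.
    samples = {
        "clean banner": '<a href="https://advertiser.example/landing">'
                        '<img src="https://ads.example-network.test/c/123.png" '
                        'alt="ad" width="300" height="250"></a>',
        "script + handler": '<img src="https://ads.example-network.test/x.png" onerror="alert(1)">'
                            '<script src="http://evil.example/r.js"></script>',
        "remote image": '<img src="http://evil.example/x.png">',
        "iframe": '<IFRAME src="http://evil.example/">',
        "javascript link": '<a href="javascript:void(0)">click</a>',
    }
    for label, markup in samples.items():
        print(f"{label}: {validate_ad_creative(markup) or 'OK'}")
```

The right action on any violation is to reject the whole upload and tell the advertiser why, not to strip the offending parts and serve the rest: a repaired creative is harder to reason about than a rejected one. This only covers HTML creatives; an ad unit delivered as Flash or other mobile code cannot be vetted by an HTML allowlist and needs its own review path.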

    6. Re:It's very entertaining. by Deathlizard · · Score: 3, Insightful

      Although a lot of files still do the false extension stuff, that's not the case with the MP3s we're seeing.

      These are perfectly legitimate MP3 files. They are not rebadged WMP files. They will play music. They play on an MP3 player. How they work is that they usually have ID3 tag data which tries to exploit WMP or Winamp to execute code or connect to a malicious site. We also see the WMAs disguised as MP3s as well, but the ID3 MP3s have been getting more popular as of late.

      As for hiding file extensions, there is a set of laws that I follow.

      Laws of computer stupidity
      1) 99% of computer users do not know what they are doing.
      2) Computer users do not read.
      3) If a computer user can click on it, they will.

      Disabling "hide file extensions" doesn't solve anything because of all of the above.

      1) They don't know why that file has an .exe at the end, or care for that matter. Explaining it to them goes in one ear and out the other.

      2) Since they don't read, I'd bet you can make a file called "brittany spears does the nasty dance while going down on her new chihuahua and this file will wipe your hard drive clean.exe" and people would open it because all they read is "brittany spears" and "nasty dance".

      3) If it's something they downloaded, they will click on it regardless of whether the extension is real or fake. This happened to me while I was researching a file I absolutely knew was a virus, solely on the icon displayed to me. (In my case, it was the folder icon and I instinctively clicked on it to go into the folder. Yes, I show file extensions. I also fooled four other techs with this simple test using this icon, and it showed the file extension for them too.)

  2. Happened to my Parents by QuantumG · · Score: 5, Insightful

    What really annoys me is that these things are most effective because they use javascript alerts to freeze the browser. If you could just browse away from the crap, I could teach my parents just to ignore it.

    "Javascript alerts are not tab modal" has been a known bug in Firefox going on 9 years now. It's not just an annoyance, it's a security bug, fix it!


    --
    How we know is more important than what we know.
    1. Re:Happened to my Parents by QuantumG · · Score: 3, Insightful

      Dude, the ticket was filed in 2000, so it was around for at least that long. The bug most likely goes back to the Netscape days.

      --
      How we know is more important than what we know.
  3. Re:And they wonder... by Aurisor · · Score: 4, Insightful

    The New York Times is one of the most respected publications in the world. It's not going anywhere.

  4. Re:News? Where? by petermgreen · · Score: 4, Insightful

    Not exactly news but nonetheless a sad indictment of the state of online advertising that even big sites with a reputation to uphold are using adverts from seedy advert networks who tolerate this shit.

    --
    note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
  5. Ads and proxy placement by bsandersen · · Score: 4, Insightful

    The concern I have over the long term is that sites like the NYT may not know what advertisements will appear because they are placed by bulk-buying proxies that dispense them at page-load time, probably based on evil-cookie trails or other demographic markers. So, the question becomes: how should a presumably high-integrity site such as a major news outlet ensure quality when they've outsourced advertisement delivery?

    Review of each possible advertisement would be onerous, but failure to have some standards in place will eventually lead to malware (or worse) injected into unsuspecting readers' machines. I just chuckled when it popped up. I run Macs at home. But, when things like this happen to family members running PCs (and we get the phone call) it stops being funny pretty quickly.

    Is there a business case for reviewing advertisements (and the associated mobile code, whether it be Flash, etc.) for a 21st century "Good Housekeeping Seal of Approval"? After all, the NYT and others are just one virus (or porn advertisement) away from a PR nightmare.

    1. Re:Ads and proxy placement by bsandersen · · Score: 3, Insightful

      So we're OK with major newspapers having absolutely no standards at all these days?

      I believe I said the opposite; I said a failure to have standards will cause problems.

      What do you suppose people did back in the days before you could get ads via RSS feed?

      They reviewed the advertisements with their clients directly. There were a few hundred per day and it was a manageable problem. Now, advertisements may be served by proxies and selected from among tens of thousands of potential ads, designed to be targeted to readers in specific geographic regions, income levels, purchasing habits, interests, age categories, gender, education level, or other factors.

      The point of my post was that the combinatorial explosion of possible advertisement choices to be served-up on my specific page load may not be easily reviewable by NYT staff a priori.

  6. Re:It happens on Linux too by eric31415927 · · Score: 5, Insightful

    Two years ago, I got my 67-year-old mother online with a Debian (stable) box for web browsing, emailing, and printing.
    At least twice in these two years, she has come across web pages warning that her operating system has been infected with a virus.
    The web pages make it look like she has an infected Windows system - similar to the link from the NYT web page.

    I reassure her each time that her computer has not been infected, and it is not likely to ever be infected so long as she is careful with her password.
    I would like Firefox (or in her case IceWeasel) to have a plugin to avoid loading pages that look like Windows Explorer.
    This would save people like my mother and businesses like the NYT from undue stress.

  7. Re:It happens on Linux too by Darkness404 · · Score: 3, Insightful

    Yeah, but how many more Mac users or Linux users (who in general are "immune" to viruses and other malware due to their lower marketshare and in general better security) would be fooled into running a strange program if it looked exactly like something that they were running? An "update" to Firefox or Safari? No Mac user is going to download something that looks like XP, and a lot of Vista users would be suspicious if it looks like XP.

    --
    Taxation is legalized theft, no more, no less.
  8. HOSTS file and noscript by davidshewitt · · Score: 5, Insightful

    ...seem to do the trick for me. I put this huge list of malicious sites into my HOSTS file, so most ads never even show up. http://www.grc.com/sn/hosts_mvps_org.txt

  9. Mod parent up by Thinboy00 · · Score: 3, Insightful

    Would that be this one? That's pretty darned old. Reminds me a bit of the title text display bug that used to hit XKCD et al.

    link is highly germane to the discussion

    --
    $ make available
  10. Microsoft's model is to blame. by rantingkitten · · Score: 3, Insightful

    but clearly downloading an .exe file isn't a good way to keep your computer clean ...

    Then how else are Windows users supposed to get new software? Downloading and installing random executables from god-knows-where is the expected method in Windows. Then people wonder why Windows users get infected with all kinds of crap.

    The lack of any managed repository of vetted and verified software is, to me, the number one reason Windows sucks so hard. A plain vanilla Windows install does absolutely nothing on its own -- you're expected to go find all the software you need, and this trains users to believe that downloading and installing random crap is just fine.

    Combine that with Windows' propensity for getting up in your face about every little detail -- THIS SOFTWARE NEEDS UPDATING! YOUR FIREWALL SETTINGS AREN'T CORRECT! SOME OTHER SOFTWARE NEEDS UPDATING! CLICK HERE TO GET NEW VIRUS DEFINITIONS! CLICK ME! CLICK ME! CLICK ME! -- and it's easy to understand how this happens.

    The entire Windows model is built around mindless, unnecessary alerts and "download and install now" crap. How are you supposed to teach users which are legitimate and which are not, and what's okay to download and what isn't, when the culture of the OS itself encourages you to do all the wrong things?

    --
    mirrorshades radio -- darkwave, industrial, futurepop, ebm.