New York Times Site Pop-Up Says Your Computer Is Infected
Zott writes "Apparently, 'some readers' of the New York Times site are getting a bit more with their news: an apparently syndicated adware popup with a faux virus scan of the user's computer indicating they are infected, and a link to go download a fix now. It's entertaining when a Mac user gets it, but clearly downloading an .exe file isn't a good way to keep your computer clean ..." Update: 09/14 03:20 GMT by T : Troy encountered this malware, "and did basic forensics. Summary: iframe ad then series of HTML/JS redirects, ending at a fake virus scanner page with a "Scan" link (made to look like a dialog box button) that downloaded malware." Nice explanation!
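The chain Troy describes (an iframe ad, then HTML and JavaScript redirects, then a fake scanner page whose "Scan" button points at an executable) is something a defender can reconstruct offline from captured pages. The following is an added example, not code from the article or from any of the commenters: it walks a constructed set of pages (the hostnames, page contents and the `install.exe` link are all made up for illustration) one hop at a time, records the redirect chain, and flags the final page when it combines scareware wording with a link to an executable.

```python
"""Walk a captured ad-redirect chain offline and flag a fake virus-scanner page."""
import re
from urllib.parse import urljoin

# Constructed pages keyed by URL. The hostnames and content are hypothetical
# stand-ins for a captured chain; they are not from the article.
PAGES = {
    "http://news.example/article.html":
        '<html><body><p>Story text</p>'
        '<iframe src="http://ads.example/serve?slot=top"></iframe></body></html>',
    "http://ads.example/serve?slot=top":
        '<html><head><meta http-equiv="refresh" content="0;url=http://hop1.example/go">'
        '</head></html>',
    "http://hop1.example/go":
        '<html><body><script>window.location.href="http://scan.example/alert.html";'
        '</script></body></html>',
    "http://scan.example/alert.html":
        '<html><body><div class="dialog">Warning! Your computer is infected!'
        '<a href="/download/install.exe">Scan</a></div></body></html>',
}

# Three redirect mechanisms seen in such chains: iframe, meta refresh, JS location.
IFRAME_RE = re.compile(r'<iframe[^>]+src=["\']([^"\']+)', re.I)
META_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']refresh["\'][^>]+content=["\'][^"\']*url=([^"\'>]+)', re.I)
JS_RE = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)', re.I)
HREF_RE = re.compile(r'href=["\']([^"\']+)', re.I)

LURE_WORDS = ("infected", "virus", "warning", "scan")


def next_hop(url, html):
    """Return the absolute URL the page hands off to, or None if it is terminal."""
    for pattern in (IFRAME_RE, META_RE, JS_RE):
        match = pattern.search(html)
        if match:
            return urljoin(url, match.group(1).strip())
    return None


def follow_chain(start, pages=PAGES, max_hops=10):
    """Follow hops through the captured pages, stopping on a loop or an unknown URL."""
    chain = [start]
    url = start
    while len(chain) <= max_hops:
        html = pages.get(url)
        if html is None:
            break
        nxt = next_hop(url, html)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
        url = nxt
    return chain


def fake_scanner_indicators(url, html):
    """Collect indicators that a page is a scareware lure, plus any .exe links."""
    text = html.lower()
    indicators = []
    if any(word in text for word in LURE_WORDS):
        indicators.append("scareware wording")
    exe_links = [urljoin(url, h) for h in HREF_RE.findall(html)
                 if h.lower().endswith(".exe")]
    if exe_links:
        indicators.append("executable download link")
    return indicators, exe_links


def analyze(start, pages=PAGES):
    """Reconstruct the chain from a start URL and judge the page it ends on."""
    chain = follow_chain(start, pages)
    final = chain[-1]
    indicators, exe_links = fake_scanner_indicators(final, pages.get(final, ""))
    return {
        "chain": chain,
        "indicators": indicators,
        "exe_links": exe_links,
        "suspicious": len(indicators) >= 2,
    }


if __name__ == "__main__":
    result = analyze("http://news.example/article.html")
    for i, hop in enumerate(result["chain"]):
        print(f"hop {i}: {hop}")
    print("indicators:", result["indicators"])
    print("suspicious:", result["suspicious"])
```

In practice the page bodies would come from a proxy log or browser capture rather than an inline dictionary; the hop-following and the two-indicator rule stay the same, and the recorded chain is what you hand to the ad network when asking which slot the creative came through.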
What exactly makes this different from any of the other hundreds of sites with the same popup? Is it just because this is a large, well-known website like the New York Times?
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
FF + Adblock is my way to avoid it (and still get the sites I need .js to run on).
This crap has been going on for a few years now with the 'AntiVirus XP' scam (http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/) that seems to strike major sites every few months. Just goes to show the ad distributors have no control (or don't want it) over what goes into their distribution network.
Sad this is, people fall for it all the time :(
I wonder when they will start searching user agent strings and making it look native (Classic on pre-XP, Luna on XP and Aero on Vista/7, and Aqua on OS X). A dialogue that looks like the Ubuntu install software window could fool a lot of users....
Taxation is legalized theft, no more, no less.
As I write this I'm trying to figure out how to do that in Firefox.. ya know, that whole "fix it yourself" open source thing. Nicest thing I can say about Firefox: at least the code is better than Open Office.
How we know is more important than what we know.
I've seen this pop up before... On my roommate's computer. It appears a lot like a Windows Vista secure desktop warning by taking up the whole screen with a darkened border. The message follows a format that looks a lot like other Vista menus and messages. To the user, it doesn't look like it's a message from the website... But rather from Windows.
I could easily see how most people could click the screen (literally anywhere) where it asks to download a fix called "install.exe." Plus, if you are one of the poor users who use the terrible AV solution that seems to have an agreement with anyone with a large user base, you're totally screwed because this virus seems quite effective at knocking it dead out.
I'm more concerned with the fact that this is popping up in what are normally quite trustworthy sources. I was initially afraid that Yahoo had sold out, but it just seems like they got the same treatment as the NYTimes. This speaks more to the vulnerabilities of the webservers that are hosting these sites to me. Does anyone know what platform they're sitting on? I'd like to know if there's a hole out there that I should concern my company with... I'm totally serious.
Yes I downloaded Combofix from bleepingcomputer.
I am not sure why it would be flagged as a false positive. I am suspicious of any program that says I have to shut down my AV software in order for it to run.
Luckily both Unhackme and Spysweeper removed it, and I was able to restore my control panel as well. I noticed that ComboFix was not in the Add/Remove programs and I tried the "Combofix /u" to uninstall it only to be greeted with a file not found error.
I looked in the program files directory and it was not there, but on the root directory of my system under c:\combofix\ hidden as a system file with copies of iexplore.exe and other files. Easy enough to delete, but the uninstall didn't seem to work. Maybe the combofix.exe file was deleted as a virus?
Spysweeper reported it as Mal/Pack-A, Virus/Test, and one other I forgot, and Unhackme said it was the FU Rootkit. Kaspersky said it was Trojan.Win32.Inject.ph. I would think Combofix would have been whitelisted by now as a false positive and removed from the detections, but apparently it has not.
Users need to be warned about false positives if that is indeed the case. I did a web search and it turned up web sites suggesting using Combofix, so I suspect it may indeed be a false positive. I can recall the BartPE and Retrago WinPE boot tools had some of their automated programs get detected as hack tools and removed by AV software as well. Maybe those hack tools are effective at removing stuff the non-hack tools don't?
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
If you can confirm that there was malware on the system there is no cure except to start with a clean image - preferably one you stored with an imaging tool like the free Clonezilla prior to accessing any network at all or any untrusted media. Putting a clean image on can take 5-30 minutes, and is certain to remove all traces of infestation. It's actually quicker than scanning. Once you've got a confirmed hit your only business using a compromised machine is an inspection of the features that got the user into trouble so you can turn those off after you image, and capture for them a more suitable image.
There's a tired old nag about no software being secure but really one thing is for certain: once an app has been running that's known to be infested it got there because the maker knew something the user didn't. Among the other things the user doesn't know are how many other applications the malware infested, how many running services were leveraged with local privilege escalation, how many rootkits of various sorts were installed. Most modern malware immediately upon installation scans the local system and sniffs the network. They look up components and download a cocktail of toxic code that's both tailored to the specific machine and randomly generated so as to be unique. There's a management system that auto-permutes millions of vile code variants every day, and uses a genetic algorithm to determine which of the little beasties is the most efficient. This is not your dad's malware ecosystem.
Pretending to remove malware is nothing short of malpractice. All you're doing is helping the bad guys by pointing out which modules survive a cursory attempt at cleaning.
Help stamp out iliturcy.
This is a NYTimes issue just as rotten meat is the supermarket's problem--whether or not it's because of a rotten vendor. If you go with your attitude, we can never blame anyone-- Honda may get some parts manufactured at a 3rd party foundry, so they're not to blame for defects! Dell uses Foxconn for their power supplies, so you can't blame Dell for computers that crap out in 2 years! Sony outsources its battery manufacturing to Taiwan, it's not THEIR fault the batteries can catch fire, honest!
The story is somewhat weak. It suggests running Avast and MS Malicious Software Removal Tool.
Users of Debian Linux, or a Debian derived distro such as Ubuntu Linux, have always had a safe official place to download free software from. We can use the apt-get command to quickly and easily download whatever free software we want from the more than 25,000 free software packages available in the official Debian repositories.
Synaptic is an easy to use point-and-click GUI front end for apt-get. Synaptic can easily download and install, upgrade, or uninstall various programs from the official repositories, while reliably taking care of all dependencies automatically.
Windows users do not have a similar place to go to, or built-in tools to use, to easily download and upgrade reputable, safe, non-Microsoft software. However, for installing an occasional commercial paid-for software program on a Linux computer, that would still be downloaded from a company's website. As far as I know, it is just the free open source software programs that are available in the main official Debian repositories.
That is my rough understanding of how the Debian repositories work. As a desktop Linux user, I am glad that I do not have to download software from god knows where, in response to some pop-up. If I did suddenly decide that I needed new software or an upgrade, I would generally stick to using Synaptic or apt-get to download the software for me from the official repositories, instead of using an advertising script on a script-enabled web page to download whatever it is from who knows where.
There are also a few reputable, reasonably well known, commercial software companies, with Linux software, that I have bought software from, for my home computer.
The lack of something like Synaptic and apt-get, and the Debian repositories, is a severe shortcoming of Windows.
http://en.wikipedia.org/wiki/Debian