New York Times Site Pop-Up Says Your Computer Is Infected
Zott writes "Apparently, 'some readers' of the New York Times site are getting a bit more with their news: an apparently syndicated adware popup with a faux virus scan of the user's computer indicating they are infected, and a link to go download a fix now. It's entertaining when a Mac user gets it, but clearly downloading an .exe file isn't a good way to keep your computer clean ..." Update: 09/14 03:20 GMT by T : Troy encountered this malware, "and did basic forensics. Summary: iframe ad then series of HTML/JS redirects, ending at a fake virus scanner page with a "Scan" link (made to look like a dialog box button) that downloaded malware." Nice explanation!
I think it's actually more entertaining when I don't get it at all on any platform, because I disabled javascript.
Ouch for all those who are de facto family computer technical support.
While using StumbleUpon, a pop-up "scans my C drive" and informs me of multiple threats and then tells me to download XYZ software to get rid of it. One of them wouldn't even let me close the window. I had to open a terminal and killall to get rid of it.
My AVG anti-virus caught this, but I would have thought the NY Times would have had better security.
What exactly makes this different from any of the other hundreds of sites with the same popup? Is it just because this is a large, well-known website like the New York Times?
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
But when it starts telling me the C:\ drive on my Linux box is infected it's hard to stop laughing.
Still was a job to get rid of the circle jerk pop ups.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
I was getting this message while using Linux. It would show me the pop up and then send me to a web page that looked just like Windows Explorer. I was surprised to see it on a site like the New York Times.
And they wonder - Why is print media dying?
Because they can't adapt properly. Seriously guys, filter your ads!
I was hit by this issue earlier today, more info with some malware URLs available on metafilter here.
What really annoys me is that these things are most effective because they use javascript alerts to freeze the browser. If you could just browse away from the crap, I could teach my parents just to ignore it.
"Javascript alerts are not tab modal" has been a known bug in Firefox going on 9 years now. It's not just an annoyance, it's a security bug, fix it!
How we know is more important than what we know.
but clearly downloading an .exe file isn't a good way to keep your computer clean ..."
Absolutely, .com, .bat and .scr are the only way to go!
So that's why my Ubuntu is acting weird lately.
I get these occasionally as well me being a mac user it's humorous to see my "c:" drive being scanned ...
... if we wanted to catch a virus from the New York Times, we had to read a copy that some hobo had used for a blanket.
Now you kids stay off my lawn!
Have gnu, will travel.
In this case, it runs a mock scan, states the computer is infected, and then pretends to offer help. The exe file sometimes gets downloaded. From the way I have seen IE work lately, I would not think the file would download without user intervention, but the page does a good job of scaring users, so I suspect some might download the files.
The malware site is protection-check07com
malwareurl.com has the owner listed as Elton John; perhaps one can think that this is a pseudonym. Kind of lends credence to rules that require valid information on domain name registrations.
In any case, this is where the address is listed. Looks residential, so maybe that is fake as well. I hope the protection-check people are not setting up some poor sod. Ha, protection check.
Of course this does bring up two issues. Everyone is afraid of viruses, so it is easy to translate that fear into irrational action. It might make us think about some activities that went on this past weekend. Second, such attacks work by mimicking the theme of certain systems, so perhaps one countermeasure is to allow users to vary their theme. This might be very good for corporate machines, as firms might like custom themes. On Macs and *nix, of course, the attack did not work because the web page did not integrate into the background; an elephant is going to look quite conspicuous in a field of leopards.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
I really have to thank the N.Y. times for going far above and beyond the call of duty and notifying their readers of virus infected computers.
Best 40 bucks I ever spent, I can now browse the web with confidence with my shiny new AntiVirus 2010 Enterprise.
The concern I have over the long term is that sites like the NYT may not know what advertisements will appear because they are placed by bulk-buying proxies that dispense them at page-load time, probably based on evil-cookie trails or other demographic markers. So, the question becomes: how should a presumably high-integrity site such as a major news outlet ensure quality when they've outsourced advertisement delivery?
Review of each possible advertisement would be onerous, but failure to have some standards in place will eventually lead to malware (or worse) injected into unsuspecting reader's machines. I just chuckled when it popped up. I run Macs at home. But, when things like this happen to family members running PCs (and we get the phone call) it stops being funny pretty quickly.
Is there a business case for reviewing advertisements (and the associated mobile code whether it be FLASH, etc.) for a 21st century "Good Housekeeping Seal of Approval"? After all, the NYT and others are just one virus (or porn advertisement) away from a PR nightmare.
I had the popup (despite FF w/adblock enabled) while reading a story this morning.
I never even considered that the Times would be running something like this so I launched into cleansing mode. I wasted an hour hunting for malware or a virus that was not there. Thanks a lot!
I have FF 3.5.3 and AdBlock, the latest Flash and Java, AND the latest MVPS Hosts file, and it came up anyway. Three hours after I added the two sites involved to my Hosts file, the redirect happened again... but this time, it stalled.
Bottom line: Signature- and site-based detection can always be defeated.
I could understand this if it were a News Corp paper like the WSJ, but a lie intended to induce fear and take money from people on the NY Times, seems out of place.
A few days ago, my wife hit the same thing following a link in a perfectly benign Google search result! She would have had no idea how to untangle this by herself, since I had failed to turn off Firefox restore on error, so killing and restarting Firefox got right back to the problem.
Believe it or not, some high-end virtual machines, even including MS's unmaintained Virtual PC, do assign themselves to .exe files and conveniently run them!
Apple knows this possibility and that is why your Safari alerts you when you download an .exe file, not like they don't know their own OS. :)
BTW, if the virus mentioned is the one I saw, don't play around with these guys, since it was one of the rare times Kaspersky online scanner missed the virus (trojan) offered. I submitted it to them and they included it hours later as some variant. That means we aren't dealing with some complete idiots here; they know how to morph their code so a high-end AV like Kaspersky can miss it. (Mine was from Haaretz, IL English newspaper)
NYtimes.com is usually on my exceptions list, but not today...
Anybody know what the malware sites are, either by DNS name or IP address?
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
It seems to be back with a vengeance. Of course, I knew better than to click on it. I was really concerned that they already had my computer; but apparently they didn't.
You can't "view source" on their code, because it changes windows too fast. Ethereal, and its "follow stream" feature solve that problem. I was able to examine the code. I didn't really delve into it; but it looks like they've found some weaknesses in the scripts that allow you to somehow fake out the pop-up blocker.
Viewing the source allowed me to see the site they pull the JS from, and I simply redirect it to localhost now. That's a short-term fix of course. They really need to close the loophole that this code exploits.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
has also been doing this for the past two days.
"Chance favors the prepared mind." ~Me
...seem to do the trick for me. I put this huge list of malicious sites into my HOSTS file, so most ads never even show up. http://www.grc.com/sn/hosts_mvps_org.txt
I got it this morning using Opera. Oh the humanity. Didn't click on it though. I was reminded of this: http://www.p2p-zone.com/underground/showthread.php?t=24701
I opened the local paper rag yesterday and my local physician was telling me I had swine flu.
Task Mangler
What more needs to be said.
This is not news worthy.
I like the way TFA ends with "Questions and comments can be sent to adtraffic@nytimes.com."
In other words: the folks at advertising gave us, editorial staff, a hard time. Now please flood their mail boxes and we'll call it even.
Would that be this one? That's pretty darned old. Reminds me a bit of the title text display bug that used to hit XKCD et al.
link is highly germane to the discussion
$ make available
I was shocked this happened. I use a Mac, so it didn't catch me - but I'd like to learn how this happened.
LOL...I read this article first on the Huffington Post. When I clicked on the story, it brought up this web site: http://mediamemo.allthingsd.com/20090913/home-delivery-the-new-york-times-serves-up-some-malware/ Lo and behold, 3/4 of the way down on the right side under Sponsored Links was this ad: Fix Hard Drive - Fix Hard Drive in 3 Mins. Download Repair Tool (Recommended) ScanErrors.com Well, I don't know if this is a good or bad site, but from the looks of the comments, one wonders. Would anyone in their right mind download a program that supposedly scans their hard disk without knowing who they're getting the app from? Oh...Wait a minute...Sorry...Dumb Question.
Isn't it sad how the parent misspelled the wrong goatse URL (it's .fr now)?
it will block this kind of crap - I never see it...
http://noscript.net/
For even better browsing, install Privoxy, and see no advertising, for free!
http://www.privoxy.org/
Ask Me About... The 80's!
happened to me this morning and I called NY Times immediately. Got screenshots and saved the .exe for kicks
Warned friends to stay away after that. The executable didn't seem to include a payload though, dummy file.
http://s559.photobucket.com/albums/ss36/MooPii/PAV_driveby/?albumview=slideshow
I've gotten this ad twice in the last two days, using Firefox with Adblock Plus and pop-up blocking. This is the line in the nytimes.com article that was responsible the second time:
That loads a page from tradeon.com, which loads a javascript file from harlingens.com which uses a JavaScript redirect to sex-and-the-city.cn. That page sets a cookie and does an HTTP 302 redirect to protection-check07. (Last time it was best-antivirus07.com)
Apparently Adblock isn't blocking the particular iframe that's responsible. I have the particular files I received in this series of redirects, if anyone is interested. I got all this information using the HttpFox plugin.
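The chain the poster reconstructed with HttpFox (an iframe, then a script, then a JavaScript redirect and a 302 into the fake scanner page that serves the .exe) is the kind of thing worth automating once you have a capture in hand. This is an added example, not anything from the thread; the log format is a constructed HttpFox-style export and every hostname (the .test domains) is a made-up stand-in, not one of the sites named above.

```python
"""Walk a captured HTTP log backwards from an executable download to the
page that started the redirect chain, and list the hosts worth blocking."""
import re
from urllib.parse import urlparse

# Constructed sample capture: one request per line, HttpFox-like fields.
# A 3xx line carries the Location header it redirected to.
SAMPLE_LOG = """\
GET http://www.example-news.test/2009/09/13/story.html 200 referer=-
GET http://ad-proxy.test/serve?iframe=1 200 referer=http://www.example-news.test/2009/09/13/story.html
GET http://js-host.test/loader.js 200 referer=http://ad-proxy.test/serve?iframe=1
GET http://landing.test/go 302 referer=http://js-host.test/loader.js location=http://fake-av.test/scan/
GET http://fake-av.test/scan/ 200 referer=http://js-host.test/loader.js
GET http://fake-av.test/setup.exe 200 referer=http://fake-av.test/scan/
"""

LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) referer=(?P<ref>\S+)"
    r"(?: location=(?P<loc>\S+))?$"
)
EXEC_SUFFIXES = (".exe", ".scr", ".bat", ".com")


def parse_log(text):
    """Turn the capture into a list of dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["ref"] = None if rec["ref"] == "-" else rec["ref"]
        records.append(rec)
    return records


def parent_of(rec, by_url):
    """A 3xx whose Location is this URL is the true parent (the referer is
    not updated across a redirect); otherwise fall back to the referer."""
    for other in by_url.values():
        if other["loc"] == rec["url"]:
            return other
    return by_url.get(rec["ref"])


def trace_back(records, target_url):
    """Return the chain root -> ... -> target_url; a cycle stops the walk."""
    by_url = {r["url"]: r for r in records}
    chain, seen = [], set()
    rec = by_url.get(target_url)
    while rec and rec["url"] not in seen:
        seen.add(rec["url"])
        chain.append(rec)
        rec = parent_of(rec, by_url)
    chain.reverse()
    return chain


def find_executable_downloads(records):
    """Requests whose URL path ends in a Windows executable extension."""
    return [r for r in records
            if urlparse(r["url"]).path.lower().endswith(EXEC_SUFFIXES)]


def describe_chain(chain):
    return " -> ".join(f"{urlparse(r['url']).netloc} ({r['status']})" for r in chain)


def blocklist_candidates(chain, trusted=()):
    """Distinct hosts in the chain, in order, minus the trusted publisher;
    these are what you would add to a HOSTS file or proxy blocklist."""
    hosts = []
    for r in chain:
        host = urlparse(r["url"]).netloc
        if host not in trusted and host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for exe in find_executable_downloads(recs):
        chain = trace_back(recs, exe["url"])
        print(describe_chain(chain))
        print("block:", blocklist_candidates(chain, trusted=("www.example-news.test",)))
```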
If you can confirm that there was malware on the system there is no cure except to start with a clean image - preferably one you stored with an imaging tool like the free Clonezilla prior to accessing any network at all or any untrusted media. Putting a clean image on can take 5-30 minutes, and is certain to remove all traces of infestation. It's actually quicker than scanning. Once you've got a confirmed hit your only business using a compromised machine is an inspection of the features that got the user into trouble so you can turn those off after you image, and capture for them a more suitable image.
There's a tired old nag about no software being secure but really one thing is for certain: once an app has been running that's known to be infested it got there because the maker knew something the user didn't. Among the other things the user doesn't know are how many other applications the malware infested, how many running services were leveraged with local privilege escalation, how many rootkits of various sorts were installed. Most modern malware immediately upon installation scans the local system and sniffs the network. They look up components and download a cocktail of toxic code that's both tailored to the specific machine and randomly generated so as to be unique. There's a management system that auto-permutes millions of vile code variants every day, and uses a genetic algorithm to determine which of the little beasties is the most efficient. This is not your dad's malware ecosystem.
Pretending to remove malware is nothing short of malpractice. All you're doing is helping the bad guys by pointing out which modules survive a cursory attempt at cleaning.
Help stamp out iliturcy.
If I paid for a website and I got crap like this, I'd be mighty angry. The New York Times is now officially a malware vector.
A computer compromised can be a lot of cash for a botnet organization. They buy and sell clients by the thousands, and there are a lot of things a botnet computer can do for revenue for a bot-herder. A couple:
ID theft, scan victim's machine, grab saved passwords.
Blackmail, especially if a machine is on a business network and there are business assets available via shares that a blackhat can manually get into.
Keyloggers and screenshot takers can mean good cash in compromised MMO accounts. WoW account theft is an economy in itself.
DDoS attacks and protection rackets are lucrative, and the only person that gets punished is the computer's owner.
Distributed use for cracking keys. There are still a lot of RSA keys out that are 512-768 bits that would prove to be highly sought after by black hats. Even if they don't crack the key, the keyspace exhausted allows a bigger botnet a larger chance.
A compromised machine means big cash for the person who does it, and major pain for the victim. To boot, usually the people doing it are in countries with governments indifferent or hostile to the US, so there is no way they will get anything other than a high five from their local government.
Of course, the cash from these things above is easily laundered, then used to make ads. I've seen a lot of top-named sites get stung by a malware ad on a third-party rotator. Perhaps it's time for people to reconsider letting a third party put what it wants on their site without prior approval?
...started complaining about pop ups from the NYTimes website at least two days ago. You don't often see things like that on high-profile websites, so it caught me by surprise. I initially thought some form of malware was responsible for the popup.
I have often wondered why they haven't followed the money trail to find the people behind the "Antivirus 20xx" nonsense. I know I would certainly like to read a news story about the untimely death of the people involved.
They (FBI, and their equivalents in the dozen other countries widely affected) know exactly where it's coming from, it's just not in their jurisdiction.
Code from within the 2009 version: ..." - http://sunbeltblog.blogspot.com/2009/01/russian-don-infect-themselves.html
"00420214 - Don`t install on Rus:; 00420234 - Russian or Ukrainian Windows detected. Exiting
"In the early and mid-1990s, criminal groups provided protection to businesses and enforced contracts when the state was too weak and corrupt to do so. In the process, they actually helped sustain private enterprise, albeit at a high cost to business. The emergence of an economic market for private protection -- in which criminal groups compete among themselves as well as with other newly formed private security agents -- has stabilized the business-criminal relationship. Recently, criminal networks have taken a more businesslike approach to maximizing profit" - http://www.worldpolicy.org/journal/articles/wpj04-1/sokolov.htm
The following article is the best writeup I've seen thus far on this threat, and provides some insight on the financials:
"If these stats are to be believed, one affiliate was able to install 154,825 copies of AV XP 08 in ten days' time, and 2,772 of those copies were actually purchased by the victims. This only represents a one to two percent conversion rate, but with the generous commission structure, was enough to earn the affiliate $146,525.25 for that time period. At that rate, the affiliate could be expected to earn over 5 million U.S. dollars a year, simply by maintaining a large botnet and forcing AV XP 08 installs on 10,000 to 20,000 computers a day." - http://www.secureworks.com/research/threats/rogue-antivirus-part-2/
Kinda makes a guy reconsider his chosen career... Until you consider the mortality rate of Mafiya members, and the hordes of angry noobs wherever you go ;)
but clearly downloading an .exe file isn't a good way to keep your computer clean ...
Then how else are Windows users supposed to get new software? Downloading and installing random executables from god-knows-where is the expected method in Windows. Then people wonder why Windows users get infected with all kinds of crap.
The lack of any managed repository of vetted and verified software is, to me, the number one reason Windows sucks so hard. A plain vanilla Windows install does absolutely nothing on its own -- you're expected to go find all the software you need, and this trains users to believe that downloading and installing random crap is just fine.
Combine that with Windows' propensity for getting up in your face about every little detail -- THIS SOFTWARE NEEDS UPDATING! YOUR FIREWALL SETTINGS AREN'T CORRECT SOME OTHER SOFTWARE NEEDS UPDATING! CLICK HERE TO GET NEW VIRUS DEFINITIONS! CLICK ME! CLICK ME! CLICK ME! -- and it's easy to understand how this happens.
The entire Windows model is built around mindless, unnecessary alerts and "download and install now" crap. How are you supposed to teach users which are legitimate and which are not, and what's okay to download and what isn't, when the culture of the OS itself encourages you to do all the wrong things?
mirrorshades radio -- darkwave, industrial, futurepop, ebm.
you do know it has an "installation mode," right?
I bloody hope so, any internet 'security' software which requires you to turn it off when you install software is a bit like a car's brakes which fail under load i.e. when they are required the most!
The people responsible for combofix have done the lot of us a great big favor. Combofix saved my ass a couple of times.
The story is somewhat weak. It suggests running Avast and MS Malicious Software Removal Tool.
http://gadgetwise.blogs.nytimes.com/2009/09/14/what-to-do-if-you-saw-an-antivirus-pop-up-ad/?hp
This is what happened to me. At first I didn't know if I was running something I didn't want through Wine, but then a page popped up with the scan tool that looked just like the Explorer window and Windows search fields.
Of course, "absolute free-for-all" and "Apple-style App Store" are not the only two choices. You sort of get this later in the post, but of course the main concept left out here is the Linux repository concept. You can be reasonably sure that apps in the repository have been vetted for viruses, etc. (at least you can with Debian)... and yet, if you really want to get software somewhere else, you can... but it's buyer beware.
It's not even true that Linux repositories are all OSS (Deb certainly has a "non-free" repository), and even if it were, the OSS-ness of the repository is certainly not an essential feature. Microsoft could certainly come up with a repository of software for Windows that was all closed-source, yet still vetted for malware.
I got this popup yesterday and I was worried because the only thing I had open was the NY Times website. I figured I had some kind of adware launching browser windows. I wouldn't have expected something like this from a venerable website like the Times.
I don't see any ads on the NYT pages. I do, however, use NoScript and AdBlockPlus. And incidents like this show all the more reason to use them.
Yes.
I think some of us (hey, I was one of them) were hoping NYT had the clout to get away with Just Saying No to such bullshit. The ad business really sucks right now, because the standard practice is that the webmasters allow the advertisers to do anything to the page. You script src="somewhere" and there's just no telling what it's going to do. And the only way this can ever change is if people say Fuck That to the standard practice. I am far too small to say no to that and still get paid to run ads (the advertisers' response would be "see ya"), but I hoped NYT wasn't. Looks like my hopes were in vain. We're fucked. Everyone is fucked.
If NYT is not allowed to prevent this problem, then who is?
Actually, there's an answer to that, but it's the answer no one wants to hear. The only people who are allowed to prevent these problems, are the users. The so-called fanatics (who aren't really fanatics) are correct: turn off javascript. You can't trust any website that runs ads, because the websites aren't in charge of what's on their pages.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
It is amazing what decent graphics, adequate grammar and well designed social engineering can get people to do.
This is yet another variation of a series of malware packages I've seen over the last few years. You get to them through compromised websites or links. They attempt to scare you into downloading and paying for a package to 'solve' the problem. Because the graphics look 'real' and the grammar/spelling is decent, some people wonder if their machine IS infected.
I ran into one of these when a coworker on a MAC called to say that his machine was infected. They had been doing a Google search and found a link that brought up a very scary 'You are infected' screen, complete with 'scan' results. I made a lot of screen prints of the warning messages that popped up when I tried to close the screen using 'normal' means of ending the program. Somebody had a lot of 'fun' coming up with a web page that opened windows when you tried closing them.
Every few days I go to the Symantec site and look under the ThreatCon section for 'Misleading Applications' to get an idea of the current threats. They usually have screen prints of the windows.
By some accident I disabled noscript and got this error too.
I have never seen one of these since I have been running exclusively Linux for the last few years. I thought it was so funny that I couldn't resist the chance of a screenshot: http://i4.photobucket.com/albums/y103/mathfield/my_virus_problem.png
Of course, turning on NOSCRIPT and it goes away.
The only possible interpretation of any research whatever in the 'social sciences' is: some do, some don't
Virtual PC Mac, last shipped version (7.0.3) release notes:
"This update fixes a vulnerability that an attacker can use to overwrite the contents of your computer's memory with malicious code."
Most amazing thing is, it is actually an emulator/hypervisor, not really something like VirtualBox. Respect to MS really. :)