Slashdot Mirror
New York Times Site Pop-Up Says Your Computer Is Infected
Zott writes "Apparently, 'some readers' of the New York Times site are getting a bit more with their news: an apparently syndicated adware popup with a faux virus scan of the user's computer indicating they are infected, and a link to go download a fix now. It's entertaining when a Mac user gets it, but clearly downloading an .exe file isn't a good way to keep your computer clean ..." Update: 09/14 03:20 GMT by T : Troy encountered this malware, "and did basic forensics. Summary: iframe ad then series of HTML/JS redirects, ending at a fake virus scanner page with a "Scan" link (made to look like a dialog box button) that downloaded malware." Nice explanation!
I think it's actually more entertaining when I don't get it at all on any platform, because I disabled javascript.
What exactly makes this different from any of the other hundreds of sites with the same popup? Is it just because this is a large, well-known website like the New York Times?
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
But when it starts telling me the C:\ drive on my Linux box is infected it's hard to stop laughing.
Still was a job to get rid of the circle jerk pop ups.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
And they wonder - Why is print media dying?
Because they can't adapt properly. Seriously guys, filter your ads!
What really annoys me is that these things are most effective because they use javascript alerts to freeze the browser. If you could just browse away from the crap, I could teach my parents just to ignore it.
"Javascript alerts are not tab modal" has been a known bug in Firefox going on 9 years now. It's not just an annoyance, it's a security bug, fix it!
How we know is more important than what we know.
but clearly downloading an .exe file isn't a good way to keep your computer clean ..."
Absolutely, .com, .bat and .scr are the only way to go!
I get these occasionally as well me being a mac user it's humorous to see my "c:" drive being scanned ...
... if we wanted to catch a virus from the New York Times, we had to read a copy that some hobo had used for a blanket.
Now you kids stay off my lawn!
Have gnu, will travel.
In this case, it runs a mock scan, states the computer is infected, and then pretends to offer help. The exe file sometimes gets downloaded. From the way I have seen IE work lately, I would not think the file would download without user intervention, but, the page does a good job of scaring users, so I suspect some might download the files.
The malware site is protection-check07com
malwareurl.com has the owner listed as Elton John, perhaps on can think that this is pseudonym. Kind of lends credence to rules that require valid information on domain name registrations.
In any case, this is where the address is listed. Looks residential, so maybe that is fake as well. I hope the protection-check people are not setting up some poor sod. Ha, protection check.
Of course this does bring up two issues. Everyone is afraid of viruses, so it easy to translate that fear into irrational action. It might make us think about some activities that went on this past weekend. Second, such attacks work on mimicking the theme of certain systems, so perhaps one countermeasure is to allow users to vary they theme. This might be very good for corporate machines, as firms might like custom themes. On Macs and *nix, of course, the attack did not work because the web page did not integrate into the background, an elephant is going to look quite conspicuous in a field of leopards.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
I really have to thank the N.Y. times for going far above and beyond the call of duty and notifying their readers of virus infected computers.
Best 40 bucks I ever spent, I can now browse the web with confidence with my shiny new AntiVirus 2010 Enterprise.
Unfortunately this has nothing to do with New York Times' security and that is the whole problem. New York Times hires an 'ad agency' which is quite a bullshit term in this case if you ask me. They embed some open ended script from said firm and then at that point have no idea what is being displayed. This 'firm' may even rent or sell the embedded space to yet another company so then even the firm has no idea what ad is being displayed. All these automated, unmonitored and unregulated ads on pages are a huge security hole but in the name of profit, who really cares?
~ Ron Fitzgerald
I wonder when they will start searching user agent strings and making it look native (Classic on pre-XP, Luna on XP and Aero on Vista/7, and Aqua on OS X). A dialogue that looks like the Ubuntu install software window could fool a lot of users....
Taxation is legalized theft, no more, no less.
The concern I have over the long term is that sites like the NYT may not know what advertisements will appear because they are placed by bulk-buying proxies that dispense them at page-load time, probably based on evil-cookie trails or other demographic markers. So, the question becomes: how should a presumably high-integrity site such as a major news outlet ensure quality when they've outsourced advertisement delivery?
Review of each possible advertisement would be onerous, but failure to have some standards in place will eventually lead to malware (or worse) injected into unsuspecting reader's machines. I just chuckled when it popped up. I run Macs at home. But, when things like this happen to family members running PCs (and we get the phone call) it stops being funny pretty quickly.
Is there a business case for reviewing advertisements (and the associated mobile code whether it be FLASH, etc.) for a 21st century "Good Housekeeping Seal of Approval"? After all, the NYT and others are just one virus (or porn advertisement) away from a PR nightmare.
Two years ago, I got my 67-year-old mother online with a Debian (stable) box for web browsing, emailing, and printing.
At least twice in these two years, she has come across web pages warning that her operating system has been infected with a virus.
The web pages make it look like she has an infected Windows system - similar to the link from the NYT web page.
I reassure her each time that her computer has not been infected, and it is not likely to ever be infected so long as she is careful with her password.
I would like Firefox (or in her case IceWeasel) to have a plugin to avoid loading pages that look like Windows Explorer.
This would save people like my mother and businesses like the NYT from undue stress.
I had the popup (despite FF w/adblock enabled) while reading a story this morning.
I never even considered that the Times would be running something like this so I launched into cleansing mode. I wasted an hour hunting for malware or a virus that was not there. Thanks a lot!
They actually appear to embed the ad code directly into the page (you can see which campaigns the ads are for; the one that hit me was for Vonyage, near the bottom of the page). In my case, it wrote a weakly obfuscated script that redirected the whole page to sex-and-the-city.cn (... err, yeah) which redirected to protection-check07.
Poor NYT, they now have a special rule in my ad filters.
Yeah, but how many more Mac users or Linux users (who in general are "immune" to viruses and other malware due to their lower marketshare and in general better security) would be fooled into running a strange program if it looked exactly like something that they were running? An "update" to Firefox or Safari? No Mac user is going to download something that looks like XP, and a lot of Vista users would be suspicious if it looks like XP.
Taxation is legalized theft, no more, no less.
Believe or not, some high end virtual machines, even including MS unmaintained Virtual PC does assign themselves to .exe files and conveniently run them!
Apple knows this possibility and that is why your Safari alerts you when you download an .exe file, not like they don't know their own OS. :)
BTW, if the virus mentioned is the one I saw, don't play around with these guys since it was one of the rare times Kaspersky online scanner missed the virus (trojan) offered, I submitted it to them and they included hours later as some variant. That means we aren't dealing with some complete idiots here, they know how to morph their code so a high end AV like Kaspersky can miss it. (Mine was from Haaretz, IL English newspaper)
has also been doing this for the past two days.
"Chance favors the prepared mind." ~Me
...seem to do the trick for me. I put this huge list of malicious sites into my HOSTS file, so most ads never even show up. http://www.grc.com/sn/hosts_mvps_org.txt
I opened the local paper rag yesterday and my local physician was telling me I had swine flu.
Task Mangler
I've seen this pop up before... On my roommate's computer. It appears a lot like a Windows Vista secure desktop warning by taking up the whole screen with a darkened border. The message follows a format that looks a lot like other Vista menus and messages. To the user, it doesn't look like it's a message from the website... But rather from Windows.
I could easily see how most people could click the screen (literally anywhere) where it asks to download a fix called "install.exe." Plus, if you are one of the poor users who uses the terrible AV solution, that seems to have an agreement with anyone with a large user base, you're totally screwed because this virus seems quite effective at knocking it dead out.
I'm more concerned with the fact that this is popping up in what are normally quite trustworthy sources. I was initially afraid that Yahoo had sold out, it just seems like they got the same treatment as the NYTimes. This speaks more to the vulnerabilities of the webservers that are hosting these sites to me. Does anyone know what platform they're sitting on? I'd like to know if there's a hole out there that I should concern my company with... I'm totally serious.
I installed a Linux distribution on a friend's laptop a few years ago, and have heard *nothing* from her, other than occasionally that it's working just fine. She uses my wife's office several times a week, which means that she has lots of opportunities to ask for help, or to complain if she sees something not working to her satisfaction.
Would that be this one? That's pretty darned old. Reminds me a bit of the title text display bug that used to hit XKCD et al.
link is highly germane to the discussion
$ make available
I just installed NoScript after getting redirected to the phony page. I reviewed all my browsing this morning and didn't see any particularly "dangerous" sites. One of them was, of course, nytimes.com. Little did I know....
As a user of Firefox on Linux, having my computer display a Windows-styled desktop folder and informing me that it was scanning my dll collection was both amusing and alarming.
For the curious, the browser is hijacked with Javascript and redirected to the phony scanning page which suggests using "Personal Viruscan." A bit of research this morning suggested it has been making the circuit this year but not on mainstream sites like the Times. However this site reports encountering the malware on a NY Times page as early as Septamber 7th. That person found it on a page about Jay-Z; I was reading the editorial columnists.
I grepped my Firefox _CACHE_ files for "virus," found the Javascript code there, but couldn't seem to attach it to a URL using "about:cache". Any hints?
Now I'm running noscript and pushing all requests through a Squid proxy on my firewall. At least I'll have a log to see what requests I've made. I'm guessing this came through the Times's ad syndication system, but I couldn't track down the source. I already run Adblock Plus and have a number of custom rules to block sites like brightcove.com and revsci.net.
Comment removed based on user account deletion
You are correct - and it is a shame that NoScript doesn't have a more friendly version for novices. What I do is install NoScript and Privoxy on Firefox and leave the default OS browser (IE, Safari) untouched.
Then, if I see something that isn't "right" on Firefox I can paste the URL into the other browser and examine unscathed.
This is less technical, and I do enjoy browsing much more without ads or other noise candy...
Ask Me About... The 80's!
If you can confirm that there was malware on the system there is no cure except to start with a clean image - preferably one you stored with an imaging tool like the free Clonezilla prior to accessing any network at all or any untrusted media. Putting a clean image on can take 5-30 minutes, and is certain to remove all traces of infestation. It's actually quicker than scanning. Once you've got a confirmed hit your only business using a compromised machine is an inspection of the features that got the user into trouble so you can turn those off after you image, and capture for them a more suitable image.
There's a tired old nag about no software being secure but really one thing is for certain: once an app has been running that's known to be infested it got there because the maker knew something the user didn't. Among the other things the user doesn't know are how many other applications the malware infested, how many running services were leveraged with local privilege escalation, how many rootkits of various sorts were installed. Most modern malware immediately upon installation scans the local system and sniffs the network. They look up components and download a cocktail of toxic code that's both tailored to the specific machine and randomly generated so as to be unique. There's a management system that auto-permutes millions of vile code variants every day, and uses a genetic algorithm to determine which of the little beasties is the most efficient. This is not your dad's malware ecosystem.
Pretending to remove malware is nothing short of malpractice. All you're doing is helping the bad guys by pointing out which modules survive a cursory attempt at cleaning.
Help stamp out iliturcy.
I have often wondered why they haven't followed the money trail to find the people behind the "Antivirus 20xx" nonsense. I know I would certainly like to read a news story about the untimely death of the people involved.
They (FBI, and their equivalents in the dozen other countries widely affected) know exactly where it's coming from, it's just not in their jurisdiction.
Code from within the 2009 version: ..." - http://sunbeltblog.blogspot.com/2009/01/russian-don-infect-themselves.html
"00420214 - Don`t install on Rus:; 00420234 - Russian or Ukrainian Windows detected. Exiting
"In the early and mid-1990s, criminal groups provided protection to businesses and enforced contracts when the state was too weak and corrupt to do so. In the process, they actually helped sustain private enterprise, albeit at a high cost to business. The emergence of an economic market for private protectionâ"in which criminal groups compete among themselves as well as with other newly formed private security agentsâ"has stabilized the business-criminal relationship. Recently, criminal networks have taken a more businesslike approach to maximizing profit" - http://www.worldpolicy.org/journal/articles/wpj04-1/sokolov.htm
The following article is the best writeup I've seen thus far on this threat, and provides some insight on the financials:
"If these stats are to be believed, one affiliate was able to install 154,825 copies of AV XP 08 in ten days' time, and 2,772 of those copies were actually purchased by the victims. This only represents a one to two percent conversion rate, but with the generous commission structure, was enough to earn the affiliate $146,525.25 for that time period. At that rate, the affiliate could be expected to earn over 5 million U.S. dollars a year, simply by maintaining a large botnet and forcing AV XP 08 installs on 10,000 to 20,000 computers a day." - http://www.secureworks.com/research/threats/rogue-antivirus-part-2/
Kinda makes a guy reconsider his chosen career... Until you consider the mortality rate of Mafiya members, and the hordes of angry noobs wherever you go ;)
This is a NYTimes issue just as rotten meat is the supermarkets problem--whether or not its because of a rotten vendor. If you go with your attitude, we can never blame anyone-- Honda may get some parts manufactured at a 3rd party foundry, so theyre not to blame for defects! Dell uses Foxconn for their power supplies, so you cant blame Dell for computers that crap out in 2 years! Sony outsources its battery manufacturing to Taiwan, its not THEIR fault the batteries can catch fire, honest!
Many media websites do this including MSNBC.com. Ironically, they just had a story posted a few days ago about the recent rise in prevalence of the teeth whitening and weight loss ads and on the page the article was posted they had a teeth whitening ad. Supposedly the rise in prevalence of those ads is due to the economy (cheaper ads). The web of companies running those ads, buying the ads and then using the ads on their sites is pretty complex.
this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
She had someone else put Windows back on, and doesn't want to hurt your feelings.
but clearly downloading an .exe file isn't a good way to keep your computer clean ...
Then how else are Windows users supposed to get new software? Downloading and installing random executables from god-knows-where is the expected method in Windows. Then people wonder why Windows users get infected with all kinds of crap.
The lack of any managed repository of vetted and verified software is, to me, the number one reason Windows sucks so hard, A plain vanilla Windows install does absolutely nothing on its own -- you're expected to go find all the software you need, and this trains users to believe that downloading and installing random crap is just fine.
Combine that with Windows' propensity for getting up in your face about every little detail -- THIS SOFTWARE NEEDS UPDATING! YOUR FIREWALL SETTINGS AREN'T CORRECT SOME OTHER SOFTWARE NEEDS UPDATING! CLICK HERE TO GET NEW VIRUS DEFINITIONS! CLICK ME! CLICK ME! CLICK ME! -- and it's easy to understand how this happens.
The entire Windows model is built around mindless, unnecessary alerts and "download and install now" crap. How are you supposed to teach users which are legitimate and which are not, and what's okay to download and what isn't, when the culture of the OS itself encourages you to do all the wrong things?
mirrorshades radio -- darkwave, industrial, futurepop, ebm.
The story is somewhat weak. It suggests running Avast and MS Malicious Software Removal Tool.
An interesting note: you can configure UAC to require a Ctrl-Alt-Del before it shows you the prompt. Obviously this is a level of paranoia that most users don't want to deal with (similar to the way that in in XP they made it so home accounts don't need to press Ctrl-Alt-Del to reach the login screen anymore) which is why it's not the default, but it's intended to protect against exactly this situation. Ctrl-Alt-Del triggers a software interrupt, so unless your kernel has been tampered with (by which time you're already totally fucked) you know the next propmpt you see will be a real one.
Ironically, this option for UAC doesn't even add any security in the default UAC mode (where you only need to OK the elevation). It's for people who are either standard users or have UAC configured to ask their password even though they're members of the Administrators group. It just prevents a malicious program from presenting a false UAC dialog and getting you to reveal an Administrator's password.
Yes, slightly OT. The secure desktop is used by a couple other high-integrity components besides UAC, but I'd be highly suspicious of anything that displayed the SD unexpectedly. If I had this setting on, I wouldn't even wonder. That said, the kind of person who would make UAC more secure, never mind would actually know how, isn't the intended target of that kind of scam anyhow.
There's no place I could be, since I've found Serenity...
Of course, "absolute free-for-all" and "Apple-style App Store" are not the only two choices. You sort of get it this later in the post, but of course the main concept left out here is the Linux repository concept. You can be reasonably sure that apps in the repository have been vetted for viruses, etc (at least you can with Debian)... and yet, if you really want to get software somewhere else, you can... but it's buyer beware.
It's not even true that Linux repositories are all OSS (Deb certainly has a "non-free" repository), and even if it were, the OSS-ness of the repository is certainly not an essential feature. Microsoft could certainly come up with a repository of software for Windows that was all closed-source, yet still vetted for malware.