New York Times Site Pop-Up Says Your Computer Is Infected

Zott writes "Apparently, 'some readers' of the New York Times site are getting a bit more with their news: an apparently syndicated adware popup with a faux virus scan of the user's computer indicating they are infected, and a link to go download a fix now. It's entertaining when a Mac user gets it, but clearly downloading an .exe file isn't a good way to keep your computer clean ..." Update: 09/14 03:20 GMT by T : Troy encountered this malware, "and did basic forensics. Summary: iframe ad then series of HTML/JS redirects, ending at a fake virus scanner page with a "Scan" link (made to look like a dialog box button) that downloaded malware." Nice explanation!

It's very entertaining.

I think it's actually more entertaining when I don't get it at all on any platform, because I disabled javascript.

Re:It's very entertaining.

[PlusFiveTroll]

FF + Adblock is my way to avoid it (and still get the sites I need .js to run on).

This crap has been going on for a few years now with the 'AntiVirus XP' scam (http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/) that seems to strike major sites every few months. Just goes to show the ad distributers have no control ( or don't want it) over what goes in to their distribution network.
 
 

Sad this is, people fall for it all the time :(

Re:It's very entertaining.

The newest version of the "Antivirus 2010" software is a pain in the ass to get rid of. It rootkits the system and makes manual removal pretty much impossible without a WinPE boot disk of some kind, and even then it's difficult to find all the instances. There's one tool I found to remove it and most of its kin, and that is combofix. It successfully cleans Antivirus 2010 and a host of other rootkit-based malware in a process I can only describe as "magic". I'm just posting this to help out others that have spent way too much time trying to get rid of this crap off of friend/family computers.

Re:It's very entertaining.

[Z34107]

I completely agree with "combofix rocks." My job at the college I attend is pretty much removing that virus 24/7 from student laptops, and I've learned a few things:

1) McAfee sucks. We supply a copy of the Enterprise version to students, and a patched installation is required for internet access. Somehow, we're still inundated every semester with the latest flavor of AntiVirus ModelYear.

2) ComboFix is amazing. It's simple, but it automates a lot of tools that are a bit of a pain to use on their own. Ten minutes, and most malware is somewhat neutered.

3) MalwareBytes is amazing. ComboFix always misses stuff, but it lets us install MalwareBytes (also free) which finishes the job. I haven't seen any virus MB couldn't remove.

It's usually faster to run ComboFix + MalwareBytes (half hour between the tools in most cases) than it is to nuke it from orbit and reinstall Windows. Unless you're paranoid, two programs will take care of your end of your extended family's implied social support contract.

Re:It's very entertaining.

[Hojima]

I personally use Comodo firewall, and it's one hell of delicate security guard. I have to turn it off when I install anything because I will be there all day clicking approve. It's not annoying when you know how to use it and change its settings (takes a nominal amount of time). I've had a lot of instances now when I even purposely download sketchy .exe files, and it alerts me right away about suspicious activity in the computer. Best of all it's free.

Re:It's very entertaining.

[davidphogan74]

You make people use McAfee to get online? That would be enough to make me transfer.

Re:It's very entertaining.

[Z34107]

In a perfect world, we would do that, but we get too many machines in and out to make that feasible. Then, there's all the normal luser problems: I don't know where my files are, I have no install media, I have no keys, I deleted my recover partition to save space, etc.

The foolproof way to remove the AntiVirus ModelYear rootkit is: Make a file-based image of the hard disk. By design, it hides from the file system, meaning it will not be included in a image made by a tool like ImageX from Microsoft's free WAIK. Gather an image and apply it to the same hard disk, and the rootkit's gone.

If you're adventurous, ImageX lets you mount the image file on a clean PC to do offline scans of its files and registry hives. You can clean a computer without ever booting it.

But, that's generally overkill. AntiVirus ModelYear rootkit isn't the nasty kind of hardware-hypervisor rootkit - it runs at kernel privileges. So does MalwareBytes. To be dangerous, it has to run at a higher privilege level than the removal tools.

For family members that promise me food, I go the extra mile and do the clean install for them. Staff machines we just re-image.

Re:It's very entertaining.

[Culture20]

It's usually faster to run ComboFix + MalwareBytes (half hour between the tools in most cases) than it is to nuke it from orbit and reinstall Windows. Unless you're paranoid, two programs will take care of your end of your extended family's implied social support contract.

It used to be A rocked, and then A and B rocked. Then B started to suck, so we used A & C, then malware defeated A, so we used D & C (C had to be used second), with a splash of E. A came back with a new version, and we'll call it F. F'n rocked! Then it sucked. etc.

I could never be bothered figuring out which version of what software _really_ cleans up this week's malware. I always would nuke from orbit (after judiciously backing up data using the drive as a neutered USB disk).

Re:It's very entertaining.

[mysidia]

They need to take responsibility for what they publish on their own sites.

I'd like to see a class action suit against the NY Times or the ad network they use by users who were infected.

Based on NYT negligently allowing advertisers to inject code into their web site.

I can understand users getting hit with fake dialogs after clicking on an ad.

But I believe web sites have a duty to take standard precautions and avoid loading remote script code

I differentiate ad content from code. It's not rocket science -- when the advertiser uploads their ad unit, sanitize the input, so the upload cannot contain any javascript, SCRIPT, IFARME, FRAME, or other unexpected tags or tag attributes, for that matter, or any remote loading. Only approved 'safe' HTML tags such as IMG. And any images referred must be uploaded and served from the ad network (again, no remote loading).

Again, it's not rocket science to sanitize input. There's really no excuse for not doing it, other than negligently ignoring security issues, and possible harm malicious ads can do...

News? Where?

[SilverHatHacker]

What exactly makes this different from any of the other hundreds of sites with the same popup? Is it just because this is a large, well-known website like the New York Times?

Re:News? Where?

[petermgreen]

Not exactly news but nonetheless a sad indictment of the state of online advertising that even big sites with a reputation to uphold are using adverts from seedy advert networks who tolerate this shit.

Re:News? Where?

[Jahava]

What exactly makes this different from any of the other hundreds of sites with the same popup? Is it just because this is a large, well-known website like the New York Times?

That's my impression. I think the interesting thing here is that the presumption that reputable websites have reputable advertisements has been violated. NYT's advertising policies include the following paragraph:

The Times may decline to accept advertising that is misleading, inaccurate or fraudulent; that makes unfair competitive claims; or that fails to comply with its standards of decency and dignity.

Granted, they don't outright state that the content is prohibited, but they do imply a stance against this type of advertising. This is a clear violation of that intention, and they took the appropriate response. I'd be most interested in knowing if this particular advertisement was intentionally approved, "slipped through" accidentally, or was injected illicitly (e.g., their advertising server was hacked, etc.).

I saw it

[HangingChad]

But when it starts telling me the C:\ drive on my Linux box is infected it's hard to stop laughing.

Still was a job to get rid of the circle jerk pop ups.

Re:I saw it

[DoofusOfDeath]

But when it starts telling me the C:\ drive on my Linux box is infected it's hard to stop laughing.

You moron, it was complaining about your .wine directory!

And they wonder...

[PC+and+Sony+Fanboy]

And they wonder - Why is print media dying?

Because they can't adapt properly. Seriously guys, filter your ads!

Re:And they wonder...

[Aurisor]

The New York Times is one of the most respected publications in the world. It's not going anywhere.

Re:And they wonder...

[wampus]

Yeah, I was sitting over breakfast reading the Sunday Times and this popped up. Doomed.

Re:And they wonder...

[Bigjeff5]

Yup, they're "too big to fail", while the rest of us are "too small to succeed".

Gotta love the government, creating oportunities (for the already super-rich) at every turn!

Happened to my Parents

[QuantumG]

What really annoys me is that these things are most effective because they use javascript alerts to freeze the browser. If you could just browse away from the crap, I could teach my parents just to ignore it.

"Javascript alerts are not tab modal" has been a known bug in Firefox going on 9 years now. It's not just an annoyance, it's a security bug, fix it!

 

Re:Happened to my Parents

Would that be this one? That's pretty darned old. Reminds me a bit of the title text display bug that used to hit XKCD et al.

Re:Happened to my Parents

[Ilgaz]

If you used the evil closed source Opera browser, you would have "stop executing scripts from this page" option right below that javascript popup.

It is interesting since nobody really cares who takes what from other browsers, no "patent" or anything, especially from Opera side. It must be very easy to implement, why don't they do it? It is not some high tech JIT compiler either, a basic checkbox.

Damn right

but clearly downloading an .exe file isn't a good way to keep your computer clean ..."

Absolutely, .com, .bat and .scr are the only way to go!

In my day ...

[PPH]

... if we wanted to catch a virus from the New York Times, we had to read a copy that some hobo had used for a blanket.

Now you kids stay off my lawn!

it has been happening all weekend

[fermion]

It really is a good social attack, reminiscent of the days when advertisers put 'click ok to continue' buttons to trick users to a promotional web site.

In this case, it runs a mock scan, states the computer is infected, and then pretends to offer help. The exe file sometimes gets downloaded. From the way I have seen IE work lately, I would not think the file would download without user intervention, but, the page does a good job of scaring users, so I suspect some might download the files.

The malware site is protection-check07com

malwareurl.com has the owner listed as Elton John, perhaps on can think that this is pseudonym. Kind of lends credence to rules that require valid information on domain name registrations.

In any case, this is where the address is listed. Looks residential, so maybe that is fake as well. I hope the protection-check people are not setting up some poor sod. Ha, protection check.

Of course this does bring up two issues. Everyone is afraid of viruses, so it easy to translate that fear into irrational action. It might make us think about some activities that went on this past weekend. Second, such attacks work on mimicking the theme of certain systems, so perhaps one countermeasure is to allow users to vary they theme. This might be very good for corporate machines, as firms might like custom themes. On Macs and *nix, of course, the attack did not work because the web page did not integrate into the background, an elephant is going to look quite conspicuous in a field of leopards.

Re:I expected better.

[Ron_Fitzgerald]

Unfortunately this has nothing to do with New York Times' security and that is the whole problem. New York Times hires an 'ad agency' which is quite a bullshit term in this case if you ask me. They embed some open ended script from said firm and then at that point have no idea what is being displayed. This 'firm' may even rent or sell the embedded space to yet another company so then even the firm has no idea what ad is being displayed. All these automated, unmonitored and unregulated ads on pages are a huge security hole but in the name of profit, who really cares?

Re:It happens on Linux too

[Darkness404]

I wonder when they will start searching user agent strings and making it look native (Classic on pre-XP, Luna on XP and Aero on Vista/7, and Aqua on OS X). A dialogue that looks like the Ubuntu install software window could fool a lot of users....

Ads and proxy placement

[bsandersen]

The concern I have over the long term is that sites like the NYT may not know what advertisements will appear because they are placed by bulk-buying proxies that dispense them at page-load time, probably based on evil-cookie trails or other demographic markers. So, the question becomes: how should a presumably high-integrity site such as a major news outlet ensure quality when they've outsourced advertisement delivery?

Review of each possible advertisement would be onerous, but failure to have some standards in place will eventually lead to malware (or worse) injected into unsuspecting reader's machines. I just chuckled when it popped up. I run Macs at home. But, when things like this happen to family members running PCs (and we get the phone call) it stops being funny pretty quickly.

Is there a business case for reviewing advertisements (and the associated mobile code whether it be FLASH, etc.) for a 21st century "Good Housekeeping Seal of Approval"? After all, the NYT and others are just one virus (or porn advertisement) away from a PR nightmare.

Re:It happens on Linux too

[eric31415927]

Two years ago, I got my 67-year-old mother online with a Debian (stable) box for web browsing, emailing, and printing.
At least twice in these two years, she has come across web pages warning that her operating system has been infected with a virus.
The web pages make it look like she has an infected Windows system - similar to the link from the NYT web page.

I reassure her each time that her computer has not been infected, and it is not likely to ever be infected so long as she is careful with her password.
I would like Firefox (or in her case IceWeasel) to have a plugin to avoid loading pages that look like Windows Explorer.
This would save people like my mother and businesses like the NYT from undue stress.

CNN...

[CryptoJones]

has also been doing this for the past two days.

HOSTS file and noscript

[davidshewitt]

...seem to do the trick for me. I put this huge list of malicious sites into my HOSTS file, so most ads never even show up. http://www.grc.com/sn/hosts_mvps_org.txt

Re:HOSTS file and noscript

[Rick17JJ]

I have been using the latest version of the MVPS modified hosts file on both my Linux computer and on my Windows XP computer. However,instead of using the 06-14-06 version which davidshewitt linked to, I have been using the much newer Sept-02-2009 version instead. One link is for, what at the moment, is the latest version of the modified hosts file and the other link is to the installation instructions and general information.

http://www.mvps.org/winhelp2002/hosts.htm
http://www.mvps.org/winhelp2002/hosts.txt

I recently also started using the NoScript add-on and also the Adblock Plus add-on for Firefox on both my Linux computer and on my Windows XP computer. But, perhaps using both the ad blocking host file, plus Adbock Plus, is redundant and unnecessary. With the NoScript ad-on, I occasionally click on the icon, which has now been added to the lower right corner of Firefox. After clicking on that, I can choose whether to temporarily or permanently allow a particular web site scripts.

I do nearly all of my Internet browsing from my Linux box. But, when I occasionally actually dare to use my Windows XP computer to browse the Internet, I use Sandboxie to sandbox my default browser, which in my case happens to be Firefox. I am not an expert on any of this, and am not a regular Security Now listener, but here are a couple of episodes that are about Sandboxie.

http://www.grc.com/sn/sn-172.htm
http://www.grc.com/sn/sn-174.htm

Re:I have seen these before,

[lorenlal]

I've seen this pop up before... On my roommate's computer. It appears a lot like a Windows Vista secure desktop warning by taking up the whole screen with a darkened border. The message follows a format that looks a lot like other Vista menus and messages. To the user, it doesn't look like it's a message from the website... But rather from Windows.

I could easily see how most people could click the screen (literally anywhere) where it asks to download a fix called "install.exe." Plus, if you are one of the poor users who uses the terrible AV solution, that seems to have an agreement with anyone with a large user base, you're totally screwed because this virus seems quite effective at knocking it dead out.

I'm more concerned with the fact that this is popping up in what are normally quite trustworthy sources. I was initially afraid that Yahoo had sold out, it just seems like they got the same treatment as the NYTimes. This speaks more to the vulnerabilities of the webservers that are hosting these sites to me. Does anyone know what platform they're sitting on? I'd like to know if there's a hole out there that I should concern my company with... I'm totally serious.

Re:Funny

[Yvan256]

I've renamed my "Macintosh HD" to "C:" to accommodate the viruses, but they still won't run!

Once again with the "nofix"

[symbolset]

If you can confirm that there was malware on the system there is no cure except to start with a clean image - preferably one you stored with an imaging tool like the free Clonezilla prior to accessing any network at all or any untrusted media. Putting a clean image on can take 5-30 minutes, and is certain to remove all traces of infestation. It's actually quicker than scanning. Once you've got a confirmed hit your only business using a compromised machine is an inspection of the features that got the user into trouble so you can turn those off after you image, and capture for them a more suitable image.

There's a tired old nag about no software being secure but really one thing is for certain: once an app has been running that's known to be infested it got there because the maker knew something the user didn't. Among the other things the user doesn't know are how many other applications the malware infested, how many running services were leveraged with local privilege escalation, how many rootkits of various sorts were installed. Most modern malware immediately upon installation scans the local system and sniffs the network. They look up components and download a cocktail of toxic code that's both tailored to the specific machine and randomly generated so as to be unique. There's a management system that auto-permutes millions of vile code variants every day, and uses a genetic algorithm to determine which of the little beasties is the most efficient. This is not your dad's malware ecosystem.

Pretending to remove malware is nothing short of malpractice. All you're doing is helping the bad guys by pointing out which modules survive a cursory attempt at cleaning.

Re:Once again with the "nofix"

[Z34107]

Download the Microsoft WAIK and install it. Use ImageX to create a file-based .WIM image of your system and files.

Then, download dd for Windows. Use it to copy the first 512 bytes or the first cluster of Partition0 on the hard disk Windows is installed on. This will capture your boot sector.

If you're trying to use this for daily backups, ImageX won't work... You could always schedule robocopy to run daily/weekly instead. (It's included with Vista and up, but you can download it for XP.)

If you're not using it for daily backups, ImageX still requires "mucking about with special image files," but you can use ImageX to mount .WIM files into a directory, meaning you can use Windows Explorer or whatever tool browse and modify the file system.

Instead of DD, you could always use a Vista and above install disc or make a Windows PE disc with the WAIK and run bootsect. "Bootsect /nt52 all mbr" will get you a clean NTLDR boot sector, and "bootsect /n560 all mbr" will get you a Vista BCD-based bootsector. Of course, that only works if you're using either of those as your bootloader, but if you are, you don't even need DD.

Re:I expected better.

[LordLimecat]

This is a NYTimes issue just as rotten meat is the supermarkets problem--whether or not its because of a rotten vendor. If you go with your attitude, we can never blame anyone-- Honda may get some parts manufactured at a 3rd party foundry, so theyre not to blame for defects! Dell uses Foxconn for their power supplies, so you cant blame Dell for computers that crap out in 2 years! Sony outsources its battery manufacturing to Taiwan, its not THEIR fault the batteries can catch fire, honest!

NYT Reacts to adds with story

[dk90406]

The story is somewhat weak. It suggests running Avast and MS Malicious Software Removal Tool.