New York Times Site Pop-Up Says Your Computer Is Infected
Zott writes "Apparently, 'some readers' of the New York Times site are getting a bit more with their news: an apparently syndicated adware popup with a faux virus scan of the user's computer indicating they are infected, and a link to go download a fix now. It's entertaining when a Mac user gets it, but clearly downloading an .exe file isn't a good way to keep your computer clean ..." Update: 09/14 03:20 GMT by T : Troy encountered this malware, "and did basic forensics. Summary: iframe ad then series of HTML/JS redirects, ending at a fake virus scanner page with a "Scan" link (made to look like a dialog box button) that downloaded malware." Nice explanation!
It's very entertaining. (Score:5, Insightful)
I think it's actually more entertaining when I don't get it at all on any platform, because I disabled javascript.
Re:It's very entertaining. (Score:5, Interesting)
FF + Adblock is my way to avoid it (and still get the sites I need .js to run on).
This crap has been going on for a few years now with the 'AntiVirus XP' scam (http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/) that seems to strike major sites every few months. Just goes to show the ad distributors have no control (or don't want it) over what goes into their distribution network.
Sad as this is, people fall for it all the time :(
Re:It's very entertaining. (Score:5, Informative)
The newest version of the "Antivirus 2010" software is a pain in the ass to get rid of. It rootkits the system and makes manual removal pretty much impossible without a WinPE boot disk of some kind, and even then it's difficult to find all the instances. There's one tool I found to remove it and most of its kin, and that is combofix [bleepingcomputer.com]. It successfully cleans Antivirus 2010 and a host of other rootkit-based malware in a process I can only describe as "magic". I'm just posting this to help out others that have spent way too much time trying to get rid of this crap off of friend/family computers.
Re:It's very entertaining. (Score:5, Informative)
I completely agree with "combofix rocks." My job at the college I attend is pretty much removing that virus 24/7 from student laptops, and I've learned a few things:
1) McAfee sucks. We supply a copy of the Enterprise version to students, and a patched installation is required for internet access. Somehow, we're still inundated every semester with the latest flavor of AntiVirus ModelYear.
2) ComboFix is amazing. It's simple, but it automates a lot of tools that are a bit of a pain to use on their own. Ten minutes, and most malware is somewhat neutered.
3) MalwareBytes is amazing. ComboFix always misses stuff, but it lets us install MalwareBytes (also free) which finishes the job. I haven't seen any virus MB couldn't remove.
It's usually faster to run ComboFix + MalwareBytes (half hour between the tools in most cases) than it is to nuke it from orbit and reinstall Windows. Unless you're paranoid, two programs will take care of your end of your extended family's implied social support contract.
Re:It's very entertaining. (Score:5, Insightful)
You make people use McAfee to get online? That would be enough to make me transfer.
Re: (Score:3, Informative)
I personally loathe McAfee - it interferes with ComboFix. But, I'm not IT, and you can technically remove it after your machine passes registration.
Re: (Score:3, Interesting)
It seems you can never fully remove a McAfee program without formatting and restarting. I'd probably just get a new hard drive, install Windows XP and McAfee on it, pass the system through, then swap in my normal drive. But, I am an IT nerd.
Re: (Score:3, Insightful)
Sorry after installing Combofix, my AV program Spysweeper reported three viruses just got installed, and Unhackme reported one rootkit got installed on my system from software from that link. Also it seems to have destroyed the control panel and I cannot Add/Remove programs anymore.
I think that anti-malware software needs to be peer reviewed by reliable sources before we decide to use it or not. This seems to be just as bad as a fake "infected" ad infecting your system.
Lucky for me that I was able to remove
Re: (Score:3, Informative)
Sorry after installing Combofix, my AV program Spysweeper reported three viruses just got installed
Combofix is pretty much a glorified batch file that automates the operation of programs like GMER. Some of these programs are considered "hacking tools" by AV vendors. Another reason I hate McAfee: it will automagically "clean" my flash drive of most of my antivirus tools.
If you downloaded ComboFix from bleepingcomputer.com, it's a false positive.
Re:It's very entertaining. (Score:4, Interesting)
Yes I downloaded Combofix from bleepingcomputer.
I am not sure why it would be flagged as a false positive. I am suspicious of any program that says I have to shut down my AV software in order for it to run.
Luckily both Unhackme and Spysweeper removed it, and was able to restore my control panel as well. I noticed that ComboFix was not in the Add/Remove programs and I tried the "Combofix /u" to uninstall it only to be greeted with a file not found error.
I looked in the program files directory and it was not there, but on the root directory of my system under c:\combofix\ hidden as a system file with copies of iexplore.exe and other files. Easy enough to delete, but the uninstall didn't seem to work. Maybe the combofix.exe file was deleted as a virus?
Spysweeper reported it as Mal/Pack-A, Virus/Test, and one other I forgot, and Unhackme said it was the FU Rootkit. Kaspersky said it was Trojan.Win32.Inject.ph. I would think Combofix would have been whitelisted by now as a false positive and removed from the detections, but apparently it has not.
Users need to be warned about false positives if that is indeed the case. I did a web search and it turned up web sites suggesting using Combofix, so I suspect it may be indeed a false positive. I can recall the BartPE and Retrago WinPE boot tools had some of their automated programs detected as hack tools and removed by AV software as well. Maybe those hack tools are effective at removing stuff the non-hack tools don't?
Re:It's very entertaining. (Score:4, Informative)
Re:It's very entertaining. (Score:4, Insightful)
We use F-Secure here. I wish we didn't, especially when they tell us not to go to known malware sites to test if their protection is working (even though a student is going to do just that). Makes you feel really secure, doesn't it? I really wish we were running either Avira AntiVir or Microsoft Forefront, since they seem to have the highest detection rates against rogues so far, but we decided to give F-Secure a second chance. I don't know why.
Anyway, since we have a laptop program at the college, our answer is simple. You're getting a new hard drive and we will move your favorites, My Documents and anything on your desktop. I know students don't like this option, but they REALLY won't like their credit card being stolen, or worse, their identity. Usually when I explain to them that this method is the safest option and that ID theft has happened to students (Guess what! if you pay for Antivirus 360 at 79.95, it still doesn't work AND they got your $79.95 AND they got your CC number and all the info they need to start swiping away your credit score!!) they agree with it, but some just don't care as long as they can download movies ("My Friends Hot Mom", "Milf Hunter", etc.) or music (from Gnutella, where the music is usually trojans or piggybacking some sort of virus) all day. Most will be back infected within the month as well.
The worst one so far is TDSS.F. It runs a rogue DHCP server across your network and tries to infect anyone that connects through it. It also adds autorun entries to infect across hard and flash drives and likes to install file fixer pro, which encrypts all your files. Luckily, Bradford Campus Manager detects the DHCP rogue and denies them access (That's why many campuses do this registration [slashdot.org] now.) but our virus scanner always misses it.
Re:It's very entertaining. (Score:4, Insightful)
Although a lot of files still do the false extension stuff, that's not the case with the MP3s we're seeing.
These are perfectly legitimate MP3 files. They are not rebadged WMP files. They will play music. They play on an MP3 player. How they work is that they usually have ID3 tag data which tries to exploit WMP or Winamp to execute code or connect to a malicious site. We also see the WMAs disguised as MP3s as well, but the ID3 MP3s have been getting more popular as of late.
As for hiding file extensions, there is a set of laws that I follow.
Laws of computer stupidity
1) 99% of computer users do not know what they are doing.
2) computer users do not read.
3) If a computer user can click on it, they will.
Disabling "hide file extensions" doesn't solve anything because of all of the above.
1) They don't know why that file has an .exe at the end or care for that matter. Explaining it to them goes in one ear and out the other.
2) Since they don't read, I'd bet you can make a file called "brittany spears does the nasty dance while going down on her new chihuahua and this file will wipe your hard drive clean.exe" and people would open it because all they read is "brittany spears" and "nasty dance".
3) If it's something they downloaded, they will click on it regardless of whether the extension is real or fake. This happened to me while I was researching a file I absolutely knew was a virus solely from the icon displayed to me. (In my case, it was the folder icon and I instinctively clicked on it to go into the folder. Yes, I show file extensions. I also fooled four other techs with this simple test using this icon and it showed the file extension for them too.)
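The comment above says the hostile MP3s are real, playable files whose ID3 tag data is what attacks the player. The following is an added example, not code from the commenter or from any product named in the thread: a small ID3v2 tag walker that flags the structural oddities a defender would look for before a media player ever parses the tag (frame sizes that run past the tag, non-alphanumeric frame ids, implausibly large text frames). The 64 KiB text-frame threshold and both sample inputs are constructed for the demonstration.

```python
import struct

ID3_HEADER_LEN = 10
FRAME_HEADER_LEN = 10
MAX_SANE_TEXT_FRAME = 64 * 1024  # hypothetical policy threshold: flag text frames above 64 KiB


def synchsafe_to_int(raw: bytes) -> int:
    """Decode a 4-byte ID3v2 synchsafe integer (7 data bits per byte)."""
    if len(raw) != 4 or any(b & 0x80 for b in raw):
        raise ValueError("not a synchsafe integer")
    return (raw[0] << 21) | (raw[1] << 14) | (raw[2] << 7) | raw[3]


def int_to_synchsafe(n: int) -> bytes:
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def inspect_id3v2(data: bytes):
    """Walk the ID3v2 tag at the start of an MP3 and return (frames, findings).

    frames   -- list of (frame_id, declared_size) that parsed cleanly
    findings -- human-readable reasons the tag looks malformed or hostile
    """
    findings = []
    if len(data) < ID3_HEADER_LEN or data[:3] != b"ID3":
        return [], ["no ID3v2 tag present"]
    major = data[3]
    try:
        tag_size = synchsafe_to_int(data[6:10])
    except ValueError:
        return [], ["header size field is not synchsafe"]
    available = len(data) - ID3_HEADER_LEN
    if tag_size > available:
        findings.append(f"declared tag size {tag_size} exceeds the {available} bytes present")
    end = ID3_HEADER_LEN + min(tag_size, available)

    frames = []
    pos = ID3_HEADER_LEN
    while pos + FRAME_HEADER_LEN <= end:
        fid = data[pos:pos + 4]
        if fid == b"\x00\x00\x00\x00":
            break  # zero bytes mark the padding area; nothing more to parse
        if not all(0x30 <= c <= 0x39 or 0x41 <= c <= 0x5A for c in fid):
            findings.append(f"non-alphanumeric frame id {fid!r} at offset {pos}")
            break
        size_bytes = data[pos + 4:pos + 8]
        try:
            # v2.4 frame sizes are synchsafe; v2.3 and earlier use plain big-endian
            fsize = synchsafe_to_int(size_bytes) if major == 4 else struct.unpack(">I", size_bytes)[0]
        except ValueError:
            findings.append(f"frame {fid.decode()} has a non-synchsafe size in a v2.4 tag")
            break
        if pos + FRAME_HEADER_LEN + fsize > end:
            # the classic malformed-tag pattern: a size field that runs past the tag itself
            findings.append(f"frame {fid.decode()} size {fsize} runs past tag end")
            break
        if fid[:1] == b"T" and fsize > MAX_SANE_TEXT_FRAME:
            findings.append(f"oversized text frame {fid.decode()} ({fsize} bytes)")
        frames.append((fid.decode(), fsize))
        pos += FRAME_HEADER_LEN + fsize
    return frames, findings


def build_frame(fid: bytes, body: bytes, major: int = 3) -> bytes:
    size = int_to_synchsafe(len(body)) if major == 4 else struct.pack(">I", len(body))
    return fid + size + b"\x00\x00" + body


def build_tag(frames: list, major: int = 3) -> bytes:
    body = b"".join(frames)
    return b"ID3" + bytes([major, 0, 0]) + int_to_synchsafe(len(body)) + body


# Constructed sample inputs (not real files): a well-formed tag, and one whose
# TIT2 frame claims a size far larger than the tag that contains it.
BENIGN_MP3_HEAD = build_tag([build_frame(b"TIT2", b"\x00Hello"),
                             build_frame(b"TPE1", b"\x00Band")]) + b"\xff\xfb" * 4
MALFORMED_MP3_HEAD = build_tag([b"TIT2" + struct.pack(">I", 0x7FFFFFFF) + b"\x00\x00" + b"\x00x"])

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_MP3_HEAD), ("malformed", MALFORMED_MP3_HEAD)):
        frames, findings = inspect_id3v2(sample)
        print(label, frames, findings)
```

Run over a directory of downloads, a non-empty findings list is a reason to quarantine the file for a closer look rather than a verdict on its own; well-formed tags can still carry hostile content in a frame body, which this walker does not inspect.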
Re:It's very entertaining. (Score:5, Insightful)
It's usually faster to run ComboFix + MalwareBytes (half hour between the tools in most cases) than it is to nuke it from orbit and reinstall Windows. Unless you're paranoid, two programs will take care of your end of your extended family's implied social support contract.
It used to be A rocked, and then A and B rocked. Then B started to suck, so we used A & C, then malware defeated A, so we used D & C (C had to be used second), with a splash of E. A came back with a new version, and we'll call it F. F'n rocked! Then it sucked. etc.
I could never be bothered figuring out which version of what software _really_ cleans up this week's malware. I always would nuke from orbit (after judiciously backing up data using the drive as a neutered USB disk).
Once again with the "nofix" (Score:5, Interesting)
If you can confirm that there was malware on the system there is no cure except to start with a clean image - preferably one you stored with an imaging tool like the free Clonezilla [clonezilla.org] prior to accessing any network at all or any untrusted media. Putting a clean image on can take 5-30 minutes, and is certain to remove all traces of infestation. It's actually quicker than scanning. Once you've got a confirmed hit your only business using a compromised machine is an inspection of the features that got the user into trouble so you can turn those off after you image, and capture for them a more suitable image.
There's a tired old nag about no software being secure but really one thing is for certain: once an app has been running that's known to be infested it got there because the maker knew something the user didn't. Among the other things the user doesn't know are how many other applications the malware infested, how many running services were leveraged with local privilege escalation, how many rootkits of various sorts were installed. Most modern malware immediately upon installation scans the local system and sniffs the network. They look up components and download a cocktail of toxic code that's both tailored to the specific machine and randomly generated so as to be unique. There's a management system that auto-permutes millions of vile code variants every day, and uses a genetic algorithm to determine which of the little beasties is the most efficient. This is not your dad's malware ecosystem.
Pretending to remove malware is nothing short of malpractice. All you're doing is helping the bad guys by pointing out which modules survive a cursory attempt at cleaning.
Re:Once again with the "nofix" (Score:5, Informative)
Download the Microsoft WAIK and install it. Use ImageX to create a file-based .WIM image of your system and files.
Then, download dd for Windows. Use it to copy the first 512 bytes or the first cluster of Partition0 on the hard disk Windows is installed on. This will capture your boot sector.
If you're trying to use this for daily backups, ImageX won't work... You could always schedule robocopy to run daily/weekly instead. (It's included with Vista and up, but you can download it for XP.)
If you're not using it for daily backups, ImageX still requires "mucking about with special image files," but you can use ImageX to mount .WIM files into a directory, meaning you can use Windows Explorer or whatever tool browse and modify the file system.
Instead of DD, you could always use a Vista and above install disc or make a Windows PE disc with the WAIK and run bootsect. "Bootsect /nt52 all mbr" will get you a clean NTLDR boot sector, and "bootsect /nt60 all mbr" will get you a Vista BCD-based bootsector. Of course, that only works if you're using either of those as your bootloader, but if you are, you don't even need DD.
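The comment above captures the first 512 bytes of the disk with dd so the boot sector can be restored later. An added example, not the commenter's procedure or any tool's code, showing what to do with such a capture on the defensive side: parse the 512-byte MBR into its boot code, disk signature and partition table, then diff a current read against the known-good capture so boot-code tampering shows up as a concrete finding. The dd device path in the comment is the form dd for Windows uses and is assumed here, not run; both sample sectors are constructed.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bootstrap code precedes the 4-byte disk signature at offset 440
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"

# How the sector would be captured with dd for Windows (assumed device-path form, not run here):
#   dd if=\\?\Device\Harddisk0\Partition0 of=mbr-clean.bin bs=512 count=1


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into its boot code hash, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, ptype = sector[off], sector[off + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0x00:  # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sector_count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def compare_boot_sectors(known_good: bytes, current: bytes) -> list:
    """Report what changed between a known-good MBR capture and the sector read now."""
    good, now = parse_mbr(known_good), parse_mbr(current)
    findings = []
    if good["boot_code_sha256"] != now["boot_code_sha256"]:
        findings.append("boot code differs from the known-good capture")
    if good["disk_signature"] != now["disk_signature"]:
        findings.append("disk signature changed")
    if good["partitions"] != now["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(boot_code: bytes, partitions: list, disk_signature: int = 0x1234ABCD) -> bytes:
    """Assemble a constructed MBR for testing; values are made up, not from a real disk."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, disk_signature)
    for i, (status, ptype, lba_start, count) in enumerate(partitions):
        off = PART_TABLE_OFF + i * 16
        sector[off], sector[off + 4] = status, ptype
        struct.pack_into("<II", sector, off + 8, lba_start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: a "clean" capture, and the same disk after its boot code was altered.
CLEAN_MBR = build_sample_mbr(b"\xeb\x63\x90" + b"\x90" * 16,
                             [(0x80, 0x07, 2048, 1_000_000)])
ALTERED_MBR = build_sample_mbr(b"\xeb\x63\x90" + b"\xcc" * 16,
                               [(0x80, 0x07, 2048, 1_000_000)])

if __name__ == "__main__":
    print(compare_boot_sectors(CLEAN_MBR, CLEAN_MBR))    # []
    print(compare_boot_sectors(CLEAN_MBR, ALTERED_MBR))  # ['boot code differs from the known-good capture']
```

The comparison only covers the first sector; a bootkit that hooks later stages of the boot path will not show up here, which is one more argument for the commenter's advice to restore the known-good sector rather than trust a clean-looking diff.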
Re: (Score:3, Insightful)
It sucks and yet you require it on every student machine. Sounds to me like this isn't a student problem.
Re: (Score:3)
Well, from an IT administrator that manages McAfee Enterprise, it does indeed suck royal balls at doing its primary job (catching virii).
However it does excel at pointy hair boss reporting, which is often key to getting funding for said product. It is also easy to manage and update via ePolicy Orchestrator (ePO).
The other "corporate" option is Norton/Symantec product which sucks balls and then licks colons.
And this weeks "AV" "best" choice which then "sucks" next week isn't really an option for TRUE enterpr
Re:It's very entertaining. (Score:5, Informative)
I personally use Comodo firewall, and it's one hell of a delicate security guard. I have to turn it off when I install anything because I will be there all day clicking approve. It's not annoying when you know how to use it and change its settings (takes a nominal amount of time). I've had a lot of instances now when I even purposely download sketchy .exe files, and it alerts me right away about suspicious activity in the computer. Best of all it's free.
Re:It's very entertaining. (Score:4, Informative)
No, we have no central management of the enterprise AV. Yes, it is painful. But, IT is a separate department - they make policy, we live with it, though they're all nice, smart people who are just hung up on McAfee for some reason.
Our DHCP server compares your MAC address against a list of "registered" machines. If there's no match, meaning your machine is unregistered, you get an IP address within a special "unregistered" subnet. The subnet is denied internet access, and any HTTP requests are redirected to the local registration website.
The registration website gives you a link to the McAfee installer. You then have to download and run a custom "validator" program that checks for the presence of McAfee, and then adds your MAC address to the approved list.
Yes, this can easily be circumvented, but how many people know how to do MAC sniffing/spoofing? Those that can probably aren't going to get viruses on their Winboxen.
Re: (Score:2)
Best to bite the bullet, and talk the client into a drive formatting and OS reinstall. Given that opportunity, you can also go ahead and do some system optimization, and with a vanilla-install source, get rid of manufacturer-installed bloatcrap. For about the same amount of time (and thus, price) that it would take to do whatever you can to ensure a clean system, they get a much better job. The system will probably be running
Re:It's very entertaining. (Score:5, Informative)
In a perfect world, we would do that, but we get too many machines in and out to make that feasible. Then, there's all the normal luser problems: I don't know where my files are, I have no install media, I have no keys, I deleted my recover partition to save space, etc.
The foolproof way to remove the AntiVirus ModelYear rootkit is: Make a file-based image of the hard disk. By design, it hides from the file system, meaning it will not be included in an image made by a tool like ImageX from Microsoft's free WAIK. Gather an image and apply it to the same hard disk, and the rootkit's gone.
If you're adventurous, ImageX lets you mount the image file on a clean PC to do offline scans of its files and registry hives. You can clean a computer without ever booting it.
But, that's generally overkill. AntiVirus ModelYear rootkit isn't the nasty kind of hardware-hypervisor rootkit - it runs at kernel privileges. So does MalwareBytes. To be dangerous, it has to run at a higher privilege level than the removal tools.
For family members that promise me food, I go the extra mile and do the clean install for them. Staff machines we just re-image.
Re: (Score:3, Insightful)
I don't want to sound like "that guy", but really, that sounds like an awful lot of trouble to go through to protect an operating system that is, by design, vulnerable to such BS. The act
Re: (Score:3, Interesting)
Yes, Imagex supports XP SP3 just fine. It's the automated distribution tools that do not work, for XP to use an image with more than one PC you still need to use sysprep and a custom install setup. The automated tools work with Vista up.
Imagex.exe will make an image of any hard drive or subset of any hard drive that windows can read.
What the GP was talking about was building a WinPE disk (WAIK will help you do that much for XP, pretty easy too), booting into it, and using imagex to image the drive, then f
Re:It's very entertaining. (Score:4, Informative)
This.
The discovery that it removed the rootkit was a happy accident. After a few unhappy incidents related to the aforementioned "luser problems," we've taken to making such a CYA image of every laptop that passes through our fingers, just in case.
After a scan found the TDSS rootkit on a laptop, I decided it would be easier to disinfect the backup image. I discovered none of the hidden TDSS* were even in the image, and concluded that the obfuscation techniques worked all too well.
Although the infected system files were indeed still in the image, the bulk of the rootkit hides in these hidden TDSS(garbage characters) files, which were not gathered, leaving the rootkit neutered.
Re: (Score:3, Insightful)
That is generally my approach. Once a machine is compromised, I insist that they are reinstalled from absolute scratch. Following that, I take an image file of that machine in perfect working order. And during checkups, if the machine is still in good order, I take another snapshot.
All applications should be reinstallable and all data should be stored on servers that are backed up routinely.
If those basic rules are followed, an infected machine is something of an embarrassment to the user and an inconven
Re: (Score:3, Insightful)
I get so tired of the extra effort it takes to keep her system running. Damnit, we paid *extra* for Microsoft software, we paid *extra* for many of the programs she depends on. My workstations are so much less labor-intensive and get so much more work done...
Let's be fair. The problem (no offense) is just as much your wife as it is her system, if not more. If you were using the same system, you would have few issues, if any, because you'd be more conscious of what you do on there. The many techies who successfully run clean Windows installs (of which I am one) are living proof of this. The biggest security flaw in every system is the user, and even in an OS with perfect security, there will still be virus-laden machines. We'll never see the day where all users
Re: (Score:3, Insightful)
It successfully cleans Antivirus 2010 and a host of other rootkit-based malware in a process I can only describe as "magic".
How do you know that it successfully cleans it out? Most viruses are closed-source, so you have no idea what's in them. Some are very, very clever, and hide in ways that software cannot detect, especially the rootkits. My policy is that the only way to be SURE that the virus is gone is to format the drive and reinstall the OS. Especially so if you don't know what the cleanup software is doing (a.k.a. "magic").
Wrong, PFT... (Score:2)
Bottom line: Signature- and site-based detection can always be defeated.
Re:It's very entertaining. (Score:4, Insightful)
They need to take responsibility for what they publish on their own sites.
I'd like to see a class action suit against the NY Times or the ad network they use by users who were infected.
Based on NYT negligently allowing advertisers to inject code into their web site.
I can understand users getting hit with fake dialogs after clicking on an ad.
But I believe web sites have a duty to take standard precautions and avoid loading remote script code
I differentiate ad content from code. It's not rocket science -- when the advertiser uploads their ad unit, sanitize the input, so the upload cannot contain any javascript, SCRIPT, IFRAME, FRAME, or other unexpected tags or tag attributes, for that matter, or any remote loading. Only approved 'safe' HTML tags such as IMG. And any images referred must be uploaded and served from the ad network (again, no remote loading).
Again, it's not rocket science to sanitize input. There's really no excuse for not doing it, other than negligently ignoring security issues, and possible harm malicious ads can do...
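The comment above argues for validating an uploaded ad unit against a whitelist at upload time. As an added example (not the commenter's code, and not any ad network's real upload pipeline), here is a validator that implements exactly that policy with Python's standard-library HTML parser: only whitelisted tags and attributes, https everywhere, and anything the browser would fetch (`src`) must be hosted on the ad network. Rejecting rather than stripping is deliberate, so the advertiser sees why the creative bounced. The host name `ads.example-network.test` and both creatives are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical policy values; a real ad network would fill these from its own config.
AD_NETWORK_HOSTS = {"ads.example-network.test"}
ALLOWED_TAGS = {
    "img": {"src", "alt", "width", "height"},
    "a": {"href"},
    "br": set(), "p": set(), "b": set(), "i": set(),
}


def check_url(value: str, tag: str, name: str) -> list:
    """Enforce https everywhere and ad-network hosting for anything the browser fetches."""
    url = urlparse((value or "").strip())
    if url.scheme != "https":
        return [f"{name} on <{tag}> must use https (got {url.scheme or 'none'})"]
    if name == "src" and url.hostname not in AD_NETWORK_HOSTS:
        return [f"{name} on <{tag}> loads from remote host {url.hostname}"]
    return []


class AdUnitValidator(HTMLParser):
    """Collects every reason the uploaded markup violates the whitelist."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.problems = []

    def handle_starttag(self, tag, attrs):
        allowed = ALLOWED_TAGS.get(tag)   # HTMLParser lowercases tag and attribute names
        if allowed is None:
            self.problems.append(f"disallowed tag <{tag}>")
            return
        for name, value in attrs:
            if name not in allowed:       # catches every on* handler, style, srcdoc, ...
                self.problems.append(f"disallowed attribute {name} on <{tag}>")
            elif name in ("src", "href"):
                self.problems.extend(check_url(value, tag, name))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_comment(self, data):
        self.problems.append("comments are not allowed")

    def handle_decl(self, decl):
        self.problems.append("declarations are not allowed")

    def handle_pi(self, data):
        self.problems.append("processing instructions are not allowed")


def validate_ad_unit(markup: str) -> list:
    """Return [] when the creative is acceptable, otherwise the list of violations."""
    validator = AdUnitValidator()
    validator.feed(markup)
    validator.close()
    return validator.problems


# Constructed creatives for demonstration (not real ads).
CLEAN_CREATIVE = ('<a href="https://advertiser.example/landing">'
                  '<img src="https://ads.example-network.test/creatives/123.png" '
                  'alt="Spring sale" width="300" height="250"></a>')
HOSTILE_CREATIVE = ('<img src="https://ads.example-network.test/x.png" onload="run()">'
                    '<iframe src="https://third-party.example/"></iframe>'
                    '<script src="https://third-party.example/r.js"></script>'
                    '<a href="javascript:void(0)">click</a>')

if __name__ == "__main__":
    print(validate_ad_unit(CLEAN_CREATIVE))
    for problem in validate_ad_unit(HOSTILE_CREATIVE):
        print("-", problem)
```

Click-through `href` values are allowed to point at the advertiser's own https host because following a link is a user action, not a page-load fetch; `src` is held to the stricter ad-network-only rule, which is the "no remote loading" part of the comment's policy.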
Comment removed (Score:4, Informative)
Re: (Score:3, Informative)
Ironically enough, IE has support for a form of whitelist-by-site. Basically, use the "Security Zones" feature (Security tab of Internet Options, or just double-click where it says "Internet | Protected Mode" in the status bar) and turn the permissions on the Internet zone way down. Like, no scripting, no plugins, no redirects, no downloads, etc. Disable unencrypted form submissions and turn on every signature check, or however you want to do it - just lock it down. No Flash or any other ActiveX (they're pl
Re: (Score:3, Interesting)
I just installed NoScript after getting redirected to the phony page. I reviewed all my browsing this morning and didn't see any particularly "dangerous" sites. One of them was, of course, nytimes.com. Little did I know....
As a user of Firefox on Linux, having my computer display a Windows-styled desktop folder and informing me that it was scanning my dll collection was both amusing and alarming.
For the curious, the browser is hijacked with Javascript and redirected to the phony scanning page which sugge
News? Where? (Score:5, Interesting)
Re: (Score:2)
Re:News? Where? (Score:5, Insightful)
Not exactly news but nonetheless a sad indictment of the state of online advertising that even big sites with a reputation to uphold are using adverts from seedy advert networks who tolerate this shit.
Re:News? Where? (Score:5, Informative)
What exactly makes this different from any of the other hundreds of sites with the same popup? Is it just because this is a large, well-known website like the New York Times?
That's my impression. I think the interesting thing here is that the presumption that reputable websites have reputable advertisements has been violated. NYT's advertising policies [whsites.net] include the following paragraph [whsites.net]:
The Times may decline to accept advertising that is misleading, inaccurate or fraudulent; that makes unfair competitive claims; or that fails to comply with its standards of decency and dignity.
Granted, they don't outright state that the content is prohibited, but they do imply a stance against this type of advertising. This is a clear violation of that intention, and they took the appropriate response. I'd be most interested in knowing if this particular advertisement was intentionally approved, "slipped through" accidentally, or was injected illicitly (e.g., their advertising server was hacked, etc.).
Re: (Score:2)
Yes, a large website with high traffic and a reputation to maintain. Be assured, somewhere someone ate dinner standing up tonight.
Re: (Score:2, Insightful)
I think this case is semi-interesting because it conveniently parallels the slow death of the media as we know it. The idea is that people used to look to newspapers like the New York Times for trustworthy news; now, these sources mislead (lie?) to their users and mess up their expensive computers in the process.
Of course, I agree with you that it is misleading to accuse just the NYT - 1000s of sites run these misleading ads, and many probably don't mean to (including the NYT, I'm sure). I would call this a
Re: (Score:3, Insightful)
Talk about a reach to bash Reagan! There has never been such a thing as an unbiased news source. That's some sort of urban legend or something. For a while, some news sources tried to present you with the biased view for both sides of an issue, which at least counts as making an effort at being unbiased, but even that seems to have fallen out of fashion. What you can find is sites that are severely biased about stuff you don't care about, and so don't make any effort to spin stuff that you do.
I saw it (Score:5, Funny)
But when it starts telling me the C:\ drive on my Linux box is infected it's hard to stop laughing.
Still was a job to get rid of the circle jerk pop ups.
Re: (Score:2)
Still was a job to get rid of the circle jerk pop ups.
If not for that, I'd bookmark the ad!
Re:I saw it (Score:5, Funny)
But when it starts telling me the C:\ drive on my Linux box is infected it's hard to stop laughing.
You moron, it was complaining about your .wine directory!
Re: (Score:2)
Re: (Score:2)
You just got wooshed, since there are no drive letters in Linux.
some macs can run that exe (Score:2, Informative)
Believe it or not, some high end virtual machines, even including MS's unmaintained Virtual PC, do assign themselves to .exe files and conveniently run them!
Apple knows this possibility and that is why your Safari alerts you when you download an .exe file, not like they don't know their own OS. :)
BTW, if the virus mentioned is the one I saw, don't play around with these guys since it was one of the rare times Kaspersky online scanner missed the virus (trojan) offered, I submitted it to them and they included ho
And they wonder... (Score:5, Funny)
Because they can't adapt properly. Seriously guys, filter your ads!
Re: (Score:2)
Wait...what?
Re:And they wonder... (Score:5, Insightful)
The New York Times is one of the most respected publications in the world. It's not going anywhere.
Re:And they wonder... (Score:5, Funny)
Yup, they're "too big to fail", while the rest of us are "too small to succeed".
Gotta love the government, creating opportunities (for the already super-rich) at every turn!
Re:And they wonder... (Score:4, Informative)
Did you read those financial statements? The stockholder's equity is down almost $1 billion, or 60%, since 2005. They have more debt than their balance now (which was not so just a few years ago), they lost their ass in 2006 (net loss of $500+ million), gained a little in 2007, and lost most of what they gained in 2008. They had a net loss of $57 million in 2008. Contrast that with 2007 where they had a net profit of $200 million. That's pretty tight with revenues of over $3 billion.
Did you read that financial statement at all? It's downright depressing. Did you read where the $40 million 2Q profit came from? They are cutting nearly $500 million out of their budget this year, and yet that has produced only $40 million in profit. Analysts aren't impressed, because revenues are down by 20% of the already low number they were anticipating.
What happens when they run out of things to cut? They've got $1 billion in debt and are only making $20-40 million a quarter. The belt is tight and getting tighter, things are not exactly going well at NYT.
Bleeding is the right word; they only look ok right now because they were hemorrhaging a few years ago.
Re:And they wonder... (Score:5, Funny)
Yeah, I was sitting over breakfast reading the Sunday Times and this popped up. Doomed.
More info on metafilter (Score:2)
I was hit by this issue earlier today, more info with some malware URLs available on metafilter here [metafilter.com].
Happened to my Parents (Score:5, Insightful)
What really annoys me is that these things are most effective because they use javascript alerts to freeze the browser. If you could just browse away from the crap, I could teach my parents just to ignore it.
"Javascript alerts are not tab modal" has been a known bug in Firefox going on 9 years now. It's not just an annoyance, it's a security bug, fix it!
Re:Happened to my Parents (Score:5, Informative)
Would that be this one [mozilla.org]? That's pretty darned old. Reminds me a bit of the title text display bug that used to hit XKCD et al.
Mod parent up (Score:4, Insightful)
Would that be this one [mozilla.org]? That's pretty darned old. Reminds me a bit of the title text display bug that used to hit XKCD et al.
link is highly germane to the discussion
Re:Happened to my Parents (Score:5, Informative)
If you used the evil closed source Opera browser, you would have "stop executing scripts from this page" option right below that javascript popup.
It is interesting since nobody really cares who takes what from other browsers, no "patent" or anything, especially from Opera side. It must be very easy to implement, why don't they do it? It is not some high tech JIT compiler either, a basic checkbox.
Re:Happened to my Parents (Score:4, Interesting)
As I write this I'm trying to figure out how to do that in Firefox.. ya know, that whole "fix it yourself" open source thing. Nicest thing I can say about Firefox: at least the code is better than Open Office.
Re: (Score:3, Insightful)
That's the idea, but don't get your hopes up. Although I currently have the perseverance to get through the code, I doubt I'll have the perseverance to get through the politics.
Re: (Score:2)
A rose by any other name....
Re:Happened to my Parents (Score:4, Insightful)
Dude, the ticket was filed in 2000.. so it was around for at least that long.. the bug most likely goes back to the Netscape days.
Re: (Score:3, Interesting)
You've never heard of Mozilla or Netscape, have you?
Netscape > Mozilla > Phoenix/Firebird > Firefox.
Mozilla was an offshoot of Netscape, which eventually folded leaving the Mozilla Organization behind, and the Mozilla browser became Firebird and then Firefox. Development on the Mozilla browser itself began in 1998, which is when Netscape created the Mozilla Organization.
History man, history.
BTW, Netscape rocked until it sucked, Mozilla was the re-write (which was a stupid decision, if they had ju
Re: (Score:3, Interesting)
Then, if I see something that isn't "right" on Firefox I can paste the URL into the other browser and examine unscathed.
This is less technical, and I do enjoy browsing much more without ads or other noise candy...
Damn right (Score:5, Funny)
but clearly downloading an .exe file isn't a good way to keep your computer clean ..."
Absolutely, .com, .bat and .scr are the only way to go!
Re: (Score:3, Interesting)
Funny (Score:2, Funny)
Re:Funny (Score:5, Funny)
I've renamed my "Macintosh HD" to "C:" to accommodate the viruses, but they still won't run!
In my day ... (Score:5, Funny)
... if we wanted to catch a virus from the New York Times, we had to read a copy that some hobo had used for a blanket.
Now you kids stay off my lawn!
it has been happening all weekend (Score:5, Informative)
In this case, it runs a mock scan, states the computer is infected, and then pretends to offer help. The exe file sometimes gets downloaded. From the way I have seen IE work lately, I would not think the file would download without user intervention, but, the page does a good job of scaring users, so I suspect some might download the files.
The malware site is protection-check07com
malwareurl.com [malwareurl.com] has the owner listed as Elton John; perhaps one can think that this is a pseudonym. Kind of lends credence to rules that require valid information on domain name registrations.
In any case, this is where the address is listed [google.com]. Looks residential, so maybe that is fake as well. I hope the protection-check people are not setting up some poor sod. Ha, protection check.
Of course this does bring up two issues. Everyone is afraid of viruses, so it is easy to translate that fear into irrational action. It might make us think about some activities that went on this past weekend. Second, such attacks work by mimicking the theme of certain systems, so perhaps one countermeasure is to allow users to vary their theme. This might be very good for corporate machines, as firms might like custom themes. On Macs and *nix, of course, the attack did not work because the web page did not integrate into the background; an elephant is going to look quite conspicuous in a field of leopards.
I Applaud (Score:3, Funny)
I really have to thank the N.Y. times for going far above and beyond the call of duty and notifying their readers of virus infected computers.
Best 40 bucks I ever spent, I can now browse the web with confidence with my shiny new AntiVirus 2010 Enterprise.
Ads and proxy placement (Score:5, Insightful)
The concern I have over the long term is that sites like the NYT may not know what advertisements will appear because they are placed by bulk-buying proxies that dispense them at page-load time, probably based on evil-cookie trails or other demographic markers. So, the question becomes: how should a presumably high-integrity site such as a major news outlet ensure quality when they've outsourced advertisement delivery?
Review of each possible advertisement would be onerous, but failure to have some standards in place will eventually lead to malware (or worse) injected into unsuspecting readers' machines. I just chuckled when it popped up. I run Macs at home. But, when things like this happen to family members running PCs (and we get the phone call) it stops being funny pretty quickly.
Is there a business case for reviewing advertisements (and the associated mobile code whether it be FLASH, etc.) for a 21st century "Good Housekeeping Seal of Approval"? After all, the NYT and others are just one virus (or porn advertisement) away from a PR nightmare.
Re: (Score:3, Insightful)
Review of each possible advertisement would be onerous
Seriously? So we're OK with major newspapers having absolutely no standards at all these days? What do you suppose people did back in the days before you could get ads via RSS feed?
Re:Ads and proxy placement (Score:4, Insightful)
So we're OK with major newspapers having absolutely no standards at all these days?
I believe I said the opposite; I said a failure to have standards will cause problems.
What do you suppose people did back in the days before you could get ads via RSS feed?
They reviewed the advertisements with their clients directly. There were a few hundred per day and it was a manageable problem. Now, advertisements may be served by proxies and selected from among tens of thousands of potential ads, designed to be targeted to readers in specific geographic regions, income levels, purchasing habits, interests, age categories, gender, education level, or other factors.
The point of my post was that the combinatorial explosion of possible advertisement choices to be served-up on my specific page load may not be easily reviewable by NYT staff a priori.
Re: (Score:3, Interesting)
They reviewed the advertisements with their clients directly. There were a few hundred per day and it was a manageable problem. Now, advertisements may be served by proxies and selected from among tens of thousands of potential ads, designed to be targeted to readers in specific geographic regions, income levels, purchasing habits, interests, age categories, gender, education level, or other factors.
Surely a good ad proxy works something like an online dating service? If they're just throwing anything and everything at you, why use a middleman in the first place? So what criteria made them think these particular ads were acceptable for a major newspaper? Personally, I don't consider them acceptable for any site (and yes, I've seen the ads in question on the Times -- my reaction when I saw them was to immediately run a spyware scan, which turned up negative).
And God help us if the New York Times is so d
F-U New York Times! (Score:4, Funny)
I had the popup (despite FF w/adblock enabled) while reading a story this morning.
I never even considered that the Times would be running something like this so I launched into cleansing mode. I wasted an hour hunting for malware or a virus that was not there. Thanks a lot!
Not even a News Corp paper! (Score:2)
CNN... (Score:5, Informative)
HOSTS file and noscript (Score:5, Insightful)
Re: (Score:3)
Re:HOSTS file and noscript (Score:5, Informative)
http://www.mvps.org/winhelp2002/hosts.htm
http://www.mvps.org/winhelp2002/hosts.txt
I recently also started using the NoScript add-on and also the Adblock Plus add-on for Firefox on both my Linux computer and on my Windows XP computer. But, perhaps using both the ad blocking hosts file, plus Adblock Plus, is redundant and unnecessary. With the NoScript add-on, I occasionally click on the icon, which has now been added to the lower right corner of Firefox. After clicking on that, I can choose whether to temporarily or permanently allow a particular web site's scripts.
I do nearly all of my Internet browsing from my Linux box. But, when I occasionally actually dare to use my Windows XP computer to browse the Internet, I use Sandboxie to sandbox my default browser, which in my case happens to be Firefox. I am not an expert on any of this, and am not a regular Security Now listener, but here are a couple of episodes that are about Sandboxie.
http://www.grc.com/sn/sn-172.htm
http://www.grc.com/sn/sn-174.htm
Microsoft's model is to blame. (Score:4, Insightful)
Then how else are Windows users supposed to get new software? Downloading and installing random executables from god-knows-where is the expected method in Windows. Then people wonder why Windows users get infected with all kinds of crap.
The lack of any managed repository of vetted and verified software is, to me, the number one reason Windows sucks so hard. A plain vanilla Windows install does absolutely nothing on its own -- you're expected to go find all the software you need, and this trains users to believe that downloading and installing random crap is just fine.
Combine that with Windows' propensity for getting up in your face about every little detail -- THIS SOFTWARE NEEDS UPDATING! YOUR FIREWALL SETTINGS AREN'T CORRECT SOME OTHER SOFTWARE NEEDS UPDATING! CLICK HERE TO GET NEW VIRUS DEFINITIONS! CLICK ME! CLICK ME! CLICK ME! -- and it's easy to understand how this happens.
The entire Windows model is built around mindless, unnecessary alerts and "download and install now" crap. How are you supposed to teach users which are legitimate and which are not, and what's okay to download and what isn't, when the culture of the OS itself encourages you to do all the wrong things?
Re: (Score:3, Interesting)
The lack of any managed repository of vetted and verified software is, to me, the number one reason Windows sucks so hard.
So you're advocating the iPhone-style app store, with obscure fascist rules determining who is blessed and who is not? I'm assuming you're not suggesting that Microsoft should be the only source of all possible software for running on Windows; that most definitely won't work due to the diversity of things that people do with computers. Well, thinking about it you might actually be advocating that, in the misguided belief that the Linux Distributor model works well; it only does if you want OSS - not always
False dichotomy (Score:3, Interesting)
Of course, "absolute free-for-all" and "Apple-style App Store" are not the only two choices. You sort of get it this later in the post, but of course the main concept left out here is the Linux repository concept. You can be reasonably sure that apps in the repository have been vetted for viruses, etc (at least you can with Debian)... and yet, if you really want to get software somewhere el
Re:Microsoft's model is to blame. (Score:4, Interesting)
Synaptic is an easy to use point-and-click GUI front end for apt-get. Synaptic can easily download and install, upgrade, or uninstall various programs from the official repositories, while reliably taking care of all dependencies automatically.
Windows users do not have a similar place to go to, or built-in tools to use, to easily download and upgrade reputable, safe, non-Microsoft software. However, for installing an occasional commercial paid-for software program on a Linux computer, that would still be downloaded from a company's website. As far as I know, it is just the free open source software programs that are available in the main official Debian repositories.
That is my rough understanding of how the Debian repositories work. As a desktop Linux user, I am glad that I do not have to download software from god knows where, in response to some pop-up. If I did suddenly decide that I needed new software or an upgrade, I would generally stick to using Synaptic or apt-get to download the software for me from the official repositories, instead of using an advertising script on a script enabled web page to download whatever it is from who knows where.
There are also a few reputable, reasonably well known, commercial software companies, with Linux software, that I have bought software from, for my home computer.
The lack of something like Synaptic and apt-get, and the Debian repositories, is a severe shortcoming of Windows.
http://en.wikipedia.org/wiki/Debian
NYT Reacts to ads with story (Score:5, Interesting)
Re: (Score:2)
Windows XP with luna theme by any chance?
I wonder when the scum will switch to aeroglass themed ads.
Re:It happens on Linux too (Score:5, Interesting)
Re: (Score:2)
Re:It happens on Linux too (Score:4, Insightful)
Re:It happens on Linux too (Score:5, Insightful)
Two years ago, I got my 67-year-old mother online with a Debian (stable) box for web browsing, emailing, and printing.
At least twice in these two years, she has come across web pages warning that her operating system has been infected with a virus.
The web pages make it look like she has an infected Windows system - similar to the link from the NYT web page.
I reassure her each time that her computer has not been infected, and it is not likely to ever be infected so long as she is careful with her password.
I would like Firefox (or in her case IceWeasel) to have a plugin to avoid loading pages that look like Windows Explorer.
This would save people like my mother and businesses like the NYT from undue stress.
Re:I expected better. (Score:5, Informative)
Re: (Score:3, Informative)
They actually appear to embed the ad code directly into the page (you can see which campaigns the ads are for; the one that hit me was for Vonage, near the bottom of the page). In my case, it wrote a weakly obfuscated script that redirected the whole page to sex-and-the-city.cn (... err, yeah) which redirected to protection-check07.
Poor NYT, they now have a special rule in my ad filters.
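The two defensive angles raised in this thread, a hosts-file blocklist (the mvps.org post above) and reconstructing the iframe/JS/meta-refresh redirect chain from a saved ad page (the post just above), fit together in one triage script. The following is an added example, not code from any poster or from the NYT: it parses a hosts file in the 0.0.0.0 sinkhole style, statically extracts redirect targets from a saved HTML page (including targets hidden behind a JavaScript `unescape()` call, the kind of weak obfuscation described above), and reports which hops a hosts-file block would have stopped. The hosts entries, the sample page and every domain in it are constructed for this example; nothing here is fetched from the network.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, unquote

# Constructed hosts-file excerpt in the style of the mvps.org list.
# The domains are made up for this example (.test TLD).
HOSTS_BLOCKLIST = """
# constructed sample, not the real MVPS hosts file
127.0.0.1 localhost
0.0.0.0 ads.example-adnetwork.test   # ad server
0.0.0.0 tracker.example.test
0.0.0.0 fakescan.example.test
"""

# Constructed ad-slot HTML: an iframe hop, a percent-escaped JS redirect and a meta refresh.
SAMPLE_AD_HTML = """<html><body>
<iframe src="http://ads.example-adnetwork.test/serve?id=123"></iframe>
<script type="text/javascript">
window.location.href = unescape("%68%74%74%70%3A%2F%2F%66%61%6B%65%73%63%61%6E%2E%65%78%61%6D%70%6C%65%2E%74%65%73%74%2F%73%63%61%6E");
</script>
<meta http-equiv="refresh" content="0; url=http://hop.example.test/next">
</body></html>"""


def parse_hosts_blocklist(text):
    """Return the hostnames a hosts file sinkholes to 0.0.0.0 or 127.0.0.1 (localhost excluded)."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("0.0.0.0", "127.0.0.1"):
            blocked.update(n.lower() for n in names if n.lower() != "localhost")
    return blocked


def is_blocked(host, blocked):
    """Hosts files match exact names only: a sub-domain of a listed name is NOT covered."""
    return host.lower() in blocked


def expand_unescape(js):
    """Replace unescape('%XX...') calls with the decoded literal (handles %XX only, not %uXXXX)."""
    return re.sub(r"unescape\(\s*(['\"])([^'\"]*)\1\s*\)",
                  lambda m: '"' + unquote(m.group(2)) + '"', js)


# Matches location = "...", location.href = "...", location.replace("...") and location.assign("...")
LOCATION_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*"
    r"(?:=\s*|\.replace\(\s*|\.assign\(\s*)['\"]([^'\"]+)['\"]")


class RedirectExtractor(HTMLParser):
    """Collect (kind, target) pairs for every navigation the page would trigger on load."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.targets.append(("iframe", a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content") or "", re.I)
            if m:
                self.targets.append(("meta-refresh", m.group(1).strip()))
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            js = expand_unescape("".join(self._script))
            self._script = []
            for m in LOCATION_RE.finditer(js):
                self.targets.append(("js-location", m.group(1)))


def triage_page(page_url, html, blocked):
    """Resolve every extracted hop to an absolute URL and say whether the hosts file blocks it."""
    p = RedirectExtractor()
    p.feed(html)
    p.close()
    results = []
    for kind, target in p.targets:
        absolute = urljoin(page_url, target)
        host = urlparse(absolute).hostname or ""
        results.append({"kind": kind, "url": absolute, "host": host,
                        "blocked": is_blocked(host, blocked)})
    return results


if __name__ == "__main__":
    blocklist = parse_hosts_blocklist(HOSTS_BLOCKLIST)
    for hop in triage_page("http://news.example.test/story", SAMPLE_AD_HTML, blocklist):
        print(f"{hop['kind']:<13} {hop['url']:<45} blocked={hop['blocked']}")
```

Run against a page saved from the browser cache, the output is the hop list a responder wants: which hop was the ad network, which was the redirect to the fake scanner, and which hops a hosts-file block would have cut. The third hop in the sample is deliberately not on the list, which is the limitation of the hosts-file approach the thread touches on: it only stops exact names you already know.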
Re:I expected better. (Score:5, Interesting)
Re: (Score:3, Interesting)
Re: (Score:2)
I would have thought the NY Times would have had better security.
As my sibling points out, this is what happens when you allow an unknown entity to inject arbitrary content into your page.
It actually makes me wonder what the contract for these ad agencies (DoubleClick, etc) looks like. When somebody like the New York Times signs up with them, does the ad company waive all potential liability? For example, if the NYT was sued for distributing malware by somebody whose computer was infected, would the NYT be
Re: (Score:2)
I always find it interesting how it can scan the "C" drive on my Linux box.
Re:I have seen these before, (Score:5, Interesting)
I've seen this pop up before... On my roommate's computer. It appears a lot like a Windows Vista secure desktop warning by taking up the whole screen with a darkened border. The message follows a format that looks a lot like other Vista menus and messages. To the user, it doesn't look like it's a message from the website... But rather from Windows.
I could easily see how most people could click the screen (literally anywhere) where it asks to download a fix called "install.exe." Plus, if you are one of the poor users who uses the terrible AV solution [mcafee.com], that seems to have an agreement with anyone with a large user base, you're totally screwed because this virus seems quite effective at knocking it dead out.
I'm more concerned with the fact that this is popping up in what are normally quite trustworthy sources. I was initially afraid that Yahoo had sold out, it just seems like they got the same treatment as the NYTimes. This speaks more to the vulnerabilities of the webservers that are hosting these sites to me. Does anyone know what platform they're sitting on? I'd like to know if there's a hole out there that I should concern my company with... I'm totally serious.
Re: (Score:3, Interesting)
An interesting note: you can configure UAC to require a Ctrl-Alt-Del before it shows you the prompt. Obviously this is a level of paranoia that most users don't want to deal with (similar to the way that in XP they made it so home accounts don't need to press Ctrl-Alt-Del to reach the login screen anymore) which is why it's not the default, but it's intended to protect against exactly this situation. Ctrl-Alt-Del triggers a software interrupt, so unless your kernel has been tampered with (by which time y
Re: (Score:3, Interesting)
I installed a Linux distribution on a friend's laptop a few years ago, and have heard *nothing* from her, other than occasionally that it's working just fine. She uses my wife's office several times a week, which means that she has lots of opportunities to ask for help, or to complain if she sees something not working to her satisfaction.
Re: (Score:3, Funny)