New York Times Site Pop-Up Says Your Computer Is Infected 403

Zott writes "Apparently, 'some readers' of the New York Times site are getting a bit more with their news: an apparently syndicated adware popup with a faux virus scan of the user's computer indicating they are infected, and a link to go download a fix now. It's entertaining when a Mac user gets it, but clearly downloading an .exe file isn't a good way to keep your computer clean ..." Update: 09/14 03:20 GMT by T : Troy encountered this malware, "and did basic forensics. Summary: iframe ad then series of HTML/JS redirects, ending at a fake virus scanner page with a "Scan" link (made to look like a dialog box button) that downloaded malware." Nice explanation!
This discussion has been archived. No new comments can be posted.
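Troy's summary above (iframe ad, then a series of HTML/JS redirects, then a fake scanner page with an executable behind its "Scan" button) can be checked offline against captured pages. The following is an added example, not Troy's forensics script and not anything from the Times' site or the ad network: it walks constructed sample captures (placeholder hostnames, embedded in the block) hop by hop, records the redirect mechanism at each step, and lists any executable the landing page offers.

```python
# Added example: trace an ad redirect chain through captured HTML pages.
# Pages below are constructed samples with placeholder hostnames, not
# captures from nytimes.com or the ad network involved.
import re
from urllib.parse import urljoin

# Constructed captures (URL -> HTML body), standing in for what a proxy log
# or browser cache holds after the pop-up fired.
CAPTURED_PAGES = {
    "https://news.example/story.html":
        '<html><body><p>Story text</p>'
        '<iframe src="https://ads.example/serve?slot=top"></iframe></body></html>',
    "https://ads.example/serve?slot=top":
        '<html><head><meta http-equiv="refresh" content="0; url=//relay.example/go">'
        '</head></html>',
    "https://relay.example/go":
        '<script>window.location.href="https://landing.example/scan.html";</script>',
    "https://landing.example/scan.html":
        '<html><body><div class="dialog">Warning! 23 threats found.'
        '<a href="/download/setup.exe">Scan</a></div></body></html>',
}

# Redirect mechanisms to recognise, tried in this order on each page.
HOP_PATTERNS = [
    ("iframe", re.compile(r'<iframe[^>]*\ssrc=["\']([^"\']+)["\']', re.I)),
    ("meta-refresh", re.compile(
        r'<meta[^>]*http-equiv=["\']refresh["\'][^>]*'
        r'content=["\']\s*\d+\s*;\s*url=([^"\']+)["\']', re.I)),
    ("js-location", re.compile(
        r'(?:window|top|self|document)\.location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)),
    ("js-replace", re.compile(r'location\.replace\(\s*["\']([^"\']+)["\']\s*\)', re.I)),
]
# Executable downloads offered by a page (what the fake "Scan" button did).
DOWNLOAD_RE = re.compile(r'href=["\']([^"\']+\.(?:exe|scr|msi))["\']', re.I)


def next_hops(base_url, html):
    """All (mechanism, absolute URL) pairs this page would move the browser to."""
    hops = []
    for kind, pattern in HOP_PATTERNS:
        for match in pattern.finditer(html):
            hops.append((kind, urljoin(base_url, match.group(1))))
    return hops


def trace_chain(start_url, pages, max_hops=10):
    """Follow the first redirect on each page until a page stops redirecting,
    is missing from the capture set, loops back, or max_hops is reached."""
    chain, mechanisms, seen = [start_url], [], {start_url}
    url = start_url
    while len(chain) <= max_hops:
        html = pages.get(url)
        if html is None:
            mechanisms.append("not-captured")
            break
        hops = next_hops(url, html)
        if not hops:
            break
        kind, nxt = hops[0]
        mechanisms.append(kind)
        if nxt in seen:
            mechanisms.append("loop")
            break
        seen.add(nxt)
        chain.append(nxt)
        url = nxt
    landing = chain[-1]
    downloads = [urljoin(landing, d) for d in DOWNLOAD_RE.findall(pages.get(landing, ""))]
    return {"chain": chain, "mechanisms": mechanisms, "downloads": downloads}


if __name__ == "__main__":
    result = trace_chain("https://news.example/story.html", CAPTURED_PAGES)
    for step, url in enumerate(result["chain"]):
        print(f"{step}: {url}")
    print("mechanisms:", " -> ".join(result["mechanisms"]))
    print("executable downloads on landing page:", result["downloads"])
```

On a real incident the dictionary would be filled from a proxy log or browser cache; the chain of mechanisms is what tells you which hop to block or report to the ad network.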

  • by Anonymous Coward on Sunday September 13, 2009 @08:20PM (#29408905)

    The newest version of the "Antivirus 2010" software is a pain in the ass to get rid of. It rootkits the system and makes manual removal pretty much impossible without a WinPE boot disk of some kind, and even then it's difficult to find all the instances. There's one tool I found to remove it and most of its kin, and that is combofix [bleepingcomputer.com]. It successfully cleans Antivirus 2010 and a host of other rootkit-based malware in a process I can only describe as "magic". I'm just posting this to help out others that have spent way too much time trying to get rid of this crap off of friend/family computers.

  • by fermion ( 181285 ) on Sunday September 13, 2009 @08:29PM (#29408983) Homepage Journal
    It really is a good social attack, reminiscent of the days when advertisers put 'click ok to continue' buttons to trick users to a promotional web site.

    In this case, it runs a mock scan, states the computer is infected, and then pretends to offer help. The exe file sometimes gets downloaded. From the way I have seen IE work lately, I would not think the file would download without user intervention, but, the page does a good job of scaring users, so I suspect some might download the files.

    The malware site is protection-check07com

    malwareurl.com [malwareurl.com] has the owner listed as Elton John, perhaps one can think that this is a pseudonym. Kind of lends credence to rules that require valid information on domain name registrations.

    In any case, this is where the address is listed [google.com]. Looks residential, so maybe that is fake as well. I hope the protection-check people are not setting up some poor sod. Ha, protection check.

    Of course this does bring up two issues. Everyone is afraid of viruses, so it is easy to translate that fear into irrational action. It might make us think about some activities that went on this past weekend. Second, such attacks work on mimicking the theme of certain systems, so perhaps one countermeasure is to allow users to vary their theme. This might be very good for corporate machines, as firms might like custom themes. On Macs and *nix, of course, the attack did not work because the web page did not integrate into the background; an elephant is going to look quite conspicuous in a field of leopards.

  • by Ron_Fitzgerald ( 1101005 ) on Sunday September 13, 2009 @08:32PM (#29409003)
    Unfortunately this has nothing to do with New York Times' security and that is the whole problem. New York Times hires an 'ad agency' which is quite a bullshit term in this case if you ask me. They embed some open ended script from said firm and then at that point have no idea what is being displayed. This 'firm' may even rent or sell the embedded space to yet another company so then even the firm has no idea what ad is being displayed. All these automated, unmonitored and unregulated ads on pages are a huge security hole but in the name of profit, who really cares?
  • by Anonymous Coward on Sunday September 13, 2009 @08:42PM (#29409065)

    Would that be this one [mozilla.org]? That's pretty darned old. Reminds me a bit of the title text display bug that used to hit XKCD et al.

  • by Z34107 ( 925136 ) on Sunday September 13, 2009 @08:43PM (#29409081)

    I completely agree with "combofix rocks." My job at the college I attend is pretty much removing that virus 24/7 from student laptops, and I've learned a few things:

    1) McAfee sucks. We supply a copy of the Enterprise version to students, and a patched installation is required for internet access. Somehow, we're still inundated every semester with the latest flavor of AntiVirus ModelYear.

    2) ComboFix is amazing. It's simple, but it automates a lot of tools that are a bit of a pain to use on their own. Ten minutes, and most malware is somewhat neutered.

    3) MalwareBytes is amazing. ComboFix always misses stuff, but it lets us install MalwareBytes (also free) which finishes the job. I haven't seen any virus MB couldn't remove.

    It's usually faster to run ComboFix + MalwareBytes (half hour between the tools in most cases) than it is to nuke it from orbit and reinstall Windows. Unless you're paranoid, two programs will take care of your end of your extended family's implied social support contract.

  • Re:News? Where? (Score:5, Informative)

    by Jahava ( 946858 ) on Sunday September 13, 2009 @08:43PM (#29409083)

    What exactly makes this different from any of the other hundreds of sites with the same popup? Is it just because this is a large, well-known website like the New York Times?

    That's my impression. I think the interesting thing here is that the presumption that reputable websites have reputable advertisements has been violated. NYT's advertising policies [whsites.net] include the following paragraph [whsites.net]:

    The Times may decline to accept advertising that is misleading, inaccurate or fraudulent; that makes unfair competitive claims; or that fails to comply with its standards of decency and dignity.

    Granted, they don't outright state that the content is prohibited, but they do imply a stance against this type of advertising. This is a clear violation of that intention, and they took the appropriate response. I'd be most interested in knowing if this particular advertisement was intentionally approved, "slipped through" accidentally, or was injected illicitly (e.g., their advertising server was hacked, etc.).

  • by Hojima ( 1228978 ) on Sunday September 13, 2009 @09:11PM (#29409237)

    I personally use Comodo firewall, and it's one hell of a delicate security guard. I have to turn it off when I install anything because I will be there all day clicking approve. It's not annoying when you know how to use it and change its settings (takes a nominal amount of time). I've had a lot of instances now when I even purposely download sketchy .exe files, and it alerts me right away about suspicious activity in the computer. Best of all it's free.

  • by Z34107 ( 925136 ) on Sunday September 13, 2009 @09:13PM (#29409251)

    In a perfect world, we would do that, but we get too many machines in and out to make that feasible. Then, there's all the normal luser problems: I don't know where my files are, I have no install media, I have no keys, I deleted my recovery partition to save space, etc.

    The foolproof way to remove the AntiVirus ModelYear rootkit is: Make a file-based image of the hard disk. By design, it hides from the file system, meaning it will not be included in an image made by a tool like ImageX from Microsoft's free WAIK. Gather an image and apply it to the same hard disk, and the rootkit's gone.

    If you're adventurous, ImageX lets you mount the image file on a clean PC to do offline scans of its files and registry hives. You can clean a computer without ever booting it.

    But, that's generally overkill. AntiVirus ModelYear rootkit isn't the nasty kind of hardware-hypervisor rootkit - it runs at kernel privileges. So does MalwareBytes. To be dangerous, it has to run at a higher privilege level than the removal tools.

    For family members that promise me food, I go the extra mile and do the clean install for them. Staff machines we just re-image.

  • Comment removed (Score:4, Informative)

    by account_deleted ( 4530225 ) on Sunday September 13, 2009 @09:14PM (#29409259)
    Comment removed based on user account deletion
  • by Z34107 ( 925136 ) on Sunday September 13, 2009 @09:16PM (#29409261)

    I personally loathe McAfee - it interferes with ComboFix. But, I'm not IT, and you can technically remove it after your machine passes registration.

  • by Myen ( 734499 ) on Sunday September 13, 2009 @09:22PM (#29409293)

    They actually appear to embed the ad code directly into the page (you can see which campaigns the ads are for; the one that hit me was for Vonyage, near the bottom of the page). In my case, it wrote a weakly obfuscated script that redirected the whole page to sex-and-the-city.cn (... err, yeah) which redirected to protection-check07.

    Poor NYT, they now have a special rule in my ad filters.

  • by Ilgaz ( 86384 ) on Sunday September 13, 2009 @09:22PM (#29409297) Homepage

    If you used the evil closed source Opera browser, you would have "stop executing scripts from this page" option right below that javascript popup.

    It is interesting since nobody really cares who takes what from other browsers, no "patent" or anything, especially from Opera side. It must be very easy to implement, why don't they do it? It is not some high tech JIT compiler either, a basic checkbox.

  • by Ilgaz ( 86384 ) on Sunday September 13, 2009 @09:30PM (#29409339) Homepage

    Believe it or not, some high end virtual machines, even including MS unmaintained Virtual PC, do assign themselves to .exe files and conveniently run them!

    Apple knows this possibility and that is why your Safari alerts you when you download an .exe file, not like they don't know their own OS. :)

    BTW, if the virus mentioned is the one I saw, don't play around with these guys since it was one of the rare times Kaspersky online scanner missed the virus (trojan) offered, I submitted it to them and they included it hours later as some variant. That means we aren't dealing with some complete idiots here, they know how to morph their code so a high end AV like Kaspersky can miss it. (Mine was from Haaretz, IL English newspaper)

  • CNN... (Score:5, Informative)

    by CryptoJones ( 565561 ) <akclark@cryptosp ... m minus caffeine> on Sunday September 13, 2009 @09:52PM (#29409453) Homepage
    has also been doing this for the past two days.
  • by Attila Dimedici ( 1036002 ) on Sunday September 13, 2009 @10:00PM (#29409507)

    The New York Times is one of the most respected publications in the world. It's not going anywhere.

    You do know that the New York Times is bleeding red ink on a scale similar to GM and Chrysler, right? Do you expect the government to bail the NYT out as well?
    I've never understood how the NYT is a "respected" publication. They have had a reputation for "reporting" stories of the way they would like things to be rather than how they actually are since the 1930's (Pulitzer prize for reporting that the Ukrainian famine wasn't happening, when in fact it was, more recently a star reporter reporting from West Virginia without ever leaving New York City).

  • by Z34107 ( 925136 ) on Sunday September 13, 2009 @10:23PM (#29409633)

    Sorry after installing Combofix, my AV program Spysweeper reported three viruses just got installed

    Combofix is pretty much a glorified batch file that automates the operation of programs like GMER. Some of these programs are considered "hacking tools" by AV vendors. Another reason I hate McAfee: it will automagically "clean" my flash drive of most of my antivirus tools.

    If you downloaded ComboFix from bleepingcomputer.com, it's a false positive.

  • by Anonymous Coward on Sunday September 13, 2009 @10:59PM (#29409817)

    You do know that the New York Times is bleeding red ink on a scale similar to GM and Chrysler, right?

    Well, they can just print in black ink!

    Seriously, how is New York Times bleeding red ink like GM and Chrysler? I'm looking at their 2008 financial statements [nytco.com]. The only reason it's showing net loss is because of impairment charges of goodwill. [bizjournals.com]

    Here's their 2009 2nd quarter result [huffingtonpost.com].

  • Re:I saw it (Score:2, Informative)

    by Bigjeff5 ( 1143585 ) on Sunday September 13, 2009 @11:06PM (#29409857)

    Yah, the "C" drive on a Linux box is \.

    Boot partition is mounted to \boot, though you could change that if you wanted.

    Linux maps to folders - actually Windows does too, they just came up with the special folder names of A-Z, which they called "drive letters", back in the DOS days, with the prompt being whatever you wanted, but the default was C:\>. C: designated the drive letter the media was mounted to, and \ designating the root of the drive. Linux just does \ and calls it good.

    You can mount a drive to a folder in Windows too if you want, it's just not the default way of doing it (for Windows), and I don't think you'll get it to work for the boot partition. Drive letters are ingrained into Windows.

  • by Z34107 ( 925136 ) on Sunday September 13, 2009 @11:35PM (#29410035)

    No, we have no central management of the enterprise AV. Yes, it is painful. But, IT is a separate department - they make policy, we live with it, though they're all nice, smart people who are just hung up on McAfee for some reason.

    Our DHCP server compares your MAC address against a list of "registered" machines. If there's no match, meaning your machine is unregistered, you get an IP address within a special "unregistered" subnet. The subnet is denied internet access, and any HTTP requests are redirected to the local registration website.

    The registration website gives you a link to the McAfee installer. You then have to download and run a custom "validator" program that checks for the presence of McAfee, and then adds your MAC address to the approved list.

    Yes, this can easily be circumvented, but how many people know how to do MAC sniffing/spoofing? Those that can probably aren't going to get viruses on their Winboxen.

  • by Z34107 ( 925136 ) on Sunday September 13, 2009 @11:43PM (#29410081)

    This.

    The discovery that it removed the rootkit was a happy accident. After a few unhappy incidents related to the aforementioned "luser problems," we've taken to making such a CYA image of every laptop that passes through our fingers, just in case.

    After a scan found the TDSS rootkit on a laptop, I decided it would be easier to disinfect the backup image. I discovered none of the hidden TDSS* were even in the image, and concluded that the obfuscation techniques worked all too well.

    Although the infected system files were indeed still in the image, the bulk of the rootkit hides in these hidden TDSS(garbage characters) files, which were not gathered, leaving the rootkit neutered.

  • by Anonymous Coward on Sunday September 13, 2009 @11:53PM (#29410127)

    As someone who used to review ads, this isn't as easy as it sounds. When you review the ad it points to one place, then once it goes live, they just redirect it to what they actually want to show.

  • by Bigjeff5 ( 1143585 ) on Sunday September 13, 2009 @11:58PM (#29410147)

    Did you read those financial statements? The stockholder's equity is down almost $1 billion, or 60%, since 2005. They have more debt than their balance now (which was not so just a few years ago), they lost their ass in 2006 (net loss of $500+ million), gained a little in 2007, and lost most of what they gained in 2008. They had a net loss of $57 million in 2008. Contrast that with 2007 where they had a net profit of $200 million. That's pretty tight with revenues of over $3 billion.

    Did you read that financial statement at all? It's downright depressing. Did you read where the $40 million 2Q profit came from? They are cutting nearly $500 million out of their budget this year, and yet that has produced only $40 million in profit. Analysts aren't impressed, because revenues are down by 20% of the already low number they were anticipating.

    What happens when they run out of things to cut? They've got $1 billion in debt and are only making $20-40 million a quarter. The belt is tight and getting tighter, things are not exactly going well at NYT.

    Bleeding is the right word, they only look ok right now because they were hemorrhaging a few years ago.

  • by Anonymous Coward on Monday September 14, 2009 @12:42AM (#29410357)

    A computer compromised can be a lot of cash for a botnet organization. They buy and sell clients by the thousands, and there are a lot of things a botnet computer can do for revenue for a bot-herder. A couple:

    ID theft, scan victim's machine, grab saved passwords.

    Blackmail, especially if a machine is on a business network and there are business assets available via shares that a blackhat can manually get into.

    Keyloggers and screenshot takers can mean good cash in compromised MMO accounts. WoW account theft is an economy in itself.

    DDoS attacks and protection rackets are lucrative, and the only person that gets punished is the computer's owner.

    Distributed use for cracking keys. There are still a lot of RSA keys out that are 512-768 bits that would prove to be highly sought after by black hats. Even if they don't crack the key, the keyspace exhausted allows a bigger botnet a larger chance.

    A compromised machine means big cash for the person who does it, and major pain for the victim. To boot, usually the people doing it are in countries with governments indifferent or hostile to the US, so there is no way they will get anything other than a high five from their local government.

    Of course, the cash from these things above is easily laundered, then used to make ads. I've seen a lot of top named sites get stung by a malware ad on a third party rotator. Perhaps it's time for people to reconsider letting a third party put what it wants on their site without prior approval?

  • Re:News? Where? (Score:1, Informative)

    by Anonymous Coward on Monday September 14, 2009 @01:02AM (#29410435)
    I presume what was meant is that someone got their arse whipped.
  • by Cheesetrap ( 1597399 ) on Monday September 14, 2009 @01:04AM (#29410447)

    I have often wondered why they haven't followed the money trail to find the people behind the "Antivirus 20xx" nonsense. I know I would certainly like to read a news story about the untimely death of the people involved.

    They (FBI, and their equivalents in the dozen other countries widely affected) know exactly where it's coming from, it's just not in their jurisdiction.

    Code from within the 2009 version:
    "00420214 - Don`t install on Rus:; 00420234 - Russian or Ukrainian Windows detected. Exiting ..." - http://sunbeltblog.blogspot.com/2009/01/russian-don-infect-themselves.html [blogspot.com]

    "In the early and mid-1990s, criminal groups provided protection to businesses and enforced contracts when the state was too weak and corrupt to do so. In the process, they actually helped sustain private enterprise, albeit at a high cost to business. The emergence of an economic market for private protection - in which criminal groups compete among themselves as well as with other newly formed private security agents - has stabilized the business-criminal relationship. Recently, criminal networks have taken a more businesslike approach to maximizing profit" - http://www.worldpolicy.org/journal/articles/wpj04-1/sokolov.htm [worldpolicy.org]

    The following article is the best writeup I've seen thus far on this threat, and provides some insight on the financials:

    "If these stats are to be believed, one affiliate was able to install 154,825 copies of AV XP 08 in ten days' time, and 2,772 of those copies were actually purchased by the victims. This only represents a one to two percent conversion rate, but with the generous commission structure, was enough to earn the affiliate $146,525.25 for that time period. At that rate, the affiliate could be expected to earn over 5 million U.S. dollars a year, simply by maintaining a large botnet and forcing AV XP 08 installs on 10,000 to 20,000 computers a day." - http://www.secureworks.com/research/threats/rogue-antivirus-part-2/ [secureworks.com]

    Kinda makes a guy reconsider his chosen career... Until you consider the mortality rate of Mafiya members, and the hordes of angry noobs wherever you go ;)

  • by networkzombie ( 921324 ) on Monday September 14, 2009 @01:16AM (#29410501)
    You linked to Steve Gibson's site instead of the MVPs site! Why would you do that? His revision is from 6/14/2006.
    http://www.mvps.org/winhelp2002/hosts.txt [mvps.org]
  • by Rick17JJ ( 744063 ) on Monday September 14, 2009 @02:25AM (#29410743)
    I have been using the latest version of the MVPS modified hosts file on both my Linux computer and on my Windows XP computer. However, instead of using the 06-14-06 version which davidshewitt linked to, I have been using the much newer Sept-02-2009 version instead. One link is for, what at the moment, is the latest version of the modified hosts file and the other link is to the installation instructions and general information.

    http://www.mvps.org/winhelp2002/hosts.htm
    http://www.mvps.org/winhelp2002/hosts.txt

    I recently also started using the NoScript add-on and also the Adblock Plus add-on for Firefox on both my Linux computer and on my Windows XP computer. But, perhaps using both the ad blocking hosts file, plus Adblock Plus, is redundant and unnecessary. With the NoScript add-on, I occasionally click on the icon, which has now been added to the lower right corner of Firefox. After clicking on that, I can choose whether to temporarily or permanently allow a particular web site's scripts.

    I do nearly all of my Internet browsing from my Linux box. But, when I occasionally actually dare to use my Windows XP computer to browse the Internet, I use Sandboxie to sandbox my default browser, which in my case happens to be Firefox. I am not an expert on any of this, and am not a regular Security Now listener, but here are a couple of episodes that are about Sandboxie.

    http://www.grc.com/sn/sn-172.htm
    http://www.grc.com/sn/sn-174.htm
  • by uglyduckling ( 103926 ) on Monday September 14, 2009 @04:16AM (#29411157) Homepage
    Any antivirus software will tell you that you need to disable other antivirus software in order for it to run.
  • by cbhacking ( 979169 ) <been_out_cruisin ... m ['hoo' in gap]> on Monday September 14, 2009 @06:35AM (#29411601) Homepage Journal

    Ironically enough, IE has support for a form of whitelist-by-site. Basically, use the "Security Zones" feature (Security tab of Internet Options, or just double-click where it says "Internet | Protected Mode" in the status bar) and turn the permissions on the Internet zone way down. Like, no scripting, no plugins, no redirects, no downloads, etc. Disable unencrypted form submissions and turn on every signature check, or however you want to do it - just lock it down. No Flash or any other ActiveX (they're plugins), no .NET or Java (there might be a vulnerability), no JavaScript or VBScript, etc. In essence, make the Internet Zone act like the Restricted Sites Zone.

    Then, go to the Trusted Sites Zone and put the settings where you want them to be (probably a little more secure than the default, depending on how paranoid you are about sites that you know) and put sites that you trust in that Zone. It's a bit more work, sure, but maintaining a whitelist always is. Besides, of the sites that you actually want to execute scripts and plugins, you probably have a handful that you visit regularly, and the rest can default to lock-down mode until you check them out. It might even be possible to use the Restricted Sites Zone as a "greylist" of sorts, if you set its security options similar to the default for Internet Zone. This would give you three tiers of trust, with the important point being that the default security Zone is the most-locked one.

    As an extra benefit, this will function as a form of phishing protection - a URL that looks like it's legit (due to Unicode characters above 0x007F that have the same appearance as ASCII characters) will get thrown into the locked-down zone.
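cbhacking's last point, that a lookalike hostname never string-matches a whitelisted site and so falls into the locked-down zone, can be shown directly. The block below is an added example, not Internet Explorer code and not the commenter's: it reports the Unicode scripts a hostname uses, its punycode (IDNA) form, and which tier an exact-match whitelist would assign; the trusted-site list and hostnames are constructed.

```python
# Added example: inspect a hostname for lookalike (homoglyph) characters and
# decide which trust tier an exact-match whitelist would give it. Not IE code;
# the trusted-site list and hostnames used below are constructed.
import unicodedata


def char_script(ch):
    """Rough script of a letter: 'LATIN' for ASCII letters, otherwise the first
    word of the Unicode name (e.g. 'CYRILLIC' for U+0435). Non-letters -> None."""
    if not ch.isalpha():
        return None
    if ch.isascii():
        return "LATIN"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def inspect_hostname(hostname):
    """Report the scripts used, the IDNA (punycode) form and whether scripts are mixed."""
    host = hostname.rstrip(".").lower()
    scripts = {s for s in map(char_script, host) if s}
    try:
        ascii_form = host.encode("idna").decode("ascii")
    except UnicodeError:            # e.g. an empty or over-long label
        ascii_form = None
    return {
        "input": host,
        "ascii_form": ascii_form,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,   # Latin mixed with Cyrillic etc.
        "non_ascii": not host.isascii(),    # accented Latin alone is not mixed
    }


def assign_zone(hostname, trusted_sites):
    """Whitelist semantics: only an exact match on the IDNA-normalised name
    reaches the trusted tier; everything else stays in the locked-down tier."""
    info = inspect_hostname(hostname)
    trusted = {t.rstrip(".").lower() for t in trusted_sites}
    zone = "Trusted Sites" if info["ascii_form"] in trusted else "Internet (locked down)"
    return zone, info


if __name__ == "__main__":
    TRUSTED = {"nytimes.com"}                       # constructed whitelist
    for name in ("nytimes.com", "nytim\u0435s.com", "b\u00fccher.example"):
        zone, info = assign_zone(name, TRUSTED)
        print(f"{name!r:24} -> {zone:24} {info['ascii_form']} "
              f"scripts={info['scripts']} mixed={info['mixed_script']}")
```

The second hostname differs from the first only in a Cyrillic "е", which the report exposes through both the mixed-script flag and the xn-- form, while the whitelist simply fails to match it.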

  • by Z34107 ( 925136 ) on Monday September 14, 2009 @08:09AM (#29411991)

    Download the Microsoft WAIK and install it. Use ImageX to create a file-based .WIM image of your system and files.

    Then, download dd for Windows. Use it to copy the first 512 bytes or the first cluster of Partition0 on the hard disk Windows is installed on. This will capture your boot sector.

    If you're trying to use this for daily backups, ImageX won't work... You could always schedule robocopy to run daily/weekly instead. (It's included with Vista and up, but you can download it for XP.)

    If you're not using it for daily backups, ImageX still requires "mucking about with special image files," but you can use ImageX to mount .WIM files into a directory, meaning you can use Windows Explorer or whatever tool browse and modify the file system.

    Instead of DD, you could always use a Vista and above install disc or make a Windows PE disc with the WAIK and run bootsect. "Bootsect /nt52 all mbr" will get you a clean NTLDR boot sector, and "bootsect /nt60 all mbr" will get you a Vista BCD-based bootsector. Of course, that only works if you're using either of those as your bootloader, but if you are, you don't even need DD.
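The 512 bytes that dd captures are a baseline you can later read again and compare. The block below is an added example, not the commenter's procedure and not any Microsoft tool: it builds a constructed 512-byte MBR, parses the partition table and boot signature, and reports what differs between the saved copy and a later read; load_sector assumes a raw 512-byte file such as dd's output.

```python
# Added example: parse a captured 512-byte MBR and compare it to a baseline.
# The sample sector is constructed; load_sector() assumes a raw file such as
# the one dd writes. Not the commenter's procedure or a Microsoft tool.
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446
# status, CHS start, type, CHS end, LBA start, sector count (all little-endian)
PART_ENTRY = struct.Struct("<B3sB3sII")
BOOT_SIGNATURE = b"\x55\xaa"


def build_sample_mbr():
    """Constructed MBR: NOP-filled boot code and one active NTFS (0x07) partition."""
    bootcode = bytes([0x90]) * PART_TABLE_OFFSET
    entry = PART_ENTRY.pack(0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    empty = bytes(PART_ENTRY.size * 3)
    return bootcode + entry + empty + BOOT_SIGNATURE


def load_sector(path):
    """Read the first 512 bytes of a raw capture (e.g. dd output)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def parse_mbr(sector):
    """Return the boot-code hash, the used partition entries and any structural problems."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    info = {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootcode_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": [],
        "problems": [],
    }
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY.size
        status, _, ptype, _, lba, count = PART_ENTRY.unpack(sector[off:off + PART_ENTRY.size])
        if ptype == 0:
            continue                                   # unused slot
        if status not in (0x00, 0x80):
            info["problems"].append(f"entry {i}: invalid status 0x{status:02x}")
        info["partitions"].append({"index": i, "active": status == 0x80,
                                   "type": ptype, "lba_start": lba, "sectors": count})
    if not info["signature_ok"]:
        info["problems"].append("missing 0x55AA boot signature")
    if sum(p["active"] for p in info["partitions"]) > 1:
        info["problems"].append("more than one active partition")
    return info


def diff_boot_sectors(baseline, current):
    """Findings explaining why a fresh read differs from the saved baseline."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if before["bootcode_sha256"] != after["bootcode_sha256"]:
        findings.append("boot code differs from baseline")
    if before["partitions"] != after["partitions"]:
        findings.append("partition table differs from baseline")
    findings.extend(p for p in after["problems"] if p not in before["problems"])
    return findings


if __name__ == "__main__":
    baseline = build_sample_mbr()
    print(parse_mbr(baseline))
    tampered = bytearray(baseline)
    tampered[0x10] ^= 0xFF                  # simulate one modified boot-code byte
    print(diff_boot_sectors(baseline, bytes(tampered)))
```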
