Security The Media News

New York Times Site Pop-Up Says Your Computer Is Infected

Zott writes "Apparently, 'some readers' of the New York Times site are getting a bit more with their news: an apparently syndicated adware popup with a faux virus scan of the user's computer indicating they are infected, and a link to go download a fix now. It's entertaining when a Mac user gets it, but clearly downloading an .exe file isn't a good way to keep your computer clean ..." Update: 09/14 03:20 GMT by T : Troy encountered this malware, "and did basic forensics. Summary: iframe ad then series of HTML/JS redirects, ending at a fake virus scanner page with a "Scan" link (made to look like a dialog box button) that downloaded malware." Nice explanation!
  • News? Where? (Score:5, Interesting)

    by SilverHatHacker ( 1381259 ) on Sunday September 13, 2009 @08:09PM (#29408837)
    What exactly makes this different from any of the other hundreds of sites with the same popup? Is it just because this is a large, well-known website like the New York Times?
  • by PlusFiveTroll ( 754249 ) on Sunday September 13, 2009 @08:14PM (#29408867) Homepage

    FF + Adblock is my way to avoid it (and still get the sites I need .js to run on).

    This crap has been going on for a few years now with the 'AntiVirus XP' scam (http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/) that seems to strike major sites every few months. Just goes to show the ad distributors have no control (or don't want it) over what goes into their distribution network.

    Sad as this is, people fall for it all the time :(

  • So... (Score:1, Interesting)

    by Skizmo ( 957780 ) on Sunday September 13, 2009 @08:25PM (#29408943)
    So that's why my Ubuntu is acting weird lately.
  • by Darkness404 ( 1287218 ) on Sunday September 13, 2009 @08:35PM (#29409021)
    I wonder when they will start searching user agent strings and making it look native (Classic on pre-XP, Luna on XP and Aero on Vista/7, and Aqua on OS X). A dialogue that looks like the Ubuntu install software window could fool a lot of users....
  • by davidphogan74 ( 623610 ) on Sunday September 13, 2009 @09:28PM (#29409331) Homepage

    It seems you can never fully remove a McAfee program without formatting and restarting. I'd probably just get a new hard drive, install Windows XP and McAfee on it, pass the system through, then swap in my normal drive. But, I am an IT nerd.

  • by QuantumG ( 50515 ) * <qg@biodome.org> on Sunday September 13, 2009 @09:40PM (#29409397) Homepage Journal

    As I write this I'm trying to figure out how to do that in Firefox.. ya know, that whole "fix it yourself" open source thing. Nicest thing I can say about Firefox: at least the code is better than Open Office.

  • by PCM2 ( 4486 ) on Sunday September 13, 2009 @09:55PM (#29409477) Homepage

    They reviewed the advertisements with their clients directly. There were a few hundred per day and it was a manageable problem. Now, advertisements may be served by proxies and selected from among tens of thousands of potential ads, designed to be targeted to readers in specific geographic regions, income levels, purchasing habits, interests, age categories, gender, education level, or other factors.

    Surely a good ad proxy works something like an online dating service? If they're just throwing anything and everything at you, why use a middleman in the first place? So what criteria made them think these particular ads were acceptable for a major newspaper? Personally, I don't consider them acceptable for any site (and yes, I've seen the ads in question on the Times -- my reaction when I saw them was to immediately run a spyware scan, which turned up negative).

    And God help us if the New York Times is so desperate for cash that it can't rap its ad partners' knuckles when they screw up. How would you like to be the ad-serving agency that has to tell its clients, "We just lost the New York Times?" If you won't give a client of that stature the full red-carpet treatment, you deserve to go out of business. But by the same token, if the Times won't exercise its clout as a customer, then it deserves all the blame we can heap on it.

    Hopefully the paper will run a statement addressing this issue on Monday and it won't be an issue any longer.

  • by lorenlal ( 164133 ) on Sunday September 13, 2009 @10:06PM (#29409539)

    I've seen this pop up before... On my roommate's computer. It appears a lot like a Windows Vista secure desktop warning by taking up the whole screen with a darkened border. The message follows a format that looks a lot like other Vista menus and messages. To the user, it doesn't look like it's a message from the website... But rather from Windows.

    I could easily see how most people could click the screen (literally anywhere) where it asks to download a fix called "install.exe." Plus, if you are one of the poor users who uses the terrible AV solution [mcafee.com], that seems to have an agreement with anyone with a large user base, you're totally screwed because this virus seems quite effective at knocking it dead out.

    I'm more concerned with the fact that this is popping up in what are normally quite trustworthy sources. I was initially afraid that Yahoo had sold out, it just seems like they got the same treatment as the NYTimes. This speaks more to the vulnerabilities of the webservers that are hosting these sites to me. Does anyone know what platform they're sitting on? I'd like to know if there's a hole out there that I should concern my company with... I'm totally serious.

  • Re:Ouch (Score:3, Interesting)

    by lenski ( 96498 ) on Sunday September 13, 2009 @10:28PM (#29409653)

    I installed a Linux distribution on a friend's laptop a few years ago, and have heard *nothing* from her, other than occasionally that it's working just fine. She uses my wife's office several times a week, which means that she has lots of opportunities to ask for help, or to complain if she sees something not working to her satisfaction.

  • by Bigjeff5 ( 1143585 ) on Sunday September 13, 2009 @10:43PM (#29409711)

    Yes, Imagex supports XP SP3 just fine. It's the automated distribution tools that do not work, for XP to use an image with more than one PC you still need to use sysprep and a custom install setup. The automated tools work with Vista up.

    Imagex.exe will make an image of any hard drive or subset of any hard drive that windows can read.

    What the GP was talking about was building a WinPE disk (WAIK will help you do that much for XP, pretty easy too), booting into it, and using imagex to image the drive, then formatting the drive and applying the image you just made back to the drive. Depending on how big your hard drive is, the whole process should not take more than a half hour or less, imagex is surprisingly quick. Just be sure you don't try to store your image file on the same drive you format, or you will have erased your image in the process.

    I'm also not 100% convinced this process will remove a rootkit either, as a rootkit simply ties into a critical system file, which would be copied by imagex. He may be right though, and it wouldn't hurt anything as long as you don't make the mistake I just warned you about.

  • by yuna49 ( 905461 ) on Sunday September 13, 2009 @10:54PM (#29409779)

    I just installed NoScript after getting redirected to the phony page. I reviewed all my browsing this morning and didn't see any particularly "dangerous" sites. One of them was, of course, nytimes.com. Little did I know....

    As a user of Firefox on Linux, having my computer display a Windows-styled desktop folder and informing me that it was scanning my dll collection was both amusing and alarming.

    For the curious, the browser is hijacked with Javascript and redirected to the phony scanning page which suggests using "Personal Viruscan." A bit of research this morning suggested it has been making the circuit this year but not on mainstream sites like the Times. However, this site [411-spyware.com] reports encountering the malware on a NY Times page as early as September 7th. That person found it on a page about Jay-Z; I was reading the editorial columnists.

    I grepped my Firefox _CACHE_ files for "virus," found the Javascript code there, but couldn't seem to attach it to a URL using "about:cache". Any hints?

    Now I'm running noscript and pushing all requests through a Squid proxy on my firewall. At least I'll have a log to see what requests I've made. I'm guessing this came through the Times's ad syndication system, but I couldn't track down the source. I already run Adblock Plus and have a number of custom rules to block sites like brightcove.com and revsci.net.
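The post above mentions logging every request through a Squid proxy so there is a record of what the browser fetched; the summary describes the infection path as an iframe ad followed by a chain of HTML/JS redirects ending at an .exe download. The following is an added example (not code from the post or from any project named on the page) of the check a defender can run over such a log: it parses Squid's default native access.log format, finds successful executable downloads, and reconstructs the navigation chain (HTML pages and 3xx redirects from the same client in the preceding seconds) that led to each one. The log lines are constructed for the example and every host other than www.nytimes.com is a placeholder under the reserved .test TLD.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of Squid native access.log lines (not taken from the page).
# Field order is Squid's default native format:
#   timestamp elapsed client result/status bytes method url ident hierarchy/peer content-type
# Hosts other than www.nytimes.com are placeholders under the reserved .test TLD.
SAMPLE_LOG = """\
1252885200.123    245 192.168.1.10 TCP_MISS/200 18452 GET http://www.nytimes.com/2009/09/13/opinion/columns.html - DIRECT/199.239.136.200 text/html
1252885200.890     80 192.168.1.10 TCP_MISS/200 1024 GET http://ads.example-adnet.test/serve/iframe?id=123 - DIRECT/10.0.0.5 text/html
1252885201.100     40 192.168.1.10 TCP_HIT/200 2048 GET http://www.nytimes.com/images/logo.gif - NONE/- image/gif
1252885201.400     60 192.168.1.10 TCP_MISS/302 0 GET http://redir1.example.test/go?x=1 - DIRECT/10.0.0.6 -
1252885201.900     70 192.168.1.10 TCP_MISS/200 3000 GET http://scanner.example.test/scan.html - DIRECT/10.0.0.7 text/html
1252885202.000    120 192.168.1.22 TCP_MISS/200 5120 GET http://www.example.test/index.html - DIRECT/10.0.0.8 text/html
1252885203.000    900 192.168.1.10 TCP_MISS/200 458752 GET http://scanner.example.test/install.exe - DIRECT/10.0.0.7 application/x-msdownload
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Content types Squid commonly records for Windows executables.
EXE_CTYPES = {"application/x-msdownload", "application/x-dosexec"}
# How many seconds of prior browsing by the same client to attribute to the chain.
CHAIN_WINDOW = 30.0


def parse_log(text):
    """Parse native-format Squid lines into dicts; silently skip lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = float(rec["ts"])
        rec["status"] = int(rec["status"])
        rec["size"] = int(rec["size"])
        records.append(rec)
    return records


def is_exe_download(rec):
    """A completed (200) fetch whose path ends in .exe or whose content type is an executable."""
    path = rec["url"].split("?", 1)[0].lower()
    return rec["status"] == 200 and (path.endswith(".exe") or rec["ctype"] in EXE_CTYPES)


def is_navigation(rec):
    """HTML documents and 3xx hops are the steps of a redirect chain; images, scripts, etc. are not."""
    return rec["ctype"].startswith("text/html") or 300 <= rec["status"] < 400


def host_of(url):
    return urlsplit(url).hostname or ""


def find_drive_by_chains(records, window=CHAIN_WINDOW):
    """For every executable download, collect the same client's HTML/redirect requests
    in the preceding `window` seconds, in order, plus the distinct hosts involved."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec["client"]].append(rec)

    findings = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if not is_exe_download(rec):
                continue
            chain = [p["url"] for p in recs[:i]
                     if rec["ts"] - p["ts"] <= window and is_navigation(p)]
            hosts = []
            for url in chain + [rec["url"]]:
                h = host_of(url)
                if h and h not in hosts:
                    hosts.append(h)
            findings.append({"client": client, "exe_url": rec["url"], "size": rec["size"],
                             "chain": chain, "hosts": hosts})
    return findings


if __name__ == "__main__":
    for f in find_drive_by_chains(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} downloaded {f['exe_url']} ({f['size']} bytes) via "
              f"{len(f['chain'])} hops across {len(f['hosts'])} hosts:")
        for hop in f["chain"]:
            print("   ", hop)
```

Run over the sample, the one finding shows the client that read the Times page, fetched the ad iframe, was bounced through a redirector, landed on the fake scanner page and pulled the executable; the logo image is filtered out as a non-navigation fetch, and the other client's browsing is not attributed to the chain. A chain that starts on a reputable page and crosses several unrelated hosts before the .exe is exactly the shape of ad-syndication-borne malware, and the first hop after the publisher's page points at the ad slot to raise with the ad network.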

  • by Orion Blastar ( 457579 ) <`orionblastar' `at' `gmail.com'> on Sunday September 13, 2009 @11:02PM (#29409837) Homepage Journal

    Yes I downloaded Combofix from bleepingcomputer.

    I am not sure why it would be flagged as a false positive. I am suspicious of any program that says I have to shut down my AV software in order for it to run.

    Luckily both Unhackme and Spysweeper removed it, and I was able to restore my control panel as well. I noticed that ComboFix was not in the Add/Remove programs and I tried the "Combofix /u" to uninstall it only to be greeted with a file not found error.

    I looked in the program files directory and it was not there, but on the root directory of my system under c:\combofix\ hidden as a system file with copies of iexplore.exe and other files. Easy enough to delete, but the uninstall didn't seem to work. Maybe the combofix.exe file was deleted as a virus?

    Spysweeper reported it as Mal/Pack-A, Virus/Test, and one other I forgot, and Unhackme said it was the FU Rootkit. Kaspersky said it was Trojan.Win32.Inject.ph. I would think Combofix would have been whitelisted by now as a false positive and removed from the detections, but apparently it has not.

    Users need to be warned about false positives if that is indeed the case. I did a web search and it turned up web sites suggesting using Combofix, so I suspect it may be indeed a false positive. I can recall the BartPE and Retrago WinPE boot tools had some of their automated programs get detected as hack tools and removed via AV software as well. Maybe those Hack tools are effective at removing stuff the non-Hack tools don't?

  • by Bigjeff5 ( 1143585 ) on Sunday September 13, 2009 @11:26PM (#29409989)

    You've never heard of Mozilla or Netscape, have you?

    Netscape > Mozilla > Phoenix/Firebird > Firefox.

    Mozilla was an offshoot of Netscape, which eventually folded leaving the Mozilla Organization behind, and the Mozilla browser became Firebird and then Firefox. Development on the Mozilla browser itself began in 1998, which is when Netscape created the Mozilla Organization.

    History man, history.

    BTW, Netscape rocked until it sucked, Mozilla was the re-write (which was a stupid decision, if they had just fixed what was wrong with Netscape it would still be around, and probably be better and have a higher market share than FF), and it all went from there.

  • by vaporland ( 713337 ) on Sunday September 13, 2009 @11:33PM (#29410025) Homepage
    You are correct - and it is a shame that NoScript doesn't have a more friendly version for novices. What I do is install NoScript and Privoxy on Firefox and leave the default OS browser (IE, Safari) untouched.

    Then, if I see something that isn't "right" on Firefox I can paste the URL into the other browser and examine unscathed.

    This is less technical, and I do enjoy browsing much more without ads or other noise candy...
  • by symbolset ( 646467 ) on Sunday September 13, 2009 @11:36PM (#29410039) Journal

    If you can confirm that there was malware on the system there is no cure except to start with a clean image - preferably one you stored with an imaging tool like the free Clonezilla [clonezilla.org] prior to accessing any network at all or any untrusted media. Putting a clean image on can take 5-30 minutes, and is certain to remove all traces of infestation. It's actually quicker than scanning. Once you've got a confirmed hit your only business using a compromised machine is an inspection of the features that got the user into trouble so you can turn those off after you image, and capture for them a more suitable image.

    There's a tired old nag about no software being secure but really one thing is for certain: once an app has been running that's known to be infested it got there because the maker knew something the user didn't. Among the other things the user doesn't know are how many other applications the malware infested, how many running services were leveraged with local privilege escalation, how many rootkits of various sorts were installed. Most modern malware immediately upon installation scans the local system and sniffs the network. They look up components and download a cocktail of toxic code that's both tailored to the specific machine and randomly generated so as to be unique. There's a management system that auto-permutes millions of vile code variants every day, and uses a genetic algorithm to determine which of the little beasties is the most efficient. This is not your dad's malware ecosystem.

    Pretending to remove malware is nothing short of malpractice. All you're doing is helping the bad guys by pointing out which modules survive a cursory attempt at cleaning.

  • by LordLimecat ( 1103839 ) on Monday September 14, 2009 @01:19AM (#29410519)
    This is a NYTimes issue just as rotten meat is the supermarket's problem--whether or not it's because of a rotten vendor. If you go with your attitude, we can never blame anyone-- Honda may get some parts manufactured at a 3rd party foundry, so they're not to blame for defects! Dell uses Foxconn for their power supplies, so you can't blame Dell for computers that crap out in 2 years! Sony outsources its battery manufacturing to Taiwan, it's not THEIR fault the batteries can catch fire, honest!
  • by glitch23 ( 557124 ) on Monday September 14, 2009 @01:24AM (#29410537)
    Many media websites do this including MSNBC.com. Ironically, they just had a story posted a few days ago about the recent rise in prevalence of the teeth whitening and weight loss ads and on the page the article was posted they had a teeth whitening ad. Supposedly the rise in prevalence of those ads is due to the economy (cheaper ads). The web of companies running those ads, buying the ads and then using the ads on their sites is pretty complex.
  • by ohsmeguk ( 1048214 ) on Monday September 14, 2009 @03:23AM (#29410981)
    At my uni, you have to run the "connect client" which checks that you have anti-virus, auto updates etc., if you are running Windows.
    Linux machines however, are fine on their own :)
  • by dk90406 ( 797452 ) on Monday September 14, 2009 @05:36AM (#29411371)
    The story [nytimes.com] is somewhat weak. It suggests running Avast and MS Malicious Software Removal Tool.
  • by dkf ( 304284 ) <donal.k.fellows@manchester.ac.uk> on Monday September 14, 2009 @05:41AM (#29411389) Homepage

    The lack of any managed repository of vetted and verified software is, to me, the number one reason Windows sucks so hard.

    So you're advocating the iPhone-style app store, with obscure fascist rules determining who is blessed and who is not? I'm assuming you're not suggesting that Microsoft should be the only source of all possible software for running on Windows; that most definitely won't work due to the diversity of things that people do with computers. Well, thinking about it you might actually be advocating that, in the misguided belief that the Linux Distributor model works well; it only does if you want OSS - not always a great option, alas - and if you're content with being stuck with old versions. In short, if you need commercial software then you're still downloading executables (or other packages).

    There are 4 models possible:

    1. Central distributor of only code done by distributor
    2. Central distributor of third-party code
    3. Distributed distribution with digital signatures
    4. Distributed distribution without signatures

    The central model doesn't scale too well, especially when apps get really big, so the real choice for me is between whether you require signatures or not. Ho hum.

  • by cbhacking ( 979169 ) <been_out_cruisin ... m ['hoo' in gap]> on Monday September 14, 2009 @06:49AM (#29411681) Homepage Journal

    An interesting note: you can configure UAC to require a Ctrl-Alt-Del before it shows you the prompt. Obviously this is a level of paranoia that most users don't want to deal with (similar to the way that in XP they made it so home accounts don't need to press Ctrl-Alt-Del to reach the login screen anymore) which is why it's not the default, but it's intended to protect against exactly this situation. Ctrl-Alt-Del triggers a software interrupt, so unless your kernel has been tampered with (by which time you're already totally fucked) you know the next prompt you see will be a real one.

    Ironically, this option for UAC doesn't even add any security in the default UAC mode (where you only need to OK the elevation). It's for people who are either standard users or have UAC configured to ask their password even though they're members of the Administrators group. It just prevents a malicious program from presenting a false UAC dialog and getting you to reveal an Administrator's password.

    Yes, slightly OT. The secure desktop is used by a couple other high-integrity components besides UAC, but I'd be highly suspicious of anything that displayed the SD unexpectedly. If I had this setting on, I wouldn't even wonder. That said, the kind of person who would make UAC more secure, never mind would actually know how, isn't the intended target of that kind of scam anyhow.

  • by Rick17JJ ( 744063 ) on Monday September 14, 2009 @06:59AM (#29411727)
    Users of Debian Linux, or a Debian derived distro such as Ubuntu Linux, have always had a safe official place to download free software from. We can use the apt-get command to quickly and easily download whatever free software we want from the more than 25,000 free software packages available in the official Debian repositories.

    Synaptic is an easy to use point-and-click GUI front end for apt-get. Synaptic can easily download and install, upgrade, or uninstall various programs from the official repositories, while reliably taking care of all dependencies automatically.

    Windows users do not have a similar place to go to, or built-in tools to use, to easily download and upgrade reputable, safe, non-Microsoft software. However, for installing an occasional commercial paid-for software program on a Linux computer, that would still be downloaded from a company's website. As far as I know, it is just the free open source software programs that are available in the main official Debian repositories.

    That is my rough understanding of how the Debian repositories work. As a desktop Linux user, I am glad that I do not have to download software from god knows where, in response to some pop-up. If I did suddenly decide that I needed new software or an upgrade, I would generally stick to using Synaptic or apt-get to download the software for me from the official repositories, instead of using an advertising script on a script enabled web page to download whatever it is from who knows where.

    There are also a few reputable, reasonably well known, commercial software companies, with Linux software, that I have bought software from, for my home computer.

    The lack of something like Synaptic and apt-get, and the Debian repositories, is a severe shortcoming of Windows.

    http://en.wikipedia.org/wiki/Debian
  • False dichotomy (Score:3, Interesting)

    by sean.peters ( 568334 ) on Monday September 14, 2009 @11:36AM (#29414267) Homepage

    So you're advocating the iPhone-style app store, with obscure fascist rules determining who is blessed and who is not?

    Of course, "absolute free-for-all" and "Apple-style App Store" are not the only two choices. You sort of get to this later in the post, but of course the main concept left out here is the Linux repository concept. You can be reasonably sure that apps in the repository have been vetted for viruses, etc (at least you can with Debian)... and yet, if you really want to get software somewhere else, you can... but it's buyer beware.

    Well, thinking about it you might actually be advocating that, in the misguided belief that the Linux Distributor model works well; it only does if you want OSS - not always a great option, alas -

    It's not even true that Linux repositories are all OSS (Deb certainly has a "non-free" repository), and even if it were, the OSS-ness of the repository is certainly not an essential feature. Microsoft could certainly come up with a repository of software for Windows that was all closed-source, yet still vetted for malware.
