NY Times Website Infected With Fake Antivirus

The New York Times Website became the victim of a malicious Internet-based advertisement over the weekend. Users of certain sections of NYTimes.com encountered notifications that they were infected with malware and needed to install the antivirus software linked from the notification. And if you've dealt with a user, friend, or family member who's fallen for this sort of ruse, then you know the AV software is really just malware posing as AV.

John H. Sawyer, Contributing Writer, Dark Reading

September 15, 2009

2 Min Read
Dark Reading logo in a gray background | Dark Reading

The New York Times Website became the victim of a malicious Internet-based advertisement over the weekend. Users of certain sections of NYTimes.com encountered notifications that they were infected with malware and needed to install the antivirus software linked from the notification. And if you've dealt with a user, friend, or family member who's fallen for this sort of ruse, then you know the AV software is really just malware posing as AV.Computerworld had a good story on the incident and Dancho Danchev, as always, has a good analysis of some background sites and IPs associated with the attack that link to other known fake AV and "malvertisment" campaigns.

I've discussed how one of the major flaws with antivirus is the fact it relies on blacklisting, or blocking known bad things. A recent study shows I'm not alone, but blacklisting isn't something to turn your back on just yet.

There are many blacklists available, but one of my favorites comes from the Emerging Threats project. Emerging Threats is an open source, community-based effort for producing bleeding-edge Snort IDS signatures and firewall rules. The project has an active mailing list where contributors share Snort signatures that they've just written based on a new malware sample, or on an attack they just analyzed.

One of the rule sets that Emerging Threats publishes is a list of known Russian Business Network (RBN) IP addresses. If you're unfamiliar with the RBN, take the time to read the Wikipedia RBN page to learn more. I think the best statement is the quote from VeriSign describing RBN as "the baddest of the bad."

If you were using the RBN rule set for blocking or simply detection, you would have prevented -- or at least have logged -- the malvertisement attack coming from the New York Times Website. This is because the IPs associated with the attack were in the RBN list (as mentioned in an e-mail to the Emerging Threats list this morning).

So while many will still say blacklists are not effective, they do help in cases like these. Would your IPS or AV have blocked the attack? If so, do you know if it did it because it identified the attack, or because it knew it was coming from an RBN IP?

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

About the Author

John H. Sawyer

Contributing Writer, Dark Reading

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights