Internet Domain Registry

Monday, 14 September 2009

In Brief: The New York Times fake anti-virus redirect

Posted on 17:54 by Unknown
Several people have emailed asking if the fake anti-virus products I mentioned in today's blog article, US Open and VMAs top rogue anti-virus efforts, were the same fake anti-virus that was reported as being launched from advertisements at the New York Times website over the weekend. The truth is, I didn't know! So I looked into it.

The New York Times fessed up that they were having problems in this note on September 13th:

Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser. Questions and comments can be sent to webeditor@nytimes.com.


A second NYT story today gives only SLIGHTLY more information:
http://bits.blogs.nytimes.com/2009/09/14/times-site-was-victim-of-a-malicious-ad-swap/?hpw, see also: http://gadgetwise.blogs.nytimes.com/2009/09/14/what-to-do-if-you-saw-an-antivirus-pop-up-ad/


A new advertising network that fed ads to the NYT ran "normal" ads for about a week, then suddenly started advertising malware sites over the weekend. An ad that, at least part of the time, redirected to russell-brand.cn contained hostile JavaScript, which redirected to the actual fake AV site.

Some of the domains involved included:

protection-check07.com which resolved to IP address 88.198.107.25. That IP was also used by:



These actually were shared across several IPs, including:

78.46.251.43 - Berlin, Germany, "your-server.de"
88.198.107.25 - Sweden - "your-server.de"
88.198.120.177 - your-server.de
91.212.107.5 - Cyprus - Ricomm
91.212.127.200 - UK - Telos Solutions
94.102.51.26 - Netherlands - Ecatel

As I was not a first-hand witness, I'm going to wrap this up short as promised by pointing to a few other blogs:

http://ddanchev.blogspot.com/2009/09/ukrainian-fan-club-features.html


http://troy.yort.com/anatomy-of-a-malware-ad-on-nytimes-com