Internet Domain Registry

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Monday, 14 September 2009

In Brief: The New York Times fake anti-virus redirect

Posted on 17:54 by Unknown
Several people have emailed asking if the fake anti-virus products I mentioned in today's blog article, US Open and VMAs top rogue anti-virus efforts, was the same fake anti-virus that was reported as being launched from advertisements at the New York Times website over the weekend. The truth is, I didn't know! So I looked into it.

The New York Times fessed up that they were having problems in This note on September 13th:

Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser. Questions and comments can be sent to webeditor@nytimes.com.


A second NYT story today tells only SLIGHTLY more information:
http://bits.blogs.nytimes.com/2009/09/14/times-site-was-victim-of-a-malicious-ad-swap/?hpw, see also: http://gadgetwise.blogs.nytimes.com/2009/09/14/what-to-do-if-you-saw-an-antivirus-pop-up-ad/


A new advertising network that fed ads to the NYT ran "normal" ads for about a week, then suddenly started advertising malware sites over the weekend. An ad, that at least part of the time redirected to russell-brand.cn, contained hostile javascript, which redirected to the actual fake AV site.

Some of the domains involved included:

protection-check07.com which resolved to IP address 88.198.107.25. That IP was also used by:

antivirusonlinescan03.com
antispywarescanner07.com
antispywarescanner08.com
best-antivirus03.com
best-spyware-scan01.com
best-spyware-scan03.com
intellectual-vir-scan08.com
intellectual-vir-scan09.com
malwareinternetscanner03.com
online-antivir-scan09.com
protection-check07.com
quick-virus-scanner01.com
quick-virus-scanner02.com
quick-virus-scanner08.com
reliable-scanner02.com
reliable-scanner05.com


These actually were shared across several IPs, including:

78.46.251.43 - Berlin, Germany, "your-server.de"
88.198.107.25 - Sweden, - "your-server.de"
88.198.120.177 - your-server.de
91.212.107.5 - Cyprus - Ricomm
91.212.127.200 - UK - Telos Solutions
94.102.51.26 - Netherlands - Ecatel

As I was not a first-hand witness, I'm going to wrap this up short as promised by pointing to a few other blogs:

http://ddanchev.blogspot.com/2009/09/ukrainian-fan-club-features.html


http://troy.yort.com/anatomy-of-a-malware-ad-on-nytimes-com
Email ThisBlogThis!Share to XShare to Facebook
Posted in fake av, malware | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Happy New Year! Here's a Virus! (New Year's Postcard malware)
    I've been busy this week looking at the various defacements (see ComputerWorld , and ABC News ) and other cyber attacks (see yesterday...
  • From Russia, With Love . . . new Postcard spam spies on your PC
    Isn't it nice to have friends who send you postcards? The UAB Spam Data Mine is especially fortunate in that way. Beginning the evenin...
  • Top Brands Imitated by Malicious Spam
    WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through Septemb...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • Tempting Photo Attachments Lead to Fake AV
    One of today's largest malicious spam campaigns continued an occasional theme we've been seeing for a few weeks. A subject line, fo...
  • What about the Social Security Numbers? (The Utah Data Breach and your SSN)
    The Utah Data Breach This week the continuing saga of the Utah Medicaid Data Breach continued to unfold. If you haven't been following...
  • Stop the Rumors: Quit SMSing about WalMart Gang Initiations
    My daughter and her teenage friend were sitting on the couch watching TV today when they began getting text messages on their phone. Here...
  • Minipost: IPR Center celebrates Cyber Monday
    The National Intellectual Property Rights Center (IPR Center) announced today that in celebration of Cyber Monday, they have Seized 82 Domai...
  • ACH Spammer switches to Shortened URLs
    For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domai...
  • Work at Home . . . for a Criminal?
    How do you tell if a "Work at Home" invitation is a scam? Here's a clue: It comes in your email. In today's Blog, I tho...

Categories

  • china
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • facebook
  • fake av
  • gumblar
  • koobface
  • law enforcement
  • malware
  • pharmaceuticals
  • phishing
  • public policy
  • spam
  • twitter
  • twitter malware
  • waledac
  • zbot

Blog Archive

  • ►  2013 (21)
    • ►  December (4)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ▼  2009 (92)
    • ►  December (12)
    • ►  November (11)
    • ►  October (16)
    • ▼  September (7)
      • FBI Director Mueller, and remember Special Agent S...
      • In Brief: The New York Times fake anti-virus redirect
      • US Open and Video Music Awards top rogue anti-viru...
      • IRS Version of Zeus Bot continues
      • Tien Truong Nguyen pleads Guilty
      • Bell Canada phish - still about the Cards
      • Koobface wrecks Search results
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (6)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ►  2008 (101)
    • ►  December (7)
    • ►  November (17)
    • ►  October (11)
    • ►  September (10)
    • ►  August (22)
    • ►  July (12)
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile