Last weekend the news site NYTimes.com was displaying ads that contained malware. This was causing some users of the website to receive a pop-up or full-screen message telling them that their computer was infected by a virus, and that they needed to "scan now". They would then be prompted to download and install the "scanning utility", which was actually the virus itself.
Troy Davis has written an anatomy of the malware distribution itself, if you wish to read it, although he does not go into much detail about how the ad itself would have been displayed, only what the ad code does.
I have three theories on how such code could have been displayed on the website.
One, it was placed there by the malware author purchasing authentic ads, and there was no ad review process.
Two, an already existing advertising account was compromised and updated to include the malware code, thus bypassing the review process (or there is no review process at all).
Finally, there is the possibility that the ad code was being displayed for a legit company, but stored offsite. Their website registration expired, and was quickly grabbed by the malware author. The author then uploaded to that site his own script, causing NYTimes.com to automatically run the code without alerting anyone (except the victims).
In any of the three scenarios, I find that this is a very common issue on many ad-driven websites these days. This is just one more thing eroding the trust of the internet, and if left unchecked it will start a breakdown of paid-by-ad websites and web e-commerce.
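For the third theory above (an offsite ad script whose domain registration lapses), a site operator can inventory every external host that serves script or iframe content into a page and compare it with known registration expiry dates. This is an added example, not code from the original post; the hostnames, the expiry inventory and the function names are constructed for illustration, and a real check would fill the inventory from WHOIS/RDAP lookups.

```python
from datetime import date, timedelta
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one first-party script and two offsite ad resources.
SAMPLE_HTML = """
<script src="/js/site.js"></script>
<script src="http://ads.partner-one.example/banner.js"></script>
<iframe src="//cdn.partner-two.example/ad.html"></iframe>
<img src="http://static.news.example/logo.png">
"""

# Constructed inventory: registrable domain -> registration expiry date.
EXPIRY = {
    "partner-one.example": date(2009, 9, 1),
    "partner-two.example": date(2010, 6, 30),
}

class ActiveContentHosts(HTMLParser):
    """Collect hosts that deliver script or iframe content into the page."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            host = urlparse(src).hostname if src else None
            if host:  # relative URLs have no host and are first-party
                self.hosts.add(host.lower())

def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def audit(html, first_party, inventory, today, warn_days=30):
    """Return {host: status} for every third-party active-content host."""
    parser = ActiveContentHosts()
    parser.feed(html)
    findings = {}
    for host in sorted(parser.hosts):
        if under(host, first_party):
            continue
        domain = next((d for d in inventory if under(host, d)), None)
        if domain is None:
            findings[host] = "unknown"   # not in inventory: needs review
        elif inventory[domain] < today:
            findings[host] = "expired"   # registration lapsed: remove the tag
        elif inventory[domain] - today <= timedelta(days=warn_days):
            findings[host] = "expiring"
        else:
            findings[host] = "ok"
    return findings
```

Hosts reported as `expired` or `unknown` are the ones whose script tags should be pulled from the page until ownership of the domain is confirmed.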
If you ever receive a pop-up or full-screen message while browsing the web telling you that your system is infected, immediately close all browser windows by using the X in the top right corner. If you cannot find the X, or if the X does not work, try using the Alt+F4 combination on your keyboard if you are using Windows, or Command+Q on Macintosh. If this still fails, use your task manager to kill the browser process.
After closing the browser, it is strongly recommended to run your antivirus product by going through your Start menu.
Last Updated: 09/14/2009 11:15 AM