Malwarebytes

best-antivirus03.com


10 replies to this topic

#1
hector

    New Member

  • Members
  • 2 posts
Today, I was browsing nytimes.com and was suddenly redirected to best-antivirus03.com for the usual fake online scan, but a quick MBAM 1.41 scan revealed nothing, and a Google search only indicated it was a rogue site, with no details about the possible nature of the infection, removal, etc. So far, no signs of trouble, but I remain on guard. Wingnut attack on the Times? LOL

#2
Fatdcuk

    Malware BBQ'er

  • Moderators
  • 16,152 posts
  • Gender:Male
  • Location:127.0.0.1
Yeah they are sprouting up all over the place :unsure:

If you didn't consent to installing the trojan file then the fake scanner page would not have infected you. Here is an explanation I gave a while back to someone with a very similar query.
http://www.malwarebytes.org/forums/index.p...st&p=109708
Ade Gill
Research Engineer


#3
TomCC

    New Member

  • Members
  • 1 posts
Norton Antivirus detected it with the title "An intrusion attempt by best-antivirus03.com was blocked." and the description "Network traffic from best-antivirus03.com matches the signature of a known attack." It attempts to download and run a 166,820 byte file "Scanner-xxxxxx_2006-63.exe", where the x's are random alphanumerics. The file did download on another computer where ClamAV did not detect it; notably, Norton did not detect a virus in the file either.

Browsing back to the same page later on does not pick up the virus, so it hides itself.

#4
musafir

    New Member

  • Members
  • 7 posts

Fatdcuk, on Sep 12 2009, 08:34 PM, said:

Yeah they are sprouting up all over the place :unsure:

If you didn't consent to installing the trojan file then the fake scanner page would not have infected you. Here is an explanation I gave a while back to someone with a very similar query.
http://www.malwarebytes.org/forums/index.p...st&p=109708

Re: Trojan best-antivirus03.com, on August 13th you wrote:
"One issue occurring is that these fake scanner pages make it difficult to navigate away from the consented file download prompt by normal means of closing the webpage or using the back button. One sure fire way is to invoke Task Manager and terminate all iexplore.exe's that are running. This will kill the fake scanner page stone cold dead."

I encountered this pop up when visiting NYTimes website.

I'm running Win XP (svc Pack3). When I went to the task manager I could see no "iexplore.exe" in the list of open processes.

Please advise. Thank you.

#5
hector

    New Member

  • Members
  • 2 posts
To Fatdcuk: Having helped a few friends with similar attacks, I knew if I didn't allow the download that I wouldn't be infected - at least for now these trojans are trojans: you have to invite them in.

To TomCC: Thanks for the details from NAV. Odd that it detected an attack signature in the network traffic but no virus in the payload.

To musafir: I can't say why iexplore.exe was not visible in Task Manager, but another way to kill a process is to enter Alt-F4. That sometimes works for sites or programs that refuse to close.

#6
Jaxryley

    Forum Deity

  • Malware Hunters
  • 6,718 posts
  • Gender:Male
  • Location:West Aussie
  • Interests:Gardening and computers.
Seems to give a different named/numbered installer at every download and installs Personal Antivirus.
Installer not hit from rc.
http://best-antivirus03.com/1/?sess=pmT05jzxMi0xJmlwPTIxMS4yNi45Mi4yMDImdGltZT0xMjUzNkAMPQZN
http://best-antivirus03.com/download.php?id=2013-1
Scanner-8d5d_2013-1.exe
No hits at jottis.
File size: 167936 bytes
http://rapidshare.de/files/48331573/Scanner-8d5d_2013-1.rar.html
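
The indicators above (the redirect domain, the download.php endpoint, and the installer naming scheme with a random tag) can be turned into a simple proxy-log check. This is an added example, not code from the thread or from Malwarebytes; the log layout and the sample lines are constructed for it.

```python
import re
from urllib.parse import urlsplit

# Indicators from the thread: the rogue domain, its download endpoint, and the
# "Scanner-<random alphanumerics>_<num>-<num>.exe" installer naming scheme.
ROGUE_DOMAIN = "best-antivirus03.com"
INSTALLER_RE = re.compile(r"^Scanner-[0-9a-z]+_\d+-\d+\.exe$", re.IGNORECASE)


def classify_request(url):
    """Return the list of indicators a requested URL matches (empty if none)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if host == ROGUE_DOMAIN or host.endswith("." + ROGUE_DOMAIN):
        reasons.append("host:" + ROGUE_DOMAIN)
        if parts.path.endswith("/download.php"):
            reasons.append("installer-download-endpoint")
    filename = parts.path.rsplit("/", 1)[-1]
    if INSTALLER_RE.match(filename):
        reasons.append("installer-name-pattern")
    return reasons


def scan_proxy_log(lines):
    """Return (client_ip, url, reasons) for every log line worth alerting on.

    Assumed (constructed) log layout: 'timestamp client_ip method url status'.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed or truncated lines
        client_ip, url = fields[1], fields[3]
        reasons = classify_request(url)
        if reasons:
            hits.append((client_ip, url, reasons))
    return hits


# Constructed sample log: one client follows the redirect chain, another does not.
SAMPLE_LOG = [
    "2009-09-13T01:02:03Z 10.0.0.5 GET http://www.nytimes.com/ 200",
    "2009-09-13T01:02:04Z 10.0.0.5 GET http://best-antivirus03.com/1/?sess=EXAMPLE 200",
    "2009-09-13T01:02:09Z 10.0.0.5 GET http://best-antivirus03.com/download.php?id=2013-1 200",
    "2009-09-13T01:02:10Z 10.0.0.5 GET http://cdn.example.test/Scanner-8d5d_2013-1.exe 200",
    "2009-09-13T01:03:00Z 10.0.0.7 GET http://www.example.test/scanner.html 200",
]

if __name__ == "__main__":
    for client_ip, url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(client_ip, url, ", ".join(reasons))
```

The filename check is the useful part: the thread reports a fresh random tag on every download, so matching the scheme rather than a fixed name catches each variant.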


#7
taupehat

    New Member

  • Members
  • 3 posts
  • Location:Cali5nia
Ran into this on my Mac running both Firefox and Safari. Tested on a Linux box. Seems to me that the NYT got itself compromised there. I called (not easy to find someone at this hour) and let them know that they had a problem. Redirect seems to be gone now.

Hope they decide it's worth their while to go after these scumbags. NYT should be big enough to do the job if they have the stones. Heck, if nothing else it'd be a great story: "how we followed the money and brought down a virus crew."

Sigh, if only. I doubt they'll do it though.

#8
JenD

    New Member

  • Members
  • 1 posts
It seems nytimes.com is still compromised, if indeed that was the problem. I have been redirected to these "best antivirus" websites several times today, the most recent time being just five minutes ago. It seems entirely random which links trigger it, and it is difficult to reproduce the results by following the same link again. This last time, however, the redirect failed because the best-antivirus03 address was invalid. I'm using XP + the most recent version of Firefox.

Jen D.

#9
taupehat

    New Member

  • Members
  • 3 posts
  • Location:Cali5nia

JenD, on Sep 12 2009, 08:34 PM, said:

It seems nytimes.com is still compromised, if indeed that was the problem. I have been redirected to these "best antivirus" websites several times today, the most recent time being just five minutes ago. It seems entirely random which links trigger it, and it is difficult to reproduce the results by following the same link again. This last time, however, the redirect failed because the best-antivirus03 address was invalid. I'm using XP + the most recent version of Firefox.

Jen D.
Weird. I do hope the NYT gets this figured out (if you google best-antivirus03.com you'll see other people on other forums complaining about the same thing, all pointing back at nytimes.com) really soon. They're a pretty high-profile website after all, and I'm sure somebody's granny is falling for this every minute.

#10
Fatdcuk

    Malware BBQ'er

  • Moderators
  • 16,152 posts
  • Gender:Male
  • Location:127.0.0.1
Thanks Jax,

Have now added the URL for harvesting :rolleyes:
Ade Gill
Research Engineer


#11
taupehat

    New Member

  • Members
  • 3 posts
  • Location:Cali5nia
http://www.nytimes.com/2009/09/13/business.../13note.html?hp

Looks like they owned up to it.
