Update | 8:51 a.m. Adding some responses to reader comments at the end.
Update | 2:34 p.m. Adding explanation from the Times Company at the end.
Update | 2:59 p.m. Adding additional information and instructions on what to do if your computer was affected.
Update | 5:13 p.m. Adding more information on antivirus applications that can help fix or avoid malware.
Update | 9:50 p.m. We have published an article with more detail on how these ads appeared on NYTimes.com.
Some nasty ads have hit the Web browsers of visitors to NYTimes.com and some other sites in recent days. The ads, which are not authorized or endorsed by The Times, can hijack a person’s browser and make it appear as if a scan for viruses is running. The ads then promote “antivirus” software that is itself virus-like. The Times believes it has eliminated these ads, but if they popped up on your screen, here’s what you need to know about your computer’s security.
According to Rik Ferguson of the security-software maker Trend Micro, a malicious ad sparked a pop-up window with a bogus claim that the PC was infected with malware. It urged the user to run a system scan with its “Personal Antivirus” program — a convincing-looking ruse, but a complete fake — to clean out the infection.
If you closed this box, you should be O.K., though it’s a good idea to empty your browser cache — which stores temporary copies of many of the files used by your browser to render Web sites and, thus, can store malicious content. (Instructions on clearing the cache in several types and versions of browsers can be found here.)
You should also run a scan with legitimate antivirus software just in case. If you see a box but find you can’t close it on a Windows machine, hit Ctrl+Alt+Delete to bring up the Task Manager, find the browser in the list of running processes and shut it down — or even reboot your machine.
If you did click to “scan” your machine for problems, the program will tell you that it supposedly detected 38 threats. Not true. What it actually did was install a so-called Trojan horse that’s a classic example of rogue antivirus software, also known as “scareware,” a growing menace on the Internet.
This particular program appears to be designed to convince people to purchase fake antivirus software -– and will likely display messages, at random intervals, with information about more fake problems and demands for money. Mr. Ferguson’s initial analysis shows that the program does not have the ability to “phone home” to the attacker to get instructions to do anything worse (like deposit programs designed to steal data from your PC).
It does not appear that this attack poses a threat to Mac or Linux computers, since the downloads they try to push appear to work only on Windows machines. However, it’s a good idea to to make sure you’re clean by running a (legitimate) antivirus scan just in case, since in other similar attacks, “click or not, the user could still get infected,” said Neil Daswani, a founder of Dasient, a security firm that specializes in Web site security issues.
If you don’t have antivirus software installed, it’s time to get some. The big brand names in the field, Symantec, McAfee and Trend Micro, are able to detect and remove this program, as can the free antivirus programs AVG 8.5 Free and Avast Antivirus. (For a complete list of products that can take care of this threat, visit this site.)
Also free and effective at detecting and removing the attack is Microsoft’s Malicious Software Removal Tool, which checks for the most common malicious programs on the Internet.
Keep in mind that the attackers are constantly changing their code to try to evade antivirus defenses, so you’ll need to keep your security software up-to-date with the latest malware definitions. It can be helpful to use a tool for blocking known malicious Web pages; the top security suites include such tools, but there are also free programs from Trend Micro and from McAfee.
When installing a new security program, you should disconnect from the Internet and any backup devices and, if possible, install it from a CD-ROM. Some malicious programs, often known as malware, are programmed to block the downloading of antivirus programs from the Web.
To help protect against malware distributed via Web sites, make sure your computer’s operating system, Web browser and third-party programs like Adobe Flash Player are up to date and that you have downloaded the most recent security patches (some directions are here). It is also a good idea to use Internet Explorer 8 or the most recent version of Firefox, Chrome or Safari, which all provide some protection against Web threats.
Update: Thanks for all of the feedback on this. We hope to be able to add more detailed information about any potential infections soon. And separately we are of course looking to explain how this happened and what is being done to prevent it from happening again. Stay tuned.
Update: The Times Company says it was the victim of someone who posed as a legitimate advertiser, then switched to distributing the fake virus warnings.
