On Saturday evening, Avast displayed a malware warning as I loaded a nytimes.com article. After some digging, here’s the malware I found.
nytimes.com article pages include an ad placement with the HTML DOM ID
adxBigAd. From loading a few articles, they seem to rotate between a banner and an iframe. On this article, a 300x250 iframe was inlining this URL:
?id=21610438 (note: I don’t recommend visiting it, and URLs are not linked where possible).
A comment gave the campaign ID as
Vonage01_1163613_nyt12, though it was obviously unrelated to Vonage. tradenton.com was registered Sept. 2, 2009, so it may have had a previous owner.
As anyone who has looked at phishing links knows, this is nasty on a couple levels. It’s
eval()‘ing escaped code, which is almost never needed to serve an ad. Note that the variable
action_URL is defined but never used. After unescaping the code, this is what’s being run:
What’s served by
Now we’re talking. Requesting that
sex-and-the-city.cn actually serves a HTTP 302 Redirect to
1/?sess=%3DGQx3jzwMi02MyZpcD0yMDguNzUuNTcuMTIxJnRpbWU9MTI1NjgwMI0MaQ%3DN. And we hit pay dirt. It’s a fake page for a non-existent antivirus app, which is actually malware. Titled “My computer Online Scan”, this page displays this JS alert:
Then resizes the browser window into a full-screen application-style, as if it had become a virus scanner. Some highlights from the static content and JS on this page:
Dont close this window, if your want you PC to be protected. 353 trojans You need to remove this threat as soon as possible! Scan procedures finished. 431 Probably harmfull items was found!
Here’s a screen shot:
Here’s full HTML source in a gist viewer. As usual, these phishers haven’t sprung for spelling or grammar checkers.
The page also uses IP-based geocoding by inlining its own iframe called
geoip.php, which has city-level granularity (though it was off by 1,000 miles for me). The “Full System Cleanup” link goes to
/download.php?id=2006-63 on the same server, which serves a file called
That redirects to
/download/Scanner-b4ba2_2006-63.exe, a static file with the checksum
6c5b5669151337ca51ec45b1f5785d02. Running strings on this 167 KB program - too small for any virus scanner - has it requesting administrator privileges, though I haven’t done detailed forensics.
As of Sept. 12, 2009,
harlingens.com resolved to 184.108.40.206.
sex-and-the-city.cn resolved to 220.127.116.11.
protection-check07.com had 3 A records: 18.104.22.168, 22.214.171.124, 126.96.36.199. Also, I changed indentation and spacing for readability, so checksums on gist may not match source files.