{"id":1022,"date":"2013-02-13T11:32:14","date_gmt":"2013-02-13T16:32:14","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=1022"},"modified":"2013-02-13T11:32:14","modified_gmt":"2013-02-13T16:32:14","slug":"avast-blog-malware-on-la-times","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/02\/13\/avast-blog-malware-on-la-times\/","title":{"rendered":"avast! blog \u00bb Malware on LA Times"},"content":{"rendered":"<p>Yesterday evening (Prague time) I spotted a curious question on Twitter from journalist Brian Krebs asking about possible malware on one of the LA Times websites:<\/p>\n<p style=\"text-align:center;\"><a href=\"http:\/\/blog.avast.com\/2013\/02\/08\/malware-on-la-times\/\"><img src='http:\/\/nccomputertech.files.wordpress.com\/2013\/02\/krebs1.jpg' alt='' \/><\/a><\/p>\n<p>It made me wonder, because having such a detection would definitely provoke a few of our users to claim a false positive in avast!<br \/>\nThere was an incident earlier this week where the Google Safe Browsing system overreacted a bit and killed the domain of an ad provider, causing malware warnings on multiple large sites, including the LA Times. 
This was just a false alarm: no malware was distributed by the affected sites. It also shows why false alarms can induce risky behavior in users \u2013 if they\u2019re convinced that they \u201cknow what they\u2019re doing\u201d and are then assured that it is safe to enter the site despite the warnings, they may do so on another occasion when there\u2019s a real attack aimed at them.<br \/>\nSo I thought we were talking about that, because, as I also checked, according to this list, the LA Times is the 4th biggest newspaper in the USA, and according to Alexa, its website is the 7th biggest newspaper website, so we would expect lots of telemetry records and also some FP reports.<br \/>\nWith a bit of distrust I dug into our telemetry collected from our dear CommunityIQ users and yes, it was there. Fortunately for most of the users, only one of the low-profile websites was infected, so the assumed number of infected people is not really high. But! I checked yesterday\u2019s stats, then the day before yesterday\u2019s, and the result was a bit of a shocker! We have consecutive reports of malicious iframes on their sub-site since the 23rd of December, and it is still working there while I\u2019m writing this blog.<\/p>\n<p style=\"text-align:center;\"><a href=\"http:\/\/blog.avast.com\/2013\/02\/08\/malware-on-la-times\/\"><img src='http:\/\/nccomputertech.files.wordpress.com\/2013\/02\/injected_iframe.jpg' alt='' \/><\/a><\/p>\n<p>The iframe points to an intermediary IP site, which immediately redirects to a domain hosting the Black Hole 2 exploit kit. 
The websites used in this attack are hosted in the USA (intermediary, most probably hacked) and the Netherlands (colocation; the domain is from some free Chilean provider, maybe also hacked).<\/p>\n<p style=\"text-align:center;\"><a href=\"http:\/\/blog.avast.com\/2013\/02\/08\/malware-on-la-times\/\"><img src='http:\/\/nccomputertech.files.wordpress.com\/2013\/02\/fiddler.jpg' alt='' \/><\/a><\/p>\n<p>A lot has been written about the Black Hole kit \u2013 in simple terms it\u2019s a bunch of malicious modules which try to exploit vulnerabilities in various browser plugins. As we checked last time, only about a third of our user base have these fully updated \u2013 the rest are in danger visiting such a site without a modern AV, which, despite what some self-styled experts say, is not something you should give up.<br \/>\nBefore posting this blog, we wanted to verify our telemetry, because sometimes we may get false telemetry data \u2013 it may be sent from an already hijacked machine. Proxies, \/etc\/hosts rewrites, malicious network drivers, even hacked routers \u2013 all of these may create false telemetry submissions. After a while, we were pretty sure this was not the case, but most of the automated tools still verified the site as clean. Only by some manual verification were we able to record a Fiddler session which clearly shows how the infection runs.<br \/>\nBecause we were getting both clean replies and also replies with the malicious iframe inserted (see the screenshot above), we\u2019re pretty sure we\u2019re seeing an HTTP server with a malicious module installed, which changes the file on the fly \u2013 the files are unmodified on disk, so the admins see only clean files, and uploading a \u2018verified clean\u2019 file would not fix anything. 
The malicious modules were first described by Unmask Parasites and later also in Eric Romang\u2019s blog \u2013 identified as Darkleech. This module contacts its command &amp; control server from time to time to get new iframe data, making us create newer and newer network blocks.<br \/>\nWe also tried today to contact the IT department of the Tribune (owner of the LA Times), but have not yet been successful. Finding a real human contact on commercial websites today seems like a task for people with much more time on their hands than we have.<br \/>\nLast word \u2013 as usual, we assure you that our users were protected: we had detections on the infected website, all the intermediary sites and the destination sites were blocked, we also detect various parts of the exploit kits, and the binaries were detected or blocked by our Autosandbox technology.<br \/>\nvia <a href=\"http:\/\/blog.avast.com\/2013\/02\/08\/malware-on-la-times\/\" target=\"_blank\">avast! 
blog \u00bb Malware on LA Times<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Yesterday evening (Prague time) I spotted a curious question on Twitter from journalist Brian Krebs asking about possible malware on [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[7],"tags":[341,451,514,600],"class_list":["post-1022","post","type-post","status-publish","format-standard","hentry","category-security","tag-exploit","tag-hacked","tag-iframe","tag-la-times"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-gu","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/1022","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=1022"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/1022\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?pare
nt=1022"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=1022"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=1022"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
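The post above describes the Darkleech pattern: the HTML files are clean on disk, the server module injects the iframe only into some responses, and automated scanners that fetched the page once kept reporting it clean. The Python below is an added example, not code from the avast! post or from the Unmask Parasites or Eric Romang write-ups it cites. It compares captured response bodies for one URL against the on-disk file and flags iframes that exist only in the served copy and point at a bare IP address or a host outside the site's allow-list, or are hidden from the visitor. Every HTML sample, the host video.example.com and the address 198.51.100.23 (RFC 5737 documentation range) are constructed for the example; nothing from the real incident is reused.

```python
"""Added example (not from the avast! post): detect a Darkleech-style
on-the-fly <iframe> injection by comparing what the HTTP server actually
served against the clean file on disk.

Assumed inputs: the on-disk HTML (baseline) and several captured response
bodies for the same URL (e.g. exported from a Fiddler session). All HTML
below, the host video.example.com and the address 198.51.100.23 (RFC 5737
documentation range) are constructed for this example.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lower-cases tag names
            self.iframes.append({k: (v or "") for k, v in attrs})


def extract_iframes(html):
    """Return one attribute dict per <iframe> in the document."""
    parser = _IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.iframes


def _is_hidden(attrs):
    """True when the frame is styled or sized so a visitor never sees it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True

    def size(key):  # "1px" -> 1; missing/garbage -> 999 (treated as visible)
        return int(re.sub(r"\D", "", attrs.get(key, "")) or "999")

    return size("width") <= 2 or size("height") <= 2


def classify_iframe(attrs, allowed_hosts):
    """Reasons an iframe looks injected; an empty list means it looks benign."""
    reasons = []
    host = urlparse(attrs.get("src", "")).hostname
    if host is None:
        return reasons  # relative src: the site's own embed, not a redirector
    try:
        ipaddress.ip_address(host)
        reasons.append("src is a bare IP address")
    except ValueError:
        if host not in allowed_hosts:
            reasons.append("src host not in the site's allow-list: " + host)
    if _is_hidden(attrs):
        reasons.append("frame is hidden from the visitor")
    return reasons


def injected_iframes(baseline_html, served_html, allowed_hosts):
    """Iframes present in the served body but absent from the file on disk,
    each paired with the reasons it looks malicious (possibly none)."""
    on_disk = {tuple(sorted(f.items())) for f in extract_iframes(baseline_html)}
    return [(f, classify_iframe(f, allowed_hosts))
            for f in extract_iframes(served_html)
            if tuple(sorted(f.items())) not in on_disk]


def scan_responses(baseline_html, responses, allowed_hosts):
    """The module serves the iframe only to some requests, so one clean fetch
    proves nothing: check every capture and return (index, findings) for each
    response carrying an injected iframe that has at least one reason."""
    hits = []
    for idx, body in enumerate(responses):
        findings = [(f, r) for f, r in injected_iframes(baseline_html, body, allowed_hosts) if r]
        if findings:
            hits.append((idx, findings))
    return hits


# ---- constructed sample data (not from the incident) ----------------------
ON_DISK = """<html><head><title>Section front</title></head>
<body><h1>News</h1>
<iframe src="https://video.example.com/player?id=42" width="640" height="360"></iframe>
<p>Story text.</p></body></html>"""

CLEAN = ON_DISK  # what the admin and most scanners get back: identical to disk

# What a targeted visitor gets back: a 1x1 hidden iframe to a bare-IP
# redirector appended by the server module at response time.
INJECTED = ON_DISK.replace(
    "</body>",
    '<iframe src="http://198.51.100.23/in.php" width="1" height="1" '
    'style="visibility:hidden"></iframe></body>')

ALLOWED_HOSTS = {"video.example.com"}
CAPTURED = [CLEAN, INJECTED, CLEAN]  # three fetches of the same URL


def demo():
    return scan_responses(ON_DISK, CAPTURED, ALLOWED_HOSTS)


if __name__ == "__main__":
    for idx, findings in demo():
        for attrs, reasons in findings:
            print(f"response #{idx}: iframe src={attrs['src']}: " + "; ".join(reasons))
```

Feed it several captures of the same URL taken from different source addresses and user agents, since modules of this kind pick which requests get the injection; a single clean fetch, or the admin's own view of the file, is not evidence of a clean server. The baseline is only meaningful after the on-disk file has itself been checked, because the point of the technique is that the disk copy stays clean while the served copy does not.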