avast! blog » Malware on LA Times

Posted February 13, 2013 (category: Security; tags: exploit, hacked, iframe, LA Times)

Yesterday evening (Prague time) I spotted a curious question on Twitter from journalist Brian Krebs asking about possible malware on one of the LA Times websites:

[Image: http://nccomputertech.files.wordpress.com/2013/02/krebs1.jpg]

It made me wonder, because having such a detection would definitely provoke a few of our users to claim a false positive in avast!

There was an incident earlier this week where the Google Safe Browsing system overreacted a bit and killed the domain of an ad provider, causing malware warnings on multiple large sites, including the LA Times. This was just a false alarm; no malware was distributed by the affected sites. It also shows why false alarms can induce risky behaviour in users: if they're convinced that they "know what they're doing" and are then also assured that it is safe to enter the site despite the warnings, they may do the same on another occasion when there's a real attack aimed at them.

So I thought we were talking about that, because, as I also checked, according to this list the LA Times is the 4th biggest newspaper in the USA, and according to Alexa its website is the 7th biggest newspaper website, so we would expect lots of telemetry records and also some FP reports.

With a bit of distrust I dug into our telemetry collected from our dear CommunityIQ users and yes, it was there. Fortunately for most users, only one of the low-profile websites was infected, so the assumed number of infected people is not really high. But! I checked yesterday's stats, then the day before yesterday's, and the result was a bit of a shocker: we have consecutive reports of malicious iframes on their sub-site since the 23rd of December, and it is still working there while I'm writing this blog.

[Image: http://nccomputertech.files.wordpress.com/2013/02/injected_iframe.jpg]

The iframe points to an intermediary IP site, which immediately redirects to a domain hosting the Black Hole 2 exploit kit. The websites used in this attack are hosted in the USA (the intermediary, most probably hacked) and the Netherlands (colocation, with a domain from some free Chilean provider, maybe also hacked).

[Image: http://nccomputertech.files.wordpress.com/2013/02/fiddler.jpg]

A lot has been written about the Black Hole kit; in simple terms it's a bunch of malicious modules which try to exploit vulnerabilities in various browser plugins. As we checked last time, only about a third of our user base have these fully updated; the rest are in danger when visiting such a site without a modern AV, which, despite what some self-styled experts say, is not something you should give up.

Before posting this blog, we wanted to verify our telemetry, because sometimes we may get false telemetry data: it may be sent from an already hijacked machine. Proxies, etc/hosts rewrites, malicious network drivers, even hacked routers, all of these may create false telemetry submissions. After a while, we were pretty sure this was not the case, but most of the automated tools still verified the site as clean. Only by manual verification were we able to record a Fiddler session which clearly shows how the infection runs.

Because we were getting both clean replies and replies with the malicious iframe inserted (see the screenshot above), we're pretty sure we're seeing an HTTP server with a malicious module installed, which changes the file on the fly: the files are unmodified on disk, so the admins see only clean files, and uploading a 'verified clean' file would not fix anything. The malicious modules were first described by Unmask Parasites and later also on Eric Romang's blog, identified as Darkleech. This module contacts its command & control server to get new iframe data from time to time, making us create newer and newer network blocks.

We also tried today to contact the IT department of the Tribune (owners of the LA Times), but were not yet successful. Finding a real human contact on commercial websites today seems like a task for people with much more time on their hands than ours.

Last word: as usual we assure you that we had our users protected. We had detections on the infected website, all the intermediary sites and also the destination sites were blocked, we also detect various parts of the exploit kits, and the binaries were detected or blocked by our Autosandbox technology.

via avast! blog » Malware on LA Times: http://blog.avast.com/2013/02/08/malware-on-la-times/?p_pro=0&p_vep=7&p_ves=0&p_lqa=0&p_lqe=0&p_lsu=24&p_lst=0&p_lex=346&p_lng=en&p_lid=en-us&p_elm=80&p_var=%252Ffa%252Fen-us%252Fother%252Ftoaster-virus-update_news_malware-on-la-times.html