Update on the New York Times malicious ads attack

As you have probably read in Graham’s blog, over the weekend attackers managed to poison an ad-stream such that users browsing the New York Times web site where hit with malware (see New York Times alert).

This attack provides a perfect demonstration of how being able to inject malicious content into ad content is a powerful way of hitting a large audience. Inspecting the ad script earlier this morning revealed it was still serving up malicious content.

Those who have read Troy Davis’ analysis of this attack over the weekend, will notice the .cn site used in the redirect is different. Instead of 'sex-in-the-city.cn' we now have 'russell-brand.cn' (though both appear to be hosted on the same IP). Similarly the the rogue security site to which the user is ultimately redirected is now ‘online-antivir-scan09.com‘.

The scripts used in the rogue security site to trick the user into downloading and installing the fake AV malware where proactively detected as Mal/FakeAvJs-A. Additionally, Troj/FakeAV-AAS and Troj/JSRedir-W detections have been added for the fake AV malware and the malicious ads content respectively. And of course, the rogue sites used in the attack are all suitable blacklisted for those using the Sophos Web Appliance.

Update: As of 2pm GMT, the ad content appears to no longer contain malicious content.