Author Topic: Avast caught it  (Read 4175 times)


darth

  • Guest
Avast caught it
« on: September 14, 2009, 02:07:39 AM »
While reading the New York Times online, twice in two days it caught the following "js:redirect-ah[trj]". The paper ran a story on the malware.

See http://mediamemo.allthingsd.com/20090913/home-delivery-the-new-york-times-serves-up-some-malware/.

Thank you Avast.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast caught it
« Reply #1 on: September 14, 2009, 02:24:45 AM »
Generally, avast detection is accurate in these cases.
Isn't it an encrypted/obfuscated script or iframe?
Wasn't the site hacked?
Maybe you could contact its webmaster.

Also, please, check if there are infected gif images (resolved as infected server generated messages): http://forum.avast.com/index.php?topic=45658.0

Please, edit the links to not-live ones (change http for hxxp, for instance, or add spaces in the URL).

Check here how to clean and make a website secure.

Quote
The vast majority of malware today is distributed over the web, mostly by means of hacked (otherwise legitimate) sites. The attacker usually injects some malicious scripts into some (or all) pages on the site, waiting for an unsuspecting user to visit the site and possibly infect his/her machine.

And this is where avast’s detection capabilities really excel. Its abilities to detect these web-based malicious scripts are second to none, and thanks to the Web Shield and Script Blocking providers, they are used exactly when needed, doing an excellent job stopping the web-based malware right on the entry point.
The best things in life are free.

darth

  • Guest
Re: Avast caught it
« Reply #2 on: September 14, 2009, 02:59:01 AM »
According to the story in the NY Times, to the best of my understanding, the site was hacked.

I really don't know much about iframes or stuff like that. Thanks for the suggestion to notify the Web Master, although since they published the malware article in their online edition, they have apparently rectified the matter.

It has not happened again so far.

YoKenny

  • Guest
Re: Avast caught it
« Reply #3 on: September 14, 2009, 10:57:22 AM »

Offline Gopher John

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2098
Re: Avast caught it
« Reply #4 on: September 14, 2009, 06:33:00 PM »
NYT apologizes http://www.nytimes.com/2009/09/13/business/media/13note.html?hp

FWIW, I visited NYT yesterday and received no alarm (and no redirection, pop up, or infection) using Firefox with NoScript and AdBlock Plus (NYT was not whitelisted in these extensions).  Probably, this requires JavaScript to work???

AMD A6-5350M APU with Radeon HD Graphics, 8.0GB RAM, Win7 Pro SP1 64bit, IE11
i7-3610QM 2.3GHZ, 8.0GB Ram,  Nvidia GeForce GT 630M 2GB, Win7 Pro SP1 64bit, IE 11
Common to both: Avast Premium Security 19.7.2388, WinPatrol Plus, SpywareBlaster 5.5, Opera 12.18, Firefox 68.0.2, MBam Free, CCleaner

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Avast caught it
« Reply #5 on: September 14, 2009, 07:26:16 PM »
If the script is on the page, it doesn't have to run for avast to actually detect it. So even with firefox & noscript, avast should alert even if the redirect script isn't run.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Gopher John

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2098
Re: Avast caught it
« Reply #6 on: September 14, 2009, 08:20:45 PM »
Quote
If the script is on the page, it doesn't have to run for avast to actually detect it. So even with firefox & noscript, avast should alert even if the redirect script isn't run.

Interesting, so that means that the site must have been sanitized before I visited. These fake antivirus programs have been around for a while. My sister-in-law's computer was infected about 2 weeks ago, from some unknown source. It had AVG 8.5 on it. They surfed as Admin, sadly.

By the time I got to it yesterday, the machine was virtually unusable. I safe-booted, downloaded Malwarebytes and cleaned a ton of stuff, running Malwarebytes 3 times, rebooting into safe mode between each time. Did the same with Spybot Search & Destroy, which found a few more. Uninstalled AVG via Add/Remove. On reboot, ran AVGremover. I then installed Avast Home for her, registered it and updated the definitions. Ran a full Avast scan and it found a couple of nasties in the Restore files and quarantined them. Set up limited WinXP Pro user accounts for them to surf with, and a new admin account with passwords on all. Avast has its own password added. By then it was late. When I get back over there, I'll eliminate all the Windows Restore files and then create a new restore point. I also will update from WinXP Pro SP2 to SP3.

It seemed fine when I left, but is there anything I'm missing?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Avast caught it
« Reply #7 on: September 14, 2009, 09:01:04 PM »
Effectively it would have to be cleaned or avast would alert, simple as that, as its pro-active protection may stop the complete page loading if it is part of the main page code.

Offline Gopher John

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2098
Re: Avast caught it
« Reply #8 on: September 14, 2009, 09:45:27 PM »
Thank you, David. :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Avast caught it
« Reply #9 on: September 14, 2009, 09:49:25 PM »
You're welcome.