Drudge Report accused of serving malware, again

Drudge says a Senate committee has falsely accused the conservative news aggregation site of spreading malware, but a CNET reader says it's true.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

A CNET reader grabbed this screenshot of what looks like a fake antivirus warning that popped up on Drudge Report. (Screenshot: CNET reader)

For the second time in less than six months, visitors to the Drudge Report say they got malware in addition to the Web site's usual sensational headlines.

Matt Drudge denied that his site was infecting visitors. However, it is likely that the malware is coming from ads delivered by a third-party ad network rather than from the site itself.

"I can personally vouch for disinfecting my mom's desktop yesterday after visiting this Web page, even taking a screenshot after beginning remedial steps to address the attempted infection," a CNET reader wrote in an e-mail early on Tuesday. "I'm an IT professional in South Carolina so I know and understand the technology involved."

The screenshot the reader provided to CNET shows a pop-up warning the viewer that the system is infected with malware and looks like a typical fake antivirus warning that criminals use to scare people into paying for software they don't need.

The reader, who asked to remain anonymous, said he did not know exactly where on the site his mother had clicked before the fake warning appeared.

It's very possible that the malware came via an ad. Many Web sites outsource the serving of their ads. Ad networks and ad delivery firms have been used to deliver malware to sites since last year, affecting sites as prominent as The New York Times.

After the newspaper got hit last September, the Drudge Report, a conservative news aggregator that sometimes authors stories, was one of a group of sites affected by malware hidden in ads distributed by Google's DoubleClick, YieldManager, and ValueClick's Fastclick network, according to IDG News Service. In that case, the ads dropped a variant of the Win32/Alureon Trojan horse onto machines; that Trojan then downloads additional malware and installs it on the machine.

In the latest incident, the Drudge Report said it had been accused of spreading malware by a Senate committee and posted a denial on its site.

"The Senate's Committee on Environment and Public Works issued an urgent e-mail late Monday claiming the Drudge Report is 'responsible for the many viruses popping up throughout the Senate.' The committee ordered hill staff: 'Try to avoid' the Drudge Report 'for now,'" the Drudge Report said in a statement at around 8:50 a.m. PST. "On Monday Drudge served over 29 million pages with not one e-mail complaint received about 'pop-ups,' or the site serving 'viruses.'"

Update 11:58 a.m. PST: A spokesperson for the Senate committee said officials were looking at Drudge Report and WhitePages.com as possible sources of the malware that affected Senate computers.

"The Senate Help Desk, in discussing a recent increase in the number of virus infections in Senate computers, mentioned that it might be associated with pop-up ads appearing through certain websites, and they cited DrudgeReport.com and WhitePages.com as possible examples," the spokesperson said in an e-mail statement. "Our non-partisan systems administrator notified both Majority and Minority staff that this issue had been brought to her attention. It is still not exactly clear where the increase in viruses is coming from, and staff have been advised to be cautious with outside Web sites at all times."

A spokesperson for WhitePages.com did not immediately return an e-mail seeking comment.

Meanwhile, Sophos is detecting the .exe file proactively as Mal/EncPk-NP, according to Sophos researcher Boris Lau. The jar-cache10802-tmp file appears to be a malicious applet class file, he wrote in an e-mail. Lau said he has written a detection for it as "Troj/JavaDl-G" and that it will take some further investigation to confirm precisely what it is doing.
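The two artifacts named above (a Java applet jar pulled in through an ad, followed by a downloaded executable) are the shape of a malvertising chain as seen from a web proxy. As an added defensive illustration, not code from the article, Sophos, or ScanSafe, the following Python script walks proxy log lines and flags a client that loaded a Java archive from a host other than the page it was reading, then fetched an executable from that same source within a short window. The log format, hostnames, content types, and the 60-second window are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log: timestamp, client IP, referer ("-" if none), URL, Content-Type.
# These hosts and requests are invented for the example; they are not from the article.
SAMPLE_LOG = """\
2010-03-02T08:41:10 10.0.0.5 - http://news.example/ text/html
2010-03-02T08:41:11 10.0.0.5 http://news.example/ http://ads.example-network/serve?id=1 application/x-shockwave-flash
2010-03-02T08:41:12 10.0.0.5 http://ads.example-network/serve?id=1 http://cdn.example-bad/loader.jar application/java-archive
2010-03-02T08:41:14 10.0.0.5 http://cdn.example-bad/loader.jar http://cdn.example-bad/update.exe application/octet-stream
2010-03-02T08:45:00 10.0.0.6 - http://news.example/ text/html
2010-03-02T08:45:01 10.0.0.6 http://news.example/ http://ads.example-network/serve?id=2 image/gif
2010-03-02T08:50:00 10.0.0.7 - http://news.example/ text/html
2010-03-02T08:50:02 10.0.0.7 http://news.example/ http://news.example/chart.jar application/java-archive
2010-03-02T08:50:05 10.0.0.7 http://news.example/chart.jar http://news.example/tool.exe application/octet-stream
"""

WINDOW_SECONDS = 60  # assumed: how long after the applet load an executable fetch still counts
APPLET_TYPES = {"application/java-archive", "application/x-java-applet"}
EXE_TYPES = {"application/octet-stream", "application/x-msdownload"}


def parse_line(line):
    """Split one constructed log line into a dict; referer '-' becomes None."""
    ts, client, referer, url, ctype = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "client": client,
        "referer": None if referer == "-" else referer,
        "url": url,
        "ctype": ctype,
    }


def host(url):
    return urlparse(url).hostname if url else None


def find_malvertising_chains(log_text):
    """Return one finding per client that loaded a third-party applet and then an executable."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_client[event["client"]].append(event)

    findings = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, applet in enumerate(events):
            if applet["ctype"] not in APPLET_TYPES:
                continue
            # The most recent HTML page this client fetched is treated as the publisher page.
            pages = [e for e in events[:i] if e["ctype"] == "text/html"]
            page_host = host(pages[-1]["url"]) if pages else None
            ref_host = host(applet["referer"])
            # An applet referred by the publisher itself is first-party content; skip it.
            if ref_host is None or ref_host == page_host:
                continue
            applet_host = host(applet["url"])
            for later in events[i + 1:]:
                if (later["ts"] - applet["ts"]).total_seconds() > WINDOW_SECONDS:
                    break
                if later["ctype"] in EXE_TYPES and (
                    later["referer"] == applet["url"] or host(later["url"]) == applet_host
                ):
                    findings.append({
                        "client": client,
                        "page": pages[-1]["url"] if pages else None,
                        "ad_host": ref_host,
                        "applet": applet["url"],
                        "executable": later["url"],
                    })
                    break
    return findings


if __name__ == "__main__":
    for finding in find_malvertising_chains(SAMPLE_LOG):
        print(finding)
```

Of the three constructed clients, only 10.0.0.5 is reported: its jar was referred by an ad host rather than the page host, and an executable followed from the jar's own host. Client 10.0.0.6 loaded only an image ad, and client 10.0.0.7 loaded a jar and an executable served by the publisher itself, which the first-party check leaves alone. In practice the referer and Content-Type fields are only as trustworthy as the proxy that recorded them, so this is a triage filter, not proof of infection.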

"This will be a problem (for sites) as long as JavaScript and Active Content, like Flash ads, are allowed" on sites, said Mary Landesman, a senior security researcher at ScanSafe.