I recently came across a website that would redirect users via an ad network to a site posing as a Java update page. The site as since been notified and fixed, but here are the details.
After sitting on a page for a little bit, the page would eventually redirect to a page that looked something like the page below (more details below). So you would be on a page you normally would visit, then in a few seconds, boom, you would be asked to install some malicious software!
This page, would prompt the user to download and install a file called Java.exe. This file, after being scanned on virustotal.com, showed that it was a DomaIQ adware/malware variant.
|ESET-NOD32||a variant of Win32/DomaIQ.BB|
And now for the technical stuff…
When you are first redirected to the page, there is a popup telling you that your Java version is out of date. When you click on OK, you are prompted to download a Java.exe application.
If you download the application you will see it is signed and valid to be run, the application is signed by Clovermedia SL.
It looks like the file is very recent version of the application because the sign date is June 12, 2014 (the same day).
The hashes for the file are as follows:
For even more information on the file, visit the virustotal page, here.
If you look at the URL for the page, it is set to http://www.downdimgd.com. This was my telltale for it not being a real Java update on my initial viewing of the page.
The site appears to be hosted in Amsterdam (information listed below) but the name servers seem to be located in the US, by Namecheap, Inc. I have notified Namecheap of the malicious site.
inetnum: 18.104.22.168 - 22.214.171.124 netname: BERMOSCOM-NET descr: BerMosCom GmbH country: RU org: ORG-BG35-RIPE admin-c: ANSH13-RIPE tech-c: ANSH13-RIPE status: ASSIGNED PI mnt-by: RIPE-NCC-END-MNT mnt-lower: RIPE-NCC-END-MNT mnt-by: BERMOSCOM-MNT mnt-routes: BERMOSCOM-MNT mnt-domains: BERMOSCOM-MNT source: RIPE # Filtered organisation: ORG-BG35-RIPE org-name: BerMosCom GmbH org-type: OTHER address: Siegfriedstr. 49-60 address: 10365 Berlin, Germany mnt-ref: BERMOSCOM-MNT mnt-by: BERMOSCOM-MNT source: RIPE # Filtered person: Andrey Shevchenko address: Mir Telematiki address: 19/2 Lva Tolstogo st. address: Moscow 119034 address: Russia abuse-mailbox: firstname.lastname@example.org phone: +7(499)2463587 nic-hdl: ANSH13-RIPE mnt-by: MTLM-MNT source: RIPE # Filtered route: 126.96.36.199/24 descr: BermosCOD origin: AS49335 mnt-by: BERMOSCOM-MNT source: RIPE # Filtered
Bottom line, if you are presented with a page like this, check the URL. Especially these days as more and more malware is being spread by fake sites. The same tactic is used to trick people to enter in bank login information, etc.
Checking the URL is ALWAYS the first line of defense. And if you are unsure about a website, odds are if it immediately tries to get you to download something it’s probably malicious.
Be safe out there folks!