Our systems at Barracuda Labs scan millions of websites every day to detect domains that serve malicious content. Beginning on August 5, 2013, our systems detected a website hosted on Google App Engine serving drive-by download adware to its visitors: [http]://java-update.appspot.com, and on August 6, 2013, another similar website was found serving the same adware: [http]://updateplayer.appspot.com. Both sites are still active as of today (August 19, 2013).
(Update: As of August 20, 2013, Google engineers had noticed and blocked these two phishing sites.)
The first website, java-update[.]appspot[.]com, presented a well-crafted page offering a free Java download, very similar to the official Java download page on Oracle's site. All links on this phishing page lead through a few redirects and finally trigger the download of an executable file, “Setup.exe”. If a user tries to install this 289Kb executable, it fails immediately with a message saying the system does not meet the minimum requirements; in fact, a “Solimba AdWare” has already been installed on the system. See the VirusTotal analysis for this executable here: 9 (out of 46) anti-virus vendors say it is a Solimba Adware.
Picture of phishing site java-update[.]appspot[.]com
The redirect chain is:
=> [http]://java-update.appspot.com
==>[http]://quercus-redirect.appspot.com/?id=eT2QmzjMIWuXeW4ueRjMIWuXeTbQmG-0N-0N
===> [http]://flv.hs4dmr.com/aff_c?offer_id=44&aff_id=1002&url_id=76&aff_sub=1928984742
====> [http]://flv.hs1dmr.com/aff_c?offer_id=44&aff_id=1002&url_id=76&aff_sub=1928984742
=====> [http]://dl.down324.com/n/8326f16e-dd66-11e2-a752-00259033c1da/Setup.exe?tid=102f3b55dccc5eeceff5af6d1e9825
Similarly, the other site on the Google App Engine domain, [http]://updateplayer.appspot.com, tricked visitors into installing a media player by displaying the message “A Media Player Update is Required to View this Content”. Once a user clicks the download button, a chain of redirects starts and finally a “Setup.exe” is downloaded; again, this executable is Solimba adware. Its VirusTotal analysis is here: 7 (out of 46) anti-virus vendors say it is a Solimba Adware.
Interestingly, this phishing site updated its page last week to look more polished and more convincing, in order to attract additional downloads.
Picture of phishing page updateplayer[.]appspot[.]com on Aug 6th
Picture of phishing page updateplayer[.]appspot[.]com on Aug 10th
The redirect chain is similar but shorter:
=> [http]://updateplayer.appspot.com
==> [http]://flv.hs1dmr.com/aff_c?offer_id=44&aff_id=1002&url_id=38&aff_sub=1849995996
===> [http]://dl.down324.com/n/88593b14-d4e3-11e2-a752-00259033c1da/Setup.exe?tid=102c03024d15eaf0195abe7f680a25
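The two chains above are easier to triage when the redirects are walked one hop at a time rather than auto-followed, so that every intermediate host and its tracking parameters are recorded. The following is an added example written for this post, not Barracuda Labs' scanning code: it walks a chain through an injected fetcher (here a constructed offline map of the first chain's Location headers) and reports the indicators a scanner would alert on, such as an affiliate-tracked chain that ends in an executable.

```python
from urllib.parse import urlparse, parse_qs

AFFILIATE_PARAMS = {"offer_id", "aff_id", "aff_sub", "url_id", "tid"}  # pay-per-install tracking keys seen above
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr")

# Constructed offline stand-in for the HTTP responses: each URL maps to the Location
# header it answered with in the first chain documented above. The final hop is
# absent, so looking it up yields None (no further redirect).
REDIRECTS = {
    "http://java-update.appspot.com":
        "http://quercus-redirect.appspot.com/?id=eT2QmzjMIWuXeW4ueRjMIWuXeTbQmG-0N-0N",
    "http://quercus-redirect.appspot.com/?id=eT2QmzjMIWuXeW4ueRjMIWuXeTbQmG-0N-0N":
        "http://flv.hs4dmr.com/aff_c?offer_id=44&aff_id=1002&url_id=76&aff_sub=1928984742",
    "http://flv.hs4dmr.com/aff_c?offer_id=44&aff_id=1002&url_id=76&aff_sub=1928984742":
        "http://flv.hs1dmr.com/aff_c?offer_id=44&aff_id=1002&url_id=76&aff_sub=1928984742",
    "http://flv.hs1dmr.com/aff_c?offer_id=44&aff_id=1002&url_id=76&aff_sub=1928984742":
        "http://dl.down324.com/n/8326f16e-dd66-11e2-a752-00259033c1da/Setup.exe?tid=102f3b55dccc5eeceff5af6d1e9825",
}

def follow_chain(start_url, fetch_location, max_hops=10):
    """Walk redirects one hop at a time; fetch_location(url) returns the Location
    header of a 3xx answer, or None at the final resource. Injecting it keeps the
    walk testable offline; max_hops and the seen-set bound a redirect loop."""
    chain, seen = [start_url], {start_url}
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
        if nxt in seen:      # loop: record the repeat and stop
            break
        seen.add(nxt)
    return chain

def assess_chain(chain):
    """Extract the indicators that make a chain look like a drive-by download funnel."""
    hosts = [urlparse(u).hostname or "" for u in chain]
    queries = [set(parse_qs(urlparse(u).query)) for u in chain]
    return {
        "hops": len(chain) - 1,
        "distinct_hosts": len(set(hosts)),
        "starts_on_appspot": hosts[0].endswith(".appspot.com"),
        "affiliate_tracking": any(q & AFFILIATE_PARAMS for q in queries),
        "ends_in_executable": urlparse(chain[-1]).path.lower().endswith(EXECUTABLE_SUFFIXES),
    }

def is_suspicious(chain):
    """Flag a chain that lands on an executable via affiliate tracking or several hosts."""
    ind = assess_chain(chain)
    return ind["ends_in_executable"] and (ind["affiliate_tracking"] or ind["distinct_hosts"] >= 3)
```

Replacing `REDIRECTS.get` with a fetcher that issues a HEAD request without following redirects and returns the `Location` header turns this into a live chain walker.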
Appspot.com is the domain of Google App Engine, where customers can register and host their web applications. The involved domains – hs1dmr.com, hs4dmr.com and down324.com – were privately registered through GoDaddy very recently, on June 14, 2013, June 20, 2013, and July 17, 2013, respectively. The IP address of down324.com is 95.211.134.97 (located in Amsterdam, Netherlands); it also hosts dl.flvplayer123.com and has been reported several times for serving this adware.
As always, Barracuda Labs advises Internet users to be very careful when clicking links on any website, and not to install executable files unless absolutely necessary. If installing software is unavoidable, install anti-virus software before installing anything else. Meanwhile, when buying anti-virus or other software, go to local office stores (such as Best Buy, Staples, etc.) to get hard copies, or download it from well-known vendor websites, such as Microsoft.com, Adobe.com, McAfee.com, or oracle.com.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. In this role she helps bring Barracuda's stories to life and facilitates communication between the public and Barracuda's internal teams. Before joining Barracuda, Christine worked for over 15 years as a field service technician and project manager for K12 and SMB customers. She holds several degrees in technology, a Bachelor of Arts and a Master of Business Administration. She is a graduate of the University of Michigan.
Connect with Christine on LinkedIn here.
Hey Jason,
Thanks for catching this. Our internal systems have disabled these applications. Might not be a bad idea to get you guys in touch with some of the folks that run abuse prevention for Google’s Cloud Platform. Let me know if you’re interested.
Chris Ramsdale
Product Manager, Google Cloud Platform
Sure, Chris, we’d like to get in contact to see if we can work something out.