beamzer

Malware on Digital Digest Mirror


One of our users triggered the IDS with InstallCore traffic, this was because she installed ImgBurn. I decided to replay her actions on a Virtual Machine.
Mirror 1 (top choice) from Digital Digest serves the file with added malware when you click their "Click here to Download" button.
This redirects to:
hxxp://www.fedutmit.com/i%3Epp8vg3v7ov/Setup_ImgBurn_2.5.8.0_XJx8ZB_dlm.exe

Which has a SHA256sum of:

1c37adfd742cd71799d571895937223ffa233737ede5cfbdeee1c6cf6f0cac92  Setup_ImgBurn_2.5.8.0_XJx8ZB_dlm_2771745258.exe

and contains the InstallCore malware:

https://www.virustotal.com/#/file/1c37adfd742cd71799d571895937223ffa233737ede5cfbdeee1c6cf6f0cac92/detection

I went on with the installation, making sure not to click on special offers.
Norton AV was offered (nice, offering AV and injecting malware in the same install) but nothing else.

On the virtual PC Fapfoma/Unwaders was trying to be installed, see screenshots.


We will be blocking ImgBurn for all our users to prevent this from happening again.

Screenshot 2018-12-28 at 18.03.42.png

Screenshot 2018-12-28 at 18.13.09.png

Screenshot 2018-12-28 at 18.18.02.png


Not an IMGburn problem you clicked the 'download IMGburn with download manager' advertisement. Notice the '_XJx8ZB_dlm_2771745258.exe' in the file name? That shouldn't be there. At best it should be Setup_Imgburn_2.5.8.0.exe, or close to it. But sure as hell not that random name you have.

Sent from my Nexus 6P with Tapatalk
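The two checks the thread relies on, the SHA-256 of the fetched file and the tell-tale "_dlm" wrapper suffix in the filename, as an added example that is not part of either post: the known-bad digest is the one quoted in the first post, the filename pattern is inferred from the one filename shown, and all other names and sample bytes are constructed here.

```python
import hashlib
import re
from typing import Optional

# SHA-256 of the wrapped installer reported in the thread (known-bad).
KNOWN_BAD_SHA256 = {
    "1c37adfd742cd71799d571895937223ffa233737ede5cfbdeee1c6cf6f0cac92",
}

# Filename shape of the download-manager wrapper seen in the thread:
# the clean name, then a random token, "_dlm" and an optional numeric suffix.
# Assumption: the token length range is a guess based on the single sample.
DLM_WRAPPER_RE = re.compile(r"_[A-Za-z0-9]{4,12}_dlm(_\d+)?\.exe$", re.IGNORECASE)


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_dlm_wrapper(filename: str) -> bool:
    return DLM_WRAPPER_RE.search(filename) is not None


def classify_download(data: bytes, filename: str,
                      expected_sha256: Optional[str] = None) -> str:
    """Return one of: known-bad, verified, mismatch, suspicious-name, unverified.

    A published hash (expected_sha256) is the strongest signal; the filename
    heuristic only applies when no hash is available to compare against.
    """
    digest = sha256_of_bytes(data)
    if digest in KNOWN_BAD_SHA256:
        return "known-bad"
    if expected_sha256 is not None:
        return "verified" if digest == expected_sha256.lower() else "mismatch"
    if looks_like_dlm_wrapper(filename):
        return "suspicious-name"
    return "unverified"
```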


Indeed, all 3rd party mirrors were sent perfectly clean installers. You should complain to digital digest if they're messing with things or offering harmful files.


That's way too easy, Digital Digest is presented as #1 download site, top choice. You have a responsibility where you send your users to. I suppose you get money from them, can't think of any other reason why you would present this kind of dodgy site to your users. And if people complain about malware it's their own fault. Look at the screenshot from Digital Digest, people should not click the big download button, but the very little here at the end of the tucked away text in the lower left corner?

Please take your users seriously and remove dodgy download sites. There are multiple complaints about malware on that download site, doing nothing about it and actively participating in sending users over there is unethical and might even be an offense.

Screenshot 2019-01-03 at 21.48.52.png

Screenshot 2018-12-28 at 16.53.13.png


I do not get the same download page you do (mine is fine) and I’ve passed on user concerns about the one offering the download manager bundle on multiple occasions. That’s why I’m recommending you contact them directly yourself.

Removing them from the mirror list isn’t an option. They host this website - always have done.


About that hosting part, LUK. Shoot me a DM, let me know your hosting specs, bandwidth and usage monthly and your annual bill. Although I'm Belgian based, I'm partnered with a hosting firm and have direct access to dns registration. Maybe I can help, so you CAN get them off the list.

Sent from my Nexus 7 with Tapatalk


Digital Digest have been in contact and I understand the link should be 'clean' now. Again, I can't test it because it's always been 'clean' for me - must be a location thing.


I just checked, and the link is indeed clean (confirmed with SHA-1 sum).

Thanks for fixing this.


Excellent, though the offer stands LUK! :-)

Sent from my Nexus 6P with Tapatalk
