Malware on Digital Digest Mirror

[beamzer]

On of our users triggered the IDS with InstallCore traffic, this was because she installed ImgBurn. I decided to replay here actions on a Virtual Machine.
Mirror 1 (top choice) from Digital Digest serves the file with added malware when you click their "Click here to Download" button.
This redirects to:
hxxp://www.fedutmit.com/i%3Epp8vg3v7ov/Setup_ImgBurn_2.5.8.0_XJx8ZB_dlm.exe

Which has a SHA256sum of:

1c37adfd742cd71799d571895937223ffa233737ede5cfbdeee1c6cf6f0cac92  Setup_ImgBurn_2.5.8.0_XJx8ZB_dlm_2771745258.exe

and contains the InstallCore malware:

https://www.virustotal.com/#/file/1c37adfd742cd71799d571895937223ffa233737ede5cfbdeee1c6cf6f0cac92/detection

I went on with the installation, making sure not to click on special offers.
Norton AV was offered (nice, offering AV an injecting malware in the same install) but nothing else.

On the virtual PC Fapfoma/Unwaders was trying to be installed, see screenshots.

 

We will be blocking ImgBurn for all our users to prevent this from happening again.
 

[Ch3vr0n]

Not an IMGburn problem you clicked the 'download IMGburn with download manager' advertisement. Notice the '_XJx8ZB_dlm_2771745258.exe' in the file name? That shouldn't be there. At best it should be Setup_Imgburn_2.5.8.0.exe, or close to it. But sure as hell not that random name you have.

Verstuurd vanaf mijn Nexus 6P met Tapatalk

[LIGHTNING UK!]

Indeed, all 3rd party mirrors were sent perfectly clean installers. You should complain to digital digest if they're messing with things or offering harmful files.

[beamzer]

That's way to easy, Digital Digest is presented as #1 download site, top choice. You have a responsibility where you send your users to. I suppose you get money from them, can't think of any other reason why you would present this kind of dodgy site to your users. And if people complain about malware it's their own fault. Look at the screenshot from Digital Digest, people should not click the big download button, but the very little here at the end of the tucked away text in the lower left corner?

Please take your users seriously and remove dodgy download sites. There are multiple complaints about malware on that download site, doing nothing about it and actively participating in sending users over there is unethical and might even be an offense.

[LIGHTNING UK!]

I do not get the same download page you do (mine is fine) and I’ve passed on user concerns about the one offering the download manager bundle on multiple occasions. That’s why I’m recommending you contact them directly yourself.

Removing them from the mirror list isn’t an option. They host this website - always have done.

[Ch3vr0n]

About that hosting part, LUK. Shoot me a DM, let me know your hosting specs, bandwidth a usage monthly and your annual bill. Although I'm Belgian based, I'm partnered with a hosting firm and have direct access to dns registration. Maybe I can help, so you CAN get them off the list.

Verstuurd vanaf mijn Nexus 7 met Tapatalk

[LIGHTNING UK!]

Digital Digest have been in contact and I understand the link should be 'clean' now. Again, I can't test it because it's always been 'clean' for me - must be a location thing.

 

[beamzer]

I just checked, and the link is indeed clean (confirmed with SHA-1 sum).

Thanks for fixing this.

[Ch3vr0n]

Excellent, though the offer stands LUK! :-)

Verstuurd vanaf mijn Nexus 6P met Tapatalk