beamzer Posted January 3, 2019
One of our users triggered the IDS with InstallCore traffic; this was because she installed ImgBurn. I decided to replay her actions on a virtual machine. Mirror 1 (top choice) from Digital Digest serves the file with added malware when you click their "Click here to Download" button.
This redirects to: hxxp://www.fedutmit.com/i%3Epp8vg3v7ov/Setup_ImgBurn_2.5.8.0_XJx8ZB_dlm.exe
Which has a SHA256sum of:
1c37adfd742cd71799d571895937223ffa233737ede5cfbdeee1c6cf6f0cac92 Setup_ImgBurn_2.5.8.0_XJx8ZB_dlm_2771745258.exe
and contains the InstallCore malware: https://www.virustotal.com/#/file/1c37adfd742cd71799d571895937223ffa233737ede5cfbdeee1c6cf6f0cac92/detection
I went on with the installation, making sure not to click on special offers. Norton AV was offered (nice, offering AV and injecting malware in the same install) but nothing else. On the virtual PC Fapfoma/Unwaders was trying to be installed, see screenshots.
We will be blocking ImgBurn for all our users to prevent this from happening again.
Ch3vr0n Posted January 3, 2019
Not an IMGburn problem. You clicked the 'download IMGburn with download manager' advertisement. Notice the '_XJx8ZB_dlm_2771745258.exe' in the file name? That shouldn't be there. At best it should be Setup_Imgburn_2.5.8.0.exe, or close to it. But sure as hell not that random name you have.
Sent from my Nexus 6P using Tapatalk
LIGHTNING UK! Posted January 3, 2019
Indeed, all 3rd party mirrors were sent perfectly clean installers. You should complain to Digital Digest if they're messing with things or offering harmful files.
beamzer (Author) Posted January 3, 2019
That's way too easy. Digital Digest is presented as the #1 download site, top choice. You have a responsibility for where you send your users. I suppose you get money from them; I can't think of any other reason why you would present this kind of dodgy site to your users. And if people complain about malware it's their own fault. Look at the screenshot from Digital Digest: people should not click the big download button, but the very little "here" at the end of the tucked away text in the lower left corner?
Please take your users seriously and remove dodgy download sites. There are multiple complaints about malware on that download site; doing nothing about it and actively participating in sending users over there is unethical and might even be an offense.
LIGHTNING UK! Posted January 3, 2019
I do not get the same download page you do (mine is fine) and I've passed on user concerns about the one offering the download manager bundle on multiple occasions. That's why I'm recommending you contact them directly yourself. Removing them from the mirror list isn't an option. They host this website - always have done.
Ch3vr0n Posted January 3, 2019
About that hosting part, LUK. Shoot me a DM, let me know your hosting specs, bandwidth and usage monthly and your annual bill. Although I'm Belgian based, I'm partnered with a hosting firm and have direct access to DNS registration. Maybe I can help, so you CAN get them off the list.
Sent from my Nexus 7 using Tapatalk
LIGHTNING UK! Posted January 4, 2019
Digital Digest have been in contact and I understand the link should be 'clean' now. Again, I can't test it because it's always been 'clean' for me - must be a location thing.
beamzer (Author) Posted January 4, 2019
I just checked, and the link is indeed clean (confirmed with SHA-1 sum). Thanks for fixing this.
Ch3vr0n Posted January 4, 2019
Excellent, though the offer stands LUK! :-)
Sent from my Nexus 6P using Tapatalk
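The two checks discussed in this thread (the `_dlm` wrapper suffix in the file name and a checksum comparison), written up as an added example that is not part of any post above. The expected-name pattern and the `trusted_sha256` parameter are assumptions; the known-bad hash is the one quoted in the first post.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 of the bundled installer, as quoted in the first post of this thread.
KNOWN_BAD_SHA256 = {
    "1c37adfd742cd71799d571895937223ffa233737ede5cfbdeee1c6cf6f0cac92",
}
# Assumption: the plain installer is named Setup_ImgBurn_<version>.exe.
EXPECTED_NAME = re.compile(r"^Setup_ImgBurn_\d+(?:\.\d+)*\.exe$", re.IGNORECASE)
# Tell from the thread: a "_dlm" token (optionally followed by digits) before .exe.
WRAPPER_HINT = re.compile(r"_dlm(?:_\d+)?\.exe$", re.IGNORECASE)


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large installers are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def triage(path, trusted_sha256=None):
    """Return (sha256, findings); an empty list only means no check fired."""
    path = Path(path)
    findings = []
    if WRAPPER_HINT.search(path.name):
        findings.append("name-has-dlm-suffix")
    elif not EXPECTED_NAME.match(path.name):
        findings.append("unexpected-name")
    digest = sha256_file(path)
    if digest in KNOWN_BAD_SHA256:
        findings.append("known-bad-sha256")
    # trusted_sha256 is hypothetical here: obtain it from the publisher, out of band.
    if trusted_sha256 and digest != trusted_sha256.strip().lower():
        findings.append("hash-mismatch")
    return digest, findings


if __name__ == "__main__":
    # Constructed sample files: placeholder bytes, not real installers.
    workdir = Path(tempfile.mkdtemp())
    for name in ("Setup_ImgBurn_2.5.8.0.exe",
                 "Setup_ImgBurn_2.5.8.0_XJx8ZB_dlm_2771745258.exe"):
        sample = workdir / name
        sample.write_bytes(b"constructed sample bytes")
        print(name, *triage(sample))
```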