Spammy websites that distribute adware disguised as Java or other kinds of software updates are nothing new, but researchers have recently noticed two sites pushing such malware to users by leveraging Google’s App Engine.
Both sites were started just over a week ago and make use of the appspot.com address, a domain Google runs to help its users develop and deploy applications, according to Jason Ding, a research scientist at Barracuda Labs.
In a post on the company’s research blog, Ding describes the two sites, java-update[.]appspot[.]com and [http]://updateplayer.appspot.com. The first models itself after a free Java download site and, as Ding notes, looks remarkably similar to Oracle’s official Java site. Links on that site will eventually trigger a download of “setup.exe,” which will try to install and drop Solimba adware onto the machine.
The second URL also drops what appears to be Solimba on infected machines, but instead of trying to trick users into downloading Java, it attempts to convince them that their media player needs to be updated. Users who are duped into downloading the update get the same “setup.exe.”
According to Barracuda, both sites, which are still online, route users through a series of redirects across several private websites – hs1dmr.com, hs4dmr.com and down324.com – that were registered with GoDaddy in June and July, before downloading the adware. Whoever set up those sites is passing them through Google’s App Engine to hide their suspicious-sounding URLs.
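One way a defender could hunt in web proxy logs for the pattern described above, a landing page on a trusted shared-hosting domain that forwards through other domains to an executable download. This is an added example, not code from Barracuda or the article; the log format, the hostnames and the `find_suspicious_downloads` helper are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

SHARED_HOSTING_SUFFIXES = (".appspot.com",)  # assumption: extend per environment
MAX_HOPS = 10  # stop walking if Referer values loop

# Constructed proxy log: timestamp client url referer status content-type.
# All hostnames are made up; assumes each hop sends the previous hop as Referer.
SAMPLE_LOG = """\
2014-08-01T10:00:01 10.0.0.5 http://update-demo.appspot.com/ - 200 text/html
2014-08-01T10:00:04 10.0.0.5 http://r1.redirector.example/go http://update-demo.appspot.com/ 200 text/html
2014-08-01T10:00:05 10.0.0.5 http://r2.redirector.example/next http://r1.redirector.example/go 200 text/html
2014-08-01T10:00:06 10.0.0.5 http://files.download.example/setup.exe http://r2.redirector.example/next 200 application/x-msdownload
2014-08-01T10:05:00 10.0.0.9 http://notes-demo.appspot.com/ - 200 text/html
2014-08-01T10:05:02 10.0.0.9 http://notes-demo.appspot.com/app.js http://notes-demo.appspot.com/ 200 application/javascript
2014-08-01T10:07:00 10.0.0.7 http://vendor.example/tool.exe http://vendor.example/downloads 200 application/x-msdownload
"""

def parse(log_text):
    fields = ("ts", "client", "url", "referer", "status", "ctype")
    return [dict(zip(fields, ln.split())) for ln in log_text.splitlines() if ln.strip()]

def is_executable(rec):
    path = urlsplit(rec["url"]).path.lower()
    return rec["status"] == "200" and (
        path.endswith(".exe") or rec["ctype"] == "application/x-msdownload")

def referer_chain(rec, by_key):
    """Walk Referer values back from a download to the client's entry page."""
    chain = [rec["url"]]
    while rec and rec["referer"] != "-" and len(chain) < MAX_HOPS:
        if rec["referer"] in chain:
            break
        chain.append(rec["referer"])
        rec = by_key.get((rec["client"], rec["referer"]))
    return chain[::-1]  # entry page first, download last

def find_suspicious_downloads(log_text):
    """Flag executables reached from a shared-hosting page but served elsewhere."""
    records = parse(log_text)
    by_key = {(r["client"], r["url"]): r for r in records}
    hits = []
    for rec in filter(is_executable, records):
        chain = referer_chain(rec, by_key)
        hosts = [urlsplit(u).hostname or "" for u in chain]
        fronts = [h for h in hosts[:-1] if h.endswith(SHARED_HOSTING_SUFFIXES)]
        if fronts and not hosts[-1].endswith(SHARED_HOSTING_SUFFIXES):
            hits.append({"client": rec["client"], "entry": fronts[0],
                         "download": rec["url"], "hops": len(chain)})
    return hits
```

HTTP 3xx hops usually carry the originating page's Referer rather than the redirector's, so chains rebuilt from real logs may also need correlation on the `Location` response header.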
Adware, the bloated software that thrives on plaguing its users with ads, continues to be a problem in darker corners of the Internet.
Solimba was famously last seen in 2012 zipped with malware that promised users it would install the then-new Windows 8 onto machines via a browser window. The adware is usually bundled on top of malware and in some cases – like this one and the Windows 8 scam – passed off as a fake media player or Java update.