downdimgd.com – Win32/DomaIQ Malware

I recently came across a website that would redirect users via an ad network to a site posing as a Java update page. The site has since been notified and fixed, but here are the details.
 
After sitting on a page for a little bit, it would eventually redirect to a page that looked something like the screenshot below (more details further down). So you would be on a page you normally visit, then a few seconds later, boom, you would be asked to install some malicious software!
 

[Screenshot: downdimgd-com-page2]

 
This page would prompt the user to download and install a file called Java.exe. Scanning the file on virustotal.com showed it to be a DomaIQ adware/malware variant (detections below).
 

Avast Win32:DomaIQ-CK [PUP]
ESET-NOD32 a variant of Win32/DomaIQ.BB
F-Prot W32/DomaIQ.C.gen!Eldorado
Kaspersky not-a-virus:HEUR:AdWare.MSIL.DomaIQ.heur
Malwarebytes PUP.Optional.DomaIQ
VIPRE DomaIQ (fs)

 

If you happened to actually run the installer and installed the malware, I recommend using Malwarebytes Anti-Malware to remove these types of nuisances. Malwarebytes offers a free version that you can use; check out their site, https://www.malwarebytes.org/ for more information.

 
And now for the technical stuff…
 
When you are first redirected to the page, there is a popup telling you that your Java version is out of date. When you click on OK, you are prompted to download a Java.exe application.
 

[Screenshot: downdimgd-com-page1]

 
If you download the application you will see it is signed with a certificate that Windows accepts as valid, so it is allowed to run; the signer is Clovermedia SL.
 

[Screenshot: java.exe-signature]

 
It looks like the file is a very recent build of the application, because the signing date is June 12, 2014 (the same day I saw the page).
 
The hashes for the file are as follows:

MD5 f0650efde761dfa8b02525606ea9a2f3
SHA1 7650dddc3ea3454171b3e838381baa5a55bc8332
SHA256 649e1a4f2afc69be56b96549650403e16ec28cd7035fff4e65b13da50df15e22
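If you want to check whether a downloaded file is this same sample, the practical step is to hash it and compare against the values above. The following is an added example (not code from the post) that computes MD5, SHA1 and SHA256 for a file or a directory of executables and reports matches against the hashes listed here. The IoC set below is taken verbatim from the post; the demo file it scans is a constructed harmless text file, so the page's hashes are never expected to match it.

```python
import hashlib
import tempfile
from pathlib import Path

# Hashes of the Java.exe sample exactly as listed in the post.
DOMAIQ_JAVA_EXE_IOCS = {
    "md5": {"f0650efde761dfa8b02525606ea9a2f3"},
    "sha1": {"7650dddc3ea3454171b3e838381baa5a55bc8332"},
    "sha256": {"649e1a4f2afc69be56b96549650403e16ec28cd7035fff4e65b13da50df15e22"},
}

ALGOS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> dict:
    """Digest an in-memory buffer with all three algorithms."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def hash_file(path, chunk_size=1 << 20) -> dict:
    """Digest a file in chunks so large installers do not have to fit in memory."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def ioc_matches(digests: dict, iocs: dict) -> list:
    """Return the algorithms under which the digests hit a known-bad value."""
    return [algo for algo, value in digests.items() if value in iocs.get(algo, ())]


def scan_directory(root, iocs=DOMAIQ_JAVA_EXE_IOCS, suffixes=(".exe",)) -> list:
    """Walk root and return (path, matched_algorithms) for every IoC hit."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            matched = ioc_matches(hash_file(path), iocs)
            if matched:
                hits.append((str(path), matched))
    return hits


def demo_scan() -> tuple:
    """Constructed demonstration: a harmless file named Java.exe is scanned once
    against the post's IoCs (no hit expected) and once against an IoC set built
    from its own SHA256 (one hit expected)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "Java.exe"
        sample.write_bytes(b"constructed harmless sample, not the real installer\n")
        own_iocs = {"sha256": {hash_file(sample)["sha256"]}}
        against_post = scan_directory(tmp)
        against_own = [(Path(p).name, algos) for p, algos in scan_directory(tmp, own_iocs)]
    return against_post, against_own


if __name__ == "__main__":
    print("demo:", demo_scan())
    # Real use: scan a downloads folder for the sample from the post.
    # for path, algos in scan_directory(Path.home() / "Downloads"):
    #     print("MATCH", path, algos)
```

A hash match is only useful against this exact build; DomaIQ installers are repackaged frequently, which is why the antivirus detections above are generic family names rather than per-file signatures.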

 
For even more information on the file, visit the virustotal page, here.
 
If you look at the URL for the page, it is set to http://www.downdimgd.com. This was my telltale sign that it was not a real Java update when I first viewed the page.
 

The full URL breaks down as follows:
Uri: www.downdimgd.com
Page: /US/index.php
Parameters:
dv1=10523998
dv2=
dv3=
dv4=zqsye-US
sec_id=qWJ8vBQjIEzEzreaz9tov0poz3iSC9s6Y3RmIaRrCnYR7BX87cCKqZsRNasrPBw0DlpefAXdNauePw%EB%EB
marketing_fid=MTQwMjYxOTc4Mi02ZTcwNDM0ODAyNGM5OThlNzc2ZGY2YzRjYjJlMzU0Zg==
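The breakdown above is exactly what a quick URL sanity check should produce: the host is not a Java vendor domain, and the parameters are tracking tokens rather than anything an update page needs. Below is an added example (not code from the post) that does that breakdown programmatically, flags a host outside java.com/oracle.com, and decodes any parameter that is plain base64. The trusted-domain list is my assumption for the example. The URL is reassembled from the post's own host, page and parameter values; decoding marketing_fid is my own observation from that data, and its leading number reads as a Unix timestamp for 2014-06-13 UTC, which lines up with the June 12, 2014 signing date the post notes.

```python
import base64
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# The fake update page URL, reassembled from the breakdown in the post.
FAKE_UPDATE_URL = (
    "http://www.downdimgd.com/US/index.php"
    "?dv1=10523998&dv2=&dv3=&dv4=zqsye-US"
    "&sec_id=qWJ8vBQjIEzEzreaz9tov0poz3iSC9s6Y3RmIaRrCnYR7BX87cCKqZsRNasrPBw0DlpefAXdNauePw%EB%EB"
    "&marketing_fid=MTQwMjYxOTc4Mi02ZTcwNDM0ODAyNGM5OThlNzc2ZGY2YzRjYjJlMzU0Zg=="
)

# Domains a genuine Java update would come from. Assumed for this example;
# the post does not enumerate them.
TRUSTED_JAVA_SUFFIXES = ("java.com", "oracle.com")

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_if_base64(value: str):
    """Return decoded text if value is well-formed base64 that yields printable
    ASCII, otherwise None. Opaque tokens such as sec_id stay opaque."""
    if len(value) % 4 != 0 or not _B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def is_trusted_java_host(host: str) -> bool:
    """Exact match or true subdomain of a vendor domain; 'java.com.evil.example'
    must not pass, which is why endswith() alone is not used."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_JAVA_SUFFIXES)


def describe_url(url: str) -> dict:
    """Split a URL into host, page and parameters the way the post does, flag a
    non-vendor host, and decode parameters that are plain base64."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    decoded = {k: d for k, v in params.items() if (d := decode_if_base64(v)) is not None}
    findings = []
    host = parts.hostname or ""
    if not is_trusted_java_host(host):
        findings.append(f"host {host!r} is not a Java vendor domain")
    for name, text in decoded.items():
        head = text.split("-", 1)[0]
        if head.isdigit() and len(head) == 10:  # 10 digits: looks like a Unix timestamp
            when = datetime.fromtimestamp(int(head), tz=timezone.utc)
            findings.append(f"{name} decodes to {text!r}; leading value is {when:%Y-%m-%d %H:%M:%S} UTC")
    return {"host": host, "path": parts.path, "params": params,
            "decoded": decoded, "findings": findings}


if __name__ == "__main__":
    report = describe_url(FAKE_UPDATE_URL)
    print("Uri:", report["host"])
    print("Page:", report["path"])
    for name, value in report["params"].items():
        print(f"  {name}={value}")
    for finding in report["findings"]:
        print("!", finding)
```

The host check is the part that matters for a user: everything else here is context for an analyst. Note that parse_qs is called with keep_blank_values=True so the empty dv2 and dv3 parameters survive the breakdown just as they appear in the post.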

 
The site appears to be hosted in Amsterdam (WHOIS information listed below), but the name servers seem to be located in the US, with Namecheap, Inc. I have notified Namecheap of the malicious site.
 

inetnum:         91.218.112.0 - 91.218.115.255
netname:         BERMOSCOM-NET
descr:           BerMosCom GmbH
country:         RU
org:             ORG-BG35-RIPE
admin-c:         ANSH13-RIPE
tech-c:          ANSH13-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-by:          BERMOSCOM-MNT
mnt-routes:      BERMOSCOM-MNT
mnt-domains:     BERMOSCOM-MNT
source:          RIPE # Filtered

organisation:    ORG-BG35-RIPE
org-name:        BerMosCom GmbH
org-type:        OTHER
address:         Siegfriedstr. 49-60
address:         10365 Berlin, Germany
mnt-ref:         BERMOSCOM-MNT
mnt-by:          BERMOSCOM-MNT
source:          RIPE # Filtered

person:          Andrey Shevchenko
address:         Mir Telematiki
address:         19/2 Lva Tolstogo st.
address:         Moscow 119034
address:         Russia
abuse-mailbox:   abuse@hostkey.ru
phone:           +7(499)2463587
nic-hdl:         ANSH13-RIPE
mnt-by:          MTLM-MNT
source:          RIPE # Filtered

route:           91.218.115.0/24
descr:           BermosCOD
origin:          AS49335
mnt-by:          BERMOSCOM-MNT
source:          RIPE # Filtered

 
Bottom line: if you are presented with a page like this, check the URL, especially these days, as more and more malware is being spread by fake sites. The same tactic is used to trick people into entering bank login information, etc.
 
Checking the URL is ALWAYS the first line of defense. And if you are unsure about a website and it immediately tries to get you to download something, odds are it's malicious.
 
Be safe out there folks!

2 comments

  1. Thank you for posting this. I have this file popping up too nearly every day. I’m using Kaspersky. Can you tell me how to get rid of it from showing up as a needed update while using the internet?

    1. Generally this is caused by the website you are on, so there may not be anything you can do directly. If you actually installed the software, or multiple sites have this issue for you, you may want to make sure you do not have any malicious adware installed. I would run Malwarebytes or some other anti-malware software to check your system. But other than that, from what I have seen, this is an issue caused by various ad networks on specific websites, so it shouldn’t be too widespread unless something is installed on your system.

      If you know of a specific website that has the issue, you should also notify the website’s owners if at all possible.

      Hope that helps!
