Adware via Google App Engine Sites

Thursday, August 22, 2013 @ 04:08 PM gHale


Two spam-centric websites are pushing the usual malware to users through sites that leverage Google’s App Engine.

Both sites just started over a week ago and make use of the appspot.com address, a domain Google runs to help its users develop and deploy applications, said Jason Ding, a research scientist at Barracuda Labs.


In a post on the company’s research blog, Ding describes the two sites, java-update[.]appspot[.]com and [http]://updateplayer.appspot.com.

The first site models itself after a free Java download site and, as Ding said, looks similar to Oracle’s official Java site. Links on that site will eventually trigger a download of “setup.exe,” which will try to install and drop Solimba adware onto the machine.

The second URL also drops what appears to be Solimba on infected machines, except instead of trying to trick users into downloading Java, it attempts to convince users their media player needs an update. After the user downloads, they end up seeing the same “setup.exe.”

Barracuda researchers said both sites, which are still online, route users through a series of redirects across several private websites – hs1dmr.com, hs4dmr.com and down324.com – registered with GoDaddy in June and July, before downloading the adware. Whoever set up those sites is passing them through Google’s App Engine to hide their suspicious-sounding URLs.
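
The redirect pattern described above can be hunted for in web proxy logs. The following is an added example, not code from Barracuda's post: it flags any chain that starts on an appspot.com host, leaves the platform, and ends in a fetched .exe. The log format, client addresses, URL paths and hop order are assumptions constructed for illustration; only the hostnames come from the article.

```python
from urllib.parse import urlsplit

# Constructed proxy log: client, status, requested URL, Location header ("-" if none).
# Hostnames on the 10.0.0.5 lines are those named in the article; paths, clients and
# hop order are made up. The 10.0.0.7 and 10.0.0.9 lines are benign controls.
SAMPLE_LOG = """\
10.0.0.5 302 http://java-update.appspot.com/download http://hs1dmr.com/r?id=1
10.0.0.5 302 http://hs1dmr.com/r?id=1 http://down324.com/get/setup.exe
10.0.0.5 200 http://down324.com/get/setup.exe -
10.0.0.7 302 http://example.appspot.com/login http://example.appspot.com/home
10.0.0.7 200 http://example.appspot.com/home -
10.0.0.9 200 http://downloads.example.org/tool/setup.exe -
"""

def host(url):
    return (urlsplit(url).hostname or "").lower()

def parse(log):
    for line in log.splitlines():
        client, status, url, location = line.split()
        yield client, int(status), url, None if location == "-" else location

def find_chains(log, platform=".appspot.com", max_hops=10):
    """Flag chains that start on the hosting platform, leave it, and end in a fetched .exe."""
    redirects, fetched = {}, set()
    for client, status, url, location in parse(log):
        if 300 <= status < 400 and location:
            redirects[(client, url)] = location
        elif status == 200:
            fetched.add((client, url))
    findings = []
    for client, url in redirects:
        if not host(url).endswith(platform):
            continue  # only chains that begin on the trusted platform
        chain = [url]
        while (client, chain[-1]) in redirects and len(chain) < max_hops:
            chain.append(redirects[(client, chain[-1])])
        left_platform = any(not host(u).endswith(platform) for u in chain)
        final = chain[-1]
        is_exe = urlsplit(final).path.lower().endswith(".exe")
        if left_platform and is_exe and (client, final) in fetched:
            findings.append((client, [host(u) for u in chain]))
    return findings

if __name__ == "__main__":
    for client, hops in find_chains(SAMPLE_LOG):
        print(client, " -> ".join(hops))
```

A direct .exe download with no platform-hosted entry page, or a redirect that stays inside appspot.com, is not flagged; the signal is the combination of a trusted entry host and an off-platform executable at the end of the chain.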

Adware, which thrives on hitting its users with ads, continues to be a problem on the Internet.

Solimba last hit the market in 2012 zipped with malware that promised users it would install the then-new Windows 8 onto machines via a browser window. The adware usually bundles on top of malware and in some cases – like this one and the Windows 8 case – is passed off as a fake media player or Java update.


