Monday, March 4, 2013

Phisherman's Tales, Vol II

Being a fan of The Pirate Bay means either running an ad blocker or fighting an endless battle with pop-ups. update85.com is a frequent pop-under advertisement served on The Pirate Bay. It prompts the user to install a "pro" version of Flash that will supposedly make your whole life awesome. Since there is no real pro version of Flash, what it actually gives your computer is malware.
Update: the domain has since switched to update95.com.

Site Analysis
update85.com was purchased from Namecheap with WhoisGuard protection. Its server runs nginx and is currently located at 75.101.138.50 in the Amazon cloud. AWS plus WhoisGuard is a pattern that repeats across the other domain names and IPs as well. Take note, devs, even the bad guys are moving to the cloud.

The original pop-under URL:
http://update85.com/flashplayer/pro4/indexd1.php?&_mcnc&af=04f021240deadbeef5cf746771e3d54d&of=gTPB-5-usa%20%20&p=y&al=WARNING!%20Your%20Flash%20Player%20may%20be%20out%20of%20date.%20Please%20update%20to%20continue
The URL carries parameters for analytics and for tailoring the warning message the page displays.
The "af" parameter is an identifying hash that is later reused as the file name of the executable payload.
Somewhat ironically, the "al" parameter that carries the warning message is vulnerable to reflected XSS. The payload below closes the JavaScript string literal the value is written into, and the call around it, and then runs its own code:
update85.com/flashplayer/pro4/indexd1.php?al=WARNING!'); alert('xss
It's possible that some of the other parameters, such as those logged for analytics, are vulnerable to persistent XSS or SQLi as well.
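As an added example (not code from the original post), here is the mechanism behind that payload in Python: the two URLs quoted above are parsed, the `al` value is pasted into a hypothetical reconstruction of the landing page's inline script (the real PHP template is not available, so `render_vulnerable` is an assumption that reproduces the payload's behaviour), and the same template is shown with the value emitted as a proper JavaScript string literal instead.

```python
# Added example, not code from the original post. render_vulnerable() is a
# hypothetical reconstruction of the landing page's template; the URLs are
# the ones quoted in the post.
import json
from urllib.parse import urlsplit, unquote_plus

POPUNDER = ("http://update85.com/flashplayer/pro4/indexd1.php?&_mcnc"
            "&af=04f021240deadbeef5cf746771e3d54d&of=gTPB-5-usa%20%20&p=y"
            "&al=WARNING!%20Your%20Flash%20Player%20may%20be%20out%20of%20date."
            "%20Please%20update%20to%20continue")
XSS_URL = "http://update85.com/flashplayer/pro4/indexd1.php?al=WARNING!'); alert('xss"


def query_params(url):
    """First value of every query parameter, decoded. Pairs are split by
    hand so the ';' in the payload is not treated as a separator (older
    versions of urllib.parse.parse_qs split on it)."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        if "=" not in pair:            # bare flags such as '_mcnc' carry no value
            continue
        key, _, value = pair.partition("=")
        params.setdefault(key, unquote_plus(value))
    return params


def render_vulnerable(al):
    """Hypothetical template: the decoded 'al' value is pasted straight into a
    single-quoted JavaScript string. Nothing is escaped, so a quote and a
    closing parenthesis in the value end the call and start a new statement."""
    return "<script>showWarning('%s');</script>" % al


def js_string_literal(s):
    """Serialise a Python string as a JavaScript string literal that cannot
    leave the script context. json.dumps escapes quotes, backslashes and
    control characters (and, with the default ensure_ascii, U+2028/U+2029);
    the extra replacements keep '</script>' or an HTML comment inside the
    value from ending the script block early."""
    lit = json.dumps(s)
    return (lit.replace("<", "\\u003c")
               .replace(">", "\\u003e")
               .replace("&", "\\u0026"))


def render_safe(al):
    """Same template, but the value is emitted as a proper JS string literal."""
    return "<script>showWarning(%s);</script>" % js_string_literal(al)


if __name__ == "__main__":
    p = query_params(POPUNDER)
    print("campaign tag:", p["of"].strip(), "| payload file name: V." + p["af"])
    payload = query_params(XSS_URL)["al"]
    print(render_vulnerable(payload))   # alert('xss') becomes its own statement
    print(render_safe(payload))         # one harmless string argument
```

Note that JSON-encoding alone is not enough for inline scripts: `json.dumps` does not escape `<`, so without the extra replacements a value containing `</script>` would still terminate the script element, which is why the hardened version escapes the angle brackets as `\u003c`/`\u003e`.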

Analyzing the source of the landing page gives us some inline JS, links to various pages (such as the software licensing terms), and the link to the dropper program. The source for these files can be downloaded here (scroll down, click the grey 'download' button, and wait for the timer to finish).

The inline javascript injects two remote scripts:

1) New Relic analytics code, including rum.js, which is used for page timing measurements. Their New Relic API key is e981baeb5e and their appID is 2056962.

2) 46.51.162.142/giq.js, which passes tracking information to a remote PHP logger located at pixeltrk.info/log.php with the following GET parameters:
'd' = document.location.hostname
'r' = escape(document.referrer)
'l' = escape(window.navigator.language)
'u' = escape(window.navigator.userAgent)
'loc' = escape(document.location.href)
It also contains the following comment:
//beta versionb - live to be hosted on: d1cebafy1ctaaq.cloudfront.net/1
pixeltrk.info resolves to 46.51.162.142, which is also an nginx server on a WhoisGuard-protected AWS instance (this one in the Ireland region).
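If you have proxy or web-server logs from the victim side, the beacon above is easy to pull apart, with one catch: the values are produced by JavaScript's `escape()`, which is not standard percent-encoding (code points 0x80-0xFF come out as Latin-1 `%XX`, anything above as `%uXXXX`, and `+` is a literal plus), so a stock percent-decoder mangles them. The following is an added example, not code from the original post; the log lines are constructed for it, and only the field names d/r/l/u/loc and the log.php path come from the script.

```python
# Added example, not code from the original post. SAMPLE_LOG is constructed
# (nginx combined format, documentation-range client IPs); the field names and
# the /log.php endpoint are the ones giq.js uses.
import re
from urllib.parse import urlsplit, parse_qs

SAMPLE_LOG = """\
198.51.100.23 - - [04/Mar/2013:10:15:22 +0000] "GET /log.php?d=update85.com&r=http%3A//thepiratebay.se/&l=en-US&u=Mozilla/5.0%20%28Windows%20NT%206.1%29&loc=http%3A//update85.com/flashplayer/pro4/indexd1.php%3Faf%3D04f021240deadbeef5cf746771e3d54d HTTP/1.1" 200 43 "http://update85.com/flashplayer/pro4/indexd1.php" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.23 - - [04/Mar/2013:10:15:21 +0000] "GET /giq.js HTTP/1.1" 200 1187 "http://update85.com/flashplayer/pro4/indexd1.php" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.77 - - [04/Mar/2013:10:16:03 +0000] "GET /log.php?d=update85.com&r=http%3A//example.com/search%3Fq%3Dcaf%E9%20%u20AC&l=fr&u=Opera/9.80&loc=http%3A//update85.com/ HTTP/1.1" 200 43 "-" "Opera/9.80"
"""

# Both escape() forms in one alternation, so a decoded '%' can never be
# re-read as the start of a second sequence.
_ESCAPE_SEQ = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def js_unescape(s):
    """Inverse of JavaScript's escape(): %XX is a Latin-1 byte, %uXXXX a
    UTF-16 code unit. Surrogate pairs that escape() emits for astral
    characters are joined back into one code point via a UTF-16 round trip;
    a stray lone surrogate becomes U+FFFD instead of raising."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    out = _ESCAPE_SEQ.sub(repl, s)
    return out.encode("utf-16", "surrogatepass").decode("utf-16", "replace")


def decode_beacons(log_text, path="/log.php"):
    """One dict per beacon hit: client IP plus the decoded query fields.
    Query pairs are split by hand so '+' and %uXXXX survive intact."""
    hits = []
    for line in log_text.splitlines():
        m = _REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != path:
            continue
        fields = {"client": line.split()[0]}
        for pair in url.query.split("&"):
            key, _, value = pair.partition("=")
            fields[key] = js_unescape(value)
        hits.append(fields)
    return hits


def naive_decode(query):
    """What a standard percent-decoder makes of the same query: the Latin-1
    %E9 turns into U+FFFD and %u20AC is left as-is."""
    return {k: v[0] for k, v in parse_qs(query).items()}


if __name__ == "__main__":
    for hit in decode_beacons(SAMPLE_LOG):
        print(hit["client"], hit["d"], repr(hit["r"]), hit["l"], hit["u"], hit["loc"])
    print(naive_decode("r=http%3A//example.com/search%3Fq%3Dcaf%E9%20%u20AC"))
```

Matching on the `/log.php` path plus the `d`/`r`/`l`/`u`/`loc` field set is also a cheap way to flag this tracker from other hosts if it moves, as the comment in giq.js says it will.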

Uninstall, Contact, and Terms
The uninstall page simply tells you to remove Flash Player Pro via Add/Remove Programs in the Control Panel. It then gives the following disclaimer:
Upon uninstall of the software certain data such as folders, files, registry keys, and cookies, may remain on your machine.
The licensing terms page is an agreement between you and "Download4Free.org." It's the general cover-my-ass legal license.

Finally, the contact information lists:
info@download4free.org
1601 Main St. Suite 90-151
Willimantic, CT
06226
The pages also say they were built using WYSIWYG Builder 8, so I lol'd. Download4Free.org is located at 184.168.221.42, registered through GoDaddy's Domains By Proxy, and hosted at GoDaddy as well. It's an IIS 7.5 server running ASP.NET 4.0.30319, and it has hosted some other SEO domains as well.

File Analysis
If you click through the BS, you're eventually rewarded with a download of Flash Player Pro, served from nicdls.com. That host is located at 176.31.90.48 in Spain, runs nginx with PHP/5.4.7-1~dotdeb.0, and was registered using the Whois Privacy Service from DonDominio.com.

You can download your own copy from the live site here or download my copy of the executable from here (click grey 'download' button and wait for the timer to finish).
The executable you receive is a Windows dropper. Its file name is derived from the unique hash in the af parameter mentioned earlier and follows the format V.unique_hash.
ham@meat:~/code$ file spam/V.04f021240deadbeef5cf746771e3d54d
spam/V.04f021240deadbeef5cf746771e3d54d: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
I haven't busted out IDA or anything yet, but a quick look at the file's strings shows registry writes and files being dropped into a temp folder. Running it through VirusTotal gave a detection ratio of 11/46, meaning 11 of the 46 antivirus engines flagged it as malicious. Most of those detected it as W32/DomaIQ.A. You can view the results for yourself here.