Question about a URL

[Near_Far 4]

Windows 8 computer, running ESS 7.0.302, up to date with sigs.  I was using the Opera browser, up to date version 17.  I went to a website and while there was redirected to a site telling me to update java.  I don't have Java installed at all.  The website I was reading was:  

 

http://blog.the-ebook-reader.com/2013/10/26/sony-withdrawing-from-ebook-reader-market-entirely-in-us/

 

It just happened to me again on this netbook that I am currrently using.  I was redirected to a page saying an outdated Java plugin was detected, and there was a popup window in the middle of the screen with an OK button I could click on to update the java.  I also don't have Java on the netbook, I uninstalled it.  It had never been installed on the Windows 8 laptop at all.  

 

In both cases I closed the tab without clicking on anything on the page. 

 

The url of the supposed java update page is:

 

javeupdatecaa.com/download/chrome.php

 

I had this url checked at virustotal.com, and here is the report:

 

https://www.virustotal.com/en/url/5c04d1a6246bedb563b565dfe30220d265fe23b068cdbf9c923e4e4825d6fb11/analysis/1382826267/

 

I scanned the Windows 8 machine with Malwarebytes, nothing showed up.  I am currently running a full scan with ESS.  

 

Do I have anything to worry about here?  

 

I've been to the same url with the blog post in the Firefox browser and I don't get the java message there.  

 

The ESS scan on the Windows 8 machine is completed and doesn't show any problems.  

[Arakasi 549]

Go here :
 

hxxp://www.java.com/en/download/installed.jsp?detect=jre&try=1

 

Report back what it states on that page.

Let us know if it says : " This plugin is vulnerable and should be updated." Or if it says you do not have java installed.

None of the java shows up in Programs and Features either ?

[Arakasi 549]

If none of that holds true, it is a phishing attempt.

I would always close it, and manually handle java yourself from www.java.com.

 

If your running ESET software, upon clicking it would most likely block the connection, ESET is a very good phishing protection. One of the best.

[Near_Far 4]

Arakasi, you're quick to respond.  

 

That link shows as I expected, no java.   Java is not in my list of Programs and Features.   To be exact: We are unable to verify if Java is currently installed and enabled in your browser.  

 

This was in the Opera browser.  Firefox wants me to click on a red button to verify, which I'm not going to do.  

 

 It was never installed on the Windows 8 machine.   We've only had it a few months, and I decided not to install java at all, and to uninstall it from the Windows 7 netbook.  I've never missed it.  

 

ESET didn't block the site on the Windows 8 machine or the Windows 7 machine.  In fact, the virus total report says ESET finds no problems with the site.  

 

Maybe the original url (the blog) tried to run a java script and was unable to, and hence sent me to a java download page.  This happened both times on my first visit to that blog page using the Opera browser.  I was trying to verify whether or not this "javeupdate" was a legitimate Oracle page or not.  What concerns me is the spelling of the url I was sent to..."jave" rather than "java".  

[Near_Far 4]

My Opera history list labels the link as "Please update java",  

[Marcos 5,074]

I've blocked the website as it downloads a potentially unwanted application.

[Near_Far 4]

Thanks, Marcos.  Is there any possibility anything got into my computer just from that web page being open?   I didn't click on anything on the page.  I just closed it by using the 'x' on the tab.  

[Marcos 5,074]

When I tried it, only potentially unwanted applications that don't pose any threat were downloaded

[Near_Far 4]

Do you mean they were downloaded just from you having the page open?  As in a 'drive by' downloading situation?  

[Near_Far 4]

Did you have to click on something on the page to make something download, or did it happen without your doing anything to initiate a download?

[Arakasi 549]

Run a full scan with ESET Near_Far , and it will ensure you, your system is safe. That is all you need to do.

if you dont have a current license, use the online scanner:
hxxp://www.eset.com/int/home/products/online-scanner/

Edited October 27, 2013 by Arakasi

[Marcos 5,074]

Did you have to click on something on the page to make something download, or did it happen without your doing anything to initiate a download?

 

I clicked the "Agree and start free download" button.

[Near_Far 4]

OK, thanks for clarifying that, Marcos.  I didn't do that.  

 

Arakasi, I ran full scans on both rigs today, and everything was fine.  It's odd that the redirect only ever showed up only in the Opera 17 browser and only the first time the original blog page was visited.  There must have been some java script on that page that caused that behavior only in this browser.  That's beyond my understanding anyway.  

 

Thanks, guys.  Looks like all is good here.  

[Pierre (aka Terdef) 2]

Hi all,

 

This is a fake Java update.

Drive-by download of an old Java update with a repack of the installer.

Used to download and install adware, toolbars, web browser plugin, hijack of the starting page and the search engine within the browser, PUP like false antivirus (crapware), etc. ...

 

The trap is at xxxx :// javeupdatecaa.com/download/chrome.php

 

On the bottom of this trap page, we can read :

 

Disclaimer: This site is distributing an install manager that will manage the installation of your selected software. In addition to managing the installation of your selected software, this install manager will make recommendations for additional free software that you may be interested in. Additional software may include toolbars, browser add-ons, game applications, anti-virus applications and other types of applications. You are not required to install any additional software to receive your selected software. You can completely remove the program at any time in Windows 'Add/Remove Programs'.

 

 

javeupdatecaa.com has nothing to do with Oracle, the owner and publisher of Java.

The owner’s name is hidden by means of a privacy mechanism located in Panama in this domain name.

The domain was created on 24.10.2013, that is to say there are three days at the time of writing this message.

 

After clicking on the button, the download starts and it is a file called Java.exe that is downloaded from the website 123mediaplayer.com

The owner’s name is hidden by means of a privacy mechanism

Created 25.09.2012

Iles Baléares

Serveur 54.200.111.209 (dedicated server)

 

New - today:

download from cloudsvr12.com

A domain created on 30.10.2013, less than 24 hours.

The owner’s name is hidden by means of a privacy mechanism

Iles Baléares

Serveur 146.185.156.77

Who is the sponsor (who benefits from the crime)? A priori, it would be DSNR Media Group which have many affiliate sites like peperonity.com, youtube.com, allsp.ch, t411.me, fr.dilandau.eu etc.. ... (800 domains identified).

 

virustotal 2 - from 123mediaplayer.com

virustotal 2 - from cloudsvr12.com

At the time of my scan :

AntiVir     APPL/DomaIQ.Gen7     20131028

Avast     Win32:DomaIQ-AN [PUP]     20131028

DrWeb     Trojan.Packed.24553     20131028

ESET-NOD32     MSIL/DomaIQ.B     20131028

Fortinet     Adware/DomaIQ     20131028

Kingsoft     Win32.Troj.Generic.a.(kcloud)     20130829

Malwarebytes     PUP.Optional.BundleInstaller.A     20131028

McAfee     Adware-DomaIQ     20131028

Norman     DomaIQ.CERT     20131028

SUPERAntiSpyware     PUP.DomaIQ/Variant     20131028

TrendMicro-HouseCall     TROJ_GEN.F47V1025     20131028

VIPRE     DomaIQ (fs)     20131028

Compromised systems are : Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP

 

My page (French) with screen shots

Alerte Java - Fausses mises à jour - Octobre 2013

 

My forum thread (French)

Alerte Java - Fausses mises à jour - Octobre 2013

 

 

If you clicked on the button on the fake update and it was done:

1 / My anti-malware procedure (in French)

ESET must have something similar (and all the support and decontamination forums also)

Décontamination anti-malwares

2 / Actual update Java (French)

Quelle est ma version de Java - Mise à jour ou Installation de Java

Regards

Pierre Pinard - Pierre (aka Terdef)

Assiste.com since 1997

Security of computers and Internet browsing

Protection against cybercrime and new technologies dirty tricks

Privacy protection

Edited October 31, 2013 by Pierre (aka Terdef)

[Arakasi 549]

Thank you Pierre & Welcome to the forums.

[Near_Far 4]

When I first ran across this url, I googled it and came up with nothing other than the original web page.  Now there is more discussion of it online.  Surprisingly, Norton flags it as safe.  

 

Actually, virustotal's scan of the url itself only has one product labeling the site as malicious, which is surprising.  

Edited November 1, 2013 by Near_Far

[telcoman 0]

I do not use ESet but I am also gettign this URL pop up. I have now reported it to its host & domain registar and to Google to blacklist. Hopefully it will get taken down. I have seen it pop up most on zetaboard forums. Like everyoen else I scanned my PC with every virus & malware scan Icould think of with no results, so i am pretty sure its a drive by thing. Even though the domain says panama, it appears to be originating in Quebec.

Edited November 3, 2013 by telcoman

[Near_Far 4]

Telcoman,

 

What browser were you using when this url came up for you?  In my case, it only happened with the Opera browser (17.x) and only the first time I visited the blog page I mentioned in my first post.  It  was a redirect in both cases to the javeupdatecaa page, and then the popup.  I closed the tab with the 'x' on the browser tab, I did not ever click on anything on the javeupdatecaa page.  I don't have java installed on either one of the computers.  The redirect did not happen with IE or Firefox.  I figured it must be some particular feature of the Opera browser that allowed this to happen.  

[pulwasha 0]

I get redirected to this update java plugin detected from whatever browser i use.. so I'm guessing this is a virus? I don't know how to get id of it.. I tried malware bytes it didn't even detect th virus then I tried and ran the online eset thing from here doesn't work either.. It doesn't let me watch any videos.. keeps redirecting me to that page and it's extremely annoying.. what shall I do?

[Marcos 5,074]

I get redirected to this update java plugin detected from whatever browser i use.. so I'm guessing this is a virus? I don't know how to get id of it.. I tried malware bytes it didn't even detect th virus then I tried and ran the online eset thing from here doesn't work either.. It doesn't let me watch any videos.. keeps redirecting me to that page and it's extremely annoying.. what shall I do?

Please pm me the link to the website which redirects you to this fake Java update web page.