Blog for hpHosts, and whatever else I feel like writing about ....

Sunday 20 October 2013

Alert: Lunacom Interactive Ltd and fake Java sites

Seems we've got another Israel based crapware company, this one is involved in the use of fake Chrome and Java sites, to push their files (all digitally signed FYI).


Offending IPs;

66.55.92.88 - AS32181 66.55.88.0/21 ASN-GIGENET - GigeNET
146.185.156.77 - AS46652 146.185.128.0/19 SERVERSTACK-ASN - ServerStack, Inc
54.218.7.114 - awstrack01.tguhost.com - 16509 54.218.0.0/17 AMAZON-02 - Amazon.com, Inc.
146.185.156.77 - AS46652 146.185.128.0/19 SERVERSTACK-ASN - ServerStack, Inc.
54.244.6.207 - AS16509 54.244.0.0/18 AMAZON-02 - Amazon.com, Inc.

Sites identified thus far;

googlechromeup.com
securejavaupdate.com
latestjavas.com
eu.latestjavas.com
new.latestjavas.com
securejavadownload.com
eu.securejavadownload.com
new.securejavadownload.com
upjavadownload.com
securejavafiledownload.org
securejava.org
eu.securejava.org
new.securejava.org
eu.securejavafiledownload.org
new.securejavafiledownload.org
ttb.123mediaplayer.com
dlp.123mediaplayer.com
dtrack.secdls.com
dtrack.sslsecure1.com




The MD5 for the file I got served is;

6539515369f76e50c670f663debb0c37

However, I am aware that the MD5s appear to be different for each access, so you're going to want to detect the files on their sig instead.

/Edit

2 more IPs and 2 more hostnames added.

/Edit 2

Few more hostnames added.

1 comment:

devouringone3 said...

I downloaded and launched the Java7.exe file; thinking my Java was outdated again. It looked legit until I remembered how different the setup was and after declining the agreements of like 6 different toolbars and spyware. The setup ended congratulating me for having installed something called “jfilemanager7”, which so far I couldn't find any trace of on my Windows 7 PC.

Am I the first to get caught by Lunacom Interactive Ltd ?