
setupupgrade.fixbugs.club attempts to install malware

This morning, my wife returned to her Google Chrome web browser to see the following tab had been opened:

setupupgrades.fixbugs.club attempts to install a fake Adobe Flash player

setupupgrades.fixbugs.club attempts to install a fake Adobe Flash player

The text reads:

WARNING: Your Adobe Flash Player version is out of date. Your computer is prone to malware attacks! Please update the latest Flash Player version

At the bottom of the page is this:

UPDATE INSTALL
About | End User License Agreement | Contact | Privacy | Terms of service | Download Manager | How to Uninstall

By downloading, you accept our Terms of use and Privacy Policy. This free download is done via download manager which may offer other applications you can decline or uninstall. This site and the download manager have no relationship with the author. Software may also be available for free from the original author’s site.

setupupgrade.fixbugs.club © 2016 | All Rights Reserved.

It uses JavaScript to ask if you’re sure you want to leave the page, after which the page refreshes to the dialog below, which looks nearly identical to the real Flash upgrade dialog:

setupupgrades.fixbugs.club is now distributing Adobe Flash. Seems legit, right? :-)

A Google search for fixbugs.club only shows 5 results, most of them simply domain registration tracking websites. Looks like I’ll have to do my own research on this one.

I did a whois search on fixbugs.club:

Domain Name: FIXBUGS.CLUB
Domain ID: D2728855-CLUB
WHOIS Server: whois.nic.club
Referral URL: http://www.namecheap.com
Updated Date: 2016-01-20T13:13:53Z
Creation Date: 2016-01-20T13:13:50Z
Registry Expiry Date: 2017-01-19T23:59:59Z
Sponsoring Registrar: NameCheap, Inc.
Sponsoring Registrar IANA ID: 1068
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant ID: C2728853-CLUB
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Street: P.O. Box 0823-03411
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code: 00000
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Fax: +51.17057182
Registrant Email: b9e2729b9f11494f85eb0b201543a091.protect@whoisguard.com
Admin ID: C2728851-CLUB
Admin Name: WhoisGuard Protected
Admin Organization: WhoisGuard, Inc.
Admin Street: P.O. Box 0823-03411
Admin City: Panama
Admin State/Province: Panama
Admin Postal Code: 00000
Admin Country: PA
Admin Phone: +507.8365503
Admin Fax: +51.17057182
Admin Email: b9e2729b9f11494f85eb0b201543a091.protect@whoisguard.com
Tech ID: C2728854-CLUB
Tech Name: WhoisGuard Protected
Tech Organization: WhoisGuard, Inc.
Tech Street: P.O. Box 0823-03411
Tech City: Panama
Tech State/Province: Panama
Tech Postal Code: 00000
Tech Country: PA
Tech Phone: +507.8365503
Tech Fax: +51.17057182
Tech Email: b9e2729b9f11494f85eb0b201543a091.protect@whoisguard.com
Billing ID: C2728852-CLUB
Billing Name: WhoisGuard Protected
Billing Organization: WhoisGuard, Inc.
Billing Street: P.O. Box 0823-03411
Billing City: Panama
Billing State/Province: Panama
Billing Postal Code: 00000
Billing Country: PA
Billing Phone: +507.8365503
Billing Fax: +51.17057182
Billing Email: b9e2729b9f11494f85eb0b201543a091.protect@whoisguard.com
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
Name Server: DNS3.REGISTRAR-SERVERS.COM
Name Server: DNS4.REGISTRAR-SERVERS.COM
Name Server: DNS5.REGISTRAR-SERVERS.COM
DNSSEC: unsigned
>>> Last update of WHOIS database: 2016-01-31T14:06:44Z <<<

So, the domain is listed anonymously. What about where it’s hosted?

$ nslookup setupupgrade.fixbugs.club
Server: 127.0.1.1
Address: 127.0.1.1#53

Non-authoritative answer:
Name: setupupgrade.fixbugs.club
Address: 37.48.124.216

Let’s see who 37.48.124.216 belongs to. A whois query shows this:

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '37.48.64.0 - 37.48.127.255'

% Abuse contact for '37.48.64.0 - 37.48.127.255' is 'abuse@nl.leaseweb.com'

inetnum: 37.48.64.0 - 37.48.127.255
netname: NL-LEASEWEB-20120124
org: ORG-OB3-RIPE
descr: LeaseWeb Netherlands B.V.
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
country: NL
status: ALLOCATED PA
remarks: Please send all abuse notifications to the following email address: abuse@nl.leaseweb.com. To ensure proper processing of your abuse notification, please visit the website www.leaseweb.com/abuse for notification requirements. All police and other government agency requests must be sent to subpoenas@nl.leaseweb.com.
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: OCOM-MNT
mnt-lower: LEASEWEB-MNT
mnt-lower: LEASEWEB-NL-MNT
mnt-routes: OCOM-MNT
mnt-routes: LEASEWEB-MNT
mnt-routes: LEASEWEB-NL-MNT
mnt-domains: OCOM-MNT
mnt-domains: LEASEWEB-NL-MNT
created: 2012-01-24T10:32:05Z
last-modified: 2015-09-28T14:57:19Z
source: RIPE # Filtered

A generic web hosting company in the Netherlands. I will report the malware site to LeaseWeb and have already reported the site to Google Safe Browsing. Hopefully it won’t show up in anyone else’s web browsers.
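As an added example (my own code, not from the post), here is a small Python triage helper that parses the two whois responses above, embedded as constructed excerpts of the output shown in the post, and pulls out what you want to know before filing an abuse report: how old the domain was at lookup time, whether the registrant hides behind a privacy service, and which mailbox the network operator wants abuse notifications sent to.

```python
import re
from datetime import datetime
# Constructed excerpts of the two whois responses shown in the post, trimmed to the fields used.
DOMAIN_WHOIS = """\
Domain Name: FIXBUGS.CLUB
Creation Date: 2016-01-20T13:13:50Z
Registrant Organization: WhoisGuard, Inc.
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
>>> Last update of WHOIS database: 2016-01-31T14:06:44Z <<<
"""
IP_WHOIS = """\
% Abuse contact for '37.48.64.0 - 37.48.127.255' is 'abuse@nl.leaseweb.com'
inetnum:        37.48.64.0 - 37.48.127.255
netname:        NL-LEASEWEB-20120124
remarks:        Please send all abuse notifications to abuse@nl.leaseweb.com.
source:         RIPE # Filtered
"""

def parse_whois(text):
    """Map 'key: value' lines to a dict with lower-cased keys; '%' comments, the
    '>>>' footer and blank lines are skipped; repeated keys (Name Server) become lists."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or line.startswith(("%", ">>>")):
            continue
        key, value = key.strip().lower(), value.strip()
        if key in record:  # second occurrence: promote the entry to a list
            record[key] = record[key] + [value] if isinstance(record[key], list) else [record[key], value]
        else:
            record[key] = value
    return record

def abuse_contact(ip_whois_text):
    """RIPE's '% Abuse contact ... is ...' header, or else the first mailbox in the text."""
    m = (re.search(r"% Abuse contact for .* is '([^']+)'", ip_whois_text)
         or re.search(r"([\w.+-]+@[\w-]+(?:\.[\w-]+)+)", ip_whois_text))
    return m.group(1) if m else None

def triage(domain_whois_text, ip_whois_text):
    dom = parse_whois(domain_whois_text)
    as_of = re.search(r"Last update of WHOIS database: (\S+)", domain_whois_text).group(1)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    age = datetime.strptime(as_of, fmt) - datetime.strptime(dom["creation date"], fmt)
    return {
        "age_days": age.days,  # freshly registered domains are a strong scam signal
        "privacy_protected": "whoisguard" in dom.get("registrant organization", "").lower(),
        "abuse_contact": abuse_contact(ip_whois_text),
    }
```

On the post's data this reports a domain that was eleven days old, privacy-protected, and hosted in a LeaseWeb range whose abuse mailbox is abuse@nl.leaseweb.com.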

The amusing thing is that the dialog box appeared in Google Chrome, which has its own Flash renderer that cannot be upgraded outside of Chrome’s regular updates. I don’t think for a minute that Chrome’s Flash is vulnerable since Google updates it constantly.

This all reminds me that I need to set up a good honeypot system to capture and test malware like this.