
A Java Safe Full of PUPs

What is it? A website telling the end-user that they need to update their Java install.

Why is it risky? When random websites are telling you to update “security features”, there’s a good chance there is something in it for the person giving you the heads up. Security updates shouldn’t come with additional bundled software.

Do we detect it? Yes, as PUP.Optional.BundleInstaller.A

Always be careful where you grab downloads of system-critical (or not) files. Case in point, our old friend Java.

There are sites out there which will try to convince you to download “Free Java security updates”.

In my experience, security updates don’t come bundled with additional programs such as “toolbars, browser add-ons, game applications, antivirus applications and other types of applications”. Yet, that is exactly what we have the possibility of here.

Presenting Java-safe(dot)org:

Java safe

The site resembles the real Java website, mentions a “Free Java security update” in the background and pops a box which says “Warning: your current browser is outdated”, and that a “critical security update” is required for your Java Player.

In other words, scam tactics going back to the days when Myspace ruled the roost and everybody was using Hotmail. Clicking through to the “update” leads end-users to the following install splash on another URL:

Update time!

Note the text at the bottom of the page, which doesn’t sound like something you’re usually informed of when grabbing any form of security update. The installer itself needs to be run on a net-connected PC, lest the end-user be presented with an error.

I quite like the “broken” images in the first splash an end-user sees while running this online:

Broken images

From there, they’ll have to wade through a fair amount of text related to various EULA agreements for shopping helpers, PC optimizers and so on.

T&Cs

Eventually, the desktop looks like this:

Windows everywhere

“Ooops it looks like it wasn’t the product you wanted”

Well, that could be the case, because where this install is concerned, it didn’t actually give me anything Java-related. In three lots of testing – two with everything installed and one without – we saw no sign of Java being updated as a result of this particular bundle.

If you need to get your hands on a Java install, then go straight to the source. If and when Java needs to be updated, it’ll tell you. Be very cautious around websites giving you the lowdown on system and program updates – more often than not, a couple of additional items will be coming along for the ride…

Christopher Boyd (Thanks to Adam @Kujman5000 for additional testing)



  • SkunkWerks7

    “In my experience, security updates don’t come bundled with additional programs such as “toolbars, browser add-ons, game applications, antivirus applications and other types of applications”. Yet, that is exactly what we have the possibility of here.”

    Except that the perfectly legit Sun Java updater does EXACTLY that, every time you encounter a regular update.

    It’s always amused me that the invitation to download opt-ins (typically Google Chrome, Google Toolbar, and to a somewhat lesser extent McAfee) with Java typically shortly follows the message that “3 Million Devices Use Java”.

    May as well say “we don’t make enough money off our product being insanely integral to **** near everything in computing, let’s squeeze you for some more!” And that’s not just for Sun Microsystems, Google too.

    Can’t tell you how many machines I’ve cleaned Google Chrome off of where the user strangely can’t recall ever downloading it. Aside from the fact that I seriously doubt that either Google needs this kind of lame trickery to get people to use Chrome (although I won’t use the thing on principle because of this) or Sun needs the ad dollars from Google, there’s always the danger of lowering user expectations.

    I could rant on about this for a bit, but the simplest way to distill this argument is thusly: If you in fact ARE a responsible, above-board company, don’t ACT like a 3rd-Party-Twice-Removed Shovelware Shill, hmm?

    Aside from being disappointing behavior to see from companies this “respectable” it makes it VERY hard to discern the difference between them and the “bad guys”.
