This isn't the Java I ordered!


On several sites, we have seen reports of popups that look very similar to the one Java used to notify users when a site requires the Java plugin to show its full content.


But if we follow this particular prompt we get something completely different called “Media Downloader”.


The downloaded file is called setup.exe and is recognized by a few scanners that detect this file as potentially unwanted adware (PUP.Optional.Media).

It installs a program called Media Downloader version 1.5.


The other one I want to show you is not actually a pop-up, but a background image that was made to look like one.


Clicking this “Install” button downloads a bundler and prompts you to install it. The bundler does install Java version 1.8.25, but not until it has offered the other components of the bundle.

In this case I had to “Decline” Norton360, Weatherbug, PC Mechanic and Stormfall Age of War. Note that the latest version for my system is Version 8 Update 65. Version 8u25 is over a year old.

Paying attention to the UAC prompt could have saved us some work here. Super IS (Fried Cookie Ltd.) somehow doesn’t have that official ring to it to convince me that this is the Java installer I was promised.
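The same publisher check can be made on the downloaded file before it is ever launched. The PowerShell below is an added example, not part of the original post; the expected signer name and the download path are assumptions to replace with your own. A validly signed file from an unexpected publisher is reported as not trusted.

```powershell
# Added example: check who signed a downloaded installer before running it.
function Test-InstallerPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: the signer name you expect for the genuine vendor installer.
        [string]$ExpectedPublisher = 'Oracle America, Inc.'
    )

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Unsigned files, modified files and untrusted certificate chains stop here.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path      = $Path
            Trusted   = $false
            Publisher = $null
            Reason    = "Signature status: $($sig.Status)"
        }
    }

    # Simple name of the signer certificate (usually the subject CN).
    $nameType  = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $publisher = $sig.SignerCertificate.GetNameInfo($nameType, $false)

    # A valid signature only proves who signed the file, not that it is
    # the vendor you were promised, so compare against the expected name.
    $match = $publisher -eq $ExpectedPublisher
    if ($match) {
        $reason = 'Signed by the expected publisher'
    } else {
        $reason = "Signed by '$publisher', expected '$ExpectedPublisher'"
    }

    [pscustomobject]@{
        Path      = $Path
        Trusted   = $match
        Publisher = $publisher
        Reason    = $reason
    }
}

# Assumed location of the downloaded file; adjust to where your browser saved it.
Test-InstallerPublisher -Path "$env:USERPROFILE\Downloads\setup.exe"
```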


Having Malwarebytes Anti-Malware Premium installed and set to protect against PUPs would have helped as well. It detects and stops the bundler from deploying.


Probably triggered by the critical patch update that was released by Oracle, some sites are using this opportunity to lure users with Java prompt lookalikes or bundled installers (for outdated versions). As always, get your software from trusted sources and…

Save yourself the hassle and get protected.

 

Pieter Arntz
