The Moon Worm - Infects Home Routers - Shows Fake "Adobe Flash Critical Update Required" Message

Community Beginner, Mar 24, 2014
Greetings,

This morning we had numerous workstations pop up with an Adobe Flash error.  The browser will be taken over by an Adobe Flash Critical Update Required page and won't let the browser go to any other internet site.  Within the page, a box will pop up that says:  "Attention!  your current version of Adobe Flash Player is outdated!  Your computer is vulnerable to malware now.  Update your Adobe Flash player now."

This message pops up on Internet Explorer versions 9-11, Google Chrome and Firefox, and the operating systems are Windows XP Pro and Windows 7 Pro.  It has all the behavior of a virus or malware so I don't want to run its download file, which is named install_flashplayer_12_x32_64_msaa_aax_latest.exe.

I've been able to download both flash player installs from the Adobe.com site for both IE and Other Browsers.  Sometimes I've been able to run the installs and it shows that the download and install ran okay with Adobe Flash Player 12 ActiveX showing up in the installed programs list.  Other times, the install won't run and the install file mysteriously gets deleted.  Even after the successful download and install, the browser works briefly okay and then gets seized by the "Critical Update Required" page again.

We're running AVG Anti-Virus Business Edition which is kept updated.  A scan with this program and an updated version of Malwarebytes isn't showing any viruses or malware that could cause this problem.

What can I do to get rid of this "Critical Update Required" problem and get our browsers working again?

Thanks.

Bill J., Lexington, KY

Views: 141.0K

Community guidelines: Be kind and respectful, give credit to the original source of content, and search for duplicates before posting.

1 Correct answer

New Here, Sep 22, 2014

I got it fixed.

It's called the Moon virus or worm. It does not reside in your PC. It is malicious code that is embedded into your wireless router, primarily Linksys, but D-Link and Motorola have also been affected. The simple fix is to reinstall your firmware and simultaneously delete all web browsing history and cache from the browser, then even reset your browser to factory default, and YOUR PROBLEM IS FIXED.

Doug

LEGEND, Mar 24, 2014

install_flashplayer_12_x32_64_msaa_aax_latest.exe.

is nothing that comes from here

http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player_ax.exe

and

http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player.exe

are the ONLY legitimate files for Flash Player FULL installers

But, NOTHING with "latest.exe" would be legit.

Do a "clean install" on any machine you believe is out of date. http://forums.adobe.com/message/4041846

Also look into TDSSKiller from Kaspersky to remove adware.

Community Beginner, Mar 25, 2014

I downloaded and ran Kaspersky's TDSSKiller.  It's not finding anything.

Any suggestions as to what to try next?

Thanks so much for your help!

Bill J.

LEGEND, Mar 25, 2014

I've read about a router hack that redirects to the "update" page:

http://hackersnewsbulletin.com/2014/03/hackers-hacked-300000-wireless-routers-check-now.html

It may or may not have affected you.

Stick to those links I provided.

They're your best bet.

Community Beginner, Mar 25, 2014

Mike,

Many thanks. I’ve downloaded and installed both versions of Adobe Flash as we’re using Explorer, Chrome and Firefox. The Kaspersky didn’t find anything, Malwarebytes didn’t find anything of any substance nor did our AVG Business AV software.

I ran the installation of both versions of Flash and it didn’t solve the problem

Whatever this thing is it’s propagating through the entire network domain and is now on all workstations in the domain. Not good stuff!

Bill Johnson

Community Beginner, Mar 25, 2014

Mike,

The router hack might be the problem. It would explain why it’s showing up in the whole network. I’ll look into that next.

Thanks!

Bill J.

Guest, Mar 25, 2014

Hi Bill,

I have the same problem; the Adobe (malware) update comes up on Internet Explorer and Firefox. I tried TDSSKiller but it didn't work.

I don't think it's my router, because I'm on another network now and I still have the problem.

Lars D.

Community Beginner, Mar 25, 2014

Lars,

Thanks. I’m running in circles trying to get rid of this problem. Still haven’t had any luck.

Bill J.

LEGEND, Mar 25, 2014

How to tell if it's fake:

[image: fppro.jpg]

Guest, Mar 25, 2014

[image: foutmelding.jpg]

This comes up every time on Firefox

[image: foutmelding 1.jpg]

and on Internet Explorer

LEGEND, Mar 25, 2014

What is the address in the bar when you see that?

Because that second shot shows a version (12.0.3.77) that doesn't exist.

Guest, Mar 25, 2014

[image: foutmelding 2.jpg]

It just shows www.google.com, but when I click "OK" or the X in the upper right corner, I get this ^

LEGEND, Mar 25, 2014

It's fake.

New Here, Mar 25, 2014

It's happening to mine now. Firefox seems okay for now though.

New Here, Mar 25, 2014

I have the same problem. Tried uninstalling Flash and any remnants afterwards, deleted personal settings in Internet Explorer and reset, ran adware, malware and HitmanPro scans.  Nothing found. The virus is still there.  I can change the internet search option in Control Panel, i.e. from Google to Bing, and eventually it shows up again.  After two days of searching and trying different virus and malware removal programs I have backed up my data and am now trying an image restore from a different date.  Anyone find another answer yet?

Guest, Mar 26, 2014

Yesterday I tried to remove it in safe mode with Malwarebytes, but that didn't work. Then I restored my data from a different date; that also didn't work. I have no idea how to remove it...

Community Beginner, Mar 26, 2014

Lars,

It appears that the redirect may be coming from malicious code that’s been put into the router. Are you by chance using a Linksys or DLink router?

I’m going to go over later this morning and remove our Linksys E2500 router from service and put one of our spare Cradlepoint routers (we use them in charter buses for WIFI access) as a temporary measure and see if this fixes the problem. I’ve done repeated scans of the computers that are popping up the bogus Adobe Flash message and am finding nothing so either the redirect is occurring in the router itself or this is new malware whose signature is not yet being recognized.

I’m feeling pretty strongly that the problem is malicious code in the router. In the meantime, we’re having all the passwords changed via phone to any online sites, accounts, etc.

I’ll let you know what happens with the temporary replacement router. The new Cisco I ordered should be here tomorrow.

Bill J.

Guest, Mar 28, 2014

In my experience, Malwarebytes reported finding Trojan.Happili within install_flashplayer_12_x32_64_msaa_aax_latest.exe.  It seemed a bit suspicious from the get go (very un-Chrome like behavior to hijack the start page with an Adobe Flash Install page). This was a redirect of http://www.google.com but not https://www.google.com.

Changing my router settings to disable Remote Management solved the persistent redirect problem.  My security settings already included Filter Anonymous Internet Requests.

Very glad to have found this page. Thankful for everyone's contribution.

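Two observations in this thread are checkable from a workstation without running anything the fake page offers: Mike M's post lists the only two legitimate full-installer URLs and notes that nothing ending in "latest.exe" is legitimate, and the Mar 28 post reports that the hijack redirected http://www.google.com but not https://www.google.com. The script below is an added example, not code from this thread, from Adobe or from any analysis of the worm. It fetches a plaintext URL without following redirects, flags an off-site redirect or the "Critical Update Required" lure text in the first hop, and vets any .exe link it finds against Mike's two URLs. The sample responses, the host 192.0.2.10 and the lure phrases are constructed for illustration.

```python
"""Added example: flag the fake "Flash update" hijack in a plaintext HTTP
response and vet the installer URL it points to.

The allowlist holds the two legitimate full-installer URLs from Mike M's
post; the sample responses and the host 192.0.2.10 are constructed."""
import http.client
import re
from urllib.parse import urlparse

LEGIT_INSTALLERS = {
    "http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player_ax.exe",
    "http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player.exe",
}
LEGIT_HOST = "download.macromedia.com"
# Phrases taken from the fake page as quoted in the first post.
LURE_PHRASES = ("adobe flash", "critical update required", "your computer is vulnerable")
EXE_LINK = re.compile(r"https?://[^\s\"'<>]+\.exe", re.I)


def vet_installer_url(url: str) -> str:
    """'legit' only for the exact allowlisted URLs; 'fake' for the patterns
    seen in this thread (a '...latest.exe' name, or a Flash installer served
    from any other host); 'unknown' otherwise."""
    if url in LEGIT_INSTALLERS:
        return "legit"
    parts = urlparse(url)
    name = parts.path.rsplit("/", 1)[-1].lower()
    if name.endswith("latest.exe") or ("flash" in name and parts.hostname != LEGIT_HOST):
        return "fake"
    return "unknown"


def parse_raw_response(raw: bytes):
    """Split a captured HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def classify(status: int, headers: dict, body: str, requested_host: str) -> dict:
    """Decide whether the first-hop response for http://<requested_host>/ looks hijacked."""
    verdict = {"status": status, "hijacked": False, "reason": None, "installer": None}
    location = headers.get("location", "")
    if 300 <= status < 400 and location:
        target = urlparse(location).hostname or ""
        # A redirect to the same site (e.g. http -> https) is normal; one to an
        # unrelated host on a plaintext request is the tell reported above.
        if target != requested_host and not target.endswith("." + requested_host):
            verdict.update(hijacked=True, reason=f"redirect off-site to {location}")
    lowered = body.lower()
    if any(phrase in lowered for phrase in LURE_PHRASES):
        verdict.update(hijacked=True, reason="fake update lure in page body")
    match = EXE_LINK.search(body)
    if match:
        verdict["installer"] = (match.group(0), vet_installer_url(match.group(0)))
    return verdict


def classify_raw(raw: bytes, requested_host: str) -> dict:
    """Convenience wrapper for a captured response."""
    return classify(*parse_raw_response(raw), requested_host)


def probe(host: str, timeout: float = 5.0) -> dict:
    """Live check: fetch http://host/ through the current gateway WITHOUT
    following redirects, so the first hop (where the hijack shows) is examined."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host, "Connection": "close"})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return classify(resp.status, headers, body, host)


# Constructed samples (not captures of the worm's traffic).
CLEAN = (b"HTTP/1.1 301 Moved Permanently\r\n"
         b"Location: https://www.google.com/\r\n"
         b"Content-Length: 0\r\n\r\n")
HIJACKED = (b"HTTP/1.1 302 Found\r\n"
            b"Location: http://192.0.2.10/update/\r\n\r\n"
            b"<html><body><h1>Adobe Flash Critical Update Required</h1>"
            b"<a href='http://192.0.2.10/install_flashplayer_12_x32_64_msaa_aax_latest.exe'>"
            b"Update now</a></body></html>")

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"
    print(probe(host))
```

Run it from a workstation behind the suspect router (`python3 check_hijack.py www.google.com`) and again from another network; a verdict that flips between the two, as Lars's and Bill's reports differ, points at the network path rather than the PC.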
New Here, Apr 04, 2014

I experienced the very same issue being discussed here last night via all browsers. I have a Cisco/Linksys E3000; there is quite a bit documented on this 'Moon' worm from SANS but very little from Cisco directly. Disabling remote management on the router has done the trick, but I see that only as a temporary workaround to disable the hacking/redirecting via HNAP; the real fix would be a firmware update and I can't find any reference to that from the horse's mouth.

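The post above ties the hijack to HNAP and to remote management being enabled. The script below is an added example, not code from this thread, from SANS or from Cisco/Linksys: it asks a router for its HNAP device settings (the /HNAP1/ endpoint, which answers with a SOAP-style GetDeviceSettingsResponse) and reports what answers, so you can confirm model and firmware from the LAN and then verify that the same request gets no answer from the WAN side once remote management is off. The embedded XML is a constructed sample modelled on that response; the model name E2500 is taken from Bill's posts, the firmware string is a placeholder, and 192.168.1.1 is assumed as the default gateway.

```python
"""Added example: ask a router for its HNAP device settings and report what
answers. Not code from the thread, SANS, or Cisco/Linksys. The XML below is a
constructed sample modelled on the HNAP1 GetDeviceSettingsResponse; the model
name E2500 comes from Bill's posts, the firmware string is a placeholder."""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Optional

HNAP_PATH = "/HNAP1/"
FIELDS = ("VendorName", "ModelName", "ModelDescription", "FirmwareVersion", "DeviceName")


def parse_hnap_device_settings(xml_text: str) -> Dict[str, str]:
    """Pull the identifying fields out of an HNAP GetDeviceSettingsResponse.
    Tags are matched with their namespace stripped, so a vendor-specific
    namespace on the response does not matter."""
    root = ET.fromstring(xml_text)
    found: Dict[str, str] = {}
    for element in root.iter():
        tag = element.tag.rsplit("}", 1)[-1]
        if tag in FIELDS and element.text and element.text.strip():
            found[tag] = element.text.strip()
    return found


def probe_hnap(router: str, port: int = 80, timeout: float = 5.0) -> Optional[Dict[str, str]]:
    """GET http://<router>:<port>/HNAP1/ and parse the reply. Returns None when
    nothing answers or the reply is not HNAP XML. Run it once from the LAN to
    learn model/firmware, and again from outside against the WAN address and
    the remote-management port: after remote management is disabled that
    second run should return None."""
    url = f"http://{router}:{port}{HNAP_PATH}"
    request = urllib.request.Request(url, headers={"User-Agent": "hnap-check/0.1"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return parse_hnap_device_settings(response.read().decode("utf-8", "replace")) or None
    except (urllib.error.URLError, ET.ParseError, OSError, ValueError):
        return None


# Constructed sample response (assumption: shaped like a real GetDeviceSettingsResponse).
SAMPLE_HNAP = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
      <GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
      <VendorName>Sample Vendor</VendorName>
      <ModelName>E2500</ModelName>
      <FirmwareVersion>0.0.0 (placeholder)</FirmwareVersion>
    </GetDeviceSettingsResponse>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    # Assumed default gateway; pass the router's address as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    info = probe_hnap(target)
    if info is None:
        print(f"{target}: no HNAP answer on {HNAP_PATH}")
    else:
        print(f"{target}: HNAP is answering -> {info}")
```

An HNAP answer from the LAN side is expected on these routers; the check that matters for the workaround described above is that the WAN address stops answering after remote management is disabled. A reply from outside means the management interface is still reachable and the firmware fix the poster was looking for is still needed.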
Guest, Apr 15, 2014

Got this problem recently too.

Can anyone help solve this issue? It is very annoying that every time I use Mac Safari or Firefox, it redirects to the link and downloads automatically:

install_flashplayer_12_x32_64_msaa_aax_latest.exe

LEGEND, Apr 15, 2014

Guest, Apr 15, 2014

Thanks Mike M for the explanation on the website.

Wondering, is there anything we can do to get rid of the problem?

LEGEND, Apr 15, 2014

If the router can be "flashed" (erased and rewritten) then have that done (your ISP may be able to do it). If not, it has to be replaced.

Community Beginner, Mar 25, 2014

The router hack still seems to be the best explanation.  However, does this mean that the redirect that could be in the router has caused the connected workstations to download malicious software?  None of my security software is showing anything so I've ordered a replacement Cisco router and will see if that helps the problem.

Community Beginner, Mar 26, 2014

Okay folks, here's the latest.  Thanks to Mike M's post above I've been able to do some additional research and have come to the conclusion that our Linksys E2500 router has been hacked.  I pulled it out of service and set up a router from a different manufacturer and we're now able to access the internet.

However, the redirects from the infected router had installed some additional settings in the browsers themselves, so I had to do a complete browser reset and that took care of the problem.  To do this in Internet Explorer, I clicked on Internet Options/Advanced Tab and then click on the Reset link at the bottom and also reset all personal settings.  In Google Chrome, I've had to go to Settings, click on Show Advanced Settings at the bottom, then click on Reset Browser Settings in the link at the very bottom. 

So far, we've been back up and running without any problems.
