Tomasz77

Curious Flash player update

Feb 19, 2010 9:30 AM

Hi, I got a message stating that Adobe wanted to update my flash player and if I would allow changes to my computer today (19.2.210) when I started my machine. I run my computer every day.

I realized that the update request was not signed by Adobe only after clicking yes (silly me)!

That's the info in my Internet Explorer about Flash (I deactivated it after getting suspicious about the update):

Name            Shockwave Flash Object
Publisher       Adobe Systems Incorporated
Status          Disabled
File date       Wednesday, 27 January 2010, 01:58
Version         10.0.42.34

Now I'm concerned about the security of my computer.

Have any other of you received an update today?

If any Adobe personnel reads this, is this update definitely bogus?

Thanks for your help,

Tomasz

 
  • Feb 19, 2010 10:13 AM   in reply to Tomasz77

    new flash player should be version 10.0.45.2
  • Feb 19, 2010 11:05 AM   in reply to Tomasz77

    Hi Tomasz77, Having read your thread, I would close all browsers, disconnect from the Internet and run a full Scan with your Anti-Virus/Spyware program.

    Then connect back to the Internet and check if the websites are working correctly.

    Then test here: http://www.adobe.com/products/flash/about

    Post back if you have any questions.

    Thanks,

    eidnolb
  • Feb 20, 2010 10:55 AM   in reply to Tomasz77

    Hi Tomasz77, Who suggested to you to do a manual update? And what link were you given and who gave it to you?

    I don't see anything on your thread here to indicate anything of which you speak.

    Just trying to clarify the information on the threads.

    Thank you for your help in this.

    eidnolb
  • Feb 19, 2010 4:10 PM   in reply to Tomasz77

    Hi Tomasz77, I am still waiting for you to reply to my post#3 and post#5. That will be helpful since you say it is "still open".

    Please post back, since I'm not sure of the status of your problem. Or what it is you want to do next.

    Thanks,

    eidnolb
  • Feb 19, 2010 7:41 PM   in reply to Tomasz77

    Please note that there are different installs for Flash Player on Internet Explorer (ActiveX) and Firefox (plugin). You may need to explicitly run the Flash Player install/update on Internet Explorer.
  • Feb 20, 2010 2:26 PM   in reply to Tomasz77

    Hi Tomasz77, Here is what you need to check. Using IE, go to Tools, click on Manage Add ons. Find a listing that says Shockwave Flash Object...ActiveX Control....Flash10e.ocx (if vs 10.0.45.2) Flash10d.ocx (if vs 10.0.42.34). I am not sure if you can do this with IE8 or not. I know with IE6 you can. Try it anyway. Click on Shockwave Flash Object and see if there is on the bottom right a box that says "Update ActiveX". If it does, click on it and see if it updates. A small window with a graph will run. When it is finished, Reboot your computer. In IE6 this updates that ActiveX, whether it will or not with IE, you'll know. If it doesn't then we need to take a look at the Flash Player files.

    One other thing on this Shockwave Flash Object. In your Post#1, you said you "deactivated" it after you became suspicious. Now anytime there is an Uninstall or Install of any program or like Flash Player, one must always Reboot for the changes to take effect. By "deactivating" this I think that stopped the process. If the above trying to update the SWO does not work, make sure it is Enabled and then Reboot (restart) your computer, before checking the Flash files below.

    Go to C:\Windows\System32\Macromed\Flash. Open the Flash folder and post back every listing.

    Since you have run several Anti-Virus Scans and ESET is very reliable, in my opinion you are ok. Now the trojan that was found was PRIOR to you receiving a prompt from Adobe and even then it was isolated by your Anti-Virus program.

    Had an "imposter" tried to download something, why would they download the Adobe Flash Player, when they could have tried to download something worse? Your Anti-Virus caught the Trojan, and probably would have caught the "imposter".

    That is just my opinion and based on how spyware and viruses work, in addition to you running scans and nothing was found. I don't know what Anti-Virus you have installed on your computer, I use Avast and can Scan each and most every file. Can you do that with your installed program?

    Keep in mind also that Adobe and Microsoft use secure servers to download and since Adobe just came out with an update for Flash Player, many people are getting prompts. I received one myself and some of my friends have as well.

    See about the above and post back.

    Thanks,

    eidnolb
  • Feb 21, 2010 8:17 AM   in reply to Tomasz77

    Thanks Tomasz77, that is fine, no rush. I'll be off and on the forum today.

    eidnolb
  • Feb 21, 2010 12:56 PM   in reply to Tomasz77

    Hi Tomasz77, IE8 is restrictive so that is why you couldn't update the ActiveX.

    Your #1. I have never manually installed Flash Player; mine is installed from the prompt. However, I am aware of the various Adobe sites to install. The one you used has the DLM that is used in addition to the GetPlus/Nos. Not the best site to D/L from in my opinion. For very large files is what it is for from my understanding. I saw them in your Flash folder.

    2. Yes, the gp.ocx is the GetPlus activeX. No I do not have this on my system. If I did I would remove them all:-) You saw that for a moment from the Detail box I would think. Why I don't know, it still installed.

    3. good

    4. The nature of a trojan is to install itself, but it did not, your anti-virus stopped it and isolated it. On the update process, Adobe I would think would advise of updates directly to your computer by secure servers just as Microsoft does if you have Automatic Updates permitted.

    Even if you go to Microsoft and install manually, same thing. You can be sure these servers are well protected. An imposter would have to have a lot more info than your IP address. Any website you visit gets that anytime you access it. These bad guys automatically search for insecure computers, not a one on one basis. Just like you sometimes receive a recorded phone message, if you answer you hear it, if you don't there is no connection made. Same thing with the trojan, it rang, your Anti-Virus answered the call. Ha-Ha

    5. I received my first prompt from Adobe on 2/18/10, but was busy, so clicked on the "Remind me later" option. No, I don't know if it was signed or not and have never known in all the times FP has been updated. I have never worried about that. I don't think a bad guy is going to install a perfectly working Flash Player on my system, he wants more than that and if he got it, I'd have more problems than Flash Player.

    No, in my opinion you are fine, your Flash Player files are all correct. As far as some things not signed, I have a couple of add ons that are not signed. In fact I use a Brothers 4 in 1 and it's not signed and Dell Support (which I'm sure you have also) is not signed. But you can be sure my Anti-Virus and very important programs are.

    If I were you I'd relax and if there is a problem down the road, cross that bridge when you come to it. It all looks good as far as I can see.

    The only thing is there is no need for GetPlus/NOS/ and if you decide to remove them the gp.ocx will more than likely remove when you remove GetPlus/NOS from Add/Remove.

    Take care,

    eidnolb
  • Feb 22, 2010 8:33 AM   in reply to Tomasz77

    Hi Tomasz77, I'll try to explain a little bit. When Adobe or any other Company comes out with an Update, users have a choice in how they update. With this latest FP update, it came out on 2/11/10. I became aware of it on 2/12/10. Now I could have updated on 2/12/10 by going to several of the Adobe sites and updated. I chose to wait for Adobe to prompt me and update that way, because that is how my FP has always been updated. Many users receive not only the FP update automatically but Adobe Reader in the same manner. I receive a prompt for Adobe Reader updates also.

    My Avast Anti-Virus does the same thing when a new version is available. A pop up comes up and tells me a new version is available. At that time I can click on it and Avast will update to the new version. Now, I also can go to their website and update from there. Microsoft is the same way. Many users have set their system for Automatic Updates, which whenever Microsoft has any update for Windows or IE it will be downloaded and updated automatically. I have chosen to have Microsoft advise me updates are available and choose which update I want and when. Now likewise, I can also go to the Windows update and download that way.

    When I receive a prompt from Adobe for Flash Player or Reader, I am not sent or transferred to any website. It is all done automatically, I just watch what is being done until it is finished. Then I go to my Flash folder to make sure the correct files have been installed, go to manage add ons to make sure Shockwave Flash Object has been also and Reboot. My opinion is that the person that told you that you would be transferred to a website during the process of the install via the prompt was/is mistaken. Makes no sense, what's the point?

    In your first post, you said you noticed that the update was not signed by Adobe and you deactivated it. The only way you could have checked during the uninstall and install was to have stopped the process and therefore the update was not finished. Then in your post#9 you said you updated IE & FF. At that point you should have used the Uninstaller first. Then in post#14, you used the Uninstaller. Then you installed FP, using the "get.adobe.com" site. That site has the DLM/GetPlus/NOS installer.

    I hope this has answered all of your questions.

    Thanks,

    eidnolb

    Message was edited by: eidnolb  add'l
  • Feb 22, 2010 9:35 AM   in reply to Tomasz77

    Apparently, the unsigned notifications are now exploited by a spam reaching me every day, and whose HTML content is only:

    <embed height="360" type="application/x-shockwave-flash" width="634" src="http://www.users.qwest.net/~benpeg72/Secure/wanadoo.swf">

    WARNING! This is a worm that activates with a simple mousehover. Don't try it if you're not experienced!

    (the URL for this Flash Video object changes daily, it is sent in a spam whose title is for now "hollaa!" but this could change at anytime, there are LOTS of alternate mirror sources of this SWF, with variable file names and on a lot of hosting domains and user webspaces).

    This immediately wants to run an update of Flash to the current version (that I already have), but this forced download is definitely not the original FlashPlayer from Adobe.

    Really, the problem is in Flash Player that activates the malicious action immediately without any user action, just by previewing a mail. Thankfully, I'm using Google Chrome and not IE as my default web browser. The result of this Flash object may be catastrophic in IE, I did not try to see what would happen in IE.
  • Feb 22, 2010 9:54 AM   in reply to Tomasz77

    Hi Tomasz77, I understand what you are saying. For my part I have never thought about it nor even checked since once I check the "install now" from the prompt I don't want to do anything to stop or interrupt the process. I like the install from the prompt because Adobe uninstalls the old FP files and installs the new and I don't have to deal with it.

    I have one last question for you:-) Where did you look to find that the update was "unsigned?"

    Thanks,

    eidnolb
  • Feb 22, 2010 10:02 AM   in reply to eidnolb

    The only fact that it comes within a spam is just enough for me to refuse its installation or even its download.

    (I simply don't know from where the file is actually downloaded by the script within this malicious SWF file, I think it's up to Adobe experts to analyze what is in this SWF and why it is used this way as a worm and cast in a working spam, apparently reaching lots of people in the world that are already infected)

    If Adobe does not publish a security issue rapidly explaining how to mitigate its effects or a patch to restrict the mousehover interaction before an explicit click action to launch the video, I will completely uninstall Flash.
  • Feb 22, 2010 10:31 AM   in reply to Tomasz77

    Hi Tomasz77, ok thanks. That helps me understand how this came about. Ok, then I agree with you that you did the right thing in stopping it and the ActiveX Control. I would have done the same thing had I received that kind of a message.

    However, the message you received is not what I receive or have ever received. That is suspect indeed. I would have said no immediately and run my Anti-Virus at that moment.

    The prompt that I have been speaking of pops up within the time I have set for Adobe to notify me of a Flash Player update and only advises that an Adobe Flash Player update is available and gives me three choices. Install now, Remind me later, or Don't Install. These choices are in the pop up window notification. Nowhere does it ask anything that you state.

    Glad you finally got it all cleared and thank you for marking your thread answered.

    Regards,

    eidnolb
  • Feb 22, 2010 10:50 AM   in reply to verdy_p

    Hi Verdy, well clearly this is not coming from Adobe. Everyday the bad guys are at work and the Anti-Virus programs are constantly updating to battle this. I don't see what Adobe could do to combat spam.

    Microsoft just took a lot of heat with an update that was being blamed to cause the BSOD for XP users that installed the Windows update. They investigated and the cause was an Alureon Rootkit infection that was already on the computers that were having a problem. This Rootkit infection was able to change the Windows Kernel and the system was unstable, then the update was an "effect" not the cause. Microsoft went to people's houses that reported these problems and got the hard drive info and ran multiple tests and were able to verify the exact problem.

    As anyone knows, a rootkit infection is a very serious matter and Microsoft did an excellent investigation to find the cause. Also, other XP users that did not have the Rootkit infection installed the same update and no reports of any BSOD have been reported. And Microsoft verified all of this in their testings.

    Perhaps before we blame Adobe we might want to wait and see if something that Microsoft just experienced has not happened.

    Spam is known and can be malicious of course. It is not the Flash Player update at fault, because many people are updating and have no problem at all. I certainly have not.

    I don't know in what form this spam came to you but the bad guys are always trying new ways.

    Thanks

    eidnolb
  • Feb 22, 2010 11:05 AM   in reply to eidnolb

    I didn't say that the original Adobe FlashPlayer was malicious or bogus. But I've still never seen a SWF file activated this way from a spam. Before, it always required a user action to activate it, so the spams used "social engineering" to convince recipients to open the attachment or to activate the component.

    This time, this is not necessary, the component starts running immediately and starts playing in the local zone without an explicit user action. That's why I think that there's a new security hole exploited, or that there's an incorrect assumption in the security checks performed by FlashPlayer before it activates the script stored within the SWF file (which is loaded from an external domain, not related to the webmail domain or to the local untrusted zone of a local mail client).

    Flash is supposed to be loaded by the <embed> element in an HTML mail from within an unsecure zone (notably if the email itself is not digitally signed from a secure domain): it should have the strict minimum authorizations: it should not run, it should just be able to render the first frame of static objects, but no user action should be allowed. Activating "onmousehover" events immediately is a severe security hole in this case: I thought this was the case, but visibly, the malware authors of this SWF have found a way to circumvent this restriction, and exploit it.
  • Feb 22, 2010 11:33 AM   in reply to verdy_p

    Thanks Verdy, I read your info here before the more detailed info on your thread. I misunderstood here what you were saying, sorry. Didn't quite have the understanding that I have now after reading your thread.

    I'm surprised that a mere "mouseover" triggers this. Is Tomasz77's suggestion on no HTML a possible answer?

    It certainly appears to me that the responsibility for this lies somewhere. That's more than I can sort out, but those that can should.

    Thanks for explaining this and that may be what Tomasz77 was involved in.

    Hopefully, some of the more experienced Adobe employees and contributors will respond.

    eidnolb

    Message was edited by: eidnolb  add'l
  • Feb 22, 2010 11:50 AM   in reply to eidnolb

    Well I need to be able at least to have a safe preview. And on a webmail, there's simply no preview mode where HTML rendering can be disabled, in order to just show the plain-text code. In this preview mode, all Javascript in the HTML is disabled, lots of components become inactive, and a few <embed> elements are allowed, but loaded by disabling the auto-play parameters (notably of Flash).

    Flash is then supposed to be loaded but not allowed to run, it can just attempt to render the static elements and possibly only the first frame of a video (we should need to click somewhere to play it).

    I confirm that the mere "mouseover" action is enough to play the Flash object. And it is not tolerable, because the Flash object covers almost all the surface of the window: right-click on a message to preview, it opens, but immediately, you don't have the time to place the mouse cursor out of the rendering area before the SWF gets loaded. So Flash intercepts a mouseover on the new HTML page that appears. This event should not trigger anything. This is not the case here. And one of the actions is to automatically download a supposed "FlashPlayer" installer (with the latest version), but I don't know where it comes from. There's not even any confirmation that the browser can intercept, because all happens within Flash that the browser cannot control itself. The Flash object here is used to open a new browser window on a new (unknown) URL for the download, as if the user itself had followed an active link from a local application (for example like when activating a shortcut on the desktop).

    All happens as if Flash thought that the user initiated the download, and the web browser also does not detect it (I don't see the normal browser yellow-bar alert at the top of the window that should happen before such download starts). Yes I can still block the download, only because I have set the browser to ALWAYS ASK for the target folder of downloads, and NEVER proceed it immediately. But this is not ideal, and I need to cancel it: this requires centering the mouse on the screen to reach the cancel button or the close button of the "save as..." dialog. But as soon as the "save as..." dialog closes, the mouse is now on top of the Flash object, which retriggers immediately the "mouseover" event, which reopens a download.

    This is really irritating. And prone to errors made by users that may finally accept it by accident, or just to terminate an infinite loop of retried downloads.

    Flash should really NOT honor the "mouseover" event by default. Only a "mouseclick" on the Flash object can be a convincing event, that can be forwarded to the SWF content. All Javascript within the SWF should then be completely inactive before this effective click.

    This attack seems to work now (given the rate at which I receive this spam now), because it requires absolutely no social engineering. It just runs without permission.
  • Feb 22, 2010 12:15 PM   in reply to eidnolb

    Note: I don't use IE, so I don't blame Microsoft here.

    I use Google Chrome which is supposed to display a yellow bar alert before authorizing the download. This does not occur. (I may blame Google for that).

    I also blame Adobe for honoring the mouseover event immediately from a simple preview of an HTML page (even where all referenced scripts are disabled, a setting that Adobe Flash player completely ignores too...)

    And yes, I need to use a webmail because I read emails on multiple locations (my Internet speed is fast enough that the overhead of the webmail is negligible).

    Google also does not list the websites hosting this SWF as malicious. None of my antivirus or antispam or antirootkit or antispam softwares are helping to detect and block this SWF.

    I can just conclude that Flash is used as a propagation vector, helping the worm to spread (and the SWF is the worm, it can come from everywhere, it has no distinctive name and no distinctive URL, and apparently it is also mutating, so SHA1/MD5 content hashes are not helping to detect it).

    Flash needs to be secured more: if a Flash object can contain Javascript, this javascript has to be digitally signed and secured, or it should never honor all the interactions without an explicit user consent. The Flash object should also display somewhere the effective URL from where any download is started: there's simply no indication of the domain name from where the malicious (fake?) FlashPlayer installer is downloaded.

    My system is still clean, but given that none of the security tools I have tried are detecting this SWF, this suggests that this is a new form of attack. Let's fight it early before it creates too much damage and infects too many users on the web (that will then become new open doors for further variants and new attacks).

    If I receive new copies of this SWF, I will try to list them in the other messages thread where I first discussed it. I have deleted them since now, but given that there's been no action by security tools authors for a week, we must escalate the problem and inform users about this threat. I'll be happy when there will be a detection mechanism in some security suites, and then when there will be new security restrictions in Flash, or/and in Google Chrome or other browsers, that will help mitigate or block this kind of attack.

    (We will still have to live with social engineering, but this is manageable. I cannot easily manage automated scripts that run without any explicit user action, like here).
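Both the spam body quoted earlier in this thread (a mail whose whole HTML is one Flash `<embed>` pulled from an external host) and the point above that hash-based detection fails against a mutating SWF suggest checking the mail's HTML before it is ever rendered. The following is an added example, not code from this thread or from Adobe: a small Python pre-render check that flags Flash `<embed>`/`<object>` elements whose host is outside an allow-list, and mails that carry no visible text besides the Flash element; the host names and sample messages are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example, not code from this thread. Hosts and messages are constructed.
FLASH_MIME = "application/x-shockwave-flash"


class FlashEmbedFinder(HTMLParser):
    """Collect every element that makes a webmail preview load Flash, and keep
    the visible text so an 'embed only' mail (no text at all) can be spotted."""

    def __init__(self):
        super().__init__()
        self.hits = []   # (element, source URL) pairs
        self.text = []   # visible text fragments
        self._skip = 0   # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "embed":
            src = a.get("src", "")
            if a.get("type", "").lower() == FLASH_MIME or src.lower().endswith(".swf"):
                self.hits.append(("embed", src))
        elif tag == "object":
            data = a.get("data", "")
            if a.get("type", "").lower() == FLASH_MIME or data.lower().endswith(".swf"):
                self.hits.append(("object", data))
        elif tag == "param" and a.get("name", "").lower() == "movie":
            # <object><param name="movie" value="x.swf"> is the ActiveX (IE) form
            self.hits.append(("param", a.get("value", "")))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def scan_html_mail(html, trusted_hosts=()):
    """Return (verdict, reasons); verdict is 'block', 'warn' or 'ok'.

    Policy (a defender's choice for this example, not something the thread
    prescribes): Flash from a host not on the allow-list -> 'block'; a mail
    whose only content is the Flash element -> 'block'; Flash from an
    allow-listed host -> 'warn' (still to be shown click-to-play, never auto-run).
    """
    p = FlashEmbedFinder()
    p.feed(html)
    p.close()
    verdict, reasons = "ok", []
    for kind, src in p.hits:
        host = (urlparse(src).hostname or "").lower()
        if host and host in trusted_hosts:
            reasons.append(f"{kind}: Flash from allow-listed host {host}")
            if verdict == "ok":
                verdict = "warn"
        else:
            reasons.append(f"{kind}: Flash from untrusted source {src or '<inline>'}")
            verdict = "block"
    if p.hits and not "".join(p.text).strip():
        reasons.append("mail body has no visible text, only Flash content")
        verdict = "block"
    return verdict, reasons


# Constructed samples (placeholder hosts), modelled on the bare <embed> spam quoted above.
EMBED_ONLY_SPAM = ('<embed height="360" type="application/x-shockwave-flash" width="634" '
                   'src="http://swf-mirror.example.invalid/Secure/player.swf">')
PARAM_FORM_SPAM = ('<object><param name="movie" '
                   'value="http://other.example.invalid/a.swf"></object>')
TRUSTED_MAIL = ('<p>Quarterly video</p><object type="application/x-shockwave-flash" '
                'data="https://media.corp.example/q1.swf"></object>')
PLAIN_MAIL = "<p>Hello, see the report attached.</p>"

if __name__ == "__main__":
    for name, html in [("embed-only spam", EMBED_ONLY_SPAM), ("param form", PARAM_FORM_SPAM),
                       ("trusted", TRUSTED_MAIL), ("plain", PLAIN_MAIL)]:
        verdict, reasons = scan_html_mail(html, trusted_hosts=("media.corp.example",))
        print(f"{name:15} -> {verdict}: {'; '.join(reasons) or 'no Flash content'}")
```

The check is deliberately content-based rather than hash-based, so a SWF that changes its bytes or its mirror URL on every copy is still caught by the element that loads it.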
  • Feb 22, 2010 12:45 PM   in reply to verdy_p

    Thanks verdy, take a look at this. It appears Microsoft came out with this Fake Flash Player email warning on 1/16/10.

    I don't have time to read it at the moment.

    http://forums.cnet.com/5208-6132_102-0.html?messageID=3184197#3184197

    I bookmarked this on 1/18/10 and forgot about it. Perhaps there is an update on it. I know that the Microsoft Techs were busy with it because they had a recorded message about it that if you were calling about this you could click "#" on their phone lines.

    eidnolb
  • Feb 22, 2010 3:25 PM   in reply to eidnolb

    I can't call their phone line for that, and anyway I don't think that Microsoft is involved in this case, even if this occurs on Windows 7 (not XP as you have assumed above): I don't use IE (which is not installed at all) but Google Chrome (I've mostly abandoned Firefox, which is too risky in most of its numerous addons, and I much prefer a simpler browser with fewer dependencies and liabilities). FlashPlayer is supported indirectly by Google too (but Google still does not detect this threat).

    Anyway, your pointer links to a new phishing. As I said above, the threat described is not phishing, it does not use social engineering, does not request personal data, does not want to convince us to visit a site (the worm can visit it directly) and does not even need to use it, it works just without it, making it potentially more dangerous.

    And all the list of malwares listed in this pointer are already detected by my security tools. But not this one which is clearly unrelated and more powerful. The only common thing is that it will download and will try to install a fake FlashPlayer, using the existing capabilities (or security holes) of an original FlashPlayer (already up to date).
  • Feb 22, 2010 3:49 PM   in reply to verdy_p

    Well, now I have a detection from these two (scanned on filterBit)

    McAfee VirusScan Enterprise   312ms   2010-02-22 00:00:00   Suspicious Extensions
    Norman Scan Engine            15ms    2010-02-22 12:26:00   W32/Delf.DRLY

    This is effectively a new worm whose detection came only 12 hours ago (I have had the first set of copies for nearly 2 weeks).

    Detected Possible File Types: Win32 Executable Delphi generic

    MD5: 7c9a2925f2329a1ba6a583a72e73316e
    SHA1: 337999016812216be3f28b9c74c024e9be290900

    File Size: 257848 bytes

    This is the fake "FlashPlayer10.0.45.2.exe" that the SWF above tries to install without needing a single click on the rendered video object.

    I retried on VirusTotal, and I get only these detections:

    7AntiVirus   7.10.979       2010.02.20   Trojan.Win32.Malware.1
    Norman       6.04.08        2010.02.21   W32/Delf.DRLY
    Symantec     20091.2.0.41   2010.02.22   Suspicious.Insight

    Anyway, the detection is only on the fake FlashPlayer (second step of the malware).

    There's no detection for the SWF worm itself, and then this is a security hole of the original FlashPlayer used as the original vector (because it honors "mouseover" events to automatically download this fake Flash installer). Without changing any line of Javascript code in the SWF, it could download any other kind of malware.

    On some security forums, the W32/Delf.DRLY trojan is considered with security level "High".

    There's still nothing about its SWF vector and if FlashPlayer has a security hole plugged by this SWF worm.
  • Feb 22, 2010 3:52 PM   in reply to verdy_p

    I can retrace a possible injection point of this fake FlashPlayer malware via "ThePirateBay":

    http://thepiratebay.org/torrent/5017882/L4D___left_4_dead_Patch_Full_1014_by_madwiggyNLD

    (but still seeking the SWF worm that targets my mailbox about 5 or 6 times a day for more than one week)
  • Feb 22, 2010 4:13 PM   in reply to verdy_p

    Hi Verdy, well you are a good detective:-) I'm not sure what I can do from here, but will try to get your posts and info on this to the proper place/persons that can. Your information is very valuable in my opinion and needs to be considered at a higher level than the forum.

    I don't use webmail, but many do. If this is Outlook Express or Gmail, then I think they need to be contacted. I know about a month ago perhaps, that HJT's entire data base was stolen and then I heard Malwarebytes as well. I don't know the latest on MWB but Trend Micro's HJT was removed. Strange that you mention "piratebay". Let me do some checking & see what I have on that. I may send you a PM, just depends.

    Thanks,

    eidnolb

    If you like it may be more helpful to post on your thread only, just a suggestion.
  • Currently Being Moderated
    Feb 22, 2010 4:52 PM   in reply to eidnolb

    My email provider is the former Wanadoo (in France), now renamed Orange.

    Apparently it is targettting the millions of users of Orange in France.

     

    I have this email since more than 10 years, Orange is no longer my ISP, but I keep the account, instead of multiplying the number of accounts (and multiplying the sources of problems (and the ways to manage them), just in order to keep my existing subscriptions in lots of contributing areas.

     

    I never use social networks, I never use pirate sites. I can give PirateBay, only because the fake FlashPlayer was detected there in 2009. However, the signature must have changed because now the fake FlashPlayer uses a version that was only realeased by Adobe during the last month.

     

    So I think that the detection (in Norman, is generic, and this is a new variant). anyway, this is not the W32/Delf.DRLY trojan that is causing me troubles (even if it is detecgted since only a few hours). For me the major problem is the way the SWF worm carries the Javascript which then automatically starts the download of the trojan fake FlashPlayer installer.

     

    So there's effectively a problem in Flash Player. but it is strange that Norman released a detection only in the last 12 hours, when someone in PirateBay could detect it in 2009 with this exact name (W32/Delf.DRLY)... May be this was a typo because in 2009, the related trojans were "W32.Delf.DRL", "W32.Delf.DRN", "W32.Delf.DRY" (with a three-letters extension, not 4-letters now).

     

    Note also: the MD5/SHA1 of this fake FlashPlayer is changing for each copy I receive. This is normal because it is packed as a generic Delphi executable containing a CAB resource, and the executable contains calls to the Win32 CABVIEWER.DLL API from Microsoft, to delete/create CAB entries in a FPI resource.

     

    The SWF file is also mutating regularly (depending on the mirror hosting it), apparently to change the internal URL from which the fake FlashPlayer will be downloaded.

     

    MD5/SHA1 file signatures do not work. We need to detect it by computing digital signatures on distinct code or data segments within the executable (but here again the exact size is changing, there is apparently some random data padded in various parts of the code and data segments). I don't know if there is a similar system for the Javascripts embedded in a SWF file, or if antivirus can parse the Javascript embedded in a SWF, before it is rendered by the original Flash Player.

     

    I really think that FlashPlayer must absolutely be digitally signed by Adobe using a secure certificate, including for its updates, and Adobe must further restrict the authorizations in the internal JavaScript engine used by its Flash Player, and completely disable mouseover events as long as there has not been at least one click to start playing it.

     

    Yes, this means that advertising banners on various sites will no longer be animated automatically. Or Adobe could animate them, but only using the video data present within the SWF object itself (it should not be allowed to perform any web request before an active click in the banner). The Adobe Flash player should also display its own local icon to close a malicious SWF content displayed in an embedded Flash object, without passing any click to the SWF's embedded JavaScript. In other words: don't instantiate the Flash JavaScript engine before the component has been explicitly activated by the user.
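    Added example (not code from verdy_p, Adobe or any AV vendor) of the per-segment hashing idea above: hash each PE section separately so that a repacked resource section does not change the hash of the code section. The PE images built here are constructed stand-ins, not the fake installer; as the post notes, random padding inside a section would still defeat this.

```python
import hashlib
import struct

def pe_section_hashes(data):
    """Map each PE section name to the SHA-256 of its raw on-disk bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]     # SizeOfOptionalHeader
    sec_tbl = coff + 20 + opt_size
    hashes = {}
    for i in range(nsec):
        hdr = data[sec_tbl + 40 * i: sec_tbl + 40 * (i + 1)]    # IMAGE_SECTION_HEADER is 40 bytes
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        hashes[name] = hashlib.sha256(data[raw_ptr:raw_ptr + raw_size]).hexdigest()
    return hashes

def whole_file_sha256(data):
    return hashlib.sha256(data).hexdigest()

def build_sample_pe(text, rsrc):
    """Constructed minimal PE image (not a real binary): MZ stub, COFF header with no
    optional header, and two sections whose raw data follows the section table."""
    pe_off = 0x40
    data_off = pe_off + 4 + 20 + 2 * 40
    mz = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # i386, 2 sections, opt size 0
    def section(name, raw, ptr):
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), 0x1000, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
    return (mz + b"PE\0\0" + coff + section(b".text", text, data_off)
            + section(b".rsrc", rsrc, data_off + len(text)) + text + rsrc)

# Constructed stand-ins: identical code section, resource section differing in payload and padding,
# mimicking a dropper whose embedded CAB is rewritten per copy.
TEXT = bytes.fromhex("558bec83ec105dc3")
SAMPLE_A = build_sample_pe(TEXT, b"constructed CAB A" + b"\0" * 16)
SAMPLE_B = build_sample_pe(TEXT, b"constructed CAB B" + b"\x90" * 37)
```

    Whole-file hashes of the two samples differ while their .text hashes match, which is the property the post asks a scanner to exploit.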

     
  • Feb 22, 2010 9:02 PM   in reply to verdy_p

    For tracking only, I reported it to this Avira support forum (where I cross-linked this page):

     

    http://forum.avira.com/wbb/index.php?page=Thread&threadID=107297&s=9a3165b058caccbc65ce4b0c9c2f275d9ab20c00

     

    which has also forwarded it to Avira LAB, Microsoft Protection Center and Malwarebytes' Anti-Malware team.

     

    Others will probably follow soon, now that we have at least 5 security centers involved. Are there other interesting places to follow, or is the Microsoft Protection Center already helping propagate the information to other security centers working on Windows?

     
  • Feb 22, 2010 9:21 PM   in reply to verdy_p

    That's great Verdy, thanks for the update. I have been so busy here on the forum, but only helping 2 right now. I have a couple of contacts, will see what I can do in a minute. I did send your info to those here that have authority to forward it on. I felt all of your research was too valuable to just not do so.

     

    I'm glad you were able to do what you have done. Just as soon as I get a break I will make a couple of contacts and let you know. I may PM any info.

     

    Thanks,

    eidnolb

     
  • Feb 22, 2010 10:54 PM   in reply to eidnolb

    Note: the "Wanadoo.SWF" vector file itself (225 694 bytes) is compressed with SWF2SWC (from the Adobe FlashKit). Apparently, this compressor (or the compression method it uses) is still not supported by any antivirus, so it cannot parse the internal malicious JavaScript/ActionScript (or any other security hole in this compressed format, if the intended security is bypassed by some incorrect format validation or false/unchecked assumptions).

     

    Is there a strict online format validator for SWF/SWC container files? Is there a structure parser that shows the content streams within that file and allows extracting them for further analysis?

     

    If you lose access to the SWF file (on its hosting site), I have saved a private copy of it; it will remain on my disk in a non-risky store until there's an antivirus update that will detect and drop it. (Because this SWF worm is not detected by any antivirus listed in FilterBit or VirusTotal, not even Norman AV.) Ask me in a private message if you want a copy (notably because the initial versions of new worms are easier to parse and understand than later releases that try to complicate things for decryptors).
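    Added example (not code from verdy_p or from Adobe) answering the structure-parser question above: a minimal SWF container walker that handles both uncompressed (FWS) and zlib-compressed (CWS) files, lists the tag stream, and points out the tags that hold ActionScript, which is what a scanner must reach before the player executes it. The sample SWF is constructed inline; it is not the worm file.

```python
import struct
import zlib

# Tag codes that carry ActionScript bytecode (AVM1 DoAction/DoInitAction, AVM2 DoABC).
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 72: "DoABCDefine", 82: "DoABC"}

def parse_swf(data):
    """Return (signature, version, [(tag_code, tag_length), ...]) for an FWS or CWS file."""
    sig, version = data[:3], data[3]
    declared_len = struct.unpack_from("<I", data, 4)[0]   # uncompressed size incl. 8-byte header
    body = data[8:]
    if sig == b"CWS":
        body = zlib.decompress(body)                        # everything after byte 8 is one zlib stream
    elif sig != b"FWS":
        raise ValueError("not a SWF: signature %r" % sig)
    if len(body) + 8 != declared_len:
        raise ValueError("declared length %d does not match body" % declared_len)
    nbits = body[0] >> 3                        # RECT: 5-bit field width, then 4 coordinates
    pos = (5 + 4 * nbits + 7) // 8 + 4          # skip RECT, frame rate (UI16), frame count (UI16)
    tags = []
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, tlen = code_and_len >> 6, code_and_len & 0x3F
        if tlen == 0x3F:                        # long header: explicit UI32 length follows
            tlen = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        if pos + tlen > len(body):
            raise ValueError("tag %d runs past end of file" % code)
        tags.append((code, tlen))
        pos += tlen
        if code == 0:                           # End tag
            break
    return sig, version, tags

def script_tags(tags):
    """Names and sizes of the tags that contain ActionScript."""
    return [(SCRIPT_TAGS[c], n) for c, n in tags if c in SCRIPT_TAGS]

def build_sample_swf(compress):
    """Constructed sample (not the worm): one DoAction tag holding a single ActionEnd byte."""
    rect = b"\x28" + b"\x00" * 3                           # nbits=5 -> 25 bits -> 4 bytes
    header_rest = rect + struct.pack("<HH", 0x0C00, 1)     # 12.0 fps, 1 frame
    do_action = struct.pack("<H", (12 << 6) | 1) + b"\x00"
    body = header_rest + do_action + struct.pack("<H", 0)  # trailing End tag
    sig = b"CWS" if compress else b"FWS"
    payload = zlib.compress(body) if compress else body
    return sig + bytes([10]) + struct.pack("<I", 8 + len(body)) + payload
```

    Run parse_swf on a saved file's bytes and pass the tag list to script_tags to see whether the container carries ActionScript at all before opening it in a player.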

     
  • Feb 22, 2010 11:07 PM   in reply to verdy_p

    New location of the fake Flash Player (using exactly the same SWF from the same location)

     

    http://www.users.qwest.net/~lorddaven/Links/FlashPlayer10.0.45.2.exe

     

    This time, the fake player is detected by Avira: TR/Spy.287924

     

    Using the DoubleClick Flash Validator at:

    http://gts.dartmotif.com/validator/

    the SWF is considered valid (so it may be advertised on the very large DoubleClick banner network on lots of target websites, and not just delivered via spam; no click-through is necessary to activate it, the SWF just has to be displayed in any HTML page, and it will run its ActionScript immediately to download everything it likes directly into the local computer zone, even if it is stored in the browser's cache, without any prior confirmation alert by the browser...)

     

     
  • Feb 22, 2010 11:23 PM   in reply to verdy_p


    I've been able to block the "www.users.qwest.net" site completely, so that now Adobe Player will reject all interactions with this site (all content downloaded from its user accounts), but this only blocks the EXE, not the SWF vector.

     

    I've also reduced (using http://www.macromedia.com/support/documentation/fr/flashplayer/help/settings_manager03.html) the amount of space that a SWF source domain (including local host) is allowed to store locally in the Flash cache (to 100KB only per site, instead of 1 MB; this should block most malicious EXE files, as there's no reason why local stores should contain more than a few user settings or some cookie; if you use Flash only to display ad banners, 10KB per site should be enough, more is possibly needed for some complex Flash applications like videos on YouTube).

     