46 Replies Latest reply: Feb 23, 2010 9:29 PM by verdy_p

    Curious Flash player update

    Tomasz77 Community Member

      Hi, I got a message stating that Adobe wanted to update my Flash Player and asking if I would allow changes to my computer today (19.2.210) when I started my machine. I run my computer every day.

       

      I realized that the update request was not signed by Adobe only after clicking yes (silly me)!

       

      That's the info in my Internet Explorer about Flash (I deactivated it after getting suspicious about the update):

      Name            Shockwave Flash Object
      Herausgeber     Adobe Systems Incorporated
      Status          Deaktiviert
      Dateidatum      Mittwoch, 27. Januar 2010, 01:58
      Version         10.0.42.34

       

      Now I'm concerned about the security of my computer.

       

      Have any others of you received an update today?

       

      If any Adobe personnel read this, is this update definitely bogus?

       

      Thanks for your help

      Tomasz

        • 1. Re: Curious Flash player update
          MerryMort2000 Community Member

          new flash player should be version 10.0.45.2

          • 2. Re: Curious Flash player update
            Tomasz77 Community Member

            Thanks for your quick answer. Well yes, I thought so by looking at the forum. Makes me even more suspicious.

            • 3. Re: Curious Flash player update
              eidnolb onlyone Community Member

              Hi Tomasz77, Having read your thread, I would close all browsers, disconnect from the Internet and run a full Scan with your Anti-Virus/Spyware program.

               

              Then connect back to the Internet and check if the websites are working correctly.

               

              Then test here: http://www.adobe.com/products/flash/about

               

               

              Post back if you have any questions.

               

              Thanks,

              eidnolb

              • 4. Re: Curious Flash player update
                Tomasz77 Community Member

                Hi, thanks for bringing this to my attention.

                 

                However, I think the problems we are facing are different.

                 

                Before doing the manual update as you suggested, BOTH Firefox and IE8 showed the old version number. After updating, Firefox shows the new version number, while IE8 still shows the old one, but reports in the link you gave as the new one.

                 

                So this remains still open.

                • 5. Re: Curious Flash player update
                  eidnolb onlyone Community Member

                  Hi Tomasz77, Who suggested to you to do a manual update? And what link were you given and who gave it to you?

                   

                  I don't see anything on your thread here to indicate anything of which you speak.

                   

                  Just trying to clarify the information on the threads.

                   

                  Thank you for your help in this.

                   

                  eidnolb

                  • 6. Re: Curious Flash player update
                    Tomasz77 Community Member

                    Still open


                    • 7. Re: Curious Flash player update
                      eidnolb onlyone Community Member

                      Hi Tomasz77, I am still waiting for you to reply to my post#3 and post#5. That will be helpful since you say it is "still open".

                       

                       

                      Please post back, since I'm not sure of the status of your problem. Or what it is you want to do next.

                       

                       

                      Thanks,

                      eidnolb

                      • 8. Re: Curious Flash player update
                        pwillener CommunityMVP

                        Please note that there are different installs for Flash Player on Internet Explorer (ActiveX) and Firefox (plugin).  You may need to explicitly run the Flash Player install/update on Internet Explorer.

                        • 9. Re: Curious Flash player update
                          Tomasz77 Community Member

                          Being back from hyperventilating....

                           

                          First of all, I somehow got mixed up reading the other threads and eidnolb's message on this thread, so yes, there was no suggestion for a manual update in your answer here. However, it was a helpful link for determining the Flash Player version running in the browser.

                           

                          I did a thorough virus check as one of my first actions after getting suspicious and I did it again while being offline after Eidnolb's message. Both times nothing was found.

                           

                          Then I updated both the Flash Players in IE8 and Firefox to overwrite any possible Flash Player hacks. I made sure that I have the new Flash Player installed both in Firefox and in IE8, with IE8 still displaying the old version number (same as in my first message):

                           

                          Name    Shockwave Flash Object
                          Herausgeber     Adobe Systems Incorporated
                          Status          Aktiviert
                          Dateidatum      Mittwoch, 27. Januar 2010, 01:58
                          Version         10.0.42.34

                           

                           

                          Additional Info (one reason I'm so suspicious):

                          One day before getting the curious update I was watching some videos in YouTube. I got the following message from my Antivirus software:

                           

                          Original in partial German:

                          18.02.2010 14:23:31    HTTP-Prüfung    Datei    http://asderweq.net/dede/gsb50.jar    OSX/Exploit.Smid.B Trojaner    Verbindung getrennt - in Quarantäne kopiert    Blacky\Thomas    Bedrohung erkannt beim Zugriff auf das Web durch die Anwendung: C:\Program Files (x86)\Java\jre6\bin\java.exe.

                           

                          Translated to English:

                          18.02.2010 14:23:31    HTTP-Check  File  http://asderweq.net/dede/gsb50.jar  

                          Threat:                                  OSX/Exploit.Smid.B Trojan

                          Action <of antivrus software>: cut connection - copied to isolation  

                          <My Computer name>  

                          Threat identified during web access by: C:\Program Files (x86)\Java\jre6\bin\java.exe.

                          • 10. Re: Curious Flash player update
                            Tomasz77 Community Member

                            Hello eidnolb,

                             

                            Beside what I have described in my earlier message I have done a system inspection with the SysInspector by ESET

                            and looked into the results - found nothing looking really suspicious.

                             

                            Cannot think of anything more to do.

                             

                            What would help really most is a solid guess how good the chances are that this update has been issued by Adobe and not by some impostor and I'm really worrying about nothing........

                            • 11. Re: Curious Flash player update
                              eidnolb onlyone Community Member

                              Hi Tomasz77, Here is what you need to check. Using IE, go to Tools, click on Manage Add ons. Find a listing that says Shockwave Flash Object...ActiveX Control....Flash10e.ocx (if vs 10.0.45.2) Flash10d.ocx (if vs 10.0.42.34). I am not sure if you can do this with IE8 or not. I know with IE6 you can. Try it anyway. Click on Shockwave Flash Object and see if there is on the bottom right a box that says "Update ActiveX". If it does, click on it and see if it updates. A small window with a graph will run. When it is finished, Reboot your computer. In IE6 this updates that ActiveX, whether it will or not with IE, you'll know. If it doesn't then we need to take a look at the Flash Player files.

                               

                              One other thing on this Shockwave Flash Object. In your Post#1, you said you "deactivated" it after you became suspicious. Now anytime there is an Uninstall or Install of any program or like Flash Player, one must always Reboot for the changes to take effect. By "deactivating" this I think that stopped the process. If the above trying to update the SWO does not work, make sure it is Enabled and then Reboot(restart) your computer, before checking the Flash files below.

                               

                               

                               

                               

                              Go to C:\Windows\System32\Macromed\Flash.  Open the Flash folder and post back every listing.

                               

                              Since you have run several Anti-Virus Scans and ESET is very reliable, in my opinion you are ok. Now the trojan that was found was PRIOR to you receiving a prompt from Adobe and even then it was isolated by your Anti-Virus program.

                              Had an "imposter" tried to download something, why would they download the Adobe Flash Player, when they could have tried to download something worse? Your Anti-Virus caught the Trojan, and probably would have caught the "imposter"

                              That is just my opinion and based on how spyware and viruses work, in addition to you running scans and nothing was found. I don't know what Anti-Virus you have installed on your computer, I use Avast  and can Scan each and most every file. Can you do that with your installed program?

                               

                              Keep in mind also that Adobe and Microsoft use secure servers to download and since Adobe just came out with an update for Flash Player, many people are getting prompts. I received one myself and some of my friends have as well.

                               

                              See about the above and post back.

                               

                              Thanks,

                              eidnolb

                              • 12. Re: Curious Flash player update
                                Tomasz77 Community Member

                                Hi, here a first reply since your answer is from yesterday already....

                                Slept badly and wasted the morning on a false positive given by Malwarebytes' Anti-Malware

                                 

                                I will look into your answer more thoroughly after a quick noon nap....

                                • 13. Re: Curious Flash player update
                                  eidnolb onlyone Community Member

                                  Thanks Tomasz77, that is fine, no rush. I'll be off and on the forum today.

                                   

                                   

                                   

                                  eidnolb

                                  • 14. Re: Curious Flash player update
                                    Tomasz77 Community Member

                                    Hi eidnolb,

                                     

                                    first of all: thanks for all your work you invest in this.

                                     

                                    Here my answer to your remarks:

                                     

                                    1) There is no update button in IE8. I used the Adobe "uninstall_flash_player.exe" in the meantime to delete both the Firefox plugin and the IE8 ActiveX control. I reinstalled both again from the "get.adobe.com" website. You'll find a listing of my "macromed" folder attached to this message, it is located in the "C:\windows\syswow64" folder on my computer.

                                     

                                    2) When installing the IE8 flash player, I noticed a curious thing happening:  I could view a second entry in the Tools/Add On Dialog Box of IE8 directly below the flash player entry, which had vanished when I looked a second time. The control this entry referred to is gp.ocx, which is signed by Adobe. Please see the attached jpeg for the directory where this control is located (the directory path is <C:\Program Files (x86)\NOS\bin>). Do you have the same on your computer?

                                     

                                    3) I run ESET NOD32 and yes, I can do a complete check of memory/harddisk. As stated in my previous message, I also ran a complete system check with  Malwarebytes' Anti-Malware.

                                     

                                    4) Regarding the imposter thing: I'm just worried somebody recorded my computers address when the first attack failed and attempted a second one. It all depends on how automatic update requests via Internet work: If they are only started by background processes on my own computer (repeatedly checking if an update is available) or if one can initiate something like this from "the internet". I do not really know very much about this.

                                     

                                    5) When did you receive your update for flash player? Do you still know if in the initial window starting the update process the program was signed or not?

                                     

                                    Thx a lot

                                    Thomas

                                    • 15. Re: Curious Flash player update
                                      eidnolb onlyone Community Member

                                      Hi Tomasz77, IE8 is restrictive so that is why you couldn't update the ActiveX.

                                       

                                      Your#1. I have never manually installed Flash Player; mine is installed from the prompt. However, I am aware of the various Adobe sites to install. The one you used has the DLM that is used in addition to the GetPlus/Nos. Not the best site to D/L from in my opinion. For very large files is what it is for from my understanding. I saw them in your Flash folder.

                                       

                                      2. Yes, the gp.ocx is the GetPlus activeX. No I do not have this on my system. If I did I would remove them all:-) You saw that for a moment from the Detail box I would think. Why I don't know, it still installed.

                                      3. good

                                      4. The nature of a trojan is to install itself, but it did not, your anti-virus stopped it and isolated it. On the update process, Adobe I would think would advise of updates directly to your computer by secure servers just as Microsoft does if you have Automatic Updates permitted.

                                      Even if you go to Microsoft and install manually, same thing. You can be sure these servers are well protected. An imposter would have to have a lot more info than your IP address. Any website you visit gets that anytime you access it. These bad guys automatically search for insecure computers, not a one on one basis. Just like you sometimes receive a recorded phone message, if you answer you hear it, if you don't there is no connection made. Same thing with the trojan, it rang, your Anti-Virus answered the call. Ha-Ha

                                      5. I received my first prompt from Adobe on 2/18/10, but was busy, so clicked on the "Remind me later" option. No, I don't know if it was signed or not and have never known in all the times FP has been updated. I have never worried about that. I don't think a bad guy is going to install a perfectly working Flash Player on my system, he wants more than that and if he got it, I'd have more problems than Flash Player.

                                       

                                      No, in my opinion you are fine, your Flash Player files are all correct. As far as some things not signed, I have a couple of add ons that are not signed. In fact I use a Brothers 4 in 1 and it's not signed and Dell Support(which I'm sure you have also) is not signed. But you can be sure my Anti-Virus and very important programs are.

                                       

                                      If I were you I'd relax and if there is a problem down the road, cross that bridge when you come to it. It all looks good as far as I can see.

                                      The only thing is there is no need for GetPlus/NOS/ and if you decide to remove them the gp.ocx will more than likely remove when you remove GetPlus/NOS from Add/Remove.

                                       

                                      Take care,

                                      eidnolb

                                      • 16. Re: Curious Flash player update
                                        Tomasz77 Community Member

                                        Hello eidnolb,

                                         

                                        thanks for your answer. I only wished you had given me the info a bit earlier that you also received an automatic update request, that would have spared me a bit of time and sorrow.

                                         

                                        I think there is one last thing to clarify: Got an info from Adobe support that the automatic update request should have transferred me to flashplayer download page at get.adobe.com. I think this would be very unusual, the normal way of things is that the program or control just gets updated after you click OK to the automatic update request. Did you get transferred to the website?

                                         

                                        Thx so far

                                        Thomas

                                        • 17. Re: Curious Flash player update
                                          eidnolb onlyone Community Member

                                          Hi Tomasz77, I'll try to explain a little bit. When Adobe or any other Company comes out with an Update, users have a choice in how they update. With this latest FP update, it came out on 2/11/10. I became aware of it on 2/12/10. Now I could have updated on 2/12/10 by going to several of the Adobe sites and updated. I chose to wait for Adobe to prompt me and update that way, because that is how my FP has always been updated. Many users receive not only the FP update automatically but Adobe Reader in the same manner. I receive a prompt for Adobe Reader updates also.

                                           

                                          My Avast Anti-Virus does the same thing when a new version is available. A pop up comes up and tells me a new version is available. At that time I can click on it and Avast will update to the new version. Now, I also can go to their website and update from there. Microsoft is the same way. Many users have set their system for Automatic Updates, which whenever Microsoft has any update for Windows or IE it will be downloaded and updated automatically. I have chosen to have Microsoft advise me updates are available and choose which update I want and when. Now likewise, I can also go to the Windows update and download that way.

                                           

                                          When I receive a prompt from Adobe for Flash Player or Reader, I am not sent or transferred to any website. It is all done automatically, I just watch what is being done until it is finished. Then I go to my Flash folder to make sure the correct files have been installed, go to manage add ons to make sure Shockwave Flash Object has been also and Reboot. My opinion is that the person that told you that you would be transferred to a website during the process of the install via the prompt was/is mistaken. Makes no sense, what's the point?

                                           

                                          In your first post, you said you noticed that the update was not signed by Adobe and you deactivated it. The only way you could have checked during the uninstall and install was to have stopped the process and therefore the update was not finished. Then in your post#9 you said you updated IE & FF. At that point you should have used the Uninstaller first. Then in post#14, you used the Uninstaller. Then you installed FP, using the "get.adobe.com" site. That site has the DLM/GetPlus/NOS installer.

                                           

                                          I hope this has answered all of your questions.

                                          Thanks,

                                          eidnolb

                                           


                                          • 18. Re: Curious Flash player update
                                            Tomasz77 Community Member

                                            Hello eidnolb,

                                            Yes, thank you, I think this answered (nearly) all of my questions.

                                             

                                             

                                            I would still like to know why Adobe sends unsigned automatic update notifications, signing or somehow being able to be easily checking the credibility of the update would have saved me some headaches.

                                            • 19. Re: Curious Flash player update
                                              verdy_p Community Member

                                              Apparently, the unsigned notifications are now exploited by a spam reaching me every day, and whose HTML content is only:

                                               

                                              <embed height="360" type="application/x-shockwave-flash" width="634" src="http://www.users.qwest.net/~benpeg72/Secure/wanadoo.swf">

                                               

                                              WARNING! This is a worm that activates with a simple mousehover. Don't try it if you're not experienced!

                                               

                                              (the URL for this Flash Video object changes daily, it is sent in a spam whose title is for now "hollaa!" but this could change at anytime, there are LOTS of alternate mirror sources of this SWF, with variable file names and on a lot of hosting domains and user webspaces).

                                               

                                              This immediately wants to run an update of Flash to the current version (that I already have), but this forced download is definitely not the original FlashPlayer from Adobe.

                                               

                                              Really, the problem is in Flash Player that activates the malicious action immediately without any user action, just by previewing a mail. Thankfully, I'm using Google Chrome and not IE as my default web browser. The result of this Flash object may be catastrophic in IE, I did not try to see what would happen in IE.

                                              • 20. Re: Curious Flash player update
                                                eidnolb onlyone Community Member

                                                Hi Tomasz77, I understand what you are saying. For my part I have never thought about it nor even checked since once I check the "install now" from the prompt I don't want to do anything to stop or interrupt the process. I like the install from the prompt because Adobe uninstalls the old FP files and installs the new and I don't have to deal with it.

                                                 

                                                I have one last question for you:-) Where did you look to find that the update was "unsigned?"

                                                 

                                                 

                                                Thanks,

                                                eidnolb

                                                • 21. Re: Curious Flash player update
                                                  verdy_p Community Member

                                                  The only fact that it comes within a spam is just enough for me to refuse its installation or even its download.

                                                   

                                                  (I simply don't know from where the file is actually downloaded by the script within this malicious SWF file, I think it's up to Adobe experts to analyze what is in this SWF and why it is used this way as a worm and cast in a working spam, apparently reaching lots of people in the world that are already infected)

                                                   

                                                  If Adobe does not publish a security issue rapidly explaining how to mitigate its effects or a patch to restrict the mousehover interaction before an explicit click action to launch the video, I will completely uninstall Flash.

                                                  • 22. Re: Curious Flash player update
                                                    Tomasz77 Community Member

                                                    Hi eidnolb,

                                                     

                                                    first, I think there is a misunderstanding here: I didn't interrupt the update process, but disabled the flash player Active X control in IE. I was aware that this was a poor security measure, because the "Adobe" update request could have done just about anything on my PC once I allowed access.

                                                     

                                                    The automatic update message I received looked like

                                                     

                                                    Do you want to allow the following program to make changes to your computer:
                                                    Program name: Adobe Flash Player Update
                                                    Verified Issuer : Not verified

                                                     

                                                    (well I'm not really sure about the exact content, but this is how well I can remember)

                                                     

                                                    So long

                                                    Thomas
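The checks eidnolb asks for in post #11 (which Flash files are in the Macromed\Flash folder and which version they are) and the "Verified Issuer: Not verified" prompt Tomasz describes above both come down to one question: is the binary on disk carrying a valid Authenticode signature from Adobe? The following PowerShell script is an added example, not code from the thread or from Adobe; it assumes a 64-bit Windows with the two Macromed\Flash folders the thread names, and compares against the 10.0.45.2 version quoted in reply #1 and the "Adobe Systems Incorporated" publisher shown in IE.

```powershell
# Added example (not from the thread or from Adobe): read-only inventory of the Flash Player
# binaries, reporting each file's version and Authenticode signer so that an unsigned or
# wrong-signer file stands out before anything is "allowed to make changes to your computer".

$expectedVersion = [Version]'10.0.45.2'          # current release named in reply #1 (assumption)
$expectedSigner  = 'Adobe Systems Incorporated'  # the "Herausgeber" IE shows for the control

function Test-FlashBinary {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path
    $vi   = $item.VersionInfo
    # Build a comparable [Version] from the numeric parts; FileVersion is a free-form string.
    $ver  = [Version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                          $vi.FileBuildPart, $vi.FilePrivatePart)
    # Same check Windows performs before the UAC prompt: NotSigned here is what the user
    # sees as "Verified Issuer: Not verified".
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    # Three independent reasons to distrust a file: a missing or broken signature,
    # a signer other than Adobe, or a version older than the current release.
    $problems = @()
    if ($sig.Status -ne 'Valid') { $problems += "signature: $($sig.Status)" }
    if ($subject -notmatch [regex]::Escape($expectedSigner)) { $problems += "signer: $subject" }
    if ($ver -lt $expectedVersion) { $problems += "version $ver is older than $expectedVersion" }

    New-Object PSObject -Property @{
        File     = $item.FullName
        Version  = $ver
        Status   = $sig.Status
        Signer   = $subject
        Problems = if ($problems) { $problems -join '; ' } else { 'none' }
    }
}

$flashDirs = @(
    "$env:SystemRoot\System32\Macromed\Flash",   # folder named in post #11
    "$env:SystemRoot\SysWOW64\Macromed\Flash"    # where Tomasz found his files (post #14)
)

$results = foreach ($dir in $flashDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { Write-Warning "Not present: $dir"; continue }
    Get-ChildItem -LiteralPath $dir -Recurse -Include *.ocx,*.dll,*.exe |
        ForEach-Object { Test-FlashBinary -Path $_.FullName }
}

$results | Format-Table File, Version, Status, Signer, Problems -AutoSize
```

Running `Test-FlashBinary` on a downloaded installer before executing it gives the same signer information the UAC dialog summarises, so a "Not verified" result can be examined without ever clicking Yes.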

                                                    • 23. Re: Curious Flash player update
                                                      eidnolb onlyone Community Member

                                                      Hi Tomasz77, ok thanks. That helps me understand how this came about. Ok, then I agree with you that you did the right thing in stopping it and the ActiveX Control. I would have done the same thing had I received that kind of a message.

                                                       

                                                       

                                                      However, the message you received is not what I receive or have ever received. That is suspect indeed. I would have said no immediately and run my Anti-Virus at that moment.

                                                       

                                                      The prompt that I have been speaking of pops up within the time I have set for Adobe to notify me of a Flash Player update and only advises that an Adobe Flash Player update is available and gives me three choices. Install now, Remind me later, or Don't Install. These choices are in the pop up window notification. No where does it ask anything that you state.

                                                       

                                                       

                                                      Glad you finally got it all cleared and thank you for marking your thread answered.

                                                       

                                                      Regards,

                                                      eidnolb

                                                      • 24. Re: Curious Flash player update
                                                        eidnolb onlyone Community Member

                                                        Hi Verdy, well clearly this is not coming from Adobe. Every day the bad guys are at work and the Anti-Virus programs are constantly updating to battle this. I don't see what Adobe could do to combat spam.

                                                         

                                                        Microsoft just took a lot of heat with an update that was being blamed to cause the BSOD for XP users that installed the Windows update. They investigated and the cause was an Alureon Rootkit infection that was already on the computers that were having a problem. This Rootkit infection was able to change the Windows Kernel and the system was unstable, so the update was an "effect", not the cause. Microsoft went to people's houses that reported these problems and got the hard drive info and ran multiple tests and were able to verify the exact problem.

                                                         

                                                        As anyone knows, a rootkit infection is a very serious matter and Microsoft did an excellent investigation to find the cause. Also, other XP users that did not have the Rootkit infection installed the same update and no BSOD has been reported. And Microsoft verified all of this in their testing.

                                                         

                                                        Perhaps before we blame Adobe we might want to wait and see if something that Microsoft just experienced has not happened.

                                                         

                                                        Spam is known and can be malicious of course. It is not the Flash Player update at fault, because many people are updating and have no problem at all. I certainly have not.

                                                         

                                                        I don't know in what form this spam came to you but the bad guys are always trying new ways.

                                                         

                                                        Thanks

                                                        eidnolb

                                                        • 25. Re: Curious Flash player update
                                                          verdy_p Community Member

                                                          I didn't say that the original Adobe FlashPlayer was malicious or bogus. But I've still never seen a SWF file activated this way from a spam. Before, it always required a user action to activate it, so the spams used "social engineering" to convince recipients to open the attachment or to activate the component.

                                                           

                                                          This time, this is not necessary: the component starts running immediately and starts playing in the local zone without an explicit user action. That's why I think that there's a new security hole being exploited, or that there's an incorrect assumption in the security checks performed by FlashPlayer before it activates the script stored within the SWF file (which is loaded from an external domain, not related to the webmail domain or to the local untrusted zone of a local mail client).

                                                           

                                                          Flash is supposed to be loaded by the <embed> element in an HTML mail from within an insecure zone (notably if the email itself is not digitally signed from a secure domain): it should have the strict minimum authorizations. It should not run, it should just be able to render the first frame of static objects, but no user action should be allowed. Activating "onmousehover" events immediately is a severe security hole in this case: I thought this was the case, but visibly the malware authors of this SWF have found a way to circumvent this restriction, and exploit it.

                                                          • 26. Re: Curious Flash player update
                                                            eidnolb onlyone Community Member

                                                            Thanks Verdy, I read your info here before the more detailed info on your thread. I misunderstood here what you were saying, sorry. Didn't quite have the understanding that I have now after reading your thread.

                                                             

                                                            I'm surprised that a mere "mouseover" triggers this. Is Tomasz77's suggestion on no HTML a possible answer?

                                                             

                                                            It certainly appears to me that the responsibility for this lies somewhere. That's more than I can sort out, but those that can should.

                                                             

                                                            Thanks for explaining this and that may be what Tomasz77 was involved in.

                                                             

                                                             

                                                            Hopefully, some of the more experienced Adobe employees and contributors will respond.

                                                             

                                                             

                                                            eidnolb

                                                             

                                                            Message was edited by: eidnolb  add'l

                                                            • 27. Re: Curious Flash player update
                                                              verdy_p Community Member

                                                              Well, I need at least to be able to have a safe preview. And in a webmail, there's simply no preview mode where HTML rendering can be disabled, in order to just show the plain-text code. In this preview mode, all Javascript in the HTML is disabled, lots of components become inactive, and a few <embed> elements are allowed, but loaded with the auto-play parameters disabled (notably for Flash).

                                                               

                                                              Flash is then supposed to be loaded but not allowed to run: it can just attempt to render the static elements and possibly only the first frame of a video (we should have to click somewhere to play it).

                                                               

                                                              I confirm that the mere "mouseover" action is enough to play the Flash object. And it is not tolerable, because the Flash object covers almost all the surface of the window: right-click on a message to preview, it opens, but immediately; you don't have the time to place the mouse cursor out of the rendering area before the SWF gets loaded. So Flash intercepts a mouseover on the new HTML page that appears. This event should not trigger anything. This is not the case here. And one of the actions is to automatically download a supposed "FlashPlayer" installer (with the latest version), but I don't know where it comes from. There's not even any confirmation that the browser can intercept, because all happens within Flash, which the browser cannot control itself. The Flash object here is used to open a new browser window on a new (unknown) URL for the download, as if the user himself had followed an active link from a local application (for example like when activating a shortcut on the desktop).

                                                               

                                                              All happens as if Flash thought that the user initiated the download, and the web browser also does not detect it (I don't see the normal browser yellow-bar alert at the top of the window that should happen before such a download starts). Yes, I can still block the download, only because I have set the browser to ALWAYS ASK for the target folder of downloads, and NEVER proceed with it immediately. But this is not ideal, and I need to cancel it: this requires centering the mouse on the screen to reach the cancel button or the close button of the "save as..." dialog. But as soon as the "save as..." dialog closes, the mouse is now on top of the Flash object, which retriggers immediately the "mouseover" event, which reopens a download.

                                                               

                                                              This is really irritating. And prone to errors made by users that may finally accept it by accident, or just to terminate an infinite loop of retried downloads.

                                                               

                                                              Flash should really NOT honor the "mouseover" event by default. Only a "mouseclick" on the Flash object can be a convincing event, that can be forwarded to the SWF content. All Javascript within the SWF should then be completely inactive before this effective click.

                                                               

                                                              This attack seems to work now (given the rate at which I receive this spam now), because it requires absolutely no social engineering. It just runs without permission.
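
What a webmail "safe preview" could do with such a message, as an added example in Python (not part of this thread, and not any mail provider's code): parse the HTML body with the standard library, list every <object>/<embed> together with the SWF it loads (from src, data or the movie param), flag the ones hosted outside the mail domain, and return a copy of the markup with those elements removed, so nothing reaches the Flash plugin before the user opts in. The message body, the host names swf-host.example and webmail.example and the file names are constructed for this example.

```python
"""Find and neutralise Flash <object>/<embed> elements in an HTML mail body
before it is rendered in a preview pane. Added example; the sample message
and host names below are constructed, not taken from a real spam."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class FlashEmbedScanner(HTMLParser):
    """Records each <object>/<embed> and its SWF URL, and rebuilds the markup
    without them. Everything nested inside a dropped <object> is dropped too."""

    def __init__(self, mail_domain):
        super().__init__(convert_charrefs=False)
        self.mail_domain = mail_domain.lower()
        self.findings = []     # one dict per plugin element found
        self.out = []          # pieces of the sanitised markup
        self.depth = 0         # > 0 while inside an <object> being dropped
        self.current = None    # the <object> whose movie URL we are collecting

    def _record(self, tag, src):
        host = (urlparse(src).hostname or "").lower() if src else ""
        self.findings.append({"tag": tag, "src": src, "host": host,
                              "external": bool(host) and host != self.mail_domain})

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if self.depth:                       # child of a dropped <object>
            if tag == "object":
                self.depth += 1
            elif tag == "param" and (a.get("name") or "").lower() == "movie":
                self.current["src"] = self.current["src"] or a.get("value")
            elif tag == "embed":             # fallback <embed> inside <object>
                self.current["src"] = self.current["src"] or a.get("src")
            return
        if tag == "embed":                   # void element: never has an end tag
            self._record(tag, a.get("src"))
        elif tag == "object":
            self.current = {"tag": tag, "src": a.get("data")}
            self.depth = 1
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if tag == "object":                  # self-closed <object/>: nothing nested
            if not self.depth:
                self._record(tag, dict(attrs).get("data"))
            return
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self.depth:
            if tag == "object":
                self.depth -= 1
                if self.depth == 0:
                    self._record(self.current["tag"], self.current["src"])
                    self.current = None
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.depth:
            self.out.append("&%s;" % name)

    def handle_charref(self, name):
        if not self.depth:
            self.out.append("&#%s;" % name)


def scan_html_mail(html, mail_domain):
    """Return (findings, sanitised_html) for one message body."""
    scanner = FlashEmbedScanner(mail_domain)
    scanner.feed(html)
    scanner.close()
    return scanner.findings, "".join(scanner.out)


# Constructed sample message: one <object> loading an SWF from a foreign host
# (with a nested fallback <embed>), one <embed> from the webmail's own domain,
# and an ordinary image that must survive sanitisation.
SAMPLE_MAIL = """<html><body>
<p>Mise &agrave; jour de votre lecteur Flash</p>
<object width="600" height="400">
  <param name="movie" value="http://swf-host.example/Wanadoo.swf">
  <param name="allowScriptAccess" value="always">
  <embed src="http://swf-host.example/Wanadoo.swf" type="application/x-shockwave-flash">
</object>
<embed src="http://webmail.example/static/banner.swf" type="application/x-shockwave-flash">
<img src="http://webmail.example/static/logo.png" alt="logo">
</body></html>"""

if __name__ == "__main__":
    found, clean = scan_html_mail(SAMPLE_MAIL, "webmail.example")
    for f in found:
        print("%-6s %-45s external=%s" % (f["tag"], f["src"], f["external"]))
    print(clean)
```

The scanner keeps the markup it passes through verbatim (including entities) and only drops the plugin elements, which is the behaviour wanted for a preview pane: the text and images still render, and the SWF is never fetched.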

                                                              • 28. Re: Curious Flash player update
                                                                verdy_p Community Member

                                                                Note: I don't use IE, so I don't blame Microsoft here.

                                                                 

                                                                I use Google Chrome which is supposed to display a yellow bar alert before authorizing the download. This does not occur. (I may blame Google for that).

                                                                 

                                                                I also blame Adobe for honoring the mouseover event immediately from a simple preview of an HTML page (even where all referenced scripts are disabled, a setting that Adobe Flash player completely ignores too...)

                                                                 

                                                                And yes, I need to use a webmail because I read emails in multiple locations (my Internet speed is fast enough that the overhead of the webmail is negligible).

                                                                 

                                                                Google also does not list the websites hosting this SWF as malicious. None of my antivirus, antispam or antirootkit software is helping to detect and block this SWF.

                                                                 

                                                                I can just conclude that Flash is used as a propagation vector, helping the worm to spread (and the SWF is the worm, it can come from everywhere, it has no distinctive name and no distinctive URL, and apparently it is also mutating, so SHA1/MD5 content hashes are not helping to detect it).

                                                                 

                                                                Flash needs to be secured more: if a Flash object can contain Javascript, this javascript has to be digitally signed and secured, or it should never honor all the interactions without an explicit user consent. The Flash object should also display somewhere the effective URL from where any download is started: there's simply no indication of the domain name from where the malicious (fake?) FlashPlayer installer is downloaded.

                                                                 

                                                                My system is still clean, but given that none of the security tools I have tried are detecting this SWF, this suggests that this is a new form of attack. Let's fight it early before it creates too much damage and infects too many users on the web (who will then become new open doors for further variants and new attacks).

                                                                 

                                                                If I receive new copies of this SWF, I will try to list them in the other messages thread where I first discussed it. I have deleted them for now, but given that there's been no action by security tool authors for a week, we must escalate the problem and inform users about this threat. I'll be happy when there is a detection mechanism in some security suites, and then when there are new security restrictions in Flash, and/or in Google Chrome or other browsers, that will help mitigate or block this kind of attack.

                                                                 

                                                                (We will still have to live with social engineering, but this is manageable. I cannot easily manage automated scripts that run without any explicit user action, like here).

                                                                • 29. Re: Curious Flash player update
                                                                  eidnolb onlyone Community Member

                                                                  Thanks verdy, take a look at this. It appears Microsoft came out with this Fake Flash Player email warning on 1/16/10.

                                                                   

                                                                  I don't have time to read it at the moment.

                                                                   

                                                                  http://forums.cnet.com/5208-6132_102-0.html?messageID=3184197#3184197

                                                                   

                                                                   

                                                                  I bookmarked this on 1/18/10 and forgot about it.  Perhaps there is an update on it. I know that the Microsoft Techs were busy with it because they had a recorded message about it that if you were calling about this you could click "#" on their phone lines.

                                                                   

                                                                   

                                                                  eidnolb

                                                                  • 30. Re: Curious Flash player update
                                                                    verdy_p Community Member

                                                                    I can't call their phone line for that, and anyway I don't think that Microsoft is involved in this case, even if this occurs on Windows 7 (not XP as you have assumed above): I don't use IE (which is not installed at all) but Google Chrome (I've mostly abandoned Firefox, which is too risky in most of its numerous addons, and I much prefer a simpler browser with fewer dependencies and liabilities). FlashPlayer is supported indirectly by Google too (but Google still does not detect this threat).

                                                                     

                                                                    Anyway, your pointer links to a new phishing. As I said above, the threat described is not phishing, it does not use social engineering, does not request personal data, does not want to convince us to visit a site (the worm can visit it directly) and does not even need to use it, it works just without it, making it potentially more dangerous.

                                                                     

                                                                    And all the malware listed in this pointer is already detected by my security tools. But not this one, which is clearly unrelated and more powerful. The only common thing is that it will download and will try to install a fake FlashPlayer, using the existing capabilities (or security holes) of an original FlashPlayer (already up to date).

                                                                    • 31. Re: Curious Flash player update
                                                                      verdy_p Community Member

                                                                      Well, now I have a detection from these two (scanned on filterBit)

                                                                       

                                                                      McAfee VirusScan Enterprise   312 ms   2010-02-22 00:00:00   Suspicious Extensions
                                                                      Norman Scan Engine            15 ms    2010-02-22 12:26:00   W32/Delf.DRLY

                                                                       

                                                                      This is effectively a new worm whose detection came only 12 hours ago (I have had the first set of copies for nearly 2 weeks).

                                                                       

                                                                       

                                                                      Detected Possible File Types: Win32 Executable Delphi generic

                                                                      MD5: 7c9a2925f2329a1ba6a583a72e73316e
                                                                      SHA1: 337999016812216be3f28b9c74c024e9be290900

                                                                      File Size: 257848 bytes

                                                                       

                                                                      This is the fake "FlashPlayer10.0.45.2.exe" that the SWF above tries to install without needing a single click on the rendered video object.

                                                                       

                                                                      I retried on VirusTotal, and I get only these detections:

                                                                       

                                                                      7AntiVirus   7.10.979       2010.02.20   Trojan.Win32.Malware.1
                                                                      Norman       6.04.08        2010.02.21   W32/Delf.DRLY
                                                                      Symantec     20091.2.0.41   2010.02.22   Suspicious.Insight

                                                                       

                                                                      Anyway, the detection is only on the fake FlashPlayer (second step of the malware).

                                                                       

                                                                      There's no detection for the SWF worm itself, and so this is a security hole of the original FlashPlayer used as the original vector (because it honors "mouseover" events to automatically download this fake Flash installer). Without changing any line of Javascript code in the SWF, it could download any other kind of malware.

                                                                       

                                                                      On some security forums, the W32/Delf.DRLY trojan is considered with security level "High".

                                                                      There's still nothing about its SWF vector and if FlashPlayer has a security hole plugged by this SWF worm.

                                                                      • 32. Re: Curious Flash player update
                                                                        verdy_p Community Member

                                                                        I can retrace a possible injection point of this fake FlashPlayer malware via "ThePirateBay":

                                                                        http://thepiratebay.org/torrent/5017882/L4D___left_4_dead_Patch_Full_1014_by_madwiggyNLD

                                                                         

                                                                        (but still seeking the SWF worm that has been targeting my mailbox about 5 or 6 times a day for more than one week)

                                                                        • 33. Re: Curious Flash player update
                                                                          eidnolb onlyone Community Member

                                                                          Hi Verdy, well you are a good detective:-) I'm not sure what I can do from here, but will try to get your posts and info on this to the proper place/persons that can. Your information is very valuable in my opinion and needs to be considered at a higher level than the forum.

                                                                           

                                                                          I don't use webmail, but many do. If this is Outlook Express or Gmail, then I think they need to be contacted. I know about a month ago perhaps, that HJT's entire data base was stolen and then I heard Malwarebytes as well. I don't know the latest on MWB but Trend Micro's HJT was removed. Strange that you mention "piratebay". Let me do some checking & see what I have on that. I may send you a PM, just depends.

                                                                           

                                                                          Thanks,

                                                                          eidnolb

                                                                           

                                                                          If you like it may be more helpful to post on your thread only, just a suggestion.

                                                                          • 34. Re: Curious Flash player update
                                                                            verdy_p Community Member

                                                                            My email provider is the former Wanadoo (in France), now renamed Orange.

                                                                            Apparently it is targeting the millions of users of Orange in France.

                                                                             

                                                                            I have had this email for more than 10 years. Orange is no longer my ISP, but I keep the account, instead of multiplying the number of accounts (and multiplying the sources of problems and the ways to manage them), just in order to keep my existing subscriptions in lots of contributing areas.

                                                                             

                                                                            I never use social networks, I never use pirate sites. I can give PirateBay only because the fake FlashPlayer was detected there in 2009. However, the signature must have changed because now the fake FlashPlayer uses a version that was only released by Adobe during the last month.

                                                                             

                                                                            So I think that the detection (in Norman) is generic, and this is a new variant. Anyway, it is not the W32/Delf.DRLY trojan that is causing me trouble (even if it has been detected for only a few hours). For me the major problem is the way the SWF worm carries the Javascript which then automatically starts the download of the trojan fake FlashPlayer installer.

                                                                             

                                                                            So there's effectively a problem in Flash Player. But it is strange that Norman released a detection only in the last 12 hours, when someone on PirateBay could detect it in 2009 with this exact name (W32/Delf.DRLY)... Maybe this was a typo because in 2009, the related trojans were "W32.Delf.DRL", "W32.Delf.DRN", "W32.Delf.DRY" (with a three-letter extension, not four letters as now).

                                                                             

                                                                            Note also: the MD5/SHA1 of this fake FlashPlayer is changing for each copy I receive. This is normal because it is packed as a generic Delphi executable containing a CAB resource, and the executable contains calls to the Win32 CABVIEWER.DLL API from Microsoft, to delete/create CAB entries in a FPI resource.

                                                                             

                                                                            The SWF file is also mutating regularly (depending on the mirror hosting it), apparently to change the internal URL from which the fake FlashPlayer will be downloaded.

                                                                             

                                                                            MD5/SHA1 file signatures do not work. We need to detect it by computing digital signatures on distinct code or data segments within the executable (but here again the exact size is changing, there is apparently some random data padded in various parts of the code and data segments). I don't know if there is a similar system for the Javascripts embedded in a SWF file, or if antivirus can parse the Javascript embedded in a SWF, before it is rendered by the original Flash Player.

                                                                             

                                                                            I really think that FlashPlayer must absolutely be digitally signed by Adobe using a secure certificate, including for its updates, and Adobe must further restrict the authorizations in the internal Javascript engine used by its Flash Player, and completely disable mouseover events as long as there has not been at least one click to start playing it.

                                                                             

                                                                            Yes, this means that advertising banners in various sites will no longer be animated automatically. Or Adobe could animate them but only using the video data present within the SWF object itself (it should not be allowed to perform any web request before an active click in the banner). The Adobe Flash player should also display its own local icon to close a malicious SWF content displayed in an embedded Flash object, without passing any click to the SWF's embedded javascript. In other words: don't instantiate the Flash Javascript engine before the component has been explicitly activated by the user.
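
The per-segment hashing proposed two posts above, as an added example in Python that is not verdy_p's code and not any vendor's: hash each PE section's raw bytes on its own, and hash the overlay (whatever follows the last section, which is where an appended CAB-style payload would sit) separately, so that two copies that differ only in header fields or in appended data still match on their sections even though their whole-file MD5/SHA1 differ. The two sample "files" are built by build_sample_pe with a synthetic PE32 layout that is not executable; their section contents, overlays and timestamps are assumptions made for the example.

```python
"""Hash a PE file per section instead of as a whole, so copies that differ only
in header fields or in appended (overlay) data still match on their code and
data. Added example; the sample files are constructed below, not real malware."""
import hashlib
import struct


def pe_section_hashes(data):
    """SHA-256 of each section's raw bytes, of the overlay (bytes after the last
    section) and of the whole file. Raises ValueError on a non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # COFF header follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # section table, 40 bytes per entry
    sections, end_of_sections = {}, 0
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        name = name.rstrip(b"\x00").decode("ascii", "replace")
        sections[name] = hashlib.sha256(data[raw_ptr:raw_ptr + raw_size]).hexdigest()
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    overlay = data[end_of_sections:]
    return {
        "sections": sections,
        "overlay_size": len(overlay),
        "overlay_sha256": hashlib.sha256(overlay).hexdigest() if overlay else None,
        "file_sha256": hashlib.sha256(data).hexdigest(),
    }


def matching_sections(file_a, file_b):
    """Names of the sections whose raw bytes are identical in both files."""
    a = pe_section_hashes(file_a)["sections"]
    b = pe_section_hashes(file_b)["sections"]
    return sorted(n for n in a if n in b and a[n] == b[n])


def build_sample_pe(text, data, overlay, timestamp):
    """Constructed sample: a minimal PE32 layout (MZ stub, COFF header, an
    optional header that is zero apart from its magic, .text and .data sections
    aligned to 0x200) with `overlay` appended after the last section. It is a
    test fixture for the hashing above, not a runnable executable."""
    sections = [(b".text", text, 0x60000020), (b".data", data, 0xC0000040)]
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, len(sections),
                                       timestamp, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * 222                    # PE32 magic
    table, raw, ptr, va = b"", b"", 0x200, 0x1000
    for name, content, flags in sections:
        padded = content.ljust(0x200, b"\x00")                        # file alignment
        table += struct.pack("<8sIIIIIIHHI", name, len(content), va,
                             len(padded), ptr, 0, 0, 0, 0, flags)
        raw, ptr, va = raw + padded, ptr + len(padded), va + 0x1000
    headers = (dos + coff + opt + table).ljust(0x200, b"\x00")
    return headers + raw + overlay


if __name__ == "__main__":
    code = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\xc9\xc3"                # constructed
    strings = b"FlashPlayer10.0.45.2.exe\x00"
    copy1 = build_sample_pe(code, strings, b"CAB-like payload " + b"A" * 100, 0x4B7F0000)
    copy2 = build_sample_pe(code, strings, b"CAB-like payload " + b"B" * 137, 0x4B800000)
    for label, blob in (("copy1", copy1), ("copy2", copy2)):
        h = pe_section_hashes(blob)
        print(label, "file", h["file_sha256"][:16], "overlay", h["overlay_size"], "bytes")
        for n, digest in h["sections"].items():
            print("   ", n, digest[:16])
    print("identical sections:", matching_sections(copy1, copy2))
```

Comparing section digests instead of file digests is the same idea behind per-section and import hashing in malware triage: the repacked variant shares its .text and .data digests with the first copy, while the whole-file hash and the overlay hash change every time the appended payload or the header timestamp does.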

                                                                            • 35. Re: Curious Flash player update
                                                                              verdy_p Community Member

                                                                              For tracking only, I signaled it to this Avira support forum (where I cross-linked this page):

                                                                               

                                                                              http://forum.avira.com/wbb/index.php?page=Thread&threadID=107297&s=9a3165b058caccbc65ce4b0c9c2f275d9ab20c00

                                                                               

                                                                              which has also forwarded it to Avira LAB, Microsoft Protection Center and Malwarebytes' Anti-Malware team.

                                                                               

                                                                              Others will probably follow soon, now that we have at least 5 security centers involved. Are there other places interesting to follow, or is the Microsoft Protection Center already helping propagate the information to other security centers working on Windows ?

                                                                              • 36. Re: Curious Flash player update
                                                                                eidnolb onlyone Community Member

                                                                                That's great Verdy, thanks for the update. I have been so busy here on the forum, but only helping 2 right now. I have a couple of contacts, will see what I can do in a minute. I did send your info to those here that have authority to forward it on. I felt all of your research was too valuable to just not do so.

                                                                                 

                                                                                I'm glad you were able to do what you have done. Just as soon as I get a break I will make a couple of contacts and let you know. I may PM any info.

                                                                                 

                                                                                Thanks,

                                                                                eidnolb

                                                                                • 37. Re: Curious Flash player update
                                                                                  verdy_p Community Member

                                                                                  Note: the "Wanadoo.SWF" vector file itself (225 694 bytes) is compressed with SWF2SWC (from the Adobe FlashKit). Apparently, this compressor (or the compression method it uses) is still not supported by any antivirus, so it cannot parse its internal malicious Javascript/Actionscript (or any other security hole in this compressed format, if the intended security is bypassed by some incorrect format validation or false/unchecked assumptions).

                                                                                   

                                                                                  Is there a strict online format validator for SWF/SWC container files? Is there a structure parser that shows the content streams within that file, and allows extracting them for further analysis?

                                                                                   

                                                                                  If you lose access to the SWF file (on its hosting site), I have saved a private copy of it; it will remain on my disk in a non-risky store until there's an antivirus update that will detect and drop it. (Because this SWF worm is not detected by any antivirus listed in FilterBit or VirusTotal, not even Norman AV.) Ask me for it in a private message if you want a copy (notably because the initial versions of new worms are easier to parse and understand than later releases that try to complicate things for decryptors).
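
A structure parser of the kind asked for in the post above, as an added example in Python that is not from this thread and not Adobe's code: it recognises the FWS (uncompressed) and CWS (zlib after the 8-byte header) signatures that the SWF file format specification defines, checks the declared file length against the decompressed body, decodes the header RECT, frame rate and frame count, and walks the tag list so that the bytecode-bearing tags (DoAction, DoInitAction, DoABC) can be located and their payloads pulled out for analysis without ever handing the file to Flash Player. The sample SWF is constructed by build_sample_swf and holds only an empty DoAction block; it is not the Wanadoo.SWF discussed here, and the LZMA (ZWS) variant is deliberately left unhandled.

```python
"""Minimal SWF container parser: signature/compression, header fields and the
tag list, so that ActionScript-bearing tags can be located and extracted
without running the file in Flash Player. Added example; the sample SWF is
constructed below."""
import struct
import zlib

# Tag codes from the SWF file format specification that carry bytecode:
# DoAction/DoInitAction hold AS1/AS2, DoABC (72 or 82) holds AS3.
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 72: "DoABC", 82: "DoABC"}
TAG_NAMES = {0: "End", 1: "ShowFrame", 9: "SetBackgroundColor",
             69: "FileAttributes", **SCRIPT_TAGS}


def parse_swf(data):
    """Decode the header and tag list; raises ValueError on a malformed file."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    signature, version = data[:3], data[3]
    declared_length = struct.unpack_from("<I", data, 4)[0]
    if signature == b"FWS":
        body = data[8:]
    elif signature == b"CWS":
        body = zlib.decompress(data[8:])        # everything after the header is zlib
    elif signature == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS) not handled in this example")
    else:
        raise ValueError("not a SWF: signature %r" % signature)
    # The length field counts the uncompressed file including the 8-byte header.
    length_ok = declared_length == len(body) + 8
    # Header: RECT (5-bit Nbits, then four Nbits-wide fields, padded to a byte),
    # frame rate as 8.8 fixed point, then the frame count.
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8
    frame_rate = struct.unpack_from("<H", body, pos)[0] / 256.0
    frame_count = struct.unpack_from("<H", body, pos + 2)[0]
    pos += 4
    tags = []
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        code, length = code_and_len >> 6, code_and_len & 0x3F
        pos += 2
        if length == 0x3F:                      # long form: 32-bit length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        if pos + length > len(body):
            raise ValueError("tag %d at offset %d runs past end of body" % (code, pos))
        tags.append({"code": code, "name": TAG_NAMES.get(code, "Unknown"),
                     "offset": pos, "length": length,
                     "payload": body[pos:pos + length]})
        pos += length
        if code == 0:                           # End tag closes the list
            break
    return {"compression": signature.decode("ascii"), "version": version,
            "declared_length": declared_length, "length_ok": length_ok,
            "frame_rate": frame_rate, "frame_count": frame_count, "tags": tags,
            "script_tags": [t["name"] for t in tags if t["code"] in SCRIPT_TAGS]}


def is_well_formed_swf(data):
    """True when the file parses cleanly and its declared length is consistent."""
    try:
        return parse_swf(data)["length_ok"]
    except (ValueError, zlib.error, IndexError, struct.error):
        return False


def _tag(code, payload):
    """Encode one tag record, using the long form when the payload is 63+ bytes."""
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<H", (code << 6) | 0x3F) + struct.pack("<I", len(payload)) + payload


def build_sample_swf(compress):
    """Constructed sample: a one-frame SWF whose only script is a DoAction block
    of ActionEnd plus padding (70 bytes, so the long tag form is exercised)."""
    body = b"\x00"                              # RECT with Nbits = 0, padded to 1 byte
    body += struct.pack("<H", 12 << 8)          # 12.0 fps in 8.8 fixed point
    body += struct.pack("<H", 1)                # one frame
    body += _tag(69, b"\x00\x00\x00\x00")       # FileAttributes
    body += _tag(9, b"\xff\xff\xff")            # SetBackgroundColor, white
    body += _tag(12, b"\x00" * 70)              # DoAction: ActionEnd then padding
    body += _tag(1, b"")                        # ShowFrame
    body += _tag(0, b"")                        # End
    header = struct.pack("<BI", 10, 8 + len(body))   # version 10, uncompressed length
    if compress:
        return b"CWS" + header + zlib.compress(body)
    return b"FWS" + header + body


if __name__ == "__main__":
    info = parse_swf(build_sample_swf(compress=True))
    print(info["compression"], "v%d" % info["version"], "length ok:", info["length_ok"])
    for t in info["tags"]:
        print("  %-20s code=%-3d len=%d" % (t["name"], t["code"], t["length"]))
    print("script tags:", info["script_tags"])
```

Running it on a captured file is a matter of passing open(path, "rb").read() to parse_swf; the "payload" of each DoAction/DoABC entry is the raw bytecode that a disassembler or a signature scanner would then look at, and a declared length that disagrees with the decompressed size is the first sign of the "incorrect format validation" the post worries about.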

                                                                                  • 38. Re: Curious Flash player update
                                                                                    verdy_p Community Member

                                                                                    New location of the fake Flash Player (using exactly the same SWF from the same location)

                                                                                     

                                                                                    http://www.users.qwest.net/~lorddaven/Links/FlashPlayer10.0.45.2.exe

                                                                                     

                                                                                    This time, the fake player is detected by Avira: TR/Spy.287924

                                                                                     

                                                                                    Using the DoubleClick Flash Validator at:

                                                                                    http://gts.dartmotif.com/validator/

                                                                                    the SWF is considered valid (so, it may be advertised on the very large DoubleClick banner network on lots of target websites, and not just delivered via spams; no click-through is necessary to activate it, the SWF just has to be displayed in any HTML page, and it will run its ActionScript immediately to download everything it likes directly into the local computer zone, even if it is stored in the browser's cache, without any prior confirmation alert by the browser...)

                                                                                     

                                                                                    • 39. Re: Curious Flash player update
                                                                                      verdy_p Community Member


                                                                                      I've been able to block the "www.users.qwest.net" site completely, so that now Adobe Player will reject all interactions with this site (all content downloaded from its users' accounts), but this only blocks the EXE, not the SWF vector.

                                                                                       

                                                                                      I've also reduced (using http://www.macromedia.com/support/documentation/fr/flashplayer/help/settings_manager03.html) the amount of space that a SWF source domain (including local host) is allowed to store locally in the Flash cache (to 100 KB only per site, instead of 1 MB; this should block most malicious EXE files, as there's no reason why local stores should contain more than a few user settings or some cookie; if you use Flash only to display ad banners, 10 KB per site should be enough, more is possibly needed for some complex Flash applications like videos on YouTube).
