On Mac OS X 10.9.5. Within my Flash Player app it is set to download but not update Flash Player. Went OK for update, file downloaded. Checked the 'verify internet source' box, and got sent to www.get3adobe.com - 'Page Not Found'. The site is valid according to Trusteer. It had the text below. So I am suspicious and do not know what to do next.
The page you requested could not be found on our web site.
You may wish to try one of the following links:
Hi geoffr90904907,
Unless there's a typo, www.get3adobe.com is not an Adobe website. Attempting to go to www.get3adobe.com redirects to ww1.get3adobe.com, and Adobe IT filters block it as potentially malicious. Can you provide more information on this app that downloads Flash Player?
Thank you.
--
Maria
Hi Maria,
Thanks for that. I'm not clear what downloads Flash Player; it comes up periodically in a small Adobe-style window which, I think, offers 3 options, something like 'install without prompt', 'ask before installing' and 'never install'. The auto update is marked 'recommended'. I always opt for 'ask', and when the Apple download window appears with 'downloaded from internet - trust this, or see originating site?' I check the site. This is the first time I've hit the get3adobe site, and it just did not look right. The downloaded file was:
AdobeFlashPlayer_18au_a_install.dmg
Where on the previous update it was:
AdobeFlashPlayer_17_a_install.dmg
A second Adobe style window appeared subsequently, on screen at the same time as the first one (both visible) and the originator site for the topmost (second) window was the main Adobe one, and the downloaded file was:
AdobeFlashPlayer_18_a_install.dmg
Which is what I expected and I installed that.
I do not know how Adobe prompts my Flash app to post an update; I was on a news website (I think) and some Flash content came up, so I'm guessing it called the Flash app for a video, which then looked for updates. I therefore assume that the Flash Player app sets up any update windows. But I do not know.
This is quite worrying IF Flash Player has got corrupted, but perhaps it is more likely that the news page triggered something. I just don't know what page I was on at that time.
If Flash Player 18n has now loaded on my Mac, and is the genuine app, AND is the app that checks for updates, then problem has disappeared, but still the question remains.
Regards
Geoff
Hi Jeromie, Maria
(looks like you are connected?)
I have just looked at my Console logs.
I have the following from Adobe_ADM.log
06/23/15 12:21:15:554 | | | ADM | | ApplicationContext | | | 277925 | *********************** ADM Workflow start. Version: 1.0.0.19s **************************
06/23/15 12:21:25:011 | | | ADM | | ApplicationContext | | | 278158 | *********************** ADM Workflow start. Version: 1.0.0.19s **************************
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | White listed URLs are
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | get.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | get2.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | aihdownload.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | admdownload.stage.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | admdownload.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | airdownload.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | ardownload.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | ardownload2.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | download.macromedia.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | fpdownload.macromedia.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | fpdownload2.macromedia.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | fpdownload.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | fpdownload2.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | platformdl.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | platformdl-stage.corp.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | wwwimages2.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | wwwimages.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | wwwimages.stage.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | wwwimages2.stage.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | dlmping.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | dlmping2.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | dlmping3.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | dlmping4.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | get3.adobe.com
06/23/15 12:21:26:870 | | | ADM | | ApplicationContext | | | 277925 | get3.stage.adobe.com
06/23/15 12:21:26:870 | | | ADM | | ApplicationContext | | | 277925 | adobetag.com
06/23/15 12:21:26:870 | | | ADM | | ApplicationContext | | | 277925 | promotion.adobe.com
06/23/15 12:21:26:870 | | | ADM | | ApplicationContext | | | 277925 | stats.adobe.com
06/23/15 12:21:26:870 | | | ADM | | ApplicationContext | | | 277925 | sstats.adobe.com
06/23/15 12:21:26:870 | | | ADM | | ApplicationContext | | | 277925 | Actual OS locale:'en_US', OS locale for this instance:'en_US', ADM locale : en
06/23/15 12:21:27:976 | | | ADM | | WorkflowManager | | | 278200 | Complete ADM URL after encoding: https://get.adobe.com/flashplayer/webservices/adm/?cname=AdobeFlashPlayer_18_a_install.dmg&bname=FlashPlayer&site=live&type=install&language=en
06/23/15 12:21:28:652 | | | ADM | | ApplicationContext | | | 278214 | sc_code : FP
06/23/15 12:21:28:652 | | | ADM | | ApplicationContext | | | 278214 | ping : {"pagename":"ACDC_FP_ADM_Launched","channel":"ACDC_FlashPlayer","prop1":"ADM","prop2":"ACDC Downloads","prop3":"get.adobe.com","prop4":"en_US","prop5":"en_US:ACDC_FP_ADM_Launched","products":";FlashPlayer_ADM","eVar74":"","events":"event96","eVar73":"ACDC_FlashPlayer"}
06/23/15 12:21:29:197 | | | ADM | | ApplicationContext | | | 278214 | systemPath=/Library/Application Support/Macromedia/mms.cfg
06/23/15 12:21:29:206 | | | ADM | | ApplicationContext | | | 278214 | AutoUpdateDisable=0, SilentAutoUpdateEnable=0
06/23/15 12:21:35:472 | | | ADM | | ApplicationContext | | | 278545 | ping : {"pagename":"ACDC_FP_ADM_Pref_1","channel":"ACDC_FlashPlayer","prop1":"ADM","prop2":"ACDC Downloads","prop3":"get.adobe.com","prop4":"en_US","prop5":"en_US:ACDC_FP_ADM_Pref_1","products":";FlashPlayer_ADM","eVar74":"","events":"","eVar73":"ACDC_FlashPlayer"}
06/23/15 12:21:35:899 | | | ADM | | WorkflowManager | | | 278545 | WorkflowManager.startPrechecks for product:Adobe Flash Player isPreInstalled:false isDiskSpaceAvailable:true
06/23/15 12:22:23:725 | | | ADM | | ApplicationContext | | | 278582 | Installation started for package 'Adobe Flash Player'
06/23/15 12:22:27:547 | | | ADM | | ApplicationContext | | | 278182 | Message received :
06/23/15 12:23:19:400 | | | ADM | | ApplicationContext | | | 278165 | Message received :
06/23/15 12:23:19:401 | | | ADM | | ApplicationContext | | | 278165 | InstallAction::launchProcessCallbackFn : errorCode : 0, returnCode : 3
06/23/15 12:23:19:805 | | | ADM | | ApplicationContext | | | 278582 | Installation completed for package 'Adobe Flash Player' installerReturnCode:'3' installerErrorCode:'0'
06/23/15 12:23:19:805 | | | ADM | | ApplicationContext | | | 278582 | Product installation successful 'Adobe Flash Player'
06/23/15 12:33:30:025 | | | ADM | | ApplicationContext | | | 303430 | ping : {"pagename":"ACDC_FP_ADM_Success_exitcode=3","channel":"ACDC_FlashPlayer","prop1":"ADM","prop2":"ACDC Downloads","prop3":"get.adobe.com","prop4":"en_US","prop5":"en_US:ACDC_FP_ADM_Success_exitcode=3","products":";FlashPlayer_ADM","eVar74":"","events":"","eVar73":"ACDC_FlashPlayer"}
06/23/15 12:33:30:176 | | | ADM | | ApplicationContext | IPCCommunications | | 278182 | Error CB_PktID_Terminate
06/23/15 12:33:30:176 | | | ADM | | ApplicationContext | | | 278158 | *********************** ADM Workflow end. Version: 1.0.0.19s **************************
06/23/15 12:33:30:333 | | | ADM | | ApplicationContext | | | 303430 | Start Application Detection Id
06/23/15 12:33:31:444 | | | ADM | | ApplicationContext | | | 277925 | *********************** ADM Workflow end. Version: 1.0.0.19s **************************
There is also an Adobe_GDE.log as follows:
06/23/15 12:21:27:976 | | | | | | | | 278200 | ******************start of Download***************
06/23/15 12:21:27:976 | | | | | | | | 278200 | GDE Version is 1.0.0.1
06/23/15 12:21:35:929 | | | | | | | | 278545 | The file to be downloaded is http://platformdl.adobe.com/adm/manifest/FlashPlayerInstaller_1800194.xml
06/23/15 12:21:35:929 | | | | | | | | 278545 | Going to download the file at /Users/geoffrussellgrant/Library/Application Support/Adobe/.F433086D-59E4-42FB-A27D-A7FA3A628C72/9C6919C0-A6B2-4BD5-9803-EFE762FFDB6F/AF522981-6938-47E9-8544-FDCBD94D5097
06/23/15 12:21:35:929 | | | | | | | | 278545 | Preference: Client has set the preference for single stream download
06/23/15 12:21:36:334 | | | | | | | | 278554 | *File download complete.*
06/23/15 12:21:36:338 | | | | | | | | 278554 | The file to be downloaded is http://fpdownload.adobe.com/pub/flashplayer/pdc/18.0.0.194/install_flash_player_osx.dmg
06/23/15 12:21:36:338 | | | | | | | | 278554 | Going to download the file at /Users/geoffrussellgrant/Library/Application Support/Adobe/.F433086D-59E4-42FB-A27D-A7FA3A628C72/9C6919C0-A6B2-4BD5-9803-EFE762FFDB6F/DE29BC3B-2F47-4A60-AAF4-9126D6384D33
06/23/15 12:21:50:267 | | | | | | | | 278582 | incrementing the thread. now the active thread count is 7
06/23/15 12:22:11:687 | | | | | | | | 278582 | decrementing the thread count. now the active thread count is 6
06/23/15 12:22:23:720 | | | | | | | | 278582 | *File download complete.*
06/23/15 12:33:31:370 | | | | | | | | 277925 | ******************End***************
Maybe this will assist investigation. I am no expert on logs. There are other logs.
Regards
Geoff
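As an added example (not part of this thread and not Adobe's tooling), the script below does the check that the replies describe by hand: it reads ADM/GDE log lines of the kind posted above, takes the allowlist the log prints after "White listed URLs are", lists every host the installer actually fetched from, and flags any host that differs from an allowlisted one only by a missing dot or a "www." prefix, which is exactly the get3adobe.com versus get3.adobe.com difference. The log lines embedded in the script are constructed from the excerpt above; the final download line pointing at www.get3adobe.com is invented to show what a hit would look like and does not appear in the logs Geoff posted.

```python
"""Audit the hosts an Adobe Download Manager (ADM) run contacted against the
allowlist the ADM log prints, and flag look-alike hosts (missing dot, extra
"www.").  Added example; the sample log below is constructed from the thread's
excerpt, and the last line (www.get3adobe.com) is invented for illustration."""
import re
from urllib.parse import urlsplit

SAMPLE_LOG = """\
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | White listed URLs are
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | get.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | fpdownload.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | platformdl.adobe.com
06/23/15 12:21:26:869 | | | ADM | | ApplicationContext | | | 277925 | get3.adobe.com
06/23/15 12:21:26:870 | | | ADM | | ApplicationContext | | | 277925 | Actual OS locale:'en_US', OS locale for this instance:'en_US', ADM locale : en
06/23/15 12:21:27:976 | | | ADM | | WorkflowManager | | | 278200 | Complete ADM URL after encoding: https://get.adobe.com/flashplayer/webservices/adm/?cname=AdobeFlashPlayer_18_a_install.dmg&bname=FlashPlayer&site=live&type=install&language=en
06/23/15 12:21:35:929 | | | | | | | | 278545 | The file to be downloaded is http://platformdl.adobe.com/adm/manifest/FlashPlayerInstaller_1800194.xml
06/23/15 12:21:36:338 | | | | | | | | 278554 | The file to be downloaded is http://fpdownload.adobe.com/pub/flashplayer/pdc/18.0.0.194/install_flash_player_osx.dmg
06/23/15 12:21:40:000 | | | | | | | | 278554 | The file to be downloaded is http://www.get3adobe.com/AdobeFlashPlayer_18au_a_install.dmg
"""

HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")   # a bare hostname on its own
URL_RE = re.compile(r"https?://[^\s|]+")


def message(line):
    """The free-text part of an ADM/GDE line is the last ' | '-separated field."""
    return line.rsplit(" | ", 1)[-1].strip()


def parse_allowlist(lines):
    """Collect the bare hostnames printed after the 'White listed URLs are' marker."""
    hosts, collecting = [], False
    for line in lines:
        msg = message(line)
        if msg == "White listed URLs are":
            collecting = True
            continue
        if collecting:
            if HOST_RE.match(msg):
                hosts.append(msg)
            else:
                break            # first non-hostname message ends the block
    return hosts


def contacted_hosts(lines):
    """Hosts of every URL the installer logged (ADM web service, manifest, payload)."""
    hosts = []
    for line in lines:
        for url in URL_RE.findall(message(line)):
            host = urlsplit(url).hostname
            if host and host not in hosts:
                hosts.append(host)
    return hosts


def _squash(host):
    """Normalise for look-alike comparison: drop a leading 'www.' and all dots."""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return host.replace(".", "")


def classify(host, allowlist):
    """'allowlisted', 'lookalike of <good host>' or 'not allowlisted'."""
    h = host.lower()[4:] if host.lower().startswith("www.") else host.lower()
    if h in allowlist:
        return "allowlisted"
    for good in allowlist:
        if _squash(h) == _squash(good):
            return f"lookalike of {good}"
    return "not allowlisted"


def audit(log_text):
    """Map each contacted host to its verdict against the log's own allowlist."""
    lines = log_text.splitlines()
    allowlist = parse_allowlist(lines)
    return {host: classify(host, allowlist) for host in contacted_hosts(lines)}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_LOG).items():
        print(f"{host:28} {verdict}")
```

Against the real files, feed the concatenated contents of Adobe_ADM.log and Adobe_GDE.log to `audit()`; on Geoff's excerpt every contacted host resolves to "allowlisted", which is the basis for the conclusion in the replies that the installer itself never touched the impostor domain.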
The host in your log is legitimate (get3.adobe.com). The host you referenced from your security tool (get3adobe.com) -- notice the critical missing dot -- is an impostor domain. Our installer logs do not make reference to the impostor domain. I believe that you got tricked by a really good impostor pop-up. There's no guarantee that the malicious payload would have written to our log if executed, but our installer does not appear to have accessed it based on the information you've provided.
I've already escalated the issue with the impostor domain to our legal and fraud teams, and they're actively pursuing a takedown request. As you noted, going to the domain directly doesn't result in a malicious payload, but they may be employing some creative techniques to avoid automatic detection. I don't think there's any additional stuff we can do about this beyond the actions already underway.
Both Google Chrome and Internet Explorer (on Win8 and higher) include Flash Player as a built-in component. This avoids the necessity of a separate download (and all of these kinds of headaches) entirely, because Flash Player updates are handled through the Chrome updater and Windows Update respectively. For users on other platforms, our primary recourse is education. Like most commercial applications, Adobe binaries are signed with a cryptographic publisher certificate that confirms that they were published by Adobe. That's over the head of the average end-user, but it's an available option. What we tend to recommend is to just come to adobe.com directly and grab the download, instead of clicking through any website-generated popups or notifications.
Again, thanks for alerting us to this and providing great in-depth details.
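The publisher-certificate check mentioned above can be done from a terminal on macOS with codesign(1). The script below is an added example, not Adobe's or Apple's code: it runs `codesign --verify` on a path and then parses the `Authority=` chain from `codesign -dvvv` to confirm that the leaf is a Developer ID certificate for the publisher you expect and that the chain ends at Apple Root CA. The publisher name "Example Publisher", the team ID "ABCDE12345" and the embedded sample output are placeholders, not Adobe's real signing identity; look the real identity up on the publisher's own site before relying on it.

```python
"""Verify a macOS installer's code signature and signing identity with
codesign(1).  Added example; the sample output and the publisher/team ID are
placeholders, not a real Adobe signature."""
import shutil
import subprocess

# Constructed to match the shape of `codesign -dvvv` output (printed on stderr).
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Volumes/Example/Install Example.app/Contents/MacOS/Install Example
Identifier=com.example.installer
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+3 location=embedded
Signature size=8915
Authority=Developer ID Application: Example Publisher (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jun 10, 2015, 10:00:00 AM
Info.plist entries=20
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=12 files=40
Internal requirements count=1 size=180
"""


def parse_codesign(output):
    """Turn 'key=value' lines into a dict; 'Authority' repeats (leaf first), so it is a list."""
    info = {"Authority": []}
    for line in output.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info


def check_publisher(info, expected_publisher, expected_team_id):
    """Return (ok, reason).  Requires a Developer ID leaf for the expected publisher,
    a chain ending at Apple Root CA, and a matching TeamIdentifier.  An unsigned or
    ad-hoc signed binary has no Authority lines and fails here."""
    chain = info.get("Authority", [])
    if not chain:
        return False, "no Authority lines: unsigned or ad-hoc signed"
    leaf = chain[0]
    if leaf != f"Developer ID Application: {expected_publisher} ({expected_team_id})":
        return False, f"unexpected signer: {leaf}"
    if chain[-1] != "Apple Root CA":
        return False, f"chain does not end at Apple Root CA: {chain[-1]}"
    if info.get("TeamIdentifier") != expected_team_id:
        return False, f"TeamIdentifier mismatch: {info.get('TeamIdentifier')}"
    return True, "signed by expected publisher"


def verify_path(path, expected_publisher, expected_team_id):
    """macOS only: --verify checks the seal against the bytes on disk, then the
    identity is read from -dvvv.  Point it at the .app inside the mounted .dmg."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not available; run this on macOS")
    verify = subprocess.run(["codesign", "--verify", "--deep", "--strict", path],
                            capture_output=True, text=True)
    if verify.returncode != 0:
        return False, verify.stderr.strip() or "signature does not verify"
    details = subprocess.run(["codesign", "-dvvv", path], capture_output=True, text=True)
    return check_publisher(parse_codesign(details.stderr), expected_publisher, expected_team_id)


if __name__ == "__main__":
    ok, reason = check_publisher(parse_codesign(SAMPLE_CODESIGN_OUTPUT),
                                 "Example Publisher", "ABCDE12345")
    print(ok, reason)
```

A signature that verifies only proves the bytes were not altered after signing; the identity check is what ties the installer to the publisher, which is why both steps are needed and why a matching-looking name such as "Adove" must be rejected rather than eyeballed.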
Thanks, Jeromie, for all your help,
I guess we're all done on this episode.
I will think about Chrome to replace Safari, or maybe opt for the Adobe auto update, which would avoid any spoofs.
'Apple' and 'Adobe' have a lot in common; they both start with 'A' and end with 'e' and have 5 letters each. After that, it gets progressively less amusing!
Regards
Geoff
Hi Geoff,
It looks like a malware distributor has registered a domain that looks very similar to a legitimate adobe domain. Our guess is that you were redirected here from a popup generated by a malicious website or advertisement. We do have a machine called "get3.adobe.com" that's a legitimate source for software, but it looks like these guys (who registered it under the company name "Adove", which is cute) registered "get3adobe.com" to confuse unsuspecting users. It looks like your security software saved you a big headache today.
I've forwarded this off to our fraud and legal teams to pursue.
In the meantime, it's a good general rule to just visit the software author's site directly by typing their URL or going to a bookmark, even if you get a browser popup offering an update. For Flash Player, please go to http://get.adobe.com/flashplayer to ensure that you get the latest, legitimate copy.
Thanks!
Jeromie,
Thanks, I'm not a technical person, but what you say makes sense. I've just responded to Maria along those lines. A pop-up seems the likely source. I cannot remember what web page I was on; some news item, I think, when the pop-up appeared. I don't understand why the 'show originator's website' came up with a 'page not found'. You would think that malware would at least get you to an existing page. Maybe not very good malware!
In future, as you advise, best type in the author's site direct.
Regards
Geoff