-
1. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
Mike M Mar 24, 2014 2:59 PM (in response to whjco)
install_flashplayer_12_x32_64_msaa_aax_latest.exe is nothing that comes from here.
http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player_ax.exe
and
http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player.exe
are the ONLY legitimate files for Flash Player FULL installers
But, NOTHING with "latest.exe" would be legit.
Do a "clean install" on any machine you believe is out of date. http://forums.adobe.com/message/4041846
Also look into TDSSKiller from Kaspersky to remove adware.
-
2. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
whjco Mar 25, 2014 11:27 AM (in response to whjco)
I downloaded and ran Kaspersky's TDSSKiller. It's not finding anything.
Any suggestions as to what to try next?
Thanks so much for your help!
Bill J.
-
3. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
Mike M Mar 25, 2014 12:31 PM (in response to whjco)
I've read about a router hack that redirects to the "update" page:
http://hackersnewsbulletin.com/2014/03/hackers-hacked-300000-wireless-routers-check-now.html
It may or may not have affected you.
Stick to those links I provided.
They're your best bet.
-
4. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
whjco Mar 25, 2014 12:57 PM (in response to Mike M)
Mike,
Many thanks. I’ve downloaded and installed both versions of Adobe Flash as we’re using Explorer, Chrome and Firefox. The Kaspersky didn’t find anything, Malwarebytes didn’t find anything of any substance nor did our AVG Business AV software.
I ran the installation of both versions of Flash and it didn’t solve the problem.
Whatever this thing is it’s propagating through the entire network domain and is now on all workstations in the domain. Not good stuff!
Bill Johnson
-
5. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
whjco Mar 25, 2014 1:00 PM (in response to Mike M)
Mike,
The router hack might be the problem. It would explain why it’s showing up in the whole network. I’ll look into that next.
Thanks!
Bill J.
-
6. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
Lars123 Mar 25, 2014 1:50 PM (in response to whjco)
Hi Bill,
I have the same problem, the Adobe (malware) update comes up on Internet Explorer and Firefox. I tried TDSSKiller but it didn't work.
I don't think it's my router, because I'm on another network now and I still have the problem.
Lars D.
-
7. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
whjco Mar 25, 2014 1:56 PM (in response to Lars123)
Lars,
Thanks. I’m running in circles trying to get rid of this problem. Still haven’t had any luck.
Bill J.
-
10. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
Mike M Mar 25, 2014 2:28 PM (in response to Lars123)
What is the address in the bar when you see that?
Because that second shot shows a version (12.0.3.77) that doesn't exist.
-
12. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
Mike M Mar 25, 2014 4:05 PM (in response to Lars123)
It's fake.
-
13. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
Madman45 Mar 25, 2014 4:47 PM (in response to Mike M)
It's happening to mine now. Firefox seems okay for now though.
-
14. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
whjco Mar 25, 2014 5:54 PM (in response to whjco)
The router hack still seems to be the best explanation. However, does this mean that the redirect that could be in the router has caused the connected workstations to download malicious software? None of my security software is showing anything so I've ordered a replacement Cisco router and will see if that helps the problem.
-
15. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
Chubb dog Mar 25, 2014 7:03 PM (in response to Mike M)
I have the same problem, tried uninstalling Flash, any remnants afterwards, deleted personal settings in Internet Explorer and reset, ran adware, malware and hitman. Nothing found. Virus is still there. Can change internet search option in control panel, i.e. from Google to Bing, and eventually shows up again. After two days of searching and trying different virus and malware removal programs I have backed up my data and am now trying an image restore from a different date. Anyone find another answer yet?
-
16. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
Lars123 Mar 26, 2014 1:20 AM (in response to Chubb dog)
Yesterday I tried to remove it in safe mode with Malwarebytes, but that didn't work. Then I restored my data from a different date, that also didn't work. I have no idea how to remove it...
-
17. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
whjco Mar 26, 2014 4:48 AM (in response to Lars123)
Lars,
It appears that the redirect may be coming from malicious code that’s been put into the router. Are you by chance using a Linksys or DLink router?
I’m going to go over later this morning and remove our Linksys E2500 router from service and put one of our spare Cradlepoint routers (we use them in charter buses for WIFI access) as a temporary measure and see if this fixes the problem. I’ve done repeated scans of the computers that are popping up the bogus Adobe Flash message and am finding nothing so either the redirect is occurring in the router itself or this is new malware whose signature is not yet being recognized.
I’m feeling pretty strongly that the problem is malicious code in the router. In the meantime, we’re having all the passwords changed via phone to any online sites, accounts, etc.
I’ll let you know what happens with the temporary replacement router. The new Cisco I ordered should be here tomorrow.
Bill J.
-
18. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
whjco Mar 26, 2014 11:26 AM (in response to whjco)
Okay folks, here's the latest. Thanks to Mike M's post above I've been able to do some additional research and have come to the conclusion that our Linksys E2500 router has been hacked. I pulled it out of service and set up a router from a different manufacturer and we're now able to access the internet.
However, the redirects from the infected router had installed some additional settings in the browsers themselves, so I had to do a complete browser reset and that took care of the problem. To do this in Internet Explorer, I clicked on Internet Options/Advanced Tab and then click on the Reset link at the bottom and also reset all personal settings. In Google Chrome, I've had to go to Settings, click on Show Advanced Settings at the bottom, then click on Reset Browser Settings in the link at the very bottom.
So far, we've been back up and running without any problems.
-
19. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
trollwv Mar 26, 2014 2:38 PM (in response to whjco)
Bill, one of my employees downloaded this malware and we have a network, but only this one computer is affected. The computer's OS is Windows 7 w/IE 11 and the network is using a Linksys E4200 router for internet access. I have noticed that only .com's seem to be affected from the computer's browser and that I can access the internet through other programs or bring up a website with .net only once. None of our scans (4) picked it up either and we reran them through safe mode with no success. We even tried a web-based scan with no luck picking it up. I did find something odd when I was able to access a .net company in IE and tried to go to another website: the Adobe Flash Player malware reappeared and again asked to be downloaded. When I cancelled that process and went to the tools icon and went to security and Delete Browsing History and checked all boxes and ran it. Out of the 4 programs we've run, Microsoft Security Essentials was the only program to pick up the malware and showed it as BackDoor:Win32\Simda.AT and when MSE removed it. We rebooted but it's still there. Once it's downloaded now the job of refinding and removing it, so if you or anyone else has something to remove it completely please let me know.
-
20. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
whjco Mar 26, 2014 3:11 PM (in response to whjco)
19.trollwv, the only way I could get rid of it was to go into the browser settings and do a complete reset on the browser. Remember, your Linksys router could have had malicious code installed in it that will just keep reloading it into your browser. I don't think that Linksys has a firmware update to fix this problem yet. I pulled our Linksys out of service and used a Cradlepoint router that we already had on hand for temporary internet access until our Cisco router arrives.
Another thing, if you have remote management turned on in your Linksys router, turn it off as port 8080 seems to be one of the ways that they're placing the malicious code in the router.
-
21. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
trollwv Mar 27, 2014 5:31 AM (in response to whjco)
20.whjco, Thanks for the update. I don't have the remote management enabled on my router, and I tried the complete reset with the browser with no success. I will give the replacement router a try next and will give it a go once more.
-
22. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
Jerrion Mar 27, 2014 7:50 AM (in response to trollwv)
I have been having this same issue. It started a few days ago. I normally use a Windows machine but have been using a Mac (OS X 10.9) for development lately. The Mac is now having this issue. The PC is fine. The PC is on a hardwired network (not using a Linksys) but the Mac is on a wireless network that uses a Linksys E3000. At first I thought it was a Chrome-only issue and resetting the browser cookies/settings would fix the issue. Today I went to load up a site in Safari and it did the same redirect. I am stumped. I don't have admin rights so I can't check the router myself. Is there any way to test to see if the router is infected? Something I can take to our IT guy?
PS another guy in the office had the same issue and he was running fedora Linux. He got frustrated and switched to another machine (desktop) that is hardwired.
Thanks
-J
-
23. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
whjco Mar 27, 2014 7:58 AM (in response to whjco)
You may want to contact support for the manufacturer of your router to see if there's any way to check for malicious code or the procedure to wipe and reload the router. In our infected Linksys E2500 router we had already installed the latest firmware version. I downloaded and reinstalled the latest firmware but it didn't seem to help.
-
24. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
Jerrion Mar 27, 2014 8:04 AM (in response to whjco)
Thanks for the reply. Just another note to further describe the problem. It seems to happen randomly once the browser info is cleared. It does not happen on the same website every time. The first time I noticed the issue was with bestbuy.com. After that it was google.com. Today it's happening with reddit.com but not bestbuy/google. I have not been able to replicate it on a Windows 8.1 Surface tablet on Chrome. If I clear the browser info the problem goes away again for a bit.
Thanks
-J
Message was edited by: Jerrion *spelling
-
25. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
tahoeje Mar 27, 2014 8:56 AM (in response to whjco)
Resetting the E2500 to factory defaults corrected the problem, at least temporarily. Time will tell if the reset is a permanent fix.
I agree with the others who have posted on this thread. No malware of any kind is found on the machines that redirect to the SCAM Adobe Flash error message screens. I have contacted CISCO and have filed a report on our findings through today and have asked that they get involved to find the cause, source and cure for this issue. I would expect a new firmware release will be announced soon for the E2500 and any other CISCO router products that have been compromised. I would encourage all to install the firmware when it becomes available.
-
26. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
trollwv Mar 27, 2014 9:57 AM (in response to whjco)
whjco, Yes, it's as you said. My Linksys/Cisco E4200 router was the problem. I didn't replace it, just disabled the Remote Management Access and saved, and then under Security turned on Filter Anonymous Internet Requests and saved. Then rebooted the router and the issue stopped. Linksys called this The Moon malware; it apparently bypasses authentication on the router by logging in without actually knowing the admin credentials. Once infected the router starts flooding the network with ports 80 and 8080 outbound traffic. A firmware update is said to be coming out soon. Thanks again for the insight.
-
27. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
peakbaggerdave Mar 28, 2014 8:07 AM (in response to trollwv)
I did the same as trollwv yesterday for my E4200, and so far no re-appearance ... this might also explain my significant increase in bandwidth usage for the past several months; I thought it was just Netflix.
-
28. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
tahoeje Mar 28, 2014 8:16 AM (in response to peakbaggerdave)
Current research suggests Linksys (Cisco) became aware of this threat a little over a year ago. Most people trying to discover the cause and cure would be searching for Adobe Flash issues, not searching for the "moon". We are currently exploring a secondary issue with the malware. We have 4 of the E2500 on the bench that were compromised, and none of them will take a firmware update. Failures consistently occur at 18%. No comments back yet from Cisco.
-
29. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
merrifie Mar 28, 2014 10:54 AM (in response to whjco)
In my experience, Malwarebytes reported finding Trojan.Happili within install_flashplayer_12_x32_64_msaa_aax_latest.exe. It seemed a bit suspicious from the get-go (very un-Chrome-like behavior to hijack the start page with an Adobe Flash Install page). This was a redirect of http://www.google.com but not https://www.google.com.
Changing my router settings to disable Remote Management solved the persistent redirect problem. My security settings already included Filter Anonymous Internet Requests.
Very glad to have found this page. Thankful for everyone's contribution.
-
30. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
scharique Apr 4, 2014 1:08 PM (in response to merrifie)
I experienced the very same issue being discussed here last night via all browsers. I have a Cisco/LinkSys E3000; there is quite a bit documented on this 'Moon' worm from SANS but very little from Cisco directly. Disabling remote management on the router has done the trick but I see that only as a temporary workaround to disable the hacking/redirecting via the HNAP; the real fix would be a firmware update and I can't find any reference on that from the horse's mouth.
-
31. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
k@fakefake Apr 15, 2014 1:40 AM (in response to scharique)
Got this problem recently too.
Can anyone help solve this issue, as it is very annoying that every time I use Mac Safari or Firefox, it will redirect to the link and download automatically:
install_flashplayer_12_x32_64_msaa_aax_latest.exe
-
32. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
Mike M Apr 15, 2014 1:44 AM (in response to k@fakefake)
http://hackersnewsbulletin.com/2014/03/hackers-hacked-300000-wireless-routers-check-now.html
It's a hardware problem. Adobe can't fix that.
-
33. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
k@fakefake Apr 15, 2014 1:51 AM (in response to Mike M)
Thanks Mike M for the explanation in the website.
Wondering, is there anything we can do to get rid of the problem?
-
34. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
Mike M Apr 15, 2014 5:08 AM (in response to k@fakefake)
If the router can be "flashed" (erased and rewritten) then have that done (your ISP may be able to do it). If not, it has to be replaced.
-
35. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
Kevin2735 Apr 18, 2014 2:14 PM (in response to whjco)
I have a Cisco E3000 Wireless N Router. I was having the issue across OSX and Windows. This thread was a big help, but when I tried to get the latest firmware from Cisco I found the download link was no longer present. I chatted with their support and obtained the following info if it helps anyone:
"Linksys is aware of the malware called “The Moon” that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default."
"If you have not enabled the Remote Management Access feature of the router, you are not susceptible to this specific malware. If you have enabled the Remote Management Access feature, we can prevent further vulnerability to your network by disabling the Remote Management Access feature and rebooting your router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks."
"What we can do to fix this issue is to make sure that the router's security settings is enabled and the remote management is disabled."
"Ensure that the Filter Anonymous Internet Requests on the Security Page is enabled."
"The next step would disconnect us from the session. We need to reboot the router to clear the cache."
"According to the system, your product is already outside the complimentary assisted support period. I’d just like to inform you that we normally charge a fee for supporting this type of issue, but since we’re seeing a potential hardware problem with the product, we’ll be extending complimentary support just this one time."
"We also need to upgrade the Firmware. However, the Firmware for this router is no longer available for download. Disabling the remote management on your router and securing it would help fix the issue."
I did find the latest firmware for the E3000 here: http://www.userdrivers.com/LAN-Network-Adapter/Linksys-E3000-Wireless-N-Router-Firmware-Update-1-0-04-build-6/download/
-
36. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
tahoeje Apr 18, 2014 2:34 PM (in response to Kevin2735)
Kevin,
Although Cisco will not admit it, there is an issue with this and two other of their devices. Their blog that they sent you is a workaround. If you need remote access, I would suggest acquiring another router. The Netgear N750 would be my suggestion. Solid engineering and support and under $100 if you shop around.
John
-
37. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
tankr32 May 3, 2014 10:08 PM (in response to whjco)
Hey, I am currently experiencing this problem at work. We have a Cisco router there. I made the mistake of getting my laptop (WIN 8.1) plugged into this network and then my laptop was experiencing the same thing. My questions are: 1. Is this transferable, i.e. if I take my laptop home to a Netgear router will this infect my home network? 2. Has there been a firmware update for this? 3. Any more news on this?
-
38. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
Mike M May 4, 2014 12:51 AM (in response to tankr32)
tankr32 wrote:
1. is this transferable i.e. if i take my laptop home to a Netgear router will this infect my home network.
Being as it's a router hack, it isn't even transferable TO the laptop. It's like a detour on a street. As long as you're on THAT street, it doesn't matter what car you drive, you'll still have to take that detour. But if you take a different street, you don't. It isn't in the car.
2. has there been a firmware update for this.
Not from Adobe, because Adobe doesn't make routers or firmware. Some routers (varies by make and model) can be "flashed" and reloaded like a cell phone.
3. any more news on this?
The link I posted is the latest I've read on it.
-
39. Re: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?
crmont May 6, 2014 12:47 AM (in response to whjco)
I figured out the problem. The router hack simply changes the DNS server to a DNS hosting service (severel.com). In my case a password hack could get downloaded. The malicious DNS server numbers in question for my issue were: 199.182.166.168 and 199.182.166.169. After you reset or flash your router firmware, make sure and install the correct DNS servers for your ISP. Also make sure you disable "remote management". My router is a Linksys E3000. Linksys has never updated the BIOS for this router.
A second option is to simply install the correct DNS server addresses for your ISP in the router's setup page.
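
An added example, not part of any post in this thread: a Python check that pulls the DNS resolvers out of `ipconfig /all` or `/etc/resolv.conf` text and flags the two rogue addresses crmont reports. The `EXPECTED_DNS` values and both sample inputs are constructed placeholders; substitute the resolvers your ISP actually assigns.

```python
import ipaddress
import re

# Rogue resolvers exactly as reported in the post above.
ROGUE_DNS = {"199.182.166.168", "199.182.166.169"}
# Assumption: the resolvers your ISP really assigns (placeholder values).
EXPECTED_DNS = {"203.0.113.53", "203.0.113.54"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_dns_servers(text):
    """Collect resolver IPv4s from resolv.conf or `ipconfig /all` text."""
    servers, in_dns_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nameserver"):
            servers += IPV4.findall(stripped)
            in_dns_block = False
        elif stripped.startswith("DNS Servers"):
            servers += IPV4.findall(stripped)
            in_dns_block = True  # ipconfig lists further resolvers on the next lines
        elif in_dns_block and IPV4.fullmatch(stripped):
            servers.append(stripped)
        else:
            in_dns_block = False
    return servers

def classify(server):
    """Label one resolver address."""
    if server in ROGUE_DNS:
        return "rogue"
    if server in EXPECTED_DNS:
        return "expected"
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    # A private address means the client asks the router, which forwards the
    # query; the router's own DNS setting must then be checked on its setup page.
    return "router-forwarded" if addr.is_private else "unknown"

def audit(text):
    """Map every resolver found in the text to its verdict."""
    return {server: classify(server) for server in extract_dns_servers(text)}

# Constructed samples (not captured from any machine in the thread).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 199.182.166.168
                                       199.182.166.169
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_RESOLV = """\
nameserver 192.168.1.1
nameserver 203.0.113.53
"""

if __name__ == "__main__":
    for name, sample in (("ipconfig", SAMPLE_IPCONFIG), ("resolv.conf", SAMPLE_RESOLV)):
        for server, verdict in audit(sample).items():
            print(f"{name}: {server} -> {verdict}")
```

A "router-forwarded" verdict does not clear the router: the client only sees the router's LAN address, so the DNS servers configured on the router itself still need to be compared against the ISP's values.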



