9 Replies Latest reply on May 19, 2015 12:13 PM by CB_Hedricks

    Adobe Flash Player Update - Dregol and Glassbottle piggybacked!

    CB_Hedricks

      On 5/15/2015 at 0700 Adobe Flash Player pushed an update to my computer with the familiar pop-up window that advised of a "necessary" update. I clicked on it to start the process and my AVAST Antivirus software immediately went into overdrive. It quickly blocked 15 programs from running, including a Trojan named "Glass Bottle" which had apparently allowed a port to be opened on my computer, as I could see that files were still loading onto my computer. I unplugged my network cord and the download terminated. I stopped working on my projects and immediately ran Malwarebytes to eliminate ALL threats. It found and successfully destroyed the attacking file (Dregol.A) and its sub-files, and closed the ports that were in use to download malware. All told it was three pages of output and 48 files in total, not including the ones that had been terminated and quarantined by AVAST.

      Glass Bottle is the Trojan that opens a port and starts the download process for Dregol and other malware before it can be stopped. Dregol then installs a compromised version of the Chromium browser and makes it your default browser, using system-level authorization granted when the user clicks on the "install" button on the Flash Player update. It then redirects default search engines in all installed browsers, makes sure you receive false results from "Dregol"-compromised web searches, and starts downloading its various payloads to your computer. It also opens several ports, including 21 and 22, to establish two-way communications within your computer for remote access.

      I have tried to find a way to report this to Adobe, but all my attempts to do so have come up with dead ends or redirects. My last attempt to "chat" with a representative was very underwhelming, to say the least. For Adobe staff: please make reporting such attacks a streamlined, easy process for us, the end users of your products. To be pushed around from email link to forum to chat and back to email is quite frustrating. I have wasted several hours of my time with this problem this week; if Adobe is not interested in providing support or a way to easily report such attacks, please make that clear so we do not waste our time.


      For the rest of us - until Adobe changes the Flash Update Engine to address this vulnerability - disable automatic updates and uninstall the Adobe Download Manager. If you have been hit by Dregol, run Malwarebytes using the complete scan option for ALL files and check your computer for open ports. Dregol in itself is not directly dangerous to your user data, but what it downloads without your permission could be extremely dangerous!

      CB_Hedricks

        • 1. Re: Adobe Flash Player Update - Dregol and Glassbottle piggybacked!
          pwillener Level 8

          I have used Flash Player since version 6, and I have never gotten any malware from Adobe downloads.  This is still true for the latest Flash Player update 17.0.0.188.

          Never download any Flash Player installers or updates from anywhere else than the Adobe.com or Macromedia.com websites!

          If you got pushed to download infected software, then it was most likely issued by other malware. Sorry, I have no other explanation than this.

          • 2. Re: Adobe Flash Player Update - Dregol and Glassbottle piggybacked!
            jeromiec83223024 Adobe Employee

            Ugh, sorry to hear that your machine got infected with malware.

            Unfortunately, one of the problems with Flash Player's ubiquity is that malware authors often attempt to impersonate Flash Player download dialogs in an attempt to trick you into downloading and installing fake software. Adobe takes extraordinary measures to ensure that our signing keys are tightly controlled, and that the binaries issued from Adobe are legitimate and free from malware.

            We highly recommend that users opt in to automatic updates, and always download Flash Player directly from Adobe by typing in the link: http://get.adobe.com/flashplayer.

            If in doubt you're always welcome to download fresh copies of our installers, and check them against VirusTotal to confirm.

            • 3. Re: Adobe Flash Player Update - Dregol and Glassbottle piggybacked!
              CB_Hedricks Level 1

              The update was exactly like the normal pop-up message that spawns on the desktop whenever an Adobe update is pushed. This is why I clicked on it in the first place without hesitation. There was not one indication of impersonation or foul play at all. Due to this, and the lack of a direct reporting path, I will not use Adobe auto-updates going forward. With every attempt made to connect or contact someone from Adobe, I was constantly turned away, or redirected (bounced) from one representative to another 6 times before I finally gave up in frustration. Your post (reply) is the closest thing to what I would consider a professional response to my concerns, to this point.

              • 4. Re: Adobe Flash Player Update - Dregol and Glassbottle piggybacked!
                m_vargas Adobe Employee

                Charles Hedricks wrote:

                <snip>
                There was not one indication of impersonation or foul play at all.
                </snip>

                Unfortunately the malicious actors who create these malicious/fake Flash Player websites are very good at copying the Adobe and/or Flash Player brand/logo, and sometimes it's very difficult to determine that it is a fake notification or site (a common one is "Flash Player Pro"; there is no such Adobe product). Just the other day, on a different post, someone's router was infected and the DNS IP address changed. The only indication to me that it was a malicious site was the URL the page was redirected to. A normal user such as yourself wouldn't know the difference, as the page itself looked just like the official Adobe Flash Player Download Center page.


                We do actively go after these malicious actors. If you come across these fake Flash Player install/update sites, please message them to me. I do forward them to the appropriate folks here at Adobe when users tell me about them or I find them on web searches.

                --

                Maria
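The URL check Maria describes above (does the page a "Flash Player update" points at really live on an Adobe host?), written out as an added example; this is not code from Adobe or from anyone in this thread, and the allowlist of Adobe hosts, the brand tokens and the sample links are assumptions made for illustration.

```python
"""Added example: classify a "Flash Player update" link by its real host.
Not code from Adobe or this thread; allowlist, tokens and samples are assumed."""
from urllib.parse import urlsplit

# The only download sources the thread calls legitimate (assumed allowlist).
TRUSTED_DOMAINS = ("adobe.com", "macromedia.com")
# Brand strings that fake update sites borrow ("Flash Player Pro" is one).
BRAND_TOKENS = ("adobe", "macromedia", "flash")


def extract_host(url: str) -> str:
    """Lowercase host of an http(s) URL, or '' if the URL is unusable.
    urlsplit().hostname already drops userinfo ('adobe.com@evil.example'),
    the port and IPv6 brackets, so those tricks cannot spoof the host."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return ""
    return (parts.hostname or "").rstrip(".")  # 'adobe.com.' == 'adobe.com'


def is_trusted_download_url(url: str) -> bool:
    """True only when the host is a trusted domain or a subdomain of one;
    'adobe.com.evil.example' or 'adobe-com.example' do not match."""
    host = extract_host(url)
    return bool(host) and any(
        host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify_download_url(url: str) -> str:
    """'trusted'; 'lookalike' for an untrusted link that displays the brand
    (the kind of site the thread asks users to report); else 'untrusted'."""
    if is_trusted_download_url(url):
        return "trusted"
    if extract_host(url) and any(t in url.lower() for t in BRAND_TOKENS):
        return "lookalike"
    return "untrusted"


# Constructed sample links (not from the thread) and the expected verdicts.
SAMPLE_URLS = {
    "https://get.adobe.com/flashplayer": "trusted",
    "https://ADOBE.COM./products/": "trusted",               # case, dot
    "https://adobe.com.update-flash.example/": "lookalike",  # brand prefix
    "http://adobe.com@cdn.example/flash.exe": "lookalike",   # userinfo trick
    "https://flash-player-pro.example/update": "lookalike",  # fake product
    "https://mirror.example/setup.exe": "untrusted",
    "javascript:void(0)": "untrusted",                       # no host at all
}
```

Run `classify_download_url` over each key of `SAMPLE_URLS` to see the verdicts; a "lookalike" result is exactly the sort of site worth forwarding to Adobe as Maria asks.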

                  • 5. Re: Adobe Flash Player Update - Dregol and Glassbottle piggybacked!
                  jeromiec83223024 Adobe Employee

                  Unfortunately, we don't offer direct support for free products. The people staffing the forum here actually work on the player, so for better or worse, we're generally more informed than the support organization on day-to-day Flash topics.


                  I'd be interested in seeing the logs from the scanners to see what got picked up and where.

                    • 6. Re: Adobe Flash Player Update - Dregol and Glassbottle piggybacked!
                    CB_Hedricks Level 1

                    Thank you, Maria - I had been trying to get someone's attention for several days with a copy of the infected file available for inspection. It was impossible to reach anyone via phone or chat who actually indicated they were concerned; the only thing they wanted to do was "hot transfer" me to another department or redirect me to a different chat or forum window.

                    Your post here is the first "sign of life" that anyone actually cares to hear about or deal with this situation. Unfortunately I have since deleted the file and scrubbed my PC with Malwarebytes in safe mode, then had it clear the unused space on my drive, followed by a defrag program, effectively wiping out any trace of the file.

                    If it comes up again, I will most assuredly contact you with the intent to work it out.

                    Many thanks!

                      • 7. Re: Adobe Flash Player Update - Dregol and Glassbottle piggybacked!
                      CB_Hedricks Level 1

                      You do not support free products?  Even if it is an Adobe branded product?

                      Wow, just plain wow.

                        • 8. Re: Adobe Flash Player Update - Dregol and Glassbottle piggybacked!
                        jeromiec83223024 Adobe Employee

                        Correct. Adobe does not offer free, direct technical support for the products that we offer free of charge. If you're having trouble with a paid product, that's a different story. You *can* pay a nominal fee that offsets the cost of support for the free products, but most people choose not to. As a result, the tech support guys don't get a lot of Flash experience, and since the folks here are actually engineers on the product, we have pretty close to real-time information. If it's anything esoteric, we have an unfair advantage.

                        Adobe does provide these user-to-user forums to everyone regardless of means, and the staff here typically carve out time from their day/evening as a courtesy to our users, in addition to our actual workloads. I stuck around until about 8 PM yesterday to answer installer questions.

                        If you run into problems again, please feel free to drop me a direct message through the forums (just click my name). It will land in my Inbox that way, and will get my attention. For security incidents, you're also more than welcome to email the Adobe Product Security Incident Response Team <psirt at adobe dot com> with details, as that queue is staffed 24/7/365.

                          • 9. Re: Adobe Flash Player Update - Dregol and Glassbottle piggybacked!
                          CB_Hedricks Level 1

                          I paid quite a bit for Adobe CS5.5 several years ago, and in that was the "free" version of Flash Player. Just a side note - I am now dealing with an issue in AI from that same package on a different thread, so I do understand the differences between supported and not supported. All told, I am old school - if it is "branded" then it should be "supported" by the branding company at some level - and if it is maintained by an update engine, then a bit more interest or an easier way to report malware attacks and code compromises would be greatly appreciated. In my case I wasted about 6 hours ($50.00 per hour) of my time trying to track down a location to report the malware / code subversion of the update engine. A simple link on the support home page to facilitate reporting efforts would have saved a significant amount of frustration and lost time on my part.

                          Don't get me wrong - I understand the intent of Adobe's stance on free software vs. paid; I am just old school in my thinking about it.

                          Cheers.