Also, we have a team that pursues takedown actions against sites like this.
If you can copy and paste the entire URL from the address bar, and include a screenshot, that gives them the evidence they need to move forward with those things pretty quickly. Those messages are often hidden behind an address with a long random token, and we can't necessarily reproduce them without having the entire address. In general, we need to be able to prove that malicious behavior is happening in order to justify the takedown requests.
I have no idea what the url of the popup was, but the install file that was downloaded is named "Adobe Flash Player.dmg". When I do a "Get Info" on this file, it says the file was downloaded from this url
Oh, that's killer. I totally forgot that you can do that. I'll definitely keep that trick in mind in the future.
Thanks for passing this along!
Well there is something very wrong with The Flash Player. I have had the same thing posted here as well as pop up in the browser that claim my PC has a virus.
I can get rid of the Flash Player, and for weeks on end it is all good. and then either I get the You need to update your flash player which automatically downloads the Bugged Version or I get the Pop up telling me I ave a virus.
It is not just OSX/Mac's but in windows and other Operating systems as well. every web site is not spared. even the National weather service (NWS.NOAA.GOV).
Reformatting only does the same as if I deleted the folder or Bugged Item.
I hope this can be looked into much more and maybe investigated. I have noticed (which Might not be related or have any connection to) that my Yahoo Email account had strange Log Ins from areas in which I was no where near. - I live in the midwest and the l;og ins came from Washington,Dc
Software and operating system-based controls have improved significantly over the last few years, making it extremely difficult to install software without a users' permission.
Human factors are now the path of least resistance. Since Flash Player is ubiquitous, it's the go-to for impersonation. It's way easier to get you to enter your password for a fake update than it is to install something silently without your knowledge.
Furthermore, Adobe has invested massive amounts of engineering resources to ensure that downloads that you get from us are authentic and unmodified. The entire release and build process is tightly controlled and monitored end-to-end. There are technical and procedural checks from multiple disparate teams, and we use cryptographic digital signatures (the keys to which are also tightly controlled) to certify that those builds are authentic. You can actually check binaries to ensure that they're legitimate and from us, should you choose. I'm confident that any installers that you're getting that contain malware aren't from us.
It's definitely possible for an attacker to take a legitimate copy of Flash Player, bundle it with malware and release it, but it won't be signed as coming from Adobe Systems Incorporated, and it won't be served from one of our servers.
Since you're getting malware repeatedly, either you're getting tricked repeatedly by fake update dialogs, you're not really getting rid of the infection in the first place, or you're restoring a backup that's already infected. I'll give you some guidance on how to avoid all of those and get back to a truly pristine state.
Also, it's worth pointing out that the malware guys are smart. We're way past the days of bored kids in basements. Once an attacker has established a foothold on the system, they're going to ensure that the infection is resilient (the bad guys test against all the popular anti-virus and clean products, too), and they also have automatic updates. Virus scanners and cleanup tools are trailing-edge solutions. Hundreds of thousands of malware variants are generated daily. It's a cat-and-mouse game, but the attackers have the edge if they can keep ahead of the anti-virus guys.
So, it's pretty likely that any clean-up effort you've taken has been incomplete. You may have dealt with the visible symptoms, but unless you're really going to do a comprehensive forensic analysis of the system, there are no guarantees.
Given the amount of headache you've had so far, if it were me, I would go very methodically, burning the entire system down, starting from pristine sources and removing any candidates for persistent infection vectors.
Here's what I'd recommend:
- Update the firmware on your router. Ideally, from a known-good computer.
There's a widely publicized vulnerability in many commodity wifi routers that allows an attacker to put exploit code in the working memory of the router. The code allows the attacker to inject code into webpages that you load. If you guessed that this manifests as fake Flash Player update dialogs, you guessed right.
If you can't remember the last time you updated your router's firmware, or if you've never done that, there's a good chance that this might be why you're seeing update dialogs on websites all the time. Simply unplugging the router for a few seconds and plugging it back in should be enough to restore it to normal working order temporarily. Applying any pending firmware updates should prevent the infection from recurring.
- If you use portable USB memory sticks, copy off any files that are important and then take a hammer to them.
It's possible to infect the firmware on USB memory sticks in a way that allows an attacker to store exploit code on the actual device hardware. It's invisible to you from the operating system. If you're using USB sticks regularly to transfer files, that may be what's happening. *Especially* if you're using them on any shared machines, like computer lab systems, internet cafes, etc...
Either switch to some cloud storage solution (e.g. Creative/Document Cloud, iCould, Google Drive, Dropbox, Box, etc.) or get an actual portable USB hard disk. There are really small portable SSD drives that work the same way, but aren't persistent vectors for infection.
Take a hammer to those USB sticks when you're done. It will remove the temptation to use them in a pinch, and it will be cathartic.
- Back up any important data files, if you haven't done so already.
Because you can't get rid of this infection, its time for a "salt the earth" strategy. We want to burn it all down and start over from pristine sources. If your backups allow you to restore only the important data files (the actual pictures and documents, etc.) great.
What we specifically don't wan to do, is to restore all of the operating system and application files that you've backed up, as there's a good chance that an attacker has one or more malicious binaries planted on the filesystem. If you can restore just your data files, great. If not, go get a portable hard drive (*not* a USB stick) and copy all of your important files over so that we can restore just those things later in the process.
- Delete all of the data from your startup disk and reinstall MacOS
Disconnect your portable hard disk from the computer so that you don't accidentally erase it, and then follow the directions below to erase all of the data on the disk
How to reinstall macOS - Apple Support
- Apply any pending MacOS updates at startup.
Also, make sure you're running the latest available OS version.
- Download and install a reputable, brand-name virus scanner. Make sure that it's up-to-date before proceeding.
- Reinstall your applications
Download and install all of your applications again. Where possible, get them from the App Store. Where that's not possible (e.g. Flash Player), download it directly from the vendor. If you got it from a torrent site, well, you might consider paying for it to ensure that it didn't come with "extras" that you might not want.
You can get Flash Player here:
- Take a snapshot of the machine
Now that you've got the machine mostly configured how you like it, and in a trustworthy state, this is a good time to make a baseline backup. If you end up with the infection again, you can confidently restore and save yourself a couple hours of work.
- Scan your old backups.
Ideally, your AntiVirus has something like "on-access scan", where it's scanning all of the files that you copy on the fly. It should be on by default, but it's worth a check. It's a good safeguard against copying over anything that's infected at this stage.
Attach your backup disk and scan it with your antivirus utility.
- Restore just your data files
Copy over only the actual data you need (documents, pictures, videos, etc.)
- Make sure Flash Player is enabled in your browser, if you want to use it. As the browsers make it more difficult to run Flash, you may have it installed, but need to enable it in the browser. This may cause some sites to tell you to install or update Flash.
The goal is to get you to a place where you're confident in just ignoring update notifications on websites.
That should get you back to a state where you can really trust the machine again.
Once you're there, then it's important to avoid future infections.
- Enable Automatic Updates for anything that processes untrusted data.
Namely, the Operating System, Anti Virus, browsers and Flash Player. It's critical that you're getting updates for the products consistently and quickly.
Attackers are very sophisticated, and we can measure the time between when a security patch is shipped to the public and when attackers have reverse-engineered the binary patch and start attacking unpatched clients with a weaponized exploit. It's generally measured in weeks or days, not months or years.
The bottom line is that Automatic updates are necessary in 2018. Just enable them. The inconvenience of the occasional functional problem pales in comparison to what you're going through currently.
- Don't follow links on websites or email to updates, and always download installers directly from the App Store or vendor.
Just don't follow links or pop-up notifications. It's easy to make legitimate-looking notifications. Be skeptical.
If you have automatic updates enabled and something tells you to update, your odds are high that it's bogus. Wherever possible, just download applications from your operating system's App Store. They'll handle updates.
If you really think you need an update, open a new window and google for the product. Make sure you're going to the developer's website and not to some random download site. Download any software directly from the vendor and install it there.
- (Optional) Use a browser with Flash Player Built-In
Both Google Chrome (for all operating systems) and IE and Edge on Win8 and higher include Flash Player as a built-in component of the browser. There's nothing separate to install or maintain. That means that you can really ignore anything that tells you to install or update Flash.
In those instances, Google Chrome and Windows Update ensure that Flash Player is always up-to-date. Also, if you really don't trust our distribution pipeline, those bits are vetted and distributed directly by the respective vendors.
- Stay away from sketchy sites
Nothing is free. If you're not paying, you're the product. When it's Facebook, they're selling your information. When it's something less reputable, they might be selling something like control over your computer. Nobody is compromising your machine for fun. They're getting paid.
- Get a password manager, rotate all of your passwords, and use two-factor authentication
If people are logging into your email and stuff, that password you're using has leaked. It's not uncommon for malware to install keystroke loggers to capture valuable information like your credentials. I think it's pretty safe to assume, given what you've been going through, that your credentials are all thoroughly compromised.
In the world of daily breach announcements, you really want a unique password for each site that you use, and wherever possible, you should enable two-factor authentication wherever possible.
Unique passwords limits the damage done by any individual breach. You don't want a password breach on that hobby forum to grant some guy in the Ukraine access to your bank account.
Two factor authentication ensures that even if a bad guy has your password, they also need control of your phone in order to do anything with it. You want this.
Also, don't use those credentials from any machine that you can't confidently trust. If your other machines have been compromised or keep getting compromised, limit your use of anything important to the one machine you do trust, until you can work through everything and get it all back to a trustworthy state.
If you want to get really fancy, you can always verify that an application has been digitally signed. On MacOS, you can also look to see where a file was downloaded from, by looking at the file File Info. Similar techniques exist for Windows as well. They're a little involved, and a quick google for "Validating code signatures for <insert operating system>" will probably serve you well. Personally, just enabling automatic updates is a whole lot easier.
This general advice holds true for your other machines as well. There's a reason that when we teach people how to compromise machines, we start them out on WinXP and Vista. If you have aging operating systems running on your network, it's a good time to give some serious thought to retiring them. Run a modern operating system, keep it patched, and if it's been infected, just burn the thing down and start from pristine sources.
In the event that you run into a malicious installer or installation dialog, we have a team that pursues action against those sites. If you can grab a screenshot and the full URL of the download or the update window, just shoot an email to firstname.lastname@example.org or email@example.com, and we'll be happy to pursue a takedown on those.
- Update the firmware on your router. Ideally, from a known-good computer.
Well I can say for sure I am not being tricked, it seems to automatically download it even if I destroy the folder so far it has been one full day. I have formatted my PC 3 times in the last 4 month's so, I do know that it seems to happen more when I Have MS updates.
I will have to check the firm ware on the router, that could be, but Cough we have Three router's all running into each other. I mean maybe that is the problem?we have had some people somehow getting into our WiFi and using it at night just by parking outside our house. so that is why we have Three of them., thogh that may actually be where the issue is. too many router's. could that be?
Here's the thing. Windows Update isn't sending you viruses. Neither is Adobe. Furthermore, the auto-update mechanisms employed by both companies use cryptographic checks at multiple places to ensure that nobody is substituting out auto-update payloads on the fly. They're heavily scrutinized. Also, correlation is not causation.
The bottom line is that it sounds like you have a big mess on your hands.
You've had a malware infection and one more more of your machines is compromised. What's worse, is that your machines regularly get reinfected.
That's not normal.
You're either not getting the infection cleaned up in the first place, or you're doing something to reinfect yourself repeatedly.
The fact that someone sitting on the street can get on your network seems problematic.
The fact that you have three routers isn't magically going to make your machines be infected with malware. If one or more of those routers is compromised, it may be able to redirect requests to sites that are malicious. This means that you might be encountering opportunities to infect yourself more frequently than the average person. If you're not keeping your machines patched, it's pretty easy to just park in front of your house and let a script run to scan for and infect everything vulnerable on the network. It doesn't even take skill.
You're either going to need to pay someone to come clean it all up, or you're going to have to get really serious and just take everything off the network, pick a machine, hook it directly to your cable modem or whatever, and get it into a known-good state. Once you have one trusted piece of hardware, then you get to go through every single thing, one at a time, and make sure it's clean and trusted before you stick it on a network with anything else.
If you don't go through the tedious, methodical process, there's no guarantee that you'll ever get it cleaned up.
There's also good reason to look at your habits. Cleaning things up and getting (and keeping) them current is a crucial first step. Keeping your network malware free comes down to all those little decisions where you have to choose between security and convenience/cost.
I have also experienced this on my Mac recently. I'm fairly tech savvy and don't know how I was redirected to this site, but nonetheless the fake update .dmg file was downloaded automatically. I deleted the file without mounting the disk image so I imagine that I am safe, but I wanted to put the website URL as well as the download URL out there so Adobe can possibly help get this taken down.
The website URL with the fake update notification: http://uxntc.alertammonia.win/lp/62797317/?n=571464413
If I look in the Finder the download details for the .dmg file also shows http://uxntc.alertammonia.win/file/get/?software=flash-player-npapi&title=flash-player-npa pi&clickid=9123941904822882
Here is a screen shot of the landing page with the bogus update notification:
Since I deleted the .dmg without mounting I imagine I am in the clear, but is there anything I should be concerned about on my end? Thanks!
It sounds like you did the right thing (noticing that the download was bogus and deleting it), and it's extremely unlikely that just downloading the file did any harm to the system.
The reason that this kind of approach is so prevalent is because the browsers, operating system and Flash Player have made it very difficult to take control of the system without your explicit permission (i.e. you need to enter your password to install software, etc.). It's far easier to trick someone into giving explicit permission to install malware than it is to silently install it.
Following best practices like running a reputable anti-virus program, and making sure that you have automatic updates enabled for the OS, browser and Flash Player is always wise, even on Mac.
Thank you for the help. I also sent the details along to the firstname.lastname@example.org email address as well. Everything seems just fine with the computer so far. Nothing was installed so I'm not too worried about it about it. The more worrisome thing is why I served the bogus ad on a new computer, on my home network. I get some random redirects at times on my mobile devices (via the cellular network) but never really on my home network. Kind of weird. Just wanted to add my two cents to this thread.
In general, it's usually an issue where an attacker managed to insert malicious code on the content provider's page. Examples would be things like sneaking a malicious banner ad on to an ad distribution network, or maybe figuring out how to insert code into the comments on a page, where they're actually allowed to get executed.
There's an interesting class of attack that targets home routers with a particular vulnerability, which allows attackers to store and execute code in the router's memory. This kind of vulnerability doesn't survive a reboot, so you could just unplug the router and plug it back in to temporarily solve the issue. Then you could just make sure that you have the latest firmware installed on your router to prevent future infection. Those kinds of vulnerabilities typically get used to insert similar fake update notifications into otherwise reputable webpages.
The important part here is that you just shouldn't trust links on webpages that tell you to update. If you think you need an update, go google for it and find an authoritative link from the software vendor (or use the app store, where applicable). If you set your stuff to update automatically (which we'd highly recommend), then you can be pretty confident that any update notifications should be ignored (for software that you've set to automatically update).
That's an Adobe link, but to a very specific download. It's taking you to the Flash Player variant for Firefox.
You can always go here from the browser you want to use Flash Player on and we'll serve you the right download or tell you that it's built-in, etc:
Hmm. I don’t use Firefox.
I use chrome and thought flash player updates automatically with chrome. Yes?
It does. Where are you getting that link from?
I keeps popping up on my computer. Maybe 1 x a week
There *is* a notification option for updates that would cause a dedicated window to open and encourage you to update. It's not the default option, and we don't recommend it -- specifically because bad actors target users through update notifications. Using a pop-up window in the web browser is usually the method perferred by bad actors, although modern browsers do a good job of restricting pop-up windows for the most part.
If you go to Control Panel > Flash Player > Updates and you see "Notify me to install updates" is selected, that would confirm that your system is configured to show those legitimate update dialogs. The link you shared was a real link, so that would make sense. If you primarily use Chrome, but you installed Flash Player for Firefox (or maybe for Adobe Acrobat) at some point, that would explain why you're getting the pop-up notification to update the NPAPI Flash Player variant.
Instead of trusting the pop-up, you can just initiate the update from the control panel by choosing "Install Now", which would allow you to avoid interacting with any pop-ups. The update screen will also enumerate a list of the Flash Player variants you have installed and their versions. We shipped an update yesterday, so the current version is 22.214.171.124.
I'd also highly recommend just setting that update preference to "Allow Adobe to install updates...", so that you're not wondering about whether your Flash Player is current, and/or if a pop-up dialog is legitimate.
Oh, the forums don't do email attachments. If you come back to the forums site, you can add them to the post through the UI.
A page automatically redirected to this fake Flash Update web page.
Go get 'em!
Thanks for the report. I've forwarded along to our Phishing team.
Got another one here, have had a few with drive by downloads but this one just prompted to download the "update"