Adobe Flash Player 11.5.502.16, Malware Adobe Flash Player 11.5.502.16?
BBMM
post 18.10.2013 01:05
Post #1


Newbie

Group: Members
Posts: 2
Joined: 18.10.2013




Yesterday my Mac started to show a message each time I open a webpage with Flash content.

The message said:

Adobe Flash Player 11.5.502.16
(in Portuguese) By clicking the Download now button, you confirm that you have read and accepted the Adobe Software License Agreement* and the McAfee Security Scan Plus License Agreement.

I ran a full scan but the problem persists. Any idea of how to remove it?

Many thanks in advance.
BBMM


Attached file: Pantalla_Malware.png (235,89K)
Rodion Nagornov
post 18.10.2013 18:08
Post #2


Social Media Support Manager

Group: Admin
Posts: 3586
Joined: 23.11.2011
From: Moscow, Russia




I think you should just install/re-install your Flash Player.
BBMM
post 18.10.2013 18:27
Post #3


Newbie

Group: Members
Posts: 2
Joined: 18.10.2013




Hi, I did what you suggested.
First I uninstalled the Flash Player, but the problem persisted, and then I reinstalled it again, but nothing happened; the browser is still showing the annoying message.

Rodion Nagornov
post 21.10.2013 18:15
Post #4


Social Media Support Manager

Group: Admin
Posts: 3586
Joined: 23.11.2011
From: Moscow, Russia




Did you contact Adobe or Apple support? I don't think the issue is related to viruses or Kaspersky.
Rodja
post 4.12.2013 06:43
Post #5


Newbie

Group: Members
Posts: 2
Joined: 4.12.2013




QUOTE(Rodion Nagornov @ 21.10.2013 11:15)
Did you contact Adobe or Apple support? I don't think the issue is related to viruses or Kaspersky.


This has nothing to do with Adobe or Apple.

I'm having the same issue and so far I believe this is a virus. And I'm running Windows, not a Mac.

Here's how it happens:

Whenever I access almost all websites using Chrome (didn't test on other browsers), a transparent DIV appears covering the whole screen. This DIV popup says that you need to update your Flash Player to see the site. Here's a screenshot:


When you take a closer look, you can see that the link redirects you to an IP that holds a zip file.


This is obviously malware that is making a lot of people download and install a virus on their computers.

I ran Kaspersky full scan and it didn't catch anything.

The only way I was able to remove this malware popup was by cleaning ALL my navigation data in Chrome. That includes cookies, history, everything.

Can the Kaspersky team help us to identify and remove this malware?

Thank you.

This post has been edited by Rodja: 4.12.2013 06:57
Attached files: flash_virus.png (13,67K), flash_virus_2.png (15,7K)
RageGT
post 4.12.2013 07:57
Post #6


Newbie

Group: Members
Posts: 1
Joined: 4.12.2013




Rodja is right. It is an annoyance that only goes away by cleaning our nav data on Chrome. I did download the file though, and submitted it to an online file scan website. Of 42 engines, only Kaspersky detects it for what I believe it truly is: Trojan Downloader! (I used Metascan Online)
americo2
post 4.12.2013 08:23
Post #7


Newbie

Group: Members
Posts: 1
Joined: 4.12.2013




It's so easy... just clean your "cache" and "web cache offline/user data".
Guaip
post 4.12.2013 14:17
Post #8


Newbie

Group: Members
Posts: 1
Joined: 4.12.2013




QUOTE(americo2 @ 4.12.2013 01:23)
It's so easy... just clean your "cache" and "web cache offline/user data".



Thank you!
I was losing my mind here. Cleaning my cache helped (it was happening in Firefox and Chrome, had to clean both).

But what concerns me more is HOW it got in my computer. I consider myself an advanced user, would never fall for this kind of trick (like downloading a fake Flash installer), so how the hell did it happen? Does anyone know how the PC gets infected by it?
jpfaraco
post 4.12.2013 15:58
Post #9


Newbie

Group: Members
Posts: 3
Joined: 4.12.2013




I tried cleaning my cache and all my offline browsing data, and am still getting the overlay on Chrome..

I've found that the sites that are displaying it have the Flash overlay code lines injected by this script http://www.google-analytics.com/ga.js
They all contain <script type="text/javascript" async="" src="http://www.google-analytics.com/ga.js"></script> in the <head> ..


Now, I have no idea how the script is being injected into the pages .. Any insights as to how this may be happening would be golden.
jpfaraco
post 4.12.2013 16:30
Post #10


Newbie

Group: Members
Posts: 3
Joined: 4.12.2013




QUOTE(jpfaraco @ 4.12.2013 15:58)
I tried cleaning my cache and all my offline browsing data, and am still getting the overlay on Chrome..

I've found that the sites that are displaying it have the Flash overlay code lines injected by this script http://www.google-analytics.com/ga.js
They all contain <script type="text/javascript" async="" src="http://www.google-analytics.com/ga.js"></script> in the <head> ..
Now, I have no idea how the script is being injected into the pages .. Any insights as to how this may be happening would be golden.


Just opened my laptop at work, and cleared my cache and offline browsing data .. The http://www.google-analytics.com/ga.js script here looks non-malicious, and doesn't inject the overlay, as I saw it did back home. I'm guessing something replaced the ga.js from my local cache with the malicious one I saw earlier. Either that, or the google-analytics.com domain is somehow being redirected to the malicious ga.js host.

Again, any ideas as to how this may be happening would be great.

This post has been edited by jpfaraco: 4.12.2013 16:37
The Safe Mac
post 4.12.2013 18:39
Post #11


Newbie

Group: Members
Posts: 2
Joined: 4.12.2013




QUOTE(jpfaraco @ 4.12.2013 07:30)
Again, any ideas as to how this may be happening would be great.


Users over on Apple's forums are reporting the same issue, and it sounds like it may be an issue caused by DNS cache poisoning of the Brazilian ISP NET Virtua. Are you connecting to the internet through NET Virtua at home, but not at work?
Rodja
post 4.12.2013 20:20
Post #12


Newbie

Group: Members
Posts: 2
Joined: 4.12.2013




It looks like some large sites are "immune" to this data injection. Such as Google, Evernote, Facebook, etc.

In the Mac forums there are users saying that their iPad is having the same issue. So it really makes sense that this issue is either a self-running cookie or some DNS cache.
I'm connecting through Virtua right now. And I'm using their DNS. Ever since I cleared the cache of Chrome the issue has not happened again.
jpfaraco
post 4.12.2013 22:41
Post #13


Newbie

Group: Members
Posts: 3
Joined: 4.12.2013




QUOTE(The Safe Mac @ 4.12.2013 18:39)
Users over on Apple's forums are reporting the same issue, and it sounds like it may be an issue caused by DNS cache poisoning of the Brazilian ISP NET Virtua. Are you connecting to the internet through NET Virtua at home, but not at work?


Exactly .. I'm on Virtua at home, but on GVT at work.
The Safe Mac
post 5.12.2013 06:20
Post #14


Newbie

Group: Members
Posts: 2
Joined: 4.12.2013




QUOTE(jpfaraco @ 4.12.2013 13:41)
Exactly .. I'm on Virtua at home, but on GVT at work.


In that case, I would consider changing DNS settings, at least temporarily, until the problem is fixed. See:

http://www.thesafemac.com/eliminating-brow...rtisements/#dns

You may also want to flush your DNS cache, just to be sure the poisoned DNS records are not still cached in your computer. See:

http://support.apple.com/kb/ht5343
Fabio Assolini
post 13.12.2013 22:36
Post #15


Advanced Member II

Group: KL LatAm
Posts: 224
Joined: 1.05.2006
From: SP, Brazil




Guys,

Just for the record, it was a DNS poisoning attack against Net Virtua customers in Brazil.
Unfortunately this kind of attack is common in the country:
https://www.securelist.com/en/blog/20819321...tacks_in_Brazil

The problem is solved if you choose a different DNS server such as Google or OpenDNS.

Kaspersky products detect the files distributed in this attack since December 4,



--------------------
Fabio Assolini
Malware Researcher Kaspersky Brasil * http://brazil.kaspersky.com/blog
I DO NOT ANSWER ANALYSES VIA PM, PLEASE USE THE FORUM
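The check this thread converges on (jpfaraco's suspicion that google-analytics.com was being redirected, confirmed as resolver poisoning in the last two posts) can be made concrete by asking the ISP's resolver and a reference resolver for the same name and comparing the answers. This is an added example, not code from anyone in the thread; it speaks raw DNS over UDP so it does not depend on the possibly poisoned system resolver, and the resolver addresses and any sample values in it are the user's inputs, not taken from the thread.

```python
import random
import socket
import struct
def build_a_query(name, txid):
    """Encode a minimal RFC 1035 query for the A record of `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(data, pos):
    """Return the offset just past a possibly compressed domain name."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length

def parse_a_answers(resp, txid):
    """Return the set of IPv4 addresses in the answer section of `resp`."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4  # skip QTYPE and QCLASS
    ips = set()
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return ips

def resolve_a(name, resolver, timeout=3.0):
    """Ask one resolver over UDP/53 for the A records of `name`."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name, txid), (resolver, 53))
        resp, _ = s.recvfrom(4096)
    return parse_a_answers(resp, txid)

def divergent(answers, reference):
    """Names of resolvers whose answers share no address with the reference's."""
    ref = answers[reference]
    return sorted(r for r, ips in answers.items() if r != reference and not ips & ref)
```

Call `resolve_a("google-analytics.com", <ISP resolver address>)` alongside a reference such as Google's 8.8.8.8 or OpenDNS's 208.67.222.222 and pass the results to `divergent`. CDN-backed names legitimately differ by region, so a disjoint answer set is a prompt to check who owns the returned address, not proof of poisoning on its own.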