Full Version: Adobe Flash Player 11.5.502.16
BBMM
Yesterday my Mac started to show a message each time I open a webpage with Flash content.

The message said:

Adobe Flash Player 11.5.502.16
Ao clicar no botao Fazer download agora, voce afirma que leu e aceitou o Contrato de Licenciamento de Software da Adobe* e o Contrato de Licenca do McAfee Security Scan Plus.

I ran a full scan but the problem persists. Any idea of how to remove it?

Many thanks in advance.
BBMM

Rodion Nagornov
I think you just should install/re-install your Flash player.
BBMM
Hi, I did what you suggested.
First I uninstalled the Flash player, but the problem persisted, and then I reinstalled it again, but nothing happened; the browser is still showing the annoying message.

Rodion Nagornov
Did you contact Adobe or Apple support? I don't think the issue is related to viruses or Kaspersky.
Rodja
QUOTE(Rodion Nagornov @ 21.10.2013 11:15) *
Did you contact Adobe or Apple support? I don't think the issue is related to viruses or Kaspersky.


This has nothing to do with Adobe or Apple.

I'm having the same issue and so far I believe this is a virus. And I'm running Windows, not a Mac.

Here's how it happens:

Whenever I access almost any website using Chrome (I didn't test other browsers), a transparent DIV appears covering the whole screen. This DIV popup says that you need to update your Flash Player to see the site. Here's a screenshot:


When you take a closer look, you can see that the link redirects you to an IP that holds a zip file.


This is obviously a malware that is making a lot of people download and install a virus in their computers.

I ran Kaspersky full scan and it didn't catch anything.

The only way I was able to remove this malware popup was by cleaning ALL my navigation data in Chrome. That includes cookies, history, everything.

Can the Kaspersky team help us to identify and remove this malware?

Thank you.
RageGT
Rodja is right. It is an annoyance that only goes away by cleaning our nav data on Chrome. I did download the file though, and submitted it to an online file scan website. Of 42 engines, only Kaspersky detects it for what I believe it truly is: Trojan Downloader! (I used Metascan Online)
americo2
It's so easy.....just clean your "cache", and "web cache offline/user data"
Guaip
QUOTE(americo2 @ 4.12.2013 01:23) *
It's so easy.....just clean your "cache", and "web cache offline/user data"



Thank you!
I was losing my mind here. Cleaning my cache helped (it was happening in Firefox and Chrome, had to clean both).

But what concerns me more is HOW it got in my computer. I consider myself an advanced user, would never fall for this kind of trick (like downloading a fake Flash installer), so how the hell did it happen? Does anyone know how the PC gets infected by it?
jpfaraco
I tried cleaning my cache and all my offline browsing data, and am still getting the overlay on Chrome..

I've found that the sites that are displaying it have the Flash overlay code lines injected by this script http://www.google-analytics.com/ga.js
They all contain <script type="text/javascript" async="" src="http://www.google-analytics.com/ga.js"></script> in the <head> ..


Now, I have no idea how the script is being injected into the pages .. Any insights as to how this may be happening would be golden.
jpfaraco
QUOTE(jpfaraco @ 4.12.2013 15:58) *
I tried cleaning my cache and all my offline browsing data, and am still getting the overlay on Chrome..

I've found that the sites that are displaying it have the Flash overlay code lines injected by this script http://www.google-analytics.com/ga.js
They all contain <script type="text/javascript" async="" src="http://www.google-analytics.com/ga.js"></script> in the <head> ..
Now, I have no idea how the script is being injected into the pages .. Any insights as to how this may be happening would be golden.


Just opened my laptop at work, and cleared my cache and offline browsing data .. The http://www.google-analytics.com/ga.js script here looks non-malicious, and doesn't inject the overlay, as I saw it did back home. I'm guessing something replaced the ga.js from my local cache with the malicious one I saw earlier. Either that, or the google-analytics.com domain is somehow being redirected to the malicious ga.js host.

Again, any ideas as to how this may be happening would be great.
The Safe Mac
QUOTE(jpfaraco @ 4.12.2013 07:30) *
Again, any ideas as to how this may be happening would be great.


Users over on Apple's forums are reporting the same issue, and it sounds like it may be an issue caused by DNS cache poisoning of the Brazilian ISP NET Virtua. Are you connecting to the internet through NET Virtua at home, but not at work?
Rodja
It looks like some large sites are "immune" to this data injection. Such as Google, Evernote, Facebook, etc.

In the Mac forums there are users saying that their iPad is having the same issue. So it really makes sense that this issue is either a self-running cookie or some DNS cache.
I'm connecting through Virtua right now. And I'm using their DNS. Ever since I cleared the cache of Chrome the issue did not happen again.
jpfaraco
QUOTE(The Safe Mac @ 4.12.2013 18:39) *
Users over on Apple's forums are reporting the same issue, and it sounds like it may be an issue caused by DNS cache poisoning of the Brazilian ISP NET Virtua. Are you connecting to the internet through NET Virtua at home, but not at work?


Exactly .. I'm on Virtua at home, but on GVT at work.
The Safe Mac
QUOTE(jpfaraco @ 4.12.2013 13:41) *
Exactly .. I'm on Virtua at home, but on GVT at work.


In that case, I would consider changing DNS settings, at least temporarily, until the problem is fixed. See:

http://www.thesafemac.com/eliminating-brow...rtisements/#dns

You may also want to flush your DNS cache, just to be sure the poisoned DNS records are not still cached in your computer. See:

http://support.apple.com/kb/ht5343
Fabio Assolini
Guys,

Just to register, it was a DNS poisoning attack against Net Virtua customers in Brazil.
Unfortunately this kind of attack is common in the country:
https://www.securelist.com/en/blog/20819321...tacks_in_Brazil

The problem is solved if you choose a different DNS server such as Google or OpenDNS.

Kaspersky products detect the files distributed in this attack since December 4,
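
The check below is an added example, not code from any poster in this thread: it asks a resolver for a name's A records and flags the case described above, where the ISP resolver's answer shares no address with a reference resolver such as the ones suggested in the last post. The function names and the documentation-range addresses fed to `sample_response` are assumptions constructed for illustration.

```python
import secrets, socket, struct

def build_query(name, qid):
    """Encode a recursive A/IN query for `name` with transaction ID `qid`."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:   # walk plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)           # pointer = 2 bytes, root = 1

def a_records(msg):
    """Extract the IPv4 addresses from the answer section of a DNS response."""
    qd, an = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # QTYPE + QCLASS
    ips = set()
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def resolve_via(resolver, name, timeout=3.0):
    """Live A lookup against one resolver over UDP (needs network)."""
    query = build_query(name, secrets.randbits(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        reply = s.recv(512)
    if reply[:2] != query[:2]:
        raise ValueError("DNS reply ID mismatch")
    return a_records(reply)

def suspicious(isp_ips, reference_ips):
    """True when the ISP resolver answered but shares no address with the references."""
    return bool(isp_ips) and isp_ips.isdisjoint(reference_ips)

def sample_response(name, ip):
    """Constructed reply: the query plus one A record using a compression pointer."""
    q = bytearray(build_query(name, 0x1234))
    q[2:4], q[6:8] = b"\x81\x80", b"\x00\x01"     # flags: response; ANCOUNT = 1
    return bytes(q) + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
```

Names hosted on CDNs can legitimately resolve to different addresses per resolver, so a mismatch is a lead to investigate rather than proof of poisoning.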
