Participant
May 16, 2015
Answered

Adobe Flash Player Update - Dregol and Glassbottle piggybacked!


On 5/15/2015 at 0700 Adobe Flash Player pushed an update to my computer with the familiar pop-up window that advised of a "necessary" update. I clicked on it to start the process and my AVAST Antivirus software immediately went into overdrive. It quickly blocked 15 programs from running, including a Trojan named "Glass Bottle" which had apparently allowed a port to be opened on my computer, as I could see that files were still loading onto my computer. I unplugged my network cord and the download terminated. I stopped working on my projects and immediately ran Malwarebytes to eliminate ALL threats. It found and successfully destroyed the attacking file (Dregol.A) and its sub-files, and closed the ports that were in use to download malware. All told it was three pages of output and 48 files in total, not including the ones that had been terminated and quarantined by AVAST.

Glass Bottle is the Trojan that opens a port and starts the download process for Dregol and other malware before it can be stopped. Dregol then installs a compromised version of the Chromium browser and makes it your default browser, using the system-level authorization granted when the user clicks on the "install" button on the Flash Player update. It then redirects the default search engines in all installed browsers, makes sure you receive false results from "Dregol"-compromised web searches, and starts downloading its various payloads to your computer. It also opens several ports, including 21 and 22, to establish two-way communications with your computer for remote access.

I have tried to find a way to report this to Adobe, but all my attempts to do so have come up with dead ends or redirects. My last attempt to "chat" with a representative was very underwhelming, to say the least. For Adobe Staff: please make reporting such attacks a streamlined, easy process for us, the end users of your products. To be pushed around from email link to forum to chat and back to email is quite frustrating. I have wasted several hours of my time with this problem this week; if Adobe is not interested in providing support or a way to easily report such attacks, please make that clear so we do not waste our time.


For the rest of us - until Adobe changes the Flash Update Engine to address this vulnerability - disable automatic updates and uninstall the Adobe Download Manager. If you have been hit by Dregol, run Malwarebytes, use the complete scan option for ALL files, and check your computer for open ports. Dregol in itself is not directly dangerous to your user data, but what it downloads without your permission could be extremely dangerous!

CB_Hedricks

2 replies

jeromiec83223024
Inspiring
May 19, 2015

Ugh, sorry to hear that your machine got infected with malware.

Unfortunately, one of the problems with Flash Player's ubiquity is that malware authors often attempt to impersonate Flash Player download dialogs in an attempt to trick you into downloading and installing fake software.  Adobe takes extraordinary measures to ensure that our signing keys are tightly controlled, and that the binaries issued from Adobe are legitimate and free from malware.

We highly recommend that users opt in to automatic updates, and always download Flash Player directly from Adobe by typing in the link: http://get.adobe.com/flashplayer.

If in doubt you're always welcome to download fresh copies of our installers, and check them against VirusTotal to confirm.
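One way to carry out the check described in this reply (confirm the installer's code signature and get a hash to look up on VirusTotal) is shown below as an added PowerShell example; it is not part of the thread or an Adobe tool, and the installer path and the expected signer substring are assumptions you set for your own environment.

```powershell
# Added example (not from the thread): verify a downloaded Flash Player installer
# before running it. Checks the Authenticode signature, that the signer is the
# expected publisher, and prints the SHA-256 so it can be looked up on VirusTotal.
# $InstallerPath and $ExpectedSigner are assumptions; adjust them for your system.
param(
    [string]$InstallerPath  = "$env:USERPROFILE\Downloads\install_flash_player.exe",
    [string]$ExpectedSigner = "Adobe"   # substring expected in the signer's Subject (assumption)
)

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    Write-Error "Installer not found: $InstallerPath"
    exit 1
}

# 1. Authenticode: an installer served by a fake update site is typically NotSigned,
#    signed by an unrelated publisher, or fails the certificate chain check.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
Write-Host "Signature status : $($sig.Status)"
Write-Host "Signer           : $($sig.SignerCertificate.Subject)"

$signatureOk = ($sig.Status -eq 'Valid') -and
               ($sig.SignerCertificate.Subject -like "*$ExpectedSigner*")

# 2. SHA-256 for a VirusTotal lookup. Searching the hex digest on the VirusTotal
#    site avoids uploading the file itself.
$hash = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
Write-Host "SHA-256          : $hash"

if ($signatureOk) {
    Write-Host "OK: signature valid and signer matches '$ExpectedSigner'."
} else {
    Write-Warning "Do NOT run this file: signature missing/invalid or signer mismatch."
    exit 2
}
```

A valid signature only proves who signed the file, not that it came from the site you expected, so the hash lookup complements rather than replaces the signature check.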

Participant
May 19, 2015

The update was exactly like the normal pop-up message that spawns to the desktop whenever an Adobe update is pushed. This is why I clicked on it in the first place without hesitation. There was not one indication of impersonation or foul play at all. Due to this, and the lack of a direct reporting path, I will not use Adobe auto updates going forward. With every attempt made to connect or contact someone from Adobe, I was constantly turned away, or redirected (bounced) from one representative to another 6 times before I finally gave up in frustration. Your post (reply) is the closest thing to what I would consider a professional response to my concerns, to this point.

_maria_
Community Manager
Correct answer
May 19, 2015

Charles Hedricks wrote:

<snip>

There was not one indication of impersonation or foul play at all.

</snip>

Unfortunately the malicious actors who create these malicious/fake Flash Player websites are very good at copying the Adobe and/or Flash Player brand/logo, and sometimes it's very difficult to determine that it is a fake notification or site (a common one is "Flash Player Pro"; there is no such Adobe product). Just the other day, on a different post, someone's router was infected and the DNS IP address changed. The only indication to me that it was a malicious site was the URL the page was redirected to. A normal user such as yourself wouldn't know the difference, as the page itself looked just like the official Adobe Flash Player Download Center page.


We do actively go after these malicious actors.  If you come across these fake Flash Player install/update sites please message them to me.  I do forward them to the appropriate folks here at Adobe when users tell me about them or I find them on web searches.

--

Maria

pwillener
Legend
May 18, 2015

I have used Flash Player since version 6, and I have never gotten any malware from Adobe downloads.  This is still true for the latest Flash Player update 17.0.0.188.

Never download any Flash Player installers or updates from anywhere else than the Adobe.com or Macromedia.com websites!

If you got pushed to download infected software, then it was most likely issued by other malware.  Sorry, I have no other explanation than this.