Software and operating system-based controls have improved significantly over the last few years, making it extremely difficult to install software without a users' permission.
Human factors are now the path of least resistance. Since Flash Player is ubiquitous, it's the go-to for impersonation. It's way easier to get you to enter your password for a fake update than it is to install something silently without your knowledge.
Furthermore, Adobe has invested massive amounts of engineering resources to ensure that downloads that you get from us are authentic and unmodified. The entire release and build process is tightly controlled and monitored end-to-end. There are technical and procedural checks from multiple disparate teams, and we use cryptographic digital signatures (the keys to which are also tightly controlled) to certify that those builds are authentic. You can actually check binaries to ensure that they're legitimate and from us, should you choose. I'm confident that any installers that you're getting that contain malware aren't from us.
It's definitely possible for an attacker to take a legitimate copy of Flash Player, bundle it with malware and release it, but it won't be signed as coming from Adobe Systems Incorporated, and it won't be served from one of our servers.
Since you're getting malware repeatedly, either you're getting tricked repeatedly by fake update dialogs, you're not really getting rid of the infection in the first place, or you're restoring a backup that's already infected. I'll give you some guidance on how to avoid all of those and get back to a truly pristine state.
Also, it's worth pointing out that the malware guys are smart. We're way past the days of bored kids in basements. Once an attacker has established a foothold on the system, they're going to ensure that the infection is resilient (the bad guys test against all the popular anti-virus and clean products, too), and they also have automatic updates. Virus scanners and cleanup tools are trailing-edge solutions. Hundreds of thousands of malware variants are generated daily. It's a cat-and-mouse game, but the attackers have the edge if they can keep ahead of the anti-virus guys.
So, it's pretty likely that any clean-up effort you've taken has been incomplete. You may have dealt with the visible symptoms, but unless you're really going to do a comprehensive forensic analysis of the system, there are no guarantees.
Given the amount of headache you've had so far, if it were me, I would go very methodically, burning the entire system down, starting from pristine sources and removing any candidates for persistent infection vectors.
Here's what I'd recommend:
- Update the firmware on your router. Ideally, from a known-good computer.
There's a widely publicized vulnerability in many commodity wifi routers that allows an attacker to put exploit code in the working memory of the router. The code allows the attacker to inject code into webpages that you load. If you guessed that this manifests as fake Flash Player update dialogs, you guessed right.
If you can't remember the last time you updated your router's firmware, or if you've never done that, there's a good chance that this might be why you're seeing update dialogs on websites all the time. Simply unplugging the router for a few seconds and plugging it back in should be enough to restore it to normal working order temporarily. Applying any pending firmware updates should prevent the infection from recurring.
- If you use portable USB memory sticks, copy off any files that are important and then take a hammer to them.
It's possible to infect the firmware on USB memory sticks in a way that allows an attacker to store exploit code on the actual device hardware. It's invisible to you from the operating system. If you're using USB sticks regularly to transfer files, that may be what's happening. *Especially* if you're using them on any shared machines, like computer lab systems, internet cafes, etc...
Either switch to some cloud storage solution (e.g. Creative/Document Cloud, iCould, Google Drive, Dropbox, Box, etc.) or get an actual portable USB hard disk. There are really small portable SSD drives that work the same way, but aren't persistent vectors for infection.
Take a hammer to those USB sticks when you're done. It will remove the temptation to use them in a pinch, and it will be cathartic.
- Back up any important data files, if you haven't done so already.
Because you can't get rid of this infection, its time for a "salt the earth" strategy. We want to burn it all down and start over from pristine sources. If your backups allow you to restore only the important data files (the actual pictures and documents, etc.) great.
What we specifically don't wan to do, is to restore all of the operating system and application files that you've backed up, as there's a good chance that an attacker has one or more malicious binaries planted on the filesystem. If you can restore just your data files, great. If not, go get a portable hard drive (*not* a USB stick) and copy all of your important files over so that we can restore just those things later in the process.
- Delete all of the data from your startup disk and reinstall MacOS
Disconnect your portable hard disk from the computer so that you don't accidentally erase it, and then follow the directions below to erase all of the data on the disk
How to reinstall macOS - Apple Support
- Apply any pending MacOS updates at startup.
Also, make sure you're running the latest available OS version.
- Download and install a reputable, brand-name virus scanner. Make sure that it's up-to-date before proceeding.
- Reinstall your applications
Download and install all of your applications again. Where possible, get them from the App Store. Where that's not possible (e.g. Flash Player), download it directly from the vendor. If you got it from a torrent site, well, you might consider paying for it to ensure that it didn't come with "extras" that you might not want.
You can get Flash Player here:
https://get.adobe.com/flashplayer
- Take a snapshot of the machine
Now that you've got the machine mostly configured how you like it, and in a trustworthy state, this is a good time to make a baseline backup. If you end up with the infection again, you can confidently restore and save yourself a couple hours of work.
- Scan your old backups.
Ideally, your AntiVirus has something like "on-access scan", where it's scanning all of the files that you copy on the fly. It should be on by default, but it's worth a check. It's a good safeguard against copying over anything that's infected at this stage.
Attach your backup disk and scan it with your antivirus utility.
- Restore just your data files
Copy over only the actual data you need (documents, pictures, videos, etc.)
- Make sure Flash Player is enabled in your browser, if you want to use it. As the browsers make it more difficult to run Flash, you may have it installed, but need to enable it in the browser. This may cause some sites to tell you to install or update Flash.
The goal is to get you to a place where you're confident in just ignoring update notifications on websites.
https://helpx.adobe.com/flash-player/kb/install-flash-player-windows.html
https://helpx.adobe.com/flash-player/kb/flash-player-issues-windows-10-ie.html
https://helpx.adobe.com/flash-player/kb/flash-player-issues-windows-10-edge.html
https://support.mozilla.org/en-US/kb/why-do-i-have-click-activate-plugins
https://helpx.adobe.com/flash-player/kb/enabling-flash-player-safari.html
https://support.google.com/chrome/answer/6258784
https://helpx.adobe.com/flash-player/kb/enabling-flash-player-opera.html.
That should get you back to a state where you can really trust the machine again.
Once you're there, then it's important to avoid future infections.
- Enable Automatic Updates for anything that processes untrusted data.
Namely, the Operating System, Anti Virus, browsers and Flash Player. It's critical that you're getting updates for the products consistently and quickly.
Attackers are very sophisticated, and we can measure the time between when a security patch is shipped to the public and when attackers have reverse-engineered the binary patch and start attacking unpatched clients with a weaponized exploit. It's generally measured in weeks or days, not months or years.
The bottom line is that Automatic updates are necessary in 2018. Just enable them. The inconvenience of the occasional functional problem pales in comparison to what you're going through currently.
- Don't follow links on websites or email to updates, and always download installers directly from the App Store or vendor.
Just don't follow links or pop-up notifications. It's easy to make legitimate-looking notifications. Be skeptical.
If you have automatic updates enabled and something tells you to update, your odds are high that it's bogus. Wherever possible, just download applications from your operating system's App Store. They'll handle updates.
If you really think you need an update, open a new window and google for the product. Make sure you're going to the developer's website and not to some random download site. Download any software directly from the vendor and install it there.
- (Optional) Use a browser with Flash Player Built-In
Both Google Chrome (for all operating systems) and IE and Edge on Win8 and higher include Flash Player as a built-in component of the browser. There's nothing separate to install or maintain. That means that you can really ignore anything that tells you to install or update Flash.
In those instances, Google Chrome and Windows Update ensure that Flash Player is always up-to-date. Also, if you really don't trust our distribution pipeline, those bits are vetted and distributed directly by the respective vendors.
- Stay away from sketchy sites
Nothing is free. If you're not paying, you're the product. When it's Facebook, they're selling your information. When it's something less reputable, they might be selling something like control over your computer. Nobody is compromising your machine for fun. They're getting paid.
- Get a password manager, rotate all of your passwords, and use two-factor authentication
If people are logging into your email and stuff, that password you're using has leaked. It's not uncommon for malware to install keystroke loggers to capture valuable information like your credentials. I think it's pretty safe to assume, given what you've been going through, that your credentials are all thoroughly compromised.
In the world of daily breach announcements, you really want a unique password for each site that you use, and wherever possible, you should enable two-factor authentication wherever possible.
Unique passwords limits the damage done by any individual breach. You don't want a password breach on that hobby forum to grant some guy in the Ukraine access to your bank account.
Two factor authentication ensures that even if a bad guy has your password, they also need control of your phone in order to do anything with it. You want this.
Also, don't use those credentials from any machine that you can't confidently trust. If your other machines have been compromised or keep getting compromised, limit your use of anything important to the one machine you do trust, until you can work through everything and get it all back to a trustworthy state.
If you want to get really fancy, you can always verify that an application has been digitally signed. On MacOS, you can also look to see where a file was downloaded from, by looking at the file File Info. Similar techniques exist for Windows as well. They're a little involved, and a quick google for "Validating code signatures for <insert operating system>" will probably serve you well. Personally, just enabling automatic updates is a whole lot easier.
This general advice holds true for your other machines as well. There's a reason that when we teach people how to compromise machines, we start them out on WinXP and Vista. If you have aging operating systems running on your network, it's a good time to give some serious thought to retiring them. Run a modern operating system, keep it patched, and if it's been infected, just burn the thing down and start from pristine sources.
In the event that you run into a malicious installer or installation dialog, we have a team that pursues action against those sites. If you can grab a screenshot and the full URL of the download or the update window, just shoot an email to phishing@adobe.com or fraud@adobe.com, and we'll be happy to pursue a takedown on those.
Thanks!
33
Replies
AdChoices