Last week I foolishly installed malware disguised as Flash Player on my Mac. Today I had a pop-up telling me I should update the Flash Player; it was not from an Adobe URL, so I was suspicious. But this time I captured the URL instead of clicking on it.
If this is a valid Adobe URL, it would be nice if you used one; if not, GO GET 'EM.
Thanks
Bill BIesele
Moving to Flash Player.
Regards
Rajashree
Thanks for the report. I've escalated this to our fraud team.
Hi, I also have malware posing as Flash Player on my brand new laptop. I've reset my laptop a few times and still it comes back. Can you help?
It sounds like there's a good chance that you're reinfecting your computer through some action that you keep repeating. It's possible that you've backed up infected files, are installing software that has an infected payload, using an infected USB memory stick, or there's another infected machine on your network that keeps infecting your machine before it can get patched completely.
If it were my personal machine on my home network, I would:
So, not a lot of fun, but just going through everything methodically, and then ensuring that you keep your software fully patched at all times (everything should have automatic updates enabled, routers should get checked regularly for available updates, etc.) is the best way to keep malware off your system.
Depending on your current browser of choice, you might think about switching to one with a better reputation for resilience against malware.
Although fairly experienced, I was evidently fooled by a very official-looking notification that my Flash Player may be out of date. I ignored the notification several times but in a weak moment approved the installation. What I got was the Kovter malware. This malware does not use files, so it is invisible to my two security products, Windows Defender and AVG. Kovter mostly "lives" in the Registry and uses Windows modules Mshta, PowerShell, Regsvr32, and perhaps others. If you use the Windows Task Manager, specify that you want to view ALL processes running, and see two or more instances of Regsvr32 running, I think that you can be confident that your PC has been infected with the Kovter malware. If there is a reliable way to remove this malware posted on the Internet, I have not yet found it. I know that this, strictly speaking, is not Adobe's problem, but it would be wonderful to come to this site and see a manageable method for removing Kovter. Thanks for reading this.
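As an added example (not code from the post or from Adobe), the following script encodes the tells described above as detection logic: two or more regsvr32.exe instances, one scripting host spawning another, and script passed inline on the command line instead of from a file. It runs over a constructed process snapshot; every PID, path and command line in it is made up.

```python
"""Heuristics for a registry-resident (fileless) process chain, over a constructed snapshot."""
from collections import Counter
from dataclasses import dataclass

# Windows binaries the post names as abused by the registry-resident malware
LOLBINS = {"regsvr32.exe", "mshta.exe", "powershell.exe"}
# Command-line markers of inline script execution (no script file on disk)
INLINE_SCRIPT = ("javascript:", "vbscript:", "-enc ", "-encodedcommand")


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    cmdline: str


def findings(procs):
    """Return human-readable findings; an empty list means nothing matched."""
    by_pid = {p.pid: p for p in procs}
    names = Counter(p.name.lower() for p in procs)
    out = []
    # Rule 1: the Task Manager tell from the post, two or more regsvr32.exe
    if names["regsvr32.exe"] >= 2:
        out.append(f"{names['regsvr32.exe']} regsvr32.exe instances running")
    for p in procs:
        if p.name.lower() not in LOLBINS:
            continue
        parent = by_pid.get(p.ppid)
        # Rule 2: one scripting host launching another (regsvr32 -> mshta -> powershell)
        if parent and parent.name.lower() in LOLBINS:
            out.append(f"{parent.name} (pid {parent.pid}) spawned {p.name} (pid {p.pid})")
        # Rule 3: script supplied inline on the command line rather than from a file
        if any(m in p.cmdline.lower() for m in INLINE_SCRIPT):
            out.append(f"{p.name} (pid {p.pid}) runs inline script: {p.cmdline[:60]}")
    return out


# Constructed snapshot (made-up PIDs, paths and arguments), not captured telemetry
SAMPLE = [
    Proc(4, 0, "System", ""),
    Proc(3320, 612, "explorer.exe", "C:\\Windows\\explorer.exe"),
    Proc(4100, 3320, "regsvr32.exe", "regsvr32.exe /s C:\\Users\\me\\AppData\\Roaming\\a.dll"),
    Proc(4104, 3320, "regsvr32.exe", "regsvr32.exe /s C:\\Users\\me\\AppData\\Roaming\\b.dll"),
    Proc(4220, 4100, "mshta.exe", "mshta.exe javascript:eval(\"...\")"),
    Proc(4300, 4220, "powershell.exe", "powershell.exe -nop -w hidden -enc QUJD"),
    Proc(5000, 3320, "notepad.exe", "notepad.exe readme.txt"),
]

if __name__ == "__main__":
    for line in findings(SAMPLE):
        print(line)
```

On a live Windows host the same four fields can be read from `Get-CimInstance Win32_Process` (Name, ProcessId, ParentProcessId, CommandLine) and fed to `findings`.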
A cursory Google search returns a number of results for "Kovter removal"; however, most are dated around 2015, and I have to imagine that the malware has evolved since those articles were written. In addition, once an attacker establishes a foothold on the machine, it would be smart of them to pursue methods that ensure that their hold over the machine is resilient against the current state of the antivirus solutions.
There's an entire industry geared towards preventing, tracking and managing malware infections (and an industry-scale adversary focused on compromising machines through malware), and while we'd be happy to point you towards resources, they're easily discovered. We're not in a position to endorse the accuracy or efficacy of a given tool or technique, and there are literally hundreds of thousands of malware variants that are discovered on a given day.
As you've observed, anti-malware software can detect many known threats; however, those threats are also accompanied by a universe of unknown unknowns, and the decision to trust an affected system after infection really comes down to your personal risk tolerance and the sensitivity of what you do with the machine.
As an aside, it's also probably a good time to make sure that your backup strategy is in order for any critical data, that all of the other systems on your network have been scanned and updated, and that any hardware on the network (routers, thermostats, refrigerators, etc.) have the latest updates and firmware installed.
Hopefully that helps, or at least makes sense. The bottom line is that I'd rather see us give no answer instead of the wrong answer in this kind of situation. You're better off seeking expert advice from a reputable malware or antivirus vendor, and/or simply wiping and restoring the machine from pristine sources for maximum confidence. I totally empathize with your situation, but I don't want to give you a false sense of security, or an ineffective solution that puts you in a bad position down the road.
"Resilient" certainly applies. I spent hours trying to remove suspicious items from the registry and other locations on my PC, thinking I had made some progress, but at the next shutdown/startup my PC (running Windows 7 Ultra) had the same telltale processes Mshta, PowerShell, and Regsvr32 running.
In case it helps anyone, I turned to Malwarebytes.com. Their scan found 17 suspicious items, quarantined them, and I've since seen no instances of the above processes running.
Some of the quarantined items had "FlashPlayerPro" in their names. Are these miscreants devious or what?
I wish there were a way for Adobe to warn people not to respond to the "your FlashPlayer may be out-of-date" pop-up which these perps are using. In my opinion it looks extremely authentic.
I thank you for the response.
Unfortunately, you've hit on the intractable problem. It's pretty trivial to make pixel-perfect anything on a computer. Conversely, it's very difficult to install software without the user's consent. This means that attackers instead focus on human factors, since that is the path of least resistance. At best, we could lead attackers in a cat-and-mouse game, but that would further confuse the audience of people trying to determine what is and isn't legitimate.
Flash Player is ubiquitous (we serve up about 2.5 billion monthly installs, and that's not counting the browsers that ship it as a built-in component). If you're an attacker looking to forge an update dialog that people are likely to get, Flash Player is a good choice, and it's exactly what happens in practice.
Here's our recommendation:
Again, sorry for the pain. If you do see bogus installers, we're happy to forward them along to the team that provides the takedown notifications. We need a screenshot and the full link to the page that shows the fake download notice. Unfortunately, it's typically trivial for attackers to spawn new instances at other locations, but we're happy to do what we can to combat it.
Today I received a popup to update Flash, so I downloaded and installed what I thought was a genuine update.
Now I know I installed malware, and am not sure what to do to erase it. What version of malware is it?
See my post above from June 16, 2016. It still applies.
I provided a little more detail to another Mac user yesterday in this vein.
It's at the end of the thread, here: VIRUS with new Adobe Flash installer
Malware doesn't have a version. It's a collective name for all of the bad software created to attack computers, for all sorts of reasons (stealing personal info and credit cards; sending spam; hosting illegal pornography; making bitcoin; attacking other computers; blackmail; and many more). Recommended is to have your computer professionally sorted out, which will need the computer to be wiped and all the apps installed again. This should use backups you took before the attack.