24 Replies Latest reply: Apr 9, 2012 3:12 AM by Dumpedal
Timothy Westman-Barth Level 1 (145 points)

So, I was browsing the interwebs about an hour ago (just took this long to get around to posting this) and I clicked a link that didn't take me to the page I expected, and that I think I was visiting with the same link a few minutes earlier; anyways, it prompted me to download an update to Adobe Flash player, however the update window opened and downloaded the update automatically, which I know it doesn't do, also the updater looked like the one on Windows, just with a Mac's title bar at the top, might look like that on Macs too, but I can't remember ever updating it so... Also, there was a spelling mistake, and I am very particular about those sorts of things, so I noticed it, and I know that the real one doesn't have that, so anyways, the updater thingy was in the browser window, it just looked like a separate window.

 

The webpage that I ended up getting directed to and that downloaded the file is: http://adobe****hplayer.rr.nu/8f/

The file is named: FlashPlayer-11-MacOSX.pkg

 

Well, I never opened it because of the obvious (in my opinion) fake... ness... but what concerned me was that after doing a Bing search (because I switched from Google last week, and even though I checked Google, I didn't find helpful results as fast) I found that there was such a virus before, not too long ago that I figured, it was after the MacDefender virus, but I didn't read the date on the article I read about it.

Anyways, what concerned me was that the thingy (XProtect I believe it is) allowed the file to be downloaded at all. I just checked and the thingy is set to update the "safe downloads list" automatically, so...

 

Anyways, is there a reason that it may have been allowed?

More importantly, does this potentially need reporting?

 

This is the webpage that downloaded the file

[Image: Intro - watch now-1-1.png]

 

< Link Edited By Host >


MacBook Pro, Mac OS X (10.7.2), Mid 2010 model
  • Linc Davis Level 10 (165,110 points)

    Yes, it's a trojan, and this is why you can't rely on any automated protection from malware -- neither Apple's nor anyone else's. The attackers are always ahead of the defenders. The XProtect database doesn't yet include this item. The only effective defense against malware is common sense, which is what saved you in this case. I'm not aware of any way you can report malware to Apple.

  • marckopolo Level 1 (0 points)

    I clicked on an Adobe Flash pop up offering an update and gave my authorisation when prompted! Just read that it may have been a Trojan! Went to software update and installed 3 updates including a Java one. Do I need to do anything else? or can I relax? Please help as not very tech savvy!

  • Kurt Lang Level 8 (35,200 points)

    I clicked on an Adobe Flash pop up offering an update and gave my authorization when prompted!

    The people spreading the Trojan make it somewhat difficult to figure out real from fake. Adobe's real Flash player will pop up an almost identical looking updater when a new version is available. It is real and intentional.

     

    If you check the System Preferences, you'll see a Flash Player icon in the bottom row. Click on its Advanced tab. You'll see that you can change the radio button to "Never check for updates (not recommended)". But really, it's safer to use that one and check manually with the "Check Now" button underneath that. Then you will know if you see a pop up saying you need to update Flash, it's fake.

     

    The one shown above is the most common of this Trojan going around. Two big things really give it away. One, the author can't spell worth beans. Unless "Update fix a crush of Adobe Flash player." is some new form of proper English. Also note what URL it went to. The .nu domain is particularly used in Sweden, Denmark, Norway, the Netherlands and Belgium. So the Flash player being downloaded from there sure the heck isn't from Adobe.
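
The URL check described in the post above, as an added example that is not part of any post in this thread: it goes beyond the single URL discussed and also covers look-alike hosts that merely contain the vendor's name. The function names are hypothetical, the sample URLs are constructed, and it assumes genuine downloads are served from `adobe.com` or one of its subdomains.

```shell
#!/bin/sh
# Added example: decide whether a download URL really points at adobe.com.
# All URLs below are constructed samples, not taken from the thread.

# Print the lower-cased host of a URL (scheme, userinfo, port and path removed).
url_host() {
    rest=${1#*://}          # drop "http://" or "https://"
    rest=${rest%%[/?#]*}    # keep only the authority part
    rest=${rest##*@}        # drop "user:pass@" (used to fake a trusted prefix)
    rest=${rest%%:*}        # drop ":port"
    printf '%s\n' "$rest" | tr 'A-Z' 'a-z'
}

# Succeed only if the host is adobe.com itself or a subdomain of it.
# A host that merely contains or starts with "adobe" does not qualify.
is_adobe_host() {
    case "$1" in
        adobe.com|*.adobe.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "vendor" or "NOT vendor" for a download URL.
classify_download() {
    if is_adobe_host "$(url_host "$1")"; then
        echo "vendor"
    else
        echo "NOT vendor"
    fi
}

# Constructed samples: one genuine-looking host and three look-alikes.
for u in \
    "https://get.adobe.com/flashplayer/" \
    "http://adobe-update.example.net/8f/" \
    "http://adobe.com.example.net/update.pkg" \
    "http://get.adobe.com@example.net/update.pkg"
do
    printf '%-12s %s\n' "$(classify_download "$u")" "$u"
done
```

On a Mac, `mdls -name kMDItemWhereFroms <file>` shows the URL the browser recorded for a downloaded file, which can be checked the same way before the package is opened.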

  • HACKINT0SH Level 5 (5,755 points)

    I do wish these users would stop crying Wolf. There is no such thing as a MacDefender Virus. A malware trojan is another thing. A virus would have to be self-replicating. MacDefender had to rely on both compromised servers, AND have you visit them, AND have you gullible enough to fall for 10 basic NO-NO steps.

  • Mayapple Level 1 (0 points)

    But that didn't answer Marckopolo's question, which is the same situation I have.  Once I've installed Apple's updates, am I safe?  If not, is there a way to find and erase the trojan from my download files? 

     

    Mea culpa - I admit my stupidity.  No one has yet answered the question of what to do AFTER one has mistakenly given the authorization to download the trojan.

  • woodmeister50 Level 5 (4,185 points)
  • Kurt Lang Level 8 (35,200 points)

    But that didn't answer Marckopolo's question,

    Sure it did. He stated:

    I clicked on an Adobe Flash pop up offering an update and gave my authorisation when prompted! Just read that it may have been a Trojan!

    I pointed out two of the differences in the fake Flash update (per the image in the first post). Also how to turn automatic updating of the real Flash player off, so if you see any type of popup after that, you know it's a scam. Seems like an answer to me.

  • HACKINT0SH Level 5 (5,755 points)

    One, the author can't spell worth beans. Unless "Update fix a crush of Adobe Flash player." is some new form of proper English.

    LOL @ Kurt.

     

    Yes, I've noticed over the years, there are so many malware creators that spend their whole scammy career tweaking out fake update apps, and tend to never catch on to the fact they are giving themselves away half the time by not being able to avoid simple typos and basic linguistics.

     

    It should be mandatory for scammers to take a few courses of English at least... considering most of the world either speaks English or Chinese. It's a good thing they don't!

  • Mayapple Level 1 (0 points)

    Thank you, woodmeister. 

     

    So the answer to Marckopolo's question, "Went to software update and installed 3 updates including a java one. Do I need to do anything else? or can I relax? " is yes, we need to do something else, and no, we can't relax.

      

    Further action must be taken in addition to downloading the latest Apple updates, and woodmeister has kindly supplied a link to that further action.  I'm not very computer savvy (case-in-point, I okay'd the malware in the first place), but I will follow carefully the instructions from the link.

     

    That is what we need to know.  The rest of you can enjoy your diatribes about us dumbunnies who didn't notice the misspelling.  You are right, though, I should have known better, and, in fact, I knew the minute I clicked okay that I shouldn't have done it.  Now I'm scared to check my bank account, etc.

  • Topher Kessler Level 6 (9,735 points)

    It's almost as if they purposefully leave a breadcrumb trail with these update mistakes. There are two obvious ones in there, the first being "update to a latest version" (should be "the latest"), and the second being "fix a crush" and the whole structure of the second sentence. Quite amusing indeed.

  • nerowolfe Level 6 (13,070 points)

    Bingo! You hit the nail on the head.

     

    Most spam, trojans, phishes etc. are so poorly spelled that anyone with a high school education can tell that they are fake.

     

    Look for the obvious (loose instead of lose; its confused with it's; using an 's to denote a plural) and other such bad spelling. It's not nit-picking to notice poor spelling. Most hackers are poorly educated.

  • HACKINT0SH Level 5 (5,755 points)

    I always got a kick out of those phishing sites that try to imitate Amazon, and despite copying everything down to a T (must have taken them ages to do that), they still spelt the big title as Ammazon.

     

    LOL.

     

    Now let's forget all the other nit-picking on the page..... when you can't even get the headline right..............

  • Kurt Lang Level 8 (35,200 points)

    The rest of you can enjoy your diatribes about us dumbunnies who didn't notice the misspelling.

    Diatribes? Calling anyone dumbunnies? Where did you see either of those? That I can see, everyone presented straightforward facts with clear explanations.

  • Mayapple Level 1 (0 points)

    Sorry Kurt, you are correct.  I feel really stupid about clicking okay to the malware, and I know I would not have done so back when I was using a non-Apple PC.  Will never again get complacent as a user of Apple products. 

    Those of us who did allow the fake "update" are desperate to know what to do next.
