
FlashPlayer Virus

So, I was browsing the interwebs about an hour ago (just took this long to get around to posting this) and I clicked a link that didn't take me to the page I expected, and that I think I visited with the same link a few minutes earlier; anyways, it prompted me to download an update to Adobe Flash player, however the update window opened and downloaded the update automatically, which I know it doesn't do, also the updater looked like the one on Windows, just with a Mac's title bar at the top, might look like that on Macs too, but I can't remember ever updating it so... Also, there was a spelling mistake, and I am very particular about those sorts of things, so I noticed it, and I know that the real one doesn't have that, so anyways, the updater thingy was in the browser window, it just looked like a separate window.


The webpage that I ended up getting directed to and that downloaded the file is: http://adobe****hplayer.rr.nu/8f/

The file is named: FlashPlayer-11-MacOSX.pkg


Well, I never opened it because of the obvious (in my opinion) fake... ness... but what concerned me was that after doing a Bing search (because I switched from Google last week, and even though I checked Google, I didn't find helpful results as fast) I found that there was such a virus before, not too long ago that I figured, it was after the MacDefender virus, but I didn't read the date on the article I read about it.

Anyways, what concerned me was that the thingy (XProtect I believe it is) allowed the file to be downloaded at all. I just checked and the thingy is set to update the "safe downloads list" automatically, so...


Anyways, is there a reason that it may have been allowed?

More importantly, does this potentially need reporting?


This is the webpage that downloaded the file

[Image: user uploaded file]


< Link Edited By Host >

MacBook Pro, Mac OS X (10.7.2), Mid 2010 model

Posted on Jan 20, 2012 6:31 PM

Question marked as Best reply

Jan 20, 2012 6:44 PM in response to Timothy Westman-Barth

Yes, it's a trojan, and this is why you can't rely on any automated protection from malware -- neither Apple's nor anyone else's. The attackers are always ahead of the defenders. The XProtect database doesn't yet include this item. The only effective defense against malware is common sense, which is what saved you in this case. I'm not aware of any way you can report malware to Apple.

Apr 5, 2012 9:06 AM in response to marckopolo

I clicked on a adobe flash pop up offering an update and gave my authorization when prompted!

The people spreading the Trojan make it somewhat difficult to figure out real from fake. Adobe's real Flash player will pop up an almost identical looking updater when a new version is available. It is real and intentional.


If you check the System Preferences, you'll see a Flash Player icon in the bottom row. Click on its Advanced tab. You'll see that you can change the radio button to "Never check for updates (not recommended)". But really, it's safer to use that one and check manually with the "Check Now" button underneath that. Then you will know if you see a pop up saying you need to update Flash, it's fake.


The one shown above is the most common of this Trojan going around. Two big things really give it away. One, the author can't spell worth beans. Unless "Update fix a crush of Adobe Flash player." is some new form of proper English. Also note what URL it went to. The .nu domain is particularly used in Sweden, Denmark, Norway, the Netherlands and Belgium. So the Flash player being downloaded from there sure the heck isn't from Adobe.
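The domain check described in the reply above, as an added example that is not part of the original thread: it compares a download URL's real hostname against a vendor allowlist on label boundaries, so a brand name placed in a subdomain or before an `@` does not pass. The allowlist, the sample URLs and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption for illustration: the vendor's download domains. Confirm them yourself.
TRUSTED_DOMAINS = ("adobe.com", "macromedia.com")

# Constructed sample URLs (not taken from the thread); .example is a reserved TLD.
SAMPLES = [
    "http://adobe-player-update.example/8f/FlashPlayer-11-MacOSX.pkg",
    "https://adobe.com.updates.example/FlashPlayer-11-MacOSX.pkg",
    "https://adobe.com@downloads.example/FlashPlayer-11-MacOSX.pkg",
    "https://get.adobe.com/flashplayer/",
]

def host_of(url):
    """Return the normalized hostname of a URL, or None if it has none."""
    host = urlsplit(url).hostname  # ignores any user@ prefix and the port
    return host.rstrip(".").lower() if host else None

def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only if host is a trusted domain or a subdomain of one."""
    # Matching on ".domain" avoids accepting hosts that merely end in the name.
    return any(host == d or host.endswith("." + d) for d in trusted)

def assess_download(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason) for a download URL."""
    host = host_of(url)
    if host is None:
        return ("reject", "no hostname in URL")
    if not is_trusted_host(host, trusted):
        brands = [d.split(".")[0] for d in trusted]
        if any(b in host for b in brands):
            # The brand appearing inside another domain's labels proves nothing.
            return ("reject", f"brand name used inside unrelated domain {host}")
        return ("reject", f"{host} is not a vendor domain")
    if urlsplit(url).scheme != "https":
        return ("reject", "vendor domain but not fetched over https")
    return ("accept", f"{host} is under a vendor domain")

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess_download(sample), sample)
```
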

Apr 6, 2012 9:34 AM in response to Kurt Lang

But that didn't answer Marckopolo's question, which is the same situation I have. Once I've installed Apple's updates, am I safe? If not, is there a way to find and erase the trojan from my download files?


Mea culpa - I admit my stupidity. No one has yet answered the question of what to do AFTER one has mistakenly given the authorization to download the trojan.

Apr 6, 2012 10:00 AM in response to Mayapple

But that didn't answer Marckopolo's question,

Sure it did. He stated:

I clicked on a adobe flash pop up offering an update and gave my authorisation when prompted! Just read that it may have been a Trojan!

I pointed out two of the differences in the fake Flash update (per the image in the first post). Also how to turn automatic updating of the real Flash player off, so if you see any type of popup after that, you know it's a scam. Seems like an answer to me.

Apr 6, 2012 4:25 PM in response to Kurt Lang

One, the author can't spell worth beans. Unless "Update fix a crush of Adobe Flash player." is some new form of proper English.

LOL @ Kurt.


Yes, I've noticed over the years, there are so many malware creators that spend their whole scammy career tweaking out fake update apps, and tend to never catch on to the fact they are giving themselves away half the time by not being able to avoid simple typos and basic linguistics.


It should be mandatory for scammers to take a few courses of English at least... considering most of the world either speaks English or Chinese. It's a good thing they don't!

Apr 6, 2012 6:17 PM in response to woodmeister50

Thank you, woodmeister.


So the answer to Marckopolo's question, "Went to software update and installed 3 updates including a java one. Do I need to do anything else? or can I relax? " is yes, we need to do something else, and no, we can't relax.

Further action must be taken in addition to downloading the latest Apple updates, and woodmeister has kindly supplied a link to that further action. I'm not very computer savvy (case-in-point, I okay'd the malware in the first place), but I will follow carefully the instructions from the link.


That is what we need to know. The rest of you can enjoy your diatribes about us dumbunnies who didn't notice the misspelling. You are right, though, I should have known better, and, in fact, I knew the minute I clicked okay that I shouldn't have done it. Now I'm scared to check my bank account, etc.

Apr 6, 2012 6:32 PM in response to Kurt Lang

Bingo! You hit the nail on the head.


Most spam, trojans, phishes etc. are so poorly spelled that anyone with a high school education can tell that they are fake.


Look for the obvious (loose instead of lose; its confused with it's; using an 's to denote a plural) and other such bad spelling. It's not nit-picking to notice poor spelling. Most hackers are poorly educated.

Apr 7, 2012 7:45 AM in response to Mayapple

I feel really stupid about clicking okay to the malware,

Don't. That's exactly what the crooks hope for. That you aren't paying close enough attention, or to scare you into clicking on something with a dire sounding warning that you've been infected.


Of course, there really are the less intelligent who (believe it or not!) continue to fall for the Nigerian scam. Greed, or the prospect of seemingly easy riches can make people do very stupid things.
