Safari malware offers Flash Upgrade

Question

Level 1

78 points

Safari malware offers Flash Upgrade

I have the latest OS X and latest Safari installed on a macbook purchased 2 months ago.

When I try to access wunderground.com, after navigation there, one of several types of dialogue boxes will open that tell me that my Flash is out of date.

Trying to escape this mess, one may end up downloading several files that portend to be .dmg files that have an update to Adobe Flash. If one mounts these disks, it is immediately obvious that these .dmg did not come from Adobe.

One of the web sites that this web page refers you to is: http://liveupdate.upgrade-pro.org

I don't suppose anyone would be surprised to discover this is in Europe.

I have gone to the Adobe site and ensured I've installed the latest flash. This did not stop the pop-ups.

I turned off flash and deleted it completely according to Adobe instructions. The pop-ups still happen.

I've tried several other "off-the-wall" ideas that I won't mention here to avoid embarrassment.

I have another macbook set up looking at exactly the same pages from wunderground.com. It has not had these dialogue boxes pop up.

This is not the first box to show up, but note that this is a really, really old version of Flash

This is an alternate dialogue box that might appear. This one comes from a totally different web site

http://cdn.freefacet.com/lp/?appid=2297&subid=d3609d4b-10c4-4b92-be54-413d78e69e b3&c8=service.quickseas.com&btp_h=31cde2…

This problem (AFAIK) only affects wunderground.com pages (which are not affected on my other computer)

Here is a trace route to the web site that is pushing this bogus flash on me.

bash-3.2$ traceroute liveupdate.upgrade-pro.org

traceroute to liveupdate.upgrade-pro.org (62.210.93.163), 64 hops max, 52 byte packets

1 10.0.1.1 (10.0.1.1) 4.267 ms 1.139 ms 1.886 ms

2 cpe-50-113-48-1.hawaii.res.rr.com (50.113.48.1) 27.453 ms 23.238 ms 10.457 ms

3 24.25.234.97 (24.25.234.97) 31.455 ms 31.439 ms 32.666 ms

4 agg29.milnhixd01r.hawaii.rr.com (72.129.45.182) 17.099 ms 20.391 ms 18.195 ms

5 agg31.lsancarc01r.socal.rr.com (72.129.45.0) 64.323 ms 63.733 ms 62.789 ms

6 bu-ether16.lsancarc0yw-bcr00.tbone.rr.com (66.109.6.102) 66.545 ms 63.616 ms 72.398 ms

7 0.ae1.pr1.lax00.tbone.rr.com (107.14.17.250) 64.161 ms

0.ae0.pr1.lax00.tbone.rr.com (107.14.17.248) 65.878 ms 69.105 ms

8 ix-24-0.tcore1.lvw-los-angeles.as6453.net (66.110.59.81) 68.727 ms 69.074 ms 67.782 ms

9 if-3-2.tcore1.pdi-palo-alto.as6453.net (66.198.127.25) 306.654 ms 239.873 ms 305.031 ms

10 if-1-2.tcore1.nyy-new-york.as6453.net (66.198.127.6) 306.852 ms * *

11 if-3-2.thar1.njy-newark.as6453.net (66.198.70.21) 229.511 ms 532.619 ms *

12 if-4-2.tcore1.l78-london.as6453.net (80.231.130.33) 524.233 ms 476.479 ms

if-7-2.tcore1.l78-london.as6453.net (66.198.70.26) 290.903 ms

13 if-3-6.tcore1.pye-paris.as6453.net (80.231.130.86) 482.792 ms * *

14 * * *

15 if-34-2.thar1.vi8-vitry-sur-seine.as6453.net (80.231.153.58) 329.678 ms * *

16 5.23.24.6 (5.23.24.6) 280.537 ms 306.226 ms 310.611 ms

17 * * *

18 62-210-93-163.rev.poneytelecom.eu (62.210.93.163) 343.930 ms 310.188 ms 331.720 ms

bash-3.2$

MacBook Pro with Retina display, OS X Yosemite (10.10.4), 500G Flash Drive 8Gig memory

Posted on Aug 29, 2015 8:53 PM

Reply

Answer 1

Best reply

ckuan

Level 10

120,686 points

Aug 29, 2015 9:01 PM in response to John Zwiebel

The site \is compromised.

If you need Adobe Flash player, go to Adobe.com directly.

or on your Mac  > System Preferences.. > Flash Player > check for updates there.

If restarting Safari you're still getting the popups. try restarting with the Shift key pressed.

Reply

Answer 2

Klaus1

Level 9

52,749 points

Aug 30, 2015 6:50 AM in response to John Zwiebel

Flash Player should ONLY be installed from Adobe’s website.

You can check here what version of Flash player you actually have installed: http://kb2.adobe.com/cps/155/tn_15507.html

You can check here: http://www.adobe.com/products/flash/about/ to see which version you should install for your Mac and OS. You should first uninstall any previous version of Flash Player, using the uninstaller from here (make sure you use the correct one!):

http://kb2.adobe.com/cps/909/cpsid_90906.html

and also that you follow the instructions closely, such as closing ALL applications (including Safari) first before installing. It is highly recommended that you carry out a permission repair after installing anything from Adobe.

After installing, reboot your Mac and relaunch Safari, then in Safari Preferences/Security enable ‘Allow Plugins’. If you are running 10.6.8 or later:

When you have installed the latest version of Flash, relaunch Safari and test.

If you're getting a "blocked plug-in" error, then in System Preferences… ▹ Flash Player ▹ Advanced

click Check Now. Quit and relaunch your browser. More advice here:

http://www.macworld.co.uk/how-to/mac-software/unblock-safari-plug-ins-on-mac-360 8065/

Facebook dropping all but the very latest version of Flash:

http://www.theguardian.com/technology/2015/jul/14/facebook-end-adobe-flash-firef ox-blocks-hacking

Reply

Answer 3

John Zwiebel Author

Level 1

78 points

Aug 30, 2015 1:47 PM in response to ckuan

Thank you for your reply. See my reply to Klause

Reply

Answer 4

John Zwiebel Author

Level 1

78 points

Aug 30, 2015 2:03 PM in response to Klaus1

Thank You Klaus 1:

Unfortunately the information you've provided is not useful. I do only download Flash from the Adobe site. I did uninstall the version I had (which I recall was version 18, whatever, it was the latest version.) I have not ever seen a "blocked plugin" message.

I recall that I put two more posts on this thread which provided some additional information. They are not here.

I had removed Flash completely following the Adobe instructions which included manually deleting several files.

I then rebooted the machine and went back to the wunderground web pages. The malware message showed up again anyway.

My computer has been off-line now for about 12 hours and I've moved from Hawaii to Fiji. When I access the wunderground web sit now, I am NOT seeing the malware error message.

IMHO the error had nothing to do with my computer, but was a hack on the CDN (content delivery networks) that were suppose to have the correct Adobe flash to download. Like Herman Cain, "I have no facts to back this up", but it is the only thing that makes sense to me at this point since the error is no longer happening.

I have yet not found it necessary to place Flash back on my computer. I'll leave it off until something else comes up.

Thanks again for your help.

Reply