Click-Fraud Trojan Politely Updates Flash On Compromised Computers

jfruh writes: Kotver is in many ways a typical clickfraud trojan: it hijacks the user's browser process to create false clicks on banner ads, defrauding advertisers and ad networks. But one aspect of it is unusual: it updates the victim's installation of Flash to the most recent version, ensuring that similar malware can't get in.

Cowbird defense

[turkeydance]

Google it.

Re:Cowbird defense

[gstoddart]

Bah, tinfoil hat defense ... uninstall Flash on the premise it's full of security holes and is waste of time.

It always has been.

I don't trust most sites to set cookies or run Javascript ... run Flash?

No fucking way.

Alternate reason?

[ArcadeMan]

But one aspect of it is unusual: it updates the victim's installation of Flash to the most recent version, ensuring that similar malware can't get in.

Or maybe it just wants to make sure that all ads are shown so that it can click on them.

Re:Alternate reason?

[meerling]

It's just protecting it's turf.
"This here's my #$&^!, you all go find a different one!" :P

Re:

[ArcadeMan]

https://www.youtube.com/watch?... [youtube.com]

Re:

[Translation Error]

Didn't you read the summary? It's doing that politely.

Net positive?

[Krishnoid]

Not just "similar" malware, but anything that has a patched-to-date Flash infection vector. It might actually slow the spread of malware, while decreasing its own ability to spread, at least by that mechanism. And finally, when it's found and purged, the infected systems are somewhat more secure.

Not saying this is a good idea, but it seems that if it spread enough, it could decrease infectable targets in the short-term, maybe drastically?

Re:

[Anonymous Coward]

There used to be a virus that patched broken IIS servers back in 90s and early 2000. One more for the road?

JailBreakMe.com

[tlambert]

JailBreakMe.com did a similar thing on iPhones: patched the tiff library exploit that it used to get on the phones in the first place, making it impossible to re-exploit.

I did the same thing with the Commodore Amiga in 1985, modifying a boot virus to include a payload that would patch the MOVE from processor SR. This let me install a 68010, which let me run SVR3 on the thing, without breaking a lot of popular software like Magic Sack and Transformer, both of which used the privileged version of the instruction for no good reason.

Re:

[__aabppq7737]

conficker in 2008 was similar, but spread via RPC ports w/out user intervention

Re:Net positive?

[techno-vampire]

No, it has no effect on its own ability to spread, because it only updates Flash on machines it's already infected.

Re:

[amicusNYCL]

I would definitely be a net positive if they manage to update it in the background. Right now my update process goes something like this:

A small popup indicating that Flash needs to be updated.
Click to update.
Web browser opens to whatever page on adobe.com.
Download installer.
Save and run.
Installer runs, tells me to close my browser that the updater just opened to download the file.
Flash will now not nag me for another 2 days or so.

If they manage that in the background like a normal sane update process in 2

Re:

[omfgnosis]

As annoying as the update process is, the annoyance isn't even the worst part. Adobe is still training users to use poor judgment in installing software. The process you described, at least on my Mac, has an additional step you didn't mention: enter admin password. Nothing is stopping malware from using the same process, which is exactly what a lot of malware does. It's very difficult for users to tell the difference.

My process for updating Flash is even more annoying, in an effort to try to avoid lookalike

Re:

[KGIII]

I seem to recall that it could be sent out with a -s or /s (silent) switch which was useful for enterprises. This was, of course, some time ago but they may still have the same process. Basically it was a run command that ran the installer with the switch as I recall. It can also be done with MSI packaging. Adobe offers such through their enterprise portal, or did when I was last interested in such things.

Secure Flash?

[Anonymous Coward]

Isn't "secure Flash" an oxymoron? Is there a "secure" version of Flash? Isn't that why we are migrating to HTML5 instead?

Re:

[TWX]

If the HTML5 implementations were conceived of as quickly as Flash exploded, my guess is that they're no more secure. The only difference is that people haven't started exploiting all of the bugs yet.

Re:

[Anonymous Coward]

Sure, but there is only one supplier of flash, who doesn't bother fixing the bugs. It is closed-source, so you can't even volunteer to help.

But HTML5 is not software, it is a spec. If you don't like, say, microsofts implementation, then you are free to roll your own or install some competing product. All browser vendors have their own html5 - pick a good one.

Re:

[__aabppq7737]

We call that the version of flash that came with windows 8
oh, wait..

Canadian!

[Anonymous Coward]

It's fucking Canadian malware!

Re:

[Anonymous Coward]

Sorry about that.

Mixed Feelings

[Anonymous Coward]

I'm not sure how to feel about this. On the one hand, yes, trojans are bad. But on the other hand, anything that negatively impacts advertisers can't be all that bad.

Re:

[roman_mir]

Let's kill all advertising so that you will not be able to find any new products or services and no company could find a client who didn't know the company directly somehow. Wouldn't it be great, not to know about anything people are trying to create for you?

Re:

[g01d4]

Let's kill all advertising

Not all ads are equal. TFS has the trojan targeting banner ads which "many web surfers regard ... as highly annoying" [wikipedia.org] and are commonly blocked by popular browser add-ons.

Re:

[Anonymous Coward]

"Let's kill all advertising ..."
I have no problem with this. If it means going back to pre-1995 Internet content, but with the modern tech that we have now, I have no problem with that either.
It's really irritating that the Ad Men think that the World revolves around them, and their various deceitful schemes. It doesn't.
I bought my first house, my first yacht, and my first Ferrari, all without the distraction of Internet advertising. The same goes for my first computer, my first test equipment, and my fir

Re:

[Anonymous Coward]

I bought my first house, my first yacht, and my first Ferrari, all without the distraction of Internet advertising. The same goes for my first computer, my first test equipment, and my first girlfriend.

Your first girlfriend's low cut blouse was an advertisement.

The problem with ads online isn't the fact that they exist vs. not existing. It is the pervasiveness, literal bombardment and danger of them.

An analogy would be a girl wearing a low cut blouse - this says "hey, look at me - I'm on the market." That (non intrusive, 'just there but not engineered specifically to generate unconscious clicks') is fine.

This is far different than millions of women (ads), statistically likely to fuck you over, shoving t

Re:

[deesine]

So...you don't like actors.

Re:Mixed Feelings

[ArcadeMan]

A lightweight static image with a link to the product page? Sure.

A multiple-files-download, drag-down-my-CPU dynamic HTML5 ad? Fuck you.
An auto-playing video ad? Fuck you too.

Re:

[Jawnn]

Let's kill all advertising so that you will not be able to find any new products or services and no company could find a client who didn't know the company directly somehow. Wouldn't it be great, not to know about anything people are trying to create for you?

No. What we be great, really great, would be if advertising and marketing shitheads would stop insisting on using broken technology to animate their ads. For every Flash ad out there there is at least one engineer who has said, or tried to say, something like "We should build this on something proper..."

Re:

[jafiwam]

I'm not sure how to feel about this. On the one hand, yes, trojans are bad. But on the other hand, anything that negatively impacts advertisers can't be all that bad.

My first thought was "yeah, I wonder if i can get this in a non-malicious form to fuck advertisers while suppressing those ads visually"

Whatever happens with the internet next, it'll be much better off with click farm, click bait, advertisements all over and all that.

For you naysayers, look what happened to Slashdot when it got corporatized. Ok, Fark, Redit, Image Shack, Usenet, etc. etc.

In soviet russia..

[coffecup]

.. I'm sure there is one of these jokes in here..

Re:

[TheRealQuestor]

The real question is if it installs the McAfee, and if it doesn't anybody can point me out where can I get infected?

There is no McAfee anymore. Intel bought them a while back and now they are re-branded Intel Security.
http://www.mcafee.com/us/about... [mcafee.com]

Re:

[KGIII]

What has Microsoft got to do with this? Reading comprehension skills - one of us is missing them.

Politely?

[Nemyst]

The trojan "politely" updates Flash? How would you do that "impolitely", exactly, by flashing a bunch of obscenities while updating Flash in the background?

Re:

[AmiMoJo]

How would you do that "impolitely", exactly, by flashing a bunch of obscenities while updating Flash in the background?

I take it you haven't tried the Adobe installer lately.

Re:

[Calydor]

Impolitely is the standard way, because you can't just update it - you have to go to get.adobe.com, remember to turn OFF downloading McAfee Security Scan, download the installer, run the installer, wait for the download and install, turn off your browser, then lose the "Restore last session" feature in Firefox (and probably others) because it 'tests' Flash by opening Adobe.com again.

So yeah, a background update by malware seems very polite.

how is this unusual?

[bloodhawk]

how is this unusual behaviour? perhaps the author needs to get out more. this has been a well used approach by various hacking groups and malware for a long time to maintain exclusivity to compromised machines.

This is not news!

[Demonoid-Penguin]

It could have been news - if you told us what novel exploit it used, who benefited, and how. That would have been news - and interesting.
But no - you had to put lipstick on a pig and try and flog the wedding night videos.

Malware has been doing the same thing for a long time - closing the weaknesses it used for access. The only thing that sounds new is the "reporting" slant. Politely. WTF - does it say "excuse me"? [sigh]

Samzenpuss - stop posting this shit please. (see that's polite).

jfruh - stop submitting this click-bait slanted crap, please. e.g. "Japanese And U.S. Piloted Robots To Brawl For National Pride". All you had to do was say "fighting robots" and more people would have read the story - no need for the Fox News histrionics. Stop acting like a whipped dog trying to get your "stories" published. You just embarrass yourself.

Thanks for lowering the standard.

Re:

[Lodlaiden]

you had me at "fighting robots". (no mod points today)

Not exactly new.

[bob_jordan]

Many countries work on the same principle. The first wave of immigrants to get established change the rules to stop more immigrants coming in.

Bob.

That isn't malware...

[shaitand]

Malware disrupts your machine or does something negative. Just because it wasn't invited doesn't make it malware. From the sound of it everything this does is positive.

here

[__aabppq7737]

https://helpx.adobe.com/securi... [adobe.com]

Simple reason

[allo]

Current browser activate click-to-play for insecure flash versions. This prevents auto-clicking. So the trojan horse* need recent flash.

* it's the trojan horse! The trojans were in the city, the greek were in the horse, trying to get into troja!