Slashdot Mirror


Click-Fraud Trojan Politely Updates Flash On Compromised Computers

jfruh writes: Kovter is in many ways a typical click-fraud trojan: it hijacks the user's browser process to create false clicks on banner ads, defrauding advertisers and ad networks. But one aspect of it is unusual: it updates the victim's installation of Flash to the most recent version, ensuring that similar malware can't get in.

66 comments

  1. Cowbird defense by turkeydance · · Score: 1

    Google it.

    1. Re:Cowbird defense by gstoddart · · Score: 4, Interesting

      Bah, tinfoil hat defense ... uninstall Flash on the premise it's full of security holes and is a waste of time.

      It always has been.

      I don't trust most sites to set cookies or run JavaScript ... run Flash?

      No fucking way.

      --
      Lost at C:>. Found at C.
  2. Alternate reason? by ArcadeMan · · Score: 4, Insightful

    But one aspect of it is unusual: it updates the victim's installation of Flash to the most recent version, ensuring that similar malware can't get in.

    Or maybe it just wants to make sure that all ads are shown so that it can click on them.

    1. Re:Alternate reason? by meerling · · Score: 3, Funny

      It's just protecting its turf.
      "This here's my #$&^!, you all go find a different one!" :P

    2. Re:Alternate reason? by Translation+Error · · Score: 1

      Didn't you read the summary? It's doing that politely.

      --
      When someone says, "Any fool can see ..." they're usually exactly right.
  3. Net positive? by Krishnoid · · Score: 4, Interesting

    Not just "similar" malware, but anything that has a patched-to-date Flash infection vector. It might actually slow the spread of malware, while decreasing its own ability to spread, at least by that mechanism. And finally, when it's found and purged, the infected systems are somewhat more secure.

    Not saying this is a good idea, but it seems that if it spread enough, it could decrease infectable targets in the short-term, maybe drastically?

    1. Re:Net positive? by Anonymous Coward · · Score: 2, Interesting

      There used to be a virus that patched broken IIS servers back in the '90s and early 2000s. One more for the road?

    2. Re:Net positive? by techno-vampire · · Score: 3, Informative

      No, it has no effect on its own ability to spread, because it only updates Flash on machines it's already infected.

      --
      Good, inexpensive web hosting
    3. Re:Net positive? by Anonymous Coward · · Score: 0

      A net positive would be uninstalling Flash completely.

    4. Re:Net positive? by amicusNYCL · · Score: 1

      It would definitely be a net positive if they manage to update it in the background. Right now my update process goes something like this:

      A small popup indicating that Flash needs to be updated.
      Click to update.
      Web browser opens to whatever page on adobe.com.
      Download installer.
      Save and run.
      Installer runs, tells me to close my browser that the updater just opened to download the file.
      Flash will now not nag me for another 2 days or so.

      If they manage that in the background like a normal sane update process in 2015 then maybe Adobe needs to hire them.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    5. Re:Net positive? by omfgnosis · · Score: 1

      As annoying as the update process is, the annoyance isn't even the worst part. Adobe is still training users to use poor judgment in installing software. The process you described, at least on my Mac, has an additional step you didn't mention: enter admin password. Nothing is stopping malware from using the same process, which is exactly what a lot of malware does. It's very difficult for users to tell the difference.

      My process for updating Flash is even more annoying, in an effort to try to avoid lookalikes:

      1. See popup
      2. Dismiss it
      3. Go to Flash in System Preferences, check for updates there
      4. Click to update
      5. Browser page opens
      6. Download installer (it actually does this automatically)
      7. Verify that it's actually coming from an *.adobe.com page
      8. Run installer
      9. Check "Notify me to install updates" because every single update auto-checks "Allow Adobe to install updates (recommended)"
      10. Quit browsers
      11. Start installation, entering admin password
      12. Flash will now not nag me for another 2 days or so

      There was a time when Adobe wasn't code signing the damn package, too. That was nerve-wracking.

    6. Re:Net positive? by __aabppq7737 · · Score: 1

      Conficker in 2008 was similar, but spread via RPC ports without user intervention.

    7. Re:Net positive? by KGIII · · Score: 1

      I seem to recall that it could be sent out with a -s or /s (silent) switch which was useful for enterprises. This was, of course, some time ago but they may still have the same process. Basically it was a run command that ran the installer with the switch as I recall. It can also be done with MSI packaging. Adobe offers such through their enterprise portal, or did when I was last interested in such things.

      --
      "So long and thanks for all the fish."
  4. Secure Flash? by Anonymous Coward · · Score: 3, Insightful

    Isn't "secure Flash" an oxymoron? Is there a "secure" version of Flash? Isn't that why we are migrating to HTML5 instead?

    1. Re:Secure Flash? by TWX · · Score: 2

      If the HTML5 implementations were conceived of as quickly as Flash exploded, my guess is that they're no more secure. The only difference is that people haven't started exploiting all of the bugs yet.

      --
      Do not look into laser with remaining eye.
    2. Re:Secure Flash? by Anonymous Coward · · Score: 2, Insightful

      Sure, but there is only one supplier of Flash, who doesn't bother fixing the bugs. It is closed-source, so you can't even volunteer to help.

      But HTML5 is not software, it is a spec. If you don't like, say, Microsoft's implementation, then you are free to roll your own or install some competing product. All browser vendors have their own HTML5 - pick a good one.

    3. Re:Secure Flash? by __aabppq7737 · · Score: 1

      We call that the version of Flash that came with Windows 8
      oh, wait..

  5. Canadian! by Anonymous Coward · · Score: 5, Funny

    It's fucking Canadian malware!

    1. Re:Canadian! by Anonymous Coward · · Score: 1

      Sorry about that.

  6. They could be the next adobe! by Anonymous Coward · · Score: 0

      Because every goddamn time I try to update Flash it fails.

  7. Mixed Feelings by Anonymous Coward · · Score: 3, Interesting

    I'm not sure how to feel about this. On the one hand, yes, trojans are bad. But on the other hand, anything that negatively impacts advertisers can't be all that bad.

    1. Re:Mixed Feelings by roman_mir · · Score: 1, Insightful

      Let's kill all advertising so that you will not be able to find any new products or services and no company could find a client who didn't know the company directly somehow. Wouldn't it be great, not to know about anything people are trying to create for you?

    2. Re:Mixed Feelings by g01d4 · · Score: 1

      Let's kill all advertising

      Not all ads are equal. TFS has the trojan targeting banner ads which "many web surfers regard ... as highly annoying" and are commonly blocked by popular browser add-ons.

    3. Re:Mixed Feelings by Anonymous Coward · · Score: 2, Interesting

      "Let's kill all advertising ..."
      I have no problem with this. If it means going back to pre-1995 Internet content, but with the modern tech that we have now, I have no problem with that either.
      It's really irritating that the Ad Men think that the World revolves around them, and their various deceitful schemes. It doesn't.
      I bought my first house, my first yacht, and my first Ferrari, all without the distraction of Internet advertising. The same goes for my first computer, my first test equipment, and my first girlfriend.
      Yes, I did buy a Powerbook G4 off of the Apple website once, but I already knew all about it- we used a _lot_ of them at work, and I got a discount.

      "Wouldn't it be great, not to know about anything people are trying to create for you?"
      Yes, it would. If it's any good, I'll find out about it eventually. I'm a Divvy.
      I don't give a damn about something stupid that "...people are trying to create..." for me. I don't care to spend the time researching _anything_ that is "Market Driven".

    4. Re:Mixed Feelings by ArcadeMan · · Score: 4, Informative

      A lightweight static image with a link to the product page? Sure.

      A multiple-files-download, drag-down-my-CPU dynamic HTML5 ad? Fuck you.
      An auto-playing video ad? Fuck you too.

    5. Re: Mixed Feelings by Anonymous Coward · · Score: 0

      I agree. It would be great not to know about anything that people are trying to sell to me (or sell me on).

    6. Re:Mixed Feelings by Anonymous Coward · · Score: 2, Interesting

      I bought my first house, my first yacht, and my first Ferrari, all without the distraction of Internet advertising. The same goes for my first computer, my first test equipment, and my first girlfriend.

      Your first girlfriend's low cut blouse was an advertisement.

      The problem with ads online isn't the fact that they exist vs. not existing. It is the pervasiveness, literal bombardment and danger of them.

      An analogy would be a girl wearing a low cut blouse - this says "hey, look at me - I'm on the market." That (non intrusive, 'just there but not engineered specifically to generate unconscious clicks') is fine.

      This is far different than millions of women (ads), statistically likely to fuck you over, shoving their uncovered boobs in your face like it or not saying "fuck me - I want you.", legally justified in saying that because you walked into the bar where said exposed boobs are present and that it was you that made the first and forcible move (by visiting a given site), then making the argument that you raped them (clicked on) when you have a problem because you ended up with an STD (virus/trojan/other).

      Women are used only as an analogy to continue the OP's point.

      I think there is a point where TOS and user responsibility isn't valid when it contradicts the very instinctual human behavior being counted on by the website (ie - 'bar' or other 'social establishment'). Especially when the average user is like a naive virgin that does want to get laid but is being taken advantage of because they don't understand the cost/benefit ratio.

      Bottom line: internet advertising needs to clean up its own shop. If it is to be trusted, THEY need to POLICE their own. If they don't, then they are harming themselves. They have no responsibility of course but it is in their own best interest to help weed out bad actors. If they don't then all actors are assumed to be suspect.

    7. Re:Mixed Feelings by deesine · · Score: 1

      So...you don't like actors.

      --
      damaged by dogma
    8. Re:Mixed Feelings by Anonymous Coward · · Score: 0

      Let's kill all advertising so that you will not be able to find any new products or services and no company could find a client who didn't know the company directly somehow. Wouldn't it be great, not to know about anything people are trying to create for you?

      What a wonderful world that would be. As always people like you "accidentally" conflate classified advertising (including "surprise me" categories) and unsolicited advertising. The world would be a much better place without unsolicited advertising; almost always an attempt to get people to overpay. Good products sell themselves by word of mouth and don't need unsolicited advertising. "Me too" products not so much.

    9. Re:Mixed Feelings by Anonymous Coward · · Score: 0

      Let's kill all advertising so that you will not be able to find any new products or services and no company could find a client who didn't know the company directly somehow. Wouldn't it be great, not to know about anything people are trying to create for you?

      Yes, it would be great never being told what people are trying to create & peddle. They can advertise inside of their shops. On the internet, they can advertise inside their own webshops. When I think I need a new camera - I don't rely on "ads I have seen". I visit camera shops and review sites. I google for "compact camera" or "view camera" depending on my need. I search for the cameras, they don't search for me. And eventually I buy something. And usually not something by the biggest brands. When someone has the biggest advertising power, they don't have to try so hard to make good products. This shopping strategy has served me well - I never had to put up with "windows problems" such as viruses, for example.

      Yes. Let's kill external advertising. Let's do this. Outlaw it tomorrow. The internet ads, the TV commercials, the billboards.

      Instead, we could explicitly allow this thing called "click fraud". Let's destroy that market by abusing the technology it uses. "Spam" is annoying "free advertising". And "Click fraud" is an answer - transmitting those fake clicks costs no more than sending spam. And it disadvantages exactly the kind of people who might ultimately profit from spam. Heck, you may even be able to make some money on "click fraud" - without bothering consumers at all!

    10. Re:Mixed Feelings by jafiwam · · Score: 1

      I'm not sure how to feel about this. On the one hand, yes, trojans are bad. But on the other hand, anything that negatively impacts advertisers can't be all that bad.

      My first thought was "yeah, I wonder if I can get this in a non-malicious form to fuck advertisers while suppressing those ads visually"

      Whatever happens with the internet next, it'll be much better off with click farm, click bait, advertisements all over and all that.

      For you naysayers, look what happened to Slashdot when it got corporatized. Ok, Fark, Reddit, Image Shack, Usenet, etc. etc.

    11. Re: Mixed Feelings by Anonymous Coward · · Score: 0

      Exactly. Without ads how would civilization progress?
      Fucking moron

    12. Re:Mixed Feelings by Jawnn · · Score: 1

      Let's kill all advertising so that you will not be able to find any new products or services and no company could find a client who didn't know the company directly somehow. Wouldn't it be great, not to know about anything people are trying to create for you?

      No. What would be great, really great, would be if advertising and marketing shitheads would stop insisting on using broken technology to animate their ads. For every Flash ad out there there is at least one engineer who has said, or tried to say, something like "We should build this on something proper..."

    13. Re: Mixed Feelings by Anonymous Coward · · Score: 0

      Ok, but can you make the same point using a car analogy?

    14. Re:Mixed Feelings by Anonymous Coward · · Score: 0

      "Your first girlfriend's low cut blouse was an advertisement."
      Without the benefit of dating sites, or "Christian Dating", or any of that other Internet crap, I met my first girlfriend over, wait for it... a _Typewriter_.
      (This was about four years before that first Ferrari. Twenty year old Ferraris were actually cheap back then; about the same price as a new Oldsmobile.)
      I was writing a short story, just for fun, on a typewriter, which is something that I do not recommend, because cut and paste back then involved sharp objects and sticky fingers.
      My Sister's best friend dropped by looking for her, gazed over my shoulder, and during a pause, leaned over and completed a sentence that I was having trouble with. That was some decades ago, and of course it didn't last, but she still sends me a Birthday card every year.
      (BTW- white muslin peasant blouse up to the neck, with little red and blue flowers embroidered on it.)
      I'm sure that there are some dreary Internet equivalents these days, but please don't mention them.

      "Bottom line: internet advertising needs to clean up its own shop. If it is to be trusted, THEY need to POLICE their own."
      This is very true, but not likely to happen, until they can admit to themselves that they are slime mold.
      There needs to be a Professional Association for those with Degrees, and Unions for Code Monkeys. There needs to be Codes of Conduct. There needs to be beefed-up Government oversight, and some Jail time, and probably more than a few unofficial "Hits".
      Until Advertising gains some measure of Self-Respect, and Self Control, all of them are guilty by Association with the very worst of the lot, (See shills like roman_mir...), and until the Industry publicly admits this, as a start, there will be no changes.

  8. In soviet russia.. by coffecup · · Score: 1

    .. I'm sure there is one of these jokes in here..

  9. The real question by Anonymous Coward · · Score: 0

    The real question is if it installs the McAfee, and if it doesn't, can anybody point me to where I can get infected?

    1. Re:The real question by TheRealQuestor · · Score: 2

      The real question is if it installs the McAfee, and if it doesn't, can anybody point me to where I can get infected?

      There is no McAfee anymore. Intel bought them a while back and now they are re-branded Intel Security.
      http://www.mcafee.com/us/about...

    2. Re: The real question by Anonymous Coward · · Score: 0

      I always despised McAfee's bloatware and its 'subscription' business model. Any crap MS buys is still just that. Fuck Skype too.

    3. Re: The real question by KGIII · · Score: 1

      What has Microsoft got to do with this? Reading comprehension skills - one of us is missing them.

      --
      "So long and thanks for all the fish."
  10. Fraud? by Anonymous Coward · · Score: 0

    It's a breach of someone's terms of service maybe, but not fraud.

  11. Yes, but... by Anonymous Coward · · Score: 0

    I want to give them credit, but isn't Flash itself malware in this day and age?

  12. Click-Fake! by Anonymous Coward · · Score: 0

    This is not fraud. Nothing of value is lost. It's a fake click. That is all. Bits in action. If you can't tell the difference, then you're the John Schmuck in this. Clicks aren't fraud. Clicks aren't even fake. They are as they are.

    Except this headline. It's bait for a click. And it won! Yay!

  13. JailBreakMe.com by tlambert · · Score: 4, Interesting

    JailBreakMe.com did a similar thing on iPhones: patched the TIFF library exploit that it used to get on the phones in the first place, making it impossible to re-exploit.

    I did the same thing with the Commodore Amiga in 1985, modifying a boot virus to include a payload that would patch the MOVE from processor SR. This let me install a 68010, which let me run SVR3 on the thing, without breaking a lot of popular software like Magic Sack and Transformer, both of which used the privileged version of the instruction for no good reason.

  14. Politely? by Nemyst · · Score: 4, Funny

    The trojan "politely" updates Flash? How would you do that "impolitely", exactly, by flashing a bunch of obscenities while updating Flash in the background?

    1. Re:Politely? by Anonymous Coward · · Score: 0

      "Politely" as in, it does not ask you if you want it but goes ahead and installs it anyway.

    2. Re:Politely? by Anonymous Coward · · Score: 0

      "Politely" as in, it does not ask you if you want it but goes ahead and installs it anyway.

      Oh. HAHAHAHAHA so this is a Windows problem again? another Windows problem. again.

      I know the article isn't implying you can click a link while using Firefox on Linux and it executes rpm -Uvh flash-plugin-11.2.202.468-release.x86_64.rpm

      This is a Windows issue, is it not? distrowatch.com solves these problems immediately.

      I suggest migrating to Linux as soon as possible. Multi-boot it at the very least. Costs nothing, gives you every IT feature on Earth with modern protocols and standards.

      Windows is for games only on any desktop.

      Could have just put an article "Windows sucks" then first post "not for me, I use Linux". No more comments required. Flash is fine on Linux. Flash is garbage on Mac. Flash has always been vulnerable in Windows because Windows is a giant security risk. How can you have operating system security when "some other company" won't let you see the source code?

      as you were.

    3. Re:Politely? by Anonymous Coward · · Score: 0

      Well, that's how I usually update Flash.

    4. Re:Politely? by AmiMoJo · · Score: 1

      How would you do that "impolitely", exactly, by flashing a bunch of obscenities while updating Flash in the background?

      I take it you haven't tried the Adobe installer lately.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Politely? by Calydor · · Score: 1

      Impolitely is the standard way, because you can't just update it - you have to go to get.adobe.com, remember to turn OFF downloading McAfee Security Scan, download the installer, run the installer, wait for the download and install, turn off your browser, then lose the "Restore last session" feature in Firefox (and probably others) because it 'tests' Flash by opening Adobe.com again.

      So yeah, a background update by malware seems very polite.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    6. Re: Politely? by Anonymous Coward · · Score: 0

      Fuck you faggot. Flash version 17something is the extended release edition. The constant pestering bs nonsense updates the 'current' version gets is in my opinion clickbait itself. It is what it is. The fact you are even aware of windows makes you just one more user. It does not imply you are some fucking expert on dick.

      lol wow honey pumpkins you are going to have a heart attack. relax sweetie. If your IQ isn't double digit I will eat 2 fucking hats.

      Nothing to address here, let me just show random passersby the facts.
      https://get.adobe.com/flashplayer/otherversions/

      All right stop, Collaborate and listen
      Ice is back with my brand new invention
      Something grabs a hold of me tightly
      Flow like a harpoon daily and nightly
      Will it ever stop? Yo, I don't know
      Turn off the lights and I'll glow
      To the extreme I rock a mic like a vandal
      Light up a stage and wax a chump like a candle.

      Windows gives you noob ways to update Flash, and that's how you get your next noob virus via noob security vulnerability. Windows = noob. With Linux you will not have this problem. Well, except you in particular above. You will probably be the first one to get rooted ever by Linux Flash Player updates. Make sure you are logged in as root when you go searching for this vulnerability, idiot. You will have to intend to get rooted, dickhead.

      https://www.adobe.com/software/flash/about/

      Platform   Browser                                                   Player version
      Windows    Internet Explorer - ActiveX                               18.0.0.194
      Windows    Internet Explorer (Windows 8.x) - ActiveX                 18.0.0.194
      Windows    Firefox, Mozilla - NPAPI                                  18.0.0.194
      Windows    Chrome (embedded), Opera, Chromium-based browsers - PPAPI 18.0.0.194
      Macintosh  OS X Firefox, Safari - NPAPI                              18.0.0.194
      Macintosh  Chrome (embedded) - PPAPI                                 18.0.0.194
      Macintosh  Opera, Chromium-based browsers - PPAPI                    18.0.0.194
      Linux      Mozilla, Firefox - NPAPI (Extended Support Release)       11.2.202.468
      Linux      Chrome (embedded), Chromium-based browsers - PPAPI        18.0.0.194
      Solaris    Flash Player 11.2.202.223 is the last supported Flash Player version for Solaris.

      Somebody modded you -1, that means don't breed even if you could.

  15. Do you mean, like here? by Anonymous Coward · · Score: 0

    Several times I've had new browser windows open from just viewing the list of new topics. Click fraud is rampant here on the /. beta.

    1. Re:Do you mean, like here? by Anonymous Coward · · Score: 0

      Are you talking about The Home Depot ads? The click fraud here is amazing. I've never clicked on one of their ads, but several times I've had /. open a new browser window.

    2. Re:Do you mean, like here? by Anonymous Coward · · Score: 0

      Mac, Adblock, No Flash here.
      What Home Depot ads?
      I get to enjoy Slashdot Beta in all of its....

      Oh...

  16. how is this unusual? by bloodhawk · · Score: 2

    How is this unusual behaviour? Perhaps the author needs to get out more. This has been a well used approach by various hacking groups and malware for a long time to maintain exclusivity to compromised machines.

  17. This is not news! by Demonoid-Penguin · · Score: 4, Insightful

    It could have been news - if you told us what novel exploit it used, who benefited, and how. That would have been news - and interesting.
    But no - you had to put lipstick on a pig and try and flog the wedding night videos.

    Malware has been doing the same thing for a long time - closing the weaknesses it used for access. The only thing that sounds new is the "reporting" slant. Politely. WTF - does it say "excuse me"? [sigh]

    Samzenpuss - stop posting this shit please. (see that's polite).

    jfruh - stop submitting this click-bait slanted crap, please. e.g. "Japanese And U.S. Piloted Robots To Brawl For National Pride". All you had to do was say "fighting robots" and more people would have read the story - no need for the Fox News histrionics. Stop acting like a whipped dog trying to get your "stories" published. You just embarrass yourself.

    Thanks for lowering the standard.

    1. Re:This is not news! by Lodlaiden · · Score: 1

      you had me at "fighting robots". (no mod points today)

      --
      Suborbital [spaceflight] is the special olympics of spaceflight. - Rei
  18. Honestly I don't know why white hats haven't done by Anonymous Coward · · Score: 0

    Honestly I don't know why white hats haven't done something similar. Create a virus that downloads security updates automatically securing machines without the user knowing.

    This one does it because multiple malwares start to slow the computer to a crawl, forcing the user to get it fixed, whereas having a single one may be below the annoyance level of taking the computer to a shop/asking your computer guy relative to fix your computer again.

  19. Not exactly new. by bob_jordan · · Score: 1

    Many countries work on the same principle. The first wave of immigrants to get established change the rules to stop more immigrants coming in.

    Bob.

    1. Re:Not exactly new. by Anonymous Coward · · Score: 0

      That's pretty much my understanding of the United States. It's not the Native Americans screaming for immigration reform ...

  20. Viral Vaccines by Anonymous Coward · · Score: 0

    Wouldn't one way around the botnet issue be to infect vulnerable PCs, patch it, and then distribute it?

    Of course a nastier but more effective way would be to put in a "time bomb" to delete every driver that allows for network access. Which is still nicer than bricking or wiping them.

  21. That isn't malware... by shaitand · · Score: 1

    Malware disrupts your machine or does something negative. Just because it wasn't invited doesn't make it malware. From the sound of it everything this does is positive.

  22. Simple reason by allo · · Score: 1

    Current browsers activate click-to-play for insecure Flash versions. This prevents auto-clicking. So the trojan horse* needs a recent Flash.

    * It's the Trojan horse! The Trojans were in the city, the Greeks were in the horse, trying to get into Troy!
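The click-to-play point in comment 22 and the per-platform version list quoted in comment 14.6 together decide whether an install counts as outdated, and "newest" is per plugin channel, not one global number (the Linux NPAPI build is an Extended Support Release numbered below the 18.x builds). The following is an added example, not code from the page or from Adobe: it audits a constructed inventory against the release table transcribed from the thread; the host names and installed versions are constructed.

```python
"""Flag Flash Player installs older than the current release for their
platform/plugin channel, the condition under which browsers in this
thread's timeframe switch the plugin to click-to-play.

Added example; not code from the original page or from Adobe. The
CURRENT_RELEASES table is transcribed from the adobe.com version list
quoted in the thread; SAMPLE_INVENTORY is constructed.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# (platform, plugin) -> newest release for that channel, from the quoted table.
# The Linux NPAPI build is an Extended Support Release whose number is lower
# than the 18.x builds, so "newest" must be looked up per channel.
CURRENT_RELEASES: Dict[Tuple[str, str], str] = {
    ("windows", "activex"): "18.0.0.194",
    ("windows", "npapi"): "18.0.0.194",
    ("windows", "ppapi"): "18.0.0.194",
    ("macos", "npapi"): "18.0.0.194",
    ("macos", "ppapi"): "18.0.0.194",
    ("linux", "npapi"): "11.2.202.468",
    ("linux", "ppapi"): "18.0.0.194",
    ("solaris", "npapi"): "11.2.202.223",  # last supported build for Solaris
}


def parse_version(text: str) -> Version:
    """Turn '18.0.0.194' into (18, 0, 0, 194); missing trailing fields become 0."""
    parts = [p.strip() for p in text.strip().split(".")]
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed Flash version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(platform: str, plugin: str, installed: str) -> str:
    """Return 'current', 'outdated' or 'unknown-channel' for one install."""
    latest = CURRENT_RELEASES.get((platform.lower(), plugin.lower()))
    if latest is None:
        return "unknown-channel"
    return "current" if parse_version(installed) >= parse_version(latest) else "outdated"


def audit(inventory_lines: List[str]) -> List[Tuple[str, str]]:
    """Parse 'host,platform,plugin,version' lines and return (host, verdict)
    for every install that is not current, so those hosts can be prioritised."""
    findings = []
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, platform, plugin, version = [f.strip() for f in line.split(",")]
        verdict = assess(platform, plugin, version)
        if verdict != "current":
            findings.append((host, verdict))
    return findings


# Constructed inventory: hypothetical hosts, not real systems.
SAMPLE_INVENTORY = [
    "# host,platform,plugin,version",
    "ws-01,windows,activex,18.0.0.194",
    "ws-02,windows,npapi,17.0.0.188",
    "ws-03,linux,npapi,11.2.202.468",
    "ws-04,linux,ppapi,11.2.202.468",
    "ws-05,macos,npapi,18.0.0.160",
    "ws-06,freebsd,npapi,11.2.202.468",
]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_INVENTORY):
        print(f"{host}: {verdict}")
```

Note that ws-03 and ws-04 carry the same version string but get opposite verdicts, because the Linux NPAPI channel is current at 11.2.202.468 while the PPAPI channel is not.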