Slashdot Mirror

← Back to Stories (view on slashdot.org)

Click-Fraud Trojan Politely Updates Flash On Compromised Computers

Posted by samzenpus on from the how-kind dept.

jfruh writes: Kotver is in many ways a typical clickfraud trojan: it hijacks the user's browser process to create false clicks on banner ads, defrauding advertisers and ad networks. But one aspect of it is unusual: it updates the victim's installation of Flash to the most recent version, ensuring that similar malware can't get in.

42 of 66 comments (clear)

  1. Cowbird defense by turkeydance · · Score: 1

    Google it.

    1. Re:Cowbird defense by gstoddart · · Score: 4, Interesting

      Bah, tinfoil hat defense ... uninstall Flash on the premise it's full of security holes and is waste of time.

      It always has been.

      I don't trust most sites to set cookies or run Javascript ... run Flash?

      No fucking way.

      --
      Lost at C:>. Found at C.
  2. Alternate reason? by ArcadeMan · · Score: 4, Insightful

    But one aspect of it is unusual: it updates the victim's installation of Flash to the most recent version, ensuring that similar malware can't get in.

    Or maybe it just wants to make sure that all ads are shown so that it can click on them.

    --
    Get free satoshi (Bitcoin) and Dogecoins
    1. Re:Alternate reason? by meerling · · Score: 3, Funny

      It's just protecting it's turf.
      "This here's my #$&^!, you all go find a different one!" :P

    2. Re:Alternate reason? by ArcadeMan · · Score: 1

      https://www.youtube.com/watch?...

      --
      Get free satoshi (Bitcoin) and Dogecoins
    3. Re:Alternate reason? by Translation+Error · · Score: 1

      Didn't you read the summary? It's doing that politely.

      --
      When someone says, "Any fool can see ..." they're usually exactly right.
  3. Net positive? by Krishnoid · · Score: 4, Interesting

    Not just "similar" malware, but anything that has a patched-to-date Flash infection vector. It might actually slow the spread of malware, while decreasing its own ability to spread, at least by that mechanism. And finally, when it's found and purged, the infected systems are somewhat more secure.

    Not saying this is a good idea, but it seems that if it spread enough, it could decrease infectable targets in the short-term, maybe drastically?

    1. Re:Net positive? by Anonymous Coward · · Score: 2, Interesting

      There used to be a virus that patched broken IIS servers back in 90s and early 2000. One more for the road?

    2. Re:Net positive? by techno-vampire · · Score: 3, Informative

      No, it has no effect on its own ability to spread, because it only updates Flash on machines it's already infected.

      --
      Good, inexpensive web hosting
    3. Re:Net positive? by amicusNYCL · · Score: 1

      I would definitely be a net positive if they manage to update it in the background. Right now my update process goes something like this:

      A small popup indicating that Flash needs to be updated.
      Click to update.
      Web browser opens to whatever page on adobe.com.
      Download installer.
      Save and run.
      Installer runs, tells me to close my browser that the updater just opened to download the file.
      Flash will now not nag me for another 2 days or so.

      If they manage that in the background like a normal sane update process in 2015 then maybe Adobe needs to hire them.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    4. Re:Net positive? by omfgnosis · · Score: 1

      As annoying as the update process is, the annoyance isn't even the worst part. Adobe is still training users to use poor judgment in installing software. The process you described, at least on my Mac, has an additional step you didn't mention: enter admin password. Nothing is stopping malware from using the same process, which is exactly what a lot of malware does. It's very difficult for users to tell the difference.

      My process for updating Flash is even more annoying, in an effort to try to avoid lookalikes:

      1. See popup
      2. Dismiss it
      3. Go to Flash in System Preferences, check for updates there
      4. Click to update
      5. Browser page opens
      6. Download installer (it actually does this automatically)
      7. Verify that it's actually coming from an *.adobe.com page
      8. Run installer
      9. Check "Notify me to install updates" because every single update auto-checks "Allow Adobe to install updates (recommended)"
      10. Quit browsers
      11. Start installation, entering admin password
      12. Flash will now not nag me for another 2 days or so

      There was a time when Adobe wasn't code signing the damn package, too. That was nerve wracking.

    5. Re:Net positive? by __aabppq7737 · · Score: 1

      conficker in 2008 was similar, but spread via RPC ports w/out user intervention

    6. Re:Net positive? by KGIII · · Score: 1

      I seem to recall that it could be sent out with a -s or /s (silent) switch which was useful for enterprises. This was, of course, some time ago but they may still have the same process. Basically it was a run command that ran the installer with the switch as I recall. It can also be done with MSI packaging. Adobe offers such through their enterprise portal, or did when I was last interested in such things.

      --
      "So long and thanks for all the fish."
  4. Secure Flash? by Anonymous Coward · · Score: 3, Insightful

    Isn't "secure Flash" an oxymoron? Is there a "secure" version of Flash? Isn't that why we are migrating to HTML5 instead?

    1. Re:Secure Flash? by TWX · · Score: 2

      If the HTML5 implementations were conceived of as quickly as Flash exploded, my guess is that they're no more secure. The only difference is that people haven't started exploiting all of the bugs yet.

      --
      Do not look into laser with remaining eye.
    2. Re:Secure Flash? by Anonymous Coward · · Score: 2, Insightful

      Sure, but there is only one supplier of flash, who doesn't bother fixing the bugs. It is closed-source, so you can't even volunteer to help.

      But HTML5 is not software, it is a spec. If you don't like, say, microsofts implementation, then you are free to roll your own or install some competing product. All browser vendors have their own html5 - pick a good one.

    3. Re:Secure Flash? by __aabppq7737 · · Score: 1

      We call that the version of flash that came with windows 8
      oh, wait..

  5. Canadian! by Anonymous Coward · · Score: 5, Funny

    It's fucking Canadian malware!

    1. Re:Canadian! by Anonymous Coward · · Score: 1

      Sorry about that.

  6. Mixed Feelings by Anonymous Coward · · Score: 3, Interesting

    I'm not sure how to feel about this. On the one hand, yes, trojans are bad. But on the other hand, anything that negatively impacts advertisers can't be all that bad.

    1. Re:Mixed Feelings by roman_mir · · Score: 1, Insightful

      Let's kill all advertising so that you will not be able to find any new products or services and no company could find a client who didn't know the company directly somehow. Wouldn't it be great, not to know about anything people are trying to create for you?

      --
      You can't handle the truth.
    2. Re:Mixed Feelings by g01d4 · · Score: 1

      Let's kill all advertising

      Not all ads are equal. TFS has the trojan targeting banner ads which "many web surfers regard ... as highly annoying" and are commonly blocked by popular browser add-ons.

    3. Re:Mixed Feelings by Anonymous Coward · · Score: 2, Interesting

      "Let's kill all advertising ..."
      I have no problem with this. If it means going back to pre-1995 Internet content, but with the modern tech that we have now, I have no problem with that either.
      It's really irritating that the Ad Men think that the World revolves around them, and their various deceitful schemes. It doesn't.
      I bought my first house, my first yacht, and my first Ferrari, all without the distraction of Internet advertising. The same goes for my first computer, my first test equipment, and my first girlfriend.
      Yes, I did buy a Powerbook G4 off of the Apple website once, but I already knew all about it- we used a _lot_ of them at work, and I got a discount.

      "Wouldn't it be great, not to know about anything people are trying to create for you?"
      Yes, it would. If it's any good, I'll find out about it eventually. I'm a Divvy.
      I don't give a damn about something stupid that "...people are trying to create..." for me. I don't care to spend the time researching _anything_ that is "Market Driven".

    4. Re:Mixed Feelings by ArcadeMan · · Score: 4, Informative

      A lightweight static image with a link to the product page? Sure.

      A multiple-files-download, drag-down-my-CPU dynamic HTML5 ad? Fuck you.
      An auto-playing video ad? Fuck you too.

      --
      Get free satoshi (Bitcoin) and Dogecoins
    5. Re:Mixed Feelings by Anonymous Coward · · Score: 2, Interesting

      I bought my first house, my first yacht, and my first Ferrari, all without the distraction of Internet advertising. The same goes for my first computer, my first test equipment, and my first girlfriend.

      Your first girlfriend's low cut blouse was an advertisement.

      The problem with ads online isn't the fact that they exist vs. not existing. It is the pervasiveness, literal bombardment and danger of them.

      An analogy would be a girl wearing a low cut blouse - this says "hey, look at me - I'm on the market." That (non intrusive, 'just there but not engineered specifically to generate unconscious clicks') is fine.

      This is far different than millions of women (ads), statistically likely to fuck you over, shoving their uncovered boobs in your face like it or not saying "fuck me - I want you.", legally justified in saying that because you walked into the bar where said exposed boobs are present and that it was you that made the first and forceable move (by visiting a given site) then making the argument that you raped them (clicked on) when you have a problem you ended up with an STD (virus/trojan/other).

      Women are used only and analogy to continue the OP's point.

      I think there is a point where TOS and user responsibility isn't valid when it contradicts the very instinctual human behavior being counted on by the website (ie - 'bar' or other 'social establishment'). Especially when the average user is like a naive virgin that does want to get laid but is being take advantage or because they don't understand the cost/benefit ratio.

      Bottom line: internet advertising needs to clean up it's own shop. If it is to be trusted, THEY need to POLICE their own. If they don't, then they are harming themselves. They have no responsibility of course but it is in their own best interest to help weed out bad actors. If they don't then all actors are assumed to be suspect.

    6. Re:Mixed Feelings by deesine · · Score: 1

      So...you don't like actors.

      --
      damaged by dogma
    7. Re:Mixed Feelings by jafiwam · · Score: 1

      I'm not sure how to feel about this. On the one hand, yes, trojans are bad. But on the other hand, anything that negatively impacts advertisers can't be all that bad.

      My first thought was "yeah, I wonder if i can get this in a non-malicious form to fuck advertisers while suppressing those ads visually"

      Whatever happens with the internet next, it'll be much better off with click farm, click bait, advertisements all over and all that.

      For you naysayers, look what happened to Slashdot when it got corporatized. Ok, Fark, Redit, Image Shack, Usenet, etc. etc.

    8. Re:Mixed Feelings by Jawnn · · Score: 1

      Let's kill all advertising so that you will not be able to find any new products or services and no company could find a client who didn't know the company directly somehow. Wouldn't it be great, not to know about anything people are trying to create for you?

      No. What we be great, really great, would be if advertising and marketing shitheads would stop insisting on using broken technology to animate their ads. For every Flash ad out there there is at least one engineer who has said, or tried to say, something like "We should build this on something proper..."

  7. In soviet russia.. by coffecup · · Score: 1

    .. I'm sure there is one of these jokes in here..

  8. JailBreakMe.com by tlambert · · Score: 4, Interesting

    JailBreakMe.com did a similar thing on iPhones: patched the tiff library exploit that it used to get on the phones in the first place, making it impossible to re-exploit.

    I did the same thing with the Commodore Amiga in 1985, modifying a boot virus to include a payload that would patch the MOVE from processor SR. This let me install a 68010, which let me run SVR3 on the thing, without breaking a lot of popular software like Magic Sack and Transformer, both of which used the privileged version of the instruction for no good reason.

  9. Politely? by Nemyst · · Score: 4, Funny

    The trojan "politely" updates Flash? How would you do that "impolitely", exactly, by flashing a bunch of obscenities while updating Flash in the background?

    1. Re:Politely? by AmiMoJo · · Score: 1

      How would you do that "impolitely", exactly, by flashing a bunch of obscenities while updating Flash in the background?

      I take it you haven't tried the Adobe installer lately.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Politely? by Calydor · · Score: 1

      Impolitely is the standard way, because you can't just update it - you have to go to get.adobe.com, remember to turn OFF downloading McAfee Security Scan, download the installer, run the installer, wait for the download and install, turn off your browser, then lose the "Restore last session" feature in Firefox (and probably others) because it 'tests' Flash by opening Adobe.com again.

      So yeah, a background update by malware seems very polite.

      --
      -=This sig has nothing to do with my comment. Move along now=-
  10. how is this unusual? by bloodhawk · · Score: 2

    how is this unusual behaviour? perhaps the author needs to get out more. this has been a well used approach by various hacking groups and malware for a long time to maintain exclusivity to compromised machines.

  11. Re:The real question by TheRealQuestor · · Score: 2

    The real question is if it installs the McAfee, and if it doesn't anybody can point me out where can I get infected?

    There is no McAfee anymore. Intel bought them a while back and now they are re-branded Intel Security.
    http://www.mcafee.com/us/about...

  12. This is not news! by Demonoid-Penguin · · Score: 4, Insightful

    It could have been news - if you told us what novel exploit it used, who benefited, and how. That would have been news - and interesting.
    But no - you had to put lipstick on a pig and try and flog the wedding night videos.

    Malware has been doing the same thing for a long time - closing the weaknesses it used for access. The only thing that sounds new is the "reporting" slant. Politely. WTF - does it say "excuse me"? [sigh]

    Samzenpuss - stop posting this shit please. (see that's polite).

    jfruh - stop submitting this click-bait slanted crap, please. e.g. "Japanese And U.S. Piloted Robots To Brawl For National Pride". All you had to do was say "fighting robots" and more people would have read the story - no need for the Fox News histrionics. Stop acting like a whipped dog trying to get your "stories" published. You just embarrass yourself.

    Thanks for lowering the standard.

    1. Re:This is not news! by Lodlaiden · · Score: 1

      you had me at "fighting robots". (no mod points today)

      --
      Suborbital [spaceflight] is the special olympics of spaceflight. - Rei
  13. Not exactly new. by bob_jordan · · Score: 1

    Many countries work on the same principle. The first wave of immigrants to get established change the rules to stop more immigrants coming in.

    Bob.

  14. That isn't malware... by shaitand · · Score: 1

    Malware disrupts your machine or does something negative. Just because it wasn't invited doesn't make it malware. From the sound of it everything this does is positive.

  15. here by __aabppq7737 · · Score: 1

    https://helpx.adobe.com/securi...

  16. Re: The real question by KGIII · · Score: 1

    What has Microsoft got to do with this? Reading comprehension skills - one of us is missing them.

    --
    "So long and thanks for all the fish."
  17. Simple reason by allo · · Score: 1

    Current browser activate click-to-play for insecure flash versions. This prevents auto-clicking. So the trojan horse* need recent flash.

    * it's the trojan horse! The trojans were in the city, the greek were in the horse, trying to get into troja!