Fake Chrome, Adobe Flash updates

Summary: Be on the lookout for fake updates to Chrome and Adobe Flash using high-quality techniques.

This morning I stumbled across what seems to be a new malware-spreading technique: a fake update for Google Chrome and a fake "media player" update that is designed to look like it's coming from Adobe.

Both updates are digitally signed by valid VeriSign code signing certificates. This is not unprecedented, but it's highly unusual for malware authors to use an expensive provider like VeriSign. VeriSign Authentication Services are now part of Symantec.

The fake Chrome update uses a logo similar to Chrome's, but obviously distinguishable from it. The page correctly identifies the version of Chrome I was running (the current version) and then says that it "may be outdated".

[Image: the fake Chrome update page]

The file is named Chrome_Security_Plugin_Setup.exe and is 1.74MB. The file information identifies it as "Express Install" version "3, 7, 1, 0". The publisher, also identified in the VeriSign code signing certificate, is "TINY INSTALLER".

According to VirusTotal Friday morning, five out of the 48 products they work with recognized the file. Fortinet and ESET recognize it as W32/Kryptik. A Fortinet blog entry from earlier this year described a different variant of Kryptik as being focused on stealing FTP information, and congratulated the author on the high quality of his code.

The fake Adobe update is a little less clear about which product it is mimicking. It commands the user to "Upgrade your Media Player now [required]" and uses the look and feel of an Adobe update.

[Image: the fake Adobe "media player" update page]

The file name is "Flash Player 12.exe" and it is 814KB. The publisher in both the PE header and the VeriSign code signing certificate is identified as "Air Software", and the PE product name is "Adobe Flash Player" version 2.0.4.54. On VirusTotal, 9 of 48 engines identify it, often as adware.
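The detail worth acting on in both files is that the signatures are valid but the signer is not the vendor the page impersonates: "TINY INSTALLER" rather than Google, "Air Software" rather than Adobe. The following PowerShell function is an added example, not code from this post, that triages a downloaded installer by checking the Authenticode signer and the PE version resource against the vendor the download page claims. The product-to-vendor table, the quarantine paths and the function name are assumptions for illustration.

```powershell
# Added example (not from the ZDNet post). Triage a downloaded installer by
# checking that its Authenticode signer and PE version info actually name the
# vendor the download page claims. A signature can be cryptographically valid
# and still belong to an unrelated publisher, which is the case described above.
# The product-to-vendor table and the paths in the usage lines are hypothetical.

function Test-InstallerProvenance {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # The product the download page claims to update, e.g. 'Chrome' or 'Flash Player'
        [Parameter(Mandatory)] [string] $ClaimedProduct
    )

    # Hypothetical expectations: which organisation should be signing each product
    $expectedVendor = @{
        'Chrome'       = 'Google'
        'Flash Player' = 'Adobe'
    }

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $version = (Get-Item -LiteralPath $Path).VersionInfo
    $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $vendor  = $expectedVendor[$ClaimedProduct]

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The signature must chain to a trusted root and the file must be unmodified
    if ($sig.Status -ne 'Valid') {
        $findings.Add("signature status is '$($sig.Status)', not Valid")
    }

    # 2. A valid signature from the wrong organisation is still a red flag
    if ($vendor -and $signer -notmatch [regex]::Escape($vendor)) {
        $findings.Add("signer '$signer' does not name expected vendor '$vendor'")
    }

    # 3. The PE version resource should agree with the signer and the claimed product
    if ($vendor -and $version.CompanyName -notmatch [regex]::Escape($vendor)) {
        $findings.Add("CompanyName '$($version.CompanyName)' does not name expected vendor '$vendor'")
    }
    if ($version.ProductName -and $version.ProductName -notmatch [regex]::Escape($ClaimedProduct)) {
        $findings.Add("ProductName '$($version.ProductName)' does not mention '$ClaimedProduct'")
    }

    # Return everything an analyst would want to record, including a hash for lookups
    [pscustomobject]@{
        Path            = $Path
        Sha256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SignatureStatus = $sig.Status
        Signer          = $signer
        CompanyName     = $version.CompanyName
        ProductName     = $version.ProductName
        ProductVersion  = $version.ProductVersion
        Suspicious      = ($findings.Count -gt 0)
        Findings        = $findings.ToArray()
    }
}

# Usage (hypothetical quarantine paths; the file names are the ones reported above):
# Test-InstallerProvenance -Path 'C:\Quarantine\Chrome_Security_Plugin_Setup.exe' -ClaimedProduct 'Chrome'
# Test-InstallerProvenance -Path 'C:\Quarantine\Flash Player 12.exe' -ClaimedProduct 'Flash Player'
```

Run against the two samples described above, the Chrome file would be flagged on the signer, CompanyName and ProductName checks ("Express Install" names neither Google nor Chrome), and the Flash file on the signer and CompanyName checks even though its ProductName claims "Adobe Flash Player". The point of check 1 being separate from checks 2 and 3 is that a Valid status alone would have passed both files.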

I discovered the files by accident. Through a typo in the address bar I went to an address from which the browser was redirected a couple of times until it ended up on a page that loaded one of the two attacks described above. I have notified the administrative contact for the domain, which appears to have been parked.

The first time I encountered the files I got to the pages with no problem. Shortly thereafter, Google Safe Browsing API blocked access to them in Firefox and Chrome.

Talkback

21 comments
  • I've seen that with Java too

    nt
    abpbl6
  • Seen them

    I have seen both of these, at least 2-3 times each, in the last couple weeks. I can see where they might fool someone.
    trybble1
    • Anything for Chrome would OBVIOUSLY be FAKE!

      Why? Simple.... Chrome is continuously updated in the background. Everyone should know that if you are even remotely cognizant of how Google designed the Chrome browser. I mean that's besides being so foolish as to not notice that the Google image is simply preposterous and ugly looking in the first place too!

      The reality for anyone who really uses the Chrome browser is that you never see an update message, and second, they can't dupe you if you've got the Google 'Bell' notifications icon in your Windows 8 task bar. I don't know about Windows 7 or Macs. But if something is urgent.... from Google, that's where it will appear. Not ever in an email or, even more ridiculous..... in any browser window. Let alone that being a Chrome browser window!

      For Adobe and Java? Obviously they could be spoofed, but then again that will appear in your task bar too and that's something that can't be spoofed!
      KronJohn
      • I've seen them many times

        So if one wants to download something like that, where would one go? I mean, yes, I got the right Chrome because I don't get emails, like you said, but what if I wanted a Flash player for animations, where would be the safest site to download it? Because I downloaded it once when I first got my computer, but didn't know jack about a computer, but saw how they do animations and how, so I decided to download FLASH PLAYER, LOL.... and boom, gave my computer a virus. So that's why I ask: if one wants to download something, where would one go, seeing that there are so many options........ any tips?
        Fernando Romero
        • Where to go

          Simple! Go to the web site of the company that produces that software. For Chrome, you could go to www.google.com/chrome, for Flash Player you would go to adobe.com. It's pretty easy to find the actual provider of the software if you take a minute to do a search and then just take a look around to make sure you're at a legitimate site.
          Scott Petricig
  • I've seen them also.

    I only take updates from Adobe seriously if the download screen has the word Adobe on it. I've seen them where it says your version of Flash needs updating and the download screen refers to Flash and not Adobe Flash.
    Orlbuckeye76
    • Flash

      So that's how you can distinguish a fake, by it saying Adobe? Man, when I first recently got this computer, I wanted a Flash player for animation and that sucker, I guess, had a virus or something. Well, lesson learned. My best bet is to not download anything, but then again that would defeat the purpose of having a computer. If I could buy Flash player software in a retail store I would, but I ask this: what do I have to watch out for? Because I get lots of pop-ups like that to download Flash.
      Fernando Romero
      • Your best bet

        Is to find a safe download site. I used to send people to download.com, but recently they've started putting their questionable wrapper around downloads. Primarily now I use filehippo, but sometimes it's hard to tell what are ads and what are the download links.
        jred
  • Art Bell wants to strangle the creator of this

    I was listening to a YouTube re-broadcast of Art Bell's Dark Matter and heard him talking about all the trouble he had removing this after falling for the fake Adobe Flash update. He had to waste lots of time removing it from his Windows PC.

    Note to self: Introduce Art Bell to Linux, either Mint or Ubuntu.
    InformationRetrieval
  • isoHunt torrent website serves up the fake media player...

    This torrent website, about to be shut down (supposedly) after losing an MPAA lawsuit, tries to force on the fake media player download!
    randysmith@...
  • Seen this

    I saw this, and everything I clicked wanted me to download, and even the 'x' wasn't working. Finally I opened a new tab and reported this website to Google. I then used Task Manager to finally close Google Chrome.
    pbilk
  • Seen it already

    Haven't seen the Chrome one - although not surprised [and you rarely see IE "updates", partially because there are so many updates to Chrome].
    As for the Flash Player, I've seen that "update" before. Usually if you stumble on a "naughty" site by spelling a legitimate site wrong or something like that.
    Gisabun
  • A Fix Please!

    Okay ... so what does a computer illiterate do if I already downloaded one of the above? The Flash Player one. Could that cause problems with my print settings?
    JohnBarbChuck@...
    • Try this

      Go to bleepingcomputer.com and search their downloads for malwarebytes. Install it, update it, and run a full scan. It will take a couple of hours. When it's finished, Show Results, make sure everything is selected & Remove Selected. It will ask you to reboot.
      That will clean 95% of the junk out there. If you still have problems, try the bleepingcomputer forums, they're usually pretty helpful.
      jred
  • Cheap SSL Certificate

    I think Symantec Code Signing was used to show that the update is original and from trusted sources. As Symantec is one of the most secure products for code signing, everybody will believe that it's the genuine update and that they have been updated with Chrome or Adobe normally, without thinking that the updates would have been fake!!
    CheapSSLSecurity
  • I think I got popped last night

    I think I was tricked by the Flash one last night. Not sure, though, because although it was a questionable web site, the flash update took me to Adobe.com to download. Running a scan to make sure it wasn't a drive-by...
    jred
    • Media player

      This is for Media Player that Flash
      panelshop
    • Media player

      This is for Media Player not Flash
      panelshop
  • It's past time that Adobe changed its install scheme

    We've known for a while now that Adobe updates can be mimicked - most tech-savvy users are wary of ANY application that suggests it's time for an update - unless there's a "check for update" function within the app itself. I'd rather that Adobe just send an email notification, suggesting that we visit their site for a necessary update. That way, the user has more control, and isn't as susceptible to scammers and spammers.
    wolfshades
  • The fake Flash Player page is driving me crazy!

    Running Chrome, a new tab will pop up out of nowhere, often looking like legit Adobe, sometimes not, so I close the tab, but even when I've closed Chrome, walked away from the PC (Windows 8) for even a minute and come back, Chrome has been re-launched (spooky!) and there's one of the many variations of the uninvited tab staring at me. HOW DO I BLOCK THESE THINGS????? I have NEVER done the download/install, by the way.
    patchrose