Brazilian internet service provider hacked
Published December 4th, 2013 at 9:33 AM EST, modified December 4th, 2013 at 9:33 AM EST
A few users on Apple’s support forums are reporting a problem where an Adobe Flash Player update notice pops up on most web sites. It now appears that the problem is affecting users of the Brazilian internet service provider (ISP) NET Virtua. Apparently, this was done by poisoning the ISP’s domain name system (DNS) servers. Such DNS poisoning attacks allow a hacker to direct requests for certain sites to a fake lookalike site, usually with the intent to harvest usernames and passwords.
The Register reports on this issue, although their description only mentions the use of this DNS poisoning to attack a bank site. However, so far, some of those reporting the problem have confirmed that they are connecting through NET Virtua, while none have said they were connecting through any other ISP. This could be coincidence, but it’s unlikely.
The buttons in that pop-up both link to a file named FlashInstall.zip, containing a single file, FlashInstall.exe. The good news is that this isn’t Mac malware. So, although the problem is causing a nuisance to Mac users connecting through NET Virtua, there is no actual threat. The bad news, for Windows users, is that only three of the anti-virus engines on VirusTotal recognize the file as malware, which means it may be slipping past the defenses of many Windows computers.
Anyone suffering from this problem should consider changing their DNS settings, at least temporarily. It would also be a good idea to clear the DNS cache, to prevent cached domain name lookups from causing the problem to continue even after changing domain name servers.
Of course, it’s important to keep in mind that fake Adobe Flash Player pop-ups are common, and most of them will not be caused by this particular issue. If you are seeing a similar problem, but are not connected to NET Virtua, you should consult “Eliminating browser redirects and advertisements”.