Brazilian internet service provider hacked

Published December 4th, 2013 at 9:33 AM EST, modified December 4th, 2013 at 9:33 AM EST

A few users on Apple’s support forums are reporting a problem where an Adobe Flash Player update notice pops up on most web sites. It now appears that the problem is affecting users of the Brazilian internet service provider (ISP) NET Virtua. Apparently, the pop-up is the result of poisoning of the ISP’s domain name servers (DNS). Such DNS poisoning attacks allow a hacker to direct requests for certain sites to a fake lookalike site, usually with the intent to harvest usernames and passwords.

The Register reports on this issue, although their description only mentions the use of this DNS poisoning to attack a bank site. However, so far, some of those reporting the problem have confirmed that they are connecting through NET Virtua, while none have said they were connecting through any other ISP. This could be coincidence, but it’s unlikely.

An intriguing discussion on the Kaspersky forums links this pop-up to pages that contain a Google Analytics JavaScript. If this is true, the DNS poisoning may also be redirecting www.google-analytics.com to a malicious site. This would allow the normal Google Analytics JavaScript to be replaced with a malicious one for affected users. (Note that there is no verification that this is the case at this point, just a lot of connecting of dots!)

The buttons in that pop-up both link to a file named FlashInstall.zip, containing a single file, FlashInstall.exe. The good news is that this isn’t Mac malware. So, although the problem is causing a nuisance to Mac users connecting through NET Virtua, there is no actual threat. The bad news, for Windows users, is that only three of the anti-virus engines on VirusTotal recognize the file as malware, which means it may be slipping past the defenses of many Windows computers.

Anyone suffering from this problem should consider changing their DNS settings, at least temporarily. It would also be a good idea to clear the DNS cache, to prevent cached domain name lookups from causing the problem to continue even after changing domain name servers.
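The script below is an added example, not part of the original post: it compares the current resolver's answer for www.google-analytics.com with a reference resolver's answer, then applies the DNS change and cache flush described above on a Mac. It assumes `dig` is installed, uses Google Public DNS (8.8.8.8 and 8.8.4.4) as the reference, and assumes the network service is named "Wi-Fi"; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: dig is available, Google Public DNS is the reference resolver,
# and the macOS network service is called "Wi-Fi".
REF_RESOLVER="8.8.8.8"

# Succeeds if two whitespace-separated address lists share at least one entry.
answers_overlap() {
    for a in $1; do
        for b in $2; do
            [ "$a" = "$b" ] && return 0
        done
    done
    return 1
}

# Classify the answers from the current resolver ($1) and the reference ($2).
# "differs" is only a hint: large sites legitimately hand out different
# addresses to different resolvers, so follow up before drawing conclusions.
classify() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "no-answer"
    elif answers_overlap "$1" "$2"; then
        echo "consistent"
    else
        echo "differs"
    fi
}

# A records only; CNAME lines printed by dig +short are filtered out.
lookup() {  # lookup NAME [@RESOLVER]
    dig +short +time=3 +tries=1 ${2:+"$2"} "$1" A | grep -E '^[0-9.]+$' | tr '\n' ' '
}

check_name() {  # check_name NAME
    echo "$1: $(classify "$(lookup "$1")" "$(lookup "$1" "@$REF_RESOLVER")")"
}

# Point the named network service at the reference resolvers, then flush the
# DNS cache so stale lookups do not survive the change.
switch_dns_and_flush() {  # switch_dns_and_flush "Wi-Fi"
    sudo networksetup -setdnsservers "$1" "$REF_RESOLVER" 8.8.4.4
    sudo dscacheutil -flushcache
    sudo killall -HUP mDNSResponder
}

if [ "${1:-}" = "--check" ]; then
    check_name www.google-analytics.com
fi
```

Run it with `--check` to compare the answers; call `switch_dns_and_flush "Wi-Fi"` from the same shell to apply the change.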

Of course, it’s important to keep in mind that fake Adobe Flash Player pop-ups are common, and most of them will not be caused by this particular issue. If you are seeing a similar problem, but are not connected to NET Virtua, you should consult “Eliminating browser redirects and advertisements.”
