Has Anyone Seen a Missing Scroll Bar? Phony Flash Update Redirects to Malware

Type threatpost
Reporter Michael Mimoso
Modified 2013-05-07T18:30:14


Microsoft said it has received 70,000 reports this week of a new Trojan disguised as an Adobe Flash Player update that will change your browser’s home page and redirect a Web session to an attacker’s page.

There are several clues something is amiss, namely part of the GUI for the supposed Flash 11 update is written in Turkish, and there is no scroll bar on the EULA.

Related Posts

GozNym Banking Trojan Targeting German Banks

August 23, 2016 , 1:03 pm

EFF Blasts Microsoft Over ‘Malicious’ Windows 10 Rollout Tactics

August 18, 2016 , 4:38 pm

Latest Windows UAC Bypass Permits Code Execution

August 15, 2016 , 3:35 pm

Microsoft detects the file, which is spreading in emails, as Trojan:Win32/Preflayer.A. The malware will change the home page on Internet Explorer, Google Chrome, Mozilla Firefox and Yanex to either anasayfada[.]net or heydex[.]com.

“These sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing,” said Jonathan Jose, an antivirus researcher at Microsoft.

When a victim executes the malicious file, a typical Flash Player dialog box pops up; the text of the agreement isn’t entirely visible because of the lack of a scroll bar. Jose said by highlighting the text, you’re able to read it to the end and notice a condition that states the user’s home back will be changed

“Not having a scroll bar is a bit dodgy as most users won’t realize that the program is going to change the browser’s start page,” he said.

Should the user go ahead and click on the install button, written in Turkish, the malware executes and changes the start pages. The domains were for the new start pages, as well as the domains hosting the malicious Flash update were created within the last six months, including one on March 4 that hosts the Flash executable.

Jose said that in addition to changing the browser start page, the browser shortcut file may also change to open either of the malicious pages.

“It’s a fairly simple ruse – misleading file name, misleading GUI, deliberately inaccessible EULA, misleading file properties – and some of the files are even signed. And yet, we’ve received over 70,000 reports of this malware in the last week,” he said. “Social engineering doesn’t have to be particularly sophisticated to be successful. So the message today is be wary. If you think something ‘feels’ wrong (like that missing scrollbar in the EULA) it may well be. Listen to those feelings and use them to protect yourself by saying ‘no’ to content you don’t trust.”