NEWS FROM THE LAB - Wednesday, May 13, 2009

Fake Adobe Flash Player Site Posted by WebSecurity @ 07:40 GMT

One of our Web Security Analysts came across a website (118,000 ranking in Alexa) that drives users into installing a fake Adobe Flash Player file. The site prompts a message requesting the user download "a new version of Adobe Flash Player" in order to view a video on the site.

Fake Adobe Flashplayer

On clicking "Continue", visitors are taken to this page:

Fake Adobe FlashPlayer

Looks pretty authentic, right? It even offers to download an "install_flash_player.exe" file for you. The analyst was using a Linux system though, so this seemed slightly odd.

Turns out the site is a (pretty good) fake. Unless a visitor takes a hard look at the address bar, it's pretty easy to be fooled.

The downloaded installer also looks like the original Adobe Flash Player installer, though the checksum and digital signatures point out the difference.

Fake Adobe Flashplayer installer

install_flash_player.exe version
md5: 51F26C0051E97A91145971FE5BC632FF

md5: 71AD0C4A4168AA98BB20E3561E505CC7

Based on a reverse domain lookup on the malware link, the fake site is hosted in Bulgaria.

Updates to the latest antivirus definitions detect this threat.