FlashPlayerInstaller.exe malware

[Lucky Duck]

FlashPlayerInstaller.exe is a legitimate filename but the version that existed on my computer this morning was not a legitimate file. It came to my attention when it was blocked by Windows Firewall Control* while seeking an outbound connection. A check of the exe showed that it was unsigned (unusual for a Flash module) and my attempts to upload it to Virus Total were not successful. My own AV, ESET and MBAM, found nothing wrong with it. Attempts to delete the file were also not successful. I tried to obtain a hash for it but the process failed with an error, file too large. Since Explorer reported it was only 10+ MB, that also seemed odd.

So, I loaded up a Macrium image made only two days ago, located the file and found that it was signed and it was less than 5 MB in size. It also sported the proper icon rather than the generic one displayed by the intruder. I restored the image and that was that. What I don't know is where it came from, or rather, how it became infected. I know Windows Update routinely updates Flash and this was in the Windows/SysWOW64 folder so it's likely a MS thing but I'm not pointing a finger at MS here. It was probably one of those infamous drive-by attacks that takes place right under your nose without any signs or symptoms. Thank goodness for WFC.

*For those who don't know, Windows Firewall Control is a GUI for the Windows firewall. I've been using it for at least two years and would not be without it. It was originally authored by Binisoft and is now owned by Malwarebytes. It's worth a look.

 

[Growltiger]

Thanks for the tip.
Presumably Windows Firewall would have blocked it, as WFC seems to be an easy to use interface to Windows Firewall rather than something that adds security?

I ran a check and my system contains no files with that name. I wonder how you picked it up, and of course it came with something else that tried to make it run.
Congratulations on making a recent Macrium backup - perfect timing.

 

[Lucky Duck]

Thanks for the tip.
Presumably Windows Firewall would have blocked it, as WFC seems to be an easy to use interface to Windows Firewall rather than something that adds security?

I think it *might* have been blocked but I don't think there would have been a notification to alert me that something was amiss. The firewall's verbiage says it will notify when it blocks a new app and I'm not sure how "new" is defined for this purpose.

 

[JeeperDon]

Side question... is Flash still a thing? I know I have not had any special flash install or any browser flash support installed for years.

 

[Lucky Duck]

Side question... is Flash still a thing? I know I have not had any special flash install or any browser flash support installed for years.

It is as far as MS is concerned I guess, that's where I see the updates listed and I always install them even though I don't use the MS browsers.

 

[Ann_JS]

If you ever watch cable TV on your computer, you still need Flash.
Just be sure that you only install it by getting it directly from Adobe's Site.
If you see pop-ups telling you that you need to update Flash, ignore the Link and go to Adobe's site to get the authentic installer instead.

 

[nuclearjock]

I ran a check and my system contains no files with that name.

Also not on mine Richard.

 

[Growltiger]

Side question... is Flash still a thing? I know I have not had any special flash install or any browser flash support installed for years.

Flash is nearly dead. Only a small number of websites, which are not properly maintained, have not been updated to remove the need for it.
I still have it installed as a plugin to Firefox, but I have set it as "Ask to activate" which means that every time it needs to run it has to ask my permission. I can't have granted permission more than once in the last year and eventually I will remove it entirely.

 

[7006]

Removed from my machines 1 to 2 years ago.

 

[Lucky Duck]

Flash is a part of a Windows installation, at least that's how it appears. I've never seen a way to opt out during an install. I have it on both versions, 8 and 10. If you check your Win update history, you will find that you likely do have flash and MS keeps it up to date:

Subscribe to see EXIF info for this image (if available)

Maybe the newest versions of 10 have done away with it? I don't know for sure because I'm not current. You can also search for FlashPlayerApp.exe to see if MS has gifted you with it.

 

[Growltiger]

Flash is a part of a Windows installation, at least that's how it appears. I've never seen a way to opt out during an install. I have it on both versions, 8 and 10. If you check your Win update history, you will find that you likely do have flash and MS keeps it up to date:

Maybe the newest versions of 10 have done away with it? I don't know for sure because I'm one version behind. You can also search for FlashPlayerApp.exe to see if MS has gifted you with it.

You are right. It looks like it comes with Edge.

 

[Walter Rowe]

Adobe has ceased support for Flash. Google Chrome will block it in a release coming later this year.

July 25, 2017

Adobe is planning to end-of-life Flash. Specifically, we will stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to these new open formats.

https://theblog.adobe.com/adobe-flash-update/

 

[Lucky Duck]

From the other thoughts dept: I don't know that this attack is specific to Flash. Maybe it is Flash-centric given its history of security issues, or maybe it just happened to be a convenient vector in this instance. Replacing an executable with one of the same name is a fairly trivial thing to do.

Regarding Adobe's announcement, no one will mourn the passing. I have Flash and javascript blocked by default, and while I need to make exceptions for JS, I almost never need to allow Flash except for cable programming as Ann pointed out above.

 

[Dayo]

I have Flash and javascript blocked by default.

Surprised anyone can operate on the web today with JS blocked.
20 years ago, one used to have "noscript" fallbacks for js blockers when building websites but no one bothers to cater for such anymore. Basically a requirement for the web today.

 

[Lucky Duck]

Surprised anyone can operate on the web today with JS blocked.

As I said, I do have to make exceptions. Some sites provide a sort of bare bones functionality without JS, some seem to be coded without any use of it and others won't work at all. The purpose of having it blocked is to add a layer of safety when clicking on links that lead to who-knows-where. I read quite a bit of news online and there are lots of links to original sources and references, many of which aren't familiar to me. The extra few seconds it takes to enable JS if needed is not an issue.

 

[Dayo]

The extra few seconds it takes to enable JS if needed is not an issue.

Sure. The important thing is always what one feels comfortable with.