Saturday, November 22, 2014

Router hack may cause unwanted Adobe download requests


There is new explanation for the unwanted popup I sometimes see to install an Adobe flash player.  It has occurred on one Windows 8.1 machine from MLB.com and Slate.com  


I have even communicated with the abuse departments of both MLB and Adobe about the popup, and Adobe recently emailed to me that it had acted (legally, probably with a trademark claim) to stop the particular popup.  


An Adobe forum suggests that it is a router that is infected, not the computer.  The link is here.  The malware is called the “Moon virus” or "Moon worm".   It’s hard to see how a Netgear router itself (firmware) would be hacked (it is password protected) but it’s possible that the hack could be on the ISP’s servers.  The implication is that as long as one doesn’t not click on the link, nothing will happen.  But the unwanted exe (which Chrome now warns about as a threat but Webroot doesn’t yet) disappears from the notification bar when the browser is simply closed (all sessions). 
  
A hacker news bulletin (link) has an even more sinister warnings that router hacking could lead to fake bank sites coming up.  Therefore, when a home user checks his or her financial statements, it’s a good idea to check them on more than one computer, or on more than one kind of device (try both mobile and PC), more than one operating system (try Mac if you have it), and more than one router.  If you have a hotspot with your cell phone, use that occasionally instead of your home router.  Or even check at a terminal inside your bank branch if it offers one (Wells Fargo is pretty good about this).  



Update: Nov. 26

Here's another writeup from the UK on the Moon virus, seeming to have something to do with Conduit, link here.

I got a fake Adobe update popup this evening on an older Dell Windows 7 laptop when I was on mlb.com (trying to go to the Washington Nationals page).  In Windows 7, it started downloading, and Webroot Secure Anywhere stopped it immediately.   I closed the browser.  Webroot scan ran for 20 minutes and verified the malware had not actually loaded or installed.  I tried the mlb site again and it worked normally.  I did go ahead and rebooted the machine and nothing unusual happened.  

No comments: