This guide was written to help Windows users remove malware from their devices. An ad with a fake request to update Adobe Flash Player or Java will randomly pop up. The malicious web page will display a pop-up box stating that you need to update or install Flash Player or Java to view a video.
The latest version of the venerable (and oh-so-holey) PDF viewing routine, Acrobat Reader DC 15.023.20053, released this week, looks for information about your Google Chrome surfing habits. Without your knowledge or consent, the security patch installs a Chrome browser extension that's spyware, pure and simple.
The situation's a little more complex, but for most people using Adobe Acrobat Reader, Chrome spyware comes along for the ride.
If you haven't looked at the Adobe Acrobat Reader lately -- I haven't used it in years, due to security concerns -- this latest privacy twist warrants your attention. Unfortunately, there are three distinct versions of Acrobat Reader making the rounds, and this spyware 'feature' affects only one of them.
In April 2015, Adobe put Acrobat Reader in the cloud, creating Acrobat DC. Those who haven't gone to the cloud are still running Reader XI, which will lose support in October 2017. Acrobat DC is split into two branches, the 'continuous release track' -- the one affected by the spyware this month -- and the 'classic release track,' which freezes the feature set at 2015 levels.
Adobe Acrobat Reader routinely receives a dozen or more security patches every month. As Lucian Constantin reported in PC World, this month, 29 security holes were plugged. The latest version numbers:
- Reader DC continuous release track: 15.023.20053
- Reader DC classic release track: 15.006.30279
- Reader XI: 11.0.19
As reported by Catalin Cimpanu on BleepingComputer and confirmed by Martin Brinkmann at ghacks, installing the DC continuous release track patch, which is the one that most Acrobat Reader users will install, brings along an extension for Google Chrome only, on Windows only. The Chrome extension is installed without notifying you or asking for permission. It's called 'Adobe Acrobat' and it can:
- Read and change all your data on the websites you visit
- Manage your downloads
- Communicate with cooperating native applications
Fortunately, if you're running Chrome when you install the latest Acrobat security patch, or when you restart Chrome after installing the security patch, Chrome's smart enough to detect that a new extension has been added, and to ask your permission before enabling it.
Unfortunately, the default action selected is to enable the spyware. Unless you specifically click Remove from Chrome, the extension gets installed and armed. You see this notification:
With this all-new extension, you can:
- Easily turn web pages into PDF files so they look and act just like the page you converted -- keeping original links, layout, and formatting intact
- Quickly switch from viewing PDFs in Chrome to opening them in Acrobat on your desktop
- Explore Adobe Document Services to convert and combine files in your browser
Please note: With this release, you can share information with Adobe about how you use the application. This option is turned on by default. The information is anonymous and will help us improve product quality and features. You can change this setting at any time in Options for this Chrome extension.
If you're curious about this all-new extension/feature, you can read Adobe's Product Improvement Program explanation:
Adobe Product Improvement Program is designed to understand and anticipate customer needs in order to deliver world-class products and solutions. Participation is voluntary, and no personal information is collected… Since no personally identifiable information is collected, the anonymous data will not be meaningful to anyone outside of Adobe… Can I see the data that is collected before it is sent to Adobe? No, the information cannot be displayed. This program is designed to work for millions of users without affecting their product use, so the data is sent automatically. The data is also encoded so that it can be processed efficiently.
You're to be forgiven if that sounds a whole lot like Windows 10's data collection method. Apparently Adobe now feels it's entitled to install spyware without your permission.
Don't want to send your browsing history to Adobe? Try using a different PDF viewer: PDF X-Change Editor is free for the basic version (which puts a watermark on your pages when certain features are used), $43.50 for the full version. I used to recommend Foxit Viewer, but its installer is now riddled with crapware. At least Foxit Viewer makes it possible to dodge the spyware, where Adobe Acrobat Reader does not.
If you installed the spyware by mistake, you can turn it off. In Chrome, click the three dots in the upper right corner, choose More tools > Extensions. To the right of the entry for Adobe Acrobat, click the trash can, then Remove. Restart Chrome and it's gone.
But why use a PDF viewer? Chrome already has good PDF viewing capabilities and a solid editor to help you fill out forms. (Tip: To save a filled-out form in Chrome, use Print, then Save as PDF.) If you're running Windows 10, Edge has a built-in PDF viewer.
Hubris. Sounds like a good name for a new product: Adobe Hubris.
A decade-old Windows malware trojan wormed its way into the macOS ecosystem, complete with a signed (likely stolen) Apple developer certificate. The exploit appears as an Adobe Flash Player installer. Once permission is granted, it hides itself deep inside macOS folders. Its certificate has already been revoked by Apple, but it's good to be aware of your enemies.
According to Fox-IT, Snake, a malware framework that has been infecting Windows software since 2008, and more recently Linux, is now targeting Mac.
Update Flash for Safari. “As explained by Apple developer Ricky Mondello in a post on the WebKit blog, when a website offers both Flash and HTML5 content, Safari will always deliver the more modern HTML5 implementation,” Clover reports. “On a website that requires a plug-in like Adobe Flash to function, users can activate it with a click as can be done in Google’s Chrome browser.” Clover reports, “Safari 10 will also include a command to reload a page with installed plug-ins activated to give users additional options for controlling the content that’s displayed, and there are preferences for choosing which plug-ins are visible to which websites in Safari’s Security preferences.” “Google issued a similar proposal for Chrome last month, which is set to be implemented in Q4 this year.” Read more in the full article. MacDailyNews Take: Yes! Adobe, your shitastic Flash must die.
Now, Fox-IT has identified a version of Snake targeting Mac OS X. As this version contains debug functionalities and was signed on February 21st, 2017 it is likely that the OS X version of Snake is not yet operational. Fox-IT expects that the attackers using Snake will soon use the Mac OS X variant on targets.
Snakes are dangerous and here's why
Similar to the Dok trojan that we heard about earlier this week, Snake popped up with an authenticated developer certificate, which means the Mac's built-in security system, Gatekeeper, would consider it legit and allow the installation process to complete.
It's important to note that Apple has already revoked this fake or stolen developer certificate, so Gatekeeper will block it. However, there is still a slight chance of someone downloading Snake by accident if they've found it through dubious channels. Malwarebytes explains:
Fortunately, Apple revoked the certificate very quickly, so this particular installer is no further danger unless the user is tricked into downloading it via a method that doesn't mark it with a quarantine flag (such as via most torrent apps).
How Snake slithers into your Mac
Just like most malware attacks, Snake doesn't just magically appear on your Mac one day. There isn't someone shooting corrupted files through your ethernet cable directly into your software. Snake has to be welcomed into your operating system by you.
Think of it as a vampire. If you don't invite it into your home, it can't attack you.
The file, named Install Adobe Flash Player.app.zip, will appear to be an Adobe Flash installer (Say what you will about Flash, but there are still a lot of people that have to use it for school or work). From Malwarebytes:
If the app is opened, it will immediately ask for an admin user password, which is typical behavior for a real Flash installer. If such a password is provided, the behavior continues to be consistent with the real thing.
Interestingly, once the installation is complete, Flash is actually installed on the Mac, making it even more difficult to tell that it's a trojan.
How you can protect yourself against Snake
As noted above, the fake/stolen developer certificate that allowed Snake to get a pass from Gatekeeper has already been revoked, so it's likely that, even if you download the zip file and try to open the app, your built-in security program will say, 'Nope Dope!'
But to refresh best practices, if you receive an email with an attachment at all, do some due diligence to make sure it's from a legitimate source. Check the sender address to make sure it is from an address you recognize. Click on the sender's name to view the email address it was sent from to make sure it's not a spoofed email. If you're still unsure, confirm with the sender by texting, calling or sending a separate email asking if the attachment is legit.
Specific to the Snake trojan, avoid downloading any zip files with the name Install Adobe Flash Player.app.zip.
What to do if Snake already bit you
Do you like my snake puns?
If you think you might have managed to accidentally install the Snake trojan onto your Mac, you can find and delete the following files:
- /Library/LaunchDaemons/com.adobe.update.plist
- /Library/Scripts/installd.sh
- /Library/Scripts/queue
- /var/tmp/.ur-*
- /tmp/.gdm-socket
- /tmp/.gdm-selinux
Next, delete the stolen/fake signed Apple Developer certificate.
- Launch Finder.
- Select Applications.
- Open your Utilities folder.
- Double-click on Keychain Access.
- Select the certificate named Adobe Flash Player installer with the signed certificate issued to Addy Symonds.
- Right or Control + click on the Certificate.
- Select Delete Certificate from the drop down options.
- Select Delete to confirm that you want to delete the certificate.
Lastly, change your administrator password to ensure that your backdoor is rekeyed so the hackers can't get back in.
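Before deleting anything, it helps to know exactly which of the artifacts above are actually on the machine. The script below is an added example and is not from the original article, Malwarebytes or Fox-IT; it is a read-only check that reports which of the listed Snake paths exist and looks up any keychain certificate issued to the name given in the article. The function names, the optional ROOT argument (so the same check can be pointed at a mounted disk image or a test directory), and the `SNAKE_FOUND` variable are this example's own conventions.

```shell
#!/bin/sh
# Added example (not the article's own code): read-only check for the Snake
# artifact paths listed in the article. Nothing is deleted; review the output
# before removing anything by hand.

SNAKE_PATHS="
/Library/LaunchDaemons/com.adobe.update.plist
/Library/Scripts/installd.sh
/Library/Scripts/queue
/tmp/.gdm-socket
/tmp/.gdm-selinux
"

# snake_check [ROOT]: print one "FOUND: path" line per artifact present under
# ROOT (default "/") plus a summary line. Always returns 0 so it composes
# under `set -e`; the count is also left in $SNAKE_FOUND.
snake_check() {
    root="${1:-/}"
    root="${root%/}"          # "/" becomes "" so "$root$p" never doubles the slash
    SNAKE_FOUND=0
    for p in $SNAKE_PATHS; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            SNAKE_FOUND=$((SNAKE_FOUND + 1))
        fi
    done
    # /var/tmp/.ur-* is a wildcard entry in the article; expand it separately.
    for f in "$root"/var/tmp/.ur-*; do
        [ -e "$f" ] || continue   # an unmatched glob stays literal; skip it
        echo "FOUND: $f"
        SNAKE_FOUND=$((SNAKE_FOUND + 1))
    done
    echo "snake_check: $SNAKE_FOUND artifact(s) found under '${root:-/}'"
    return 0
}

# snake_check_cert: list any keychain certificate whose common name matches
# the issued-to name from the article, using macOS security(1). On systems
# without that tool the check is reported as skipped.
snake_check_cert() {
    if ! command -v security >/dev/null 2>&1; then
        echo "snake_check_cert: security(1) not available, skipped"
        return 0
    fi
    # -a: all matches, -c: match on common name, -Z: print each cert's hash
    security find-certificate -a -c "Addy Symonds" -Z 2>/dev/null \
        || echo "snake_check_cert: no matching certificate"
    return 0
}

# Run both checks against the live system (or the directory given as $1).
snake_check "${1:-/}"
snake_check_cert
```

Run it as `sh snake_check.sh` on the Mac in question, or `sh snake_check.sh /Volumes/SuspectDisk` against a mounted image; a clean system prints no `FOUND:` lines and a count of 0. Because the check only reads paths and lists certificates, it is safe to run repeatedly, and the output doubles as a record of what was present before you followed the removal steps above.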
Remember best practices for staying safe
It is unlikely, at this point, that Snake will slither through your Mac's backdoor. For one, Apple has revoked the certificate, which makes it nearly impossible to make it through the installation process without you knowing about it.
To reiterate, don't open attachments from unknown sources. Double check the sender email address to make sure it is not spoofed. Don't open suspicious-looking files or give administrator permission to unknown programs. You can protect yourself from most attacks by sticking to these habits.
If you do end up with malware on your Mac, take a moment to relax and know that everything will be O.K. You can remove malware on your own, but if it seems too difficult for you to tackle, you can talk to Apple support. Someone will be able to help you.