Today malware researchers at Intego have discovered a new fake Adobe Flash Player installer, which Intego has labeled “SilverInstaller.” Installers of this type are nothing new these days and usually infect a system with the same or similar adware. Some examples are Flashback, ClickAgent, InstallMiez and InstallCore. The same behavior was expected of SilverInstaller, but during analysis Intego observed that it behaved differently from the fake Flash Player installers we have seen in the past.
How is the user presented with the fake Adobe Flash Player update?
The methods used to trick the user into downloading and installing the installer are familiar: a website pop-up is presented claiming that a new version of Flash Player is available. It can look like this:
Or like this:
These fake Flash Player pop-ups come in many shapes and sizes but can be recognized as fakes when compared to the real thing, and SilverInstaller is no different. If the “Update” or “Download” button is clicked, however, things become a bit more interesting. The file that is downloaded is named “FlashPlayer_01.30.pkg” and looks like a generic package file. The numbers appended to the FlashPlayer name differ every time the file is downloaded, though, so no one will have the same file name twice.
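Because the numeric suffix changes with every download, an exact file-name match is useless for hunting, but a pattern match still works. The sketch below is an added example, not Intego's tooling: it flags files whose names fit the lure pattern and checks whether each one really begins with the xar magic bytes used by flat macOS installer packages. The pattern is an assumption generalised from the single sample name above, and the folder contents are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: generalised from the single sample name "FlashPlayer_01.30.pkg";
# both digit groups are treated as variable numbers.
LURE_NAME = re.compile(r"^FlashPlayer_\d{1,4}\.\d{1,4}\.pkg$", re.IGNORECASE)
XAR_MAGIC = b"xar!"  # flat macOS installer packages are xar archives


def is_flat_package(path: Path) -> bool:
    """True if the file starts with the xar magic bytes."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == XAR_MAGIC
    except OSError:
        return False


def find_suspect_packages(directory: Path) -> list[dict]:
    """Return lure-named files, noting whether each is really a package."""
    hits = []
    for entry in sorted(directory.iterdir()):
        if entry.is_file() and LURE_NAME.match(entry.name):
            hits.append({"name": entry.name, "flat_pkg": is_flat_package(entry)})
    return hits


def demo() -> list[dict]:
    """Build a constructed downloads folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files, not real installers.
        (root / "FlashPlayer_01.30.pkg").write_bytes(b"xar!" + b"\x00" * 24)
        (root / "FlashPlayer_17.02.pkg").write_bytes(b"xar!" + b"\x00" * 24)
        (root / "FlashPlayer_09.11.pkg").write_bytes(b"plain text")
        (root / "FlashPlayerNotes.pkg").write_bytes(b"xar!")
        (root / "report.pdf").write_bytes(b"%PDF-1.4")
        return find_suspect_packages(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

A name match alone is only a triage signal; any hit still needs its signature and contents inspected before it is treated as SilverInstaller.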