
A new plague of Flash Trash on the way


  • Please log in to reply
5 replies to this topic

#1 Alan_B (Super Hero, Members, 4,266 posts, Male, Lancashire, England)

Posted 18 September 2009 - 11:51 AM

Today I was given another 554 KB of unwanted rubbish, 3 files with names
1C04C61346A1FA3139A37D860ED92632AA13DECF.heu
1C04C61346A1FA3139A37D860ED92632AA13DECF.swz
cacheSize.txt

They all appeared in
C:\Documents and Settings\Dad\Application Data\Adobe\Flash Player\AssetCache\75EJ9GA4

I think it should be called LIABILITYCache, not ASSETCache.
I never asked for it.

I have now added to my winapp2.ini
FileKey4=%APPDATA%\Adobe\Flash Player\|*.*|RECURSE

n.b. Till now Flash was fully controlled by
FileKey1=%APPDATA%\Macromedia\Flash Player\|*.*|RECURSE

WARNING - Google gave me 18 results for 1C04C61346A1FA3139A37D860ED92632AA13DECF
I clicked on one and received an immediate ZIP download ! !
Approach at your own risk

Alan
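Before adding a FileKey line like the one above to winapp2.ini, it is worth seeing exactly what CCleaner will match, since `*.*` with RECURSE sweeps every file under the directory, including any settings or shared-object files you may want to keep. The following is an added example, not CCleaner's code or part of the original post: it parses the winapp2.ini FileKey syntax shown here (directory | patterns | RECURSE), expands `%APPDATA%` from an explicit mapping, and lists what would be removed without deleting anything. The sample directory tree it builds is constructed to mirror the layout in the post (the AssetCache bucket name and file names are taken from the post; the sizes and the extra `settings.sol` file are invented).

```python
"""Dry-run a winapp2.ini FileKey rule: list what it would delete, delete nothing."""
import fnmatch
import os
import re
import tempfile
from pathlib import Path


def expand_vars(path, env):
    """Expand Windows-style %VAR% tokens from an explicit mapping (portable, avoids os.environ)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def parse_filekey(line, env):
    """Parse 'FileKeyN=<dir>|<pattern>;<pattern>|<flag>' into (dir, patterns, recurse)."""
    key, sep, value = line.partition("=")
    if not sep or not key.strip().upper().startswith("FILEKEY"):
        raise ValueError(f"not a FileKey line: {line!r}")
    fields = value.strip().split("|")
    directory = Path(expand_vars(fields[0], env).replace("\\", os.sep).rstrip(os.sep))
    patterns = fields[1].split(";") if len(fields) > 1 and fields[1] else ["*.*"]
    flag = fields[2].strip().upper() if len(fields) > 2 else ""
    return directory, patterns, flag in ("RECURSE", "REMOVESELF")


def matches(name, patterns):
    """CCleaner treats *.* as 'every file' (Windows semantics); fnmatch would demand a dot."""
    return any(fnmatch.fnmatch(name, "*" if p == "*.*" else p) for p in patterns)


def dry_run(line, env):
    """Return (relative paths the rule would remove, total bytes) without touching the files."""
    directory, patterns, recurse = parse_filekey(line, env)
    if not directory.is_dir():
        return [], 0
    walk = directory.rglob("*") if recurse else directory.glob("*")
    hits = sorted(str(p.relative_to(directory))
                  for p in walk if p.is_file() and matches(p.name, patterns))
    total = sum((directory / h).stat().st_size for h in hits)
    return hits, total


def build_sample_tree():
    """Constructed stand-in for %APPDATA% with the layout from the post (sizes are invented)."""
    appdata = Path(tempfile.mkdtemp())
    bucket = appdata / "Adobe" / "Flash Player" / "AssetCache" / "75EJ9GA4"
    bucket.mkdir(parents=True)
    (bucket / "1C04C61346A1FA3139A37D860ED92632AA13DECF.heu").write_bytes(b"\0" * 1024)
    (bucket / "1C04C61346A1FA3139A37D860ED92632AA13DECF.swz").write_bytes(b"\0" * 4096)
    (bucket / "cacheSize.txt").write_bytes(b"0\0")          # "a zero followed by a null"
    # invented file one level up, to show what a non-recursive rule would and would not reach
    (appdata / "Adobe" / "Flash Player" / "settings.sol").write_bytes(b"\0" * 100)
    return appdata


if __name__ == "__main__":
    env = {"APPDATA": str(build_sample_tree())}
    for rule in (r"FileKey4=%APPDATA%\Adobe\Flash Player\|*.*|RECURSE",
                 r"FileKey4=%APPDATA%\Adobe\Flash Player\|*.heu;*.swz|RECURSE",
                 r"FileKey4=%APPDATA%\Adobe\Flash Player\|*.*"):
        hits, total = dry_run(rule, env)
        print(f"{rule}\n  -> {len(hits)} file(s), {total} bytes: {hits}")
```

Running the three rules shows the difference: the post's `*.*|RECURSE` line takes everything under Flash Player, the narrower `*.heu;*.swz` pattern takes only the cache payloads and leaves cacheSize.txt and any .sol files alone, and dropping RECURSE reaches nothing inside AssetCache at all.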

#2 Andavari (Moderators, 16,460 posts, Male, U.S.A.)

Posted 18 September 2009 - 01:45 PM

The only thing, though, is that some people who use sites which store settings in there (for example, some online games) would be upset if they had to start over from scratch. Suppose it's security/privacy vs. convenience. However, like you, I wipe that folder clean!

Piriform software help documentation is available at: http://www.piriform.com/docs
Don't PM me for advice! I'll only ask you to read forum rule #15.


#3 Sailback (Member, Members, 18 posts)

Posted 19 September 2009 - 08:28 AM

The asset cache feature has been around since v9.0.115.0 (late 2007),
as has the ability to control it from the Flash Player settings manager.

Link for the settings manager start page:
http://www.macromedi...gs_manager.html
It attempts to explain the settings. On the left are the actual page links
In the Global Storage Settings Panel you can turn the asset cache off by
unchecking "Store common Flash components to reduce download times" and confirming.

A file called cacheSize.txt is immediately created or updated. The contents
of mine are a zero followed by a null. 2 bytes total.
So I leave it alone. So far no more assetcache files and no complaints.

Don't be confused by Adobe's use of the word Global either. It's not Global for
all users of your machine but Global for all Websites for the current user.

If you need/want machine-wide control you'll need to create a special
config file. The details can be found in Adobe's own documents.
Available here for flash player 8,9
http://www.adobe.com...admin_guide.pdf
or for flash player 10
http://www.adobe.com...admin_guide.pdf
(search for "mms.cfg" within the pdfs)

Kind of boring stuff unless you are an admin or very curious.

I also found a .sol file (Local Settings Object) viewer/editor.
Portable Standalone Flash .Sol File Editor (2004)
Developers page: http://solve.sourceforge.net/
Download: http://sourceforge.net/projects/solve/
It's a work-in-progress but gets the job done for me.

I just wanted to decode a few files to further my understanding.
Happy to see the .sol file left by the bank was encrypted,
and found out YouTube just wants to know my preferred volume level.

A couple more links.
An adobe technote: How to manage and disable Local Shared Objects
http://kb2.adobe.com...6/52697ee8.html

A recent blog post at Tech Republic I ran across today:
Flash cookies: What's new with online privacy
http://blogs.techrep...ecurity/?p=2299
CCleaner is mentioned several times in the comments. (There are many.)

#4 Alan_B (Super Hero, Members, 4,266 posts, Male, Lancashire, England)

Posted 20 September 2009 - 09:55 AM

Thank you both.

I will now accept this is established technology, and not necessarily malware,
even though this sort of trash has never been on my machine before and arrived like a virus without invitation.

I was very disturbed that it arrived when I did nothing unusual.

I became paranoid when I searched the magic number and got 18 hits,
most of which were foreign and related to Torrent (which I think of as a malware carrier).
I clicked on one link and many thumbnails of girls in bikinis appeared
- the thumbnails were not adult content, but I decided to back out before ! ! ! ! !

Only one of the 18 was a site I recognised - geekstogo.
I clicked and immediately had the option to download or run.
I then copied the link and carefully inspected to see that it was what I thought,
and pasted in the address bar, and the download was repeated.
The download was a ZIP file. The link had a html extension.
I thought html gave browser pages, not ZIP downloads.
The Firefox Download manager confirmed that the ZIP came from geekstogo.
I asked geekstogo whether their site was infected or hijacked ! !

I Googled "SWZ MALWARE" and "HEU MALWARE" and got thousands of results.

When I finished and CCleaned, my new Winapp2.ini addition found a new item in
C:\Documents and Settings\Dad\Application Data\Adobe\Flash Player\AssetCache\
That was immediately purged.

Incidentally, earlier this year when I received the weekly bargain email (Gmail) from the NETTO discount grocery chain,
Google offered to put into my calendar those items that I often buy from Tesco.
Google knew me so well it was as if it had access to my Tesco "Loyalty Card" list of recent purchases,
but of course data protection laws mean that cannot happen ! ! !

Google always looks over my shoulder and selects and displays a relevant sponsored link.
Two days ago is when I first yielded to the temptation and clicked on the sponsored link.
Coincidence or what ! ! !

Alan

#5 Andavari (Moderators, 16,460 posts, Male, U.S.A.)

Posted 20 September 2009 - 08:19 PM

the ZIP came from geekstogo.

MVPS HOSTS File blocks their third-party intellitxt adverts. A ton of garbage can be automatically blocked by simply using a good HOSTS file along with for example Adblock Plus for Firefox.

#6 Alan_B (Super Hero, Members, 4,266 posts, Male, Lancashire, England)

Posted 21 September 2009 - 11:38 AM

MVPS HOSTS File blocks their third-party intellitxt adverts. A ton of garbage can be automatically blocked by simply using a good HOSTS file along with for example Adblock Plus for Firefox.


I use AdBlock Plus, but so far have not felt the need for the HOSTS file.

Two separate events.

1. I unexpectedly found 550 KB size 1C04C61346A1FA3139A37D860ED92632AA13DECF.swf etc.,
The Google adverts above my gmail messages never inconvenience me.
In fact I like them because they remind me that Google is watching and remembering everything I do, quite a sobering realisation ! ! !
Paranoia alert :-
For any Company X there may be a competitor Company Y, and knowledge of correspondence between X and its customers could be of great value to Y (e.g. to submit a bid that undercuts the final offer to/from X).
Is it possible that Company Y might pay Google a special referrer bonus for a "sponsored link" that results in a special "referrer cookie" that in 550kB not only identifies Google as the source, but also includes all the correspondence to and from a competing Company X ? ! ! !

2. Google search for 1C04C61346A1FA3139A37D860ED92632AA13DECF got 19 results.
The geekstogo result was
SysProt AntiRootkit v1.0.1.0 by swatkat ...
... Object: C:\Documents and Settings\Kelland\Application Data\Adobe\Flash Player\AssetCache\5SQ9YV37\1C04C61346A1FA3139A37D860ED92632AA13DECF.heu Status: ...
www.geekstogo.com/forum/post-a32410-.html - Cached - Similar

When I hovered over the first line, the browser status showed it went to
www.geekstogo.com/forum/post-a32410-.html
When I held down Ctrl and clicked on that first line Firefox opened a new TAB,
but the TAB remained empty instead of showing the rest of what swatkat wrote,
and the ZIP file was immediately sent to me and replaced the normal default with RUN.
Exactly the same happened when I selected and copied
www.geekstogo.com/forum/post-a32410-.html
and pasted into the address bar.

I have searched for "a32410", and the only instance geekstogo has found is my post on the subject.
I now suspect that a spam poster put something nasty on the geekstogo forum
and before geekstogo found it and removed it Google came along and cached it
and it is Google cache that gave me this unwanted ZIP.
Perhaps Google should place a warning about themselves "this site may harm your computer" ! ! !

I wish to continue visiting geekstogo, so I do not want MVPS HOSTS to block me,
and if it merely blocked adverts/pop-ups from geekstogo I suspect this sort of "invisible" ZIP download would still arrive.

I do accept that *.swf can have a legitimate presence and purpose,
but a 550 KB set of files where only a small cookie should happen is outside my experience, and thus suspect.
My paranoia clicks up 6 notches when I then search for the identifying 1C04C61346A1FA3139A37D860ED92632AA13DECF and :-
most results are related to Torrents (which might be illegal) ;
at least one seems to have links that could have adult content ;
somehow I get yet another monster set of *.swf with different names ;
and then I get an unsolicited 197 KB ZIP that appeared to come from geekstogo.

I still believe that man landed on the moon, but wonder if Google have the power to simulate it ! !

Regards
Alan