Is everyone using Comodo Secure DNS getting redirected to malware?

I just uninstalled Adobe Flash (was acting strange), and am trying to download it again. If I try to go to get.adobe.com/flashplayer, I end up at http://get2.adobe.com/flashplayer/?no_redirect

I’m pretty sure I remember this happening in Firefox in the past, but now it’s only happening with Dragon… which I reinstalled twice in the last 24 hours in between scans and running CCleaner.

I honestly thought I had scanned the install_flash_player11.exe from this site about a month ago, but it seems the file has changed and it was uploaded 1.5 weeks ago to virus total (check additional information for “get2” URL). Please see the following VirusTotal page, (SHA1: 44ada1431cf46196d00dfc84ec7ba1e73e5a9267):

For internet’s sake, please navigate to get.adobe.com/flashplayer in your browsers to get a consensus of who is being redirected and, hopefully, why.

Here is a screen shot of the offending website: http://archive.is/get2.adobe.com – note the McAfee download has been reported to be bundled with a trojan.

My guess is the malware involved in this conspiracy is, or is at least similar to the DNSChanger that surfaced this February: Advanced Research Center | Trellix

I should note that the McAfee site above received a Calomel SSL Validation analysis of: "WARNING, BROKEN and INSECURE! (red 12%)", and Perspectives reports that it is not the most commonly reported certificate: only 3 out of 7 visitors reported this same certificate, and over the last 15 days the site’s certificate has changed 4 times. If you go back to the VirusTotal report on the Flash installer, the behavioral information may suggest manifestation and manipulation of network hardware, the user’s shell, and remote access… I’m no expert but I have had problems with quite a few of these affected files in the last couple of months…

So please, if anybody can be brave and save the internet, please look into this and see if you are affected in a similar way; if not, go ahead and update your flash player via Comodo and watch your logs :smiley:

Looks fine to me, get2.adobe.com is just an alias for get.adobe.com

$ dig get2.adobe.com

; <<>> DiG 9.9.2-P1 <<>> get2.adobe.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18267
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;get2.adobe.com.                        IN      A

;; ANSWER SECTION:
get2.adobe.com.         10418   IN      CNAME   get.adobe.com.
get.adobe.com.          5645    IN      CNAME   get.wip4.adobe.com.
get.wip4.adobe.com.     5       IN      A       192.150.16.58

;; AUTHORITY SECTION:
wip4.adobe.com.         19      IN      NS      da1gtm001.adobe.com.
wip4.adobe.com.         19      IN      NS      sj1gtm001.adobe.com.
wip4.adobe.com.         19      IN      NS      du1gtm001.adobe.com.

;; ADDITIONAL SECTION:
da1gtm001.adobe.com.    5645    IN      A       192.150.16.247
du1gtm001.adobe.com.    5645    IN      A       193.104.215.247
sj1gtm001.adobe.com.    5645    IN      A       192.150.19.247

Yes, the URLs are all children of adobe.com, which may or may not mean it’s fine: Google Transparency Report

If I had to bet money I would bet that Adobe hasn’t gone rogue and started releasing Trojans targeted at select browsers like Dragon. But I still don’t understand why only Dragon is unable to connect to https://get.adobe.com/flashplayer, but is redirected to the get2.adobe.com URL, whereas Firefox connects fine to https://get.adobe.com/flashplayer with Perspectives reporting 100% certificate consistency.

And if I’m not the only one seeing/getting this odd behavior, then malware is in fact being hosted on get2.adobe.com, as the VirusTotal report shows:

ProductName…: Adobe Flash Player Installer/Uninstaller
Website…: http://get2.adobe.com/flashplayer/?no_redirect
OriginalFilename…: install_flash_player11.exe
TimeStamp…: 1970:01:01 00:00:41+00:00

Detection ratio: 11 / 46

AntiVir TR/Dropper.Gen 20130330
Avast Win32:Malware-gen 20130330
AVG BackDoor.Generic12.ARP 20130330
Comodo Backdoor.Win32.Poison.~AB 20130330
DrWeb Trojan.KeyLogger.8784 20130330
ESET-NOD32 a variant of MSIL/Spy.Agent.BP 20130330
GData Win32:Malware-gen 20130330
Ikarus Win32.SuspectCrc 20130330
Jiangmin Backdoor/Poison.dbu 20130330
Kaspersky HEUR:Trojan.Win32.Generic 20130330
NANO-Antivirus Trojan.Win32.Siggen.mqrhp 20130330

Domain Name: ADOBE.COM
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com
Name Server: ADOBE-DNS-01.ADOBE.COM
Name Server: ADOBE-DNS-02.ADOBE.COM
Name Server: ADOBE-DNS-03.ADOBE.COM
Name Server: ADOBE-DNS-04.ADOBE.COM
Name Server: ADOBE-DNS-05.ADOBE.COM
Status: clientTransferProhibited
Updated Date: 02-apr-2013
Creation Date: 17-nov-1986
Expiration Date: 16-may-2014

BTW the reason I uninstalled it (took 3 tries) was because Secunia PSI detected it as a high threat, but was unable to update it. I restarted and ran CCleaner, but it still wouldn’t update, so I tried to uninstall through Windows, but Flash was still running in my processes, even on a fresh boot with no automatic startup enabled. Revo failed as well; I found myself in the process of robocopy purging and registry editing, but in the end I noticed that there were 2 entries for Flash in Geek Uninstaller, and it actually removed it as far as I can tell… no handles found searching “flash”, although I had a process called “Plugin” running a while back from it. IDK what happened to that… but looking at the behavior on VirusTotal I’ll probably never find it. :frowning:

The URLs aren’t actually “children”; one is an alias for the other, or in DNS terms, one is a canonical name for the other:

From my previous post:
get2.adobe.com. 10418 IN CNAME get.adobe.com.

This is more than likely just a load balancing method used by Adobe. From what I can see, all Chromium-based browsers use ‘get2.adobe.com’, whereas other browsers use ‘get.adobe.com’. I used two different DNS providers.

You can see more here - http://host.robtex.com/get2.adobe.com.html#records

A quick test confirms this. I made sure to flush DNS cache after trying in Opera and before testing in Dragon. I am not using Secure DNS servers.
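The check the two dig posts above are making, as an added example that is not the thread’s own code: parse a dig-style ANSWER section, follow the CNAME chain from the queried name, and flag any hop that leaves the expected zone. A chain that stays inside adobe.com (as this one does) is an alias; a hop to an unrelated domain is the pattern to look for when a resolver is suspected of redirecting. The second sample in the test is constructed to show that failure mode.

```python
"""Follow a CNAME chain from dig output and check every hop stays in the expected zone."""
import re
from collections import defaultdict

# Constructed sample: the ANSWER section quoted in the thread above.
DIG_ANSWER = """
get2.adobe.com.         10418   IN      CNAME   get.adobe.com.
get.adobe.com.          5645    IN      CNAME   get.wip4.adobe.com.
get.wip4.adobe.com.     5       IN      A       192.150.16.58
"""

# owner  ttl  IN  type  rdata  (only the record types this check needs)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|A|AAAA)\s+(\S+)$")


def parse_records(text):
    """Return {owner: [(type, rdata), ...]}; names are lowercased with the trailing dot removed."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if not m:
            continue  # comments, blank lines, other record types
        owner, _ttl, rtype, rdata = m.groups()
        records[owner.rstrip(".").lower()].append((rtype, rdata.rstrip(".").lower()))
    return records


def in_zone(name, apex):
    """True if name is the apex or a subdomain of it."""
    return name == apex or name.endswith("." + apex)


def follow_chain(records, qname, apex, max_hops=8):
    """Follow CNAMEs from qname. Returns (chain, addresses, offzone), where
    offzone lists every hop whose target is outside apex."""
    chain, offzone = [qname.lower().rstrip(".")], []
    name = chain[0]
    for _ in range(max_hops):
        rrs = records.get(name, [])
        cnames = [r for t, r in rrs if t == "CNAME"]
        if not cnames:  # end of the chain: collect the address records
            addrs = sorted(r for t, r in rrs if t in ("A", "AAAA"))
            return chain, addrs, offzone
        name = cnames[0]
        if name in chain:
            raise ValueError("CNAME loop at " + name)
        if not in_zone(name, apex):
            offzone.append(name)
        chain.append(name)
    raise ValueError("CNAME chain longer than %d hops" % max_hops)
```

Running the same parser over answers from two resolvers (e.g. the one the browser uses and a second, independent one) and comparing the resulting chains is the direct test of whether a resolver is altering the answer.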

Assuming Adobe is serving a clean Flash Player with no malware attached to it, the virus scanners are being overzealous in diagnosing it, which as a consequence makes Google’s website reports questionable…

Before jumping to the wild conclusion that Adobe is deliberately, or unknowingly, serving a malware-infected Flash Player, let’s go back to the initial problem:

I just uninstalled Adobe Flash (was acting strange),

What was the problem you were having?

Thanks, both of you. It is good to know that Comodo Secure DNS is not an issue!

Flash has run multiple processes at a time, multiple installations, did not EVER update, and causes Firefox to crash every time I tried to watch a YouTube video or do anything with Flash. Also, I cannot uninstall it; I thought I was successful with Geek Uninstaller, but in the control panel of Windows 8 64-bit there is still a “Flash Player (32 bit)” program.

Background info: Currently using Comodo Firewall and Bitdefender along with WinPatrol. I have never been able to run any rootkit scan on any of my computers in the last 4 or so years. I just tried TrendMicro’s Sysclean and the log turned out like this:

http://s23.postimg.org/6xoyevaa3/image.jpg

If you can’t see this, it’s basically just strange symbols…

I should have been watching the scan, but it took a few hours, and all I remember seeing was that there were a lot of errors and it skipped the rootkit scan… Yesterday I was in a folder buried deep in Application Data in a temporary folder and I tried to run Sysinternals’ RootkitRevealer, and a file with the RootkitRevealer icon appeared in the folder with the number 5 for the name. RootkitRevealer didn’t run, but every time I tried to execute it another file popped up in this folder, and the names kept getting bigger into the thousands…

There are a few glitchy non-conclusive things that I have run into with Flash, but I don’t remember all of them… such as a strange entry in Winpatrol similar to the ones I posted here: https://forums.comodo.com/virusmalware-removal-assistance/winpatrol-found-me-some-rotten-potatoes-mysterious-auto-start-t93049.0.html;msg670198#msg670198

I should also mention that my Windows Update is corrupt; it does not check for updates on its own even though it’s set to automatically update, Secunia warns me that it can’t find Microsoft Update, and a scan I did a while back (don’t remember which one) said it couldn’t find Windows Update: I think it specified the file “wuauclt” as missing…

Anyway, I would like to purge Flash completely.

It sounds like you need a reinstall.

With regard to Flash and Windows 8, you do realise it’s part and parcel of IE and the OS? You use Windows Update for new versions, and it’s not easy to remove.

Compare the hours of “questions”
to the time a reinstall needs.
Profit.

Thanks for the input, but I think I’ll just uninstall everything and move to the Atlantic ocean and live with the jellyfish.

http://animals.pawnation.com/DM-Resize/photos.demandstudios.com/getty/article/129/135/92835354.jpg?w=600&h=600&keep_ratio=1

Thanks again.

aSILENTfire out.

Jellyfish would recommend a fresh OS install