Fake Flash Updater presented by #blackhole
30 Aug 2012 It is an epidemic of blackhole infection url in the wild.Below are the analysis of the dropped malwares so far:
6d84a5f24fe9c0f88a379ab0b6890cc59b76f2f1df7d1743a3e03a1786a57fe2e580a63bc80e42a5a731754a1e7aaf489a396c8bf7d76f999e0af8ac39f40206b87663fee7295c30d97b399ebbbea644c20e3f49778dfd8cc706574fceff7642
Hunting #Tips!
Below are the similarities of the current epidemic:
1. New obfuscation like below
2. Shellcode API of kernel.dll and urmon.dll was used to download, save, execute and daemonize the payload trojan
, like:
3. Payload is packed by newest method to aboid packerDB detection
4. infected urls can be grepped by: ".php?f=" ".php?h=" by almost all MDL
5. This is the popular malware downloader used by current epidemic: