Fake Flash Updater presented by #blackhole

There is an epidemic of Blackhole infection URLs in the wild.
Below is the analysis of the malware dropped so far:


Hunting #Tips!
Below are the common traits of the current epidemic:
1. New obfuscation, like below:

2. Shellcode API calls into kernel32.dll and urlmon.dll were used to download, save, execute and daemonize the payload trojan, like:

3. The payload is packed with the newest method to avoid packerDB detection.
4. Infected URLs can be grepped by ".php?f=" and ".php?h=" in almost all MDL (Malware Domain List) entries.
5. This is the popular malware downloader used by the current epidemic:
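As an added example (not from the original post), the grep rule in tip 4 turned into a small triage script: it scans text lines for URLs, keeps the ones whose query matches the ".php?f=" / ".php?h=" pattern, and pulls out the host, path and parameter value for blocklisting or pivoting. The sample log lines and hostnames are constructed, not real IoCs; the script generalizes the two literal greps slightly by also accepting URLs with extra parameters after the matching one.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pattern from the post: Blackhole infection URLs carry ".php?f=" or ".php?h=".
# Kept case-sensitive, matching the literal greps in the post.
BLACKHOLE_URL_RE = re.compile(r"\.php\?(?:f|h)=")

# Generic URL extractor for free text (proxy logs, MDL dumps, e-mail bodies).
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_suspect_url(url: str) -> bool:
    """True if the URL matches the '.php?f=' / '.php?h=' Blackhole pattern."""
    return BLACKHOLE_URL_RE.search(url) is not None


def triage(lines):
    """Scan text lines and return (host, path, param, value) for each suspect URL."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            if not is_suspect_url(url):
                continue
            parts = urlsplit(url)
            # keep_blank_values so an empty "?f=" still shows up as a hit
            qs = parse_qs(parts.query, keep_blank_values=True)
            param = "f" if "f" in qs else "h"
            hits.append((parts.hostname, parts.path, param, qs[param][0]))
    return hits


# Constructed sample lines (assumed format, not real traffic): two Blackhole-style
# URLs on a fake host and one benign request that must not be flagged.
SAMPLE_LINES = [
    "2012-05-01 10:00:01 GET http://example-bad.invalid/main.php?f=1a2b 200",
    "2012-05-01 10:00:05 GET http://example.invalid/index.php?page=home 200",
    "2012-05-01 10:00:09 GET http://example-bad.invalid/w.php?h=9f8e&e=3 200",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(hit)
```

Feed it `grep -h http` output from a proxy log or an MDL export; each hit is one candidate for a block rule or for a lookup against the dropped-payload analysis above.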