Fake Flash Updater presented by #blackhole
30 Aug 2012
There is an epidemic of Blackhole infection URLs in the wild.
Below is the analysis of the malware dropped so far:
Below are the similarities of the current epidemic:
1. New obfuscation like below
2. The shellcode uses kernel32.dll and urlmon.dll APIs to download, save, execute and daemonize the payload trojan
3. The payload is packed with the newest method to avoid packerDB (packer signature) detection
4. Infected URLs can be grepped for with ".php?f=" or ".php?h=" in almost all MDL entries
5. This is the popular malware downloader used by the current epidemic:
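Item 4 gives a grep-able indicator for the landing URLs. The script below is an added example (not part of the original post) that applies the two substrings from the post to a constructed proxy log and returns each matching URL with its line number; the hostnames and timestamps are placeholders made up for the example, and the log format is assumed to be one URL-bearing request per line.

```python
import re
from typing import List, Tuple

# Indicator substrings taken from the post: Blackhole landing/payload URLs
# in this wave contain ".php?f=" or ".php?h=".
BLACKHOLE_URL_PATTERNS = (".php?f=", ".php?h=")

# Constructed sample proxy log (not real traffic); hosts use the reserved
# .invalid TLD so the lines can never resolve to a real site.
SAMPLE_PROXY_LOG = """\
2012-08-30T10:01:02Z 10.0.0.5 GET http://example-landing.invalid/main.php?page=123 200
2012-08-30T10:01:05Z 10.0.0.5 GET http://example-landing.invalid/w.php?f=17&e=2 200
2012-08-30T10:01:09Z 10.0.0.7 GET http://example-cdn.invalid/static/style.css 200
2012-08-30T10:02:11Z 10.0.0.9 GET http://example-landing.invalid/q.php?h=9a1c&e=1 200
2012-08-30T10:02:15Z 10.0.0.9 GET http://example-shop.invalid/cart.php?id=5 200
"""

# Pull every http(s) URL out of a log line, regardless of the surrounding fields.
URL_RE = re.compile(r"https?://\S+")


def find_blackhole_urls(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, url, matched_pattern) for every URL in the log
    that carries one of the indicator substrings. A URL is reported once,
    with the first pattern that matched it."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for url in URL_RE.findall(line):
            for pattern in BLACKHOLE_URL_PATTERNS:
                if pattern in url:
                    hits.append((lineno, url, pattern))
                    break  # do not report the same URL twice
    return hits


if __name__ == "__main__":
    for lineno, url, pattern in find_blackhole_urls(SAMPLE_PROXY_LOG):
        print(f"line {lineno}: {url}  (matched {pattern!r})")
```

On a raw log file the equivalent one-liner is `grep -F -e '.php?f=' -e '.php?h=' proxy.log`. Both substrings are short and will also match benign sites that happen to use `f=` or `h=` as the first query parameter, so treat a hit as a triage lead to be confirmed against the dropped-file and shellcode behaviour described above, not as a verdict on its own.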