Thursday, August 30, 2012

Fake Flash Updater presented by #blackhole

There is an epidemic of Blackhole infection URLs in the wild.
Below are the analyses of the dropped malware so far:

6d84a5f24fe9c0f88a379ab0b6890cc59b76f2f1df7d1743a3e03a1786a57fe2
e580a63bc80e42a5a731754a1e7aaf489a396c8bf7d76f999e0af8ac39f40206
b87663fee7295c30d97b399ebbbea644c20e3f49778dfd8cc706574fceff7642

Hunting #Tips!
Below are the common traits of the current epidemic:
1. New obfuscation, like the example below:

2. Shellcode calling APIs from kernel32.dll and urlmon.dll was used to download, save, execute and daemonize the payload trojan, like:

3. The payload is packed with the newest method to avoid packerDB detection.
4. Infected URLs can be grepped for with the patterns ".php?f=" and ".php?h=" in almost all MDL entries.
5. This is the popular malware downloader used by the current epidemic:
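As an added example (not part of the original post), the grep from tip 4 turned into a small Python hunt over constructed proxy-log lines. It parses each URL instead of substring-matching, so an f= or h= parameter anywhere in the query of a .php URL is flagged, which catches more than the literal ".php?f=" pattern; the hosts, paths and values in the sample log are made up for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query-parameter names the post associates with Blackhole infection URLs (".php?f=" / ".php?h=").
BLACKHOLE_PARAMS = {"f", "h"}

# Constructed sample lines in a simple proxy-log style ("<timestamp> <client> <url>").
# Hosts, paths and parameter values are invented for this example, not real indicators.
SAMPLE_LOG = """\
2012-08-30T10:01:12Z 10.0.0.5 http://site-a.example.invalid/index.html
2012-08-30T10:01:15Z 10.0.0.5 http://site-a.example.invalid/main.php?page=home
2012-08-30T10:01:20Z 10.0.0.7 http://site-b.example.invalid/q.php?f=1a2b3c&e=2
2012-08-30T10:01:22Z 10.0.0.7 http://site-b.example.invalid/w.php?h=1a2b3c
2012-08-30T10:02:01Z 10.0.0.9 http://site-c.example.invalid/flash.php?a=1&h=update
"""

URL_RE = re.compile(r"https?://\S+")


def is_blackhole_like(url: str) -> bool:
    """True if the URL path ends in .php and its query carries an f= or h= parameter."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".php"):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return bool(BLACKHOLE_PARAMS & set(query))


def hunt(log_text: str):
    """Return (line_number, client, url) for every log line whose URL looks Blackhole-like."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = URL_RE.search(line)
        if not match:
            continue
        url = match.group(0)
        if is_blackhole_like(url):
            client = line.split()[1]
            hits.append((lineno, client, url))
    return hits


if __name__ == "__main__":
    for lineno, client, url in hunt(SAMPLE_LOG):
        print(f"line {lineno}: client {client} fetched {url}")
```

The last sample line shows the difference from a plain grep: "h=" is not the first query parameter, so ".php?h=" would miss it while the parser flags it.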