Around the 17th of this month, the relentless malware distribution gang serving up malicious downloaders in a variety of scams and “headline malware” schemes moved their wares from 95.211.8.20, as described in a previous post, to their newest location at 95.211.8.21. Their phony codec file naming scheme has changed slightly yet again:
update_flash_plugin.v.40013.exe
As always, be sure to add a layer of behavioral detection to your system. Detection for these downloaders is generally poor; the FakeAV payloads receive more attention, but even their coverage is not 100%.
