The relentless group pushing malicious downloaders that are crafted most often to appear as video codecs and also are packaged with cracks, underground key generators, and blackhat SEO schemes, this week have moved to serving up their warez from 95.211.8.21 to 64.20.55.163. The server now hosts files similarly named to “flash-plugin_update.45031.exe” (that number in the name changes per download).

A number of domains resolve to that ip address 64.20.55.163:
094k.ofspokesman .com
bestexe .com
bestexeonline .com
boomexe .com
boomexesite .com
hardexeworld .com
hexexe .com
hexexeterra .com
lastexe .com
lastexesite .com
luxexe .com
novoxexe .com
startexcite .com
startexe .com

ThreatFire is preventing the malicious downloaders in high volumes and currently is the most reliable solution for detecting this family. Scanning the files as they are downloaded and run by users shows dismal detection rates, as the downloaders evade detection with frequent repacking and obfuscation. Be sure to add a behavioral solution that can definitively recognize entire families of malware like this one reliably, and do your best to ensure that the software that you are downloading and installing is coming from a trustworthy source.

This entry was posted on Wednesday, September 2nd, 2009 at 9:48 am and is filed under Social Engineering, Undetected malware. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.