
Headline Malware Downloaders

The relentless group pushing malicious downloaders, most often disguised as video codecs and also bundled with cracks, underground key generators, and blackhat SEO schemes, has this week moved its warez from 95.211.8.21 to 64.20.55.163. The new server hosts files with names like “flash-plugin_update.45031.exe” (the number in the name changes per download).

A number of domains resolve to that IP address, 64.20.55.163 (listed with a space before the TLD so they are not live links):
094k.ofspokesman .com
bestexe .com
bestexeonline .com
boomexe .com
boomexesite .com
hardexeworld .com
hexexe .com
hexexeterra .com
lastexe .com
lastexesite .com
luxexe .com
novoxexe .com
startexcite .com
startexe .com
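The indicators above (two IPs, the domain list and the changing-number file name) are enough to build a simple check for proxy or DNS logs. The script below is an added example, not code from the ThreatFire post: it refangs the listed domains, matches the file name by shape rather than by one number, and flags any log line that touches a known IP, a known domain (or a subdomain of one), or the file name pattern. The log format and the sample lines are constructed for the example; IPs in a post like this get reassigned over time, so verify them before turning the IP check into a block rule.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the post. The domains are written with a space
# before the TLD ("bestexe .com") so they don't render as live links;
# refang() turns them back into real hostnames.
KNOWN_IPS = {"95.211.8.21", "64.20.55.163"}
DEFANGED_DOMAINS = [
    "094k.ofspokesman .com", "bestexe .com", "bestexeonline .com",
    "boomexe .com", "boomexesite .com", "hardexeworld .com", "hexexe .com",
    "hexexeterra .com", "lastexe .com", "lastexesite .com", "luxexe .com",
    "novoxexe .com", "startexcite .com", "startexe .com",
]

# The post reports names like "flash-plugin_update.45031.exe" with the
# number changing per download, so match the shape, not one number.
FILENAME_RE = re.compile(r"^flash-plugin_update\.\d+\.exe$", re.IGNORECASE)


def refang(domain: str) -> str:
    """'bestexe .com' or 'bestexe[.]com' -> 'bestexe.com'."""
    return re.sub(r"\s*\[?\.\]?\s*", ".", domain.strip()).lower()


KNOWN_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def host_is_known(host: str) -> bool:
    """True if host or any parent domain is on the list (catches new subdomains)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in KNOWN_DOMAINS for i in range(len(labels) - 1))


def matches_filename(name: str) -> bool:
    return bool(FILENAME_RE.match(name))


# Constructed proxy log format (assumption, not from the post):
#   client_ip dest_ip "GET url"
PROXY_LINE_RE = re.compile(r'^(?P<client>\S+)\s+(?P<dst_ip>\S+)\s+"GET\s+(?P<url>\S+)"')


def check_proxy_line(line: str) -> list:
    """Return the indicator types a log line trips; empty list if clean."""
    m = PROXY_LINE_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("url"))
    filename = url.path.rsplit("/", 1)[-1]
    reasons = []
    if m.group("dst_ip") in KNOWN_IPS:
        reasons.append("known-ip")
    if url.hostname and host_is_known(url.hostname):
        reasons.append("known-domain")
    if matches_filename(filename):
        reasons.append("filename-pattern")
    return reasons


def scan(lines) -> list:
    """Return (line, reasons) for every line that trips at least one indicator."""
    hits = []
    for line in lines:
        reasons = check_proxy_line(line)
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed sample log lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, example.com/.net are reserved names.
SAMPLE_LOG = [
    '10.0.0.5 64.20.55.163 "GET http://bestexe.com/flash-plugin_update.45031.exe"',
    '10.0.0.9 203.0.113.7 "GET http://www.example.com/index.html"',
    '10.0.0.12 198.51.100.4 "GET http://cdn.example.net/flash-plugin_update.77812.exe"',
    '10.0.0.3 64.20.55.163 "GET http://startexcite.com/"',
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(", ".join(reasons), "<-", line)
```

The third sample line is the interesting one: a new host that is on neither list still trips the file name check, which is the only indicator here that survives the group moving servers again. Conversely the fourth line shows that a hit on infrastructure alone does not tell you what was fetched, so keep the three indicator types separate rather than collapsing them into one score.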

ThreatFire is blocking these malicious downloaders in high volume and is currently the most reliable solution for detecting this family. Scanning the files as users download and run them shows dismal detection rates, because the downloaders evade signature-based detection through frequent repacking and obfuscation. Add a behavioral solution that can reliably recognize entire malware families like this one, and do your best to ensure that the software you download and install comes from a trustworthy source.

This entry was posted in Malware Alerts.
