When it’s a FakeAv/Rogueware downloader, of course. An interesting note about the malware served from the ongoing malware operation recently moved to 18.104.22.168 and is covered in many previous posts…since August 1st, the group now serves up executables labelled as flash plugins. It seems their “viewer” (streamviewer.exe, tubeviewer.exe, porntubeviewer.exe, etc) theme wasn’t as successful as it used to be. Here are a few that ThreatFire prevented in the community today:
The downloaders continue to phone home for malware payloads to the same urls as previously posted:
ThreatExpert report here. As always, add a behavioral based security layer to your system like ThreatFire and be wary of sites trying to force a codec install or upgrade.