On most days, our WorldMap shows more of the same thing. Today is an exception.
One infection is topping so high in the charts that it pretty much captured our attention.
Checking the recent history of this threat, we saw that these past few days, it has been increasing in infection hits.
So we dug deeper… it wasn't long before we saw that a lot of scripts hosted in various websites got compromised. Our telemetry actually showed that almost 40% of the infected websites were hosted in Germany. In those sites, malicious code has been appended to the scripts which could look as simple and short as this:
Successful redirection leads to a fake flash download site that look similar to these pages:
The user would have to manually click on the Download Now link before a file called flashplayer.exe could be downloaded from a certain SkyDrive account.
When the malicious flashplayer.exe is executed, this message is displayed to the user.
While in the background, it is once again connecting to the same SkyDrive account in order to download another malware.
Initial analysis showed that the sample is connecting to these locations.