Yesterday we detected several CNN spam messages that pointed to get_flash_update.exe with a different hash than the one we had detected in past spam runs. We are seeing a whole new run of CNN spam messages hosted on several different domains, using very authentic-looking emails with hidden links behind the news stories. It appears that this particular codec attack is evolving and changing dynamically in terms of sophistication, whereas before they had used very primitive methods to distribute this codec.
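As an added illustration (not part of the original post), here is a small Python checker for the two indicators described above: anchors in an HTML email whose visible text names one host (a CNN address, say) while the href points somewhere else or straight at an .exe, and a downloaded sample whose hash does not match the ones already on file. The email body, the hostnames and the hashes are all constructed for the example; `find_deceptive_links` and `classify_sample` are names chosen here, not tooling from the post.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML body mimicking a news-style lure email (not a real message).
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Top story: <a href="http://compromised-site.test/get_flash_update.exe">http://www.cnn.com/2008/story</a></p>
<p>Weather: <a href="http://www.cnn.com/weather">www.cnn.com/weather</a></p>
<p>More <a href="http://compromised-site.test/news">Read more</a></p>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase host of a URL or bare domain string, or None if there is none."""
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def find_deceptive_links(html):
    """Flag anchors whose visible text names a host different from the href's host,
    and anchors whose href points directly at an executable download."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        href_host = host_of(href)
        # Only treat the link text as a host claim when it looks like a URL/domain.
        text_host = host_of(text) if "." in text and " " not in text else None
        reasons = []
        if text_host and href_host and text_host != href_host:
            reasons.append("text-host-mismatch")
        if urlparse(href).path.lower().endswith(".exe"):
            reasons.append("executable-download")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def sha256_hex(data):
    """Hex SHA-256 of a byte string (the hash we key samples on)."""
    return hashlib.sha256(data).hexdigest()


def classify_sample(data, known_hashes):
    """'known' if the sample's hash is already on file, else 'new-variant':
    the same filename with a new hash is the signal the post describes."""
    return "known" if sha256_hex(data) in known_hashes else "new-variant"


if __name__ == "__main__":
    for hit in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(hit)
    # Constructed byte strings standing in for an old and a new get_flash_update.exe.
    on_file = {sha256_hex(b"old-sample-bytes")}
    print(classify_sample(b"old-sample-bytes", on_file))
    print(classify_sample(b"new-sample-bytes", on_file))
```

The host comparison is deliberately strict (any difference between the host named in the link text and the host in the href is flagged); in a real mail filter you would whitelist the redirector or tracking domains your own newsletters use so they do not drown out lures like this one.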
Most of these sites are legitimate sites that appear to have been compromised; one theory is that vulnerabilities in their .ASP code left them susceptible to SQL injection attacks. More information can be found in the article “SQL Injections: The Future of Mass Hacking Campaigns”.