Author Topic: Some particular downloader  (Read 2507 times)

July 29, 2009, 05:44:34 pm
cmg

This is pretty well protected from simple GETs. The first one is injected in an obfuscated format to hacked websites then redirects to the first 3 sites (all hosted on 213.163.84.28), then the 3rd step does some checking on the referrer chain before it dumps the JavaScript payload. Then, if you do another request, the 3rd step directs you to either Google search or ask.com search. Pretty fun.

http://rnw.kz/index.php
http://jkk.tw/in.cgi?3
http://xbx.tw/in.cgi?6
http://esli.tw/show.php?s=18f8bc6e98
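
The two behaviours described in the post above (several hops on one IP linked by referrer, and a final hop that answers differently on a repeat request) can be looked for in proxy logs. The following is an added example, not part of the original post; the log layout, the placeholder hosts and IPs, the search-engine host names and the assumption that each hop is logged with the previous hop as Referer are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed proxy records: (client, url, referer, status, location, dest_ip)
LOG = [
    ("10.0.0.5", "http://blog.example/post", "", 200, "", "198.51.100.9"),
    ("10.0.0.5", "http://hop1.example/index.php", "http://blog.example/post", 200, "", "203.0.113.7"),
    ("10.0.0.5", "http://hop2.example/in.cgi?3", "http://hop1.example/index.php", 200, "", "203.0.113.7"),
    ("10.0.0.5", "http://hop3.example/in.cgi?6", "http://hop2.example/in.cgi?3", 200, "", "203.0.113.7"),
    ("10.0.0.5", "http://hop3.example/in.cgi?6", "", 302, "http://www.google.com/search?q=x", "203.0.113.7"),
]
SEARCH_HOSTS = {"www.google.com", "www.ask.com"}  # assumed host names

def host(url):
    return urlsplit(url).hostname or ""

def shared_ip_chains(log, min_hops=3):
    """Follow Referer links back from each chain end; report chains whose
    last min_hops (or more) distinct hosts all resolve to one IP."""
    first = {}
    for rec in log:
        first.setdefault((rec[0], rec[1]), rec)
    used_as_referer = {(r[0], r[2]) for r in log}
    found = []
    for key, rec in first.items():
        if key in used_as_referer:
            continue  # something came after this URL, so it is not a chain end
        chain, seen = [], set()
        while rec and rec[1] not in seen:  # 'seen' guards against referer loops
            seen.add(rec[1])
            chain.append(rec)              # chain runs from last hop to first
            rec = first.get((rec[0], rec[2]))
        tail = []
        for r in chain:                    # trailing run served from the same IP
            if r[5] != chain[0][5]:
                break
            tail.append(r)
        hosts = [host(r[1]) for r in reversed(tail)]
        if len(set(hosts)) >= min_hops:
            found.append((key[0], chain[0][5], hosts))
    return found

def one_shot_urls(log):
    """URLs that served content once, then sent the same client to a search engine."""
    served, flagged = set(), []
    for client, url, _ref, status, location, _ip in log:
        if status == 200:
            served.add((client, url))
        elif status in (301, 302) and (client, url) in served and host(location) in SEARCH_HOSTS:
            flagged.append((client, url, host(location)))
    return flagged
```
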