Max Kaplan CapCap

CapCap / malware.html.js
Created February 28, 2012 19:37 — forked from scottschiller/malware.html
Browser malware found in the wild, 02/28/2012, deobf version
/* Hello from upgradeyour.com (coming soon),
I've done some security work in the past and figured this would be a fun and quick puzzle. I found the same hash as Scott on http://50.116.17.63/stats/counter.php?id=547b373f97233059 and googling it led to his post :)
It tries to identify browser/OS version, and possibly run a wmp exp
It also tries to visit http://50.116.17.63/stats/w.php?f=b6863&e=4 and http://50.116.17.63/stats/w.php?f=b6863&e=1 and download+exec, two different exes
It tries a pdf exploit ( http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188 and also http://50.116.17.63/stats/content/ap2.php?f=b6863 and http://50.116.17.63/content/ap1.php?f=b6863 ), and hcp exploit as well ( http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885 ), and some pdf exploit
This is all part of the blackhole exploit kit, and this botnet is seemingly Huge!