undefined | Better HN

0 pointscrypt1d12y ago0 comments

Finally, the javascript decodes to something like this http://pastebin.com/13HrVgBr

0 comments

2 comments · 2 top-level

userbinator12y ago

The next level below that:

http://pastebin.com/zYgcjtK1

And Googling the URL there gets us to something familiar, which someone else has written up before:

http://tweetypage.com/wordpress-hacked/

The "IE9 Bugfix" and "IE 4 compatible" comments made me chuckle a little.

However, it looks like the page is somehow referer or IP-sensitive, since Google's cache of it goes to something intended to show popups while curling from my machine gets a fake Adobe Flash page with a nice binary to download - only 13.5KB (I only wish the real plugin was so small!) but packed and obfuscated. Nevertheless it's a pretty dismal obfuscation as I can see some strings like "qemu" and "vbox" which suggest it has VM detection. Google doesn't know its SHA-1 so there's no other public analysis of this one yet.

I don't have time right now but looks like this rabbit hole gets deeper and deeper...

1 more reply

woutersf12y ago

how did you find this, and what to do with it now?

j / k navigate · click thread line to collapse