You can see a paste of the main page here. The malicious code begins at line 166.
The cleaned-up JS code is here.
This also highlights some changes in the g01pack exploit chain; I will post more about it after researching further.
Exploit Chain:
http://www.speedtest.net
http://lewhenfold.is-a-designer.com/finance/
http://lewhenfold.is-a-designer.com/finance/sw4qr.gif (application/java-archive)
http://lewhenfold.is-a-designer.com/finance/rlwra.gif (application/java-archive)
http://lewhenfold.is-a-designer.com/finance/qyjkj.php
http://lewhenfold.is-a-designer.com/finance/2qsyk.php?lint=39705&template=%2F&site=33676207&login=50& (Encoded EXE > 0x7e) > application/octet-stream
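
The chain above shows .gif URLs answered with application/java-archive and a .php URL answered with application/octet-stream, all from one host. The following Python is an added example, not from the original post, that flags that combination in proxy records; the log tuples, host names and function names are constructed for illustration.

```python
import os
from collections import defaultdict
from urllib.parse import urlsplit

# Response types that hand executable content to a plug-in or the OS.
EXECUTABLE_TYPES = {"application/java-archive", "application/x-java-archive",
                    "application/octet-stream", "application/x-msdownload"}
IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp"}
SCRIPT_EXTS = {".php", ".asp", ".aspx", ".jsp", ".cgi"}

# Constructed proxy records: (requested URL, response Content-Type).
SAMPLE_LOG = [
    ("http://landing.example/finance/", "text/html"),
    ("http://landing.example/finance/aaaaa.gif", "application/java-archive"),
    ("http://landing.example/finance/bbbbb.php?site=1&login=2&",
     "application/octet-stream"),
    ("http://cdn.example/img/logo.gif", "image/gif"),
    # A lone download script is common and should not alert by itself.
    ("http://files.example/get.php?id=7", "application/octet-stream"),
]

def classify(url, content_type):
    """Return 'ext-mismatch', 'script-binary' or None for one response."""
    ctype = content_type.split(";")[0].strip().lower()
    if ctype not in EXECUTABLE_TYPES:
        return None
    ext = os.path.splitext(urlsplit(url).path)[1].lower()
    if ext in IMAGE_EXTS:
        return "ext-mismatch"      # image name, executable content type
    if ext in SCRIPT_EXTS:
        return "script-binary"     # server-side script returned a binary
    return None

def suspicious_hosts(records):
    """Hosts that served both a disguised archive and a script-delivered binary."""
    seen = defaultdict(set)
    for url, ctype in records:
        tag = classify(url, ctype)
        if tag:
            seen[urlsplit(url).hostname].add(tag)
    return sorted(host for host, tags in seen.items()
                  if {"ext-mismatch", "script-binary"} <= tags)

if __name__ == "__main__":
    for url, ctype in SAMPLE_LOG:
        print(classify(url, ctype), url)
    print("hosts to review:", suspicious_hosts(SAMPLE_LOG))
```

Requiring both signals on the same host keeps ordinary download scripts from alerting while still catching the disguised-archive step.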