I had sexy-celeb-photos.com (18.104.22.168 - vps.whitepaw.com) reported to me by a friend, and decided to check it out. Needless to say, the results were interesting.
When you first load the site's code, you are greeted with the following script:
Decoded, this looks like:
If we then load images2/index.php, we see yet another script, this time a lot more interesting than the last (Ref: http://vurl.mysteryfcm.co.uk/?url=151020).
This one contains the script itself, but the bulk of the code is encoded and stuffed into a div (HTML element). This has become quite popular with the bad guys, likely due to the misconception that it makes the code harder to decode. It doesn't.
If we run this as-is in Malzilla, we are told the script cannot be decoded. To get around this, however, we simply change:
All we then need to do is move the code out of the div and into a var called, strangely enough, content:
If we have Malzilla try again, we now see the result of the decoding:
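The div-to-variable step above is easy to automate. The following is an added example and not code from the original post: given the fetched HTML, it finds the script that reads a div's contents via `document.getElementById(...)`, lifts the div text into `var content = "...";` and rewrites the getter to reference that variable, so a static decoder such as Malzilla can work on it. The sample page, the div id `p4yl0ad` and the loader body are constructed for illustration.

```python
"""Added example (not from the original post): move an encoded payload out of
an HTML div and rewrite the loader script so it reads a plain variable, which
is the manual step the analysis describes for getting Malzilla to decode it.
"""
import json
import re
from html.parser import HTMLParser


class DivScriptExtractor(HTMLParser):
    """Collect the text of every <div id=...> and the body of every <script>.

    Nested divs are not tracked separately; the first closing </div> ends the
    current one, which is enough for the single-blob pattern discussed here.
    """

    def __init__(self):
        super().__init__()
        self.divs = {}          # id -> text content
        self.scripts = []       # script bodies in document order
        self._div_id = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "div" and attrs.get("id"):
            self._div_id = attrs["id"]
            self.divs[self._div_id] = ""
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "div":
            self._div_id = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._div_id is not None:
            self.divs[self._div_id] += data
        elif self._in_script:
            self.scripts[-1] += data


# Matches document.getElementById("x").innerHTML / .innerText / .textContent
_GETTER = re.compile(
    r"""document\.getElementById\(\s*['"](?P<id>[^'"]+)['"]\s*\)"""
    r"""\.(?:innerHTML|innerText|textContent)"""
)


def inline_div_payload(html):
    """Return the loader script with the div contents moved into `var content`.

    Raises ValueError if no script reads a div by id, or the div is missing.
    """
    parser = DivScriptExtractor()
    parser.feed(html)
    for script in parser.scripts:
        match = _GETTER.search(script)
        if not match:
            continue
        div_id = match.group("id")
        if div_id not in parser.divs:
            raise ValueError(f"script reads div {div_id!r} but no such div exists")
        # json.dumps yields a double-quoted literal that is also valid JavaScript
        literal = json.dumps(parser.divs[div_id].strip())
        rewritten = _GETTER.sub("content", script)
        return f"var content = {literal};\n{rewritten.strip()}\n"
    raise ValueError("no script reads a div by id")


# Constructed sample page (not the real site): a hex-looking blob in a div and
# a loader that pulls it back out at run time.
SAMPLE_PAGE = """<html><body>
<div id="p4yl0ad">3c7363726970743e2f2f636f6e73747275637465642d73616d706c65</div>
<script type="text/javascript">
var c = document.getElementById("p4yl0ad").innerHTML;
document.write(unescape(c));
</script>
</body></html>"""

if __name__ == "__main__":
    print(inline_div_payload(SAMPLE_PAGE))
```

The output is a self-contained script that starts with `var content = "...";`, which is exactly the shape Malzilla (or any other static JavaScript decoder) can process without a DOM.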
Now we see the payload coming from:
Looking at the headers for this shows:
This shows that the real URL of the payload is:
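Reading the headers by hand works for one hop, but payload URLs are often reached through several redirects, some of them relative. The following is an added example and not code from the original post: it walks a chain of captured HTTP response headers (as a proxy log or `curl -I` would show them) to the final non-redirect URL, resolving relative `Location` values and refusing loops. The hostnames, paths and header values are constructed for illustration.

```python
"""Added example (not from the original post): resolve the real payload URL
from captured response headers, offline, without fetching anything.
"""
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed captures: url -> raw response header block.
CAPTURED = {
    "http://loader.example.invalid/images2/go.php":
        "HTTP/1.1 302 Found\r\n"
        "Server: Apache\r\n"
        "Location: /dl/get.php?id=7\r\n"      # relative: must be resolved
        "Content-Length: 0\r\n\r\n",
    "http://loader.example.invalid/dl/get.php?id=7":
        "HTTP/1.1 302 Found\r\n"
        "Location: http://files.example.invalid/setup.exe\r\n\r\n",
    "http://files.example.invalid/setup.exe":
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/octet-stream\r\n"
        "Content-Length: 35840\r\n\r\n",
}


def parse_status_and_headers(raw):
    """Split a raw response head into (status_code, {lower-case name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def follow_redirects(start_url, captured, max_hops=10):
    """Return (final_url, hops) by following Location headers in `captured`.

    Raises KeyError if a hop was not captured, ValueError on a redirect
    without Location, a loop, or more than `max_hops` redirects.
    """
    hops = [start_url]
    url = start_url
    while True:
        if url not in captured:
            raise KeyError(f"no captured response for {url}")
        status, headers = parse_status_and_headers(captured[url])
        if status not in REDIRECT_CODES:
            return url, hops
        location = headers.get("location")
        if location is None:
            raise ValueError(f"{status} from {url} without a Location header")
        url = urljoin(url, location)      # handles relative and absolute targets
        if url in hops:
            raise ValueError(f"redirect loop at {url}")
        if len(hops) >= max_hops:
            raise ValueError("too many redirects")
        hops.append(url)


if __name__ == "__main__":
    final, chain = follow_redirects(
        "http://loader.example.invalid/images2/go.php", CAPTURED)
    print("payload served from:", final)
    for hop in chain:
        print("  ", hop)
```

Recording every hop, not just the last, matters for blocking: each intermediate host in the chain is an indicator in its own right, and the final host is the one that changes most often.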
This is a 35K executable with an MD5 of 85EF9776F91176CA7BC8B06FAE2193B3.
Detection is, not surprisingly, rubbish:
vURL Online - Results for sexy-celeb-photos.com
vURL Online - Results for /images2/index.php