Question

I came across the following exploit due to a warning from my AV software. It originated from an adserver delivering banner ads on one of my sites.

I have retrieved the content with Wget and copied it to pastebin.

http://pastebin.com/m6fa38fac
[Warning: Link may contain malware - Do not visit from vulnerable PC.]

Please note that you have to scroll horizontally on pastebin as the code is all on one line.

Can anyone find out what the exploit actually does?

Thank you.


Solution

Not quite, as it includes (the equivalent of):

var mtime= new Date(document.lastModified).toUTCString().split(' ')[4].split(':');

It then uses the minutes and seconds of the last-modified time of the document containing it as a key to decode the array. If you can no longer retrieve that javascript:alert(document.lastModified) time, we'd have to brute-force it.

ETA: ah, actually it only uses the first digit of the minutes, and from the way it uses it we can guess it's supposed to be 1. That leaves only sixty possibilities, and a quick loop reveals that meaningful JavaScript only comes out for 16 seconds.

I've put the decoded script here; it will probably also ping your anti-virus. Summary: it runs exploits against the Java, Flash and Acrobat plugins, running a payload from googleservice.net which is (surprise surprise) a Russian attack site.
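The brute-force loop described in the answer above, sketched as an added example that is not part of the original post or the actual sample. The encoding scheme (character code plus seconds plus first minute digit), the sample script, the timestamp and all function names are constructed assumptions; only the `mtime` extraction follows the snippet quoted in the answer.

```javascript
// Added example: brute-force a time-keyed decoder (constructed scheme and data).
// Assumed encoding: value = charCode + seconds + first digit of minutes.
const SAMPLE_SOURCE =
  'if (~navigator.userAgent.indexOf("MSIE")) { document.title = "constructed stand-in"; }';

// Same extraction as the snippet in the answer: ["hh", "mm", "ss"] of the UTC time.
function keyParts(lastModified) {
  const mtime = new Date(lastModified).toUTCString().split(' ')[4].split(':');
  return { minuteDigit: parseInt(mtime[1][0], 10), seconds: parseInt(mtime[2], 10) };
}

function encode(text, key) {
  return Array.from(text, ch => ch.charCodeAt(0) + key.seconds + key.minuteDigit);
}

function decode(values, key) {
  return values.map(v => String.fromCharCode(v - key.seconds - key.minuteDigit)).join('');
}

// "Meaningful" here means printable ASCII that also parses as JavaScript.
// new Function() only compiles the text; the result is never called.
function looksLikeScript(text) {
  if (!/^[\x20-\x7e\r\n\t]+$/.test(text)) return false;
  try { new Function(text); return true; } catch (e) { return false; }
}

// Minute digit fixed at 1 (as guessed in the answer), seconds 0..59.
function bruteForce(values, minuteDigit = 1) {
  const hits = [];
  for (let seconds = 0; seconds < 60; seconds++) {
    const text = decode(values, { minuteDigit, seconds });
    if (looksLikeScript(text)) hits.push({ seconds, text });
  }
  return hits;
}

// Constructed sample, keyed with a constructed timestamp (mm:ss = 16:16).
const SAMPLE_KEY = keyParts('2009-12-01T10:16:16Z');
const SAMPLE_ARRAY = encode(SAMPLE_SOURCE, SAMPLE_KEY);
const HITS = bruteForce(SAMPLE_ARRAY);
console.log(HITS);
```

Because candidates are only compiled and never called, the loop can be run under Node without executing any decoded script.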

OTHER TIPS

This usually works to print de-obfuscated code:

eval = alert;

In Firefox with Firebug, I solved it like this:

var lpsy16=lpsy;
eval = console.log; // This line was added
eval(lpsy+parseInt(gouy[0]));

Output is here: --deleted due to zoidberg's comment--

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow