“RunForestRun”, “gootkit” and random domain name generation

Recently, we came across web malware that, instead of injecting an iframe pointing to a fixed, existing address, generates a pseudo-random domain name that depends on the current date. This approach is not new and is widely used by botnets for C&C domain name generation, yet it is not very common in the web malware we have seen so far.

After deobfuscation, we can see that the iframe redirecting to the malicious URL with the generated domain name is appended to the HTML file. All URLs consist of 16 pseudo-random letters in the .ru domain and invoke a PHP script on the server side with sid=botnet2 as the argument.
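The description above gives a defender enough to write a simple scanner: extract every iframe source from a page and flag those whose host is 16 lowercase letters under .ru, or whose query carries sid=botnet2. The following is an added example, not code from the original post; the host regex, the scoring rule and the sample HTML (including the placeholder host abcdefghijklmnop.ru) are constructed for illustration and are not indicators taken from the write-up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Pattern derived from the write-up: 16 pseudo-random letters under .ru.
# The exact generation algorithm is not given, so only the shape is checked.
SUSPECT_HOST = re.compile(r"^[a-z]{16}\.ru$")
SUSPECT_SID = "botnet2"


class _IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> tag, wherever it sits in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def iframe_sources(html):
    """Return iframe src values in document order (injected frames often trail </body>)."""
    collector = _IframeCollector()
    collector.feed(html)
    return collector.srcs


def classify_url(url):
    """Return the list of traits matching the described redirect; empty means nothing matched."""
    reasons = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if SUSPECT_HOST.match(host):
        reasons.append("16-letter .ru host")
    if parsed.path.lower().endswith(".php"):
        reasons.append("php script")
    if SUSPECT_SID in parse_qs(parsed.query).get("sid", []):
        reasons.append("sid=botnet2")
    return reasons


def is_suspicious(url):
    """A .php path alone is ordinary; the generated host or the botnet sid is what matters."""
    reasons = classify_url(url)
    return "16-letter .ru host" in reasons or "sid=botnet2" in reasons


def suspicious_iframes(html):
    """Return the iframe sources in the page that match the injected-redirect profile."""
    return [src for src in iframe_sources(html) if is_suspicious(src)]


# Constructed sample page: one legitimate embed, one injected frame appended after </body>.
SAMPLE_HTML = """<html><body><p>site content</p>
<iframe src="https://www.example.org/embed.php?sid=123" width="300"></iframe>
</body>
<iframe src="http://abcdefghijklmnop.ru/x.php?sid=botnet2" width="1" height="1" style="visibility:hidden"></iframe>
</html>"""

if __name__ == "__main__":
    for src in iframe_sources(SAMPLE_HTML):
        print(src, classify_url(src), "SUSPICIOUS" if is_suspicious(src) else "ok")
```

Because the host changes with the date, a static blocklist of yesterday's domain misses today's; matching on the structural traits (fixed length, fixed TLD, fixed query argument) is what keeps the check useful across days.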


Story added 1 August 2012; the full text is available from the original source.