Url of the compromised OpenX server was :
Code: [Select]
ads.universfreebox.com/www/delivery/afr.php?zoneid=1&cb=INSERT_RANDOM_NUMBER_HERE
There are 2 modifications in the algorithm.
1.) The string list for generation of the domain name has been replaced.
New string list is:
"t speed off q ask why portal un m is po le us order host na p own call as j o old no si h ad e r g to cat n ko how i tu l d in on da b ri f try a k for me net c s"
2.) The folder name has been changed from "/news/ to "/paints/".
Here is a new version of my script.
read more.........http://www.malwaredomainlist.com/forums/index.php?topic=4962.0