{
	"id": "810b3946-d6e7-460e-9db3-90446a9a009e",
	"created_at": "2026-04-06T00:15:54.636281Z",
	"updated_at": "2026-04-10T03:21:40.046633Z",
	"deleted_at": null,
	"sha1_hash": "4b47b004a31ad8d33504f3fa00f4f2e10146a2e2",
	"title": "“RunForestRun”, “gootkit” and random domain name generation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 308206,
	"plain_text": "“RunForestRun”, “gootkit” and random domain name generation\r\nBy Marta Janus\r\nPublished: 2012-08-01 · Archived: 2026-04-02 12:32:30 UTC\r\nRecently, we came across web malware that, instead of injecting an iframe pointing to a fixed existing address, generates a pseudo-random domain name depending on the current date. This approach is not new and is widely used by botnets for C\u0026C domain name generation, yet it’s not very common in the web malware we’ve seen so far.\r\nAfter deobfuscation, we can see that the iframe redirecting to the malicious URL with the generated domain name is appended to the HTML file. All URLs consist of 16 pseudo-random letters, belong to the .ru domain and execute a PHP script on the server side with sid=botnet2 as the argument:\r\nhttps://securelist.com/runforestrun-gootkit-and-random-domain-name-generation/57865/\r\nPage 1 of 5\r\nEvery day a new domain name is generated, so denylisting malicious URLs as they become active is like tilting at windmills. Fortunately, if we know the algorithm, we can easily predict the domain names for each day in the future. This malware is detected by Kaspersky as Trojan-Downloader.JS.Agent.gsv.\r\nA newer version of the same malware is even trickier: instead of injecting obfuscated code into the plain JS file, it encrypts the entire content of the infected file, so as to hide the malicious code together with the clean one.\r\nSuch malware is not so easy to discover: it doesn’t have a specific “signature” (like the comment string in the previous example), and every infected file will differ strongly from every other, because the obfuscated version depends on the clean content. Moreover, as the whole file is encrypted, you can’t simply point out the exact malicious part and delete it. Therefore, it’s also not easy to get rid of this malware without doing harm to the website. If you don’t have clean, non-obfuscated copies of the infected files, you need to decrypt these files in order to extract the clean content, which may prove quite a difficult task.\r\nAfter taking off the first layer of obfuscation by simply changing the eval() function to the alert() or print() function, we can see more obfuscated code.\r\nThe second layer of obfuscation uses the domain name to encrypt the content of the file. For example, if the URL of the infected file is hxxp://www.somesubdomain.example.com/file-to-infect.js, the key for decryption will be example.com. The clean part and the malicious part are stored in encrypted form in two separate variables.\r\nTo decrypt the code, we need to know the exact origin of the infected file. After full deobfuscation we can see a slightly improved version of the function that generates random domain names, plus the clean code below it.\r\nThis time the main domain is waw.pl instead of ru and the sid argument is botnet_api2. The name of the script remains the same and may suggest that the author is fond of the Forrest Gump film / novel. Also, from the comment the author apparently left for researchers, we know that the malware is called “gootkit” by its creator. A quick search on the Internet revealed that this word is not entirely unknown to Google in terms of malicious code, and a few other pieces of malware had borne the same name. It’s hard to tell, though, whether there are any connections between them (or the cybercriminals behind them) and the malware described above. The most similar case is the Gumblar-like Trojan, discovered in 2010, which steals credentials for FTP accounts and infects the HTML/PHP files on the server with code that contains the “gootkit” strings.\r\nThe malware described in this blogpost is already detected by Kaspersky as HEUR:Trojan.Script.Generic (in its obfuscated form) and HEUR:Trojan.Script.Iframer (deobfuscated).\r\nMost probably, it spreads through the recent vulnerability in Plesk Panel, so we would like to appeal to every web administrator and every hosting provider to update the Plesk software on their servers to the newest version, apply all the security patches and change the passwords of all FTP/SFTP/SSH accounts as soon as possible.\r\nThe malicious domains that we’ve checked resolved to the same IP address and seem to be “suspended due to abuse reports”. However, it’s possible that the rules defined on the malicious server allow the redirection to malware only in specific circumstances (e.g. from particular regions and/or IP ranges) and the information about abuse is fake. The previous version of this malware was known for redirecting users to the BlackHole Exploit Kit.\r\nSource: https://securelist.com/runforestrun-gootkit-and-random-domain-name-generation/57865/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/runforestrun-gootkit-and-random-domain-name-generation/57865/"
	],
	"report_names": [
		"57865"
	],
	"threat_actors": [],
	"ts_created_at": 1775434554,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b47b004a31ad8d33504f3fa00f4f2e10146a2e2.pdf",
		"text": "https://archive.orkl.eu/4b47b004a31ad8d33504f3fa00f4f2e10146a2e2.txt",
		"img": "https://archive.orkl.eu/4b47b004a31ad8d33504f3fa00f4f2e10146a2e2.jpg"
	}
}