The first part of this paper concluded with the deobfuscation of the server code, which, while not complete, was still sufficient for a general understanding of the operation. It enabled us to follow the progression of events on both the client and the server side. We have already documented the client-side events in detail. This paper attempts to fill in the missing server-side piece.
By Gabor Szappanos, Principal Researcher, SophosLabs