At the very top of the JS file is a strange glob of values preceeded by document.writes. They look like hex.
After going through the script, we can see that it checks for a cookie value to prevent whacking the same client twice. Then it attaches an iframe to the body tag. We can cheat and insert an alert in the right place to see the URL being called.
Here’s the malicious link:
This eventually leads to Black Hole Exploit Kit so we know the rest of the story. However, there’s one more chapter to add. I was fortunate to be able to obtain the PHP file. Let’s have a look at it!
They’ve certainly obfuscated the contents to prevent the website administrator from knowing what it does. This is an array of characters which are concatenated together. At the very bottom, you can see two key functions it performs to turn this gibberish into script.
Sneaky! After it does that then it evals the result. If we change that to ‘echo’ then we can see the deobfuscated script.
It creates a huge array then joins pieces of them together. Besides hiding from spiders, it creates a folder called “.svn” and does a GET with a specific user-agent string to another website then writes it to a file in the folder.
The downloaded content changes every so often with a new URL. This ensures the visitor will be redirected to the latest Black Hole host.
I think this highlights rather nicely the lengths criminals go to in order to hide their links and motives.