Malscript on Compromised Site
Here’s a shot of their front page:
Like most campaigns we are seeing today, you need to visit the website via a search engine first for the malicious script to activate. I searched for the site on Google then clicked on the link (searching via Bing works too).
The script has a lot of junk in there for misdirection. In fact, probably 60% of the code is just garbage. When analyzing this code, I noticed that the authors defined the variables for the legit code so identifying the good from the bad was actually very easy. Here’s the cleaned up, valid code which now makes it very easy to follow:
This script created the following:
Since the malicious site is down, I don’t know what it was doing. Perhaps rogueware or an exploit kit?