Blackhole site given as clean - because malware is down!

See: hxtp://vscan.urlvoid.com/analysis/7cf0cd2fee53fe5fd3348fdbd6ce5b97/cmVwb3J0LXBocA==/
detected: http://urlquery.net/report.php?id=58222
First detection is right because the malware is now down,

polonus

A rescan still reports Blackhole?: http://urlquery.net/report.php?id=58240

http://wepawet.iseclab.org/view.php?hash=cbcc958f121af828b593eb84fb1d0e38&type=js

Didn’t know the code was that heavily obfuscated. :o

Interesting algorithm to join the variable using eval.

Hi !Donovan,

This is used to load malware from external web sites while not being visible to the user. It is also known as Trojan.JS.Iframe on different antivirus products.
Also related to this malware: http://sucuri.net/malware-injection-sidename-js.html (that generates the Blackhole exploit alert on some AVs)
(info link author = dcid),

polonus

Hi folks,

Avast Webshield has detection for this, goin’ to htxp://tijdreizen.com/website/index.php with Malzilla sandboxed gives a JS:Iframe-CG[Trj] alert,

polonus