Site might be hacked...jsunpack.org....avast detects

See: http://www.ipvoid.com/scan/209.9.239.101/
http://hosts-file.net/?s=209.9.239.101
http://www.urlvoid.com/ip/209.9.239.101
The malware seems to have been closed after 0.5 hrs on 2012-09-17 15:03:50
Can anybody give the recent status of the site?
place.holder 209.9.239.101
The site is used by malware researchers to evaluate malcoded javascript, so visit only
when security savvy with full protection such as script blocking and a VM (appropriate sandbox).
The site seems clear…
But a version of JS/Dldr.IFrame.CF still seems active on the other domain hosted at that IP
which is being appropriately detected by our avast av:
https://www.virustotal.com/file/47e37ad58c6643dd40377cbbee75062de84170c8075d44a79850a2444c3d6f18/analysis/
I get a on that request…

polonus

I’m sure I have seen stuff on jsunpack.org in the forums before. Doesn’t it host users’ javascript files that can be shared?

Hi DavidR,

It is a site to analyze obfuscated javascript or analyze possible malcoded javascripts as either benign or suspicious (infected).
The site can be used to analyze a suspicious website and is meant to be used by website security researchers
who use the online service in a specific safe and secure “lab” setting. There are cases where a scan cannot be performed
because the avast web shield or network shield detects the code or part of the code or the site to be analyzed is being blocked.
In that case the google cache results can be used. So this site is dangerous for the average user that does not have the
specific protection of javascript blocking and the security of a virtual environment like a sandbox.
I posted the link because now there seems to be malware being placed on the sites hosted on the particular IP on which
jsunpack etc. runs. You could imagine that malcreants, malvertisers and malicious obfuscators are not particularly fond of
the initiative of the makers of jsunpack, whose code can also be downloaded and used in another way than the online version.
Sometimes we give part of these evaluations as other online scanners like sucuri’s, zulu zscaler etc. cannot come up with
a reasonable explanation where a particular url has been flagged or when the nature of a particular cause of the malware
is not clear. I do not give links because of the dangers to the uninformed to get exposed to suspicious javascript code.
It should be said that jsunpack should not be much more dangerous than the average analysis via wepawet or anubis etc.

It is a good custom here that findings of code analysis should only be presented in the form of an attached image, so
the code cannot do any harm whatsoever and the image is just exclusively informational.

polonus