This piece of code better be blocked by NoScript...

Hi malware fighters,

I found this piece of obfuscated script online here: hxtp://dreamonisland.com/js/google.js
To have a look at the script itself I attached a picture of it below…
Then I started to analyze it here: hxtp://jsunpack.jeek.org/dec/go?report=ace9f60ac7d71e8a56595d9bec7cc0de541ed715

Going here: hxtp://daddyseye.net/in.cgi?default and then here: wXw.itmakemehappy*com/666/load0x1.php?spl=mdac&fh=, reported here as dangerous in two circumstances:
http://www.malwaredomainlist.com/mdl.php?search=itmakemehappy.com

I also attached a picture of the dangerous part of the code as outlined in Malzilla…

polonus

VirusTotal - google.js - 0/41
http://www.virustotal.com/analisis/dc1cfe77f9c38feb38fb9f1e4416e396208866576b32547717b13bdff873037d-1275839973

VirusTotal - loadx1.exe - 16/41
http://www.virustotal.com/analisis/01a7a275cb6055af4801973732941a9d7494e64efa09d971fc1ba2fbbf565507-1275840380

VirusTotal - Mmy4fqSd.pdf - 1/41
http://www.virustotal.com/analisis/480252f177076fec8776293d6dd97358096fb9509abaa69bc433ca0f60a1cd2a-1275840464

Yep, my good anti-malcode friend, it is code I would not like to turn around with a stick if it was on my website…
as a general rule I would not trust any code obfuscated in that fashion, be it suspicious, malicious or benign,
I like to block its access to my browser or OS for that particular reason.
script 1460 bytes
Filetype: UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
MD5: ffa7160820f9ef31fec6cc45b86e80d2
SHA1: 26904226a0f740598aecd4f6ff520799048657d4

The trackers certainly have something to hide, see analysis here:
http://wepawet.iseclab.org/view.php?hash=22a6b09a195d10dc677c41bb24975241&t=1275844664&type=js

and then also look into this: htxp://www.itmakemehappy.com/666/voli9x1.php
open that up with an instance of malzilla and you get some nice obfuscated soup code…
and these finds cannot be omitted, still flagged here:
http://www.malwaredomainlist.com/mdl.php?search=itmakemehappy.com
dreamonisland.com is on SURBL lists: PH
itmakemehappy.com is on SURBL lists: PH WS
Not a very good reputation…
Both the Flock browser and the WOT extension stopped me from going here: htxp://daddyseye.net/in.cgi?default
and got this redirecting:

 ^^^^^^
<meta http-equiv="REFRESH" content="1; URL='htxp://www.itmakemehappy.com/666/voli9x1.php'">
^^^^^^
document moved <a href="htxp://www.itmakemehappy.com/666/voli9x1.php">here</a>
^^^^^^

Then also look here: http://www.malwaredomainlist.com/mdl.php?search=%2F666%2Findex.php&colsearch=All&quantity=50

polonus
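The redirect chain in the post above (a `<meta http-equiv="REFRESH">` tag plus a "document moved" link pointing at the same off-site URL) is the kind of hop a defender wants to pull out of a fetched page automatically before following it. The script below is an added example, not the poster's code or any of the linked tools: it parses HTML for meta-refresh targets and anchor links and reports those whose host differs from the page's own host. The sample HTML and the hostnames `landing.example` and `redirect-target.example` are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample mirroring the shape of the redirect seen in the thread;
# the hostnames are placeholders, not the domains from the post.
SAMPLE_HTML = """<html><head>
<meta http-equiv="REFRESH" content="1; URL='http://redirect-target.example/666/voli9x1.php'">
</head><body>
document moved <a href="http://redirect-target.example/666/voli9x1.php">here</a>
</body></html>"""

_URL_IN_CONTENT = re.compile(r"url\s*=\s*['\"]?([^'\"\s]+)", re.IGNORECASE)


class RedirectCollector(HTMLParser):
    """Collects meta-refresh targets (delay, url) and plain anchor hrefs."""

    def __init__(self):
        super().__init__()
        self.meta_refresh = []   # list of (delay_seconds, url)
        self.links = []          # list of href strings

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases attribute names; values may be None.
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            m = _URL_IN_CONTENT.search(content)
            if m:
                # Delay is the part before ';', e.g. "1; URL=..." -> 1
                try:
                    delay = int(content.split(";", 1)[0].strip())
                except ValueError:
                    delay = -1  # malformed delay; keep the target anyway
                self.meta_refresh.append((delay, m.group(1)))
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def find_redirects(html):
    """Return every meta-refresh target and anchor href found in the HTML."""
    p = RedirectCollector()
    p.feed(html)
    p.close()
    return {"meta_refresh": p.meta_refresh, "links": p.links}


def offsite_targets(html, page_host):
    """Unique URLs (in document order) that would take the browser to a host
    other than page_host. A meta refresh to another host with a 0-1 second
    delay is the classic silent hop worth reviewing before visiting."""
    found = find_redirects(html)
    candidates = [u for _, u in found["meta_refresh"]] + found["links"]
    seen, result = set(), []
    for url in candidates:
        host = urlparse(url).hostname
        if host and host.lower() != page_host.lower() and url not in seen:
            seen.add(url)
            result.append(url)
    return result


if __name__ == "__main__":
    # Pretend the sample was fetched from landing.example
    for hop in offsite_targets(SAMPLE_HTML, "landing.example"):
        print("off-site redirect target:", hop)
```

Run it on a saved copy of a landing page (never in a live browser) to list the hops before deciding whether to submit them to a sandbox or a blocklist lookup such as the ones linked above.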

Hi malware fighters,

There was a reply in the NoScript forum: http://forums.informaction.com/viewtopic.php?f=8&t=4482#p18953
And these are the results http://www.virustotal.com/analisis/01a7a275cb6055af4801973732941a9d7494e64efa09d971fc1ba2fbbf565507-1275840380
which avast detects as: Win32:Agent-AKOM aka BackDoor.Siggen.20773

pol