Hi malware fighters,
I found this piece of obfuscated script online here: hxtp://dreamonisland.com/js/google.js
To have a look at the script itself I attached a picture of it below…
Then I started to analyze it here: hxtp://jsunpack.jeek.org/dec/go?report=ace9f60ac7d71e8a56595d9bec7cc0de541ed715
It goes here: hxtp://daddyseye.net/in.cgi?default and then here: wXw.itmakemehappy*com/666/load0x1.php?spl=mdac&fh= , which is reported as dangerous in two instances here:
http://www.malwaredomainlist.com/mdl.php?search=itmakemehappy.com
I also attached a picture of the dangerous part of the code as outlined in Malzilla…
polonus
Yep, my good anti-malcode friend, it is code I would not like to turn around with a stick if it was on my website…
as a general rule I would not trust any code obfuscated in that fashion, be it suspicious, malicious or benign,
I like to block its access to my browser or OS for that particular reason.
script 1460 bytes
Filetype: UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
MD5: ffa7160820f9ef31fec6cc45b86e80d2
SHA1: 26904226a0f740598aecd4f6ff520799048657d4
The trackers certainly have something to hide, see analysis here:
http://wepawet.iseclab.org/view.php?hash=22a6b09a195d10dc677c41bb24975241&t=1275844664&type=js
and then also look into this: htxp://www.itmakemehappy.com/666/voli9x1.php
open that up with an instance of malzilla and you get some nice obfuscated soup code…
and these finds cannot be omitted, still flagged here:
http://www.malwaredomainlist.com/mdl.php?search=itmakemehappy.com
dreamonislandcom is on SURBL lists: PH
itmakemehappycom is on SURBL lists: PH WS
Not a very good reputation…
Both the Flock browser and the WOT extension stopped me from going here: htxp://daddyseye.net/in.cgi?default
and I got this redirect:
^^^^^^
<meta http-equiv="REFRESH" content="1; URL='htxp://www.itmakemehappy.com/666/voli9x1.php'">
^^^^^^
document moved <a href="htxp://www.itmakemehappy.com/666/voli9x1.php">here</a>
^^^^^^
Then also look here: http://www.malwaredomainlist.com/mdl.php?search=%2F666%2Findex.php&colsearch=All&quantity=50
polonus
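An added example, not part of polonus's posts and not code from Malzilla, jsunpack or Wepawet: the redirect chain quoted above (a `<meta http-equiv="REFRESH">` plus a "document moved ... here" anchor pointing at the same loader URL) is something you can extract offline rather than by visiting the page. The script below walks such a chain from constructed sample responses (no network; the sample bodies are modelled on the quoted snippet, the second one is invented filler), defangs the final URL for posting, and fingerprints a blob the way the post lists size, MD5, SHA1, BOM and line terminators. The refresh regex and the "single link counts as a redirect" rule are my assumptions, not anything the thread states.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample responses (no real fetching): the first body mirrors the
# meta refresh + anchor quoted in the thread, the second is invented filler
# standing in for the obfuscated loader page.
SAMPLE_PAGES = {
    "http://daddyseye.net/in.cgi?default": (
        '<html><head><meta http-equiv="REFRESH" '
        'content="1; URL=\'http://www.itmakemehappy.com/666/voli9x1.php\'">'
        '</head><body>document moved '
        '<a href="http://www.itmakemehappy.com/666/voli9x1.php">here</a>'
        '</body></html>'
    ),
    "http://www.itmakemehappy.com/666/voli9x1.php":
        "<html><body><script>eval(unescape('%76%61%72'));</script></body></html>",
}


class RedirectExtractor(HTMLParser):
    """Collect every redirect target a page offers: <meta http-equiv=refresh>
    URLs and plain <a href> links (the 'document moved ... here' pattern)."""

    # Assumed refresh syntax: "<seconds>; url=<target>", optional quotes, any case.
    _REFRESH = re.compile(r"""^\s*\d+\s*;\s*url\s*=\s*['"]?([^'"\s>]+)""", re.I)

    def __init__(self):
        super().__init__()
        self.meta_refresh = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = self._REFRESH.match(a.get("content", ""))
            if m:
                self.meta_refresh.append(m.group(1))
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def next_hop(base_url, body):
    """Return the URL the page pushes the visitor to, or None.
    Meta refresh wins because browsers follow it automatically; a lone anchor
    is accepted as the manual fallback a redirector offers (assumed heuristic)."""
    p = RedirectExtractor()
    p.feed(body)
    if p.meta_refresh:
        return urljoin(base_url, p.meta_refresh[0])
    if len(p.links) == 1:
        return urljoin(base_url, p.links[0])
    return None


def follow_chain(start_url, fetch, max_hops=5):
    """Walk redirects using fetch(url) -> body or None. Stops on a dead end,
    a loop, or max_hops so a looping redirector cannot spin forever."""
    chain, seen, url = [start_url], {start_url}, start_url
    for _ in range(max_hops):
        body = fetch(url)
        if body is None:
            break
        nxt = next_hop(url, body)
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    return chain


def defang(url):
    """Make a URL unclickable for posting: hxxp:// and [.] in the host only."""
    s = urlsplit(url)
    scheme = {"http": "hxxp", "https": "hxxps"}.get(s.scheme, s.scheme)
    rest = url[len(s.scheme) + 3 + len(s.netloc):]  # everything after scheme://host
    return f"{scheme}://{s.netloc.replace('.', '[.]')}{rest}"


def fingerprint(data):
    """The same facts the post lists for the script: size, hashes, BOM, CRLF."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "utf8_bom": data.startswith(b"\xef\xbb\xbf"),
        "crlf": b"\r\n" in data,
    }


if __name__ == "__main__":
    hops = follow_chain("http://daddyseye.net/in.cgi?default", SAMPLE_PAGES.get)
    print(" -> ".join(defang(h) for h in hops))
    print(fingerprint(SAMPLE_PAGES[hops[-1]].encode()))
```

Feed it a real `fetch` (for instance one that replays saved responses from Malzilla) and the chain comes out already defanged, so the loader URL never gets pasted live into a post.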