I find with my tool Webscanner some italian sites with obfuscate javascript

The first javascript redirect over page with javascript also strong obfuscated.

vvv.deegees.it
vvv.graphixmania.it
vvv.sabrinasalerno.com
vvv.skuolasprint.it
vvv.custommania.com
vvv.giovaniudccasteltermini.com

More info over

http://edetools.blogspot.com/2008/04/utilizzo-di-webscanner-nella-ricerca-di.html

and also

http://edetools.blogspot.com/2008/04/sito-le-chicche-di-cala-con-javascript.html

I try to decode second script but i have problem with function callee to string.
If on have people know to decode is good

Edgar from Bangkok

eaofir.com is not loading, so can't test the callee code.

the link at page with obfuscate java after the first decode is
eaoafir.com/ld/grb

and url when open page is

whit java online

Edgar


Mod edit: Disabled link

I've added the javascript code to the malware listserv.

/p1082766-MD5_6ac26877a2009c0e39bafe5d405bc7a9_scit_exe.html

wasn't able to decode any of this javascript.
guess i've just been lucky to be able to decode most of the stuff i've seen so far.

in the second set of javascript, i think it is IE-specific.

callee.tostring has a slightly different implementation in IE and mozilla, so you must use the correct javascript interpreter to decode.

for more info see:
http://malzilla.sf.net/
http://isc.sans.org/diary.html?storyid=3231
http://isc.sans.org/diary.html?storyid=3219
http://isc.sans.org/diary.html?storyid=1519
http://www.malwaredomainlist.com/forums/index.php?topic=218.msg2161#msg2161

mr. edgar, you posted a hot link for a malicious webpage:

Two new with the same malware

Thanks for posting the links, I'll add the malware to the malware listserv.

When I visited the 2nd link I got a 500 error, when I went back to the 1st link I got the same error. I think my IP may be blocked.

I opened the site again on a different IP and let it do it's thing.

3 files were downloaded, 2 had the same MD5 hash and ran. The 3rd file appears to be corrupt.

I'll add them to the malware listserv.

Founds others sites with same javascript obfuscated

vvv.fluidifikas.it
vvv.ristoreggio.it
vvv.jacopo81.it
vvv.sevenpress.com
vvv.fasterage.net


Is possible malware links serve MBR ROOTKIT

and more new links with obfuscated javascript over my blog page
Some use "callee to string function" and very hard to decode.

http://edetools.blogspot.com/2008/04/sarebbero-decine-i-siti-italiani.html

Edgar

MasterBootRoot

hnoafir.com
is also doing this
possibly infected pdf
and mbr rootkit

more info
translated to english

http://translate.google.com/translate?hl=en&sl=it&u=http://maipiugromozon.blogspot.com/&sa=X&oi=translate&resnum=5&ct=result&prev=/search%3Fq%3Dhnoafir.com%26hl%3Den

I've downloaded some samples from

I guess by now you figured out there is only 2 samples and well,the site names...heh...just names,all architectures are identical to one another.

Mej1 uses a special force to sniff then associate and then crawls silently until exact matches are found,he is my best friend and never lets me down.