Dustin wrote:
> Dustin<bughunter.dustin@gmail.com> wrote in
> news:Xns9FE4BD80B687CHHI2948AJD832@no:
>
>> FromTheRafters<erratic@nomail.afraid.org> wrote in
>> news:jfl95n$f9m$1@dont-email.me:
>>
>>> David H. Lipman wrote:
>>>> From: "FromTheRafters"<erratic@nomail.afraid.org>
>>>>
>>>> | G. Morgan wrote:
>>>> |
>>>> | I got a blob of obfuscated javascript. While analyzing it, I
>>>> | accidentally closed the program and lost it all. Going back three
>>>> | more times did not give me the obfuscated javascript anymore.
>>>> |
>>>> | The obfuscation looked very similar to some I have seen before
>>>> | that had eventually led to a Fake-AV trojan.
>>>>
>>>> Yeah. I ran it again at that JS is playing Hide& Seek. I think it
>>>> is recording IPs and checking User-Agent. I ran it again under
>>>> sandBox and although no malware and successful explotation occurred
>>>> (the box is full of exploitable software from IE6, to Adobe Reader 9
>>>> to Sun Java v5 update X) but I did capture the following screen.
>>>>
>>>> http://multi-av.thespykiller.co.uk/dump0.jpeg
>>>>
>>>> It "IS" associated with Black Hole Exploit kit sites.
>>>>
>>>> http://blog.dynamoo.com/2011/12/malw...from-your.html
>>>> http://urlquery.net/report.php?id=10700
>>>>
>>> Do you know what this line does?
>>>
>>> <script type="text/javascript"> jQuery(document).ready( function() {
>>> jQuery("a.confirm").click( function() { if ( confirm( 'Are you sure?'
>>> ) ) return true; else return false; }); });</script>
>>>
>>>
>>
>> If you try closing the page or going "back", it comes up and asks "Are
>> you sure?" This is the routine heh, that does it.
>>
>>
>
> not sure if some is missing tho. Javascript isn't my speciality.

I think jquery functions for javascript like a library file does for
executables.