Well, if you mean what does the obfuscated code do, there are a few sites I've used that can "de-obfuscate" code; however, sometimes all that can tell you is that "yeah, it's probably malicious". I would google for "javascript deobfuscate".
You could submit the blogspot site to an online sandbox for analysis, like I just did: http://anubis.iseclab.org/?action=result&task_id=1c4a179271c4d4ee4f5b9820e431f7281&format=html and possibly find other URLs found in the de-obfuscated code to see what they do.... like this one http://1nonsensical.cn/?pid=312s02&sid=4db12f ... I've yet to find a .cn domain name I could trust. LOL. Follow down the rabbit hole... That way you can find out if the PC was infected, and how to clean it up.

Otherwise it would seem like some sort of Facebook worm that spreads using the FB address book. Was the user logged into Facebook at the time? Might be a good idea to change their password; sounds like it either used the active Facebook session to send itself out, or maybe a cookie with the user's saved credentials.

PJ

From: [email protected]
Date: Tue, 1 Dec 2009 14:54:36 -0600
To: [email protected]
Subject: [Pauldotcom] phishing question

A coworker clicked on a link in an email and was directed to Facebook, then redirected to the following site: despatiesmercemerce . blogspot . com

All of their FB contacts then received the same email. I pulled up the site in malzilla and noticed a script block in the header that looks like it's obfuscated. I was wondering if someone in the group could figure out what the site was trying to do.

Thanks,
Chris
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
