PJ,

Yeah, I had the user change all passwords from the email account to fb. I had tried googling for that 1st part of the address, hoping someone had posted something about it. That came up empty. I tried to get malzilla to decode it, but I really have little experience decoding JavaScript like that. I'll try looking for deobfuscators to see if something else can decode it. Sorry for the typos in the original email. :)
Thanks for the help!

Chris

On Dec 1, 2009, at 8:47 PM, PJ McGarvey <[email protected]> wrote:

> Well, if you mean what does the obfuscated code do, there are a few sites I've used that can "de-obfuscate" code, however sometimes all that can tell you is that "yeah, it's probably malicious". I would google for "javascript deobfuscate".
>
> You could submit the blogspot site to an online sandbox for analysis, like I just did:
>
> http://anubis.iseclab.org/?action=result&task_id=1c4a179271c4d4ee4f5b9820e431f7281&format=html
>
> and possibly find other URLs found in the de-obfuscated code to see what they do.... like this one
> http://1nonsensical.cn/?pid=312s02&sid=4db12f
>
> ... I've yet to find a .cn domain name I could trust. LOL.
>
> Follow down the rabbit hole...
>
> That way you can find out if the PC was infected, and how to clean it up.
>
> Otherwise it would seem like some sort of facebook worm that spreads using the FB address book. Was the user logged into Facebook at the time? Might be a good idea to change their password, sounds like it either used the active facebook session to send itself out, or maybe a cookie with the user's saved credentials.
>
> PJ
>
> From: [email protected]
> Date: Tue, 1 Dec 2009 14:54:36 -0600
> To: [email protected]
> Subject: [Pauldotcom] phishing question
>
> A coworker clicked on a link in an email and was directed to facebook then redirected to the following site:
> despatiesmercemerce . blogspot . com
> All of their fb contacts then received the same email. I pulled up the site in malzilla and noticed a script block in the header that looks like it's obfuscated.
>
> I was wondering if someone in the group could figure out what the site was trying to do.
>
> Thanks,
> Chris
>
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
