Tuesday, January 5, 2010

GNU GPL Malware?

If you see a snippet of JavaScript that looks malicious, begins with /*GNU GPL*/ and ends with "<!--ce7ed70d30ae259fa4babe8cbf7849b9-->", it's malicious, and apparently if you want to use it you are free to modify it as you see fit. Perhaps the only stipulation is that you provide the source code when you use it as a way to infect client computers. I think that means no right-click JavaScript trapping! Anywho, it appears to call out to a server in a subdomain of ampsguide.ru on port 8080, which then creates an iframe to the same server, etc...
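
One way to check web content for the markers described above, as an added example that is not from the original post: it reports each injected span, lists any clear-text ampsguide.ru:8080 hosts, and returns the content with fully delimited blocks removed. The function names, the `<script>` wrapper handling and the sample page (including its placeholder subdomain) are assumptions.

```python
import re

# Markers quoted in the post.
START = "/*GNU GPL*/"
END = "<!--ce7ed70d30ae259fa4babe8cbf7849b9-->"
# Callout host from the post (matches clear-text occurrences only).
CALLOUT = re.compile(r"\b(?:[a-z0-9-]+\.)+ampsguide\.ru:8080\b", re.I)
# Assumption: the injected code sits in its own <script> element.
OPEN_TAG = re.compile(r"<script\b[^>]*>\s*$", re.I)


def find_injections(text):
    """Return (start, end, status) spans for each injected block."""
    spans, pos = [], 0
    while (s := text.find(START, pos)) != -1:
        # Widen the span to include an adjacent opening <script> tag.
        m = OPEN_TAG.search(text, max(0, s - 200), s)
        begin = m.start() if m else s
        e = text.find(END, s)
        status = "complete" if e != -1 else "partial"
        # A start marker with no trailing comment is flagged, never cut.
        stop = e + len(END) if e != -1 else s + len(START)
        spans.append((begin, stop, status))
        pos = stop
    return spans


def scan(text):
    """Report spans, clear-text callout hosts, and the cleaned content."""
    spans = find_injections(text)
    hosts = sorted({h.lower() for h in CALLOUT.findall(text)})
    kept, last = [], 0
    for begin, end, status in spans:
        if status == "complete":  # cut only fully delimited blocks
            kept.append(text[last:begin])
            last = end
    kept.append(text[last:])
    return {"spans": spans, "hosts": hosts, "cleaned": "".join(kept)}


# Constructed sample page; script body and subdomain are placeholders.
SAMPLE = (
    "<html><body><p>hello</p>\n"
    "<script>/*GNU GPL*/ var u='http://placeholder.ampsguide.ru:8080/';"
    "</script><!--ce7ed70d30ae259fa4babe8cbf7849b9-->\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Blocks reported as "partial" are left in place for manual review, since only the start marker matched.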

Happy open-source pwning!