I was sent a URL earlier that redirected to fake meds (surprise surprise). Checking further, however, I arrived at the site's homepage to discover two scripts being loaded: one from a site that has now been cleaned, and another loaded from 70.85.43.147, which is still there;
70.85.43.147/minitools.js
Trying a quick check, Malzilla, JSUnpack etc. failed to decode it, so I figured I'd wait until I had a few minutes spare to do it manually. A look over the code showed the problem: the interpreters couldn't handle the way the script worked, so it required heavy modification to get it to decode.
I can't post the scripts themselves here, as your AVs will go haywire if they've got heuristics enabled, so I'll post screenshots instead.
[Screenshot: Original (before modification)]
[Screenshot: Modified]
The result of this is a lovely little iFrame;
The iFrame itself is the Blackhole exploit, loaded from;
twefwf.freewww.info/showthread.php?t=15410812
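The injection chain above (an external script pulled from a bare IP, which in turn writes an iFrame pointing at a dynamic DNS host) is a pattern a site owner can sweep their own pages for. The following is an added detection example, not code from the original post; the dynamic DNS watchlist and the tiny-iframe heuristic are assumptions, and the sample HTML is constructed to mimic the chain described.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

# Assumed watchlist of dynamic DNS parent domains; freewww.info is the one named in the post.
DYNDNS_PARENTS = {"freewww.info"}

def _host_of(url):
    """Return the lowercase host of an absolute or scheme-less URL (e.g. '70.85.43.147/x.js')."""
    if "://" not in url and not url.startswith("//"):
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def _is_bare_ip(host):
    """True when a script is sourced from a raw IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _is_dyndns(host):
    return any(host == p or host.endswith("." + p) for p in DYNDNS_PARENTS)

class InjectFinder(HTMLParser):
    """Collect <script>/<iframe> references matching the injection pattern from the post."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if not src:
            return
        host = _host_of(src)
        if tag == "script" and _is_bare_ip(host):
            self.findings.append(("script-from-ip", host))
        elif tag == "iframe":
            # Common hidden-iframe heuristic (assumed): 0/1 pixel dimensions.
            tiny = all(str(a.get(d, "")).strip() in ("0", "1", "0px", "1px") for d in ("width", "height"))
            if tiny or _is_dyndns(host):
                self.findings.append(("hidden-or-dyndns-iframe", host))

def scan_html(html):
    """Return a list of (finding-type, host) tuples for the given page source."""
    p = InjectFinder()
    p.feed(html)
    return p.findings

# Constructed sample page reproducing the chain: IP-hosted script, then a dyndns iFrame.
SAMPLE = ('<html><body><p>hi</p><script src="http://70.85.43.147/minitools.js"></script>'
          '<iframe src="http://twefwf.freewww.info/showthread.php?t=15410812" width="1" height="1"></iframe>'
          '<script src="/js/app.js"></script></body></html>')
```

Run `scan_html` over each fetched page of the site; a hit on either finding type is worth pulling the page source and tracing by hand, as done above.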
This is currently residing at;
IP: 89.201.174.28 (PTR: resolution failed)
ASN: 34594 89.201.128.0/17 OT-AS OT - Optima Telekom d.d.
Personally I'd recommend putting a block on it if you've not already. I'll leave the decision as to whether to block just the IP or the entire range, up to you.
freewww.info itself is a dynamic DNS service operated by ChangeIP, a service heavily abused by miscreants (not altogether surprising, but very disappointing that, like no-ip.com and the like, they're still seemingly doing very little to put a stop to it).