Live Global Events: Secure, Simplify, and Transform Your Business.

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Now “” Free Domains Are Being Used To Host Malicious Code

October 27, 2011 - 2 min read
A few months back, I posted a blog on “” domains being used by attackers to host malicious code . We had identified number of different domains being used to carry out attacks using heavily obfuscated JavaScript. Now it appears that attackers are leveraging free “” domains. Likewise, we have identified a number of domains exploiting various known client side vulnerabilities. Here are a few of the URL’s being used:


The aforementioned domains suggest that random domain names are being registered to host these attacks. Once visited, the victim will be presented with obfuscated JavaScript code, formatted in such way to evade IDS, IPS and antivirus solutions. The numbers in the arrays used by the scripts are intentionally spread across separate lines. This way the size of HTML file becomes huge and the total code spans 29K lines. Here is the snapshot of the first part of the malicious code:Image

Look at the array variable. As can be seen, the numbers used in the array are spread over separate lines. Here is the last part of the script:



Once the above code is decoded, it turns out be related to the Blackhole exploit kit which exploits a variety of known client side vulnerabilities. Here is a small screenshot of the decoded script:


ImageAttackers keep registering different random domains to spread their attacks, often targeting free registration services. Due to obfuscation used by the attackers, security solutions relying on regular expressions designed to match known patterns can often be evaded due to the code being spread of over numerous lines.
Stay safe!!!
form submtited
Thank you for reading

Was this post useful?

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.