The SANS Internet Storm center shares an awareness that malware actively circulates in mobile vector, which a new Javascript that uses hexadecimal coding to hide in an obfuscated manner

A reader reported a suspicious piece of a Javascript code that was found on a website. In the meantime, the compromized website has been cleaned but it was running WordPress. The de-obfuscation is quite easy to perform. The most interesting part is in the array of hex-encoded strings.

This code performs some verifications. If the following conditions are met, a cookie is created and the visitor is redirected to the URL present in the code.

* The cookie does not exist yet
* The visitor is not the Google crawler
* The visitor is using a mobile device/browser

Nothing really malicious here, the visitor is redirected to a bunch of spam websites but keep in mind that such websites can also deliver much more malicious content like an exploit kit (it was not the case here).