    Another Government Website Hacked

    This is to confirm a report from Websense about the compromised official website of the Syrian Embassy located in London. Indeed, three obfuscated iframes were found in the site.

    The following is a sample obfuscated script found in the compromised page:

    [Image: 1.JPG]

    Deobfuscating these scripts, we get the following URLs:

    • hxxp://0ki.ru{blocked}/index.php
    • hxxp://sicil.info{blocked}/index.php
    • hxxp://x12345.or/{blocked}ounter.php?out=1189360677 (a zero-byte file)
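An added example, not from the original post or from Trend Micro: a Python triage script that recovers iframes hidden inside script text and reports them in defanged form. The obfuscation used on the compromised page is not shown here, so percent-encoding through `unescape()` with split string literals is an assumed scheme, and the sample page and its hosts are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample (assumed scheme): two injected scripts, one legitimate iframe.
SAMPLE_PAGE = """<html><body><h1>Visa information</h1>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//injected.example/index.php%22%20width%3D0%20height%3D0%3E%3C/iframe%3E'));</script>
<script>var s='%3Cifr'+'ame src=http://second.example/index.php width=1 height=1%3E%3C/iframe%3E';document.write(unescape(s));</script>
<iframe src="/map.html" width="400" height="300"></iframe>
</body></html>"""

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag it is fed."""
    def __init__(self):
        super().__init__()
        self.frames = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs))

def decode_layers(text, max_rounds=5):
    """Join 'a'+'b' string splits, then percent-decode until the text stops changing."""
    text = re.sub(r"""(['"])\s*\+\s*\1""", "", text)
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def is_hidden(attrs):
    """Treat 0/1-pixel dimensions or display:none / visibility:hidden as hidden."""
    tiny = any((attrs.get(k) or "").strip() in ("0", "1") for k in ("width", "height"))
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style

def find_script_iframes(html):
    """Return (defanged_src, hidden) for each iframe that exists only inside script text."""
    findings = []
    for body in re.findall(r"<script\b[^>]*>(.*?)</script>", html, re.I | re.S):
        collector = IframeCollector()
        collector.feed(decode_layers(body))
        for attrs in collector.frames:
            src = attrs.get("src") or ""
            findings.append((re.sub(r"^http", "hxxp", src, flags=re.I), is_hidden(attrs)))
    return findings

if __name__ == "__main__":
    print(find_script_iframes(SAMPLE_PAGE))
```

The legitimate `/map.html` iframe is plain markup rather than script output, so it is not reported; only frames that appear after decoding script text are.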

    Initial analysis of the first URL suggests that it accepts a country code as an argument, so country checking is most probably employed. This is already detected as JS_PSYME.ANT. The second URL contains another iframe, which leads to a URL containing the exploit kit (most probably Icepack). The exploit kit employs OS detection and web browser detection, and contains several exploits targeting web browsers and web browser plug-ins. It will try to exploit several vulnerabilities to download and execute a file, to be detected as TROJ_SMALL.KYZ. The exploit kit will be detected as JS_PSYME.ADQ.

    [Images: 2.JPG, 3.bmp]

    The third URL just contains a zero-byte file. The malicious files are already being processed and the malicious URLs have been submitted for blocking.






    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice