[Techtalk] is this malicious code? -- the code in Pastebin

[Elwing]

On Jan 15, 2013, at 6:46 PM, Carla Schroder wrote:

> On Tue, 15 Jan 2013 23:30:12 +0000
> James Sutherland <james at deadnode.org> wrote:
> 
>> On 15 Jan 2013, at 23:20, Carla Schroder <carla at bratgrrl.com> wrote:
>>> On Tue, 15 Jan 2013 23:03:57 +0000
>>> James Sutherland <james at deadnode.org> wrote:
>>> 
>>>> On 15 Jan 2013, at 23:01, Carla Schroder <carla at bratgrrl.com>
>>>> wrote:
>>>> 
>>>>> Hey all,
>>>>> 
>>>>> I have a snippet of a Javascript ad that Google flagged as
>>>>> malicious. I would like a second opinion from you fine
>>>>> Techtalkers-- what's the best way to safely share this code? It's
>>>>> about a dozen lines.
>>>> 
>>> ...
>>> 
>>> http://pastebin.com/NvTGxDQd
>> 
>> Looks harmless: all it does is insert a <script> tag referencing
>> adsbyisocket.com. The "odd" bits are just it putting things like the
>> current page address and the page 'referer'(sic) into that URL, so
>> they get a better idea whom they're serving their ads to.
>> 
>> It's possible adsbyisocket.com is a malware domain, but it certainly
>> looks like a regular online ad broker from a quick look.
> 
> Here's the whole story: one of the sites I work for uses Isocket for
> serving ads. This ad was flagged by Google this morning and they
> blocked 5 of our 8 sites. We removed the ads early this morning, and I
> manually inspected every page that Google flagged, and they were clean.
> Google still has not removed the block. 
> 
> Isocket did this once before, and despite vowing to 'do whatever it
> takes' to get their customers back online they are utterly useless and
> helpless. Google, of course, is impenetrable and unresponsive. We've
> lost a day's business.
> 
> Carla

I'm with Cynthia  the last document.write ("'><\/scr"+"ipt>");  looks suspicious and is used by attackers trying to obsfucate cross-site scripting, so I can see why Google is flagging it.