Author Topic: Blackhole exploit: Compromised sites  (Read 27229 times)


October 02, 2012, 02:49:09 pm

MysteryFCM

Quote
Looking at a recent case of a compromised site, I noticed something rather surprising - they're not even bothering to try and make the code difficult to decode. I'm pondering, of course, the thought that this is deliberate, due to the changes in v2.0 of the Blackhole exploit (others have already written about that [1] [2], so won't go into that here), but even if this is the case, the choice of using far less complex code on compromised sites is puzzling to say the least.

Read more
http://hphosts.blogspot.co.uk/2012/10/blackhole-exploit-compromised-sites.html
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

October 02, 2012, 06:08:54 pm
Reply #1

SysAdMini

There is only one thing in your article that I don't understand.

Why do you want to modify the code? It works unmodified in Malzilla.
Ok, you are getting a list of eval results. All you have to do is open the last one at the bottom.
Ruining the bad guy's day

October 03, 2012, 05:04:45 pm
Reply #2

MysteryFCM

It wouldn't actually work unmodified when I tried it in Malzilla, regardless of the settings I tried (others normally work depending on the eval() setting used, but this one errored out every time, until the code was modified).
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

October 03, 2012, 05:30:07 pm
Reply #3

SysAdMini

Hmm, what version are you using?

I'm using version 1.2.1.0, an unofficial beta version. Maybe it behaves differently than 1.2.0.
Ruining the bad guy's day

October 03, 2012, 08:20:34 pm
Reply #4

MysteryFCM

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net