used by Fake AV pages, but the vast majority of such pages use lighter, yet effective techniques. Those techniques are aimed at bypassing detection devices (IDS, antivirus, etc.), rather than hiding the source code. The creators focus on making life difficult for those tasked with writing signatures to detect the malicious content.
HTML encoding and white space
The FakeAV pages often encode random HTML elements using HTML entities.
[Figure: Use of HTML entities in the TITLE tag]
This is a very common and basic evasion technique. FakeAV pages have now, however, taken this to the next level and encode HTML attributes (ID, Name, Class) as well, not just text content.
[Figure: Use of HTML entities in tag attributes]
They also add random white space throughout the page. This causes problems for string matching algorithms.
[Figure: Encoded inline CSS]
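To show why these two tricks defeat naive string matching, and how a detector can undo them before applying signatures, here is an added Python example (my own illustration, not code from the original post). The markup, the entity-encoded title and attributes, and the signature strings are all constructed for this demonstration.

```python
import html
import re

# Constructed sample, not taken from any real Fake AV page: the title text and the
# id/class attributes are HTML-entity encoded and random whitespace is sprinkled
# through the markup, the two evasions described above.
OBFUSCATED_PAGE = (
    '<html><head><title>&#83;ecur&#105;ty   &#87;arning</title></head>\n'
    '<body><div  id="&#97;lert&#95;box"   class="&#115;can&#110;er">\n'
    'Your   computer   is &#105;nfected</div></body></html>'
)

# Hypothetical signature strings a detection engine might look for.
SIGNATURES = ["security warning", 'id="alert_box"', "computer is infected"]


def normalize_html(markup: str) -> str:
    """Undo the evasions: decode entities (text and attributes), collapse whitespace."""
    # html.unescape decodes named and numeric entities everywhere, including
    # inside attribute values, which is exactly where FakeAV pages now hide them.
    decoded = html.unescape(markup)
    # Collapse any run of whitespace (spaces, tabs, newlines) to a single space.
    collapsed = re.sub(r"\s+", " ", decoded)
    # Whitespace padding right after '<' or before '>' is noise too; drop it.
    collapsed = re.sub(r"<\s+", "<", collapsed)
    collapsed = re.sub(r"\s+>", ">", collapsed)
    return collapsed.strip().lower()


def match_signatures(markup: str, signatures=SIGNATURES, normalize=True) -> list:
    """Return the signatures found in the page, with or without normalization."""
    haystack = normalize_html(markup) if normalize else markup.lower()
    return [s for s in signatures if s in haystack]


if __name__ == "__main__":
    print("raw match:       ", match_signatures(OBFUSCATED_PAGE, normalize=False))  # []
    print("normalized match:", match_signatures(OBFUSCATED_PAGE))  # all three
```

Matching the raw page finds nothing, because every signature is split by entities or padding; the same signatures all hit once entities are decoded and whitespace is collapsed.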
I have found over 100 variants of the Fake AV pages in the past year. The code and the obfuscation techniques have changed quite a bit, but the result is still very much the same. I have encountered only about 10 visually different Fake AV pages