By: Julien Sobrier

The Most Common Obfuscation Techniques In Fake AV Pages

Analysis

We have shown some of the heavy JavaScript obfucation techniques used by Fake AV pages, but the vast majority of such pages use lighter, yet effective techniques. Those techniques are aimed at bypassing detection devices (IDS, antivirus, etc.), rather than hiding the source code. The creators focus on making life difficult for those tasked with writing signatures to detect the malicious content.

HTML encoding and white space

The FakeAV pages often encode random HTML elements using HTML entities.
Use of HTML entities in the TITLE tag
This is a very common and basic evasion techniques. FakeAV pages have now however, brought this to the next level, and even encode HTML attributes (ID, Name, Class), not just text content.
 
Use of HTML entities in tag attributes
They also add random white space throughout the page. This causes problems for string matching algorithms.

JavaScript and CSS encoding

While most of the CSS information is contained in external files, some inline CSS is included within the HTML document. Attackers use hexadecimal encoding (\xXX) in combination with JavaScript. Again, the encoded characters differ from page to page.
 
Encoded inline CSS
This hexadecimal encoding is actually used for most inline JavaScript code on the page.
 
Hexadecimal encoding in JavaScript code
JavaScript obfuscation

The FakeAV pages use some JavaScript obfuscation, as seen in most malicious pages, but it tends to be very light, and the code spans over a few line only.
 
 
Obfuscated JavaScript

I have found over 100 variants of the Fake AV pages in the past year. The code and the obfuscation techniques have changed quite a bit, but the result is still very much the same. I have encountered only about 10 visually different Fake AV pages.

-- Julien

Learn more about Zscaler.