Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

The Most Common Obfuscation Techniques In Fake AV Pages

May 14, 2011 - 2 min read
We have shown some of the heavy JavaScript obfucation techniques used by Fake AV pages, but the vast majority of such pages use lighter, yet effective techniques. Those techniques are aimed at bypassing detection devices (IDS, antivirus, etc.), rather than hiding the source code. The creators focus on making life difficult for those tasked with writing signatures to detect the malicious content.

HTML encoding and white space

The FakeAV pages often encode random HTML elements using HTML entities.
Use of HTML entities in the TITLE tag
This is a very common and basic evasion techniques. FakeAV pages have now however, brought this to the next level, and even encode HTML attributes (ID, Name, Class), not just text content.
Use of HTML entities in tag attributes
They also add random white space throughout the page. This causes problems for string matching algorithms.

JavaScript and CSS encoding

While most of the CSS information is contained in external files, some inline CSS is included within the HTML document. Attackers use hexadecimal encoding (\xXX) in combination with JavaScript. Again, the encoded characters differ from page to page.
Encoded inline CSS
This hexadecimal encoding is actually used for most inline JavaScript code on the page.
Hexadecimal encoding in JavaScript code
JavaScript obfuscation

The FakeAV pages use some JavaScript obfuscation, as seen in most malicious pages, but it tends to be very light, and the code spans over a few line only.
Obfuscated JavaScript

I have found over 100 variants of the Fake AV pages in the past year. The code and the obfuscation techniques have changed quite a bit, but the result is still very much the same. I have encountered only about 10 visually different Fake AV pages.

-- Julien

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.