We have shown some of the
heavy JavaScript obfucation techniques used by Fake AV pages, but the vast majority of such pages use lighter, yet effective techniques. Those techniques are aimed at bypassing detection devices (IDS, antivirus, etc.), rather than hiding the source code. The creators focus on making life difficult for those tasked with writing signatures to detect the malicious content.
HTML encoding and white space
The FakeAV pages often encode random HTML elements using HTML entities.
 |
| Use of HTML entities in the TITLE tag |
This is a very common and basic evasion techniques. FakeAV pages have now however, brought this to the next level, and even encode HTML attributes (ID, Name, Class), not just text content.
 |
| Use of HTML entities in tag attributes |
They also add random white space throughout the page. This causes problems for string matching algorithms.
JavaScript and CSS encoding
While most of the CSS information is contained in external files, some inline CSS is included within the HTML document. Attackers use hexadecimal encoding (\xXX) in combination with JavaScript. Again, the encoded characters differ from page to page.
 |
| Encoded inline CSS |
This hexadecimal encoding is actually used for most inline JavaScript code on the page.
 |
| Hexadecimal encoding in JavaScript code |
JavaScript obfuscation
The FakeAV pages use some JavaScript obfuscation, as seen in most malicious pages, but it tends to be very light, and the code spans over a few line only.
 |
| Obfuscated JavaScript |
I have found over 100 variants of the Fake AV pages in the past year. The code and the obfuscation techniques have changed quite a bit, but the result is still very much the same. I have encountered only about 10 visually
different Fake AV pages.
-- Julien
