The Latest in IT Security

The most common obfuscation techniques in Fake AV pages


We have shown some of the heavy JavaScript obfucation techniques used by Fake AV pages, but the vast majority of such pages use lighter, yet effective techniques. Those techniques are aimed at bypassing detection devices (IDS, antivirus, etc.), rather than hiding the source code. The creators focus on making life difficult for those tasked with writing signatures to detect the malicious content.

HTML encoding and white space

The FakeAV pages often encode random HTML elements using HTML entities.

Use of HTML entities in the TITLE tag

This is a very common and basic evasion techniques. FakeAV pages have now however, brought this to the next level, and even encode HTML attributes (ID, Name, Class), not just text content.

Use of HTML entities in tag attributes

They also add random white space throughout the page. This causes problems for string matching algorithms.

JavaScript and CSS encoding

While most of the CSS information is contained in external files, some inline CSS is included within the HTML document. Attackers use hexadecimal encoding (\xXX) in combination with JavaScript. Again, the encoded characters differ from page to page.

Encoded inline CSS

This hexadecimal encoding is actually used for most inline JavaScript code on the page.

Hexadecimal encoding in JavaScript code

JavaScript obfuscation

The FakeAV pages use some JavaScript obfuscation, as seen in most malicious pages, but it tends to be very light, and the code spans over a few line only.

Obfuscated JavaScript

I have found over 100 variants of the Fake AV pages in the past year. The code and the obfuscation techniques have changed quite a bit, but the result is still very much the same. I have encountered only about 10 visually different Fake AV pages.

— Julien

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments