The most common obfuscation techniques in Fake AV pages
HTML encoding and white space
Fake AV pages often encode arbitrary parts of the HTML using HTML entities (for example `&#87;` in place of `W`). The browser decodes the entities and renders the expected text, but a signature that matches on the raw bytes never sees it.
|Use of HTML entities in the TITLE tag|
This is a very common and basic evasion technique. Fake AV pages have, however, taken it to the next level: they now encode HTML attribute values (ID, Name, Class) as well, not just text content. Attribute values are entity-decoded by the browser exactly like text, so the page behaves identically while simple matching on the raw source fails.
|Use of HTML entities in tag attributes|
They also add random whitespace throughout the page, between words and between tag attributes. The browser collapses runs of whitespace when rendering, so the victim sees nothing unusual, but string matching algorithms that run over the raw source no longer find the expected phrases.
|Encoded inline CSS|
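The three tricks above (entities in text, entities in attribute values, random whitespace, plus entity-encoded inline CSS in a style attribute) all defeat a scanner that matches on the raw page but are undone by the browser's own parsing. The following example, added here and not part of the original post or any Fake AV sample, shows a small constructed page in that style and a normaliser that decodes it the way a browser would before matching. The page, the signature lists and the function names are assumptions for illustration only.

```python
import re
from html.parser import HTMLParser

# Constructed sample in the style of an obfuscated Fake AV page (not a real capture):
# entities in the title text, in id/class/style attributes, and random whitespace.
OBFUSCATED_PAGE = """<html><head>
<title>&#87;&#97;&#114;&#110;&#105;&#110;&#103;&#33;</title>
</head><body>
<div   id="&#115;&#99;&#97;&#110;"   class="a&#108;ert"
     style="po&#115;ition :  fixed ;  t&#111;p : 0">Your   computer
 is &#105;nfected!</div>
<a href="setup.exe">Remove   all
  threats</a>
</body></html>"""

# Hypothetical signatures a scanner might hold: phrases shown to the victim,
# and attribute values that identify the page template.
TEXT_SIGNATURES = ["your computer is infected", "remove all threats"]
ATTR_SIGNATURES = [("id", "scan"), ("class", "alert"), ("style", "position:fixed")]


def collapse_ws(s):
    """Fold any run of whitespace into one space and trim the ends."""
    return re.sub(r"\s+", " ", s).strip()


def normalize_css(s):
    """Lowercase an inline style value and drop the spaces around ':' and ';'."""
    return re.sub(r"\s*([:;])\s*", r"\1", collapse_ws(s)).lower()


class Normalizer(HTMLParser):
    """Rebuilds decoded text and attribute values from an obfuscated page."""

    def __init__(self):
        # convert_charrefs=True decodes &#NN; / &name; in text data;
        # HTMLParser always decodes entities in attribute values.
        super().__init__(convert_charrefs=True)
        self.text_parts = []
        self.attrs = []  # (tag, attribute name, normalised value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            value = normalize_css(value) if name == "style" else collapse_ws(value)
            self.attrs.append((tag, name, value))

    def handle_data(self, data):
        self.text_parts.append(data)


def normalize(page):
    """Return (visible text, attribute list) with entities decoded and whitespace folded."""
    p = Normalizer()
    p.feed(page)
    p.close()
    return collapse_ws(" ".join(p.text_parts)), p.attrs


def naive_hits(page):
    """Substring matching on the raw page, as a byte-level signature engine would do."""
    raw = page.lower()
    return [s for s in TEXT_SIGNATURES if s in raw]


def normalized_hits(page):
    """Signature matching after decoding entities and folding whitespace."""
    text, attrs = normalize(page)
    text = text.lower()
    text_hits = [s for s in TEXT_SIGNATURES if s in text]
    attr_hits = [(n, v) for (n, v) in ATTR_SIGNATURES
                 if any(an == n and v in av for (_, an, av) in attrs)]
    return text_hits, attr_hits


if __name__ == "__main__":
    print("raw match:", naive_hits(OBFUSCATED_PAGE))
    print("normalized match:", normalized_hits(OBFUSCATED_PAGE))
```

Run stand-alone, the raw match returns nothing while the normalised match finds every text and attribute signature. The point is that signatures should be applied to the decoded, whitespace-folded representation the browser produces, not to the bytes on the wire; note that Python's HTMLParser does not decode entities inside `<script>` or `<style>` elements, which matches browser behaviour, so only inline `style` attributes are normalised here.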
I have found over 100 variants of Fake AV pages in the past year. The code and the obfuscation techniques have changed quite a bit, but the rendered result is still very much the same: I have encountered only about 10 visually different Fake AV pages.