Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus


February 3rd, 2010

“ILOVEYOU” again! Or not?

Javascript or HTML encryption/obfuscation “may” help to protect web designer’s work from stealing their know-how. But this statement is very controversial – obfuscation or encryption mainly belongs to malicious scripts.  Such a technique may fool automatic antivirus scanners, but anyone can look under the obfuscation because the decryption script is usually distributed alongside with the script itself.  We have released today the detection for very strange script we’ve found yesterday, it’s name was JS:LoverCrypt-A [Trj].

The beginnig and the end of the script is shown in the next image where important parts are underlined (red color).  This is really unusual obfuscation – string “ILOVEYOU” is used to rebuild string “eval” using sequence substring -> split -> reverse -> join -> toLowerCase -> replace. Bizarre, isn’t it? But it is not the last odd thing about this script. Original script is hidden under long string, that consists of limited number of characters which are decrypted using last sequence of function calls (shown at the last line in the next image).

ILOVEYOU obfuscation

Who would use something like this for legal purposes? This can’t be made by any big company, isn’t it? But! We had to remove our detection this morning, because this script belongs to local Czech newspaper portal – it is part of their new ad system. And I’m still waiting for their response to my questions:

  • Why they used such suspicious obfuscation? ILOVEYOU -> EVAL and so on.
  • If they needed to have this script encrypted, why they didn’t use some commonly known tool which should be less suspicious?
  • Are they optimizing the script for lower impact on user’s internet speed? No, obfuscated script is three times longer than the original one.

What is the conclusion here? Well, web designers should be more careful about what they publish. It is not very smart idea to use or create obfuscation/encryption on your own website, especially when the internet is full of legitimate websites that are getting infected with enormous speed. Why? Because antivirus scanners are getting very sensitive about suspicious operations -> we must protect our users!

Categories: analyses, Virus Lab Tags:
  • stn

    You should not remove the detection. The script simply IS suspicious and should be reported as such. User can then put the site to exclusion list if he trusts the site enough, or avoid the site next time if he doesn’t. Or ask the antivirus to delete the obfuscated code – at least the user won’t be bothered by the ads, if this code is part of the ad system :-). Personally, I would not trust any site which uses such obfuscating technics.

  • http://www.404techsupport.com/ Jason

    This article, though very interesting, has a really bad URL because of the fancy quotes.

    This bit.ly link works for sharing though:
    http://bit.ly/agXw66

  • Phil

    More evidence that ads are evil. Keep the detection.

  • Lol Phirae

    You should have kept the definition in place. Those Seznam.cz folks should have known better than this POS.

  • http://www.erwynn.webs.com erwynn

    Hello guys…I am very impressed about the new avast 5.0…I suggest avast should go for hourly update…Boot-time scan is impresive…

  • http://www.avast.com vlk

    erwynn :
    Hello guys…I am very impressed about the new avast 5.0…I suggest avast should go for hourly update…Boot-time scan is impresive…

    More frequent (micro-) updates are one of the features planned for avast v5.1.

  • http://www.avast.com Jiri Sejtko

    @Jason
    Ups, didn’t expect it could be a problem.

  • http://www.ppinfotek.com Yanto Chiang

    Hi Jiri,

    Have you received any notification from Czech newspaper portal about this infected?

    Regards,
    Yanto Chiang

  • PATCOGHM

    Can we have the maLE voice prompts for updated. I have a hearing loss and everyone knows a womens voice would not be prefered as the male voice is more understandable. Reason for male announcers in the old days before equality.

  • Alois Mahdal

    @Jason
    Sorry, I simply had to check this :-D
    All three browsers I have installed here interpreted and displayed it correctly (I feel it’s a nice result):
    IE8.0, FF3.5.7 and, of course, my beloved Opera 10.10