Recently we encountered a very suspicious piece of code on some Joomla-powered webpages. The code looks as if garbled and without any special meaning, and starts like this:

Upon closer observation, several strange things are to be noted. First, there are no alphanumerical symbols to be seen in any part of the code. Second, on the line before this code starts, there is actually an HTML tag indicating a start of Javascript code (<script>), preceded by 37 tabs. Therefore, when opening an infected file in a text editor, one cannot normally see the starting tag, because it is shifted all the way to the right. To be able to see it, you either have to horizontal scroll, or have word wrap on. The same trick is performed with the script closing tag as well. Why would anyone try to hide these tags? The answer is simple, to trick people into thinking this is not actually a Javascript code.

Read more…