The beginning and the end of the script are shown in the next image, with the important parts underlined in red. This is a really unusual obfuscation: the string "ILOVEYOU" is used to rebuild the string "eval" through the call sequence substring -> split -> reverse -> join -> toLowerCase -> replace. Bizarre, isn't it? But it is not the last odd thing about this script. The original script is hidden inside a long string made up of a limited set of characters, which is decoded by the final sequence of function calls (shown on the last line in the next image) and then handed to the rebuilt "eval".
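To make the trick concrete, here is an added example (not the newspaper's script, and not code from the original post) that shows how the call chain above can turn "ILOVEYOU" into "eval", and how an analyst can resolve the rebuilt name through a hook so that the decoded stage is captured instead of executed. The substring and replace arguments are assumptions chosen to make the chain work, and the two-characters-per-byte encoding over a 16-symbol alphabet is a constructed stand-in for the unknown scheme in the real script; the sample payload is constructed as well.

```javascript
// Added example: rebuilding "eval" from "ILOVEYOU" with the chain the post
// describes, plus an analyst-side hook that records the final stage.

// Chain from the post: substring -> split -> reverse -> join -> toLowerCase -> replace.
// The arguments (1, 5) and ("o", "a") are assumptions; the post only names the chain.
function rebuildEval(seed) {
  return seed
    .substring(1, 5)      // "LOVE"
    .split("")            // ["L", "O", "V", "E"]
    .reverse()            // ["E", "V", "O", "L"]
    .join("")             // "EVOL"
    .toLowerCase()        // "evol"
    .replace("o", "a");   // "eval"
}

// Constructed stand-in for the unknown encoding: every byte becomes two
// characters from a 16-symbol alphabet, which yields the "long string over a
// limited set of characters" look. This is NOT the real scheme from the script.
const ALPHABET = "ILOVEYUABCDFGHJK";

function encodePayload(plain) {
  let out = "";
  for (const ch of plain) {
    const code = ch.charCodeAt(0);
    if (code > 0xff) throw new Error("toy encoder handles single-byte chars only");
    out += ALPHABET[code >> 4] + ALPHABET[code & 0x0f];
  }
  return out;
}

function decodePayload(encoded) {
  if (encoded.length % 2 !== 0) throw new Error("odd-length payload");
  let out = "";
  for (let i = 0; i < encoded.length; i += 2) {
    const hi = ALPHABET.indexOf(encoded[i]);
    const lo = ALPHABET.indexOf(encoded[i + 1]);
    if (hi < 0 || lo < 0) throw new Error("character outside alphabet at offset " + i);
    out += String.fromCharCode((hi << 4) | lo);
  }
  return out;
}

// Analyst side: the obfuscated script ends with window[rebuiltName](decoded).
// Resolving the name on a scope object whose "eval" is a recorder means the
// decoded stage is captured for inspection and never run.
function analyzeWithHook(seed, encoded) {
  const captured = [];
  const scope = {
    eval: (code) => { captured.push(code); },
  };
  const fnName = rebuildEval(seed);
  if (typeof scope[fnName] !== "function") {
    throw new Error("rebuilt name is not hooked: " + fnName);
  }
  scope[fnName](decodePayload(encoded));
  return { fnName, captured };
}

// Constructed sample "original" script; its encoded form is derived from it so
// the example round-trips offline.
const SAMPLE_PLAIN = 'document.write("<p>ad</p>");';
const SAMPLE_ENCODED = encodePayload(SAMPLE_PLAIN);
```

Resolving the rebuilt name against a controlled object rather than against `window` is the point of the hook: whatever the string manipulation produces, the recorder receives the decoded text and the real `eval` is never reached, which is the safe way to get at the hidden original script when you do not yet know what it does.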
Who would use something like this for legitimate purposes? This can't have been made by any big company, can it? But! We had to remove our detection this morning, because this script belongs to a local Czech newspaper portal; it is part of their new ad system. And I'm still waiting for their response to my questions:
- Why did they use such suspicious obfuscation? ILOVEYOU -> EVAL and so on.
- If they needed to have this script encrypted, why didn't they use some commonly known tool, which would be less suspicious?
- Are they optimizing the script for lower impact on the user's bandwidth? No, the obfuscated script is three times longer than the original one.
What is the conclusion here? Well, web developers should be more careful about what they publish. It is not a smart idea to use or create your own obfuscation or encryption on your website, especially when the internet is full of legitimate websites that are getting infected at an enormous rate. Why? Because antivirus scanners are becoming very sensitive to suspicious operations, and a home-grown packer that rebuilds "eval" from a string and decodes its payload at runtime looks exactly like the malware they are built to catch. We must protect our users!