“ILOVEYOU” again! Or not?

JavaScript or HTML encryption/obfuscation “may” help protect a web designer’s work and know-how from being stolen. But this statement is very controversial – obfuscation and encryption mainly belong to malicious scripts. Such a technique may fool automatic antivirus scanners, but anyone can look under the obfuscation, because the decryption script is usually distributed along with the script itself. Today we released detection for a very strange script we found yesterday; its name was JS:LoverCrypt-A.

The beginning and the end of the script are shown in the next image, where the important parts are underlined in red. This is a really unusual obfuscation – the string “ILOVEYOU” is used to rebuild the string “eval” using the sequence substring -> split -> reverse -> join -> toLowerCase -> replace. Bizarre, isn’t it? But that is not the last odd thing about this script. The original script is hidden in a long string consisting of a limited number of characters, which are decrypted by the last sequence of function calls (shown on the last line of the next image).
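A static check for the chain described above, as an added example that is not part of the original post: it resolves substring/split/reverse/join/toLowerCase/replace chains on string literals without executing any script code and reports those that rebuild "eval". The argument values in the sample line are assumptions, since the page names only the sequence of calls.

```javascript
// Added example: resolve string-rebuilding chains statically, without eval.
const SAFE = new Set(["substring", "split", "reverse", "join", "toLowerCase", "replace"]);
const TARGETS = ["eval"]; // names worth flagging when rebuilt at runtime

// A quoted literal followed by one or more .method(literal args) calls.
const CHAIN = /(["'])((?:(?!\1)[^\\])*)\1((?:\s*\.\s*[A-Za-z]+\s*\([^()]*\))+)/g;
const CALL = /\.\s*([A-Za-z]+)\s*\(([^()]*)\)/g;

// Accept only string and integer literals; anything else makes the chain unresolvable.
function parseArgs(text) {
  const args = [];
  const rest = text.replace(/"([^"\\]*)"|'([^'\\]*)'|(-?\d+)/g, (m, d, s, n) => {
    args.push(n !== undefined ? Number(n) : d !== undefined ? d : s);
    return "";
  });
  return /^[\s,]*$/.test(rest) ? args : null;
}

// Apply each allowlisted method to the running value; null means "could not resolve".
function resolveChain(value, calls) {
  for (const [, name, rawArgs] of calls.matchAll(CALL)) {
    const args = parseArgs(rawArgs);
    if (!SAFE.has(name) || args === null || typeof value[name] !== "function") return null;
    value = value[name](...args);
  }
  return typeof value === "string" ? value : null;
}

// Scan source text and report every literal chain that resolves to a flagged name.
function findRebuiltNames(source) {
  const hits = [];
  for (const m of source.matchAll(CHAIN)) {
    const resolvesTo = resolveChain(m[2], m[3]);
    if (TARGETS.includes(resolvesTo)) hits.push({ expression: m[0], resolvesTo });
  }
  return hits;
}

// Constructed sample; the substring/replace arguments are assumed, not taken from the script.
const SAMPLE = [
  'var label = "Hello".toLowerCase();',
  'var fn = window["ILOVEYOU".substring(1,5).split("").reverse().join("").toLowerCase().replace("o","a")];',
].join("\n");

console.log(findRebuiltNames(SAMPLE));
```

A hit only shows that a script rebuilds the name at runtime; as the rest of the post shows, that alone does not establish that the script is malicious.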

Who would use something like this for legal purposes? This can’t have been made by any big company, can it? But! We had to remove our detection this morning, because this script belongs to a local Czech newspaper portal – it is part of their new ad system. And (continue reading...)

Source: avast! blog
