4 Replies Latest reply on Oct 12, 2011 2:34 PM by kmoser

    Malware found on this site...


      Anyone else get Malware error trying to get into this site?




      First page loads, but once I click on the flag I get the Malware Detected message.



      URL: http://www.rvs-monte-carlo.com/main.php

      Media Type: text/html

      Virus Name: MGW: Heuristic.BehavesLike.JS.CodeUnfolding.C

        • 1. Re: Malware found on this site...

          Yes. The page went to a lot of effort to hide an email address and we detected its obfuscation technique.


          The original code:


               var d="";for(var i=0;i<362;i++)d+=String.fromCharCode(("}hy'zD)zpJo{c)Dyl}vJlz|vtJuv'c)c)JDmlyo' hC./l{py~5{ult|jvk7;77|ccit.20d7bdc)c)b3n6J6/ljhswly5.Av{spht.ccDmlyo5nupy{Z2c)5 c)2008/y{zi|z5c)Kc)3n6'6/ljhswly5.s'lpy|''po{MMc)D{|vlz|vtuv'c).cc.20<@2;3@4?88/ lkvJyhoJtvym5{zi|z5c)Tc)3n6M6/ljhswly5.Eh6CIT'66Ec).cc.ccMDMmlyo5z0008/y)BkD))Bm vy/}hy'pD7BpCz5slun{oBp2D;?0k2Dz5z|iz{y/p3;?05zwsp{/))05yl}lyzl/05qvpu/))0Bl}hs/ k0".charCodeAt(i)+56)%95+32);eval(d)



          There are 2 obfuscation passes to get to this:

          <a href="" onmouseover="this.href='mailto: xx @ xyz.com'" onmouseout="this.href=''">// MB</a>


          Message was edited by: eelsasser obscured the actual email address so crawlers won't capture it. on 3/11/11 7:02:16 PM EST
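          An added example, not code from the thread or from the site in question: a static decoder for the loader shape quoted above, which undoes the "(c + K) % 95 + 32" shift over the printable range and unwraps nested passes without ever calling eval, so an analyst can see what the heuristic reacted to. The sample it decodes is constructed here (placeholder address user@example.com), built with the inverse of the same transform.

```javascript
// Loader shape seen in the thread: quoted payload, then
// .charCodeAt(i)+<K>)%95+32 inside String.fromCharCode. K is captured.
const LOADER_RE =
  /String\.fromCharCode\(\("((?:[^"\\]|\\.)*)"\.charCodeAt\(i\)\+(\d+)\)%95\+32\)/;

// One pass of the loader's own transform: rotate each printable byte by K
// within the 95-character printable range, exactly as the eval'd loop does.
function decodePass(payload, shift) {
  let out = "";
  for (let i = 0; i < payload.length; i++) {
    out += String.fromCharCode((payload.charCodeAt(i) + shift) % 95 + 32);
  }
  return out;
}

// Inverse of decodePass; used only to build the constructed sample below.
function encodePass(plain, shift) {
  let out = "";
  for (let i = 0; i < plain.length; i++) {
    const e0 = (((plain.charCodeAt(i) - 32 - shift) % 95) + 95) % 95;
    out += String.fromCharCode(e0 < 32 ? e0 + 95 : e0); // stay printable
  }
  return out;
}

// Wrap plain text in the same loader text the thread quotes (constructed).
function wrapInLoader(plain, shift) {
  const enc = encodePass(plain, shift).replace(/\\/g, "\\\\").replace(/"/g, '\\"');
  return 'var d="";for(var i=0;i<' + plain.length + ';i++)d+=String.fromCharCode(("' +
    enc + '".charCodeAt(i)+' + shift + ')%95+32);eval(d)';
}

// Statically unwrap nested loaders; never evaluates anything. Returns the
// final payload and how many unfolding passes it took (0 = no loader found).
function unfold(script, maxPasses = 10) {
  let current = script;
  let passes = 0;
  for (; passes < maxPasses; passes++) {
    const m = LOADER_RE.exec(current);
    if (!m) break;
    const payload = m[1].replace(/\\(.)/g, "$1"); // undo \" and \\ escapes
    current = decodePass(payload, Number(m[2]));
  }
  return { payload: current, passes };
}

// Constructed sample (not the real site's data): a benign mailto anchor with
// a placeholder address, hidden behind two passes of the shift-56 loader.
const INNER = '<a href="" onmouseover="this.href=\'mailto:user@example.com\'" ' +
  'onmouseout="this.href=\'\'">// MB</a>';
const SAMPLE = wrapInLoader(wrapInLoader(INNER, 56), 56);
console.log(unfold(SAMPLE)); // { payload: INNER, passes: 2 }
```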
          • 2. Malware found on this site...

            What does this mean? Obviously it is not bad, just hiding the email? I see the //MB when I am on the page. If I click it, it just wants to send an email.

            • 3. Malware found on this site...

              Correct, it's not "Bad". He's just trying to prevent spam harvesting from the page.


              But it's the fact that he used a sophisticated obfuscation technique in the first place.

              One that could be used to hide malicious code instead of a benign email address.

              • 4. Re: Malware found on this site...

                I run a site that uses a similar email obfuscation technique and I get occasional complaints about this.


                Is there a preferred obfuscation technique that will prevent McAfee AV from mistakenly flagging my site as containing malware?