See: http://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Floyalaw.com&ref_sel=Google&ua_sel=ff
Could not open page in jsunpack for avast Web Shield immediately jumped on the code and blocked it as JS:Decode-BHU[Trj]. #32f02e# in line 62 looks like a color number but the extra # gives it away as malcode - site was hacked and the malcode starts from the following line
and Firekeeper alerts on that code like === Triggered rule ===
alert(url_content:“%3C”; url_content:“%22”; url_content:“%3E”; msg:“Suspicious looking GET request containing %3C, %3E, and %22. Suspiciously HTML-like.”; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
^-broken by me, Pol
eval() may be abused in the pre-onload phase of the webpage,
therefore it is so vital that eval-generated js malcode is immediately blocked by the avast! Web Shield.
Yep, think so, if they can decode the URL that fetches the blackhole exploit kit in real time, see this article by Erik Heuser: https://blogs.rsa.com/beyond-the-zero-day-reverse-engineering-malicious-class-files/
But IDS will also produce the anomaly pattern here as “ssp_ssl: Invalid Client HELLO after Server HELLO Detected” (on the network layer - OSI layer 3
and transport layer - OSI layer 4)! -
Embedding script tags in URLs/HTTP requests will incite unaware users to click on them to enable malicious javascript to be executed on the client (victim’s machine). This becomes possible when input/output validation of the server to reject active code /js or code characters is not performed or has failed.
In thsi case the HTML-tags/script inclusion was an applet (but it could have been an object, iframe, frame, xml, blink, obfuscated link etc. etc., possibilities just as much as user manipulation was allowed to take place! Cause of all this nastiness and the aftermath of it is through"insecure practices!".
Av should have static and dynamic detection rules and incorporate various detection methods for various OSI layers,
else it won’t even “see” it happen,