Inline Detection of Evil JavaScript: "
Exploit kits are a much more common threat on the web
than they used to be. In order to evade detection, the kits frequently contain
logic to obfuscate, or hide, the meaning behind the content that they serve to
the victim. Additionally, with each visit to the exploit page, the obfuscation
techniques will differ slightly so that static content signatures will be
unable to detect the threat. Other threats contain obfuscated JavaScript (JS)
which sets up the page to exploit a vulnerability and launch a payload (for
example, 'spraying' the heap with shellcode). Still other threats inject
obfuscated JS into legitimate sites, which after decoding embeds a hidden
(0-pixel) IFrame to malicious content. As we have seen in the past, the JS
encodings vary greatly with each incident, and many instances are encoded
multiple times and may contain non-standard JS (reference past blog posts, such
as
(Via Zscaler Research blog.)
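The excerpt's point about per-visit and multi-layer encodings, as an added example that is not from the Zscaler post: a static decoder peels literal `unescape` and `String.fromCharCode` layers without executing anything, then checks the result for 0-pixel IFrames. The function names and all samples are constructed for illustration, and only these two literal encodings are handled.

```javascript
// Added example. Samples are constructed; nothing in them is ever executed.
const PCT = /%u([0-9a-f]{4})|%([0-9a-f]{2})/gi;
const UNESCAPE_CALL = /\bunescape\(\s*(['"])([^'"]*)\1\s*\)/g;
const FROMCHARCODE_CALL = /\bString\.fromCharCode\(\s*((?:\d+\s*,\s*)*\d+)\s*\)/g;

// Replace each literal-only decoder call with the text it would produce.
function peelOnce(src) {
  return src
    .replace(UNESCAPE_CALL, (_, q, body) =>
      body.replace(PCT, (m, u, h) => String.fromCharCode(parseInt(u || h, 16))))
    .replace(FROMCHARCODE_CALL, (_, nums) =>
      String.fromCharCode(...nums.split(',').map(Number)));
}

// Peel repeatedly, since content may be encoded more than once; cap the depth.
function decodeLayers(src, maxLayers = 5) {
  let layers = 0;
  while (layers < maxLayers) {
    const next = peelOnce(src);
    if (next === src) break;
    src = next;
    layers++;
  }
  return { decoded: src, layers };
}

// Return <iframe> tags whose width or height is 0 (attribute or inline style).
function hiddenIframes(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  return tags.filter(t => /(?<![\w-])(?:width|height)\s*[=:]\s*['"]?0(?:px)?\b/i.test(t));
}

function inspect(src) {
  const { decoded, layers } = decodeLayers(src);
  return { layers, rawHit: hiddenIframes(src).length > 0, hits: hiddenIframes(decoded) };
}

// Constructed samples: a hidden IFrame in three encodings, plus a benign embed.
const SAMPLES = {
  percent: 'document.write(unescape("%3Ciframe%20width%3D0%20height%3D0%20src%3D//example.invalid/%3E"));',
  charCodes: 'document.write(String.fromCharCode(60,105,102,114,97,109,101,32,119,105,100,116,104,61,48,32,104,101,105,103,104,116,61,48,62));',
  twoLayers: 'document.write(unescape("unescape%28%22%253Ciframe%20height%253D0%253E%22%29"));',
  benign: '<iframe width="560" height="315" src="https://example.invalid/v"></iframe>',
};

for (const [name, src] of Object.entries(SAMPLES)) {
  const r = inspect(src);
  console.log(name, 'layers=' + r.layers, 'rawHit=' + r.rawHit, 'hidden=' + r.hits.length);
}
```

`rawHit` stays false for all three encoded samples, which is the gap a signature over the served bytes leaves; the hidden IFrame only becomes visible in `hits` after the layers are peeled.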