Oct 12, 4:54 pm (UTC-7) | by Roland Dela Paz (Threat Researcher)
I recently tried to unpack an obfuscated JavaScript from a malicious .PDF file when I came across the following Google search results:
To my surprise, one of the resulting online JavaScript unpacker sites had been compromised, most probably as part of a blackhat search engine optimization (SEO) campaign. I finally landed on a page that served a FAKEAV warning.
The usual FAKEAV routine then ensued, which ended with a prompt giving me a stern warning that my system has been infected.
JavaScript unpackers are commonly used by computer professionals, mostly by security researchers. As such, I don’t really see the point of deliberately compromising such a site, as its likely visitors are unlikely to fall for a FAKEAV ruse.
Trend Micro protects product users from this attack via the Trend Micro™ Smart Protection Network™, which blocks the websites involved in the redirection chain as well as detects the FAKEAV variant as TROJ_FAKEAV.SMSM and prevents it from being downloaded onto a user’s system.