Why You Still Receive Phishing Emails And Malware: Mangling The Strings

Basically, web browsers are dumber than most pieces of software, and they are easily tricked. They are also fairly robust in handling incorrect code: they will accept badly formed HTML and try to work out what was meant by it. So, when it comes to security, malware writers have many tricks up their sleeves, and one of them is to encode strings as a mixture of hex escapes (Base 16), Unicode escapes (the 16-bit equivalent of ASCII) and octal escapes (Base 8).

So when you view the code and see something like this:

var _={"\137\x6b\u0065\x79\u0053\u0074\x72":(function () { var pI="wxyz0123456789+/=",B="klmnopqrstuv",G="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefg",h="hij"; return G+h+B+pI })(),"\u005f\u0075\164\146\u0038\137\u0065\u006e\u0063\x6f\x64\u0065":function(zt){zt=zt[(String.fromCharCode(0x72,0x65,0x70,108,0141,99,101))](/\r\n/g,(function () { var DS="n",nl="\\"; return nl+DS })());var MF="";var w;for(w=('XROQtltRu'.length-9);w('TFrd'.length*(3*8+6)+7))&&(S<(0x1*1774+274))){MF+=String[((function () { var sD="Code",U="r",T="fromCha"; return T+U+sD })())]

your head will spin. But all that is happening here is that the normal strings we would see in a program (in this case some JavaScript code) are being represented in a way that a normal string matcher would…
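As an added example (not code from the original post), here is a small JavaScript normaliser that undoes the three escape forms named above, folds String.fromCharCode(...) calls with numeric literals back into plain strings, and flags any string literal mixing two or more escape kinds, which is the tell a defender's matcher can key on. The OBFUSCATED fragment is constructed in the style of the snippet above, not the actual sample.

```javascript
// Constructed sample in the style of the quoted snippet (not the real malware).
const OBFUSCATED = 'var _={"\\137\\x6b\\u0065\\x79\\u0053\\u0074\\x72":1};' +
  'zt[String.fromCharCode(0x72,0x65,0x70,108,0141,99,101)](/\\r\\n/g,"");';

// Decode one escape sequence: \xHH (hex), \uHHHH (unicode) or \NNN (octal).
function decodeEscape(match, hex, uni, oct) {
  if (hex !== undefined) return String.fromCharCode(parseInt(hex, 16));
  if (uni !== undefined) return String.fromCharCode(parseInt(uni, 16));
  return String.fromCharCode(parseInt(oct, 8));
}

// Evaluate a numeric literal as it appears in a fromCharCode argument list:
// 0x.. is hex, a leading 0 followed by digits is legacy octal, else decimal.
function numericLiteral(tok) {
  tok = tok.trim();
  if (/^0[xX]/.test(tok)) return parseInt(tok.slice(2), 16);
  if (/^0[0-7]+$/.test(tok)) return parseInt(tok, 8);
  return parseInt(tok, 10);
}

// Normalise obfuscated source so identifiers become visible to a string matcher.
function deobfuscate(src) {
  // 1. Collapse \xHH, \uHHHH and \NNN escapes wherever they occur.
  let out = src.replace(
    /\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\([0-7]{1,3})/g, decodeEscape);
  // 2. Fold String.fromCharCode(<numeric literals>) into a quoted literal.
  out = out.replace(/String\.fromCharCode\(([^()]*)\)/g, (m, args) =>
    JSON.stringify(args.split(',').map(numericLiteral)
      .map(c => String.fromCharCode(c)).join('')));
  return out;
}

// Count how many distinct escape styles one string literal uses.
function escapeKinds(literal) {
  const kinds = new Set();
  if (/\\x[0-9a-fA-F]{2}/.test(literal)) kinds.add('hex');
  if (/\\u[0-9a-fA-F]{4}/.test(literal)) kinds.add('unicode');
  if (/\\[0-7]{1,3}/.test(literal)) kinds.add('octal');
  return kinds.size;
}

// Detection signal: a hand-written literal rarely mixes two or more escape styles.
function mixedEscapeLiterals(src) {
  const lits = src.match(/"(?:[^"\\]|\\.)*"/g) || [];
  return lits.filter(l => escapeKinds(l) >= 2);
}

console.log(deobfuscate(OBFUSCATED));        // var _={"_keyStr":1};zt["replace"](/\r\n/g,"");
console.log(mixedEscapeLiterals(OBFUSCATED)); // one flagged literal
```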

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice