A keyword on script obfuscation

Obfuscators and packers may have legitimate uses when it comes to concealing intellectual property or reducing memory footprint. However, when the obfuscation begins to include unused yet otherwise regular keywords, it makes one wonder what is being obscured from whom.

Take, for example, this bit of JavaScript:

[Image: scriptcap.JPG]

The deliberate insertion of keywords (in blue), such as inside comments, is almost certainly a play at confusing malware scanners rather than simply obscuring the true content.
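One defensive way to measure the trick described above is to compare how many JavaScript keywords sit inside comments with how many appear in executable code. This is an added example, not code from the original post; the keyword list, function names and sample strings are assumptions constructed for illustration, and regex and template literals are not parsed.

```javascript
// Added example: flag scripts whose comments are stuffed with JavaScript keywords.
// Assumptions: the keyword list and function names are illustrative; regex literals
// and template literals are not handled specially.
const KEYWORDS = new Set(['var', 'function', 'return', 'if', 'else', 'for', 'while',
  'new', 'this', 'typeof', 'try', 'catch', 'switch', 'case', 'break']);

// Split source into code text and comment text with a small state machine,
// so that "//" or "/*" inside a string literal is not mistaken for a comment.
function splitComments(src) {
  let code = '', comments = '', i = 0;
  while (i < src.length) {
    const c = src[i], next = src[i + 1];
    if (c === '"' || c === "'") {                 // string literal: copy verbatim
      let j = i + 1;
      while (j < src.length && src[j] !== c) j += src[j] === '\\' ? 2 : 1;
      code += src.slice(i, j + 1); i = j + 1;
    } else if (c === '/' && next === '/') {       // line comment
      let j = src.indexOf('\n', i); if (j === -1) j = src.length;
      comments += src.slice(i + 2, j) + '\n'; i = j;
    } else if (c === '/' && next === '*') {       // block comment
      let j = src.indexOf('*/', i + 2); if (j === -1) j = src.length;
      comments += src.slice(i + 2, j) + '\n'; i = j + 2;
    } else { code += c; i++; }
  }
  return { code, comments };
}

function countKeywords(text) {
  return (text.match(/[A-Za-z_$][\w$]*/g) || []).filter(w => KEYWORDS.has(w)).length;
}

// Share of all keyword occurrences that sit inside comments (0 when there are none).
function commentKeywordShare(src) {
  const { code, comments } = splitComments(src);
  const inCode = countKeywords(code), inComments = countKeywords(comments);
  const total = inCode + inComments;
  return { inCode, inComments, share: total ? inComments / total : 0 };
}

// Constructed samples (not taken from the screenshot).
const padded = 'x="a//b";/*var function return*/y=x/*if else for while*/+1;//new this typeof\n';
const ordinary = '// add two numbers\nfunction add(a, b) { return a + b; }\n';
console.log(commentKeywordShare(padded), commentKeywordShare(ordinary));
```

A share close to 1 on a script that also carries dense, unreadable code is a reason to strip comments before signature matching and to send the sample for closer analysis.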

The continued use of script obfuscators for so-called 'legitimate' uses is a flawed idea, since tools such as SpiderMonkey make short work of them. Yet most anti-virus and anti-spam engines still have difficulty, making such tricks a favourite of web-centric malware.

It would be nice if we could assume that only malware employs such tricks, but as long as the general public continue to have blind faith in obfuscation technology, so will the malware authors.