Sophos Cloud Optix
A technical paper by Fraser Howard, SophosLabs, UK
3.4 HTML
There are tricks that can be used to obfuscate simple HTML code. A good example is provided by some recent Blackhole landing pages, specifically ones that contain an applet element within the landing page to load the malicious Java (as in Figure 6).
Initially samples appeared that used numeric character references in attempts to evade detection. Then we started to see dummy applet parameters added. At the time of writing, we have even started to see additional characters prepended to the string used to pass in the payload URL! A selection of these tricks is summarised in Figure 13.
Figure 13: Examples of some of the common obfuscation tactics used within the applet element of Blackhole landing pages.