Zscaler Research: Randomization of code and binaries used by a fake antivirus website
Last week, I talked about the heavy obfuscation attackers use to hide their HTML source code from detection. This time we came across an interesting fake antivirus website, which not only continually changes the source of the webpage but also the malicious binaries used in the attack: each time you revisit the same malicious site, you receive a different page source and a different binary. The site also changes certain strings used inside the animation sequences. For this blog, I visited that site a few times in the span of a minute and collected the various source files and malicious binaries.
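The practical consequence of this per-visit randomization is that hash-based blocklisting of either the page or the binary is useless: every fetch yields a new SHA-256. The example below is added here and is not code from the Zscaler post; it assumes the analyst has already collected several copies of the page and the dropped binary (the samples embedded inline are constructed stand-ins, not the real fake-AV content) and shows how to confirm the randomization from hash counts, derive the invariant "skeleton" shared by all page variants, and pull out the strings that change between visits so that detection can key on structure rather than on any single hash.

```python
import difflib
import hashlib
import re

# Constructed stand-ins for several fetches of the same fake-AV landing page.
# Only a per-visit token and the "threats found" count vary, as a rough
# analogue of the changing animation strings the post describes.
PAGE_SAMPLES = [
    "<html><body><script>var k='a9f3';scan('Warning: 12 threats found');</script></body></html>",
    "<html><body><script>var k='c021';scan('Warning: 17 threats found');</script></body></html>",
    "<html><body><script>var k='7e5d';scan('Warning: 9 threats found');</script></body></html>",
]

# Constructed stand-ins for the downloaded binaries: a fixed stub with a
# per-visit tail, so two of three fetches happen to repeat (also constructed).
BINARY_SAMPLES = [
    b"MZ" + b"\x00" * 30 + b"\x01\x02\x03",
    b"MZ" + b"\x00" * 30 + b"\x09\x08\x07",
    b"MZ" + b"\x00" * 30 + b"\x01\x02\x03",
]


def sha256_hex(data):
    """SHA-256 of a str or bytes sample, as hex."""
    if isinstance(data, str):
        data = data.encode()
    return hashlib.sha256(data).hexdigest()


def distinct_hashes(samples):
    """How many unique artifacts a naive hash blocklist would have to carry."""
    return len({sha256_hex(s) for s in samples})


def invariant_mask(samples):
    """For each character of samples[0], True if it survives in every other sample."""
    base = samples[0]
    keep = [True] * len(base)
    for other in samples[1:]:
        covered = [False] * len(base)
        matcher = difflib.SequenceMatcher(None, base, other, autojunk=False)
        for block in matcher.get_matching_blocks():
            for i in range(block.a, block.a + block.size):
                covered[i] = True
        keep = [k and c for k, c in zip(keep, covered)]
    return keep


def skeleton(samples, wildcard="*"):
    """Base sample with every varying run collapsed to a single wildcard."""
    out = []
    for ch, stable in zip(samples[0], invariant_mask(samples)):
        if stable:
            out.append(ch)
        elif not out or out[-1] != wildcard:
            out.append(wildcard)
    return "".join(out)


def skeleton_regex(skel, wildcard="*"):
    """Turn a skeleton into a regex whose groups capture the varying parts."""
    parts = [re.escape(p) for p in skel.split(wildcard)]
    return re.compile("(.*?)".join(parts), re.DOTALL)


def matches_skeleton(sample, skel):
    """Structural match: does this page fit the invariant template?"""
    return skeleton_regex(skel).fullmatch(sample) is not None


def variable_parts(sample, skel):
    """The per-visit strings this sample carries in the wildcard positions."""
    m = skeleton_regex(skel).fullmatch(sample)
    return m.groups() if m else None


if __name__ == "__main__":
    print("distinct page hashes:  ", distinct_hashes(PAGE_SAMPLES))
    print("distinct binary hashes:", distinct_hashes(BINARY_SAMPLES))
    skel = skeleton(PAGE_SAMPLES)
    print("invariant skeleton:    ", skel)
    for page in PAGE_SAMPLES:
        print("  varying strings:", variable_parts(page, skel))
```

The skeleton is what a content signature should be built from: it matches every collected variant while a hash matches exactly one, and the captured groups make the randomized strings explicit so you can judge whether they carry anything worth alerting on (a counter, a token, a campaign id) or are pure noise.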
Umesh continues his discussion of fake AV sites, showing how the attackers are getting more sophisticated and introducing random changes to the attacks.