In MISC (Multi-system & Internet Security Cookbook) N54, Nicolas Brulez from Kaspersky Lab relates the case of the fakeAV 'Security Shield', and particularly the fake scanner page that leads to the malware download.
The article is in French.
With his permission, I give you here the decode template he made.
Basically, the fake scanner page looks like this:
And if you look at the source code:
You will see nothing related to the page, just a huge obfuscated string.
NOTE: these pages are nicely dynamic: every xx mins, the images, the JS file name, and some other values are automatically changed.
They use Base64 > RSA > Base64 for the string.
With some basic edits to the JS file (034p0986.js in the screenshot) you can decode the string.
Here you go:
Wanna try?
The decoded page (beautified version):
Downloaded file from the FakeAV page:
Oh, I see.
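
As an added example (not Nicolas Brulez's decode template and not code from the original post), the Base64 > RSA > Base64 wrapping described above can be peeled statically in Node.js, so the decoded page is obtained as text and never rendered. The middle-layer layout (comma-separated decimal blocks, one per character), the toy key and all function names are assumptions; the sample string is constructed.

```javascript
// Added example: static decoder for a Base64 > RSA > Base64 wrapped page string.
// Assumed layout (not from the original page): the middle layer is a
// comma-separated list of decimal RSA blocks, one per character.
const B64 = /^[A-Za-z0-9+/]+={0,2}$/;

// Square-and-multiply modular exponentiation on BigInt.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Strict Base64 decode: reject anything that is not well-formed.
function b64decode(s, layer) {
  if (s.length % 4 !== 0 || !B64.test(s)) throw new Error(`${layer} layer is not valid Base64`);
  return Buffer.from(s, "base64").toString("latin1");
}

// exp and n are the values carried by the page's own decoder script.
function decodeLayers(blob, exp, n) {
  const blocks = b64decode(blob.trim(), "outer").split(",");
  const inner = blocks.map((b) => {
    if (!/^\d+$/.test(b) || BigInt(b) >= n) throw new Error(`bad RSA block: ${b}`);
    return String.fromCharCode(Number(modPow(BigInt(b), exp, n)));
  }).join("");
  return b64decode(inner, "inner"); // decoded HTML as text, never rendered
}

// Constructed fixture only: toy key n = 61 * 53, e = 17, d = 2753.
const N = 3233n, E = 17n, D = 2753n;
function constructedSample(html) {
  const inner = Buffer.from(html, "latin1").toString("base64");
  const blocks = [...inner].map((c) => modPow(BigInt(c.charCodeAt(0)), E, N));
  return Buffer.from(blocks.join(","), "latin1").toString("base64");
}

const sample = constructedSample("<title>constructed sample</title>");
console.log(decodeLayers(sample, D, N));
```

A wrong exponent or modulus shows up as an "inner layer is not valid Base64" error, which is a quick check that the right values were lifted from the script.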
Tracking Cyber Crime: Gagarincash AV Affiliate (19 June 2011)
Tracking Cyber Crime: Inside the FakeAV Business (14 Jun 2k11)
Security Shield 2011 (11 Jun 2k11)
Essential Cleaner (18 May 2k11)
MS Removal Tool (29 Mar 2k11)
Security Shield (9 Dec 2k10)
System Tool (12 Dec 2k10)
Security Tool (10 Aug 2k10)