Author Topic: Is this code malcode?  (Read 4794 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33916
  • malware fighter
Is this code malcode?
« on: May 26, 2009, 10:47:17 PM »
Hi malware fighters,

I found the following code attached on a web-page of my provider, is this suspicious? Nothing was flagged however by avast,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Is this code malcode?
« Reply #1 on: May 26, 2009, 11:05:27 PM »
These are the VirusTotal results:
http://www.virustotal.com/nl/analisis/898cc70013f761380d37ef7de2cf74a6ac3b499bf57ae3ac9aa9bbcfffadc87b-1243371535

Comodo's scan:
• File Info
  Name      Value
  Size      28515
  MD5       41f46ddbfe907e377b0b916c60ef2376
  SHA1      12be52e5dee4e719a855e869c95c46a022991c69
  SHA256    898cc70013f761380d37ef7de2cf74a6ac3b499bf57ae3ac9aa9bbcfffadc87b
  Process   Failed
• Verdict
  Auto Analysis Verdict: Not Rated as Suspicious

pol

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: Is this code malcode?
« Reply #2 on: May 26, 2009, 11:16:08 PM »
What is the URL, is it the one in the attached file?

I tried to check this code out at gooby.ca and just got some divide by zero errors.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

Re: Is this code malcode?
« Reply #3 on: May 26, 2009, 11:36:26 PM »
Hi DavidR,

Code resides here: hXtp://www.online.nl/typo3conf/ext/rgmedialinks/res/mootools.js
I think it is wrong to obfuscate code that much for proprietary reasons, it is giving real malcoders a head-start, don't you think?
Got this answer on the NoScript forum:
Quote
MooTools is a JavaScript extension library (similar to JQuery or Prototype).
In this case it's just packed with a standard packer, something you usually do to reduce bandwidth usage.
I actually prefer minification, which reduces sizes (slightly less efficiently) by stripping off redundant whitespaces but still retains the code in an almost readable state.
Anyway most webservers today have built-in gzip resource compression, hence there's no compelling reason to keep stuff semi-obfuscated on the web.
legit reasons for obfuscation
Quote
There are many reasons why you would obfuscate the code that has nothing to do with hiding anything. The fact is that the author has a right to protect their work from being ripped off and if that makes it slightly harder, then so be it. Also to reduce code size and speed up execution. So on and so forth, many legit reasons.

pol
« Last Edit: May 27, 2009, 12:43:12 AM by polonus »

Offline DavidR

Re: Is this code malcode?
« Reply #4 on: May 27, 2009, 12:55:31 AM »
I have to say I don't like the lengths they go to to obfuscate javascript if they have nothing to hide, given that javascript is a plain language scripting language.

If the author wants to protect their code, there must be a better way, e.g. the use of a different tool as there are many that browse with javascript off or with NoScript, etc.

Offline polonus

Re: Is this code malcode?
« Reply #5 on: May 28, 2009, 12:45:45 AM »
Hi DavidR,

The main reason for obfuscation on websites to-day is bandwidth related, also here. Again sign of the times, also playing into the hands of malcreants - obfuscated code is obfuscated code whether it is straight or malcode,

polonus

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Is this code malcode?
« Reply #6 on: May 28, 2009, 12:47:30 AM »
Quote
The main reason for obfuscation on websites to-day is bandwidth related
Polonus, can you elaborate?
I never heard about that (not that I'm an expert on this anyway...).
The best things in life are free.

Offline polonus

Re: Is this code malcode?
« Reply #7 on: May 28, 2009, 01:09:20 AM »
Hi Tech,

From one point of view it is a bandwidth thing, yep, it's just a bandwidth thing. Keep things as small as you can, to keep the downloads down. Imagine if every piece of Google code was as big as it "should*" be, and then having to download all these little chunks of code throughout the day. It'd definitely tot up pretty fast... and furthermore it is that the code cannot be too easily analyzed and hacked by a third party.
Users (like e-mule users) do it for reasons so their ISP won't block their P2P traffic that easily, ISP and Google do it for the reasons mentioned above, malcoders do it on a random basis to get under the radar of webmasters and website admins to redirect to silent malcode download sites, and this code should be blocked by the avast shield,

pol


Offline Lisandro

Re: Is this code malcode?
« Reply #8 on: May 28, 2009, 01:12:32 AM »
How does obfuscating decrease the download size in http traffic?
I understand obfuscating of P2P traffic as providers want to block it...

Offline DavidR

Re: Is this code malcode?
« Reply #9 on: May 28, 2009, 01:38:02 AM »
Well in this case it isn't technically obfuscating, but packing the javascript making it smaller (reducing bandwidth) which in turn would obfuscate it in a way.

Though anyone that suggests that this is to save on bandwidth is totally wrong as the file wouldn't be that large in the first place so any packing would produce a very minimal saving.

However true obfuscation could actually increase the size as it takes more physical characters to effectively produce the same code but obfuscated, where one four letter word may when obfuscated take 12 or more characters to obfuscate.

So when they say it is to reduce bandwidth I fear they are trying to use smoke and mirrors to baffle us.
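
The size question argued in this thread (whitespace stripping, gzip on the server, and character-level obfuscation) can be measured directly. The Node.js script below is an added example, not code from the thread or from MooTools; the sample function, the naive whitespace stripper and the `\xNN` escaping are constructed stand-ins for a real minifier and obfuscator.

```javascript
const zlib = require("zlib");

// Constructed sample script (ASCII only); not taken from mootools.js.
const SAMPLE = `
// Toggle a CSS class on every element that matches a selector.
function toggleClassOnAll(selector, className) {
    var elements = document.querySelectorAll(selector);
    for (var index = 0; index < elements.length; index++) {
        var element = elements[index];
        if (element.classList.contains(className)) {
            element.classList.remove(className);
        } else {
            element.classList.add(className);
        }
    }
    return elements.length;
}
`;

// Naive stand-in for a minifier: drop comment-only lines and indentation.
// Joining lines without separators is only safe because SAMPLE ends every
// statement with a semicolon or a brace.
function stripWhitespace(source) {
  return source
    .split("\n")
    .map((line) => line.trim())
    .filter((line) => line !== "" && !line.startsWith("//"))
    .join("");
}

// Character-level obfuscation: every character becomes a four-character
// \xNN escape, so the text grows instead of shrinking.
function hexEscape(source) {
  return Array.from(source, (ch) =>
    "\\x" + ch.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}

// Size as stored, and size after gzip (what a compressing server sends).
function sizes(text) {
  return { bytes: Buffer.byteLength(text), gzip: zlib.gzipSync(text).length };
}

function compare(source) {
  return {
    raw: sizes(source),
    stripped: sizes(stripWhitespace(source)),
    escaped: sizes(hexEscape(source)),
  };
}

console.table(compare(SAMPLE));
```

The `escaped` row is four times the raw size before compression and stays larger than the raw script after gzip, while the `stripped` row shrinks in both columns.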