Hot on the heels of the NBC.com hack last week, Websense® Security Labs™ researchers were alerted by SANS to another high profile website compromise on Friday: bible.org. It appears that the offending code has now been removed from the bible.org website.
At first glance, this seemed to be a run-of-the-mill “compromise, redirect, exploit” chain; however, closer analysis revealed the use of an interesting Honeyclient evasion technique. Honeyclients allow the profiling of websites in a heuristic and automated way; more often, testing a website with a Honeyclient takes longer than signature-based solutions but the results are much more accurate, especially when new zero-day code or a new emerging threat needs to be flagged up and requires scrutiny. Usually, Honeyclients run on top of virtual machine sandboxes: evasion techniques allow malicious code to become more aware of its running environment and to check if it's in a virtual environment or likely to be an 'analysis' environment before actually running malicious code.
This snippet of code is the entirety of the Honeyclient evasion attempt - as the method name suggests, the function ‘jsstatic’ will only be called once the eventhandler registers the movement of the user’s mouse over the document (page) – obviously, a primitive Honeyclient will have no mouse movement emulation, therefore the offending function that leads to exploit code will never be called and alerted on by the Honeyclient.
Let’s take a closer look at the jsstatic function (click to enlarge):
read more........http://community.websense.com/blogs/securitylabs/archive/2013/02/25/web-sandbox-evasion-techniques-bible-org-case.aspx?cmpid=sltw