document.write('htt' + 'p:/' + '/badguysrus.co' + 'm');
but you can still scan for "document.write", so they obfuscate a little more:
eval('docu' + 'ment.w' + 'rite(\'htt\' +' + '\'p:/\' + \'/badguysrus.co\' + \'m\')')
And of course it can get arbitrarily complicated. The reason this makes sense is that current virus scanner technology only checks files for "virus fingerprints" -- which are fixed byte sequences. The above obfuscation already makes it impossible just to check for a link to badguysrus.com, and I can assign values to variables and shuffle them around at will to foil more sophisticated attempts to scan for fixed sequences. At least one obfuscation I've seen obfuscates using a variable key, so that different runs of the obfuscator will result in entirely different sets of byte sequences.
But no matter how obfuscated the code, ultimately it must still contain every bit of the information we need to de-obfuscate it. Why? Because your browser has to run it, for it to fulfill its nefarious purposes.
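The two samples above can be unwound from their text alone, which is the point of the previous paragraph. The following is an added example, not code from the original post: it folds string-literal concatenations and unwraps eval of a constant string, layer by layer, without ever executing the sample. The function names are hypothetical, and it assumes input without comments, regex literals or template strings.

```javascript
// Added example: static de-obfuscation. The sample is only rewritten as text, never run.
const STR = /'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"/y;   // one string literal
const PLUS = /\s*\+\s*/y;                                  // a concatenation operator
const EVAL = /\beval\s*\(\s*'((?:[^'\\]|\\.)*)'\s*\)/g;    // eval of one constant string

// Decode simple escapes (\' \" \\ \n \t \r); \x and \u escapes are not handled here.
function unescapeLiteral(body) {
  return body.replace(/\\(.)/g, (_, c) => ({ n: '\n', t: '\t', r: '\r' }[c] ?? c));
}

// Re-emit a value as a single-quoted literal.
function quote(s) {
  return "'" + s.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/\n/g, '\\n') + "'";
}

// Collapse every run of literal + literal + ... into one literal.
function foldStrings(src) {
  let out = '', i = 0;
  while (i < src.length) {
    STR.lastIndex = i;
    let m = STR.exec(src);
    if (!m) { out += src[i++]; continue; }   // not a literal: copy the character
    let value = unescapeLiteral(m[1] ?? m[2]);
    i = STR.lastIndex;
    for (;;) {                                // absorb each following "+ literal"
      PLUS.lastIndex = i;
      if (!PLUS.exec(src)) break;
      STR.lastIndex = PLUS.lastIndex;
      if (!(m = STR.exec(src))) break;
      value += unescapeLiteral(m[1] ?? m[2]);
      i = STR.lastIndex;
    }
    out += quote(value);
  }
  return out;
}

// Peel layers until nothing changes: fold literals, then unwrap eval('constant').
function deobfuscate(src, maxLayers = 20) {
  for (let n = 0; n < maxLayers; n++) {
    const next = foldStrings(src).replace(EVAL, (_, body) => unescapeLiteral(body));
    if (next === src) break;
    src = next;
  }
  return src;
}

// The two samples from the text above.
const layer1 = "document.write('htt' + 'p:/' + '/badguysrus.co' + 'm');";
const layer2 = String.raw`eval('docu' + 'ment.w' + 'rite(\'htt\' +' + '\'p:/\' + \'/badguysrus.co\' + \'m\')')`;
console.log(deobfuscate(layer1));
console.log(deobfuscate(layer2));
```

Once the layers are peeled, the fixed-string scan that the obfuscation defeated works again on the output. Variable shuffling and keyed encodings need more than constant folding.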
Ultimately, of course, the task as a whole is a dauntingly large one: intelligent analysis of the obfuscational tricks of some pretty smart people. I have no idea how possible it will be to automate -- there will have to be a great deal of interactivity involved, and I frankly have no real concept of how to organize that, especially in an online tool which should ideally be available to the public for anonymous use.