
Speccy users beware! Hacked service could cause you to become infected.


#1 Grinler (Lawrence Abrams), Admin, 43,504 posts, Location: USA

Posted 11 April 2011 - 08:16 PM

A Piriform web service used by Speccy has been compromised to display a malicious JavaScript. This was discovered when one of the BC Advisors, keyboardNinja, was using Speccy to look at his network information. When the information was displayed he noticed that the IP address information was preceded by some HTML that would load a JavaScript from nsa-lab.com, which has no affiliation with the United States National Security Agency. Upon visiting this URL, his antivirus detected it as a malicious JavaScript.

After hearing about it, I downloaded the software and took a look at the network section. I too was being shown the JavaScript before my IP address. When looking at the network traffic I saw that this was being caused by a compromised script on the Piriform website. This script, hxxp://speccy.piriform.com/ip/, was created to output a visitor's public IP address. Somehow it was compromised to also display HTML that, when viewed in a browser, would load a malicious exploit kit from nsa-lab.com. You can see a screen shot of this HTML code in the Speccy interface below:

For most users this compromise won't affect them, as Speccy does not render the HTML that would load the malicious script. Those, though, who save their report as an XML file could run into trouble. That is because by default XML files are automatically loaded into the default browser of Windows. Once this report is loaded in the browser, it will see the JavaScript HTML and execute it. This would cause the JavaScript from nsa-lab.com to launch in the browser and start an exploit kit that attempts to install malware on the computer via exploits that include Sun Java, Adobe Reader, and Adobe Flash vulnerabilities. When the exploit successfully runs, it will install malware onto your computer that has been detected by VirusTotal as:

BitDefender 7.2 2011.04.12 Gen:Variant.Kazy.3281
Commtouch 5.2.11.5 2011.04.06 W32/Hiloti.J.gen!Eldorado
Comodo 8307 2011.04.11 TrojWare.Win32.Trojan.XPack.~gen1
Emsisoft 5.1.0.5 2011.04.11 Gen.Variant.Kazy!IK
F-Prot 4.6.2.117 2011.04.12 W32/Hiloti.J.gen!Eldorado
F-Secure 9.0.16440.0 2011.04.12 Gen:Variant.Kazy.3281
GData 22 2011.04.12 Gen:Variant.Kazy.3281
Ikarus T3.1.1.103.0 2011.04.11 Gen.Variant.Kazy
K7AntiVirus 9.96.4360 2011.04.11 Riskware
Sophos 4.64.0 2011.04.11 Mal/Hiloti-D

I have tried to contact Piriform using the Contact page at their site, but when I submitted the message, I received a 404 error message, as shown below, meaning that the page it was requesting on their site did not exist and thus my message was not sent. Some of the BC staff members though are active on their forums and have passed on the message.

I have also contacted the owners of nsa-lab.com and alerted them to the malicious JavaScript being hosted on their site.

Hopefully this issue will be resolved quickly as Speccy is an excellent program. For those who are using Speccy, though, please do not save the report as XML and open it in a web browser until this issue has been resolved or you will become infected.


#2 killerx525 (Bleepin' Aussie), Members, 7,220 posts, Location: Melbourne, Australia

Posted 11 April 2011 - 08:31 PM

Holy Crap! What mongrels would do this :wacko:

Michael
System1: CPU- Intel Core i7-5820K @ 4.4GHz, CPU Cooler- Noctua NH-D14, RAM- G.Skill Ripjaws 16GB Kit(4Gx4) DDR3 2133MHz, SSD/HDD- Samsung 850 EVO 250GB/Western Digital Caviar Black 1TB/Seagate Barracuda 3TB, GPU- 2x EVGA GTX980 Superclocked @1360MHz/1900MHz, Motherboard- Asus X99 Deluxe, Case- Custom Mac G5, PSU- EVGA P2-1000W, Soundcard- Realtek High Definition Audio, OS- Windows 10 Pro 64-Bit
Games: APB: Reloaded, Hours played: 3100+  System2: Late 2011 Macbook Pro 15inch


#3 master131, Members, 366 posts, Location: Melbourne, Australia

Posted 11 April 2011 - 08:48 PM

Thanks for the heads up Grinler. :thumbup2:

#4 MrBruce1959 (My cat Oreo), BC Advisor, 6,377 posts, Location: Norwich, Connecticut, in the USA

Posted 11 April 2011 - 10:13 PM

> Holy Crap! What mongrels would do this :wacko:

Those who know that we sometimes ask other members to post a Speccy screen shot to get an idea of what their system consists of.

Someone is always trying to wreck someone else's day to gain personal pleasure.

What ever happened to playing video games to relieve this stress?

Bruce.
Welcome to Bleeping Computer! :welcome:
New Members: Please click here for the Bleeping Computer Forum Board Rules
 
My Career Involves 37 Years as an Electronics Repair Technician, to Which I am Currently Retired From.

I Am Currently Using Windows 10 Home Edition.

As a Volunteer Staff Member of Bleeping Computer, the Help That I Proudly Provide Here To Our BC Forum Board Membership is Free of Charge. :wink:

#5 G225, Members, 1 post

Posted 12 April 2011 - 01:08 AM

Thanks for the information!

Kaspersky, NOD32, McAfee and Norton don't detect this malware?

Edited by G225, 12 April 2011 - 01:15 AM.


#6 Andrew (Bleepin' Night Watchman), Moderator, 8,257 posts, Location: Right behind you

Posted 12 April 2011 - 01:55 AM

> Thanks for the information!
>
> Kaspersky, NOD32, McAfee and Norton don't detect this malware?


It doesn't appear so. In any case you should be safe provided you do not open any XML file created by Speccy.

#7 Grinler (Lawrence Abrams), Topic Starter, Admin, 43,504 posts, Location: USA

Posted 12 April 2011 - 08:53 AM

It appears that the developer has resolved this issue. I just wish more developers would not use privacy features on their domains. It makes it much harder to find out how to contact them, especially when the contact form on their site was broken.

#8 keyboardNinja (Bleepin' Ninja), BC Advisor, 4,815 posts, Location: teh interwebz

Posted 12 April 2011 - 09:31 AM

Agreed. On a lot of sites, it is nigh impossible to contact the developers/owners about anything that is not "business" related (i.e. security issue or site error).
PICNIC - Problem In Chair, Not In Computer
20 Things I Learned About Browsers and the Web

#9 Crazy49er, Members, 110 posts, Location: Charlotte, NC

Posted 14 April 2011 - 01:36 PM

Just checked my own version; it seems like it's in the clear. Speccy Portable v1.05.183 shows no signs of the issue. Decided to play guinea pig to aid modern science/technology and created/opened XML files via Speccy Portable. This version seems clear, but I'll hold off on upgrading for a while.

#10 keyboardNinja (Bleepin' Ninja), BC Advisor, 4,815 posts, Location: teh interwebz

Posted 14 April 2011 - 02:26 PM

@Crazy49er, it was not a flaw or hack in the program itself, but the way the program determines your IP address. Speccy queried http://speccy.piriform.com/ip/, but the Speccy server was compromised to host some malicious JavaScript.

> Problem has been fixed. We're currently performing a full investigation into that server.
>
> Please note that the software is fine and doesn't contain a virus, it's a fault on our Speccy server.

You can safely update to the latest version. :)
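The root cause described in posts #1 and #10 is an application trusting a remote "give me my IP" endpoint and writing whatever it returns straight into a report that Windows later opens in a browser. The following is an added illustration, not Speccy's or Piriform's code: it validates the lookup response as a bare IP literal before use and XML-escapes on write, beside the naive behaviour that reproduces the failure mode. The response bodies, element names and the placeholder script URL are constructed for the example.

```python
"""Defensive handling of an untrusted IP-lookup response before it is
embedded in an XML report (illustration; not Speccy/Piriform code)."""
import ipaddress
import re
from typing import Optional
from xml.sax.saxutils import escape

# Constructed sample responses. The second mimics the class of compromise
# discussed in the thread: markup prepended to the expected IP address.
CLEAN_RESPONSE = "203.0.113.7\n"
TAMPERED_RESPONSE = (
    '<script src="http://malicious.example/x.js"></script>203.0.113.7'
)


def parse_ip_response(body: str) -> Optional[str]:
    """Return the address only if the entire body is one IPv4/IPv6 literal.

    Anything else (HTML, extra text, several values) is rejected, so a
    compromised endpoint cannot smuggle markup into the saved report."""
    text = body.strip()
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def naive_report(ip_body: str) -> str:
    """The failure mode: trusting the response and writing it verbatim."""
    return f"<Speccy><Network><IP>{ip_body.strip()}</IP></Network></Speccy>"


def safe_report(ip_body: str) -> str:
    """Validate first, fall back to a neutral marker, and escape on write.

    Escaping is belt-and-braces here: a validated IP never needs it, but
    it protects the report if a future field carries free text."""
    ip = parse_ip_response(ip_body)
    value = ip if ip is not None else "unavailable"
    return f"<Speccy><Network><IP>{escape(value)}</IP></Network></Speccy>"


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script(report: str) -> bool:
    """Cheap triage check to run over an already-saved XML report."""
    return bool(SCRIPT_TAG.search(report))
```

`contains_script` is the check a user could apply to an existing saved report before opening it in a browser; the hardened path is `safe_report`.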

#11 chromebuster, Members, 899 posts, Location: the crazy city of Boston, in the North East reaches of New England

Posted 18 April 2011 - 07:24 PM

I recognize that malware name, though I forget its characteristics.

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#12 Beth102, Members, 60 posts

Posted 19 April 2011 - 04:20 AM

That's awful. Speccy is great... there is so much malware out there; it's a shame.

