Speccy users beware! Hacked service could cause you to become infected.

A Piriform web service used by Speccy has been compromised to display a malicious javascript. This was discovered when one of the BC Advisors, keyboardNinja, was using Speccy to look at his network information. When the information was displayed he noticed that the IP address information was preceded by some HTML that would load a javascript from nsa-lab.com, which has no affiliation with the United States National Security Agency. Upon visiting this url, his antivirus detected it as a malicious javascript.

After hearing about it, I downloaded the software and took a look at the network section. I too was being shown the javascript before my IP address. When looking at the network traffic I saw that this was being caused by a compromised script on the Piriform website. This script, hxxp://speccy.piriform.com/ip/, was created to output a visitors public IP address. Somehow it was compromised to also display HTML, that when viewed in a browser, would load a malicious exploit kit from nsa-lab.com. You can see a screen shot of this HTML code in the Speccy interface below:

For most users this compromise won't affect them as Speccy does not render the HTML that would load the malicious script. Those, though, who save their report as an XML file could run into trouble. That is because by default XML files are automatically loaded into the default browser of Windows. Once this report is loaded in the browser, it will see the javascript HTML and execute it. This would cause the javascript from nsa-lab.com to launch in the browser and start an exploit kit that attempts to install malware on the computer via exploits that include Sun Java, Adobe Reader, and Adobe Flash vulnerabilities. When the exploit successfully runs, it will install malware onto your computer that has been detected by VirusTotal as:

BitDefender 7.2 2011.04.12 Gen:Variant.Kazy.3281
Commtouch 5.2.11.5 2011.04.06 W32/Hiloti.J.gen!Eldorado
Comodo 8307 2011.04.11 TrojWare.Win32.Trojan.XPack.~gen1
Emsisoft 5.1.0.5 2011.04.11 Gen.Variant.Kazy!IK
F-Prot 4.6.2.117 2011.04.12 W32/Hiloti.J.gen!Eldorado
F-Secure 9.0.16440.0 2011.04.12 Gen:Variant.Kazy.3281
GData 22 2011.04.12 Gen:Variant.Kazy.3281
Ikarus T3.1.1.103.0 2011.04.11 Gen.Variant.Kazy
K7AntiVirus 9.96.4360 2011.04.11 Riskware
Sophos 4.64.0 2011.04.11 Mal/Hiloti-D

I have tried to contact Piriform using the Contact page at their site, but when I submitted the message, I received a 404 error message, as shown below, meaning that the page it was requesting on their site did not exist and thus my message was not sent. Some of the BC staff members though are active on their forums and have passed on the message.

I have also contacted the owners of nsa-lab.com and alerted them to the malicious javascript being hosted on their site.

Hopefully this issue will be resolved quickly as Speccy is an excellent program. For those who are using Speccy, though, please do not save the report as XML and open it in a web browser until this issue has been resolved or you will become infected.

Holy Crap! What mongrels would do this

Thanks for the heads up Grinler.

Holy Crap! What mongrels would do this

Those who know that we sometimes ask other members to post a Speccy screen shot to get an idea of what their system consists of.

Someone is always trying to wreak someone else's day to gain personal pleasure.

What ever happened to playing video games to relieve this stress?

Bruce.

Thank for information!

Kaspersky, nod32, Mcafee and Norton doesn't detect this malware ?

Edited by G225, 12 April 2011 - 01:15 AM.

Thank for information!

Kaspersky, nod32, Mcafee and Norton doesn't detect this malware ?

It doesn't appear so. In any case you should be safe provided you do not open any XML file created by Speccy.

It appears that the developer has resolved this issue. I just wish more developers would not use privacy features on their domains. It makes it much harder to find out how to contact them. Especially when the contact form on their site was broken.

Agreed. On a lot of sites, it is nigh impossible to contact the developers/owners about anything that is not "business" related (i.e. security issue or site error).

Just checked my own version, seems like its in the clear speccy portable v1.05.183 shows no signs of the issue. Decided to play guinea pig to aid modern science/technology and created/opened XML files via speccy portable. This version seems clear but I'll hold off on upgrading for a while.

@Crazy49er, it was not a flaw or hack in the program itself, but the way the program determines your IP address. Speccy queried http://speccy.piriform.com/ip/, but the Speccy server was compromised to host some malicious javascript.

Problem has been fixed. We're currently performing a full investigation into that server.

Please note that the software is fine and doesn't contain a virus, it's a fault on our Speccy server.

You can safely update to the latest version.

I recognize that malware name, though I forget it's characteristics.

That's awful Speccy is great...there is so much malware out there it's a shame.

I just posted the question -- and, saw the above  guess we can't do a Speccy Download on a windows 11 notebook?  thx.

 

That issue with Speccy was 11 years ago and was resolved at the time.