Comodo's Site Inspector site suspicious. Hacked?

See: http://chrome.quttera.com/chrome_detailed_report/siteinspector.comodo.com
Also see request for: htxp://siteinspector.comodo.com//javascripts/jrails.js%3F1291890010

Anyone?
The hack in the code is redirecting, see here: htxp://siteinspector.comodo.com" target=“_blank”> < img alt=“Site inspector” src=“^^/images/logo.png?^^1348574868”
going to pr0n…

polonus

Well, the rendering of the site in Google Chrome has changed back to normal. Just good to see the site has no more issues now.

polonus

Good to catch that one. Seems COMODO found and fixed it.

Hi mchain,

There is still a hiccup here:
siteinspector.comodo dot com/javascripts/ suspicious
[suspicious:2] (ipaddr:91.209.196.82) (iframe) siteinspector.comodo dot com/javascripts/
status: (referer=siteinspector.comodo dot com/javascripts/jquery.fancybox.js?1291890010)saved 13622 bytes be79870b0836be88d533c57cb607eaf5a89adaf8
info: [script] siteinspector.comodo dot com/javascripts/jquery.js?1291890010
info: [script] siteinspector.comodo dot com/javascripts/jquery-ui.js?1291890010
info: [script] siteinspector.comodo dot com/javascripts/jrails.js?1291890010
info: [script] siteinspector.comodo dot com/javascripts/application.js?1296117261
info: [img] siteinspector.comodo dot com/images/logo.png?1291890010
info: [img] siteinspector.comodo dot com/images/faq/q4_1.png?1291890010
info: [img] siteinspector.comodo dot com/images/faq/q4_2.png?1291890010
info: [decodingLevel=0] found JavaScript
suspicious:
Quttera’s findings:
Potentially Suspicious files: 2
/javascripts/jquery-ui.js?1291890010
File size[byte]: 84559
Threat type: Potentially Suspicious
Details: Our investigation system run out of memory used for execution process.
Reason: Reached execution stack limit. Stack content: [ call ][ ! ][ %26%26 ][ || ][ prepareOffsets ]
MD5: 4CC062B5CCA2EC99833A8D542FE34081
Scan duration[sec]: 3.416000
/javascripts/jquery.fancybox.js?1291890010
File size[byte]: 15624
Threat type: Potentially Suspicious
Details: Our investigation system run out of memory used for execution process.
Reason: Reached execution stack limit. Stack content: [ = ]
MD5: 8BC36A08C46719377528D962966CE37C
Scan duration[sec]: 0.206000

polonus

hi pol,

One thing that caught my eye was the time-outs/memory process out-of-space in the execution process analysis.

Symantec has a recent blog re new strategies malware authors will use to evade automated threat analysis systems.

http://www.symantec.com/connect/blogs/malware-authors-using-new-techniques-evade-automated-threat-analysis-systems

You probably are aware of this, but even if you aren’t, this is a quick read, so…

Hi mchain,

Now I get:
info: [img] siteinspector.comodo dot com/images/main/q4_2.png (data vector)
info: [decodingLevel=0] found JavaScript
error: undefined variable $
error: undefined function $ (referencing something that does not exist!)
suspicious:

Yes, I am aware there are a couple of these tricks being used by malcreants:
One is detecting whether a sandbox or VM is present, and then the malware stops functioning.
Another one is detecting mouse activity; if mouse-driven traffic is not detected, the malware stops functioning.
A third one is going into sleep mode for some time and then activating or re-activating.
All of these methods are known to circumvent AV detection, and are known to be used now.

In the above case, apart from the reasons you mention, another could be that, with two functions, each calls the other in large JavaScript code bases.
And I think that is what caused it here. Or it could just have been simple recursion causing it.

polonus
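
Added example, not part of the thread and not any scanner's own code: a triage check for a "Reached execution stack limit" verdict that builds a call graph from a script's top-level function declarations and reports which functions are directly or mutually recursive. The sample source and the helper names (`buildCallGraph`, `recursionReport`) are constructed for illustration; the parser assumes simple `function name(...) {` declarations with no braces inside strings or comments.

```javascript
// Constructed sample standing in for a flagged script (not the real jquery-ui.js).
const SAMPLE = `
function isEven(n) { return n === 0 ? true : isOdd(n - 1); }
function isOdd(n) { return n === 0 ? false : isEven(n - 1); }
function walk(node) { if (node) { walk(node.next); } }
function helper(x) { return x + 1; }
`;

// Map each declared function to the set of declared functions its body calls.
function buildCallGraph(src) {
  const decl = /function\s+([A-Za-z_]\w*)\s*\([^)]*\)\s*\{/g;
  const funcs = [];
  let m;
  while ((m = decl.exec(src)) !== null) {
    // Brace matching from just after the opening "{" to find the body end.
    let depth = 1, i = decl.lastIndex;
    while (i < src.length && depth > 0) {
      if (src[i] === '{') depth++;
      else if (src[i] === '}') depth--;
      i++;
    }
    funcs.push({ name: m[1], body: src.slice(decl.lastIndex, i) });
  }
  const graph = new Map();
  for (const f of funcs) {
    const callees = new Set();
    for (const g of funcs) {
      // A call is "name(" not preceded by an identifier character or a dot.
      if (new RegExp('(^|[^\\w$.])' + g.name + '\\s*\\(').test(f.body)) callees.add(g.name);
    }
    graph.set(f.name, callees);
  }
  return graph;
}

// Classify each function: 'direct' (calls itself), 'mutual' (reaches itself via others), 'none'.
function recursionReport(graph) {
  const report = {};
  for (const start of graph.keys()) {
    if (graph.get(start).has(start)) { report[start] = 'direct'; continue; }
    const seen = new Set(), stack = [...graph.get(start)];
    report[start] = 'none';
    while (stack.length) {
      const cur = stack.pop();
      if (cur === start) { report[start] = 'mutual'; break; }
      if (!seen.has(cur)) { seen.add(cur); stack.push(...graph.get(cur)); }
    }
  }
  return report;
}
console.log(recursionReport(buildCallGraph(SAMPLE)));
```

A recursive cycle found this way only explains why an emulator could hit its stack limit; it does not by itself clear or condemn the file.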