Is this detection of baidustatic true?

I mean this is serious! Baidustatic is some kind of website traffic statistics service. The Chinese website I usually browse is using it.
I tested a few pages and Fortinet is reporting the site as malware.
The alerted sites are

  1. htxp://cpro.baidustatic.com/cpro/ui/c.js
  2. htxp://cpro.baidustatic.com/cpro/ui/noexpire/js/3.1.6/closefeedback.min.js
  3. htxp://dup.baidustatic.com/painter/clb/fixed7o.js
  4. htxp://dup.baidustatic.com/tpl/wh.js
  5. htxp://dup.baidustatic.com/tpl/ac.js

Well, there are extra sites besides baidustatic (but most likely FP, because urlquery said they were RedKit Exploit before, but the detection has since been removed by them):
  6. htxp://news.7k7k.com/aobi/
  7. htxp://www.7k7k.com/aoqi/
  8. htxp://www.9lds.com/play.html (It is content within the site; for the original site see: https://www.virustotal.com/en/url/a4d02e3eb3f6133213737b73dd7b9ade8535223b386e4b1dfcb32b070052145b/analysis/1443970040/)

see: https://urlquery.net/report.php?id=1443970200922 and https://urlquery.net/report.php?id=1444053459832
Looks like they only added the site to a blacklist for some reason:
https://www.virustotal.com/en/url/f178578a23897103c3a47d717cc49b37c7dbf89643ff9ced4c5f67b40d6ba2b4/analysis/1443974456/
https://www.virustotal.com/en/url/8b6ff888f19258e8aead6c8549a0a04c40849fc06419884a638268ba70e120cc/analysis/1443974587/
The “.js” itself is clean: https://www.virustotal.com/en/file/2adfd06e2213937ea0f39e2b52937843dbd00c7188418901a98a0d35f9e37bed/analysis/1438575804/

The sites you scanned at urlQuery are listed as infected

Sucuri reports
https://sitecheck.sucuri.net/results/www.4399.com
https://sitecheck.sucuri.net/results/news.7k7k.com

As soon as I went to that site I got it blocked: uMatrix has prevented the following page from loading:
-http://cpro.baidustatic.com/ - seems OK here: https://urlquery.net/report.php?id=1444054903754
htxp://wangmeng.baidu.com opens up for me, but WOT flags it, as there is a report that the site is silently infested with OpenCandy.
They classify this as a seriously suspicious site. Seems OK here: http://toolbar.netcraft.com/site_report?url=http://wangmeng.baidu.com
iFrame check: suspicious - Modifies auto-execute functionality by setting/creating a value in the registry - malicious.


{serviceurl}{paramstring}'
'
{cproserviceurl}{paramstring}'
'
{clickurl}'

With a JavaScript check this is being flagged: Suspicious


? " https://" : " http://"); document.write(unescape("%3cscript src='" + _bdhmprotocol + "hm.baidu.com/h.js%3ff39dfe556bde4e399ff9df50170b13b6' type='text/javascript'%3e%3c/script...

HTTP hijacking going on there: http://insight-labs.org/?p=1682 going to -http://badcreditloansforpersonalpeoplewithloanpayday.com/
uMatrix has prevented the following page from loading:
-http://hm.baidu.com/h.js%3Ff39dfe556bde4e399ff9df50170b13b6'%20type='text/javascript'%3e%3c/script

Then we have to check this external link as well: -http://weibo.com/wmtg → '关注我们' ("Follow us")
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fweibo.com%2Fwmtg++-->++‘关注我们’ seems OK.

polonus (website security analyst and website error hunter)
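The `document.write(unescape(...))` construction quoted above is what the JavaScript check is reacting to: the script tag is assembled at runtime from percent-encoded pieces plus a protocol variable, so a scanner cannot see which host gets loaded without decoding it first. The following is an added example, not code from this thread or from Baidu: a small static check that finds that construction, decodes it with the semantics of the legacy `unescape()`, and reports the script or iframe sources the page would inject. The sample snippet inside it is constructed to mirror the quoted pattern; `EXAMPLEID` and the `_bdhmprotocol` placeholder are stand-ins, not the real tracker script.

```javascript
// Added example (not code from the thread or from Baidu): a static check of
// the kind a URL scanner's "JavaScript check" performs. It finds
// document.write() calls whose argument is built with unescape(), decodes
// the percent-encoding and reports any <script>/<iframe> src that would be
// injected into the page at runtime.

// Constructed sample mirroring the pattern quoted in the thread.
// EXAMPLEID is a placeholder, not the real site id.
const SAMPLE = `
var _bdhmprotocol = (("https:" == document.location.protocol) ? " https://" : " http://");
document.write(unescape("%3cscript src='" + _bdhmprotocol + "hm.baidu.com/h.js%3fEXAMPLEID' type='text/javascript'%3e%3c/script%3e"));
`;

// Percent-decoding with the semantics of the legacy JS unescape():
// %XX and %uXXXX are decoded, everything else is left untouched.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (m, u, x) => String.fromCharCode(parseInt(u !== undefined ? u : x, 16)));
}

// Return the text inside the parentheses of every `callee(...)` call in src,
// honouring string literals so quotes and parens inside strings do not
// confuse the balance count.
function callArguments(src, callee) {
  const out = [];
  let i = src.indexOf(callee + "(");
  while (i !== -1) {
    let depth = 0, quote = null, j = i + callee.length;
    for (; j < src.length; j++) {
      const c = src[j];
      if (quote) {
        if (c === "\\") j++;          // skip an escaped character inside a string
        else if (c === quote) quote = null;
        continue;
      }
      if (c === '"' || c === "'") quote = c;
      else if (c === "(") depth++;
      else if (c === ")" && --depth === 0) break;
    }
    out.push(src.slice(i + callee.length + 1, j));
    i = src.indexOf(callee + "(", j);
  }
  return out;
}

// Flatten a concatenation such as  "%3cscript src='" + proto + "..."  into
// one string. Variables are kept as {name} placeholders, since this is a
// static check and never evaluates the script.
function flattenConcat(expr) {
  const tokens = expr.match(/"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[A-Za-z_$][\w$]*/g) || [];
  return tokens.map(t => (t[0] === '"' || t[0] === "'") ? t.slice(1, -1) : `{${t}}`).join("");
}

// Main check: list the remote sources document.write(unescape(...)) would inject.
function findInjectedSources(jsSource) {
  const findings = [];
  for (const arg of callArguments(jsSource, "document.write")) {
    const inner = callArguments(arg, "unescape");
    if (inner.length === 0) continue;   // plain document.write, not the encoded form
    const decoded = legacyUnescape(flattenConcat(inner[0]));
    const tagRe = /<(script|iframe)\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
    let m;
    while ((m = tagRe.exec(decoded)) !== null) {
      findings.push({ tag: m[1].toLowerCase(), src: m[2], decoded });
    }
  }
  return findings;
}

// Stand-alone run: show what the sample would inject.
for (const f of findInjectedSources(SAMPLE)) {
  console.log(`suspicious: dynamic <${f.tag}> load from ${f.src}`);
}
```

Run with `node` and it reports the decoded `<script>` load from `{_bdhmprotocol}hm.baidu.com/h.js?EXAMPLEID`, which is exactly the information the encoded form hides from a plain string scan; the placeholder shows the scanner still has to reason about the protocol ternary to get the final URL.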

The c.js file it downloads can be found attached - do not open it when not properly protected!

-http://hm.baidu.com/h.js%3ff39dfe556bde4e399ff9df50170b13b6'%20type='text/javascript'%3e%3c/script
That is the main JS module of the Baidu website traffic statistics service. Probably blocked due to the fact that, if you remember, I reported here a few months ago that this script was hijacked to launch a DDoS attack on GitHub. (The hijack stopped 2 or 3 months ago.) I am a little bit confused, because it seems to me that they look harmless, but most of the time "baidu" and "cnzz" are considered malware. What is the difference between tracking and this kind of service?

What is the difference? Not much; this is just the Chinese way of doing tracking, which others on our small globe are into as well.
As you analyze the code that I have attached, what is the difference, for instance, with the average Google ad tracking and what MarkMonitor, for instance, is into? Not much. From the scan reports you see MarkMonitor is a Baidu partner!
It is that the Chinese like their own flaws of code and software. I suspect from the blockings I get from uMatrix that some adware comes included; remember OpenCandy was reported to come from this source as well by a WOT reporter. Maybe we could skim through this code with a magnifying glass :smiley:

polonus

P.S. To see where the code is going also scan using this marvellous tool: http://www.linkwan.net/tr.htm
The trace info from 121.52.210.174 (Beijing server) to 202.108.22.220 (dns.baidu.com):
Hop  IP               Node Domain Name           Location             Time (ms)
1    114.113.148.1                               Beijing, Chaoyang    8
2    10.0.20.17                                  LAN                  4
3    -                -                          -                    Time Out
4    -                -                          -                    Time Out
5    202.106.42.97                               Beijing              4
6    61.148.154.97                               Beijing              4
7    123.126.7.149                               Beijing              2
8    124.65.57.150                               Beijing              2
9    123.125.248.110                             Beijing              2
10   202.108.22.220   xd-22-220-a8.bta.net.cn    Beijing              2
Total 10 hops, traceroute complete!

And see the error here: http://pagespeed.webkaka.com/?q=cpro.baidustatic.com
h.js  hm.baidu.com  N/A  N/A  Error: target object not found (找不到目标对象).

Damian

Hi rickyyeung,

Just thought of scanning here: http://mxtoolbox.com/domain/cpro.baidustatic.com/
8 Problems
Category Host Result
http baidustatic.com The remote name could not be resolved: ‘baidustatic.com’ (http://baidustatic.com)
dmarc baidustatic.com Missing or Invalid Record
spf baidustatic.com No records found
dns baidustatic.com Local NS list does not match Parent NS list
dns baidustatic.com Name Servers are on the Same Subnet
dns baidustatic.com Primary Name Server Not Listed At Parent
dns baidustatic.com SOA Refresh Value is outside of the recommended range
dns baidustatic.com SOA Expire Value out of recommended range

That is more than meets the eye at first glance.

And also 11 problems for the domain the script was on: http://mxtoolbox.com/domain/hm.baidu.com/

11 Problems
Category Host Result
dmarc baidu.com Missing or Invalid Record
blacklist baidu.com Blacklisted by Spamhaus ZEN
smtp mx.n.shifen.com Warning - Does not support TLS.
smtp jpmx.baidu.com Warning - Does not support TLS.
smtp mx1.baidu.com Warning - Does not support TLS.
smtp mx1.baidu.com 10.173 seconds - Not good! on Connection time
smtp mx1.baidu.com 12.690 seconds - Not good! on Transaction Time
dns baidu.com SOA Serial Number Format is Invalid
dns baidu.com SOA Refresh Value is outside of the recommended range
dns baidu.com SOA Expire Value out of recommended range
smtp mx50.baidu.com Warning - Does not support TLS.

So you were right to report this and start the thread here.
Gonna be very informative.
Quite some misconfigurations.
On the 1% involvement in Man-on-the-Side attacks, read here: http://www.netresec.com/?page=Blog&month=2015-03&post=China's-Man-on-the-Side-Attack-on-GitHub (article author: Erik Hjelmvik)

polonus