Malware on this japanese art site?

system · 2015-10-26T23:15:50.000Z

Sucuri reports (possible?) malware on japanese art website pixiv.net which me myself have visited at times. Few other online scanners I tried seem to catch nothing.

https://sitecheck.sucuri.net/results/pixiv.net

polonus · 2015-10-27T00:25:47.000Z

Hi Pernaman,

Again a very interesting posting you came up with for us here, and not an easy nut at all to crack!.
As you can see there is an external link that VT has with detections: https://www.virustotal.com/nl/domain/tjs.sjs.sinajs.cn/information/

An iFrame check comes up as suspicious: Suspicious

-http://d.pixiv.org/show?zone_id=topjack&segments=noseg&format=html&pla_referer_page_name=pixiv&num=5’

Please check this list for unknown links on this website:

-https://booth.pm/ → ‘booth(ç°¡åã«ã’
-http://ja.curecos.com/?ref=pixiv-cool → ‘ã³ã¹ãã¬cure’
-http://worldcosplay.net/?ref=pixiv-cool → ‘worldcosplay’
-https://halol.me/ → ‘halol’

Suspicious to me also: https://www.secure.pixiv.net/login.php?return_to=%2F
tags.php?tag=pixiv%E3%83%95%E3%82%A1%E3%83%B3%E3%82%BF%E3%82%B8%E3%82%A2T
= Unicode/UTF-8-character table landing at: - https://source.secure.pixiv.net/www/js/files/app.min.js?136fc9d88cfb9b351c1e55add23b5175 and - //seal.globalsign.com/SiteSeal/gmogs_image_100-50_ja.js

What about code like this

/*!  / / / /    ／ |  /    `､ i  !  |i   i  ,  l  / / //   ／   | /       | |  |  l !  i  |  | `/ｰ- ､ / ／    | /       | ｌ   |  l l  !  !  i / ,,,,- ﾆ=ｘ- ､_   !/       |i  _, +十'ｲ  i  !  ! ''" ／ :;;r jヽ `￣  ﾘ      ,, -＝､ ﾚ | / /  :|  /:::::;;;;;;;:`::::::l          / :;;r ヽヽ   |/| /   :!  |::::::::;;;;;;;;:::::::l             ｌ:::;;;;;` ::| ｌ  //    :!   '､:_ ''''  ノ          l  '''' ﾉ |  /    :| ::::::::.. ￣               ` ー '   ,'      :| ::::::::::::            ,    ..::::::::::::..l  .:|   :| ::::::::::                :::::::::::::::::::|  :|   :|                     ::::::::::::::: l .:|  l  :|                          /  :| :ｌ  :|                       , '   :::| :|  :| ` 、     ⊂ﾆ＝＝ー‐-     , ｲ    ::::| :|  :| */

this is starting in -https://source.secure.pixiv.net/www/js/files/app.min.js?136fc9d88cfb9b351c1e55add23b5175
We have a poorly constructed api here that is vulnerable, persistent name update vulnerability for app.min.js - the common vulnerability we saw earlier behind the Kardashian sites php tags malcode? → checklist → https://my.hostmonster.com/cgi/help/511

Website test-in log-in errors found up.
Still iFrame is the main suspicious blocking factor here.
SSL certificate = OK.

polonus (volunteer website security analyst and website error-hunter)

system · 2015-10-27T12:36:06.000Z

That is rather interesting, concidering the fact that the site seems to be rather popular and commonly used by great number of people and be pretty popular. At least by quick Googeling I didn’t manage to find any comments about the site spreading malware to it’s users. However, this catched my eye:

http://community.norton.com/en/forums/pixivnet-safe

According to this topic seems that Sucuri has had some iframes flagged for quite long time now, but nonetheless there doesn’t seem to be any bad given reputitioin to this site. As said, I have also visited this site frequently without any problems. :-\

system · 2015-10-28T16:58:02.000Z

Hello again! Sorry for topic lift, but I have something new which I think might fit with this.

I was doing some more Google search for recent possible Pixiv malware notices, and found a result link “times-pixiv.tumblr.com/”. I thought it would be a tumblr site, but when getting there it took me to “times.pixiv.net” which seemed like some sort of blog site for pixiv.net news. While visiting, I checked noscript list for the site, and saw for a glimpse of second one domain that dissappeared quickly. However, Noscripts list of recently blocked website managed to safe it. The blocked moain in it’s fullnes seemed to be “-cs600.wpc.edgecastdns.net”. I got to Google and got a link to Virustotal report of the domain that has some detections, but none for Avast or MBAM, only blacklists seem to come from Bitdefender. Sucuri and Virustotal show clean for times.pixiv.net itself.

https://sitecheck.sucuri.net/results/times.pixiv.net/

https://www.virustotal.com/en/url/633e100521e703c393f32f61d26579acb4daafbcdd3b927b58b0e5bc900fed8a/analysis/

Sucuri.net shows some scripts and iframes seemingly related to tumblr.com, compare to this:

https://sitecheck.sucuri.net/results/dawnlitroad.tumblr.com/

Here’s virustotal report for mentioned domain that Noscript blocked.

https://www.virustotal.com/en/domain/cs600.wpc.edgecastdns.net/information/

Pondus · 2015-10-28T17:22:52.000Z

pixiv.net.htm scan
https://www.virustotal.com/en/file/2fe1cc8a1a703f03238815db9082c3750597f59576f22917e42dd4cee0979c98/analysis/1446052803/

polonus · 2015-10-28T17:38:59.000Z

I see no javascript vulnerabilities, but consider this external link: http://toolbar.netcraft.com/site_report?url=http://oz.plusone.nl. so-called fast-button code display limitations.
Nothing here: https://urlquery.net/report.php?id=1446053261989
But there is insecure log-in vulnerability: [pixiv] padlock icon
www.pixiv.net
Alerts (1)
Insecure login (1)
Password will be transmited in clear to -http://www.pixiv.net/login.php where p_ab_id = 30% insecure tracking.
Infos (1)
Encryption (HTTPS) (1)
Communication is NOT encrypted
Statistics
Images 0 External JS 0
Background images 0 External CSS 0
Objects (Ex: Flash…) 0 IFrames 0

See no direct malcode!

Track the trackers report attached…two widget and one script tracker…

polonus

system · 2015-10-28T17:44:48.000Z

So we could be pretty sure there was nothing noticeably malicious on the site? Did you look up anything about that “edgecastdns.net” domain my Noscript noticed?

Announcements