[nsp-sec] GoDaddy - AS26496

Chris Morrow morrowc at ops-netman.net
Tue Mar 8 09:55:11 EST 2011


Godaddy, a security researcher (at google) noted:

 -----------------------------------------

 Just got this in a popunder, any way we can block *.cuvce.com/* in Chrome?

 Displayed URL is
 hxxp://www[.]cuvce[.]com/download/chrome_1.php?h=eNortjI3s1KqSS4tS07VS87PrTE00DPQMzM20zOoMTLWRZLIKCkpUDV2VDVyA6Ly8nK9tMTk1KT8_GyINiNLS1NTS3MTEyVrXDBrBxpcIg,,

 Directs you to download
 hxxp://www[.]cuvce[.]com/download/chrome/tmp/2011030703/BrowserFeature.crx
 Which expands to:

    Date      Time    Attr         Size   Compressed  Name
 ------------------- ----- ------------ ------------  ------------------------
 2011-03-07 03:18:00 .....         3380         2165  Add0OnAgnosphitys.html
 2011-03-07 03:18:00 .....        14859         8041  Add0OnAgnosphitysBottom.js
 2011-03-07 03:18:00 .....          349          177  manifest.json
 2011-03-07 03:18:00 .....          545          374  external.js
 ------------------- ----- ------------ ------------  ------------------------

 Which is a bunch of obfuscated .js that I'm not going to tear apart
 right now.

 ----------------------------

 Could you can this domain for distributing malware pls?
it looks like, among other things, this site is distributing extensions
for FF and Chrome. The extension:
- sends information about visited pages to the server at cuvce.com
- adds/replaces ads on visited pages
- opens popup ads.

However, it takes commands from the server at cuvce.com, which include
script injection into pages, so it can do much worse.

It would be very nice if Godaddy could take some action, quickly :)

-Chris
(goog-sec-guy #3 of 3)
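The listing quoted above is what you get from unpacking the .crx. As an added illustration (not part of the original post or any GoDaddy/Google tooling), the script below does that unpacking offline: it parses the CRX version-2 container that Chrome used in 2011 (assumed layout: "Cr24" magic, version, key and signature lengths, key, signature, zip), lists the archive entries, and flags manifest settings that permit site-wide script injection. The sample .crx it builds is constructed; the manifest and file contents are invented and only reuse the file names from the report.

```python
import io
import json
import struct
import zipfile

# CRX version 2 layout (the format in use in 2011, assumed here): magic "Cr24",
# uint32 LE version, uint32 LE public-key length, uint32 LE signature length,
# then the key, the signature and finally an ordinary zip archive.
CRX_MAGIC = b"Cr24"


def build_crx2(entries, pubkey=b"\x00" * 16, signature=b"\x00" * 16):
    """Constructed sample: wrap {name: bytes} entries in a CRX2 container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    header = CRX_MAGIC + struct.pack("<III", 2, len(pubkey), len(signature))
    return header + pubkey + signature + buf.getvalue()


def inspect_crx2(blob):
    """Return ([(name, size, compressed)], manifest) for a CRX2 blob."""
    if blob[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file")
    version, key_len, sig_len = struct.unpack("<III", blob[4:16])
    if version != 2:
        raise ValueError("only CRX version 2 is handled here")
    with zipfile.ZipFile(io.BytesIO(blob[16 + key_len + sig_len:])) as zf:
        entries = [(i.filename, i.file_size, i.compress_size) for i in zf.infolist()]
        manifest = json.loads(zf.read("manifest.json"))
    return entries, manifest


def risky_signals(manifest):
    """Flags worth triage: host permissions and content scripts covering every
    site, which is what site-wide script/ad injection needs."""
    broad = [p for p in manifest.get("permissions", []) if p == "<all_urls>" or p.endswith("://*/*")]
    site_wide = [cs for cs in manifest.get("content_scripts", [])
                 if any(m in ("<all_urls>", "*://*/*") for m in cs.get("matches", []))]
    return {"broad_permissions": broad, "site_wide_content_scripts": len(site_wide)}


# Constructed sample reusing file names from the report; contents are invented.
SAMPLE_CRX = build_crx2({
    "manifest.json": json.dumps({"name": "BrowserFeature", "version": "1.0",
                                 "permissions": ["tabs", "<all_urls>"],
                                 "content_scripts": [{"matches": ["<all_urls>"], "js": ["external.js"]}]}),
    "external.js": b"// constructed placeholder, not the real file",
})
```

Run `inspect_crx2(open("BrowserFeature.crx", "rb").read())` on a real CRX2 file to get the same entry listing as above plus the parsed manifest.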


