[nsp-sec] ACK 26496 - Re: GoDaddy - AS26496

Greg Schwimer gschwimer at godaddy.com
Tue Mar 8 11:14:38 EST 2011


Looking into it...

On Tue, 2011-03-08 at 09:55 -0500, Chris Morrow wrote:
> ----------- nsp-security Confidential --------
> 
> Godaddy, a security researcher (at google) noted:
> 
>  -----------------------------------------
> 
>  Just got this in a popunder, any way we can block *.cuvce.com/* in Chrome?
> 
>  Displayed URL is
>  hxxp://www[.]cuvce[.]com/download/chrome_1.php?h=eNortjI3s1KqSS4tS07VS87PrTE00DPQMzM20zOoMTLWRZLIKCkpUDV2VDVyA6Ly8nK9tMTk1KT8_GyINiNLS1NTS3MTEyVrXDBrBxpcIg,,
> 
>  Directs you to download
>  hxxp://www[.]cuvce[.]com/download/chrome/tmp/2011030703/BrowserFeature.crx
>  Which expands to:
> 
>     Date      Time    Attr         Size   Compressed  Name
>  ------------------- ----- ------------ ------------  ------------------------
>  2011-03-07 03:18:00 .....         3380         2165  Add0OnAgnosphitys.html
>  2011-03-07 03:18:00 .....        14859         8041  Add0OnAgnosphitysBottom.js
>  2011-03-07 03:18:00 .....          349          177  manifest.json
>  2011-03-07 03:18:00 .....          545          374  external.js
>  ------------------- ----- ------------ ------------  ------------------------
> 
>  Which is a bunch of obfuscated .js that I'm not going to tear apart
>  right now.
> 
>  ----------------------------
> 
>  Could you can this domain for distributing malware pls?
> It looks like, among other things, this site is distributing extensions
> for FF and Chrome. The extension:
> - sends information about visited pages to the server at cuvce.com
> - adds/replaces ads on visited pages
> - opens popup ads.
> 
> However, it takes commands from the server at cuvce.com, which include
> script injection into pages, so it can do much worse.
> 
> It would be very nice if Godaddy could take some action, quickly :)
> 
> -Chris
> (goog-sec-guy #3 of 3)
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________




