Author Topic: Sucuri and nvidia.com  (Read 11099 times)


Ijkoy

  • Guest
Sucuri and nvidia.com
« on: February 24, 2014, 11:02:42 AM »
Hi,

I just wanted to download the latest drivers for my gfx card. As the Sucuri site was open in my browser at the time, I just scanned nvidia.com, expecting that everything was okay. But Sucuri showed me a warning about nvidia.com instead (http://sitecheck.sucuri.net/results/www.nvidia.com).

As I'm no expert I have no idea if this is a false positive. Nvidia and Sucuri don't respond to me, but maybe someone here can help me find out if there was/is a real threat. I was on nvidia.com and I'm therefore a bit worried.

Thanks!


Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Sucuri and nvidia.com
« Reply #1 on: February 24, 2014, 05:38:47 PM »
Hi, it appears Sucuri is detecting nvidia.ru (Russian). I've asked Polonus to come and help you.
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33916
  • malware fighter
Re: Sucuri and nvidia.com
« Reply #2 on: February 24, 2014, 06:19:26 PM »
Hi Ijkoy &  Michael (alan1998)

From a site like this one we would expect otherwise, but the overall security situation is worse than I ever thought. :-[

Here we see errors and insecurities exposed: https://asafaweb.com/Scan?Url=www.nvidia.com%2Fpage%2Fhome.html
Custom Errors Fail can expose internal configuration details to attackers.
Excessive header info also:
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Http Only Cookie * vuln - and Clickjacking vuln warnings - misspelled domain name for malicious purposes.

As this scan is also confirming this situation: https://www.virustotal.com/nl/ip-address/184.51.126.9/information/

Well, Sucuri isn't the only scanner that detects.
Web Security Test detects this from the JavaScript check:
Suspicious
.location = "htxp://www.nvidia.ru/page/home.html"; } if (existingcookie=="de") { window.location = "htxp://www.nvidia.de/page/home.html"; } if (existingcookie=="es") { window.l...
and naturally we see traces of a hack as we check the 404 error page: Suspicious
Re: http://jsunpack.jeek.org/?report=7b3271d196e510baaef41cd789101053d0df56ee
Suspicious 404 Page:
   document.write(unescape('%3c')+'\!-'+'-') //--></script><noscript><p><img src="htxp://omniture.nvidia.com/b/ss/nvidiau ->
Here I get a connection refused: http://jsunpack.jeek.org/?report=333d9c6562d0eff5b0402f5a869155ff96552e0e
Looks here like someone launched some bitcoin vanish attack :D

So Sucuri detected a suspicious domain there: if (existingcookie=="RU") { window.location = "htxp://www.nvidia.ru/page/home.html"; } * vuln
see: http://labs.sucuri.net/db/malware/malware-entry-mwblacklisted35
so Sucuri blacklisted the site.

I would wait to go there until this site has been cleansed/taken down.

polonus
« Last Edit: February 25, 2014, 02:42:32 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
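The issues the scanners above report (version-disclosing headers, a cookie without HttpOnly, no framing protection, and a cookie-driven window.location redirect to a blocklisted host) can be checked offline from a captured response. This is an added example, not code from any poster or from Sucuri; the HTTP response, the hostnames and the blocklist in it are constructed for the example.

```python
import re

# Headers that leak server/framework versions, as listed in the asafaweb scan above.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

def parse_response(raw):
    """Split a raw HTTP/1.1 response into [(name, value), ...] headers and a body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body

def audit_headers(headers):
    """Findings: version disclosure, cookies without HttpOnly, no clickjacking protection."""
    findings = []
    names = {n for n, _ in headers}
    for name, value in headers:
        if name in VERSION_HEADERS:
            findings.append(f"version disclosure: {name}: {value}")
        if name == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "httponly" not in attrs:
                findings.append(f"cookie without HttpOnly: {value.split(';')[0]}")
    if not names & {"x-frame-options", "content-security-policy"}:
        findings.append("no X-Frame-Options or CSP header: clickjacking exposure")
    return findings

# Matches the cookie-driven `window.location = "..."` redirects the scanners quoted.
REDIRECT_RE = re.compile(r'window\.location\s*=\s*"https?://([^/"]+)[^"]*"')

def redirect_hosts(body):
    # Hosts a page script can send the browser to via window.location.
    return sorted({h.lower() for h in REDIRECT_RE.findall(body)})

def blocklisted_redirects(body, blocklist):
    # Redirect targets on a blocklist; this is what makes a scanner flag the page itself.
    return [h for h in redirect_hosts(body) if h in blocklist]

# Constructed sample response; hostnames and blocklist are made up for this example.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 1.1.4322\r\n"
    "Set-Cookie: lang=RU; path=/\r\n\r\n"
    '<script>if (existingcookie=="RU") { window.location = "http://ru.example.test/page/home.html"; }'
    ' if (existingcookie=="de") { window.location = "http://de.example.test/page/home.html"; }</script>'
)
SAMPLE_BLOCKLIST = {"ru.example.test"}
```

Running `audit_headers` and `blocklisted_redirects` over `SAMPLE` reproduces each of the thread's findings; a response with `X-Frame-Options` and `HttpOnly` cookies and no version headers yields none.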

Offline Michael (alan1998)

Re: Sucuri and nvidia.com
« Reply #3 on: February 24, 2014, 07:50:46 PM »
Hi Ijkoy &  Michael (alan1998)

From a site like this one we would expect otherwise, but the overall security situation is worse than I ever thought. :-[

Here we see errors and insecurities exposed: https://asafaweb.com/Scan?Url=www.nvidia.com%2Fpage%2Fhome.html
Custom Errors Fail can expose internal configuration details to attackers.
Excessive header info also:
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Http Only Cookie * vuln - and Clickjacking vuln warnings - all these insecurities are signs of sloppy server management where site is being hosted.

As this scan is also confirming this situation: https://www.virustotal.com/nl/ip-address/184.51.126.9/information/

Who wants to ride in a cheap chair here and at what cost?

Well, Sucuri isn't the only scanner that detects.
Web Security Test detects this from the JavaScript check:
Suspicious
.location = "htxp://www.nvidia.ru/page/home.html"; } if (existingcookie=="de") { window.location = "htxp://www.nvidia.de/page/home.html"; } if (existingcookie=="es") { window.l...
and naturally we see traces of a hack as we check the 404 error page: Suspicious
Re: http://jsunpack.jeek.org/?report=7b3271d196e510baaef41cd789101053d0df56ee
Suspicious 404 Page:
   document.write(unescape('%3c')+'\!-'+'-') //--></script><noscript><p><img src="htxp://omniture.nvidia.com/b/ss/nvidiau ->
Here I get a connection refused: http://jsunpack.jeek.org/?report=333d9c6562d0eff5b0402f5a869155ff96552e0e
Looks here like someone launched some bitcoin vanish attack :D

So Sucuri detected a suspicious domain there: if (existingcookie=="RU") { window.location = "htxp://www.nvidia.ru/page/home.html"; } * vuln
see: http://labs.sucuri.net/db/malware/malware-entry-mwblacklisted35
so Sucuri blacklisted the site.

I would wait to go there until this site has been cleansed.

polonus

I had seen the redirect. I thought that was a little bit weird. Thanks for the confirmation. I'll go tell Lorie to add it to the block list at my school for a little while. You'd think they would keep the site from being exposed like that. Such a big name being "hacked" is not good.

Offline polonus

Re: Sucuri and nvidia.com
« Reply #4 on: February 24, 2014, 10:45:45 PM »
Hi, Michael (alan1998)

Well, with these timeouts I'm getting now, it seems they are cleaning it all up: http://maldb.com/www.nividia.com/
Address is unreachable. Site is down for maintenance -> : http://www.downforeveryoneorjustme.com/www.nividia.com

Haven't we been there before on their forums: http://nakedsecurity.sophos.com/2012/07/13/nvidia-android-forums-hackers/
Security history teaches us all........ and then you may complete that sentence yourself, please.
From not that long ago: https://nl.dolphin-emu.org/blog/2014/01/17/hacked-up-the-VSH/ (link article author = MajorR)

pol


Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Sucuri and nvidia.com
« Reply #5 on: February 25, 2014, 12:08:59 AM »
Hi Polonus,

Just a heads up that in your previous post you gave analysis results to nividia.com instead of nvidia.com.

See: http://maldb.com/www.nvidia.com/

Regards,
~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

Re: Sucuri and nvidia.com
« Reply #6 on: February 25, 2014, 12:29:23 AM »
Thanks !Donovan, see how cleverly that misspelling plays into the hands of the malcreants going here: htxp://www.nvidia.com/page/home.html

pol

Ijkoy

  • Guest
Re: Sucuri and nvidia.com
« Reply #7 on: February 25, 2014, 09:24:56 AM »
Thank you very much for your answers. Can you explain where the actual vulnerability is? All I see is a redirect to the Russian Nvidia site if a certain cookie exists. Was there a hack on the Russian site, and is that why this redirect alarms Sucuri? Sorry for my curiosity :)

Offline Michael (alan1998)

Re: Sucuri and nvidia.com
« Reply #8 on: February 25, 2014, 11:25:37 AM »
Hi, Sucuri thought the wXw.nvidia.com redirect to wXw.nvidia.ru was suspicious. May I ask why you don't use GeForce Experience to update? It's a little simpler lol.

Edit: Broke the links :)

Ijkoy

  • Guest
Re: Sucuri and nvidia.com
« Reply #9 on: February 25, 2014, 11:32:05 AM »
So apart from the redirect there's nothing really malicious, I mean it's just a redirect?

I need drivers for an old GeForce card. And since I got problems after an update I want to switch back to the drivers I had before :)

Offline Michael (alan1998)

Re: Sucuri and nvidia.com
« Reply #10 on: February 25, 2014, 06:07:15 PM »
I don't know. All I see is a redirect. Polonus indicated they were cleaning the site up. Let me check with Sucuri again and see if it comes back.

Offline Michael (alan1998)

Re: Sucuri and nvidia.com
« Reply #11 on: February 25, 2014, 06:09:34 PM »
Looks like the redirect is still there.

Offline polonus

Re: Sucuri and nvidia.com
« Reply #12 on: February 25, 2014, 06:27:42 PM »
See how it is being detected now: http://maldb.com/www.nvidia.com/#
Avast: HTML:Iframe-inf
VIPRE: Heur.HTML.MalIFrame (v)
Norman: Iframer.AU
Sophos: Mal/Iframe-V
GData: HTML:Iframe-inf
ESET-NOD32: HTML/Iframe.B.Gen

see iframe malware here: http://jsunpack.jeek.org/?report=c8be58cd122643b1335b984c2d58bd3d85f0eebb
and http://analysis.hsoub.com/websites/nvidia.com

pol

Ijkoy

  • Guest
Re: Sucuri and nvidia.com
« Reply #13 on: February 26, 2014, 09:14:54 AM »
See how it is being detected now: http://maldb.com/www.nvidia.com/#
Avast: HTML:Iframe-inf
VIPRE: Heur.HTML.MalIFrame (v)
Norman: Iframer.AU
Sophos: Mal/Iframe-V
GData: HTML:Iframe-inf
ESET-NOD32: HTML/Iframe.B.Gen

see iframe malware here: http://jsunpack.jeek.org/?report=c8be58cd122643b1335b984c2d58bd3d85f0eebb
and http://analysis.hsoub.com/websites/nvidia.com

pol

It seems like nvidia.com cleaned it up. Sucuri results are now okay. Can you confirm this, Polonus, with all your other sources? Thanks!

Edit: Never mind, Sucuri was just unable to connect, but now lists the malware again.
« Last Edit: February 26, 2014, 09:31:37 AM by Ijkoy »

Ijkoy

  • Guest
Re: Sucuri and nvidia.com
« Reply #14 on: February 26, 2014, 03:37:28 PM »
I rescanned nvidia.com several times over the day, always the same.

What I'm wondering about is, wouldn't there be a bigger outcry if Nvidia really delivered malware? That's why I'm under the impression that this is just some kind of sloppiness by Nvidia and not really malware. In addition, Sucuri states that nvidia.com is malicious because of a blacklisted site which comes after a redirect (the Russian site):

*Suspicious domain detected. Details: http://sucuri.net/malware/malware-entry-mwblacklisted35
if (existingcookie=="RU") { window.location = "http://www.nvidia.ru/page/home.html"; }

When I scan http://www.nvidia.ru/page/home.html, Sucuri states that everything is fine. So in fact it's not really blacklisted?! I don't get it...