Author Topic: Comodo's Site Inspector site suspicious. Hacked?  (Read 3304 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Comodo's Site Inspector site suspicious. Hacked?
« on: October 27, 2012, 04:30:22 PM »
See: http://chrome.quttera.com/chrome_detailed_report/siteinspector.comodo.com
Also see request for: htxp://siteinspector.comodo.com//javascripts/jrails.js%3F1291890010

Anyone?
The hack in the code is redirecting, see here: htxp://siteinspector.comodo.com" target="_blank"> < img alt="Site inspector" src="^^/images/logo.png?^^1348574868"
going to pr0n...

polonus
« Last Edit: October 27, 2012, 04:51:03 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Comodo's Site Inspector site suspicious. Hacked?
« Reply #1 on: October 27, 2012, 10:18:16 PM »
Well, the rendering of the site in Google Chrome has changed back to normal. Just good to see the site has no more issues now.

polonus

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5633
  • Spartan Warrior
Re: Comodo's Site Inspector site suspicious. Hacked?
« Reply #2 on: October 27, 2012, 10:33:19 PM »
Good to catch that one.  Seems COMODO found and fixed it.
Windows 10 Home 64-bit 22H2 Avast Premier Security version 24.1.6099 (build 24.1.88821.762)  UI version 1.0.797
 UI version 1.0.788.  Windows 11 Home 23H2 - Windows 11 Pro 23H2 Avast Premier Security version 24.2.6105 (build 24.1.8918.827) UI version 1.0.801

Offline polonus

Re: Comodo's Site Inspector site suspicious. Hacked?
« Reply #3 on: October 27, 2012, 11:17:22 PM »
Hi mchain,

There is still a hiccup here:
siteinspector.comodo dot com/javascripts/ suspicious
[suspicious:2] (ipaddr:91.209.196.82) (iframe) siteinspector.comodo dot com/javascripts/
     status: (referer=siteinspector.comodo dot com/javascripts/jquery.fancybox.js?1291890010)saved 13622 bytes be79870b0836be88d533c57cb607eaf5a89adaf8
     info: [script] siteinspector.comodo dot com/javascripts/jquery.js?1291890010
     info: [script] siteinspector.comodo dot com/javascripts/jquery-ui.js?1291890010
     info: [script] siteinspector.comodo dot com/javascripts/jrails.js?1291890010
     info: [script] siteinspector.comodo dot com/javascripts/application.js?1296117261
     info: [img] siteinspector.comodo dot com/images/logo.png?1291890010
     info: [img] siteinspector.comodo dot com/images/faq/q4_1.png?1291890010
     info: [img] siteinspector.comodo dot com/images/faq/q4_2.png?1291890010
     info: [decodingLevel=0] found JavaScript
     suspicious:
Quttera's findings:
Potentially Suspicious files: 2
/javascripts/jquery-ui.js?1291890010
File size[byte]:    84559
Threat type:   Potentially Suspicious
Details:    Our investigation system run out of memory used for execution process.
Reason:    Reached execution stack limit. Stack content: [ call ][ ! ][ %26%26 ][ || ][ prepareOffsets ]
MD5:   4CC062B5CCA2EC99833A8D542FE34081
Scan duration[sec]:    3.416000
/javascripts/jquery.fancybox.js?1291890010
File size[byte]:    15624
Threat type:   Potentially Suspicious
Details:    Our investigation system run out of memory used for execution process.
Reason:    Reached execution stack limit. Stack content: [ = ]
MD5:   8BC36A08C46719377528D962966CE37C
Scan duration[sec]:    0.206000

polonus

Offline mchain

Re: Comodo's Site Inspector site suspicious. Hacked?
« Reply #4 on: October 28, 2012, 05:58:25 AM »
hi pol,

One thing that caught my eye was the time-outs/memory process out-of-space in the execution process analysis.

Symantec has a recent blog re new strategies malware authors will use to evade automated threat analysis systems.

http://www.symantec.com/connect/blogs/malware-authors-using-new-techniques-evade-automated-threat-analysis-systems

You probably are aware of this, but even if you aren't, this is a quick read, so...

Offline polonus

Re: Comodo's Site Inspector site suspicious. Hacked?
« Reply #5 on: October 28, 2012, 03:16:09 PM »
Hi mchain,

Now I get:
info: [img] siteinspector.comodo dot com/images/main/q4_2.png  (data vector)
     info: [decodingLevel=0] found JavaScript
     error: undefined variable $
     error: undefined function $  (referencing something that does not exist!)
     suspicious:

Yes, I am aware there are a couple of these tricks being used by malcreants:
One is detecting whether a sandbox or VM is present, and then the malware stops functioning.
Another one is detecting mouse activity; if mouse-driven traffic is not detected, the malware stops functioning.
A third one is going into sleep mode for some time and then activating or re-activating.
All of these methods are known to circumvent av detection, and are known to be used now.

In the above case, apart from the reasons you mention, another could be that two functions each call the other in large JavaScript code bases.
And I think that is what caused it here. Or it could just have been simple recursion causing it.

polonus
« Last Edit: October 28, 2012, 03:41:49 PM by polonus »
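The "Reached execution stack limit" lines in the quoted reports and the mutual-recursion explanation above, shown as an added example that is not code from this thread, Quttera or Comodo: a small instrumented-execution harness that gives analysed functions a call-depth budget and turns stack exhaustion into a report object rather than a crash. The harness names (instrument, analyze, MAX_DEPTH) and both sample scripts are constructed for the demo; "prepareOffsets" is borrowed from the quoted stack content only as a label.

```javascript
const MAX_DEPTH = 500; // analyzer's call-depth budget (constructed value)

class StackLimitError extends Error {}

function newCtx() {
  return { stack: [], calls: 0, snapshot: null };
}

// Wraps fn so each call is recorded on ctx.stack. The deepest frame snapshots
// the stack top when any error (budget hit or native RangeError) fires, before
// the finally blocks unwind and pop the frames away.
function instrument(ctx, name, fn) {
  return function (...args) {
    ctx.stack.push(name);
    ctx.calls += 1;
    try {
      if (ctx.stack.length > MAX_DEPTH) throw new StackLimitError("depth budget");
      return fn.apply(this, args);
    } catch (e) {
      if (ctx.snapshot === null) ctx.snapshot = ctx.stack.slice(-5);
      throw e;
    } finally {
      ctx.stack.pop();
    }
  };
}

// Runs entry() and converts stack exhaustion into a verdict modelled on the
// "Reason: Reached execution stack limit. Stack content: [...]" report line.
function analyze(ctx, entry) {
  try {
    const value = entry();
    return { verdict: "clean", value, calls: ctx.calls };
  } catch (e) {
    if (e instanceof StackLimitError || e instanceof RangeError) {
      return { verdict: "potentially suspicious", reason: "Reached execution stack limit",
               stackContent: ctx.snapshot, calls: ctx.calls };
    }
    throw e; // anything else is a genuine error in the sample; surface it
  }
}

// Sample 1 (constructed): two functions that call each other with no base case.
function runawaySample() {
  const ctx = newCtx();
  const a = instrument(ctx, "prepareOffsets", (n) => b(n + 1));
  const b = instrument(ctx, "call", (n) => a(n + 1));
  return analyze(ctx, () => a(0));
}

// Sample 2 (constructed): recursion with a base case, 50 levels deep, so clean.
function boundedSample() {
  const ctx = newCtx();
  const depth = instrument(ctx, "nodeDepth", (node) => (node.child ? 1 + depth(node.child) : 0));
  let tree = {};
  for (let i = 0; i < 50; i++) tree = { child: tree };
  return analyze(ctx, () => depth(tree));
}
```

The flagged result carries the last five frame names, which is the kind of context a reviewer needs to tell a looping pair of functions apart from deliberately deep but finite recursion.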