by EdmoOnSecurity » Mon Mar 09, 2015 9:20 pm
Good day,
I use ESET security software and every once in a while, a warning message pops up indicating that an SSL connection has been blocked:
Pic related;
I have now figured out that this occurs whenever NoScript updates itself to the latest version and takes me to the corresponding webpage on noscript.net , eg:
https://noscript.net/?ver=2.6.9.17&prev=2.6.9.16
Within the source code, on that page, is the following:
Obviously, it seems a little unusual that a legitimate web developer would place this line of code 500+ spaces away from the rest of the main body. Looking over to the main body, it is noticeable that this is part of a seemingly redundant...
...element which refers to itself as "goog1e" spelt with the the number one instead of a lower case "L" (line 288);
If you look towards the bottom of the page, there is another "text/css" style type element which appears to have obfuscated code within (lines 309-325). At this time, I don't know what this does or where it points.
It's getting late where I am and I still have the new Top Gear from yesterday to watch, I'll try and do a little more analysis tomorrow. In the meantime, I look forward to hearing your thoughts on the above.
Regards,
@EdmoOnSecurity
Good day,
I use ESET security software and every once in a while, a warning message pops up indicating that an SSL connection has been blocked:
[code]ssl://store.uniblue.com[/code]
Pic related;
[img]https://i.imgur.com/rhvEK69.png[/img]
I have now figured out that this occurs whenever NoScript updates itself to the latest version and takes me to the corresponding webpage on noscript.net , eg: [url]https://noscript.net/?ver=2.6.9.17&prev=2.6.9.16[/url]
Within the source code, on that page, is the following:
[img]https://i.imgur.com/KHuMGm0.png[/img]
Obviously, it seems a little unusual that a legitimate web developer would place this line of code 500+ spaces away from the rest of the main body. Looking over to the main body, it is noticeable that this is part of a seemingly redundant...
[code]<style type="text/css ... />[/code]
...element which refers to itself as "goog1e" spelt with the the number one instead of a lower case "L" (line 288);
[img]https://i.imgur.com/ql12565.png[/img]
If you look towards the bottom of the page, there is another "text/css" style type element which appears to have obfuscated code within (lines 309-325). At this time, I don't know what this does or where it points.
It's getting late where I am and I still have the new Top Gear from yesterday to watch, I'll try and do a little more analysis tomorrow. In the meantime, I look forward to hearing your thoughts on the above.
Regards,
@EdmoOnSecurity