Troubleshoot Google Chrome Unusual Connection and Crypto Type Behavior

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
On one machine I noticed the PC was racing. It had been doing this for some time, but I wasn't aware because I have streaming video running behind the scenes much of the time on this one PC. Then I noticed that under the same conditions the problem wasn't present on another computer with the video running. That led me to be curious if there were some kind of crypto activity going on with a page. I shut down the video page and sure enough the processor was still racing, so then I really started to wonder.

Some things about this episode (there are lots of things):

-I noticed an unusual IP listed in connections list in FortKnox Firewall on both PCs. It's a local type connection that o/c IPVoid returns no information for. This IP is 192.0.73.2:443. Anyone else see this when using Chrome or anything similar?
-My bandwidth is not affected by the processor usage, meaning no extra traffic is coming in or out of the PC over the internet. Glad for that.
-The racing processor issue only happens with one page. It's a page I linked through a thread here.

Intel Releases Spectre Patches for More CPUs

The first link in the first post titled "Skylake processors".

OK, so back to this episode. Because of the list of symptoms, I have some speculation, and I would like any input:

1. Only the single page on a single PC. It happens no matter how I link the page. However, it's not happening on any other page on the site or anywhere else. This is strange. This tab was open for probably two weeks, because of Meltdown and Spectre issues I have. So it almost seems like something hand-picked this page to attempt to abuse from this PC or somehow. Again, traffic is normal...if the video is off it's nil, even with Chrome open. Weird.

Hi CPU.png

Lo CPU.png

2. Could this site be partially hacked, as in, given time (a link open for a long time), some kind of cryptominer can use the site and steal my processor bandwidth?
3. One thing I thought of about malicious activity that maybe exists, idk. I thought, OK, everyone knows how Chrome updates. When it does, hashes change. Security programs notice and adjust o/c. Well, with that in mind, could malware change files in Chrome when it updates and not be caught since the legit update had just happened (or is still happening) etc.? Imagining what could happen if some reverse-engineered and altered files were placed in place of Chrome files. Like, you will help me infect sites for crypto etc. Kind of scary.

Guys, FortKnox Firewall gets better with each minute I use the app. I am even using it with Comodo Firewall at the same time, with both firewalls running. So far no conflicts. The presentation takes I guess a couple of weeks to maybe a month to get used to, but then you start to learn what can be done with the Advanced rules. OK, no IP ranges, but I can block a single IP for all apps in a single rule etc. Also, I can monitor local if I am willing to enter 10-15 local addresses for allows in individual rules. Very nice. Still can monitor svchost specifically for other traffic by just setting it to ask. Same for kernel or any other vulnerable app.
 

AtlBo

Thx. I was looking at the situation from the perspective of why this one page on one machine.

I forgot to mention one important thing. This AM and twice today, the system32 cmd.exe module wanted to contact the internet. The IPs in each case were blackholed by Threat Crowd. That's what started me wondering if I could be infected with a miner. I blocked both of those, so I'm not too worried for now. One of them is blocked by FortKnox on a regular basis, though. The racing processor only happened on the one page but there was no associated bandwidth usage...maybe the blocked IPs? idk...

I'm going to monitor this for now. I can see how this might pick a page in Chrome to blame it somehow and then try to use the net maybe? However, if there is a miner here, I also think it can't connect. I want to see if it happens again (on a different page) before I jump to conclusions though...

cruelsister said:
> Just curious, do you have a WordPress extension installed on the browser, or have you gone to a WordPress site recently?

I haven't, @cruelsister, and don't. I made a couple of blogs using Blogger many moons ago. They are still there but I haven't updated them in a long time.

But you jogged my memory again, I did notice that I was logged into Disqus on the affected PC on the page. Well, about an hour ago I deleted the account. That didn't resolve the processor usage issue though. It still happens.

I try some kind of out-there security type apps like IP checkers and so I risk it a little bit on this PC. I'm OK with that. It's my kind of testing, which is a lot safer than testing malware...I just take a calculated risk on a program sometimes even if I don't know the dev from his site, etc. Not very often, just sometimes...and I watch on this PC with NVT ERP.

Really cool that I can sync internet connection requests with activity in the NVT ERP logs btw. Another great reason to keep NVT running in the tray. However, watch out or you will have 3 years and 3 gigs of data in the NVT logs folder LOL...
 

AtlBo

Got a ton of pics on this, because it is strange...like mega strange. First some things. Here are the actual things I have noticed lately:

1. Processor on this PC races on the one SecurityWeek page...now all of them
2. Java is not installed on this PC
3. Processor activity is all associated with Chrome
4. Visitors who read and close the page do not see the spike
5. I had the page open for maybe a week or two, and I leave the browser open all day basically on this PC
6. There is no associated data moving across the internet from my location
7. I did have strange pop ups from cmd.exe asking if I would allow it to connect. It was two separate IPs, both of which I blackholed in FortKnox FW. I can't tell, and I am a little concerned that something on this PC (malware?) may be telling someone someplace who to hack with a crypto miner because the page is constantly open etc. However, the cmd.exe associated IP blocks ease my mind about that some. I will keep watching.
8. Installed Fences 1.0 or whatever it is yesterday because it's decent and can be firewalled. However, it's kind of crazy for its times. Some question whether it may have a hand in the cmd.exe IPs
9. I can match NVT ERP logs to the time of these events to see what precedes the connection attempt. I'll be working on that. Looked already but nothing conclusive.
10. All I can say is if I open that site the processor will race. Does my opening of pages lead to a hack of a site? Maybe, and that would mean malware on my computer. I think more likely, this malware waits on the site server for a page to be open for a long time...then strikes for processor power via its crack. I guess this would be a vulnerability of Google, but only testing could say. Remember ALL the processor activity is attached to a Chrome.exe process on this end, so the problem is either Chrome is hijacked here or the site was hacked.

Conclusion

Don't have one. Going to be watching to see if I notice anything later. For now here is pictorial evidence of what could be a hijacked site. I doubt seriously SecurityWeek.com would do this intentionally themselves:

Processor before clicking the link to open SecurityWeek.com

Click History Link to SecurityWeek.png

Processor jump after clicking the link to open SecurityWeek.com->instantaneous

Processor Jump After Click History Link to SecurityWeek.png

Data rate to and from PC with SecurityWeek.com page closed

10 Data Rate to and from PC No Security Week.png

Data rate to and from PC with SecurityWeek.com open

11 Data Rate to and from No Security Week Open.png

Chrome well behaved no SecurityWeek.com page open

12 Chrome Well Behaved No Security Week.png

Chrome and system CPU SecurityWeek.com page open

Chrome and System CPU Secuirty Week Open.png

cmd.exe block surrounded by NTKernel blocks via FortKnox Firewall

14 cmd exe Block Surrounded by NTKernel Blocks.png

IPVoid information on block by Threat Crowd

15 Threat Crowd Blackhole of Now Blocked IP.png

Threat Crowd's look at cmd.exe IP activity

16 Blocked cmd exe Threat Crowd Info.png

More cmd.exe attempts blocked

More cmd exe Blocks.png

And this little gem I noticed. Maybe this is courtesy of Google apps support and or Google Docs...Blocked...:)

Google Port Monitoring 5353 Possibly Google Docs.png

Thanks for looking. Pls post any comments. This brings me back to a belief I have. If sophisticatedly crafted malware can worm its way...any way at all...onto a system, it can make spaghetti out of the internet and no one ever knows it was there. Kind of scary. Hoping for rapid advancements in internet monitoring and also in firewalling...
 


AtlBo

Thx for the link. Page comes up clean everywhere I have looked so far. No idea what the scan means except I believe it says it's clean.

UrlScan Dot io.png

I honestly think the site has been hacked. Malware probably waits for an established connection with a browser open for a long time before flipping on the coiner...
 

AtlBo

Couldn't do the tab thing. No way to save sessions for now, although there probably is a way. However, after a reboot, I get this for the sites:

Same story after boot:

Extension Blocking by Malware on the Site Perhaps.png

This was a little bit on the low end. It was mostly 40-45% on Gerold's:

Gerold's High Usage.png

Well, if the hackers turn this down so no one will really notice, that's the scary scenario. On a lighter note, the PC fan did start making the buzzing noise back a couple of hours ago. I just cleaned it, but it's an older PC (i3-540 c.2011), so I guess I need to replace all of them.

I just updated the lists in UBO using @Evjl's Rain's links. The first one seems to me to be on the server and able to shut down extensions or block them from accessing their lists. If so, that seems like a breach of Chrome's container to me.
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
hi, I found a problem on that page but I don't think it's related to cryptomining

1/ When I entered the page using the filters I posted, I saw the URL brightinfo.com was blocked repeatedly/endlessly. This means the page was trying to load ad images from brightinfo but it was blocked, so the page kept trying again and again in a loop, >10k blocked items. CPU usage was constant around 15% (i7-3630QM)
1.png

2/ StevenBlack hosts is the only one which can block brightinfo -> I temporarily disabled StevenBlack -> the page loaded normally without any CPU peaking, but in exchange for some floating ads originating from brightinfo
CPU usage without StevenBlack hosts, in idle, was 0%
2.PNG

3/ I performed some URL scans and found these results
VT: 0/67
Scan report for http://brightinfo.com/ at 2018-03-10 10:44:32 UTC - VirusTotal

quttera on brightinfo: safe
FREE Online Website Malware Scanner | Website Security Monitoring & Malware Removal | Quttera

quttera on securityweek: MALICIOUS
FREE Online Website Malware Scanner | Website Security Monitoring & Malware Removal | Quttera
quttera detected a malicious PHP
Code:
[[<a href="/thousands-devices-hacked-rakos-botnet">Thousands of Devices Hacked by Rakos Botnet</a>]]

However, I think it's a false positive because the page doesn't seem so malicious:
Thousands of Devices Hacked by Rakos Botnet | SecurityWeek.Com

Scan report for https://www.securityweek.com/thousands-devices-hacked-rakos-botnet at 2018-03-10 10:48:11 UTC - VirusTotal
 
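The mechanism Evjl's Rain describes above, a page script that re-requests an ad host after every blocked request with no delay and no cap, is what turns a hosts-list entry into steady CPU load in the tab. The following is an added example for this thread, not code from SecurityWeek, brightinfo or any poster: a simulated loader written in that naive pattern, next to a bounded version with capped attempts and exponential backoff. The injected `loader` function, the attempt budget and the `net::ERR_BLOCKED_BY_CLIENT` error string are assumptions constructed so the simulation runs offline.

```javascript
// Added example (not SecurityWeek's or brightinfo's code): a loader that
// retries a blocked request with no delay and no cap, next to a bounded
// version. `loader` is injected so this runs offline; it resolves when the
// request "succeeds" and rejects when a content blocker drops it.

// Naive pattern: on error, try again immediately, forever. The only thing
// that stops it here is the caller's budget, which stands in for the tab
// staying open. Thousands of attempts show up as thousands of blocked items
// in uBlock's logger.
async function naiveRetryLoader(loader, budget) {
  let attempts = 0;
  for (;;) {
    attempts += 1;
    try {
      await loader();
      return { ok: true, attempts };
    } catch (_err) {
      if (attempts >= budget) return { ok: false, attempts };
      // No delay and no cap: the tab spins as fast as the event loop allows.
    }
  }
}

function defaultSleep(ms) {
  return new Promise((resolve) => setTimeout(resolve, ms));
}

// Hardened pattern: a fixed attempt limit, exponential backoff with a ceiling,
// and a final failure the page can act on (for example by giving up on that
// ad slot) instead of looping.
async function boundedRetryLoader(loader, options = {}) {
  const {
    maxAttempts = 5,
    baseDelayMs = 200,
    maxDelayMs = 5000,
    sleep = defaultSleep, // injectable so a test does not have to wait
  } = options;
  const delays = [];
  for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
    try {
      await loader();
      return { ok: true, attempts: attempt, delays };
    } catch (_err) {
      if (attempt === maxAttempts) break;
      const delay = Math.min(maxDelayMs, baseDelayMs * 2 ** (attempt - 1));
      delays.push(delay);
      await sleep(delay);
    }
  }
  return { ok: false, attempts: maxAttempts, delays };
}

// Constructed stand-in for a request dropped by a hosts list or blocker
// (Chrome reports such requests as net::ERR_BLOCKED_BY_CLIENT).
function alwaysBlocked() {
  return Promise.reject(new Error('net::ERR_BLOCKED_BY_CLIENT'));
}

// Constructed stand-in for a host that answers after a given number of failures.
function flakyAfter(failures) {
  let calls = 0;
  return () => {
    calls += 1;
    return calls <= failures
      ? Promise.reject(new Error('net::ERR_BLOCKED_BY_CLIENT'))
      : Promise.resolve('loaded');
  };
}
```

Run `naiveRetryLoader(alwaysBlocked, 10000)` and it returns only when the budget is exhausted, after 10000 attempts, which is the ">10k blocked items" pattern; `boundedRetryLoader(alwaysBlocked)` gives up after 5 attempts with delays of 200, 400, 800 and 1600 ms between them. The backoff ceiling matters as much as the cap: without it a long-lived tab would still eventually schedule very long waits, and without the cap a permanently blocked host is retried forever.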

AtlBo

With UBO + UBO+ + Privacy Badger + Netcraft + HTTPS E + 360 Web Shield on one computer -> no processor usage. With UBO + UBO+ + HTTPS E + PB only on another computer -> 75-100% constant.

Thing is I think you will have to leave the page open in the open browser for hours or maybe even days for the processor to start. I am crazy, so I just leave computers on for days and browser open and all kinds of crazy things like this. I test things for long periods like long boots with long runtimes for programs and this kind of thing to see what will break if anything. So this tab was open for like a week maybe, and I do suspect the site was hacked by one of its trusted domains...

For now, I can test this site any time (still high usage), if any of you have an idea of how. Pls let me know if I can add to UBO anything or use any verified safe extension etc. to see what site is behind the activity. UBO setup:

Adguard Spyware Filters
EasyPrivacy
Fanboy’s Enhanced Tracking List
Adguard’s Annoyance List
http://www.jabcreations.com/downloads/adblock-filters.php
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

Not sure about these. I have them if they are in UBO+:

Adversity
Blockzilla
English Filter
uBlock Filters +
 

Evjl's Rain

AtlBo said:
> With UBO + UBO+ + Privacy Badger + Netcraft + HTTPS E + 360 Web Shield on one computer -> no processor usage. With UBO + UBO+ + HTTPS E + PB only on another computer -> 75-100% constant. [...]
> Not sure about these. I have them if they are in UBO+:
Sorry, I don't get what you mean, my English is limited.
Please post a screenshot of uBlock's logger when you see high CPU usage and count the number of blocked items on the uBlock icon.
Without a log I'm blind, I don't know anything.

For your information, I removed Privacy Badger from my extension list because it consumed noticeable CPU on some sites and it didn't do anything outstanding that convinced me to keep it. It barely blocked anything on some websites with obvious trackers.

The filters below are the extra ones I got from filterlists.com because they have some generic rules which are quite useful.
They are not present in uBlock.

If you want to test:
temporarily uncheck StevenBlack hosts or just allow brightinfo.com and open the page, you will see the CPU will no longer increase
 

AtlBo

Thx. I see. One of the feeder domains is spamming Chrome. What I don't get is why it's 100% on this processor. It benchmarks at around 2500 passmark, which is decent compared to what you guys are running. Yet you are not seeing anywhere nearly the activity.

brightinfo.png

Isn't this strange for a site like SecurityWeek to be doing business with this type of domain?
 

Evjl's Rain

AtlBo said:
> Thx. I see. One of the feeder domains is spamming Chrome. What I don't get is why it's 100% on this processor. [...]
> Isn't this strange for a site like SecurityWeek to be doing business with this type of domain?
I don't know. Maybe it's due to a combination of uBlock repeatedly blocking brightinfo and Privacy Badger.
You can open Google Chrome's built-in task manager to see what the other cause is (I suspect PB). Note that the CPU usage reported in Chrome's task manager is always higher than normal and can reach 200%, so just divide the number by half or 1/3.

I think this website uses brightinfo to deliver ads because it's an uncommon ad server which nobody except StevenBlack has blocked (StevenBlack is an AIO hosts file merged from many other well-known hosts lists).
 

AtlBo

OK yes it's all the extensions in GoogTaMgr. All have high processor activity.

I get the same usage without PB or HTTPS installed in Chrome. I added those after I noticed high processor to duplicate the PC where I wasn't seeing any activity.

Question remains for me about why another computer doesn't have any activity on the page.

OK, it's a little stranger too. Consider that on the unaffected computer I use an extension "The Great Suspender" to suspend tabs (5 mins) and also the Qihoo 360 webshield. GoogTaMgr on this unaffected PC is 0%. No processor use for any extensions.

I will add The Great Suspender and the 360 Web Shield to 100% duplicate the extensions, then see what happens. However, maybe brightinfo noticed that the connection remained to the page for a long time and then began spamming the connection. Not saying yes this happened, but maybe. Why one machine and not the other? Only difference really is the open page for a long time.

Trying 360 webshield first, then the Great Suspender
 

Evjl's Rain

The lock only appears after you change any rule -> you should click on the + sign in the second column of brightinfo.com -> when it turns green the lock will appear -> this means the rule will be saved. Without clicking the lock, the rule will be temporary and will be reverted after you close your browser.

the first column = the rule is applied to all websites
the second column = the rule is applied to the current website only
 
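What those two clicks write out, as an added illustration rather than anything posted in the thread: uBlock Origin keeps dynamic filtering rules as plain lines of `source destination type action` (visible under Settings > My rules after the lock is clicked). Using the hostnames from the thread, with the exact SecurityWeek page hostname assumed, the second-column rule and the first-column rule look like this:

```text
www.securityweek.com brightinfo.com * allow
* brightinfo.com * allow
```

The first line is the site-scoped rule (second column in the panel): brightinfo.com is allowed only while on www.securityweek.com. The second line is the global rule (first column): brightinfo.com is allowed on every site. A dynamic `allow` rule overrides static filters, including the StevenBlack hosts entry, which is why it stops the retry loop without disabling the whole list; because it also switches off static filtering for that destination, the site-scoped form is the one to keep.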

AtlBo

Don't worry about it @Evjl's Rain. Can't change the color on any site with any kind of click. Don't know why. Happens on both PCs I am working on now. Was running in Comodo sandbox then turned it off for Chrome. Maybe that is the reason, so I'll try the sandbox again. Thx for the tips and help...
 
