Geekness – closer to the world

Geeky at the Lake of Zurich

corp-google.com: Check your HTML Source

Update: I have decompressed the Applet
http://cocaman.ch/uploads/corp-google-hack.txt

DO NOT DOWNLOAD AND EXECUTE THE EXE FILE! I WARNED YOU!


Original story …

A friend of mine (his client uses Bluewin for hosting his website) just asked me why the Google Analytics service wants to start a Java applet which is unsigned. Well, as it turned out, the applet wasn't from the real Google but from an injected piece of JavaScript:
ht-tp://i.corp-google.com/i.js

This injected JavaScript looks like this:

A dig to zelda.corp-google.com:

corsin@pantera:~$ dig zelda.corp-google.com

; <<>> DiG 9.4.2-P2 <<>> zelda.corp-google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51216
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;zelda.corp-google.com. IN A

;; ANSWER SECTION:
zelda.corp-google.com. 41 IN A 76.22.252.142

;; Query time: 33 msec
;; SERVER: 62.2.17.61#53(62.2.17.61)
;; WHEN: Mon Nov 24 16:34:11 2008
;; MSG SIZE rcvd: 55

The IP address is:

c-76-22-252-142.hsd1.tn.comcast.net (76.22.252.142)

Whois data (source: http://whois.domaintools.com/corp-google.com)

Domain Name: CORP-GOOGLE.COM
Registrar: VITALWERKS INTERNET SOLUTIONS LLC DBA NO-IP
Whois Server: whois.no-ip.com
Referral URL: http://www.no-ip.com
Name Server: NS1.NO-IP.COM
Name Server: NS2.NO-IP.COM
Name Server: NS3.NO-IP.COM
Name Server: NS4.NO-IP.COM
Name Server: NS5.NO-IP.COM
Status: clientTransferProhibited
Updated Date: 15-oct-2008
Creation Date: 15-oct-2008
Expiration Date: 15-oct-2009

No contact information is available for the domain. Even the company running the whois server has no data.

Go ahead and check your source code for any includes of corp-google.com!
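
One way to run that check over saved page source, as an added example that is not part of the original post: it flags URL attributes and inline script strings whose host is corp-google.com or any subdomain of it. The sample page, its paths and the look-alike host notcorp-google.com are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

BAD_DOMAIN = "corp-google.com"  # the domain named in the post
URL_ATTRS = {"src", "href", "codebase", "archive", "data"}
# The domain or a subdomain inside script text, but not as part of a longer name.
INLINE_RE = re.compile(r"(?<![\w.-])((?:[\w-]+\.)*corp-google\.com)(?![\w-]|\.[\w-])", re.I)

def is_bad_host(host):
    host = (host or "").lower().rstrip(".")
    return host == BAD_DOMAIN or host.endswith("." + BAD_DOMAIN)

def host_of(url):
    try:  # urlsplit also handles protocol-relative URLs ("//host/path")
        return urlsplit(url.strip()).hostname
    except ValueError:
        return None

class IncludeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, where, value)
        self.in_script = False
    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
        for name, value in attrs:
            if name in URL_ATTRS and value and is_bad_host(host_of(value)):
                self.findings.append((self.getpos()[0], tag, value.strip()))
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        if self.in_script:  # injected code may build the URL from a string
            for m in INLINE_RE.finditer(data):
                line = self.getpos()[0] + data.count("\n", 0, m.start())
                self.findings.append((line, "inline-script", m.group(1)))

def scan_html(text):
    scanner = IncludeScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings

# Constructed sample page: line 3 and line 4 should be flagged, the rest not.
SAMPLE = """<html><head>
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="HTTP://I.Corp-Google.com/i.js"></script>
<script>var u = "//zelda.corp-google.com/x";</script>
<a href="http://notcorp-google.com/">ok</a></head></html>"""
```

Call `scan_html()` on the text of each page or template; every finding is a `(line, where, value)` tuple to review by hand.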

UPDATE:
Here is the whois for the domain

Domain Name: CORP-GOOGLE.COM
Created On: 15-Oct-2008 13:41:07 UTC
Last Updated On: 15-Oct-2008 13:41:07 UTC
Expiration Date: 15-Oct-2009 13:41:07 UTC
Sponsoring Registrar: Vitalwerks Internet Solutions, LLC / No-IP.com
Registrant Name: Santoro, Giovanni
Registrant Organization:
Registrant Street1: 2525 Tarkiln Oaks Drive
Registrant Street2:
Registrant City: Pensacola
Registrant State/Province: FL
Registrant Postal Code: 32506
Registrant Country: US
Registrant Phone: +1.3215085261
Registrant FAX: +1.3215085261
Registrant Email: giovanni.santoro@safe-mail.net
Admin Name: Santoro, Giovanni
Admin Street1: 2525 Tarkiln Oaks Drive
Admin Street2:
Admin City: Pensacola
Admin State/Province: FL
Admin Postal Code: 32506
Admin Country: US
Admin Phone: +1.3215085261
Admin FAX: +1.3215085261
Admin Email: giovanni.santoro@safe-mail.net