Neurohazard
Evening clouds and misty moon, white-haired and still poring over the classics; all things in creation, thus have I heard.

On the domain canonicalizer.ucsuri.tcs

wpadmin ~ March 20, 2019 / InfoSec


Background

An unusual HTTP request was intercepted in Firefox.
Its content was roughly as follows:

POST /680074007400700073003a002f002f00700069006e0067002e002e0063006800650063006b0061007000700065007800650063002e006d006900630072006f0073006f00660074002e0063006f006d002f00770069006e0064006f00770073002f007300680065006c006c002f0061006300740069006f006e007300 HTTP/1.1
Accept-Encoding: gzip, deflate
X-OI-Thumbprint: 154cda3ef3299e031f660850b40db1d30b53aec9
User-Agent: SmartScreen/2814750890000521
Authorization: SmartScreenHash eyJhdXRooIjoiVGR4R0tIWXBqVjg9Iiwia2V5IjoiZ1YxVjByYmlaeXVRVWV3ZENiQ29DQT09In0=
Content-Length: 1346
Content-Type: application/json; charset=utf-8
Host: canonicalizer.ucsuri.tcs
Pragma: no-cache
Connection: close

{"config":{"device":{"appControl":{"level":"anywhere"},"appReputation":{"enforcedByPolicy":false,"level":"warn"}},"user":{"uriReputation":{"enforcedByPolicy":false,"level":"warn"}}},"identity":{"caller":{"locales":["zh-CN","en-US"],"process":{"application":{"$type":"win32","path":"C:\\Windows\\System32\\smartscreen.exe"},"creationTime":"131974819******536","id":2764,"owner":"S-1-5-21-250279****-404402****-239399****-1001"}},"client":{"data":{"offlineExperience_zh-CN":"23749272507****304980338013937214574612","script":"166080520357002240460585396258367723085.rel.v2"},"version":"2814750890000521"},"device":{"architecture":9,"browser":{"edge":"Microsoft.MicrosoftEdge_42.1****.1.0_neutral__8wekyb3d8bbwe","internetExplorer":"9.**.*****.0"},"cloudSku":false,"enterprise":null,"family":3,"id":"wGYaWTYZPWz34=:0","locale":"zh-CN","netJoinStatus":2,"onlineIdTicket":"t=GwAWwE=&p=","osVersion":"10.0.*****.523.rs4_release"},"user":{"locale":"zh-CN"}}}

After base64 decoding, the Authorization header looks roughly like this:

{"authId":"adfff4ad-****-****-****-2ad4267aeed6","hash":"TdxGKHYpjV8=","key":"gV1V0rbiZyuQUewdCbCoCA=="}
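As an added example (not code from the original post), a small Python triage helper for a request of this shape: it decodes the hex-encoded UTF-16LE request path into the target URL, parses the SmartScreenHash token, and pulls the calling process out of the JSON body. The sample request is constructed from the capture above (body trimmed to identity.caller.process; the token is rebuilt from the decoded JSON, since the header as printed is masked), and the function names are mine.

```python
import base64
import json
# Constructed sample built from the request captured in this post: hex path,
# Host and User-Agent as captured; body trimmed to identity.caller.process;
# Authorization token rebuilt from the decoded JSON the post shows, because
# the token as printed there is masked and no longer base64-decodes.
HEX_PATH = ("680074007400700073003a002f002f00700069006e0067002e002e0063006800"
            "650063006b0061007000700065007800650063002e006d006900630072006f00"
            "73006f00660074002e0063006f006d002f00770069006e0064006f0077007300"
            "2f007300680065006c006c002f0061006300740069006f006e007300")
AUTH_JSON = ('{"authId":"adfff4ad-****-****-****-2ad4267aeed6",'
             '"hash":"TdxGKHYpjV8=","key":"gV1V0rbiZyuQUewdCbCoCA=="}')
AUTH_TOKEN = base64.b64encode(AUTH_JSON.encode()).decode()
SAMPLE_REQUEST = (
    "POST /" + HEX_PATH + " HTTP/1.1\r\n"
    "Host: canonicalizer.ucsuri.tcs\r\n"
    "User-Agent: SmartScreen/2814750890000521\r\n"
    "Authorization: SmartScreenHash " + AUTH_TOKEN + "\r\n"
    "Content-Type: application/json; charset=utf-8\r\n\r\n"
    r'{"identity":{"caller":{"process":{"application":{"$type":"win32",'
    r'"path":"C:\\Windows\\System32\\smartscreen.exe"},"id":2764}}}}'
)

def decode_utf16_hex_path(path):
    """The request path is the looked-up URL as hex-encoded UTF-16LE; return the URL."""
    return bytes.fromhex(path.lstrip("/")).decode("utf-16-le")

def decode_smartscreen_hash(value):
    """Decode 'SmartScreenHash <base64 JSON>'; None if the scheme differs or the token is masked/corrupt."""
    scheme, _, token = value.partition(" ")
    if scheme != "SmartScreenHash":
        return None
    try:
        return json.loads(base64.b64decode(token, validate=True))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None

def triage(raw):
    """Summarise one captured SmartScreen request: host, target URL, token, caller."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    _method, path, _version = request_line.split(" ", 2)
    headers = {n.strip().lower(): v.strip() for n, _, v in (h.partition(":") for h in header_lines)}
    process = json.loads(body)["identity"]["caller"]["process"]
    return {
        "host": headers.get("host"),
        "target_url": decode_utf16_hex_path(path),
        "auth": decode_smartscreen_hash(headers.get("authorization", "")),
        "caller_path": process["application"]["path"],
        "caller_pid": process["id"],
    }
```

Run `triage(SAMPLE_REQUEST)` to see the decoded target URL next to the caller path; a token that fails to decode (as the masked one above does) yields `auth: None` rather than an exception.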

Analyses elsewhere suggest that this is part of SmartScreen, with the request issued by ieapfltr.dll.

strings -el ieapfltr.dll | grep "\.tcs"
Results: canonicalizer.ucsuri.tcs http://canonicalizer.ucsuri.tcs

http://security5magics.blogspot.com/2018/05/what-is-canonicalizerucsuritcs.html

https://forums.malwarebytes.com/topic/237034-any-win10-smartscreencanonicalizerucsuritcs-link/
