Wednesday, May 9, 2018

What is canonicalizer.ucsuri.tcs?

Recently I have observed a few hosts attempting to POST data to this domain, albeit unsuccessfully, as this is not a valid domain. Everything about the data in the PCAP suggests Microsoft SmartScreen, such as the user agent and even the decoded hex in the HTTP request header.

For example:

252F680074007400700073003a002f002f00700069006e0067002e002e0063006800650063006b0061007000700065007800650063002e006d006900630072006f0073006f00660074002e0063006f006d002f00770069006e0064006f00770073002f007300680065006c006c002f0061006300740069006f006e007300
Decoded, this is https://ping..checkappexec.microsoft.com/windows/shell/actions (the bytes after the leading 25 2F, i.e. ASCII "%/", are UTF-16LE, which is why every character is followed by 00).

Upon further investigation, I found that several hosts were attempting to query and unsuccessfully resolve this domain. So I did some digging, and the results ranged widely:

A patent for reputation-based software
patentimages.storage.googleapis.com/pdfs/US8695092.pdf

A suggestion that this is part of a Canon printer
https://translate.google.com/translate?hl=en&sl=de&u=https://www.windows-7-forum.net/threads/canonicalizer-ucsuri-tcs.44343/&prev=search

A couple of Hybrid Analysis sandbox submissions for phishing pages where this domain was observed in DNS

An AlienVault OTX entry showing that this hostname did not resolve even a few years ago
https://otx.alienvault.com/indicator/hostname/canonicalizer.ucsuri.tcs?utm_medium=InProduct&utm_source=ThreatCrowd

Pivoting from the AlienVault link, I went to the associated VirusTotal page:
https://www.virustotal.com/en/domain/canonicalizer.ucsuri.tcs/information/

The relevant information here is:
Latest files that are not detected by any antivirus solution and embed URL pattern strings with the domain provided.

Which links here:
https://www.virustotal.com/en/file/1437c574656520724e6ceafa00667d90b8abc78bd54d8962ece21a4203c7f726/analysis/

The piece that stands out here is the file name: ieapfltr.dll, which is the SmartScreen Filter component of Internet Explorer.
So I figured I would pull a few known clean hosts together, a Windows 7 host and a couple of Windows 10 hosts, and sure enough they all have this DLL. In each case I ran the following:

strings -el ieapfltr.dll | grep "http"
or
strings -el ieapfltr.dll | grep "\.tcs"

(-el tells strings to look for 16-bit little-endian, i.e. UTF-16LE, strings, which is how Windows binaries store most of their text; a plain strings run would miss them.)

Results of the second command on every host:
canonicalizer.ucsuri.tcs
http://canonicalizer.ucsuri.tcs
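As an added example that is not part of the original post, the following Python does the same two things by hand: it decodes the UTF-16LE hex from the captured POST (copied from above) and reproduces what `strings -el ... | grep "\.tcs"` does against a binary. The binary here is a small constructed blob standing in for a DLL, not bytes from the real ieapfltr.dll; to repeat the author's check you would feed `open(path, "rb").read()` to `utf16le_strings` instead.

```python
# Added example, not from the original post: a Python equivalent of
# (1) decoding the UTF-16LE hex seen in the POST and
# (2) what `strings -el <file> | grep "\.tcs"` does to a binary.
import re


def utf16le_strings(data, minlen=4):
    """Return printable UTF-16LE strings of at least `minlen` characters in `data`.

    Windows binaries store most text as UTF-16LE, so each ASCII character is a
    printable byte followed by a NUL byte; that pair pattern is what
    `strings -el` searches for. Plain ASCII strings are deliberately NOT found.
    """
    run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % minlen)
    return [m.group().decode("utf-16-le") for m in run.finditer(data)]


def decode_utf16le_hex(hexstr):
    """Decode a hex dump and return the UTF-16LE strings embedded in it.

    Bytes that are not part of a UTF-16LE run, such as the leading 25 2F ('%/')
    in the captured POST, are skipped instead of being mis-decoded into a stray
    non-ASCII character, which a blanket .decode('utf-16-le') would produce.
    """
    return utf16le_strings(bytes.fromhex(hexstr))


def find_tcs(strings):
    """The grep step: keep only strings that contain the bogus .tcs TLD."""
    return [s for s in strings if ".tcs" in s]


# Hex copied from the captured POST shown earlier in the post.
POST_HEX = (
    "252F680074007400700073003a002f002f00"
    "700069006e0067002e002e00"
    "63006800650063006b0061007000700065007800650063002e00"
    "6d006900630072006f0073006f00660074002e00"
    "63006f006d002f00"
    "770069006e0064006f00770073002f00"
    "7300680065006c006c002f00"
    "61006300740069006f006e007300"
)


def build_sample_blob():
    """Constructed stand-in for a DLL (NOT bytes from the real ieapfltr.dll):
    a few code-like bytes, one ASCII string and three UTF-16LE strings."""
    return (
        b"MZ\x90\x00\x03\x00"
        + b"\x55\x8b\xec\x83\xec\x10"
        # ASCII string; the extra NUL after its terminator stops the scanner
        # from chaining its last byte into the UTF-16LE string that follows.
        + b"This ASCII string is invisible to strings -el\x00\x00"
        + "canonicalizer.ucsuri.tcs".encode("utf-16-le") + b"\x00\x00"
        + b"\x8b\xff\x55\x8b\xec"
        + "http://canonicalizer.ucsuri.tcs".encode("utf-16-le") + b"\x00\x00"
        + "SmartScreen Filter".encode("utf-16-le") + b"\x00\x00"
    )


if __name__ == "__main__":
    print("POST body decodes to:", decode_utf16le_hex(POST_HEX))
    blob = build_sample_blob()  # replace with open(path, "rb").read() for a real DLL
    for s in find_tcs(utf16le_strings(blob)):
        print(s)
```

The scanner requires a run of at least four character/NUL pairs, the same default minimum length as `strings`, so short accidental pairs inside code bytes are not reported; the ASCII string in the sample blob is skipped entirely, which is exactly why `strings -el` rather than plain `strings` was needed to surface the .tcs hostname.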

My conclusion is that this is a part of SmartScreen, but why have only a couple of hosts been observed with a POST to this domain? Why are so many hosts attempting to resolve this domain? What is the purpose of this invalid TLD anyway? I'm left with a lot of questions, but I do not believe at this time that there is anything malicious about this domain. I'm hoping someone has some more information about this; if you do, please contact me.