Wednesday, May 9, 2018

What is canonicalizer.ucsuri.tcs?

Recently I have observed a few hosts which were attempting to POST data to this domain, albeit, unsuccessfully as this is not a valid domain. Everything about the data in the PCAP suggests Microsoft SmartScreen, such as the user agent and even the decoded hex in the HTTP request header:

For example:

252F680074007400700073003a002f002f00700069006e0067002e002e0063006800650063006b0061007000700065007800650063002e006d006900630072006f0073006f00660074002e0063006f006d002f00770069006e0064006f00770073002f007300680065006c006c002f0061006300740069006f006e007300
Translates to https://ping..checkappexec.microsoft.com/windows/shell/actions

Upon further investigation, I found that several hosts were attempting to query and unsuccessfully resolve this domain.  So I did some digging and the results for this ranged wildly:

A Patent for reputation based software
patentimages.storage.googleapis.com/pdfs/US8695092.pdf

A suggestion that this is part of a Canon printer
https://translate.google.com/translate?hl=en&sl=de&u=https://www.windows-7-forum.net/threads/canonicalizer-ucsuri-tcs.44343/&prev=search

A couple Hybrid-analysis sandbox submissions for phishing pages where this domain was observed in DNS

And an AlienVault link which shows that this link didn't resolve even back a few years ago
https://otx.alienvault.com/indicator/hostname/canonicalizer.ucsuri.tcs?utm_medium=InProduct&utm_source=ThreatCrowd

Pivoting from the AlienVault link, I wen to the associated VirusTotal page:
https://www.virustotal.com/en/domain/canonicalizer.ucsuri.tcs/information/

The relevant information here is:
Latest files that are not detected by any antivirus solution and embed URL pattern strings with the domain provided.

Which links here:
https://www.virustotal.com/en/file/1437c574656520724e6ceafa00667d90b8abc78bd54d8962ece21a4203c7f726/analysis/

The piece that stands out here is the file name: ieapfltr.dll, which is part of SmartScreen.
So, I figured I would pull a few known clean hosts together, a Windows 7 and a couple Windows 10 hosts and sure enough they have this dll. In each case I ran the following:

strings -el ieapfltr.dll | grep "http"
or
strings -el ieapfltr.dll | grep "\.tcs"


strings -el ieapfltr.dll | grep "\.tcs"
Results: canonicalizer.ucsuri.tcs http://canonicalizer.ucsuri.tcs

My conclusion is that this is a part of SmartScreen, but why have only a couple hosts been observed with a POST to this domain? Why are so many hosts attempting to resolve this domain? What is the purpose of this non-valid TLD anyway? I'm left with a lot of questions, but do not believe at this time that there is anything malicious about this domain. I'm hoping someone has some more information about this, if you do, please contact me.

2 comments:

  1. Hello, I have also observed this situation.
    Here I have a Proxy (Squid) that I can observe this URL being submitted and no response.
    I also do not know what can be, but in doubt I'm blocking this URL.

    See this excerpt from the logs:

    1526989310.137 54 10.82.0.109 TCP_MISS/503 3600 POST http://canonicalizer.ucsuri.tcs/680074007400700073003a002f002f00700069006e0067002e002e006e00610076002e0073006d00610072007400730063007200650065006e002e006d006900630072006f0073006f00660074002e0063006f006d002f00770069006e0064006f00770073002f00620072006f0077007300650072002f0065006400670065002f0061006300740069006f006e007300 jarbas.peixoto HIER_NONE/- text/html

    ReplyDelete
    Replies
    1. Yeah, its interesting that there is hex encoded data in the URI. In your example it is https://ping..nav.smartscreen.microsoft.com/windows/browser/edge/actions

      Again, more evidence of it belonging to smartscreen, but why? Thanks for the comment.

      Delete