1.1.3 release contains phishing(?) code. #27

Closed
chr0n1x opened this Issue Jun 17, 2017 · 15 comments

7 participants

chr0n1x commented Jun 17, 2017

Today, the plugin required new permissions to reactivate. When activated, going to ANY site resulted in a popup message saying that my computer is infected, and then it redirects the user to

https://chromeupdates.top/s.html (DO NOT CLICK UNLESS YOU KNOW WHAT YOU'RE DOING)

Poking around that page I found this:
https://gist.github.com/chr0n1x/989af9702845cbd501fe51e897575dfe

Seems to just be a script that doesn't really do much (according to this thread). But still, concerning.

The-MAZZTer commented Jun 17, 2017

I can confirm. Either the author of the extension sold out his users, or his Google account was compromised.

Report the extension here if you have experienced this issue: https://chrome.google.com/webstore/report/kaicbfmipfpfpjmlbpejaoaflfdnabnc?utm_source=chrome-remove-extension-dialog

The script being injected is alert10.js in the extension root folder. I assume it's just a drop-in.

The code does not seem to have been uploaded to github.

chr0n1x commented Jun 17, 2017

@The-MAZZTer can you gist alert10.js so we can take a look @ it?

The-MAZZTer commented Jun 17, 2017

Here's the entire extension source as it exists on the Web Store as of this writing.

https://www.dropbox.com/s/5l9prxit0y3ue7s/Chrometana%201.1.3%20%28ONLY%20FOR%20ANALYSIS%20MAY%20CONTAIN%20SPYWARE%20DO%20NOT%20INSTALL%20INTO%20CHROME%29.zip?dl=0

I looked at the manifest file. It looks like it may contain a workaround to prevent Google from automatically catching it.

"content_scripts": [ {
  "js": [ "alert10.js" ],
  "matches": [ "\u003Call_urls>" ],
  "run_at": "document_start"
} ],

I assume \u003C is the unicode code for < which ultimately makes a match string of "<all_urls>" which causes this script to be injected into every page you visit.

I do lots of JS coding for a living so I figured my own analysis of the script might be useful.

First of all, it looks like most of the file from the start is an md5 JS library that was dropped in, including comments and code that is for Internet Explorer specifically. However it appears to not be used at all. Maybe it was included so if someone opened the file in Chrome's Dev Tools or a text editor they would not see anything interesting happening right away?

Line 193 appears to be where the author's code starts. When I break it down it appears to do the following:

  1. Check the current page to see if it's a "keeper" page (I think this is a page on the site the user is ultimately redirected to).
  2. Use a cookie called "_alert" to track the last time we showed a popup to the user. Only if it has been more than 10 seconds AND the current page is not a "keeper" page do we show a new alert.
  3. Show a yes/no popup dialog with the message "Your computer is infected. You have to check it with antivirus.". However, show it in the user's native language if the user's language is Spanish, Italian, French, Portuguese, German, Russian, or Greek.
  4. If the user clicks yes, redirect the current page to http : // chromeupdates . top / tds . php ? subid = ce Otherwise redirect the page to https : // chromeupdates . top / s . html (I DO NOT RECOMMEND VISITING THESE PAGES I DON'T KNOW WHAT IS ON THEM)
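
The analysis above makes a point worth turning into a check: a grep over the raw manifest text for "<all_urls>" never matches the escaped form "\u003Call_urls>", but any JSON parser (including the browser's manifest loader) decodes \u003C to < and injects the script everywhere. The script below is an added example, not code from this thread or from Chrometana. It parses the manifest first, flags content scripts injected into every page, and scans those scripts for the indicators The-MAZZTer reports (the _alert cookie, the chromeupdates.top host, a confirm() dialog, a forced navigation). The file map is constructed for the example; its "alert10.js" entry is an inert stand-in carrying those indicator strings, not the real file.

```javascript
// Added example: triage an unpacked Chrome extension by parsing manifest.json
// instead of string-matching it. Assumption: the package arrives as an in-memory
// { path: text } map (constructed below); a real run would read the unpacked
// extension directory with fs instead.

const MANIFEST_TEXT = String.raw`{
  "name": "example-extension",
  "version": "1.1.3",
  "content_scripts": [ {
    "js": [ "alert10.js" ],
    "matches": [ "\u003Call_urls>" ],
    "run_at": "document_start"
  } ]
}`;

const SAMPLE_FILES = {
  'manifest.json': MANIFEST_TEXT,
  // Constructed stand-in for the injected script: it only carries the indicator
  // strings named in the thread's analysis and does nothing when loaded.
  'alert10.js': [
    'var COOKIE = "_alert";             // throttle cookie named in the analysis',
    'var TARGET = "chromeupdates.top";  // redirect host named in the analysis',
    'function scare() { return confirm("Your computer is infected."); }',
    'function go(url) { location.href = url; }',
  ].join('\n'),
};

// A match pattern that injects into every page: <all_urls>, or any of the
// *, http, https schemes with a wildcard host, whatever the path.
function isBroadMatch(pattern) {
  return pattern === '<all_urls>' || /^(\*|https?):\/\/\*\//.test(pattern);
}

// Indicators drawn from the analysis in this thread; specific to this incident.
const INDICATORS = [
  { id: 'c2-domain',       re: /chromeupdates\.top/i },
  { id: 'throttle-cookie', re: /\b_alert\b/ },
  { id: 'scare-dialog',    re: /\bconfirm\s*\(/ },
  { id: 'redirect',        re: /\blocation(?:\.href)?\s*=[^=]/ },
];

// What a grep-style scanner sees: the escaped manifest never contains "<all_urls>".
function naiveTextCheck(manifestText) {
  return manifestText.includes('<all_urls>');
}

// Parse the manifest (decoding \u003C to <), then report every content script
// that runs on all pages together with the indicators found in its source.
function auditExtension(files) {
  const manifest = JSON.parse(files['manifest.json']);
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isBroadMatch);
    if (broad.length === 0) continue;
    for (const jsPath of cs.js || []) {
      const src = files[jsPath] || '';
      findings.push({
        script: jsPath,
        matches: broad,
        runAt: cs.run_at || 'document_idle', // Chrome's default when run_at is absent
        indicators: INDICATORS.filter(i => i.re.test(src)).map(i => i.id),
        missing: !(jsPath in files),         // declared in the manifest but absent from the package
      });
    }
  }
  return findings;
}

console.log('raw-text grep finds <all_urls>:', naiveTextCheck(MANIFEST_TEXT)); // false
console.log(JSON.stringify(auditExtension(SAMPLE_FILES), null, 2));
```

The structural signal (a broad match pattern plus run_at: document_start) is the part that generalizes; the INDICATORS list is tied to this incident and should be replaced when triaging a different extension. To audit a real package, build the files map from the unpacked directory and inspect every script the audit lists rather than grepping the manifest text.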

Wazbat commented Jun 17, 2017

Damn. It's scary to see something so trusted turn into this

rossinimartins2 commented Jun 17, 2017

Confirmed, happens here too.

Chrometana version 1.1.3 via Download Chrome Extension on Opera 45.

hypernova1912 commented Jun 17, 2017

I will mention that this is the exact same thing that happened to Infinity New Tab, complete with the same wording, a month or two ago, so it's probably a compromised account.

TheoBr (Owner) commented Jun 17, 2017

Hey guys! Fun fact. When your extension gets taken down due to a bullshit DMCA notice, it's possible for others to somehow push updates.

I am in contact with Google and will be putting up an official press release tonight. This is absolutely maddening and I'm so sorry guys.

hypernova1912 commented Jun 17, 2017

Thanks! Oh, and by the way, EdgeDeflector allows us to use Chrome with Cortana, so the extension has a purpose again. Yay!

TheoBr (Owner) commented Jun 17, 2017

Google is not responsive and I have no idea how any of this happened. I'm shipping an update momentarily. If anyone has advice on how to get ahold of Google and fix/prevent garbage like this please let me know

hypernova1912 commented Jun 17, 2017

The problem is that Google has literally no customer support, other than specialized departments like the Pixel. I once had someone already have a Google account with my email and nobody could help me get it removed.

TheoBr (Owner) commented Jun 17, 2017

Update has been shipped. I'm closing this for now, but please don't hesitate to contact me with anything at all

TheoBr closed this Jun 17, 2017

MissPotato commented Jun 17, 2017

I'll be running the necessary tests to hopefully ensure that my PC is clean, however could we get a statement about the malware's effect on end users who may not be able to read the code?

TheoBr (Owner) commented Jun 17, 2017

@MissPotato, the "malware" included was a small javascript pop-up. That pop-up could bring you to a website with worse viruses.

If you did not download anything from a suspicious webpage, you're fine.

MissPotato commented Jun 18, 2017

@TheoBr, thanks for the statement! I tend to avoid downloading things from sites I don't use.
