
Malware in Windows binary #2418

Closed
tmairegasnighto opened this issue Nov 30, 2020 · 8 comments
Labels
🐍 invalid This doesn't seem right


@tmairegasnighto

Description

I have discovered some malicious behavior in the Windows version of this app (have not tested other OS versions).

  • [Yes] Can you reproduce the issue?

Steps to reproduce

  1. Install an HTTP monitoring program, such as Fiddler
  2. Install Marktext
  3. Run Marktext and type some new markdown and hit enter

Actual behavior:

I discovered export of some data, and it downloaded some malicious files...

Link to an example: [optional]
More details can be found here: https://old.reddit.com/r/Markdown/comments/k43hzw/warning_malicious_code_found_in_mark_text/

Versions

  • Mark Text version: 0.16.2
  • Operating system: Windows 10
@FormerlyChucks

Interesting conversation on Hacker News https://news.ycombinator.com/item?id=25258794

@fxha
Contributor

fxha commented Nov 30, 2020

@tmairegasnighto Thanks for reporting this issue. We need to investigate this, but gvt1.com is a Google service that is used by Chromium's spell checker (Hunspell) to automatically download dictionaries. This was a recent change in Electron, and our own spellchecker (also Hunspell) downloads only manually from Google.

Edit: e.g. https://redirector.gvt1.com/edgedl/chrome/dict/en-us-7-1.bdic

@fxha fxha added the 🔍 needs further investigation This issue needs further investigation. label Nov 30, 2020
@tmairegasnighto
Author

tmairegasnighto commented Nov 30, 2020

The gvt1.com URL I am seeing is different:

http://r4---sn-8xgp1vo-xfgs.gvt1.com/edgedl/release2/chrome_component/AIn3zS2zP2W0T6dH89fdfUo_2020.11.29.1203/Vx5-bd3sH9glYb_6GC_ovw?cms_redirect=yes&mh=vQ&mip=<myPublicIPAddress>&mm=28&mn=sn-8xgp1vo-xfgs&ms=nvh&mt=1606761620&mv=m&mvi=4&pl=17&shardbypass=yes

and is also transmitting my public IP address as a URL parameter. It's hard to understand why that would be required.

Additionally, there is encrypted traffic going both ways.

I'm not sure what value the URLs being downloaded have to Marktext dictionary autocorrect...

eg...

10proga.ru
123moviesgoto.com
1progs.ru
1sa.com.ua
24smi.co
24smi.org
2drive.ru
2hpc.ru
2recepta.com
3.kino.filmive-hd.net
34travel.me
9anime.uno
...
aceh.tribunnews.com
adindex.ru
adultdeepfakes.com
etc....

@FormerlyChucks

I think that the place where things are downloaded from is corrupted or had a change. I doubt the devs would be using these:

123moviesgoto.com
34travel.me

I like movies but I don't think they need to be included here. And traveling now isn't a great idea.

@fxha
Contributor

fxha commented Nov 30, 2020

@tmairegasnighto The "random" list might be the safe browsing list from Chromium, as Electron is just a browser, and the traffic is encrypted because it is HTTPS. Please download electron-v8.3.2-win32-x64 and check whether there is the same network activity; if so, it's just the browser downloading some metadata. Electron and Mark Text open a connection to https://redirector.gvt1.com that's redirected to some internal Google server when downloading the spell checker dictionary; please ask Google why they include our IP address.

Please replace the Mark Text root resources folder with the folder you downloaded from Electron, to test whether an NPM package is affected. Mark Text's and Electron's dictionaries are stored in the %appdata%\<app>\dictionaries (marktext or Electron) directory. If you replaced the Mark Text resources, all data is stored in the Electron application directory instead of marktext.

@fxha
Contributor

fxha commented Nov 30, 2020

I got the same behavior if I run the Electron demo application or replace the Mark Text bundled files with the demo application. Could you please email me the dumped files (including the suspicious URLs), because it might be a safe browsing list from Google. Please open an upstream Electron issue (or I'll open one when I have time), because I think Electron shouldn't download dictionaries automatically on startup when Chromium's built-in spell checker is disabled.

At the moment it seems as if no bad NPM package is present, because the connection to Google is also present when launching unchanged Electron with the official default_app.asar file.

Summarized:

  1. Chromium/Electron/Mark Text connect to https://redirector.gvt1.com that is redirected to an internal Google server and our public IP is forwarded. This might be due to the fact that we download dictionaries for spell checking.
  2. The "issue" is also present with the official Electron build without any changes.
  3. The suspicious URLs might be a safe browsing list from Google (need investigation).

@fxha
Contributor

fxha commented Nov 30, 2020

Thank you @tmairegasnighto and the user(s) that posted it on reddit and HN. The security of our product is very important to us and at the present time we verified that the HTTP requests are legit connections to Google servers.

  1. Chromium's built-in spell checker checks for and downloads newer dictionaries at application start-up (https://redirector.gvt1.com).
  2. Google forwards your public IP address in plaintext in the redirected URL, but we cannot do anything about that. Please open a Google support ticket or file a GDPR violation if you are concerned about this and there is a legal basis.
  3. The downloaded payload is a safe browsing list of bad domain names or similar that is needed by Chromium (Crowd Deny).

I downloaded the content @tmairegasnighto posted in the second comment to verify that the Crowd Deny list is a legit package by Google, extracted the payload and we got three files:

.
|- manifest.json
|- Preload Data (suspicious domain names)
|- _metadata/
  |- verified_contents.json

manifest.json includes some metadata like the database version (2020.11.29.1203) of the payload. verified_contents.json includes hashes, a signature and data to verify the downloaded content, and one field in the Base64-encoded string is called item_id, with the same value (ggkkehgbnfjpeggfpleeakpidbkibbmn) as you can find in Chromium's source code.

Decoded Base64 string:

{"content_hashes":[{"block_size":4096,"digest":"sha256","files":[{"path":"Preload Data","root_hash":"32t43rRFE_y_XjUDjCP9u0YC6lOwp4x2BpUoHdhQCck"},{"path":"manifest.json","root_hash":"AePzoZyaQzc2Xp5g9ln6IIDWeW9tr3WwcWn8wXMZyv4"}],"format":"treehash","hash_block_size":4096}],"item_id":"ggkkehgbnfjpeggfpleeakpidbkibbmn","item_version":"2020.11.29.1203","protocol_version":1}

@fxha fxha closed this as completed Nov 30, 2020
@fxha fxha added 🐍 invalid This doesn't seem right and removed 🔍 needs further investigation This issue needs further investigation. labels Nov 30, 2020
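The verification in the comment above compares the files in the extracted component against the treehash roots in the decoded payload. The following is an added Python example, written for this page and not code from the issue thread or the Mark Text project, that automates that comparison: it reads _metadata/verified_contents.json, base64url-decodes the signed payload, recomputes the treehash root of each listed file and reports whether it matches. The treehash construction (SHA-256 of each block_size chunk as leaves, parents hashing up to hash_block_size/32 concatenated child digests, an empty file hashing as one empty block) follows Chromium's extension content verification as I understand it and is an assumption of this example; the verified_contents.json layout (a list of entries with "description": "treehash per file" and a "signed_content" object) is likewise assumed. The sample directory, its file contents and the placeholder signature are constructed here; the Google signature over the payload is not checked, only the hashes.

```python
import base64
import hashlib
import json
import os
import tempfile

BLOCK_SIZE = 4096        # "block_size" in the signed payload
HASH_BLOCK_SIZE = 4096   # "hash_block_size": bytes of child digests per parent node
DIGEST_LEN = hashlib.sha256().digest_size  # 32


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url (the encoding used for payload and root_hash)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def treehash_root(data: bytes, block_size: int = BLOCK_SIZE,
                  hash_block_size: int = HASH_BLOCK_SIZE) -> bytes:
    """Assumed Chromium-style treehash: SHA-256 over each block_size chunk gives
    the leaves; each parent is SHA-256 over up to (hash_block_size / 32)
    concatenated child digests; repeat until a single root remains.
    An empty file is treated as one empty block."""
    branch = hash_block_size // DIGEST_LEN
    level = [hashlib.sha256(data[i:i + block_size]).digest()
             for i in range(0, len(data), block_size)] or [hashlib.sha256(b"").digest()]
    while len(level) > 1:
        level = [hashlib.sha256(b"".join(level[i:i + branch])).digest()
                 for i in range(0, len(level), branch)]
    return level[0]


def check_component_dir(root: str) -> dict:
    """Decode the signed payload in _metadata/verified_contents.json and compare
    each listed file's treehash root with the file on disk.
    Returns {relative path: True if the hash matches}. No signature check here."""
    with open(os.path.join(root, "_metadata", "verified_contents.json")) as f:
        entries = json.load(f)
    results = {}
    for entry in entries:
        if entry.get("description") != "treehash per file":   # assumed layout
            continue
        payload = json.loads(b64url_decode(entry["signed_content"]["payload"]))
        for ch in payload["content_hashes"]:
            if ch["format"] != "treehash" or ch["digest"] != "sha256":
                raise ValueError("unsupported content hash scheme")
            for file_entry in ch["files"]:
                path = os.path.join(root, *file_entry["path"].split("/"))
                with open(path, "rb") as f:
                    actual = treehash_root(f.read(), ch["block_size"], ch["hash_block_size"])
                results[file_entry["path"]] = b64url_encode(actual) == file_entry["root_hash"]
    return results


def build_sample_dir(root: str, preload: bytes, manifest: dict) -> None:
    """Write a CONSTRUCTED component directory in the layout seen in the thread
    (manifest.json, Preload Data, _metadata/verified_contents.json).
    The signature is a placeholder; only the hashes are meaningful."""
    os.makedirs(os.path.join(root, "_metadata"))
    manifest_bytes = json.dumps(manifest).encode()
    with open(os.path.join(root, "manifest.json"), "wb") as f:
        f.write(manifest_bytes)
    with open(os.path.join(root, "Preload Data"), "wb") as f:
        f.write(preload)
    payload = {
        "content_hashes": [{
            "block_size": BLOCK_SIZE, "digest": "sha256",
            "files": [
                {"path": "Preload Data", "root_hash": b64url_encode(treehash_root(preload))},
                {"path": "manifest.json", "root_hash": b64url_encode(treehash_root(manifest_bytes))},
            ],
            "format": "treehash", "hash_block_size": HASH_BLOCK_SIZE}],
        "item_id": "ggkkehgbnfjpeggfpleeakpidbkibbmn",
        "item_version": manifest["version"], "protocol_version": 1}
    verified = [{"description": "treehash per file",
                 "signed_content": {"payload": b64url_encode(json.dumps(payload).encode()),
                                    "signatures": [{"signature": "PLACEHOLDER"}]}}]
    with open(os.path.join(root, "_metadata", "verified_contents.json"), "w") as f:
        json.dump(verified, f)


def demo() -> tuple:
    """Build the constructed sample, verify it, then flip one byte of
    Preload Data and verify again so the mismatch is visible."""
    with tempfile.TemporaryDirectory() as tmp:
        preload = bytes(range(256)) * 40   # 10240 bytes -> three 4096-byte blocks
        build_sample_dir(tmp, preload, {"version": "2020.11.29.1203"})
        clean = check_component_dir(tmp)
        with open(os.path.join(tmp, "Preload Data"), "r+b") as f:
            f.seek(5000)
            f.write(b"\xff")
        tampered = check_component_dir(tmp)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("untouched:", before)
    print("tampered: ", after)
```

To run it against a real extracted component, call check_component_dir on the directory that contains manifest.json and _metadata/; a False entry means the file on disk does not match what the payload signs for. Matching hashes only tell you the files are the ones the payload describes; establishing that the payload itself came from Google still requires verifying the signature in verified_contents.json against Google's key, which this example leaves out.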
@tmairegasnighto
Author

I just want to say thank you for the extremely quick follow up and resolution, and glad this was just a false alarm. Sorry for my issue title - it jumped the gun a bit. ...but you know, seeing "adultdeepfakes.com" in an app's network packet will do that :-)
