t3dotgg / Chrometana

Redirect Bing Somewhere Better
http://Chrometana.Theo.li
MIT License

1.1.3 release contains phishing(?) code. #27

Closed chr0n1x closed 7 years ago

chr0n1x commented 7 years ago

Today, the plugin required new permissions to reactivate. When activated, going to ANY site resulted in a popup message saying that my computer is infected, and then it redirects the user to

https://chromeupdates.top/s.html (DO NOT CLICK UNLESS YOU KNOW WHAT YOU'RE DOING)

Poking around that page I found this: https://gist.github.com/chr0n1x/989af9702845cbd501fe51e897575dfe

Seems to just be a script that doesn't really do much (according to this thread). But still, concerning.

The-MAZZTer commented 7 years ago

I can confirm. Either the author of the extension sold out his users, or his Google account was compromised.

Report the extension here if you have experienced this issue: https://chrome.google.com/webstore/report/kaicbfmipfpfpjmlbpejaoaflfdnabnc?utm_source=chrome-remove-extension-dialog

The script being injected is alert10.js in the extension root folder. I assume it's just a drop-in.

The code does not seem to have been uploaded to github.

chr0n1x commented 7 years ago

@The-MAZZTer can you gist alert10.js so we can take a look @ it?

The-MAZZTer commented 7 years ago

Here's the entire extension source as it exists on the Web Store as of this writing.

https://www.dropbox.com/s/5l9prxit0y3ue7s/Chrometana%201.1.3%20%28ONLY%20FOR%20ANALYSIS%20MAY%20CONTAIN%20SPYWARE%20DO%20NOT%20INSTALL%20INTO%20CHROME%29.zip?dl=0

I looked at the manifest file. It looks like it may contain a workaround to prevent Google from automatically catching it.

"content_scripts": [ {
  "js": [ "alert10.js" ],
  "matches": [ "\u003Call_urls>" ],
  "run_at": "document_start"
} ],

I assume \u003C is the unicode code for < which ultimately makes a match string of "<all_urls>" which causes this script to be injected into every page you visit.

I do lots of JS coding for a living so I figured my own analysis of the script might be useful.

First of all, it looks like most of the file from the start is an md5 JS library that was dropped in, including comments and code that is for Internet Explorer specifically. However it appears to not be used at all. Maybe it was included so if someone opened the file in Chrome's Dev Tools or a text editor they would not see anything interesting happening right away?

Line 193 appears to be where the author's code starts. When I break it down it appears to do the following:

  1. Check the current page to see if it's a "keeper" page (I think this is a page on the site the user is ultimately redirected to).
  2. Use a cookie called "_alert" to track the last time we showed a popup to the user. Only if it has been more than 10 seconds AND the current page is not a "keeper" page do we show a new alert.
  3. Show a yes/no popup dialog with the message "Your computer is infected. You have to check it with antivirus.". However, show it in the user's native language if the user's language is Spanish, Italian, French, Portuguese, German, Russian, or Greek.
  4. If the user clicks yes, redirect the current page to http : // chromeupdates . top / tds . php ? subid = ce. Otherwise redirect the page to https : // chromeupdates . top / s . html (I DO NOT RECOMMEND VISITING THESE PAGES I DON'T KNOW WHAT IS ON THEM)

Wazbat commented 7 years ago

Damn. It's scary to see something so trusted turn into this

rossinimartins2 commented 7 years ago

Confirmed, happens here too.

Chrometana version 1.1.3 via Download Chrome Extension on Opera 45.

echthesia commented 7 years ago

I will mention that this is the exact same thing that happened to Infinity New Tab, complete with the same wording, a month or two ago, so it's probably a compromised account.

t3dotgg commented 7 years ago

Hey guys! Fun fact. When your extension gets taken down due to a bullshit DMCA notice, it's possible for others to somehow push updates.

I am in contact with Google and will be putting up an official press release tonight. This is absolutely maddening and I'm so sorry guys.

echthesia commented 7 years ago

Thanks! Oh, and by the way, EdgeDeflector allows us to use Chrome with Cortana, so the extension has a purpose again. Yay!

t3dotgg commented 7 years ago

Google is not responsive and I have no idea how any of this happened. I'm shipping an update momentarily. If anyone has advice on how to get ahold of Google and fix/prevent garbage like this please let me know

echthesia commented 7 years ago

The problem is that Google has literally no customer support, other than specialized departments like the Pixel. I once had someone already have a Google account with my email and nobody could help me get it removed.

t3dotgg commented 7 years ago

Update shipping soon

http://chrometana.theo.li/2017/06/google-account-compromised-malware-shipped-chrometana-1-1-3/

t3dotgg commented 7 years ago

Update has been shipped. I'm closing this for now, but please don't hesitate to contact me with anything at all

MissPotato commented 7 years ago

I'll be running the necessary tests to hopefully ensure that my PC is clean, however could we get a statement about the malware's effect on end users who may not be able to read the code?

t3dotgg commented 7 years ago

@MissPotato , the "malware" included was a small javascript pop-up. That pop-up could bring you to a website with worse viruses.

If you did not download anything from a suspicious webpage, you're fine.

MissPotato commented 7 years ago

@TheoBr , thanks for the statement! I tend to avoid downloading things from sites I don't use.