[ Technical Tear Down : Chrome Extension – Pro Visitor ]

Today, I’ll be doing another technical tear-down of a Chrome Extension that does more than what it advertises.
I was alerted to this particular interesting piece of Chrome extension by Janne Ahlberg when he tweeted about it here.
I’ve attached the link to the file here for anyone interested to try analysing it themselves.
nbpaecgogmkifkfgdeoalcilnjigcglb
The password to the attachment is “infected29A
I was encouraged by Emiliano Martinez of VirusTotal to upload this Chrome extension to see whether AV will detect such stuff.
I wasn’t surprised by the final outcome, 0/54
virustotal.com_001
https://www.virustotal.com/en/file/26eb50c2543a3f9c8cff8f01068140a00c639c5fe75843eb5d6175c6208147ba/analysis/1410057947/

[ Sample used in the analysis ]
MD5: bb93188a0e751f95e156f490f612d19f
SHA1: 624b9fd7e08ac10f194b835551f98c0a1c127118

[ How it starts ]
If you access the website, thousandssa[dot]pw, you will see something like the image below.
thousandssa.pw

It will keep prompting visitor(s) of that url to install Firefox extension or Chrome extension.
If you had peeped into the html of the above-mentioned url, you will see this interesting of Javascript below.

I’ve tried to download both the Firefox extension from http://www[dot]defends4987de[dot]asia/profilevisitor[dot]xpi but the url is no longer valid anymore.
So i’ve tried to download the Chrome extension from the official Google Chrome webstore, https://chrome[dot]google[dot]com/webstore/detail/nbpaecgogmkifkfgdeoalcilnjigcglb using my tool here, CRXDownloader

Since it’s an Chrome Extension, let’s check the permissions of this Adware and further dissect it.
Let’s try to understand how Chrome Extension works.
Chrome’s Extension will always require a manifest file, a background.html and possibly some JavaScript files as documented by Google here.

The manifest file, called manifest.json, gives information about the extension, such as the most important files and the capabilities that the extension might use.
For this particular Chrome extension, we can see what sort of permissions did manifest.json request for below.

From the above manifest.json, once user(s) install this Chrome extension.
We can see from the “permissions” that it requires:
“permissions”: [“tabs”, “http://*/*”, “https://*/*”, “webRequest”, “webRequestBlocking”]

For a better understanding of the permissions and what each individual permission mean, the following will be a good reference.
https://developer.chrome.com/extensions/declare_permissions
Of particular interest to us are the “tabs” and “webRequestBlocking
If you had read the documentation for “webRequestBlocking”, the API allows developers to observe and analyze traffic and to intercept, block, or modify requests in-flight.
It sure doesn’t sound safe to me.

From the above manifest.json and the documentation from here.
We can see that it will try to do 2 matches against webpages visited by user(s).
The 1st “Matching” seems like a typical FaceBook application installation url with all the required permission(s) and then running the 2 Javascript(s).
“js/jquery-1.8.2.min.js”, “js/installer.js”
The 2nd “Matching” just wants all the url with a match to “facebook.com” and then run 4 Javascript(s).
“js/jquery-1.8.2.min.js”, “js/bililiteRange.js”, “js/jquery.sendkeys.js”, “js/poster.js”

[ Dissecting installer.js ]
Let’s take a look at “installer.js” and we can see that it’s trying to install the FaceBook application on behalf of the user(s).

[ Dissecting Background.js ]
Let’s take a look at “background.js” and this is actually the more important piece of Javascript in solving the mystery around this Chrome extension.
We can see that once “background.js” actually in this case fetching information from http://shockingvisitor[dot]com (I will name this as C&C for the time being for simplicity sake) to click on “Like” on certain urls that were fetch from the C&C.

From the above information that we have gathered thus far, we can see the following “Domain Whois” information:

If we were to go to “http://shockingvisitor[dot]com/spotify/index.php/message/index”, you will see something like the image below.
shockingvisitor.com

That site probably is where the owner will configure what the Pro-Visitor_v0.6“user(s)” of this Chrome extension will “Like” on FaceBook when they are logged in.

[ Conclusion ]
Remember that i mentioned that this Chrome extension was like what it advertised.
It advertised to do these, “Instantly see who is viewing your profile” & “Check how many photo views you have” but it didn’t. 😛

While this is not a state of the art Chrome Extension Malware, but it’s probably one of the rare & interesting ones out there.
We can even see from the scripts that the author had hastily “Copy/Paste” from elsewhere.
It’s even more interesting that it even managed to survive in Chrome webstore for quite some time.

I hope that this is fairly simple to understand technical tear down that people can repeat the steps on their own and learn how to analyse Potentially malicious Chrome Extension on their own.

Happy Reversing,
Jacob Soo