Category Archives: Chrome Extension

[ Technical Tear Down : Chrome Extension – Pro Visitor ]

Today, I’ll be doing another technical tear-down of a Chrome Extension that does more than what it advertises.
I was alerted to this particularly interesting Chrome extension by Janne Ahlberg when he tweeted about it here.
I’ve attached the link to the file here for anyone interested in analysing it themselves.
nbpaecgogmkifkfgdeoalcilnjigcglb
The password to the attachment is “infected29A”.
I was encouraged by Emiliano Martinez of VirusTotal to upload this Chrome extension to see whether AV will detect such stuff.
I wasn’t surprised by the final outcome: 0/54.
(image: VirusTotal result for the extension, 0/54 detections)
https://www.virustotal.com/en/file/26eb50c2543a3f9c8cff8f01068140a00c639c5fe75843eb5d6175c6208147ba/analysis/1410057947/

[ Sample used in the analysis ]
MD5: bb93188a0e751f95e156f490f612d19f
SHA1: 624b9fd7e08ac10f194b835551f98c0a1c127118

[ How it starts ]
If you access the website, thousandssa[dot]pw, you will see something like the image below.
(image: screenshot of thousandssa.pw)

It keeps prompting visitors of that URL to install a Firefox extension or a Chrome extension.
If you look at the HTML of the above-mentioned URL, you will see the interesting piece of JavaScript below.

I tried to download the Firefox extension from http://www[dot]defends4987de[dot]asia/profilevisitor[dot]xpi, but that URL is no longer valid.
So I downloaded the Chrome extension from the official Google Chrome Web Store, https://chrome[dot]google[dot]com/webstore/detail/nbpaecgogmkifkfgdeoalcilnjigcglb, using my tool here, CRXDownloader.

Since it’s a Chrome extension, let’s check the permissions of this adware and further dissect it.
Let’s first try to understand how a Chrome extension works.
A Chrome extension always requires a manifest file, a background page (background.html) and possibly some JavaScript files, as documented by Google here.

The manifest file, called manifest.json, gives information about the extension, such as the most important files and the capabilities that the extension might use.
For this particular Chrome extension, we can see below what permissions manifest.json requests.

From the above manifest.json, we can see under “permissions” what the extension requires once a user installs it:
“permissions”: [“tabs”, “http://*/*”, “https://*/*”, “webRequest”, “webRequestBlocking”]

For a better understanding of the permissions and what each individual permission means, the following is a good reference.
https://developer.chrome.com/extensions/declare_permissions
Of particular interest to us are the “tabs” and “webRequestBlocking” permissions.
If you read the documentation for “webRequestBlocking”, the API allows developers to observe and analyze traffic and to intercept, block, or modify requests in flight.
It sure doesn’t sound safe to me.

From the above manifest.json and the documentation here, we can see that it declares two content-script matches against the webpages a user visits.
The first match looks like a typical Facebook application installation URL (with all the requested permissions); on it, the extension runs these two JavaScript files:
“js/jquery-1.8.2.min.js”, “js/installer.js”
The second match covers every URL containing “facebook.com” and runs these four JavaScript files:
“js/jquery-1.8.2.min.js”, “js/bililiteRange.js”, “js/jquery.sendkeys.js”, “js/poster.js”

[ Dissecting installer.js ]
Let’s take a look at “installer.js”: we can see that it tries to install the Facebook application on behalf of the user.

[ Dissecting Background.js ]
Let’s take a look at “background.js”; this is actually the more important piece of JavaScript for solving the mystery around this Chrome extension.
We can see that “background.js” fetches information from http://shockingvisitor[dot]com (which I will call the C&C for the time being, for simplicity’s sake) and then clicks “Like” on certain URLs fetched from the C&C.

From the information we have gathered thus far, we can see the following “Domain Whois” information:

If we were to go to “http://shockingvisitor[dot]com/spotify/index.php/message/index”, you will see something like the image below.
(image: screenshot of shockingvisitor.com)

That site is probably where the owner configures what the “users” of this Chrome extension (Pro-Visitor_v0.6) will “Like” on Facebook when they are logged in.

[ Conclusion ]
Remember that I mentioned this Chrome extension was not what it advertised.
It advertised “Instantly see who is viewing your profile” & “Check how many photo views you have”, but it did neither. 😛

While this is not state-of-the-art Chrome extension malware, it’s probably one of the rarer and more interesting ones out there.
We can even see from the scripts that the author hastily copy-pasted code from elsewhere.
It’s even more interesting that it managed to survive in the Chrome Web Store for quite some time.

I hope this is a fairly simple-to-understand technical tear-down, so that people can repeat the steps and learn how to analyse potentially malicious Chrome extensions on their own.

Happy Reversing,
Jacob Soo

[ Technical Tear Down : DIgiCOuppOan (PUP/Adware) ]

Recently, while I was trying to troubleshoot my relative’s home network,
I happened to notice that their Chrome browser was infected with a PUP/Adware.

PUP stands for Potentially Unwanted Program. The one I came across is DIgiCOuppOan.
I suspect the machine was infected when one of them visited some p0rn sites.

DIgiCOuppOan is classified as potentially unwanted adware. DIgiCOuppOan claims to enhance your web browsing experience and save you time and money by providing discounts and other bonuses and deals. The DIgiCOuppOan program is compatible with the majority of the top online retailers.

The DIgiCOuppOan program displays its ads in a pop-up box containing various ads matched to your queries while you browse online. Currently the DIgiCOuppOan adware displays at least four basic types of advertising, including sponsored links, coupons, video-related ads and banner ads, “pop-unders” or interstitial ads.

Instead of writing about what it is, I’ll be doing my own technical tear-down of this PUP/Adware.
I’ve attached the link to the file here for anyone interested in analysing it themselves.
bkkdkcifjmepenkhibomliiocmpiejlj
The password to the attachment is “infected29A”.

[ Sample used in the analysis ]
MD5: c33dc4f0d10e233f6428ba8f35d5d16b
SHA1: 87fc5db935b95d0d3b84535bbffc36a8b8f1ba52

[ How it starts ]
Since it’s a Chrome extension adware, let’s check the permissions of this adware and further dissect it.
Let’s first try to understand how a Chrome extension works.
A Chrome extension always requires a manifest file, a background page (background.html) and possibly some JavaScript files, as documented by Google here.

The manifest file, called manifest.json, gives information about the extension, such as the most important files and the capabilities that the extension might use.
For this particular adware, we can see below what permissions manifest.json requests.

From the above manifest.json and the documentation here, we can see that it will inject content.js at the end of every webpage the user visits.
Once this Chrome extension starts, it loads “background.html”.

From “permissions”, we can also see which permissions it requires.
For a better understanding of the permissions and what each individual permission means, the following is a good reference.
https://developer.chrome.com/extensions/declare_permissions
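Both tear-downs start from the same place: read manifest.json, note the permissions, the host patterns, the background page or script, and which content scripts are injected where. As an added example (not code from either post, nor from the extensions’ authors), here is a small Python triage script that does exactly that reading. The two embedded manifests are constructed to mirror what the posts describe; the Pro Visitor match pattern for the Facebook app-install dialog and the exact DIgiCOuppOan permission list are assumptions, since the posts only show the real manifests as images.

```python
import json

# Permissions that let an extension see or alter every page, request or
# session. Their presence alone is not proof of malice, but any of them in
# a "profile visitor" or "coupon" extension is a reason to read the code.
HIGH_RISK_PERMISSIONS = {
    "tabs": "enumerate and inspect every open tab",
    "webRequest": "observe all network requests the browser makes",
    "webRequestBlocking": "block or rewrite requests in flight",
    "storage": "persist data across browser sessions",
    "cookies": "read cookies for the hosts it has access to",
}

def is_broad_host(pattern):
    """True for a host/match pattern that effectively covers every site."""
    if pattern == "<all_urls>":
        return True
    return pattern.startswith(("*://*/", "http://*/", "https://*/"))

def triage_manifest(text):
    """Parse a manifest.json and report the parts an analyst reads first."""
    m = json.loads(text)
    perms = m.get("permissions", [])
    report = {
        "name": m.get("name"),
        "version": m.get("version"),
        "risky_permissions": [p for p in perms if p in HIGH_RISK_PERMISSIONS],
        "broad_hosts": [p for p in perms if is_broad_host(p)],
        "background": m.get("background", {}),
        "content_scripts": [],
    }
    for cs in m.get("content_scripts", []):
        matches = cs.get("matches", [])
        report["content_scripts"].append({
            "matches": matches,
            "js": cs.get("js", []),
            "run_at": cs.get("run_at", "document_idle"),  # Chrome's default
            "injects_everywhere": any(is_broad_host(p) for p in matches),
        })
    return report

def explain(report):
    """Render the triage report as lines a reader can skim."""
    lines = [f"{report['name']} v{report['version']}"]
    for p in report["risky_permissions"]:
        lines.append(f"  permission {p}: {HIGH_RISK_PERMISSIONS[p]}")
    if report["broad_hosts"]:
        lines.append(f"  host access to every site via {report['broad_hosts']}")
    bg = report["background"]
    if bg:
        lines.append(f"  background: {bg.get('page') or bg.get('scripts')}")
    for cs in report["content_scripts"]:
        where = "EVERY page" if cs["injects_everywhere"] else ", ".join(cs["matches"])
        lines.append(f"  injects {cs['js']} into {where} at {cs['run_at']}")
    return lines

# Constructed manifest modelled on the Pro Visitor post. The first match
# pattern (Facebook app-install dialog) is an assumption; the permission
# list and script names are the ones the post quotes.
PRO_VISITOR_MANIFEST = """
{
  "manifest_version": 2,
  "name": "Pro Visitor (constructed sample)",
  "version": "0.6",
  "permissions": ["tabs", "http://*/*", "https://*/*", "webRequest", "webRequestBlocking"],
  "background": {"scripts": ["js/background.js"]},
  "content_scripts": [
    {"matches": ["*://www.facebook.com/dialog/*"],
     "js": ["js/jquery-1.8.2.min.js", "js/installer.js"]},
    {"matches": ["*://*.facebook.com/*"],
     "js": ["js/jquery-1.8.2.min.js", "js/bililiteRange.js",
            "js/jquery.sendkeys.js", "js/poster.js"]}
  ]
}
"""

# Constructed manifest modelled on the DIgiCOuppOan post: content.js on every
# page at document end, a background.html page, and the storage permission.
DIGICOUPPOAN_MANIFEST = """
{
  "manifest_version": 2,
  "name": "DIgiCOuppOan (constructed sample)",
  "version": "1.0",
  "permissions": ["storage"],
  "background": {"page": "background.html"},
  "content_scripts": [
    {"matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_end"}
  ]
}
"""

if __name__ == "__main__":
    for text in (PRO_VISITOR_MANIFEST, DIGICOUPPOAN_MANIFEST):
        print("\n".join(explain(triage_manifest(text))))
```

Run it against a real extracted CRX by passing the file contents to `triage_manifest`; a content script that `injects_everywhere` combined with `storage` or `webRequestBlocking` is the pattern both posts end up chasing through the JavaScript.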

[ Dissecting Background.html ]
Let’s take a look at “background.html”: we can see that once it’s loaded, it starts two other JavaScript files, “L7Y9.js” & “lsdb.js”.
(image: background.html of DIgiCOuppOan)

[ Dissecting L7Y9.js ]
Let’s take a look at L7Y9.js; we can see that there is a decode function.
Even though at first glance the string looks like it’s base64-encoded, in reality it is not.
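A quick way to settle the “is this really base64?” question before writing a custom decoder is to decode the string strictly and look at what comes out: genuine base64 of a URL list yields printable text, while a string that merely uses the base64 alphabet yields opaque bytes. The following Python check is an added example and is not the post’s decoder nor code from the adware; the sample strings are constructed, not taken from L7Y9.js.

```python
import base64
import binascii
import re
import string

# Shape test only: base64 alphabet, optional padding, length a multiple of 4.
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable.encode("ascii"))

def looks_like_base64(s):
    """True if the string has the shape of standard base64 (not proof it is)."""
    return len(s) % 4 == 0 and B64_SHAPE.match(s) is not None

def printable_ratio(data):
    """Fraction of bytes that are printable ASCII."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)

def classify_blob(s, threshold=0.95):
    """Decide whether a base64-looking string really carries base64 text.

    Returns (verdict, decoded) where verdict is one of:
      not-base64-shaped  : wrong alphabet or length
      invalid-base64     : shape fits but strict decoding fails
      base64-text        : decodes to (almost entirely) printable text
      base64-shaped-only : decodes, but to opaque bytes; a custom scheme
                           (as in L7Y9.js) is the likely explanation
    """
    if not looks_like_base64(s):
        return "not-base64-shaped", None
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return "invalid-base64", None
    if printable_ratio(raw) >= threshold:
        return "base64-text", raw.decode("ascii", errors="replace")
    return "base64-shaped-only", raw

# Constructed samples (not strings from the extension):
REAL_B64 = base64.b64encode(b"http://ads.example.invalid/inject.js").decode("ascii")
FAKE_B64 = "////////"  # valid alphabet and length, but decodes to 0xff bytes

if __name__ == "__main__":
    for sample in (REAL_B64, FAKE_B64, "hello world!"):
        verdict, decoded = classify_blob(sample)
        print(f"{sample!r}: {verdict} -> {decoded!r}")
```

When the verdict is `base64-shaped-only`, that is the cue to read the extension’s own decode function and reimplement it offline, which is what the post does next.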

Now let’s write a decode function without running the actual script. Below is a simple decoding script.

After decoding, the decoded message, or URL(s) in this case, are:

At first glance, these are probably the links that will be injected into the webpages the user visits.
It persistently writes data to Local Storage, which matches the “storage” permission we saw it request in manifest.json.

[ Conclusion ]
While this is not state-of-the-art Chrome extension malware, it’s probably one of the many PUP/Adware out there.

I hope this is a fairly simple-to-understand technical tear-down, so that people can repeat the steps and learn how to analyse Chrome extension PUP/Adware, or even Chrome extension malware, on their own.

Happy Reversing,
Jacob Soo