Malicious Chrome and Edge Add-Ons Had a Novel Way To Hide On 3 Million Devices (arstechnica.com)
In December, Ars reported that as many as 3 million people had been infected by Chrome and Edge browser extensions that stole personal data and redirected users to ad or phishing sites. Now, the researchers who discovered the scam have revealed the lengths the extension developers took to hide their nefarious deeds. Ars Technica reports: Researchers from Prague-based Avast said on Wednesday that the extension developers employed a novel way to hide malicious traffic sent between infected devices and the command and control servers they connected to. Specifically, the extensions funneled commands into the cache-control headers of traffic that was camouflaged to appear as data related to Google analytics, which websites use to measure visitor interactions. Referring to the campaign as CacheFlow, Avast researchers wrote: "CacheFlow was notable in particular for the way that the malicious extensions would try to hide their command and control traffic in a covert channel using the Cache-Control HTTP header of their analytics requests. We believe this is a new technique. In addition, it appears to us that the Google Analytics-style traffic was added not just to hide the malicious commands, but that the extension authors were also interested in the analytics requests themselves. We believe they tried to solve two problems, command and control and getting analytics information, with one solution."
The extensions, Avast explained, sent what appeared to be standard Google analytics requests to https://stats.script-protection[.]com/__utm.gif. The attacker server would then respond with a specially formed Cache-Control header, which the client would then decrypt, parse, and execute. The lengths the developers went to in order to avoid detection included:

- Avoiding infecting users who were likely to be Web developers or researchers. The developers did this by examining the extensions the users already had installed and checking if the user accessed locally hosted websites. Additionally, in the event that an extension detected that the browser developer tools were opened, it would quickly deactivate its malicious functionality.
- Waiting three days after infection to activate malicious functionality.
- Checking every Google search query a user made. In the event a query inquired about a server the extensions used for command and control, the extensions would immediately cease their malicious activity.
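The covert channel described above works because proxies and logging pipelines rarely look inside Cache-Control, a header whose legitimate values are short and drawn from a small vocabulary. The following detection script is an added example, not code from Avast or from the Ars article: it scans proxy-style log lines (URL and response Cache-Control value) and flags responses whose header carries unknown directives, unusually long values, or high-entropy arguments that look like encoded data rather than caching hints. The log lines, thresholds, the analytics.example domain and the x-cfg directive are all constructed for the demonstration and do not reproduce the CacheFlow payload format, which the page does not describe.

```python
from __future__ import annotations

import math
from dataclasses import dataclass

# Directives defined for Cache-Control (RFC 7234) plus widely deployed extensions.
KNOWN_DIRECTIVES = {
    "max-age", "max-stale", "min-fresh", "no-cache", "no-store", "no-transform",
    "only-if-cached", "must-revalidate", "public", "private", "proxy-revalidate",
    "s-maxage", "immutable", "stale-while-revalidate", "stale-if-error",
}

# Thresholds are assumptions chosen for this example; tune them against your own baseline.
MAX_NORMAL_LENGTH = 120    # legitimate values are short; a long one deserves a look
MIN_BLOB_LENGTH = 24       # only score arguments long enough to carry a payload
ENTROPY_THRESHOLD = 4.0    # bits per character; base64/hex blobs typically exceed this


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    counts: dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_cache_control(value: str) -> list[tuple[str, str]]:
    """Split a Cache-Control value into (directive, argument) pairs.

    Directive names are lower-cased; arguments keep their content (minus
    surrounding quotes) so they can be scored.
    """
    pairs = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        pairs.append((name.strip().lower(), arg.strip().strip('"')))
    return pairs


@dataclass
class Finding:
    url: str
    header: str
    reasons: list[str]


def analyze_cache_control(url: str, header: str) -> Finding | None:
    """Return a Finding when the header looks like it carries more than caching hints."""
    reasons = []
    if len(header) > MAX_NORMAL_LENGTH:
        reasons.append(f"value is {len(header)} chars (limit {MAX_NORMAL_LENGTH})")
    for name, arg in parse_cache_control(header):
        if name not in KNOWN_DIRECTIVES:
            reasons.append(f"unknown directive '{name}'")
        if len(arg) >= MIN_BLOB_LENGTH and not arg.isdigit():
            ent = shannon_entropy(arg)
            if ent >= ENTROPY_THRESHOLD:
                reasons.append(f"high-entropy argument on '{name}' ({ent:.2f} bits/char)")
    return Finding(url, header, reasons) if reasons else None


def scan_log(lines) -> list[Finding]:
    """Scan tab-separated 'url<TAB>cache-control' lines and collect Findings."""
    findings = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        url, _, header = line.partition("\t")
        finding = analyze_cache_control(url, header)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log (not real traffic): an ordinary-looking analytics beacon,
# a normal page response, and a beacon whose Cache-Control smuggles an opaque blob.
SAMPLE_LOG = [
    "https://www.google-analytics.com/__utm.gif\tprivate, no-cache, no-cache=Set-Cookie, proxy-revalidate",
    "https://shop.example/index.html\tmax-age=3600, public, must-revalidate",
    "https://analytics.example/__utm.gif\tmax-age=0, no-cache, "
    'x-cfg="Q29uc3RydWN0ZWQgc2FtcGxlIG9ubHkgLSBub3QgYSByZWFsIHBheWxvYWQ="',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.url)
        for r in f.reasons:
            print("  -", r)
```

Two of the three checks are vocabulary-based and cheap; the entropy check is what catches a payload hidden inside an otherwise valid directive, at the cost of occasional false positives on long quoted field-name lists, which is why short arguments are never scored. Run against a day of proxy logs, a rule like this surfaces the handful of hosts whose caching headers do not look like anyone's caching policy.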
I spy with my Google eye... (Score:5, Insightful)
Specifically, the extensions funneled commands into the cache-control headers of traffic that was camouflaged to appear as data related to Google analytics, which websites use to measure visitor interactions.
Good reason to use uBlock.
https://www.antevenio.com/usa/... [antevenio.com]
shun the shit (Score:3)
Re: (Score:1)
You mean uBlock Origin.
Also uMatrix over NoScript, this isn't 2008 any more.
Re: (Score:2)
Don’t you essentially need a filtering proxy server to address these things? You have to assume the browser is compromised at some point.
Re: (Score:2)
As pointed out there are limitations to man in the middle (proxy) solutions.
https://lunarwatcher.github.io... [github.io]
Re: (Score:2)
That’s DNS not proxy. There are limitations to actual proxy solutions... like the wildcard trust implications, but you can filter out a lot of the javascript before passing to the client.
Not much good. Instead, check extension permis (Score:2)
You can't depend on an extension (ublock) to disable another extension (the malicious one). If one extension can disable the other, the malicious one could just disable ublock.
What you can and should do is check the permissions of any extensions you use. Chrome has a couple dozen different API permissions so that you can check that the extension can do only what it claims to do and nothing more. For example, the very handy Reading List extension shouldn't be modifying web pages, only saving their URLs in
Re: (Score:2)
I REALLY LOVE YOU FUCK OFF.
Checking every Google search query a user made. (Score:2)
A good reason to use Bing?
the web has become a fucking minefield (Score:3)
and we're running into it with flip-flops and smiling
how the fuck did we get here...
there's something fundamentally flawed if shit goes through, even with "protections" from everywhere that most of the time the best they achieve is getting in the way of me trying to use my computer.
Re: the web has become a fucking minefield (Score:1)
Well, that's what you get, for letting granny at the controls of the LHC because you put a pretty interface over it.
Computers and the Internet are EXTREMELY complex. You cannot Appleify it and expect there not to be a disaster, unless they aren't really in control but it's more like an illusion while you are in control, like Apple does with its iDevices.
And mostly it is *needlessly* complex.
Browsers are just bad duplications of a document viewer, a file system path handling facility, a virtual machine, and
Excuse the many typos. (Score:2)
I didn't have my coffee yet, and I'm not in my time zone.
Sorry for the hassle, and thanks for understanding.
Re: (Score:2)
that is ok
Current state of /. (Score:2)