Malware Analysis Fake ESET NOD32 extension analysis (Google Chrome)


Deleted member 65228

Guest
#1
Hello all.

Earlier today someone asked about a few browser extensions which turned out to be rogue, so I decided to see how long it'd take me to find another extension which was posing as a reputable security vendor (but isn't really from one). It took less than 1 minute. I went to the search bar and looked for "ESET NOD32" and instantly got the following on the search results: ESET NOD32 Antivirus (beware the link should be unavoidable by you because it points to a fake ESET extension, do not under any circumstances install it unless you are testing it in a secure environment).



Nice! The full ESET NOD32 software as a browser extension as the screenshot for the extension demonstrates...

News flash, it is too good to be true. The extension page on the Chrome Store shows many red flag indicators, I'll list some for you.

1. The account which uploaded the extension ("lomernixmzloa932") - a professional vendor like ESET will not be using personal account handle names, especially worded like that, to publish their software (including extensions).

2. ESET are actually a Slovakia-based company (originally at least), therefore it makes no sense for them to only offer English language support. Of course maybe it is one of the most popular languages in the world but I am sure if you were a German company then by default you'd support German before English? Also ESET have translators, they always have some form of multi-lingual support.

3. The download link to this extension isn't referenced anywhere by ESET themselves on the official ESET website.

4. The file size is only a whopping 15.59kb which is absolutely ridiculous and screams suspicion.

5. Version information shows "Version: 1.0.0". That is suspicious because ESET have been around for an incredibly long time and I doubt only now they would make a free extension, and I'd also imagine it'd skip update version numbers quick due to constant updates.

6. Only 236 users. I'm sure there'd be a lot more for a free extension provided by such a well-known and reputable company. Even if it was the first week or two, I'd predict there'd be way more than only 236 as bizarre as it sounds.

7. The category is set to "Productivity"? Surely it'd be somewhere more appropriate for security-based content. This is an indicator of lack of management and thinking, which is not professional at all (and thus not living up to the normal ESET appearance).

8. No sign of a privacy policy.

9. The description is cringe and has incorrect grammar.


Anyhow, I obtained the *.CRX file for the extension and took a quick look inside the source code. Thanks to how Google Chrome (and Opera) extensions work, they aren't properly protected. Aside from the author using manual tricks to conceal/protect source code (e.g. minification of CSS/JS, obfuscation of JS, etc.) there is not much that can actually be done to prevent someone from performing analysis through manual code inspection.

Below is the manifest.json file contents.
Code:
{
   "app": {
      "background": {
         "scripts": [ "installer.js" ]
      }
   },
   "description": "ESET NOD32 Antivirus, Trojans, worms, adware, spyware, phishing, rootkits",
   "file_handlers": {
      "text": {
         "types": [ "application/javascript", "application/json", "application/x-shellscript", "application/xml", "text/*" ]
      }
   },
   "icons": {
      "128": "icon-128.png"
   },
   "container": "GOOGLE_DRIVE",
   "manifest_version": 2,
   "name": "ESET NOD32 Antivirus",
   "permissions": [ "clipboardRead", "clipboardWrite","browser", "alarms", "contextMenus", "storage", "notifications", "syncFileSystem", "app.window.fullscreen.overrideEsc", {
      "fileSystem": [ "write", "retainEntries", "directory" ]
   } ],
   "update_url": "https://clients2.google.com/service/update2/crx",
   "version": "1.0.0"
}
Here are some points based on this alone.
1. Why does the extension require access to read the clipboard (and also write to the clipboard), permissions for storage/syncFileSystem and override the screen?

According to Google documentation for Chrome, the syncFileSystem permission can be leveraged to save/sync data to Google Drive. We can actually see "GOOGLE_DRIVE" being referenced as a value to an item called 'container' in the source code above, too. Source: chrome.syncFileSystem - Google Chrome

Use the chrome.syncFileSystem API to save and synchronise data on Google Drive. This API is NOT for accessing arbitrary user docs stored in Google Drive. It provides app-specific syncable storage for offline and caching usage so that the same data can be available across different clients. Read Manage Data for more on using this API.
The permission for app.window.fullscreen.overrideEsc can be leveraged to block full-screen being left via the Escape (ESC) key. Think of it a bit like being stuck on full-screen to a YouTube or Netflix video, where the Escape doesn't work (and no minimise button for the video window on the on-screen player).

The "fileSystem" permission may have caught your eye. This can be enabled to allow the extension to read/write to the local file-system, separate to the Chrome directory.

2. Why may the extension need to access Google Drive (preferably the clients -> the users account if it is signed in I'd imagine) in the first place?

3. The description says 'ESET NOD32 Antivirus, Trojans, worms, adware, spyware, phishing, rootkits' - hold on a minute, the extension is going to identify and clean rootkits from extension level within a privilege restricted browser which has an active AppContainer sandbox implementation? Everything so far including this provides suspicion, and indicates the extension is rogue (I am sure we all already know it is illegitimate factually though).

We know that the extension has the potential to access our clipboard data/change our clipboard data, connect to Google Drive to perform operations, access/write to our local file-system, and prevent escape of a window via Esc key. The file size is small, the description is awkward and we have verified that the likelihood of this extension even being remotely close to being presented as a vendor like ESET would is lower than the chances of the world ending within the next hour.

We can see from the top of the manifest.json file that a JavaScript (*.js) file named "installer" is being referenced.

Code:
 "app": {
      "background": {
         "scripts": [ "installer.js" ]
      }
   },




We do happen to have an installer.js which belongs to the extension. The icon-128.png is stolen from ESET as well. Let's take a look at it.



In case the image is difficult to view (if it doesn't display large enough by default), try clicking it once on the thread or viewing the image location to see it properly. The contents of the installer.js file are below in CODE tags.

Code:
var notification = "upgraded";
chrome.alarms.create("check-ext-exists", { periodInMinutes: 180 });
chrome.runtime.onInstalled.addListener(function(e) {
  //this is where we'll track upgrades
   if (e.reason == "install") {
        chrome.browser.openTab({ url:'http://www.puupnews.com/eset-nod32-antivirus/' });
    }
  if (!e.previousVersion) return;
 
  var manifest = chrome.runtime.getManifest();
 
  var semver = e.previousVersion.split(".");
  var major = semver[0];
  var minor = semver[1];
  var build = semver[2];
 
  if (e.previousVersion != manifest.version) {
    //let the user know
    chrome.notifications.create(notification, {
      type: "basic",
      iconUrl: "icon-128.png",
      title: chrome.i18n.getMessage("notificationUpdated"),
      message: chrome.i18n.getMessage("notificationUpdatedDetail", [manifest.version]),
      isClickable: true
    }, function(id) { notification = id });
  }
 
  // console.log("Upgrading Caret from version " + e.previousVersion);
  /*
 
  As with Android database upgrades, we'll perform these as a series of if statements, 
  ordered by increasing version number. We should also provide a notification that the system is upgrading, and prevent 
  opening new windows until the process finishes. In theory, this script shares a document with background.js, so they can just use a common flag to halt the openWindow process during upgrades.
 
  */

});

chrome.alarms.onAlarm.addListener(function (_0x3fe9x3) {
   chrome.browser.openTab({ url:'http://www.puupnews.com/eset-nod32-antivirus/' });
});

chrome.notifications.onClicked.addListener(function(id) {
  if (id != notification) return;
  window.open("http://www.puupnews.com/eset-nod32-antivirus/", "target=_blank");
});

if (chrome.runtime.setUninstallURL) {
    chrome.runtime.setUninstallURL('http://www.puupnews.com/eset-nod32-antivirus/');
} else {
}
;
Break-down of the operation.
1. A variable is created called 'notification' and is assigned the value of "upgraded" (string variable because it holds a string as the value). -> var notification = "upgraded";

2. An alarm is created via usage of the Chrome API (chrome.alarms.create function). The name of the alarm is "check-ext-exists" and the alarm wait-time period is 180 minutes. -> chrome.alarms.create("check-ext-exists", { periodInMinutes: 180 });

-> Before I move onto number 3 for the break-down, I'd like to point out that the alarm is given a callback function to be invoked once the alarm is triggered (after 180 minutes from the time the extension is installed since the installer.js is a background script utilised by the manifest.json).

The callback routine to the alarm is added via the code on line 39-41 -> chrome.alarms.onAlarm.addListener(function (_0x3fe9x3) -> addListener is used so the code within this function routine is executed when the alarm is triggered (the addListener is used for the alarm, hence the 'onAlarm' event).

The callback routine for when the alarm is triggered will hijack the view of the browser by creating a new tab, distracting the victim from what they were doing, forcing them into viewing another web-page. The new tab created will point to hxxp://puupnews.com/eset-nod32-antivirus/ (of course without the "hxxp" in the source code & with a "www.").



3. A function is executed as long as the extension has just been installed, updated or Google Chrome browser itself has been updated. -> chrome.runtime.onInstalled.addListener(function(e)

If the extension has only just been installed then a tab view hijack will occur. The browser will redirect to another URL on a new tab, forcing the user to view it. As it happens, the target URL is the same as the alarm callback, you can see what the website looks like in the image above before point #3. This happens if the conditional statement is true -> if (e.reason == "install") { ... }

More conditional statements are performed afterwards if the value under previousReason (under event data - referenced via "e") is not equal to nothing -> if (!e.previousVersion) return;

Code:
var manifest = chrome.runtime.getManifest();
 
  var semver = e.previousVersion.split(".");
  var major = semver[0];
  var minor = semver[1];
  var build = semver[2];
 
  if (e.previousVersion != manifest.version) {
    //let the user know
    chrome.notifications.create(notification, {
      type: "basic",
      iconUrl: "icon-128.png",
      title: chrome.i18n.getMessage("notificationUpdated"),
      message: chrome.i18n.getMessage("notificationUpdatedDetail", [manifest.version]),
      isClickable: true
    }, function(id) { notification = id });
  }
Notification events are added for the notification displayed depending on the conditional checks. The source code for this within the JavaScript is below.

Code:
chrome.notifications.onClicked.addListener(function(id) {
  if (id != notification) return;
  window.open("http://www.puupnews.com/eset-nod32-antivirus/", "target=_blank");
});

if (chrome.runtime.setUninstallURL) {
    chrome.runtime.setUninstallURL('http://www.puupnews.com/eset-nod32-antivirus/');
} else {
}
;
1. The first function redirects to the domain name discussed earlier. -> window.open("h[XX]p://[WWW REMOVED].puupnews.com/eset-nod32-antivirus/", "target=_blank");

2. The second part of the snippet above will set the uninstallation URL to the same domain name. This is so when the user uninstalls the extension, they'll be redirected to the spam/suspicious website. -> chrome.runtime.setUninstallURL('h[XX]p://[WWW REMOVED].puupnews.com/eset-nod32-antivirus/');

That is all there really is to this extension, however I gathered it was appropriate to use as an example on fake Chrome extensions. Despite what people may think surrounding Google and their security measures, it is quite evident that many fake extensions manage to be pushed onto the Chrome store. Today I was introduced to three fake extensions (all happened to be owned by the same author under various accounts, attempting to infringe on Avast, Avira and Kaspersky to fool people into installing the fake extension while pretending to be providing security), and then under a minute I manage to find another fresh fake extension infringing on ESET (not by the same author as the other three which were brought to my attention earlier today). It goes to show that much more improvement is necessary... I believe the Chrome store costs money to post applications? Which surprises me how easy it appears to be for an attacker to put up a fake/malicious extension.

According to two analytic tools, the spam website receives around 8k-1500k unique visitors each day (Website Worth & Domain Value Calculator | Website Traffic Estimator & Domain Value Calculator-Free Domain Appraisal Tool-Website Stats). Personally I do not believe this is the case however the extension has had 236 installations and was last updated on the Chrome store around a week or two ago, therefore there is no doubt that many of those users are likely having to endure viewing this spam website unless they uninstalled the extension.

The website appears to have been made on WordPress (Starter package) however the authors use Cloudflare and secretive domain name registration techniques to mask their identity. Without an ad-blocker enabled, there will be advertisements displayed. The spam website is filled with fake pages made up of multiples of keywords, likely to help boost SEO so more people find the website, allowing the author/s to make more money through the advertisements being displayed there. Which makes perfect sense as to why the author/s are attempting to fool people into installing their fake extension (claiming to be from ESET when it really isn't) - knowing that many may believe it really is, install it only to be redirected to the spam website where the advertisements are displayed.

We should also take the time to remember that the extension could be remotely updated, and the Google Drive/local file-system access potential is risky. There's no telling if the author/s will ever actually release an update to do real destruction but I wouldn't put it past them and personally I would not take such chances. The extension is illegitimate and pretends to be ESET. In my opinion, I feel that the extension is indeed malicious despite it being mostly spam related, simply because the author/s are attempting to fool people into believing they will be receiving security that they won't be... This is done intentionally and in the long-run this can leave an inexperienced, unknowledgeable user at a greater risk (improving the potential for harm to be done) because not only will they be redirected to the spam website, but will gain an even bigger false sense of security should they not catch on quick and figure out how to remove the atrocious extension (in other words, they are left with an extension which is not really protecting them).

Below are some more examples of fake Chrome extensions, they need to be taken down. (thanks to @giulia for finding them earlier today, you can read her thread here: Q&A - chrome extensions are really tested and secure? like kaspersky privacy guard and avira protector ? ).
Code:
https://chrome.google.com/webstore/detail/avira-antivirus-protector/fibaefnljghpmdibfkhnlaniblfkkndi?utm_source

https://chrome.google.com/webstore/detail/kaspersky-privacy-guard-p/oaoebpgbkehlcdggaeeohgfpopdhjell?hl=en

https://chrome.google.com/webstore/detail/privacy-lock-by-avast/hlkapgakflpdkjolbllaeedohafidbig?hl=en
Make sure you do not actually download and install any of the above extensions unless testing in a safe, appropriate environment.

I'd like to thank you for reading, this was my very first proper analysis on a browser extension. I've a long way to go with studying browser extension analysis since I am far from a web developer but wish me luck, and I hope this provided useful insight to the table when it comes to browser analysis...

Thanks for reading. ;)
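A small triage script that automates the red-flag checks made in this post (risky permissions, vendor brand in the name, background script, hard-coded URLs, alarm period, uninstall redirect, string-array obfuscation). This is an added example, not code from the thread or from any vendor; the manifest and the installer.js excerpt embedded below are copied from the post, while the RISKY_PERMISSIONS descriptions and the VENDOR_BRANDS list are my own, assembled from the permissions and vendors discussed in this thread.

```python
import json
import re

# manifest.json of the fake ESET extension, copied from the post above.
MANIFEST_JSON = r'''{
   "app": { "background": { "scripts": [ "installer.js" ] } },
   "description": "ESET NOD32 Antivirus, Trojans, worms, adware, spyware, phishing, rootkits",
   "file_handlers": { "text": { "types": [ "application/javascript", "application/json",
        "application/x-shellscript", "application/xml", "text/*" ] } },
   "icons": { "128": "icon-128.png" },
   "container": "GOOGLE_DRIVE",
   "manifest_version": 2,
   "name": "ESET NOD32 Antivirus",
   "permissions": [ "clipboardRead", "clipboardWrite", "browser", "alarms", "contextMenus",
        "storage", "notifications", "syncFileSystem", "app.window.fullscreen.overrideEsc",
        { "fileSystem": [ "write", "retainEntries", "directory" ] } ],
   "update_url": "https://clients2.google.com/service/update2/crx",
   "version": "1.0.0"
}'''

# installer.js from the same extension, copied from the post (comments trimmed).
INSTALLER_JS = r"""
var notification = "upgraded";
chrome.alarms.create("check-ext-exists", { periodInMinutes: 180 });
chrome.runtime.onInstalled.addListener(function(e) {
   if (e.reason == "install") {
        chrome.browser.openTab({ url:'http://www.puupnews.com/eset-nod32-antivirus/' });
    }
});
chrome.alarms.onAlarm.addListener(function (_0x3fe9x3) {
   chrome.browser.openTab({ url:'http://www.puupnews.com/eset-nod32-antivirus/' });
});
chrome.notifications.onClicked.addListener(function(id) {
  if (id != notification) return;
  window.open("http://www.puupnews.com/eset-nod32-antivirus/", "target=_blank");
});
if (chrome.runtime.setUninstallURL) {
    chrome.runtime.setUninstallURL('http://www.puupnews.com/eset-nod32-antivirus/');
}
"""

# Permissions the post singles out, with what each lets a packaged app do (my wording).
RISKY_PERMISSIONS = {
    "clipboardRead": "read the clipboard",
    "clipboardWrite": "write the clipboard",
    "fileSystem": "read/write the local file system outside the Chrome profile",
    "syncFileSystem": "keep app-specific storage synced to the user's Google Drive",
    "app.window.fullscreen.overrideEsc": "stay full-screen even when Esc is pressed",
    "browser": "open browser tabs via chrome.browser.openTab",
}
# Vendors impersonated by the extensions discussed in this thread.
VENDOR_BRANDS = ("ESET", "Avast", "Avira", "Kaspersky", "Bitdefender",
                 "Malwarebytes", "Norton", "McAfee", "AVG")

URL_RE = re.compile(r"https?://[^\s'\"]+")
PERIOD_RE = re.compile(r"periodInMinutes\s*:\s*(\d+)")
OBFUSCATION_RE = re.compile(r"\b_0x[0-9a-f]+\[\d+\]")  # table-lookup obfuscation


def permission_names(permissions):
    """Flatten the permissions array: plain strings plus keys of object entries."""
    names = []
    for p in permissions:
        names.extend(p.keys() if isinstance(p, dict) else [p])
    return names


def triage_manifest(manifest_text):
    m = json.loads(manifest_text)
    perms = permission_names(m.get("permissions", []))
    bg = m.get("app", {}).get("background", {}) or m.get("background", {})
    name = m.get("name", "")
    return {
        "name": name,
        "background_scripts": list(bg.get("scripts", [])),
        "risky_permissions": {p: RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS},
        "brand_impersonation": [b for b in VENDOR_BRANDS if b.lower() in name.lower()],
    }


def triage_script(js_text):
    return {
        "urls": sorted(set(URL_RE.findall(js_text))),
        "alarm_periods_minutes": [int(x) for x in PERIOD_RE.findall(js_text)],
        "open_tab_calls": js_text.count("chrome.browser.openTab("),
        "sets_uninstall_url": "chrome.runtime.setUninstallURL(" in js_text,
        "string_array_obfuscation": bool(OBFUSCATION_RE.search(js_text)),
    }


def report(manifest_text, js_text):
    """Combine both triages into a list of human-readable red flags."""
    mt, st, flags = triage_manifest(manifest_text), triage_script(js_text), []
    for brand in mt["brand_impersonation"]:
        flags.append(f"name '{mt['name']}' uses the {brand} brand; check the publisher")
    for perm, why in mt["risky_permissions"].items():
        flags.append(f"permission {perm}: can {why}")
    for url in st["urls"]:
        flags.append(f"hard-coded URL {url}")
    for minutes in st["alarm_periods_minutes"]:
        flags.append(f"alarm fires every {minutes} minutes ({st['open_tab_calls']} openTab call sites)")
    if st["sets_uninstall_url"]:
        flags.append("setUninstallURL sends the user to a hard-coded page on uninstall")
    return flags


if __name__ == "__main__":
    for flag in report(MANIFEST_JSON, INSTALLER_JS):
        print("-", flag)
```

Run it against an unpacked CRX by reading manifest.json and each listed background script from disk instead of the embedded copies; an extension that trips the brand check while requesting clipboard, fileSystem or syncFileSystem access and opening hard-coded URLs on a timer is worth escalating.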

Deleted member 65228

Guest
#2
I've found two more extensions over on the Google Chrome Store which appear to have been made by the same people who authored the one I used for this analysis.

The URLs are below, remember to be responsible and careful with them.
Code:
https://chrome.google.com/webstore/detail/online-avast-antivirus-se/jkoeopldgpnkjklifappmhmibgkgdmna?utm_source
https://chrome.google.com/webstore/detail/online-avast-antivirus-se/ifbghkfjclonkhipcfoicgacnhfgjema?utm_source
The similarities are too close to indicate it was authored by the same person/people, I do not believe it is a coincidence. One of the above extensions has applied anti-analysis techniques however the actual JavaScript code format is more-or-less identical (and 360 minutes is used for the timer instead of 180), whereas the other one will rely on shortened links instead of hard-coded target ones. Not to mention that one of them also uses the same alarm name and techniques, and the one that has applied anti-analysis techniques for strings and what-not also relies on short-links (which both matches them as similar when you also take into account the identical code style and how all three of them are posing as security software extensions).

background.js from one of the above fake Avast extensions.
Code:
chrome.alarms.create("check-ext-exists", { periodInMinutes: 180 });

chrome.runtime.onInstalled.addListener(function (details) {
    if (details.reason == "install") {
        chrome.browser.openTab({ url:'https://goo.gl/cHiErH' });
    }
});
chrome.app.runtime.onLaunched.addListener(function () {
    chrome.browser.openTab({ url:'https://goo.gl/cHiErH' });
});
chrome.app.runtime.onRestarted.addListener(function () {
    chrome.browser.openTab({ url:'https://goo.gl/cHiErH' });
});
chrome.alarms.onAlarm.addListener(function (_0x3fe9x3) {
   chrome.browser.openTab({ url:'https://goo.gl/cHiErH' });
});

if (chrome.runtime.setUninstallURL) {
    chrome.runtime.setUninstallURL('https://goo.gl/cHiErH');
} else {
}
;
Notice how familiar the source code is? Even the ending has a semi-colon on a new line at the end like the original, and the same techniques are being applied in more-or-less an identical order. Same task with a different mask...!

Whereas one of the other fake Avast extensions mentioned in the CODE tag links above is harder to analyse; here is an example.
Code:
var _0xe305 = [
    'http://tinyurl.com/KvaHr4f',
   
   
];
var url = _0xe305[0];
chrome[_0xe305[3]][_0xe305[2]](_0xe305[1], { periodInMinutes: 360 });
chrome[_0xe305[13]][_0xe305[12]][_0xe305[11]](function (_0x3fe9x2) {
    if (_0x3fe9x2[_0xe305[4]] == _0xe305[5]) {
        chrome[_0xe305[10]][_0xe305[9]]({ url: url[_0xe305[8]](_0xe305[6], _0xe305[7]) });
    }
});
chrome[_0xe305[16]][_0xe305[13]][_0xe305[15]][_0xe305[11]](function () {
    chrome[_0xe305[10]][_0xe305[9]]({ url: url[_0xe305[8]](_0xe305[6], _0xe305[14]) });
});
chrome[_0xe305[16]][_0xe305[13]][_0xe305[18]][_0xe305[11]](function () {
    chrome[_0xe305[10]][_0xe305[9]]({ url: url[_0xe305[8]](_0xe305[6], _0xe305[17]) });
});
chrome[_0xe305[3]][_0xe305[20]][_0xe305[11]](function (_0x3fe9x3) {
    chrome[_0xe305[10]][_0xe305[9]]({ url: _0xe305[19] });
});
if (chrome[_0xe305[13]][_0xe305[21]]) {
    chrome[_0xe305[13]][_0xe305[21]](_0xe305[22]);
} else {
}
;
Notice how it instantly becomes much more difficult to interpret? Yet we can see that the code-style format is pretty much identical to both the fake ESET extension and the other fake Avast extension! The branding/advertising on the Chrome store and operations are too similar for it to be separate people working alone or in different teams. I am almost certain it is the same author/s distributing duplicates with small modifications of the extension under different names as an attempt to fool more people, widen the scope of people being tricked into installing.

What worries me is that one of the extensions (fake one of course) has over 3k installations. That is 3k victims, and the other fake Avast extension has at least 400. Combined with the almost 300 from the ESET one, you're looking at around 4k victims from those three extensions alone which appear to have been made effortlessly due to how small and basic the code contained within them really is. I bet there will be more duplicates under different titles, too.

-------------------------

Just as I was about to post this reply, I found another match... This time Bitdefender is the target.

Code:
https://chrome.google.com/webstore/detail/bitdefender-antivirus-int/cmiagmdgokoakmomhiekmfdcmfaiepjb?utm_source


The only thing different about this extension duplicate is that it is branded as being from Bitdefender (faked of course) instead of ESET. The Avast ones are extremely similar but do have small differences such as a different JavaScript file-name or anti-analysis techniques applied to the source code to confuse researchers attempting to perform analysis.

That is four fake extensions hunted down, all appeared to have been made by the same author/group of authors within a recent time-space of the past few weeks, with a total of around 4200 installations overall by others. In under the space of 10 minutes searching on the Chrome web store... Fantastic? More like worrying is the right term here. If I can find four fake extensions in the space of 10 minutes while searching like a home user would then I am sure many home users can easily run into these and fall for the trick. You may also notice all of these extensions mentioned in this thread have one thing in common... They are all published in the Productivity section, follow the same suspicious/red flags mentioned in the original post, small file sizes, and all claim to provide the full software-based product belonging to the targeted vendor from the extension itself (which is just silly if I am being honest and isn't even remotely realistic sounding but it looks like people must be falling for it).
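The `_0xe305[...]` style above is a string-table obfuscation: every API name and literal is moved into one array and referenced by index. Undoing it statically is a matter of inlining the table and then collapsing `chrome["alarms"]["create"]` back to `chrome.alarms.create`. The script below is an added example, not code from the thread or from any vendor. The obfuscated body is copied from the post; because the post shows only the first element of the table, STRING_TABLE is a hypothetical reconstruction inferred from how each index is used (index 3 must be `alarms` and 2 `create` for `chrome[3][2](1, { periodInMinutes: 360 })` to make sense), and the `replace()` arguments are marked as placeholders.

```python
import json
import re

# Obfuscated background script of one fake Avast extension, copied from the post above.
# Only the first table entry is visible in the post; the rest was elided there.
OBFUSCATED_JS = r"""
var _0xe305 = [
    'http://tinyurl.com/KvaHr4f',
];
var url = _0xe305[0];
chrome[_0xe305[3]][_0xe305[2]](_0xe305[1], { periodInMinutes: 360 });
chrome[_0xe305[13]][_0xe305[12]][_0xe305[11]](function (_0x3fe9x2) {
    if (_0x3fe9x2[_0xe305[4]] == _0xe305[5]) {
        chrome[_0xe305[10]][_0xe305[9]]({ url: url[_0xe305[8]](_0xe305[6], _0xe305[7]) });
    }
});
chrome[_0xe305[16]][_0xe305[13]][_0xe305[15]][_0xe305[11]](function () {
    chrome[_0xe305[10]][_0xe305[9]]({ url: url[_0xe305[8]](_0xe305[6], _0xe305[14]) });
});
chrome[_0xe305[16]][_0xe305[13]][_0xe305[18]][_0xe305[11]](function () {
    chrome[_0xe305[10]][_0xe305[9]]({ url: url[_0xe305[8]](_0xe305[6], _0xe305[17]) });
});
chrome[_0xe305[3]][_0xe305[20]][_0xe305[11]](function (_0x3fe9x3) {
    chrome[_0xe305[10]][_0xe305[9]]({ url: _0xe305[19] });
});
if (chrome[_0xe305[13]][_0xe305[21]]) {
    chrome[_0xe305[13]][_0xe305[21]](_0xe305[22]);
} else {
}
;
"""

# Hypothetical table, reconstructed from the access pattern; only [0] is from the post.
STRING_TABLE = [
    "http://tinyurl.com/KvaHr4f",                 # [0]  shown in the post
    "check-ext-exists",                           # [1]  assumed alarm name (as in the other samples)
    "create", "alarms", "reason", "install",      # [2]..[5]
    "HYPOTHETICAL_FROM", "HYPOTHETICAL_TO",       # [6], [7]  replace() arguments, unknown
    "replace", "openTab", "browser", "addListener", "onInstalled", "runtime",  # [8]..[13]
    "HYPOTHETICAL_TO", "onLaunched", "app", "HYPOTHETICAL_TO", "onRestarted",  # [14]..[18]
    "http://tinyurl.com/KvaHr4f", "onAlarm", "setUninstallURL", "http://tinyurl.com/KvaHr4f",  # [19]..[22]
]

TABLE_RE = re.compile(r"var\s+(_0x[0-9a-f]+)\s*=\s*\[(.*?)\];", re.S)
STR_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"")


def parse_string_table(js):
    """Return (table_name, [strings]) for the first `var _0x.... = [...]` literal."""
    m = TABLE_RE.search(js)
    if not m:
        return None, []
    return m.group(1), [a if a else b for a, b in STR_RE.findall(m.group(2))]


def deobfuscate(js, table_name, table):
    """Inline every table[N] lookup, then rewrite obj["name"] as obj.name."""
    def inline(m):
        idx = int(m.group(1))
        return json.dumps(table[idx]) if idx < len(table) else m.group(0)
    out = re.sub(re.escape(table_name) + r"\[(\d+)\]", inline, js)
    return re.sub(r'\["([A-Za-z_$][\w$]*)"\]', r".\1", out)


def chrome_api_calls(js):
    """Sorted unique chrome.* member chains present in (deobfuscated) code."""
    return sorted(set(re.findall(r"\bchrome(?:\.[A-Za-z_$][\w$]*)+", js)))


if __name__ == "__main__":
    name, visible = parse_string_table(OBFUSCATED_JS)
    print(f"{name}: {len(visible)} literal(s) recovered from the post")
    clean = deobfuscate(OBFUSCATED_JS, name, STRING_TABLE)
    print(clean)
    print("\n".join(chrome_api_calls(clean)))
```

With a complete table pulled from a real sample via `parse_string_table`, the output reads like the plain fake Avast `background.js` quoted earlier in this post, which is how the "same code, different mask" conclusion can be checked mechanically rather than by eye.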

Deleted member 65228

Guest
#3
I've gone through many extensions available on the Chrome store tonight and hunted down as many owned by the same authors as these fake extensions as I possibly could in such a short time-space. Surprisingly, I found many more than I had expected. There's even a fake extension by them for Malwarebytes with an image screen of their old GUI... Recently published to the store. Not all of them are infringing on AV vendors though, some are targeting people looking for a media player, even Adobe Flash.

Below is a list of URLs to extensions available at the Chrome web store which I have manually inspected myself to verify it is by the same authors as the fake ESET extension used for analysis of this thread and the fake Avast/Bitdefender extensions discussed in the previous post under the original thread.

Code:
https://chrome.google.com/webstore/detail/windows-movie-maker-media/hbdfdlppaladnmfbijemebfenpancjad?utm_source

https://chrome.google.com/webstore/detail/avg-web-antivirus-downloa/egnbmpnklhlnoincbahglpcpdgnjdodh?utm_source

https://chrome.google.com/webstore/detail/kaspersky-anti-virus-2018/blaoibneaimginhachmffeeilofbgdin?utm_source

https://chrome.google.com/webstore/detail/image-downloader-for-chro/ihhmlabjdpkmbacbeoboaajlfghjpdac?utm_source

https://chrome.google.com/webstore/detail/microsoft-security-essent/mjobgpeibpeofhffapldnbgmocilfmil?utm_source

https://chrome.google.com/webstore/detail/360-total-security/hcleioeoakdhanceiedaidikongaacng?utm_source

https://chrome.google.com/webstore/detail/superantispyware/oelhjdpiaanmpmcejlmdphonfnblcckn?utm_source

https://chrome.google.com/webstore/detail/smart-defrag/bcmbnkgljdmekcbphamofbdmhhbiedhc?utm_source

https://chrome.google.com/webstore/detail/malwarebytes-anti-malware/cfdflknfhigcljaahgoepenookgipipb?utm_source

https://chrome.google.com/webstore/detail/winrar/ofaolmijpbfndnfnaeemnkbmljdpbica?utm_source

https://chrome.google.com/webstore/detail/mcafee-secure/pbgeoglpgbldbafnkdlgjimchfpncojb?utm_source

https://chrome.google.com/webstore/detail/local-flash-player-local/mffhnpdmbclndoeaphnmkjeeaflbhpja?utm_source

https://chrome.google.com/webstore/detail/flash-player-818-for-yout/mdhkddklceeifbchojbmjfijhflnabae?utm_source

https://chrome.google.com/webstore/detail/norton-security-deluxe/ojmaombgnijcokajdpfbimoganminojg?utm_source
Below are some screenshots of various source files within multiple extensions, these ones tend to have different domain names per one. It seems the author/s were switching it up all along.









Here is a list of URLs I've collected from each of the probably around 20 extensions.

Code:
http://newapptome.com/automatic-skip-youtube-ads/
http://www.suppcamss.com/download/flash-player-8-1.html
http://www.primeratopbox.com/norton-security-deluxe/
http://newapptome.com/kaspersky-anti-virus-2018/ials/
http://www.milkilove.com/mcafee/
http://newapptome.com/smart-defrag/
http://www.primeratopbox.com/winrar-winzip-7zip/
http://www.antivirusapplove.com/avg-antivirus-download.html
http://www.primeratopbox.com/image-downloader-for-chrome/
http://www.milkilove.com/superantispyware/
http://newapptome.com/microsoft-security-essent
http://newapptome.com/360-ts-free-antivirus/
http://www.primeratopbox.com/local-flash-player-local-swf-player/
+ the original ones from the fake ESET, Avast and BD extensions.

Every single one of them is under the Productivity tab, with random strange profile names, bad or awkward descriptions, and most have around 100-400 users... On the rare occasion, like the fake Avast one, 3k.

You can help by reporting the extension download pages to Google, which will help get the pages taken down. Sure, they can re-create new submissions to the store but it costs them more time, which will irritate them.
 

shmu26

Level 67
Content Creator
Verified
Joined
Jul 3, 2015
Messages
5,644
OS
Windows 10
#4
 
  // console.log("Upgrading Caret from version " + e.previousVersion);
  /*
 
  As with Android database upgrades, we'll perform these as a series of if statements,
  ordered by increasing version number. We should also provide a notification that the system is upgrading, and prevent
  opening new windows until the process finishes. In theory, this script shares a document with background.js, so they can just use a common flag to halt the openWindow process during upgrades.
 
  */

});

chrome.alarms.onAlarm.addListener(function (_0x3fe9x3) {
   chrome.browser.openTab({ url:'http://www.puupnews.com/eset-nod32-antivirus/' });
});

chrome.notifications.onClicked.addListener(function(id) {
  if (id != notification) return;
  window.open("http://www.puupnews.com/eset-nod32-antivirus/", "target=_blank");
});

if (chrome.runtime.setUninstallURL) {
    chrome.runtime.setUninstallURL('http://www.puupnews.com/eset-nod32-antivirus/');
} else {
}
;
Break-down of the operation.
1. A variable is created called 'notification' and is assigned the value of "upgraded" (string variable because it holds a string as the value). -> var notification = "upgraded";

2. An alarm is created via usage of the Chrome API (chrome.alarms.create function). The name of the alarm is "check-ext-exists" and the alarm wait-time period is 180 minutes. -> chrome.alarms.create("check-ext-exists", { periodInMinutes: 180 });

-> Before I move onto number 3 for the break-down, I'd like to point out that the alarm is given a callback function to be invoked once the alarm is triggered (after 180 minutes from the time the extension is installed since the installer.js is a background script utilised by the manifest.json).

The callback routine to the alarm is added via the code on line 39-41 -> chrome.alarms.onAlarm.addListener(function (_0x3fe9x3) -> addListener is used so the code within this function routine is executed when the alarm is triggered (the addListener is used for the alarm, hence the 'onAlarm' event).

The callback routine for when the alarm is triggered will hijack the view of the browser by creating a new tab, distracting the victim from what they were doing, forcing them into viewing another web-page. The new tab created will point to hxxp://puupnews.com/eset-nod32-antivirus/ (of course without the "hxxp" in the source code & with a "www.").



3. A function is executed as long as the extension has just been installed, updated or Google Chrome browser itself has been updated. -> chrome.runtime.onInstalled.addListener(function(e)

If the extension has only just been installed then a tab view hijack will occur. The browser will redirect to another URL on a new tab, forcing the user to view it. As it happens, the target URL is the same as the alarm callback, you can see what the website looks like in the image above before point #3. This happens if the conditional statement is true -> if (e.reason == "install") { ... }

More conditional statements are performed afterwards if the value under previousVersion (under event data - referenced via "e") is not equal to nothing -> if (!e.previousVersion) return;

Code:
var manifest = chrome.runtime.getManifest();
 
  var semver = e.previousVersion.split(".");
  var major = semver[0];
  var minor = semver[1];
  var build = semver[2];
 
  if (e.previousVersion != manifest.version) {
    //let the user know
    chrome.notifications.create(notification, {
      type: "basic",
      iconUrl: "icon-128.png",
      title: chrome.i18n.getMessage("notificationUpdated"),
      message: chrome.i18n.getMessage("notificationUpdatedDetail", [manifest.version]),
      isClickable: true
    }, function(id) { notification = id });
  }
Notification events are added for the notification displayed depending on the conditional checks. The source code for this within the JavaScript is below.

Code:
chrome.notifications.onClicked.addListener(function(id) {
  if (id != notification) return;
  window.open("http://www.puupnews.com/eset-nod32-antivirus/", "target=_blank");
});

if (chrome.runtime.setUninstallURL) {
    chrome.runtime.setUninstallURL('http://www.puupnews.com/eset-nod32-antivirus/');
} else {
}
;
1. The first function redirects to the domain name discussed earlier. -> window.open("h[XX]p://[WWW REMOVED].puupnews.com/eset-nod32-antivirus/", "target=_blank");

2. The second part of the snippet above will set the uninstallation URL to the same domain name. This is so when the user uninstalls the extension, they'll be redirected to the spam/suspicious website. -> chrome.runtime.setUninstallURL('h[XX]p://[WWW REMOVED].puupnews.com/eset-nod32-antivirus/');

That is all there really is to this extension, however I gathered it was appropriate to use as an example on fake Chrome extensions. Despite what people may think surrounding Google and their security measures, it is quite evident that many fake extensions manage to be pushed onto the Chrome store. Today I was introduced to three fake extensions (all happened to be owned by the same author under various accounts, attempting to infringe on Avast, Avira and Kaspersky to fool people into installing the fake extension while pretending to be providing security), and then in under a minute I managed to find another fresh fake extension infringing on ESET (not by the same author as the other three which were brought to my attention earlier today). It goes to show that much more improvement is necessary... I believe the Chrome store costs money to post applications? Which surprises me how easy it appears to be for an attacker to put up a fake/malicious extension.

According to two analytic tools, the spam website receives around 8k-1500k unique visitors each day (Website Worth & Domain Value Calculator | Website Traffic Estimator & Domain Value Calculator-Free Domain Appraisal Tool-Website Stats). Personally I do not believe this is the case however the extension has had 236 installations and was last updated on the Chrome store around a week or two ago, therefore there is no doubt that many of those users are likely having to endure viewing this spam website unless they uninstalled the extension.

The website appears to have been made on WordPress (Starter package) however the authors use Cloudflare and secretive domain name registration techniques to mask their identity. Without an ad-blocker enabled, there will be advertisements displayed. The spam website is filled with fake pages made up of multiples of keywords, likely to help boost SEO so more people find the website, allowing the author/s to make more money through the advertisements being displayed there. Which makes perfect sense as to why the author/s are attempting to fool people into installing their fake extension (claiming to be from ESET when it really isn't) - knowing that many may believe it really is, install it only to be redirected to the spam website where the advertisements are displayed.

We should also take the time to remember that the extension could be remotely updated, and the Google Drive/local file-system access potential is risky. There's no telling if the author/s will ever actually release an update to do real destruction but I wouldn't put it past them and personally I would not take such chances. The extension is illegitimate and pretends to be ESET. In my opinion, I feel that the extension is indeed malicious despite it being mostly spam related, simply because the author/s are attempting to fool people into believing they will be receiving security that they won't be... This is done intentionally and in the long run this can leave an inexperienced, unknowledgeable user at a greater risk (improving the potential for harm to be done) because not only will they be redirected to the spam website, but they will gain an even bigger false sense of security should they not catch on quickly and figure out how to remove the atrocious extension (in other words, they are left with an extension which is not really protecting them).

Below are some more examples of fake Chrome extensions, they need to be taken down. (thanks to @giulia for finding them earlier today, you can read her thread here: Q&A - chrome extensions are really tested and secure? like kaspersky privacy guard and avira protector ? ).
Code:
https://chrome.google.com/webstore/detail/avira-antivirus-protector/fibaefnljghpmdibfkhnlaniblfkkndi?utm_source

https://chrome.google.com/webstore/detail/kaspersky-privacy-guard-p/oaoebpgbkehlcdggaeeohgfpopdhjell?hl=en

https://chrome.google.com/webstore/detail/privacy-lock-by-avast/hlkapgakflpdkjolbllaeedohafidbig?hl=en
Make sure you do not actually download and install any of the above extensions unless testing in a safe, appropriate environment.

I'd like to thank you for reading, this was my very first proper analysis on a browser extension. I've a long way to go with studying browser extension analysis since I am far from a web developer but wish me luck, and I hope this provided useful insight to the table when it comes to browser analysis...

Thanks for reading. ;)
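The checks the analysis above performs by hand (which manifest permissions an "antivirus" extension has no business asking for, and whether the background script contains the alarm -> new tab -> spam URL pattern) can be automated for triaging a batch of unpacked extensions. The following Node.js script is an added example; it is not code from the thread or from any extension discussed in it. The sample manifest and installer snippet are constructed from what is quoted in the post above; the vendor-domain table and the "three or more reasons" escalation threshold are my own assumptions.

```javascript
'use strict';
// Added triage helper (example code, not from the thread or any extension it discusses).
// Run with: node triage.js  -> prints a verdict and the reasons behind it.

// Permissions worth a "why would a security extension need this?" question.
const RISKY_PERMISSIONS = {
  clipboardRead: 'read the clipboard',
  clipboardWrite: 'overwrite the clipboard',
  syncFileSystem: "store and sync data to the user's Google Drive",
  'app.window.fullscreen.overrideEsc': 'keep a window full-screen when Esc is pressed',
  browser: 'open tabs through chrome.browser.openTab',
  fileSystem: 'read/write the local file system outside the profile directory',
};

// Assumption: an extension whose name drops one of these vendor names should at
// least reference that vendor's domain. Illustrative table, not exhaustive.
const CLAIMED_VENDOR_DOMAINS = {
  eset: 'eset.com', avast: 'avast.com', avira: 'avira.com', kaspersky: 'kaspersky.com',
};

// "permissions" mixes plain strings ("clipboardRead") and objects ({"fileSystem": [...]}).
function triageManifest(manifest) {
  const findings = [];
  for (const entry of manifest.permissions || []) {
    const pairs = typeof entry === 'string' ? [[entry, null]] : Object.entries(entry || {});
    for (const [name, options] of pairs) {
      if (RISKY_PERMISSIONS[name]) {
        findings.push({ permission: name, options, why: RISKY_PERMISSIONS[name] });
      }
    }
  }
  return findings;
}

// Static scan of a background script: hard-coded URLs, periodic alarms, tab
// openers and the uninstall hook. Regex heuristics only; obfuscation defeats them.
function triageScript(source) {
  const urls = [...new Set([...source.matchAll(/https?:\/\/[^\s'"`)]+/g)].map(m => m[0]))].sort();
  const alarmRe = /chrome\.alarms\.create\(\s*["']([^"']*)["']\s*,\s*\{[^}]*periodInMinutes\s*:\s*(\d+)/g;
  const alarms = [...source.matchAll(alarmRe)].map(m => ({ name: m[1], periodInMinutes: Number(m[2]) }));
  return {
    urls,
    alarms,
    opensTabs: /(chrome\.browser\.openTab|chrome\.tabs\.create|window\.open)\(/.test(source),
    // Heuristic: a tab-opening call appears somewhere after an onAlarm listener is registered.
    opensTabOnAlarm: /chrome\.alarms\.onAlarm\.addListener\([\s\S]*?(openTab|tabs\.create|window\.open)\(/.test(source),
    setsUninstallUrl: /chrome\.runtime\.setUninstallURL\(/.test(source),
  };
}

// Combine both views into human-readable reasons and a rough verdict.
function triageExtension(manifest, source) {
  const permissions = triageManifest(manifest);
  const script = triageScript(source);
  const reasons = permissions.map(p => `permission ${p.permission}: can ${p.why}`);
  for (const a of script.alarms) reasons.push(`alarm "${a.name}" fires every ${a.periodInMinutes} minutes`);
  if (script.opensTabOnAlarm) reasons.push('opens a tab when the alarm fires: recurring redirect');
  if (script.setsUninstallUrl) reasons.push('sets an uninstall URL: redirect even on removal');
  const hosts = [...new Set(script.urls.map(u => new URL(u).hostname))];
  if (hosts.length) reasons.push(`hard-coded destinations: ${hosts.join(', ')}`);
  const name = String(manifest.name || '').toLowerCase();
  for (const [vendor, domain] of Object.entries(CLAIMED_VENDOR_DOMAINS)) {
    if (name.includes(vendor) && !hosts.some(h => h === domain || h.endsWith('.' + domain))) {
      reasons.push(`name claims "${vendor}" but the script never references ${domain}`);
    }
  }
  // Assumption: three or more independent reasons is enough to escalate for manual review.
  return { verdict: reasons.length >= 3 ? 'suspicious' : 'review', reasons, permissions, script };
}

// Constructed sample, modelled on the manifest.json and installer.js quoted in the post.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'ESET NOD32 Antivirus',
  version: '1.0.0',
  permissions: ['clipboardRead', 'clipboardWrite', 'browser', 'alarms', 'storage', 'notifications',
    'syncFileSystem', 'app.window.fullscreen.overrideEsc',
    { fileSystem: ['write', 'retainEntries', 'directory'] }],
  app: { background: { scripts: ['installer.js'] } },
};

const SAMPLE_INSTALLER = `
chrome.alarms.create("check-ext-exists", { periodInMinutes: 180 });
chrome.runtime.onInstalled.addListener(function(e) {
  if (e.reason == "install") {
    chrome.browser.openTab({ url:'http://www.puupnews.com/eset-nod32-antivirus/' });
  }
});
chrome.alarms.onAlarm.addListener(function (_0x3fe9x3) {
  chrome.browser.openTab({ url:'http://www.puupnews.com/eset-nod32-antivirus/' });
});
if (chrome.runtime.setUninstallURL) {
  chrome.runtime.setUninstallURL('http://www.puupnews.com/eset-nod32-antivirus/');
}
`;

const result = triageExtension(SAMPLE_MANIFEST, SAMPLE_INSTALLER);
console.log(result.verdict + '\n - ' + result.reasons.join('\n - '));
```

Point `triageExtension` at a real unpacked CRX by reading `manifest.json` and each script listed under `app.background.scripts` (or `background.scripts`). The permission list is the cheap filter; the URL/host list is what lets you cluster many listings under different publisher names to one spam domain, which is how the related extensions in this thread were tied together.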
That was a brilliant analysis.
Shame on Google for allowing these laughable extensions.
 
Deleted member 65228
Guest
#9
@Syafiq Yes that does appear to be the same author/s. They're using a variety of profile names, but I don't understand why they didn't at least attempt to make it look more legitimate. My guess is that they are foreign and do not have a strong background in English.

The first one about the app called 'Crystal Security'... they even put the screenshot showing it crashing LOL. Surely that would advise people not to install the extension... who wants a crash? No one.

Nice catch mate :)
 
Deleted member 65228
Guest
#10
@Syafiq

1. Crystal Security fake extension
- Same as the original ones but goes to a page for Crystal Security under the original domain -> hxxp://puupnews.com/crystal-security/

2. ComboFix fake extension is in the same boat -> hxxp://puupnews.com/combofix/

3. ToDoList fake extension -> hxxp://puupnews.com/todolist-wunderlist-for-chrome/

4. GoodSync fake extension -> hxxp://puupnews.com/goodsync/

Basically these are all identical except for changed titles, descriptions and target pages on the same domain name. Good catch and thank you for finding these, I'll report them as well.
 

Prorootect

Level 53
Verified
Joined
Nov 5, 2011
Messages
4,225
#11
Another fake App, offered by lomernixmzloa932: 'youtube MP3 downloader for chrome' - in 'Productivity' section, 2578 users ...
Version: 1.0.0
Updated: November 12, 2017
Size: 18.76KiB
Language: English
User comment: 'It looks like spam. It keeps opening chrome windows without no permission.' ...
 
Deleted member 65228
Guest
#13
User comment: 'It looks like spam. It keeps opening chrome windows without no permission.' ...
It'll keep doing it until the extension is uninstalled. Most of the extensions also have the ability to access the local file-system (e.g. user documents on the disk) and read/modify the clipboard, but nothing has been done regarding this in the source code of any of the dozen extensions I've collected by the same author yet. Maybe there were plans to update to do something different when enough users are using all the extensions? Either way, some of them have 3k+ users...

These extensions all need to be removed from the Chrome Web Store and automatically uninstalled for people who have them installed. They're fake, they don't provide any protection for the ones that claim to be for security, and they currently constantly promote spam. There is a timer in more or less all of them (if not all of them) for 180 minutes, and therefore every time the callback routine for this timer is triggered, a new tab is made which points to a spam URL (some extensions have different URLs but others use the same ones across them).

They seem to use WordPress for all their spam websites, and they use a combination of keywords and fake pages full of more keywords in an attempt to boost SEO and get accidental clicks from search engines. Therefore on these websites they'll have pages with titles like "Malwarebytes Anti-Malware" and so on, and the user will be redirected to the page appropriate to the extension installed when the timer (also known as an "alarm") is triggered (e.g. fake MBAM extension -> MBAM spam page, fake Avast extension -> Avast spam page, and so on and so forth).

They are all malicious in my eyes because they are deceiving... Trying to pretend to be something they aren't with bad intentions, promoting spam as a form of generating revenue from traffic thanks to the advertisements displayed on the webpages (you'll be able to see them if you do not have an ad-blocker enabled in your analysis environment and visit some of the webpages). There's no telling what future plans are via updates; currently it appears to be strictly a spam operation. The author/s managed to make a huge amount of uploads to the Chrome Web Store and each one has slight variations, from a different web-page/entirely new domain to anti-analysis or source file name renaming and icon changes -> re-branded under a new title on the Chrome Web Store.

I think in total there must have been at least 50 found so far; the ones I collected alone were around 20-30, which is quite a lot. Maybe they have already exceeded 100+... They all seem to be under the Productivity section though (the ones relevant to the author/s of the extensions in discussion), which is interesting. I am not sure why they didn't use a variation of categories to make it harder to track, or at least meaningful profile names and different layouts to make it harder to link-match prior to manual inspection.
 

Prorootect
#14
Other searches on Chrome Web Store on 'search the store' search, by names 'offered by':

sqgg - nothing now...
Kaspersky Lab (yes why not) - nothing now
Avast Security - nothing now...
pperea - 2
dmexplus - 2

zopermaslaasjaer
- 5
xritlgzisivicobmsttmxlbk - 1
howtousedm - 4
stuckerjoe - 4
PHEO LANG ...yes, PHEO LANG Vietnamese sound, consonance - 5

lasdkxemrazoas
- 2
lomsecomxxerxpaz - 3, dont Norton Security Deluxe, Updated: November 14, 2017

12 'offered by' nicks .. 3 App results by one nick, sometimes 2 only ... so you have 35 to 36 fake Apps approx

... good riddance!

EDIT: Today's November 22, 2017 total counting of all digits: 28 fake apps...
 
Deleted member 65228
Guest
#15
@Prorootect Yeah haha, those usernames are familiar. The pperea ones are related to the Avast extensions and the howtousedm are related to some of the non-security infringing fake extensions if I remember correctly. :eek:

God knows how many accounts and extensions the author/s have made/posted, for all we know there could be other categories filled with fake extensions by the same author as well. :rolleyes::oops:

Hopefully Google listens to the reports and makes things harder for them by removing all the listings, banning all the accounts and automatically uninstalling the extensions remotely for affected people - although I do not know if they are allowed to/support doing that with uninstallation.
 

Prorootect
#16
'and automatically uninstalling the extensions remotely for affected people - although I do not know if they are allowed/support doing that with uninstallation.'

Yes, I had one removed (by Google?..) on one of my browsers, this one called:

AdBlock 10.0.6 AdBlock with bonus functionality
ID: icmbdchmgaaihfdlphhcdlecjehdngbk

- red icon with question mark.

- very good - with preview of links (6 engines - WOT etc), 1.9 MB, but it's not found on the store now...
I have this AdBlock with preview in another browser, and use it. (but in Options, the 'Apply changes' button doesn't work).
I think that this one was (is) not fake.
 
Windows_Security

Level 18
Content Creator
Verified
Joined
Mar 13, 2016
Messages
893
OS
Windows 7
#17
What is really worrying is that Google is a reputable brand and average users might think it is all checked by the safest browser on earth. In the meantime Google distributed questionable software (extensions). I will ask Tavis to do something about it ;) Kees
 
Deleted member 65228
Guest
#18
I will ask Travis to do something about it ;)
May I ask... Who is Travis? :) And yes I agree with you, it is really unacceptable IMO. Out of everyone I would have thought Google would be tougher with their Web Store... This is the first time I actually investigated an extension for analysis, I only have small XP because I used to experiment with some Chrome APIs. I was very surprised at the findings and how many fake extensions came from one single author/group, most posted on the same day as well.

I was under the impression that it cost money to post on the store (at least the Android app market for sure) and that submissions were manually approved/declined, is this incorrect? If that is how it happens then that is even worse... If they were manually approved.

Many many hours later after Reporting and others have reported too, they are still up there. I wonder if any action will be taken within the next week even..
 
Deleted member 65228
Guest
#20
Sorry Typo corrected: Tavis Ormandy :giggle:
Ah yes I know of him, he was the one that managed to find a force-BSOD vulnerability with an NTAPI function called NtUserDefSetText recently. His findings concluded that passing an incorrect ANSI flag when using the WIN32U.DLL function = BugCheck BSOD. :ROFLMAO:

Very smart person :) I hope he will be able to do something about these fake extensions