Deleted member 65228

Guest
#41
Help me to judge: is this extension legit or fake: RAM light: RAM light
I did some checks for you.

Code:
"permissions": [
    "tabs",
    "system.memory",
    "storage",
    "alarms"
  ]
We can see from the above that it does actually have the potential to access memory information and the such.

Code:
"background": {
    "scripts":["js/background.js"],
    "persistent": true
  }
Now we know that background.js will be executing 24/7 in the background for the extension, so let's take a quick peek.

Code:
function getMemory(callback) {
    // Query Chrome's system.memory API (this is what the "system.memory" permission is for).
    chrome.system.memory.getInfo(function(info) {
        // Convert bytes to GiB (1073741824 = 1024^3) and work out the free percentage.
        var freeGb = (info.availableCapacity / 1073741824).toFixed(1);
        var freePercent = (info.availableCapacity * 100 / info.capacity).toFixed(1);
        var totalGb = (info.capacity / 1073741824).toFixed(1);

        callback(freeGb, freePercent, totalGb);
    });
}
I did go through more within that JavaScript document however I simply do not know enough about how freeing memory the way it is supposed to should be working, but so far it looks genuine. I did although notice something interesting within another JavaScript document belonging to the extension, with the file-name "options.js".

Code:
var _gaq = _gaq || [];
_gaq.push(['_setAccount', _AnalyticsCode]);
_gaq.push(['_trackPageview']);
(function() {
  var ga = document.createElement('script');
  ga.type = 'text/javascript';
  ga.async = true;
  ga.src = 'https://ssl.google-analytics.com/ga.js';
  var s = document.getElementsByTagName('script')[0];
  s.parentNode.insertBefore(ga, s);
})();
I left out the actual analytics ID code for potential security reasons, however it seems that there is tracking potential within the extension related to Google Analytics. Recently, there has been an outbreak of drama surrounding websites and tracking, and news surfacing about good web browser projects such as Brave or updates to Mozilla Firefox to help fight these things by default (Firefox now uses some features from the Tor browser code-base, which was a privacy-intuitive browser connecting through the Tor network based on the Firefox browser (UI and Gecko engine)).

I do not know if the extension can be trusted, although my verdict is clean because it does appear to do genuine things and I cannot see something which is actually malicious (just suspicious to my eye due to lack of understanding). I personally would not trust it though... The author isn't "reputable" in my eyes, so stay cautious and be careful if you decide to go ahead and use it mate.
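An added example for the options.js finding above (this is not code from the post or from the RAM light extension): a small Node.js scan that, given the text of an extension's JavaScript file, lists the external hosts it references and flags the pattern the snippet shows, a `<script>` element created at run time with a remote `src`. The point for a reviewer is that a remotely loaded script can change what the extension does without a new store upload, so its host belongs on the list of things to justify. The sample input is constructed from the snippet with a placeholder in place of the analytics ID; `findRemoteUrls`, `injectsRemoteScript` and `reportFile` are names chosen for this example.

```javascript
// Added example (not from the thread or the extension): static scan of an
// extension's JavaScript for run-time injection of remote <script> tags and
// for the external hosts it references. Node.js, no dependencies.

// Constructed sample modelled on the options.js snippet in the post; the
// analytics account ID is a placeholder, not the extension's real value.
const SAMPLE_OPTIONS_JS = `
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-PLACEHOLDER-1']);
_gaq.push(['_trackPageview']);
(function() {
  var ga = document.createElement('script');
  ga.type = 'text/javascript';
  ga.async = true;
  ga.src = 'https://ssl.google-analytics.com/ga.js';
  var s = document.getElementsByTagName('script')[0];
  s.parentNode.insertBefore(ga, s);
})();
`;

// Every absolute http(s) URL that appears as a string literal in the source.
function findRemoteUrls(source) {
  const re = /['"`](https?:\/\/[^'"`\s]+)['"`]/g;
  const urls = [];
  let m;
  while ((m = re.exec(source)) !== null) urls.push(m[1]);
  return urls;
}

// Heuristic for the pattern above: a <script> element is created and its
// src is pointed at a remote origin. Obfuscated code can evade this, so it is
// a triage signal for a manual read, not proof either way.
function injectsRemoteScript(source) {
  const createsScript = /createElement\(\s*['"]script['"]\s*\)/.test(source);
  const setsRemoteSrc = /\.src\s*=\s*['"`]https?:\/\//.test(source);
  return createsScript && setsRemoteSrc;
}

// Summarise one file: the distinct external hosts plus the findings a
// reviewer would want to see before deciding whether to trust the extension.
function reportFile(fileName, source) {
  const hosts = [...new Set(findRemoteUrls(source).map(u => new URL(u).hostname))];
  const findings = [];
  if (injectsRemoteScript(source)) {
    findings.push('loads a remote script at run time (behaviour can change without a store update)');
  }
  if (hosts.some(h => h.endsWith('google-analytics.com'))) {
    findings.push('reports usage to Google Analytics');
  }
  return { file: fileName, hosts, findings };
}

console.log(JSON.stringify(reportFile('options.js', SAMPLE_OPTIONS_JS), null, 2));
```

Run it over each file listed in the manifest (background scripts, content scripts, option and popup pages) and compare the host list against what the store description admits to; whether the manifest's content_security_policy even permits the remote load is a separate check.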
 

upnorth

Level 25
Content Creator
Verified
Joined
Jul 27, 2015
Messages
1,497
#42
Made by a possible new independent developer and they all must start somewhere of course but he/she needs to learn something from it...hopefully! Not even a homepage of any kind to point the more curious users/guests to is not gonna cut it and is a big No No IMO as it shows this developer isn't serious and interested in any genuine feedback etc. Sure anybody can use the support tab in the webstore but that ain't enough IMO and especially when you're new in the field and want to try to show yourself and what you actually can do. You can code a software/extension/app but you can't even create a plain/simple homepage of any sort not even on a common blog...ok sure. Also the contact email address itself could instead have been something like " RAMLight at gmail.com " if available of course or something similar at least but the developer clearly made the choice to use " hktr992 ".



Personal...wouldn't even take the time to try it. Thanks Prorootect for the share and thanks Opcode for the deeper test! (y)
 

Prorootect

Level 53
Verified
Joined
Nov 5, 2011
Messages
4,225
#43
[quoting post #41 by Deleted member 65228 in full]
I'm very impressed by the quality of your test, thank you Opcode!
It's tempting for me, this extension, but for now I want to stay cautious and not download it, also considering your comment at the end... thank you very much!
Very advanced for me your screenshots, could you tell me, how I could do the same, is there an extension maybe to deconstruct javascript in software or extensions ...?
- or online tool?

- I'm interested to lower the CPU heating, cause green 'onlineMarker pulse' periodic pulsations from 'Tooltip onlineMarker' on avatars, use MalwareTips 6102 style. - so to stop .gif periodic animations.
 

Deleted member 65228

#44
how I could do the same, is there an extension maybe to deconstruct javascript in software or extensions ...?
Q&A - chrome extensions are really tested and secure? like kaspersky privacy guard and avira protector ?

There are however extensions available which can be used to view the source code of other extensions, instead of unpacking the CRX and analysing it through that. I've never used such extensions though therefore I am not sure which one would be best for this. You'll also need to study HTML, JSON and JavaScript.

About the CPU thing, I cannot comment on that at all. I did see your post about the forum avatar in the questions area this morning but didn't reply because I don't understand properly, I don't know about that topic with specific avatars/colours causing CPU load... But I hope you manage to solve your problem mate.
 

Prorootect
#45
[quoting post #44 by Deleted member 65228]
Opcode, all avatars of people logged in MalwareTips website have a green dot on avatars, that marks their logging on the website, which pulsates every 2 seconds for those members, who have chosen this precedent style/theme for MalwareTips pages (Style Chooser is at the bottom of the page, left)....but you know this, of course.

_____________
Thanks for your link, I didn't fully read this thread...

On Chrome Web Store, I found eg. <view source> : <view-source>
- and Feditor: Feditor - by this same developer
- but it would take for me to be the connoisseur, so I give up that idea.
 
Likes: upnorth

Prorootect
#46
[quoting post #42 by upnorth]
Upnorth, Thank you for this lively and detailed criticism of the behavior of some developers, I fully agree.
I appreciate the very telling photo.
- haha sorry for my English problems!
 
Likes: upnorth
Joined
Nov 11, 2017
Messages
58
#47
[quoting post #43 by Prorootect]
You can also examine almost any extension on this website without having to install or even download anything. Unfortunately the last update was on October 30.

TBF to this extension itself, it looks pretty harmless even though for the wrong reasons, just calculating the amount of free and used memory instead of magically "freeing" memory (basically using "free" as an adjective rather than a verb).
 
Likes: Prorootect

Prorootect
#48
[quoting post #47]
Thank you Tsiehshi for your link and explanations!
- How do you examine the extensions, please?
- from right click/'Inspect popup' of extensions with Developer tools (Chrome) is not sufficient?
 
Joined
Nov 11, 2017
Messages
58
#49
Thank you Tsiehshi for your link and explanations!
- How do you examine the extensions, please?
You find the extension and open the "view source" link for the latest version. In the new page, all its files will be listed in the sidebar on the left. You can click on any file on the list to view it. However, despite the site's usefulness, there's no search function helping find a particular extension. You can still work around it though:

- Just do your search on Chrome Webstore and find the extension. Notice the ID (that long part made up of only letters after the last slash mark in the URL).
- Then go to crx.dam.io/ext/[ID].html, which is the extension's page.
- Click on the "view source" link for the latest version.

Now you can study the extension. Preferably start from manifest.json as it's the most critical file in the extension, and some of the permissions and overrides specified in it can be a blatant red flag. For example, Panda Safe Web has these permissions:

Code:
    "permissions": [
        "chrome://favicon/",
        "webNavigation",
        "storage",
        "cookies",
        "http://*/*",
        "https://*/*",
        "tabs",
        "webRequest",
        "webRequestBlocking",
        "unlimitedStorage"
    ],
It can check and modify your tabs, browsing, web requests, cookies and store data. That's a lot, but it's not necessarily harmful or even superfluous. It depends on how these permissions are used. That said, there's no reason why it should need to change the default favicon other than pointless eyecandy.

Worse, it overrides a few default browser settings, acting not unlike a browser hijacker:

Code:
    "chrome_settings_overrides": {
        "search_provider": {
            "name": "Panda Safe Web",
            "keyword": "safeWeb",
            "favicon_url": "https://pandasecurity.mystart.com/panda.ico",
            "encoding": "UTF-8",
            "is_default": true,
            "search_url": "https://pandasecurity.mystart.com/results.php?pr=vmn&id=pandasafeweb&v=1_0_chromeextension_unknown__&searchfeed=web&hsimp=yhs-panda1&ent=ch_ss&q={searchTerms}"
        }
    },
It changes your default home page to hxxps://pandasecurity.mystart.com, which uses Yahoo's search engine.

- from right click/'Inspect popup' of extensions with Developer tools (Chrome) is not sufficient?
It's not, because extensions can work even without an HTML page and scripts can run independently from it even if there's one.
 

Prorootect
#50
Thank you very much Tsiehshi for your wonderful professional posting - never seen quality of detailed explanations! (Post #49)
- for now I don't have the opportunity to answer you in more details, but I want to post for you later on, sorry....

What you think about this Chrome extension: Chrome extension source viewer: Chrome extension source viewer

.. and CRX Inspector: CRX Inspector
CRX Inspector lets you view the files inside Chrome extensions, apps and themes. With it, developers can easily search through an extension's source code to see how an interesting feature was implemented, and security-conscious users can check extensions for malicious code before installing them.
Very promising, I think. 5,075 users
... and what happens with this ContentBlockHelper latest version?
See you later!
 
Joined
Nov 11, 2017
Messages
58
#51
Both inspectors are fine, and even have their own github page, but the latter is a lot more stripped-down (it doesn't work on Firefox add-ons though unlike the former).

As for ContentBlockHelper, that error doesn't occur while you're actually browsing the web, so nothing to worry about.
 
Likes: Prorootect

Prorootect
#52
[quoting post #51]
-I've posted new topic about source viewers: Add-on - Extension source viewer/inspector

- then I've responded to you in the Add-on - ContentBlockHelper stopped working! thread.

Thank you Tsiehshi!
 
Joined
Nov 11, 2017
Messages
58
#53
Fake Facebook ColorZilla

[expletive deleted] is this permissions section?!:
Code:
    "permissions": [
        "clipboardRead",
        "clipboardWrite",
        "browser",
        "alarms",
        "contextMenus",
        "storage",
        "notifications",
        "syncFileSystem",
        "app.window.fullscreen.overrideEsc",
        {
            "fileSystem": [
                "write",
                "retainEntries",
                "directory"
            ]
        }
    ],
Meaning it can potentially read and modify your clipboard, store and sync data, lock your browser in full-screen mode AND control your local files. I wrote "potentially", because fortunately it actually doesn't do any of it (but still makes your browser more exploitable). For the ability to change the color of HTML elements, there must be some kind of an element reference (getElementsBy/getElementBy/querySelector/CSS or jquery selectors etc.) inside a piece of code using a browser tab, but there's none. It doesn't even interact with cookies, pages and tabs apart from opening a tab when it's installed, uninstalled and every 3 hours regardless. Fake Facebook Unseen and Q-dir have pretty much the same source code apart from some cosmetic changes, so they don't work either.
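An added example that automates the manifest reading done by hand in post #49 (the Panda Safe Web permissions and chrome_settings_overrides) and in the post above (the permissions list with an object entry for fileSystem). It is not code from the thread or from any of the extensions discussed. The Node.js function flattens the permissions array (string entries and object entries alike), ranks each entry, flags broad host patterns such as http://*/*, a persistent background page, and any search/homepage/startup override, and returns a summary a reviewer can sort by severity. The manifest embedded below is constructed for the example and mixes features from the thread's snippets; the risk tiers, `triageManifest` and `riskSummary` are this example's own choices, not a Chrome-defined scale.

```javascript
// Added example (not from the thread or any extension it discusses): triage
// of a Chrome extension manifest.json. Node.js, no dependencies.

// Constructed sample manifest combining patterns seen in the thread.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "Example Extension (constructed)",
  version: "1.0",
  permissions: [
    "tabs", "storage", "cookies", "webRequest", "webRequestBlocking",
    "http://*/*", "https://*/*", "clipboardRead",
    { fileSystem: ["write", "retainEntries", "directory"] }   // object entry
  ],
  background: { scripts: ["js/background.js"], persistent: true },
  chrome_settings_overrides: {
    search_provider: {
      name: "Example Search", keyword: "ex", is_default: true,
      search_url: "https://search.example.invalid/?q={searchTerms}"
    }
  }
};

// Tiers chosen for this example: APIs that read or alter traffic, cookies,
// the clipboard or local files are "high"; the rest of the thread's
// permissions are worth a justification but not alarming on their own.
const HIGH_RISK = new Set([
  "webRequest", "webRequestBlocking", "cookies", "clipboardRead", "clipboardWrite",
  "fileSystem", "syncFileSystem", "nativeMessaging", "debugger", "proxy",
  "history", "management"
]);
const MEDIUM_RISK = new Set([
  "tabs", "webNavigation", "storage", "unlimitedStorage", "system.memory",
  "alarms", "notifications", "contextMenus"
]);

// Host permissions look like URL match patterns rather than API names.
function isHostPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|file|ftp):\/\//.test(p);
}

// Permissions may be strings or objects such as {"fileSystem": [...]};
// normalise both to {name, detail}.
function flattenPermissions(perms) {
  const out = [];
  for (const p of perms || []) {
    if (typeof p === "string") out.push({ name: p, detail: null });
    else if (p && typeof p === "object") {
      for (const [k, v] of Object.entries(p)) out.push({ name: k, detail: v });
    }
  }
  return out;
}

function triageManifest(manifest) {
  const findings = [];
  for (const { name, detail } of flattenPermissions(manifest.permissions)) {
    if (isHostPattern(name)) {
      const broad = name === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(name);
      findings.push({ level: broad ? "high" : "medium", item: name,
                      why: broad ? "access to every site" : "host access" });
    } else if (HIGH_RISK.has(name)) {
      findings.push({ level: "high", item: name,
                      why: detail ? "sensitive API with options " + JSON.stringify(detail) : "sensitive API" });
    } else if (MEDIUM_RISK.has(name)) {
      findings.push({ level: "medium", item: name, why: "API worth justifying" });
    } else {
      findings.push({ level: "info", item: name, why: "not in the tier lists, review manually" });
    }
  }
  const bg = manifest.background;
  if (bg && bg.persistent === true) {
    findings.push({ level: "medium", item: "background.persistent",
                    why: "background page runs continuously: " + (bg.scripts || []).join(", ") });
  }
  const ov = manifest.chrome_settings_overrides || {};
  for (const key of ["search_provider", "homepage", "startup_pages"]) {
    if (ov[key] !== undefined) {
      findings.push({ level: "high", item: "chrome_settings_overrides." + key,
                      why: "changes a browser default, the behaviour of a hijacker" });
    }
  }
  return findings;
}

// Counts per tier plus the detailed list, for a quick read before installing.
function riskSummary(manifest) {
  const findings = triageManifest(manifest);
  const count = (lvl) => findings.filter(f => f.level === lvl).length;
  return { high: count("high"), medium: count("medium"), info: count("info"), findings };
}

console.log(JSON.stringify(riskSummary(SAMPLE_MANIFEST), null, 2));
```

A high count is a reason to read the scripts, not a verdict: as post #49 notes, webRequest plus broad host access may be exactly what a filtering extension needs, whereas a search_provider override in a "colour picker" has no honest explanation.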
 
Likes: mlnevese

Prorootect
#54
[quoting post #53, an earlier revision of it]
Yes, these three very horrific Apps (Productivity section...) "offered by PHEO LANG" on the Chrome store - found if you search on the store for the words "pheo lang":
Facebook Unseen: Updated: November 8, 2017 Size: 12.04KiB, 300 users;
Facebook ColorZilla: Updated: November 8, 2017 Size: 17.89KiB, 104 users;
and Q-dir: Updated: November 14, 2017 Size: 18.77KiB, 9 users - this last one has a fun English description, too:

"Q-dir manage files and folders
Q-dir portable or the board can function as a windowed interface allows you to manage files and folders on your computer with four. ..." etc etc

So PHEO LANG loves to manage the files and folders of incautious, unsuspecting, unwary users, visibly...
- thank you Tsiehshi for your interesting comment, we await your comments about these two other specialities from PHEO LANG [expletive deleted];) cookery!
 

Prorootect
#55
Warning! Fake IMacros Apps On Chrome Web Store
- on blog.ipswitch.com: Warning! Fake iMacros Apps On Chrome Web Store
- by Greg Mooney November 9, 2017

"Warning! It has recently come to our attention that there are a couple of fake apps spoofing our browser automation tool, iMacros on the Chrome Web Store.

At Ipswitch, we talk a lot about information security. If you are a frequent visitor to theDefrag This blog, then you know we are all about sharing the latest cybercriminal tactics. Our mission on the Defrag This blog is to provide IT professionals with tips to make your job easier and keep you informed on the latest information security trends and issues. That’s why it is critical to bring to your attention that iMacros, an Ipswitch product, is being spoofed on the Chrome Web Store.

If you have recently downloaded iMacros on the Chrome Web Store, you may be affected. In any event, be wary of anything you download on app stores, since this is becoming a huge vector of attack for hackers.

Lately, hackers have been targeting Google’s app stores, including the Android Store and Chrome Web Store, creating fake versions of popular apps. Just recently, it came to light that over a million users had downloaded a fake version of WhatsApp. These fake apps install malware on your devices with adverse effects that range from annoying adware to creating backdoors into your devices.

It just so happens that we recently discovered that an Ipswitch application, iMacros, has been spoofed as well on the Chrome Store. We first noticed an issue on October 25th, when one of our employees saw an app named “iMacros – Browser Automation” by keyholesurgeryknickerbockers.xyz. It seems that this was first updated on October 24th and may be the first time it appeared.

We immediately reported the issue as abuse to Google and stated that we (Ipswitch) were the real developers of iMacros and the other app is a fake and probably being used as a form of malware. We reported the issue a couple times from multiple accounts to Google, but Google has yet to remove the fake app.

Another app called iMacros for Chrome appeared on November 1st. We just noticed this fake app this week. We have already gone ahead and reported the issue to Google, but it seems that Google will be slow to respond since they still have not responded to the first fake app we discovered a couple weeks ago.

You can see what to watch out for in the screenshot below.



As we are getting used to phishing attempts via emails, it is now necessary to always check that the apps we download are the real developer. The developer name is a big indicator whenever an app is being spoofed. If you aren’t sure who the developer is of an app is, you should do a little research online to see if that is the correct app that you want to install...."

...read more...

- but Today, some of these iMacros extensions no longer exist on Chrome Web Store, hopefully for iMacros browser automation tool.
Found always one FAKE, like from the screenshot above: iMacros Hanzify for Chrome, offered by sites.google.com, Updated: October 30, 2015, 330 users...
1 chinese comment: "I can't get started."


And no more Apps link on Chrome Web Store: Extensions and Themes links only.

 

upnorth
#56
Why do they point their homepage to .net on the Google store when they clearly have .com? I'm fully aware that developers/vendors can use several domains/subdomains but IMO this confuses as they also use different favicons. Perhaps one part of the whole issue?
 

Prorootect
#57
[quoting post #56 by upnorth]
Sure.
Look on the result of clicking imacros.com:
"Secure Connection Failed
The connection to the server was reset while the page was loading.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem."
 
Likes: upnorth

Prorootect
#58
Browser hijackers post

Motto:

Remove Search.myway.com redirect from Web Browser (Help Guide): on malwaretips.com: Remove Search.myway.com redirect from Web Browser (Help Guide)

...We are entering the uncertain, muddy terrain, swamps of Chrome Web Store...


Very bad myway.com search redirect on Chrome Web Store (beware!): if we search for "myway.com": Chrome Web Store
- then we find many extensions with myway.com hijacker. Easy, Google.

"Browsing Guard"
:
Version: 1.0.0
Updated: December 12, 2017
Size: 76.34KiB
"Do you know the feeling of somebody constant watching you?...
That's why we created "Browsing Guard"...
Easy to use private search by typing 'p' + 'Tab" on your chrome search box..."

... then many other suspicious extensions like these: "Identity Guard Safe Browsing", "Pop Guard, Complete Browser Protection !!", "Browser Guard", "Security Guard", "ChromeGuard", "AppGuard", "Fake News Guard", ...etc etc

Eg. search on the Store for: "Easy to use private search": Chrome Web Store
- so you have MANY suspicious extensions...
________________________________


Here you have the Results of Chrome Web Store search for: "The application communicates with our servers to deliver its functionality and record usage metrics.":

"EasyPDFCombine":
Version: 13.321.12.16045
Updated: November 7, 2017
Size: 48.28KiB
9,263,438 users
"This extension configures your New Tab page to EasyPDFCombine...
The EasyPDFCombine extension offers convenient web search, homepage and default search....
The application communicates with our servers to deliver its functionality and record usage metrics..."

"FromDocToPDF":
Version: 13.321.12.16049
Updated: November 7, 2017
Size: 52.08KiB
10,000,000+ users
"This extension configures your New Tab page to FromDocToPDF...
The FromDocToPDF extension offers convenient web search and features from the Chrome New Tab page...
The application communicates with our servers to deliver its functionality and record usage metrics...."

"MyFunCards":
Version: 13.321.12.21058
Updated: November 10, 2017
Size: 49.44KiB
859,236 users
"This extension configures your New Tab page to MyFunCards...
The MyFunCards extension offers convenient web search and features from the Chrome New Tab page...
The application communicates with our servers to deliver its functionality and record usage metrics..."

"iSearch Tab":
Version: 1.0.0
Updated: November 16, 2016
Size: 244KiB
"This extension configures your New Tab page to iSearch Tab...
Reset your New Tab Page to iSearch Tab
Override the new tab page with iSearch Tab and begin searching from your new tab page...
The application communicates with our servers to deliver its functionality and record usage metrics..."


etc etc etc ...many many more... link to all these creepy scummy companions, to be found by you (and store developers to stop these): search on the Store for "The application communicates with our servers to deliver its functionality and record usage metrics": Chrome Web Store
- why Google why
- money
- we all see this greed
so you have 100, or 200, or more malicious extensions, I didn't count them, a lot, very huge number...

Another very populated results you have, if you search on the Store for: "offers convenient web search": Chrome Web Store
- so you have another 100, or 200, or more malicious extensions, I didn't count them, a lot, very huge number, many extensions...

- very easy to search, so why Google, why
- money
- but we all see this greed, and we are not secure with your Store ....
 

Prorootect
#59
On Chrome Web Store, you have an "infinite" number of shady weird extensions, if you type in the search box:
"Search and access popular"
and too:
"This extension configures your New Tab page to"
and too:
"Get fast, one-click access to"

- well it's good for now, a lot of work for google employees already... in this way I contribute to give the reason for your employer to pay you at the end of the month...:sneaky:
 

Prorootect
#60
Other sentences to search (with quotation marks, like these from above) on Chrome Web Store, and by Google search engine too:
"Save time and effort with added convenience. The"

241 results on Google...

"instantly from your home and new tab page!"

1080 results on Google...


Example of hybrid-analysis.com/sample, found on Google with the latest sentence: Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'YourPackagesNow.exe'
- Malicious - Threat Score: 100/100 - Av multiscan: 55%
 