The code is calling out to a malicous URL for a script, downloading it, and executing the script. The malicious script from the URL is mirrored here: https://archive.is/TxFWj
Nobody has figured out exactly what it's doing quite yet, but you can paste that code into a Javascript deobfuscator and try to figure it out yourself: https://lelinhtinh.github.io/de4js/
Based off of reading the code for 5 minutes with my very poor javascript skills, it's modifying your searches via Google / Bing and redirecting you to a practically unknown search engine called "Blacksearch". Very suspicious. I found a reddit thread with others complaining about this search engine, https://old.reddit.com/r/edge/comments/kzwb6q/redirecting_to...
Seems like weird malware. It’s not exactly subtle if the first time I Google something after installing it, I get redirected to not-Google.
I could see this working on Karen who downloaded a coupon extension. But surely the type of person who installs an extension to force old.reddit.com will realize what’s happening almost immediately.
What is the point of malware if it can be caught so easily? This makes me wonder if maybe the dev didn’t do it on purpose. Maybe they sold it to an unscrupulous (and dumb) company, or maybe their build process is somehow infected.
That makes sense and also explains why that Reddit thread had users describing multiple extensions as the source of the same problem.
So the root issue here is effectively extension squatting on the Edge store. The attacker can simply scrape the most popular extensions in Chrome, inject malware into them, and publish them on the Edge store under the same name.
If that’s what’s happening, there is probably substantial effort behind sockpuppet publishers so that one ban won’t ban them all. But then again it also looks like an amateur operation if every extension is footprinting itself by using the same domain for the malicious redirect.
Hopefully Microsoft can clean this up with some one-off code scans for the signatures of this malware. Ban all the publishers and delete the extensions. Then, hold those names in reserve unless the creator can prove they own the same name at the Chrome store.
Long term, the ideal system might involve a verification step at registration time if the publisher name or extension name exists in the Chrome store. I think npm has been working on features in this area, as they are vulnerable to similar namesquatting vectors of malware distribution.
I can't edit the original comment anymore, I posted it in a rush and didn't have time to check the script contents. The loaded script also loads a script called "firebase.js" from this URL: https://1658209995.rsc.cdn77.org/firebase.js (archive: https://archive.is/gdij8). That script is obviously not the actual Firebase, you can paste it in a deobfuscator and see what it does, it has some funny things such as a postMessage called "GimmeResults."
Ah, browser extensions, the new "Download a random executable that can access your data (because your data is now all online), with auto-update and antiviruses don't care about them. But don't worry, Google vets them!".
When will Norton (snort) make "Norton Anti Malware" to "protect" your browser against bad extensions?
I think it's just a matter of time until an extension steals a lot of people's data or money...
It’s easy to say that. But be careful what you wish for. Do we need another locked down sandbox?
I think Google would like to take Apple’s curated approach to the Play/Extension Stores. But they don’t have the political capital to do it. As an advertising company, any restrictions they add will appear malicious to many.
All that said... this thread is about Microsoft, where for enterprise clients, telemetry and restrictions are a feature, not a bug. So I would expect some movement by Microsoft to add more security to their store. It could be something as simple as a label “Reviewed by Microsoft” for vetted extensions. But that’s a dangerous game as long as the browser sandbox is widely defined. Malicious apps could sneak through review and then Microsoft would look bad. Whereas Apple has an actual OS level sandbox with restrictions mostly matching their policies.
There isn’t really an easy answer to this problem unless you want to sacrifice control of your browser, in exchange for increased security controls that might not even apply to you. It’s not a new tradeoff by any means.
20 comments
[ 2.2 ms ] story [ 55.6 ms ] threadThe URL used in the XHR points to this (accessing directly only shows a '0' but with archive.is you get that JavaScript): https://archive.is/TxFWj
Here's the full source code:
And the manifest:Clever. Probably avoids naive forms of static analysis that would catch more obvious ways of eval'ing code.
Nobody has figured out exactly what it's doing quite yet, but you can paste that code into a Javascript deobfuscator and try to figure it out yourself: https://lelinhtinh.github.io/de4js/
Based off of reading the code for 5 minutes with my very poor javascript skills, it's modifying your searches via Google / Bing and redirecting you to a practically unknown search engine called "Blacksearch". Very suspicious. I found a reddit thread with others complaining about this search engine, https://old.reddit.com/r/edge/comments/kzwb6q/redirecting_to...
I could see this working on Karen who downloaded a coupon extension. But surely the type of person who installs an extension to force old.reddit.com will realize what’s happening almost immediately.
What is the point of malware if it can be caught so easily? This makes me wonder if maybe the dev didn’t do it on purpose. Maybe they sold it to an unscrupulous (and dumb) company, or maybe their build process is somehow infected.
I doubt this since the code is stolen from this Firefox and Chrome extension https://github.com/tom-james-watson/old-reddit-redirect but there's no acknowledgement of Edge in that GitHub project.
So the root issue here is effectively extension squatting on the Edge store. The attacker can simply scrape the most popular extensions in Chrome, inject malware into them, and publish them on the Edge store under the same name.
If that’s what’s happening, there is probably substantial effort behind sockpuppet publishers so that one ban won’t ban them all. But then again it also looks like an amateur operation if every extension is footprinting itself by using the same domain for the malicious redirect.
Hopefully Microsoft can clean this up with some one-off code scans for the signatures of this malware. Ban all the publishers and delete the extensions. Then, hold those names in reserve unless the creator can prove they own the same name at the Chrome store.
Long term, the ideal system might involve a verification step at registration time if the publisher name or extension name exists in the Chrome store. I think npm has been working on features in this area, as they are vulnerable to similar namesquatting vectors of malware distribution.
How did you get from the XHR to that script inside that archive?
Since opening that URL directly in the browser didn't work I tried archiving it and it worked. Then I shared the archive link here.
It seems that they implemented some poorly done access control that is letting archive.is see the contents but not web browsers when visited directly.
edit: just checked and the Chrome version doesn't seem to be affected.
When will Norton (snort) make "Norton Anti Malware" to "protect" your browser against bad extensions?
I think it's just a matter of time until an extension steals a lot of people's data or money...
I think Google would like to take Apple’s curated approach to the Play/Extension Stores. But they don’t have the political capital to do it. As an advertising company, any restrictions they add will appear malicious to many.
All that said... this thread is about Microsoft, where for enterprise clients, telemetry and restrictions are a feature, not a bug. So I would expect some movement by Microsoft to add more security to their store. It could be something as simple as a label “Reviewed by Microsoft” for vetted extensions. But that’s a dangerous game as long as the browser sandbox is widely defined. Malicious apps could sneak through review and then Microsoft would look bad. Whereas Apple has an actual OS level sandbox with restrictions mostly matching their policies.
There isn’t really an easy answer to this problem unless you want to sacrifice control of your browser, in exchange for increased security controls that might not even apply to you. It’s not a new tradeoff by any means.