Gunther
May 18th, 2014, 06:17
Recently, while I was trying to troubleshoot my relative's home network, I happened to notice that their Chrome browser was infected with a PUP/Adware.
PUP stands for Potentially Unwanted Program. The one that I've come across is DIgiCOuppOan.
I suspect that the machine was infected when one of them went to some p0rn sites.
DIgiCOuppOan is classified as potentially unwanted adware. It claims to enhance your web browsing experience and save you time and money by providing discounts and other bonuses and deals, and the program is said to be compatible with the majority of the top online retailers.
The DIgiCOuppOan program displays its ads in a pop-up box containing various ads matched to your queries while you browse online. Currently the DIgiCOuppOan adware displays at least four basic types of advertising, including sponsored links, coupons, video-related ads and banner ads, "pop-unders" or interstitial ads.
Instead of writing about what it is, I'll be doing my own technical tear-down of this PUP/Adware.
I've attached the file here for anyone interested in analysing it themselves.
(Attachment 2926)
The password to the attachment is “infected29A”
[ Sample used in the analysis ]
MD5: 3e77ff05e942fd87964f5588b6274623
SHA1: a2f3a6af0a6f2e757e1e19694c1db614d11b464b
[ How it starts ]
Since it's a Chrome extension adware, let's check the permissions of this adware and further dissect it.
First, let's understand how a Chrome extension works.
A Chrome extension always requires a manifest file, and usually comes with a background page (background.html here) and some JavaScript files, as documented by Google here: https://developer.chrome.com/extensions/overview
The manifest file, called manifest.json, gives information about the extension, such as its most important files and the capabilities that the extension might use.
For this particular adware, the permissions that manifest.json requests are shown below.
{
  "name": "DIgiCOuppOan",
  "version": "5.3",
  "description": "",
  "manifest_version": 2,
  "background": {"page": "background.html"},
  "content_scripts": [
    {
      "all_frames": true,
      "matches": ["http://*/*", "https://*/*"],
      "js": ["content.js"],
      "run_at": "document_end"
    }
  ],
  "permissions": [
    "http://*/*",
    "https://*/*",
    "tabs",
    "cookies",
    "management",
    "notifications",
    "contextMenus",
    "management",
    "storage"
  ]
}
From the above manifest.json and the documentation linked above, we can see that it injects content.js at the end of page load (document_end) into every http and https page the user visits, in all frames.
Once this Chrome extension starts, it loads "background.html".
From "permissions", we can also see the permissions that it requires: access to all http and https hosts, plus tabs, cookies, management (of other extensions), notifications, contextMenus and storage (management is listed twice).
For a better understanding of what each individual permission means, the following is a good reference:
https://developer.chrome.com/extensions/declare_permissions
[ Dissecting Background.html ]
Let's take a look at "background.html": once it's loaded, it starts two other JavaScript files, "L7Y9.js" and "lsdb.js".
(Attachment 2927: screenshot of background.html)
[ Dissecting L7Y9.js ]
Let's take a look at L7Y9.js; we can see that there is a decode function.
Even though at first glance the string looks like it's base64 encoded, in reality it is not: the decoder looks each character up in its own 64-character alphabet (xlat) rather than the standard base64 one.
Now let's write a decode function without running the actual script. Below is a simple decoding script that can be opened in a browser; the decoded result is printed to the console.
<html>
<body>
<script>
// Custom alphabet used by L7Y9.js in place of the standard base64 one
var xlat = "abcdwxyzstuvrqponmijklefghABCDWXYZSTUVMNOPQRIJKLEFGH9876543210+/";
// Turns the raw decoded bytes (held as a binary string) into a UTF-8 string
function _utf8_decode(a) {
for (var b = "", c = 0; c < a.length;)
{
var d = a.charCodeAt(c);
if (128 > d) b += String.fromCharCode(d),
c++;
else if (191 < d && 224 > d) var e = a.charCodeAt(c + 1),
b = b + String.fromCharCode((d & 31) << 6 | e & 63),
c = c + 2;
else var e = a.charCodeAt(c + 1),
f = a.charCodeAt(c + 2),
b = b + String.fromCharCode((d & 15) << 12 | (e & 63) << 6 | f & 63),
c = c + 3
}
return b;
}
// Base64-style decoder that looks characters up in xlat instead of the standard alphabet.
// Anything outside the alphabet (spaces, line breaks, '=' padding) is stripped first,
// so the line-wrapped blob below decodes as one string.
function decode(a) {
for (var a = a.replace(/[^A-Za-z0-9\+\/]/g, ""), b = "", c = 0; c < a.length;)
{
var d = this.xlat.indexOf(a.charAt(c++)),
e = this.xlat.indexOf(a.charAt(c++)),
f = this.xlat.indexOf(a.charAt(c++)),
g = this.xlat.indexOf(a.charAt(c++)),
h = (e & 15) << 4 | f >> 2,
i = (f & 3) << 6 | g,
b = b + String.fromCharCode(d << 2 | e >> 4);
64 != f && 0 < h && (b += String.fromCharCode(h));
64 != g && 0 < i && (b += String.fromCharCode(i))
}
return this._utf8_decode(b);
}
// The encoded string as it appears in L7Y9.js (wrapped here; the decoder drops the whitespace)
var url = decode("Azm9CdOLv6qEWfqPBfbIhePLgS4PBMhLv6q4BMrLo6w0AyhApe0MgUFbhMJqn6Vele0Qgk8NqHa5nU4Jm8DQpyPJm7ZzAylwle0Q D9ZGANqsCMmZm6tUBTVGg7ZnnU8KrzxsCTDEAMw8CMmRiztPAwZdq75ECymdmNxQgkZEAVlsClmRmfxkA9hGANr5CeqOq7ZMCHbE AeZrnHDele0Qh9lGAeZonelKrzxsCUZEhzqzCUZhq6tQDHDFAVVyCkZKmftjAxPOjeCECVqOk9qspkg2Azm9CdOLv7DVDzVLDftM AeFVC6bLDc4TB79LC6VKgG1/Cj8OhVO4B7hSjwxMA98dWlhlB7PZjeC6rdZcjM8zl7O5AM8zAwDOhkmlB7P6iztQC9ZGhyxzCMmKpftTAxbcje5ECkZGq6bQgjlG hyJsCMVOiwr6BTbEhwqyCePZizbQlkZFlyJxClmRmNtQCHZFg7Y6AyhHrzbPAwFdq8hlB7PNmftPAw0bhe5ECkZGizbUC9DGixU6 CMP6q6xQekhFiy4xCVqOeMZqhHbGk7Zjn9Y4mTJODzmEpS1Lh7l9hMVIhe4LDG4TBG4PBc0HWe4TvH0FoeZMeTVLhMtrnehRjkq4 lVlLAMxqhHCEpwtpBkDfATZQBkDOm7ZVmxlLANDsCMPHiztUgkDGhy54CMqOkwtqBTbFizs6CyPZqftUA9ZGAeZsnHDKrzbUn9hF AMxsCyPlizxkA9lFlyJyCMPHpzxTAdDOhNrECyVOjwr6lVlLAMDxCMVOj9xVBTbFiztsCymHm6tsejDGANC6CePhmNxsBUlGk7ZA Aw8NrztjAxqdidVyp7Z9Dza3vG0ShyxIgeFZA7hPBylHvMqLBi0HWe4TvH0FoeZMeTVLhMtrnehRjkq4lVlLAMxqhHCEpwtpBkDf ATZQBkDOm7ZVmxlLANDsCMPHiztUgkDGhy54CMqOkwtqBTbFizs6CyPZqftUA9ZGAeZsnHDKrzbUn9hFAMxsCyPlizxkA9lFlyJy CMPHpzxTAdDOhNrECyVOjwr6lVlLAMDxCMVOj9xVBTbFiztsCymHm6tsejDGANC6CePhmNxsBUlGk7ZAAw8NrztjAxqdidVyp7Z9 Dza3vG0HWe4TANbPvMqLvMVIv6q4BMrLo6w0AyhApe0MgUFbhMJqn6Vele0Qgk8NqHa5nU4Jm8DQpyPJm7ZzAylwle0QD9ZGANqs CMmZm6tUBTVGg7ZnnU8KrzxsCTDEAMw8CMmRiztPAwZdq75ECymdmNxQgkZEAVlsClmRmfxkA9hGANr5CeqOq7ZMCHbEAeZrnHDe le0Qh9lGAeZonelKrzxsCUZEhzqzCUZhq6tQDHDFAVVyCkZKmftjAxPOjeCECVqOk9qspkg2Azm9CdOLv7FPDMlHAe8EBylQB7sK Ae4MBG0HWe4TvH0FoeZMeTVLhMtrnehRjkq4lVlLAMxqhHCEpwtpBkDfATZQBkDOm7ZVmxlLANDsCMPHiztUgkDGhy54CMqOkwtq BTbFizs6CyPZqftUA9ZGAeZsnHDKrzbUn9hFAMxsCyPlizxkA9lFlyJyCMPHpzxTAdDOhNrECyVOjwr6lVlLAMDxCMVOj9xVBTbF iztsCymHm6tsejDGANC6CePhmNxsBUlGk7ZAAw8NrztjAxqdidVyp7Z9Dza3vG0NCM08Czq8CylGC7l9vMVKhM1LC6VKgG1/Cj8OhVO4B7hSjwxMA98dWlhlB7PZjeC6rdZcjM8zl7O5AM8zAwDOhkmlB7P6iztQC9ZGhyxzCMmKpftTAxbcje5ECkZGq6bQgjlG hyJsCMVOiwr6BTbEhwqyCePZizbQlkZFlyJxClmRmNtQCHZFg7Y6AyhHrzbPAwFdq8hlB7PNmftPAw0bhe5ECkZGizbUC9DGixU6 " +
"CMP6q6xQekhFiy4xCVqOeMZqhHbGk7Zjn9Y4mTJODzmEpS1LhMVIhfqLBMFPBMlOhftVvMqLBi0HWe4TvH0FoeZMeTVLhMtrnehR jkq4lVlLAMxqhHCEpwtpBkDfATZQBkDOm7ZVmxlLANDsCMPHiztUgkDGhy54CMqOkwtqBTbFizs6CyPZqftUA9ZGAeZsnHDKrzbU n9hFAMxsCyPlizxkA9lFlyJyCMPHpzxTAdDOhNrECyVOjwr6lVlLAMDxCMVOj9xVBTbFiztsCymHm6tsejDGANC6CePhmNxsBUlG k7ZAAw8NrztjAxqdidVyp7Z9Dza3vG0MAeFVhylHA7hLCNVLDi4TB79LC6VKgG1/Cj8OhVO4B7hSjwxMA98dWlhlB7PZjeC6rdZcjM8zl7O5AM8zAwDOhkmlB7P6iztQC9ZGhyxzCMmKpftTAxbcje5ECkZGq6bQgjlG hyJsCMVOiwr6BTbEhwqyCePZizbQlkZFlyJxClmRmNtQCHZFg7Y6AyhHrzbPAwFdq8hlB7PNmftPAw0bhe5ECkZGizbUC9DGixU6 CMP6q6xQekhFiy4xCVqOeMZqhHbGk7Zjn9Y4mY==");
console.log(url);
</script>
</body>
</html>
After decoding, the decoded message, or rather the URL(s) in this case, are the following (the script prints them as one ';'-separated string; listed one per line here):
h--p://spysimplejob.info/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHq TkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F
h--p://getyourfilespot.com/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHq TkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F
h--p://getfilenow.co.il/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHq TkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F
h--p://bdalalakfiles.com/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHq TkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F
h--p://syncjpi.co.il/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHq TkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F
h--p://livesimplejob.info/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHq TkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F
h--p://groupsuperset.info/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHq TkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F
h--p://filesonlinehere.com/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHq TkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F
h--p://filedeskforyou.com/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHq TkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F
At first glance, these are probably the links that will be injected into the web pages that the user visits.
It also persistently writes data to Local Storage, which matches the "storage" permission it requested in manifest.json.
[ Conclusion ]
While this is not a state-of-the-art piece of Chrome extension malware, it's probably typical of the many PUP/Adware out there.
I hope this is a fairly simple technical tear-down that people can repeat on their own to learn how to analyse Chrome extension PUP/Adware, or even Chrome extension malware.
BR,
[ Gunther ]