Rogue Chrome extension?

Hey,

Well I have been home for christmas vacation and don't have much to do but write code and perform security audits on my network.

I just caught Chrome on a Windows box connecting to google and downloading an extension... all by itself.

Interesting enough... Chrome auto-downloaded this:

-dl.google.com/dl/edgedl/chrome/components/recovery/recovery/win/10.3.200.202/install.crx

You can download and rename it with a .zip extension and extract the contents...

Thats when it got interesting... a 64 bit binary... original filename calc.exe but perhaps a little extra?

Well, I'll be inside Hex-Rays for the next hour or so, I'll check back here later.

Have Fun!

Best Wishes,
-MessageBoxA

 

I can't check right now but is it possible that it's simply Chrome autoupdating an extension?

 

Hey,

Sorry... I forgot about this thread. Anthony Laforge; the Program Manager over the Chrome project said it was an accidental test extension that was in-fact distributing the Microsoft 64 bit CALC.EXE application disguised as a valid Chrome 'Recovery' default extension. Apparently the some developers forgot to disable that test extension.

I just happened to be performing a network security audit here in the lab at the right time... was extremely surprised when I saw that Microsoft calc.exe was being downloaded from Google servers... It was a true WTF moment...

Best Wishes,
-MessageBoxA

 

Very strange. A bit disconcerting.

Thanks for the update.