Rogue Chrome extension?

Discussion in 'other security issues & news' started by MessageBoxA, Dec 21, 2011.

Thread Status:
Not open for further replies.
  1. MessageBoxA

    MessageBoxA Registered Member

    Joined:
    Jun 20, 2011
    Posts:
    62
    Hey,

    Well I have been home for christmas vacation and don't have much to do but write code and perform security audits on my network.

    I just caught Chrome on a Windows box connecting to google and downloading an extension... all by itself.

    Interestingly enough... Chrome auto-downloaded this:

    -dl.google.com/dl/edgedl/chrome/components/recovery/recovery/win/10.3.200.202/install.crx

    You can download and rename it with a .zip extension and extract the contents...

    That's when it got interesting... a 64-bit binary... original filename calc.exe, but perhaps a little extra?

    Well, I'll be inside Hex-Rays for the next hour or so, I'll check back here later.

    Have Fun!

    Best Wishes,
    -MessageBoxA
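The "rename it to .zip" trick in the post works because a .crx of that era (CRX2) is a small signed header followed by an ordinary zip archive, and zip readers locate the central directory from the end of the file, so the prepended header is tolerated. The following is an added example, not code from the original post or from Google: it parses the CRX2 header (magic "Cr24", version, key and signature lengths, DER public key, signature, zip payload), derives the extension ID Chrome computes from the public key, and then does the check that matters in this thread, namely scanning the payload for Windows PE images and reporting their machine type (0x8664 is x86-64). The sample package, the key bytes and the signature bytes are constructed placeholders; the code does not verify the RSA signature, and it does not touch the dl.google.com file named above.

```python
"""Inspect a CRX2 (Chrome extension package) offline.

Added example, stdlib only. The .crx built here is constructed for the demo;
its "public key" and "signature" are dummy bytes, not a real RSA key pair.
"""
import hashlib
import io
import struct
import zipfile

CRX_MAGIC = b"Cr24"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def build_crx2(zip_payload: bytes, pubkey_der: bytes, signature: bytes) -> bytes:
    """Assemble a CRX2 container: magic, u32 version=2, u32 key len, u32 sig len, key, sig, zip."""
    header = CRX_MAGIC + struct.pack("<III", 2, len(pubkey_der), len(signature))
    return header + pubkey_der + signature + zip_payload


def parse_crx2(blob: bytes) -> dict:
    """Split a CRX2 blob into header fields and the trailing zip payload, with bounds checks."""
    if len(blob) < 16 or blob[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file (bad magic)")
    version, key_len, sig_len = struct.unpack_from("<III", blob, 4)
    if version != 2:
        raise ValueError(f"unsupported CRX version {version}")
    sig_start = 16 + key_len
    zip_start = sig_start + sig_len
    if zip_start > len(blob):
        raise ValueError("header lengths exceed file size")
    return {
        "version": version,
        "pubkey": blob[16:sig_start],
        "signature": blob[sig_start:zip_start],
        "payload": blob[zip_start:],
    }


def extension_id(pubkey_der: bytes) -> str:
    """Chrome's extension ID: first 128 bits of SHA-256(DER public key), hex digits mapped to a-p."""
    digest = hashlib.sha256(pubkey_der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)


def list_payload(data: bytes) -> list:
    """Member names of a zip; also works on a whole .crx, which is the 'rename to .zip' trick."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(zf.namelist())


def pe_machine(data: bytes):
    """Return IMAGE_FILE_HEADER.Machine of a PE image, or None if the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the "PE\0\0" signature
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def native_binaries(payload: bytes) -> dict:
    """Map every zip member that is a PE image to its machine type (e.g. 0x8664 for x86-64)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        for name in zf.namelist():
            machine = pe_machine(zf.read(name))
            if machine is not None:
                found[name] = machine
    return found


def _pe64_stub() -> bytes:
    """Constructed minimal PE64 shell: DOS header whose e_lfanew points at a PE header with Machine=AMD64."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", IMAGE_FILE_MACHINE_AMD64) + b"\x00" * 18


def sample_crx() -> bytes:
    """Constructed .crx: a manifest plus a fake 64-bit 'calc.exe', wrapped with dummy key/signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", '{"name": "recovery", "version": "10.3.200.202"}')
        zf.writestr("calc.exe", _pe64_stub())
    pubkey = bytes(range(64))        # stand-in for a DER SubjectPublicKeyInfo
    signature = bytes(range(64, 128))  # stand-in for the PKCS#1 signature over the zip
    return build_crx2(buf.getvalue(), pubkey, signature)


if __name__ == "__main__":
    crx = sample_crx()
    parsed = parse_crx2(crx)
    print("extension id:", extension_id(parsed["pubkey"]))
    print("members:", list_payload(parsed["payload"]))
    for name, machine in native_binaries(parsed["payload"]).items():
        print(f"PE image {name}: machine=0x{machine:04x}")
```

On a real package, replace sample_crx() with the bytes of the downloaded file; the extension ID printed should match the ID Chrome shows on chrome://extensions, and any member reported by native_binaries is a file that does not belong in a normal extension and deserves the kind of disassembly the post describes. Packages built after 2017 use CRX3, which has a different (protobuf) header, and parse_crx2 rejects them rather than guessing.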
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I can't check right now but is it possible that it's simply Chrome autoupdating an extension?
     
  3. MessageBoxA

    MessageBoxA Registered Member

    Joined:
    Jun 20, 2011
    Posts:
    62
    Hey,

    Sorry... I forgot about this thread. Anthony Laforge, the Program Manager over the Chrome project, said it was an accidental test extension that was in fact distributing the Microsoft 64-bit CALC.EXE application disguised as a valid Chrome 'Recovery' default extension. Apparently some developers forgot to disable that test extension.

    I just happened to be performing a network security audit here in the lab at the right time... was extremely surprised when I saw that Microsoft calc.exe was being downloaded from Google servers... It was a true WTF moment...

    Best Wishes,
    -MessageBoxA
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Very strange. A bit disconcerting.

    Thanks for the update.
     