Rogue Chrome extension?

Discussion in 'other security issues & news' started by MessageBoxA, Dec 21, 2011.

Thread Status:
Not open for further replies.
  1. MessageBoxA

    MessageBoxA Registered Member

    Joined:
    Jun 20, 2011
    Posts:
    53
    Hey,

    Well, I have been home for Christmas vacation and don't have much to do but write code and perform security audits on my network.

    I just caught Chrome on a Windows box connecting to google and downloading an extension... all by itself.

    Interesting enough... Chrome auto-downloaded this:

    -dl.google.com/dl/edgedl/chrome/components/recovery/recovery/win/10.3.200.202/install.crx

    You can download and rename it with a .zip extension and extract the contents...

    That's when it got interesting... a 64-bit binary... original filename calc.exe, but perhaps a little extra?

    Well, I'll be inside Hex-Rays for the next hour or so, I'll check back here later.

    Have Fun!

    Best Wishes,
    -MessageBoxA
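    The post above relies on the fact that a .crx is a ZIP archive with a signed header in front of it. As an added example (not code from the thread or from Google), here is a small Python script that parses the CRX2/CRX3 header, opens the embedded ZIP, and flags any member that starts with a PE "MZ" stub, which is exactly the kind of check that would have caught a native executable riding inside an extension. The sample CRX it builds is constructed for the demo; the key, signature and file contents are placeholders.

```python
import io
import struct
import zipfile

CRX_MAGIC = b"Cr24"

def crx_payload(data: bytes) -> bytes:
    """Return the ZIP archive embedded in a CRX2 or CRX3 container."""
    if data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file (bad magic)")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 2:   # magic, version, key_len, sig_len, key, sig, zip
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        start = 16 + key_len + sig_len
    elif version == 3:  # magic, version, header_len, protobuf header, zip
        start = 12 + struct.unpack_from("<I", data, 8)[0]
    else:
        raise ValueError(f"unsupported CRX version {version}")
    if start > len(data):
        raise ValueError("truncated CRX header")
    return data[start:]

def find_native_binaries(data: bytes) -> list:
    """Names of archive members that start with the PE 'MZ' stub (Windows executables)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(crx_payload(data))) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        hits.append(info.filename)
    return hits

def build_sample_crx() -> bytes:
    """Constructed CRX2 sample, not the file from the thread: a manifest plus a fake PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "recovery", "version": "10.3.200.202"}')
        zf.writestr("calc.exe", b"MZ" + b"\x00" * 62)  # fake DOS stub, no real code
        zf.writestr("script.js", "console.log('hi');")
    fake_key, fake_sig = b"K" * 16, b"S" * 32        # placeholder key and signature
    header = CRX_MAGIC + struct.pack("<III", 2, len(fake_key), len(fake_sig))
    return header + fake_key + fake_sig + buf.getvalue()

if __name__ == "__main__":
    print(find_native_binaries(build_sample_crx()))  # ['calc.exe']
```

Pointed at a real .crx on disk, `find_native_binaries(open(path, "rb").read())` returns the names of any PE files it carries; an empty list for a normal extension is the expected result.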
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I can't check right now but is it possible that it's simply Chrome autoupdating an extension?
     
  3. MessageBoxA

    MessageBoxA Registered Member

    Joined:
    Jun 20, 2011
    Posts:
    53
    Hey,

    Sorry... I forgot about this thread. Anthony Laforge, the Program Manager over the Chrome project, said it was an accidental test extension that was in fact distributing the Microsoft 64-bit CALC.EXE application disguised as a valid Chrome 'Recovery' default extension. Apparently some developers forgot to disable that test extension.

    I just happened to be performing a network security audit here in the lab at the right time... was extremely surprised when I saw that Microsoft calc.exe was being downloaded from Google servers... It was a true WTF moment...

    Best Wishes,
    -MessageBoxA
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Very strange. A bit disconcerting.

    Thanks for the update.
     