[WARNING] Chromium Versions Of Nano Adblocker Ends Up Becoming Malware
Posted: Wed Oct 21, 2020 5:50 pm
Zirconium Hacker Smack-Fu Master,
I was affected by this because I used Nano Defender to supplement uBlock Origin. It was completely unexpected that this open source extension would suddenly change hands, with no warning aside from some information on GitHub that I didn't read until it was too late.
There is nothing I could have done... and now I have an Instagram account filled with likes that aren't mine. I'm glad that's all, I guess - they could have done much worse.
Chromium Versions Of Nano Adblocker Ends Up Becoming Malware
Regardless of what you use to browse the internet on your PC, chances are you have an adblocker installed. But if you’re using Nano Adblocker and Nano Defender on a Chromium-based browser, then you should uninstall them as soon as you can. These two, frequently used together, have recently turned into a form of malware.
Ars Technica reports that the original developer for both extensions quite recently sold off the rights to both. The new developers have since rolled out updates that added malicious code. The discovery was made by the maker of another extension, uBlock Origin, on which the Nano Adblocker is based.
With the new malicious code, browsers infected by Nano Adblocker and Nano Defender are giving likes to large numbers of Instagram posts without user input. The infected browsers were also accessing other user accounts that weren’t already open in the browser. They are believed to be doing this by uploading authentication cookies and using them to gain access to user accounts.
Google has since removed them from the Chrome Web Store. You should do the same from your browser too. Oddly enough, both extensions are also available for Mozilla Firefox and Microsoft Edge, but the versions for these browsers are unaffected, unless you’re using Edge and installed them from the Chrome Web Store. To be safe, you should at least log out of all websites on your browser. You may also want to consider changing your passwords too.
https://arstechnica.com/information-tec ... -accounts/
Many Nano extension users in this forum reported that their infected browsers were also accessing user accounts that weren’t already open in their browsers. This has led to speculation that the updated extensions are accessing authentication cookies and using them to gain access to the user accounts. Hill said he reviewed some of the added code and found that it was uploading data.
“Since the added code was able to collect request headers in real-time (through websocket connection I guess), this means sensitive information such as session cookies could be leaked,” he wrote in a message. “I am not a malware expert so I can't come up with *all* that is possible when having real-time access to request headers, but I do get that it's really bad.”
https://www.ghacks.net/2020/10/16/time- ... t-firefox/
When Nano Defender was launched in 2019, it quickly became a go-to extension to bypass anti-adblocking mechanisms on Internet sites. It used code from uBlock Origin, one of the most prominent content blocking extensions, and users started to install the new extension in Chrome and other Chromium-based browsers.
One of the main differentiating factors between Nano Defender and uBlock Origin was that the former supported a reporting option to let the developer know about issues encountered while using the extension. A port for Firefox was created by another developer to cover all major browsers on the Windows platform.
Nano Defender has more than 200,000 users that installed the extension from the Chrome Web Store alone.
The developer of the extension revealed on the official GitHub that he decided to sell the extension twelve days ago to two Turkish developers.
Community members and Raymond Hill, developer of uBlock Origin, shared their thoughts on the deal and the fact that little information was provided. Gorhill suspected that the new owners' main intention was to monetize the extension in one form or another, or do worse with it.
The new owners uploaded a new version to the Chrome store, and careful analysis of the code of the extension revealed that it contained a new connect.js file that did not come from the project's GitHub page.
Hill provided an analysis of the code and discovered that the new code allowed the developers to submit user activity and data to remote servers.
Hill suggested that users uninstall Nano Defender / Nano Adblocker immediately to block data from being submitted to the new owners.
The Firefox fork of the extension was not part of the deal, and the maintainer of it expressed interest to rename it and continue maintaining it. All other versions of the extension, basically any for Chromium-based browsers, should be removed immediately. Users who want to be on the safe side should remove the Firefox extension as well.
Other things you can do for this situation
The possibility that the extensions may have uploaded session cookies means that anyone who was infected should at a minimum fully log out of all sites. In most cases this should invalidate the session cookies and prevent anyone from using them to gain unauthorized access.
Truly paranoid users will want to change passwords just to be on the safe side.
If you use either Nano blocker or defender, DELETE THEM NOW!
I was previously using uBlock with the Nano Defender integration. So I deleted the plugin and also removed/deleted the filter lists for the Nano Defender integration and any Nano-related filters, then purged filters and updated filters just to be sure.
But even after all that, I believe the damage has already been done.... accounts could possibly be compromised, so take care.
For added measures I recommend using this website:
https://haveibeenpwned.com/Passwords
And if you use KeePass to manage your passwords, you can then use this plugin to cross-check against the HIBP database as well:
https://github.com/mihaifm/HIBPOfflineCheck
But in this particular case, where we clearly know the Nano plugin was breached... I'd recommend just changing your passwords to be sure (in addition to logging out of all the important websites to clear cookies). Of course, only if you are one of the affected users. If not, then just stay away from the Nano plugins for your browser.
There is an article on Chris Partridge's blog that explains this in more technical detail and what to do if you were affected.
What Happened?
In brief, a malware author has started approaching developers of popular Chrome Web Store extensions, which have:
-Permission to read and modify all data on all sites (ex. adblockers, development tools).
-A long malware-free existence (years).
-High ratings (generally, >4.0).
-Hundreds of thousands of active installations.
They approach these developers as an anonymous party - generally as a student or a developer just starting out - and ask to purchase rights to the extension. Sometimes those are full rights, and the malware author assumes full control of the extension (promising to maintain it), other times they negotiate a deal where they only buy the rights to the existing extension and userbase, and allow the original author to upload a new copy of their extension.
Once control of the extensions is handed over to the developers, they load whatever the current version of their malicious payload is, and all users who have these extensions are infected as Chrome automatically updates them - rolling out malware to hundreds of thousands of users.
Help for Users Impacted by Infected Extensions
Nano Adblocker
Originally released by Hugo Xu, and sold to an anonymous third party
Users during infected period: up to ~182k
ID: gabbbocakeomblphkmmnoamkioajlkfo
Infected version: 1.0.0.154
Infected timeframe: October 15th, 2020 - October 16th, 2020
Nano Defender
Originally released by Hugo Xu, and sold to an anonymous third party
Users during infected period: up to ~260k
ID: ggolfgbegefeeoocgjbmkembbncoadlb
Infected version: 15.0.0.206
Infected timeframe: October 15th, 2020 - October 16th, 2020
What Did These Do?
I’ll provide a brief technical overview of the malware’s operation, but if you want to skip this section, the key takeaways are that this extension can:
-Steal your header information for certain sites (including session tokens, which are used to authenticate you). It doesn’t do this by default for all sites, and has only been observed by me personally to do this for Instagram, but this can be done for any site the malware author chooses at any time. So, this is quite the danger.
-Force your browser to go to specific websites (generally, to like or follow specific content using your account), and report that information to the malware author. This can also be dangerous if sensitive data was accessed (ex. browsing to your messages on Facebook), but the malware author hasn’t been observed doing so.
How Can I Protect Myself?
Unfortunately, there’s little that you could have done to protect yourself from these extensions outside of “not having them installed.” Using a password manager or 2FA protects you from unauthorized logins (ex. a Russian hacker without your Yubikey can’t create a new session), but neither protects you from an existing session being stolen. First, focus on the sites that are known to be impacted:
-If you were logged in to Instagram, you should change your password here, which will also log you out of all sessions. To be safe, log out and log back in afterwards to clear the session you are currently using.
-If you were logged in to Facebook, you should change your password first using this help, then log yourself out of all sessions using this help, then log out and log back in to close the session you are currently using.
-There have also been concerns raised about this extension abusing Twitch and GitHub accounts, though I am still collecting evidence, and as of right now these should be considered “unconfirmed.”
You might be wondering: didn’t you say that all sites could have their session tokens stolen? Yes. We don’t know for sure if other sites were impacted, since this behavior was 100% controlled by the command-and-control server. To our benefit, the malware author seems to be focused on their social media like business, probably because money coming in from that is plentiful (100 likes for $1 as the going rate for Instagram, I’ve observed ~20 likes/hour/browser, you do the math!) and needs to be minimally laundered compared to stolen funds or proceeds from ransomware.
But for risk-averse users, you could take action to ensure your critical accounts are protected (ex. other social media, banks, investment accounts), as well as any you need for business or gainful employment (ex. webmail, corporate logins, file sharing or backup sites) by performing similar actions: terminate your session, change your password, and ideally enable 2FA to be sure you are safe.
https://chris.partridge.tech/2020/exten ... for-users/
Best to keep an eye on Chris' webpage on this and other sources that are investigating this in more detail. But to keep it simple, just change your password for the important sites you logged into, e.g. Google, Facebook, Twitter, Instagram, to name a few.
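The post above lists the two extension IDs and the first infected build numbers. A quick way to turn that into a check is to walk a Chromium profile's Extensions folder and compare each installed ID and version against that list. The script below is an added example, not code from the forum thread, from Ars Technica, gHacks, or Chris Partridge's blog: the IDs and version numbers are the ones quoted in the thread, the `<profile>/Extensions/<id>/<version>_0/manifest.json` layout is the one Chromium uses, and the profile paths in `default_profile_dirs()` are assumptions that may need adjusting for Edge, Brave or a non-default profile. When no real profile is found it scans a constructed sample profile instead.

```python
"""Check a Chromium profile's Extensions folder for the extension IDs and
infected builds quoted in the thread above.

Added example, not code from the thread or the cited articles. Extension IDs
and infected versions come from the thread; profile locations are assumptions.
"""
import json
import os
import tempfile

# Extension ID -> (name, first infected version), as quoted in the thread.
KNOWN_BAD = {
    "gabbbocakeomblphkmmnoamkioajlkfo": ("Nano Adblocker", "1.0.0.154"),
    "ggolfgbegefeeoocgjbmkembbncoadlb": ("Nano Defender", "15.0.0.206"),
}


def version_tuple(version):
    """'15.0.0.206' -> (15, 0, 0, 206); non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def classify(ext_id, version):
    """Return a finding for one installed extension, or None if it is not on the list."""
    if ext_id not in KNOWN_BAD:
        return None
    name, infected = KNOWN_BAD[ext_id]
    if version_tuple(version) >= version_tuple(infected):
        return (f"{name} {version}: infected build (>= {infected}); "
                "remove it, log out of every site, rotate passwords")
    return (f"{name} {version}: older than the infected build, but the listing "
            "changed hands; remove it anyway")


def scan_extensions_dir(extensions_dir):
    """Walk <extensions_dir>/<id>/<version>_0/manifest.json and collect findings."""
    findings = []
    if not os.path.isdir(extensions_dir):
        return findings
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_dir = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version_dir in sorted(os.listdir(ext_dir)):
            manifest_path = os.path.join(ext_dir, version_dir, "manifest.json")
            # Chromium names the directory "<version>_0"; prefer the manifest's value.
            version = version_dir.split("_")[0]
            try:
                with open(manifest_path, encoding="utf-8") as fh:
                    version = json.load(fh).get("version", version)
            except (OSError, ValueError):
                pass
            finding = classify(ext_id, version)
            if finding:
                findings.append((ext_id, finding))
    return findings


def default_profile_dirs():
    """Likely Chrome/Chromium profile locations (assumed; extend for Edge, Brave, ...)."""
    home = os.path.expanduser("~")
    local_appdata = os.environ.get("LOCALAPPDATA", "")
    candidates = [
        os.path.join(home, ".config", "google-chrome", "Default", "Extensions"),
        os.path.join(home, ".config", "chromium", "Default", "Extensions"),
        os.path.join(home, "Library", "Application Support", "Google", "Chrome",
                     "Default", "Extensions"),
        os.path.join(local_appdata, "Google", "Chrome", "User Data", "Default", "Extensions"),
    ]
    return [c for c in candidates if os.path.isdir(c)]


def build_sample_profile():
    """Constructed sample: one infected Nano Defender build beside a benign placeholder."""
    root = tempfile.mkdtemp(prefix="extscan-")
    samples = {
        "ggolfgbegefeeoocgjbmkembbncoadlb": ("15.0.0.206", "Nano Defender"),
        # constructed placeholder ID standing in for an unrelated, benign extension
        "abcdefghijklmnopabcdefghijklmnop": ("2.1.0", "Some Other Extension"),
    }
    for ext_id, (version, name) in samples.items():
        ext_dir = os.path.join(root, ext_id, f"{version}_0")
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "version": version, "manifest_version": 2}, fh)
    return root


if __name__ == "__main__":
    targets = default_profile_dirs() or [build_sample_profile()]
    for target in targets:
        print(f"== {target}")
        results = scan_extensions_dir(target)
        for ext_id, finding in results:
            print(f"  {ext_id}  {finding}")
        if not results:
            print("  no listed extension found")
```

Any hit, on any version, means the extension should be removed; a version at or above the listed build additionally means sessions open during the infected window should be treated as exposed, which is why the finding text repeats the thread's advice to log out everywhere and change passwords. Point `scan_extensions_dir()` at a specific profile's Extensions folder if you use more than one profile.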