
[WARNING] Chromium Versions Of Nano Adblocker Ends Up Becoming Malware

Posted: Wed Oct 21, 2020 5:50 pm
by Moogle Stiltzkin
Zirconium Hacker Smack-Fu Master,

I was affected by this because I used Nano Defender to supplement uBlock Origin. It was completely unexpected that this open source extension would suddenly change hands, with no warning aside from some information on GitHub that I didn't read until it was too late.

There is nothing I could have done... and now I have an Instagram account filled with likes that aren't mine. I'm glad that's all, I guess - they could have done much worse.
Chromium Versions Of Nano Adblocker Ends Up Becoming Malware

Regardless of what you use to browse the internet on your PC, chances are you have an adblocker installed. But if you’re using Nano Adblocker and Nano Defender on a Chromium-based browser, then you should uninstall them as soon as you can. These two, frequently used together, have recently turned into a form of malware.

Ars Technica reports that the original developer for both extensions quite recently sold off the rights to both. The new developers have since rolled out updates that added malicious code. The discovery was made by the maker of another extension, uBlock Origin, on which the Nano Adblocker is based.

With the new malicious code, browsers infected by Nano Adblocker and Nano Defender are giving likes to large numbers of Instagram posts without user input. The infected browsers were also accessing other user accounts that weren’t already open in the browser. They are believed to be doing this by uploading authentication cookies and using them to gain access to user accounts.

Google has since removed them from the Chrome Web Store. You should do the same from your browser too. Oddly enough, both extensions are also available to Mozilla Firefox and Microsoft Edge, but the versions for these browsers are unaffected. Unless you’re using Edge and installed them from the Chrome Web Store. To be safe, you should at least log out of all websites on your browser. You may also want to consider changing your passwords too.
Many Nano extension users in this forum reported that their infected browsers were also accessing user accounts that weren’t already open in their browsers. This has led to speculation that the updated extensions are accessing authentication cookies and using them to gain access to the user accounts. Hill said he reviewed some of the added code and found that it was uploading data.

“Since the added code was able to collect request headers in real-time (through websocket connection I guess), this means sensitive information such as session cookies could be leaked,” he wrote in a message.
“I am not a malware expert so I can't come up with *all* that is possible when having real-time access to request headers, but I do get that it's really bad.”
https://arstechnica.com/information-tec ... -accounts/

When Nano Defender was launched in 2019, it quickly became a go-to extension to bypass anti-adblocking mechanisms on Internet sites. It used code from uBlock Origin, one of the most prominent content blocking extensions, and users started to install the new extension in Chrome and other Chromium-based browsers.

One of the main differentiating factors between Nano Defender and uBlock Origin was that the former supported a reporting option to let the developer know about issues encountered while using the extension. A port for Firefox was created by another developer to cover all major browsers on the Windows platform.

Nano Defender has more than 200,000 users that installed the extension from the Chrome Web Store alone.

The developer of the extension revealed on the official GitHub that he decided to sell the extension twelve days ago to two Turkish developers.

Community members and Raymond Hill, developer of uBlock Origin, shared their thoughts on the deal and the fact that little information was provided. Gorhill suspected that the new owners' main intention was to monetize the extension in one form or another, or do worse with it.

The new owners uploaded a new version to the Chrome store, and careful analysis of the code of the extension revealed that it contained a new connect.js file that did not come from the project's GitHub page.

Hill provided an analysis of the code and discovered that the new code allowed the developers to submit user activity and data to remote servers.

Hill suggested that users uninstall Nano Defender / Nano Adblocker immediately to block data from being submitted to the new owners.

The Firefox fork of the extension was not part of the deal, and the maintainer of it expressed interest to rename it and continue maintaining it. All other versions of the extension, basically any for Chromium-based browsers, should be removed immediately. Users who want to be on the safe side should remove the Firefox extension as well.
https://www.ghacks.net/2020/10/16/time- ... t-firefox/


Other things you can do for this situation
The possibility that the extensions may have uploaded session cookies means that anyone who was infected should at a minimum fully log out of all sites. In most cases this should invalidate the session cookies and prevent anyone from using them to gain unauthorized access.

Truly paranoid users will want to change passwords just to be on the safe side.

If you use either Nano blocker or defender, DELETE THEM NOW!

i was previously using ublock with the nanodefender integration. So i delete the plugin and removed/deleted also the filterlists for nanodefender integration and any nano related filters. also purge filters then update filters just to be sure.

but even after all that, i believe the damage has already been done.... accounts could possibly be compromised :shock: so take care.


for added measures i recommend using this website
https://haveibeenpwned.com/Passwords

and if you use keepass to manage your passwords, you can then use the plugin to crosscheck against the HIBP database as well
https://github.com/mihaifm/HIBPOfflineCheck


but in this particular case where we clearly know the nano plugin was breached... i'd recommend just changing your passwords just to be sure (in addition to logging out of all the important websites to clear cookies). of course only if you are one of the affected users. If not, then just stay away from nano plugins for browser :S



There is an article on Chris Partridge's blog that explains this in more technical detail and what to do if you were affected.
What Happened?
In brief, a malware author has started approaching developers of popular Chrome Web Store extensions, which have:

-Permission to read and modify all data on all sites (ex. adblockers, development tools).
-A long malware-free existence (years).
-High ratings (generally, >4.0).
-Hundreds of thousands of active installations.

They approach these developers as an anonymous party - generally as a student or a developer just starting out - and ask to purchase rights to the extension. Sometimes those are full rights, and the malware author assumes full control of the extension (promising to maintain it), other times they negotiate a deal where they only buy the rights to the existing extension and userbase, and allow the original author to upload a new copy of their extension.

Once control of the extensions is handed over to the developers, they load whatever the current version of their malicious payload is, and all users who have these extensions are infected as Chrome automatically updates them - rolling out malware to hundreds of thousands of users.



Help for Users Impacted by Infected Extensions

Nano Adblocker
Originally released by Hugo Xu, and sold to an anonymous third party
Users during infected period: up to ~182k
ID: gabbbocakeomblphkmmnoamkioajlkfo
Infected version: 1.0.0.154
Infected timeframe: October 15th, 2020 - October 16th, 2020



Nano Defender
Originally released by Hugo Xu, and sold to an anonymous third party
Users during infected period: up to ~260k
ID: ggolfgbegefeeoocgjbmkembbncoadlb
Infected version: 15.0.0.206
Infected timeframe: October 15th, 2020 - October 16th, 2020


What Did These Do?
I’ll provide a brief technical overview of the malware’s operation, but if you want to skip this section, the key takeaways are that this extension can:

-Steal your header information for certain sites (including session tokens, which are used to authenticate you). It doesn’t do this by default for all sites, and has only been observed by me personally to do this for Instagram, but this can be done for any site the malware author chooses at any time. So, this is quite the danger.

-Force your browser to go to specific websites (generally, to like or follow specific content using your account), and report that information to the malware author. This can also be dangerous if sensitive data was accessed (ex. browsing to your messages on Facebook), but the malware author hasn’t been observed doing so.




How Can I Protect Myself?
Unfortunately, there’s little that you could have done to protect yourself from these extensions outside of “not having them installed.” Using a password manager or 2FA protects you from unauthorized logins (ex. a Russian hacker without your Yubikey can’t create a new session), but neither protects you from an existing session being stolen. First, focus on the sites that are known to be impacted:

-If you were logged in to Instagram, you should change your password here, which will also log you out of all sessions. To be safe, log out and log back in afterwards to clear the session you are currently using.

-If you were logged in to Facebook, you should change your password first using this help, then log yourself out of all sessions using this help, then log out and log back in to close the session you are currently using.

-There have also been concerns raised about this extension abusing Twitch and GitHub accounts, though I am still collecting evidence, and as of right now these should be considered “unconfirmed.”

You might be wondering: didn’t you say that all sites could have their session tokens stolen? Yes. We don’t know for sure if other sites were impacted, since this behavior was 100% controlled by the command-and-control server. To our benefit, the malware author seems to be focused on their social media like business, probably because money coming in from that is plentiful (100 likes for $1 as the going rate for Instagram, I’ve observed ~20 likes/hour/browser, you do the math!) and needs to be minimally laundered compared to stolen funds or proceeds from ransomware.

But for risk-averse users, you could take action to ensure your critical accounts are protected (ex. other social media, banks, investment accounts), as well as any you need for business or gainful employment (ex. webmail, corporate logins, file sharing or backup sites) by performing similar actions: terminate your session, change your password, and ideally enable 2FA to be sure you are safe.


https://chris.partridge.tech/2020/exten ... for-users/

best to keep an eye on chris' webpage on this and other sources that are investigating this in more detail. but to keep it simple, just change password for the important sites you logged into e.g. google, facebook, twitter, instagram to name a few :'
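
Added example (not part of the original post or of Chris Partridge's article): a small Python check that looks in a Chromium profile for the two extension IDs and infected versions listed above, plus the connect.js file mentioned in the quoted ghacks article. The Extensions/<id>/<version>_<n>/ directory layout, the function names and the 1.0.0.153 sample version are assumptions made for this example.

```python
import json
import tempfile
from pathlib import Path

# Extension IDs and infected versions exactly as listed in the post above.
INFECTED = {
    "gabbbocakeomblphkmmnoamkioajlkfo": ("Nano Adblocker", "1.0.0.154"),
    "ggolfgbegefeeoocgjbmkembbncoadlb": ("Nano Defender", "15.0.0.206"),
}

def scan_profile(profile_dir):
    """Assumes the Chromium layout Extensions/<id>/<version>_<n>/manifest.json."""
    findings = []
    ext_root = Path(profile_dir) / "Extensions"
    for ext_id, (name, bad_version) in INFECTED.items():
        for manifest in sorted(ext_root.glob(f"{ext_id}/*/manifest.json")):
            try:
                data = json.loads(manifest.read_text(encoding="utf-8-sig"))
                version = str(data.get("version", ""))
            except (OSError, ValueError, AttributeError):
                version = ""  # unreadable manifest: use the directory name below
            version = version or manifest.parent.name.split("_")[0]
            findings.append({
                "name": name,
                "version": version,
                "infected_version": version == bad_version,
                # connect.js is the file reported as absent from the GitHub source.
                "has_connect_js": any(manifest.parent.rglob("connect.js")),
            })
    return findings

def sessions_at_risk(findings):
    return any(f["infected_version"] or f["has_connect_js"] for f in findings)

def build_sample_profile(root):
    layout = {  # constructed test data: one infected copy, one older copy
        "ggolfgbegefeeoocgjbmkembbncoadlb/15.0.0.206_0": ("15.0.0.206", True),
        "gabbbocakeomblphkmmnoamkioajlkfo/1.0.0.153_0": ("1.0.0.153", False),
    }
    for rel, (version, with_connect) in layout.items():
        ext_dir = Path(root) / "Extensions" / rel
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps({"version": version}))
        if with_connect:
            (ext_dir / "connect.js").write_text("// constructed placeholder")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(scan_profile(build_sample_profile(tmp)))
```

Point scan_profile at a real profile directory (for example ~/.config/google-chrome/Default on Linux, an assumed default path). Any result at all means the extension should be removed, and sessions_at_risk returning True means the logout and password steps above apply.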

Re: [WARNING] Chromium Versions Of Nano Adblocker Ends Up Becoming Malware

Posted: Thu Oct 22, 2020 1:58 am
by Moogle Stiltzkin
here are some chrome plugins (ones not yet compromised afaik) i recommend for managing your cookies

cookieautodelete
https://chrome.google.com/webstore/deta ... jagh?hl=en


you can schedule it to auto clear cookies after closing a site automatically. there is even a whitelist or greylist feature.

but to my understanding, the bad extension might have already intercepted your cookie and already uploaded it before you logged out and this other plugin cleaned/removed it. at most it only helps you from someone using your pc and login to your sites without you knowing when your pc is unattended.



anyway in regard to changing your account passwords, on e.g. facebook, after you changed, there is some link where you can view your active sessions, you can go there and log them all out, then on facebook, logout. then if you are using chrome, click on the lock icon in the url bar > site settings > cookies > clear data

Then you can log back with the new password. done :)

and obviously delete that bad extension first before you do this





update: seems only the chrome extension was affected. Not firefox.
Iron Heart said on October 16, 2020 at 7:26 pm
@Fais

1) The Nano Adblocker and Nano Defender extensions on Firefox were not affected, because the Firefox versions are being maintained by someone else, more info here: https://github.com/LiCybora/NanoDefende ... issues/187

The person maintaining the Firefox version is as sad about these ongoings as we all are. The maintainer of the Firefox versions has announced that development of Nano Adblocker will be put to rest on Firefox, but that he / she will continue to develop Nano Defender independently, possibly renaming it. So if you are on Firefox, you can keep Nano Defender and replace Nano Adblocker (which is abandoned now) with uBlock Origin.

2) Nano Defender serves the purpose of evading anti-adblock scripts. There are other uBlock Origin-compatible lists which achieve the same thing:

Adblock Warning Removal List (hit “Subscribe” in order to subscribe):

https://filterlists.com/lists/adblock-w ... moval-list

Fuc@@k Fuc@@@@kadblock (hit “Subscribe” in order to subscribe):

https://filterlists.com/lists/fuc@@k-fuc@@@kadblock

remove @@@
These two could serve as a replacement, but as said, Nano Defender on Firefox can still be recommended. The Chromium versions of both Nano Adblocker and Nano Defender are malicious now.

Re: [WARNING] Chromium Versions Of Nano Adblocker Ends Up Becoming Malware

Posted: Thu Oct 22, 2020 6:19 am
by Moogle Stiltzkin
now that nanodefender is out, we have to find alternatives to fill what it previously did. Yes ublock is awesome, but it needs a bit more help to make it work even better.
Iron Heart said on October 16, 2020
@anonymous

Yes, uninstall Nano Adblocker and Nano Defender as soon as possible, then install uBlock Origin as a replacement.

Nano Defender serves the purpose of evading anti-adblock scripts. There are other uBlock Origin-compatible lists which achieve the same thing:

Adblock Warning Removal List (hit “Subscribe” in order to subscribe):

https://filterlists.com/lists/adblock-warning-removal-list
** ** (hit “Subscribe” in order to subscribe):

https://filterlists.com/lists/**-**
These two could serve as a replacement.

I am definitely planning to renew this post of mine with updated information (including the removal of the Nanos), but I am still waiting for an opportunity to re-post this that would not be blatantly off-topic on my part. Since Brave is underreported here, such an opportunity is yet to arise.
Reno Sifana Paksi said on October 17, 2020

Hi. yes, it is true uBlock Origin as a replacement for Nano Adblocker. and the uBO Extra Extension as a replacement for Nano Defender.
Nano Defender Based on Code from:

Credits
Nano Defender uses open source code from the following projects (alphabetical):

reek / anti-adblock-killer

primers / octicons

uBlockOrigin / uAssets

gorhill / uBlock

gorhill / uBO-Extra
Note: I am citing a list from the GitHub page of jspinguin2017 / uBlockProtector.
Iron Heart said on October 18, 2020 at 10:58 am
@Reno Sifana Paksi

uBlock Origin Extra seems to be abandoned, though. Last update was on September 9th, 2019, more than a year ago:

https://chrome.google.com/webstore/deta ... ffkjpaplco
https://www.ghacks.net/2020/10/16/time- ... t-firefox/