# Chromium spyware logging injected via extension called VLC Plugin Player



## drmike (Feb 16, 2015)

I made the mistake of downloading a Chromium extension for tying VLC media player into Chromium as a file handler.
 
After downloading:

VLC Plugin Player
from esexclusiva.com
 

I started noticing Ghostery coughing up blocked elements on every page. The last item blocked every time, on every page, on every site:

*whos.amung.us*

The name stuck out, as did the permanent appearance of the logging / spy element, even on intranet stuff where certainly no logging exists.

Tssk.

I tracked the whos.amung.us call down to VLC Plugin Player, which is feeding data to someone on every tab in your browser. Nothing VLC needs to be running. No extension handling or even embedded content is needed to spring this. It gets in and stays in when you install this plugin from esexclusiva.com.

Disable / remove this extension and it's gone.

Be warned.


----------



## blergh (Feb 16, 2015)

I'm surprised that the biggest tinfoil-hat downloaded some browser plugin(!) from an unofficial source. What's the point of a VLC plugin these days anyhow?


----------



## drmike (Feb 16, 2015)

blergh said:


> I'm surprised that the biggest tinfoil-hat downloaded some browser plugin(!) from an unofficial source. What's the point of a VLC plugin these days anyhow?


Bahaha... we haven't used tin in foil since probably 1950's.

Who said I downloaded anything from an "unofficial source"? Nope.

In Chromium ---> Settings ---> Extensions ---> Get More Extensions

Search the Store ---> VLC  ---> then click on Extensions  ---> 5 down is the problem plugin VLC Plugin Player 2.2

What's the point of such? Same as any extension: to integrate a desktop app as a handler for certain content into the browser.

This is retarded though, since there's no reason for that extension to be leaking data or anything when there's no content suitable for it to interpret/process.

If there's some other way in Chromium to achieve this / something similar, I'm all ears. I don't proclaim to have an MS in Chromium.


----------



## wlanboy (Feb 17, 2015)

Chrome Plugins = Firefox Plugins = Wordpress Plugins.

Don't use them if you cannot trust the one who built them.


----------



## telephone (Feb 17, 2015)

drmike said:


> Bahaha... we haven't used tin in foil since probably 1950's.
> 
> Who said I downloaded anything from "unofficial source".  Nope.
> 
> ...


That's why I always check the permissions first. If they request absurd permissions when the extension is only for YouTube, that's an instant red flag!

Other than that I try to stick to extensions that are OSS... That, however, is not always possible, which is why I then look into the unpacked extension for fishy code.

To look at the CRX file, here's a time saving method:

- Use Chrome extension source viewer (OSS via Github)

Or if you don't want to install the extension above:

- Download CRX for given extension via Chrome Extension Downloader (there's plenty of other ways, but I'm going for simplicity here)

- Upload CRX to Chrome extension source viewer (this is a live demo of the extension from above)

Excuse me while I take my 1950's tin foil hat in for an upgrade


----------



## DomainBop (Feb 17, 2015)

> I started noticing Ghostery coughing up blocked elements on every page. ..I tracked the whos.amung.us call down to VLC Plugin Player which is *feeding data to someone on every tab in your browser.*


Isn't that basically what Ghostery does if you enable GhostRank?


----------



## drmike (Feb 17, 2015)

DomainBop said:


> Isn't that basically what Ghostery does if you enable GhostRank?


Indeed.  It's why I do not enable GhostRank.


----------



## PortCTL (Feb 17, 2015)

drmike said:


> I made the mistake of downloading a Chromium extension for tying VLC media player within Chromium as a file handler.
> 
> 
> After downloading:
> ...


Open the manifest.json file and look in it for content_scripts; you'll see the referenced JS files. Look at the code to figure out where it's displaying it from.


----------



## drmike (Feb 17, 2015)

PortCTL said:


> Open the manifest.json file and look in it for content_scripts; you'll see the referenced JS files. Look at the code to figure out where it's displaying it from.


Went in there looking.

Nothing I found in plaintext with a match for amung..., which is part of the URL of the logging / spy script.
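A plaintext grep for the hostname comes up empty whenever the string is assembled at runtime rather than stored verbatim. The script below is an added example, not code from the thread, from the extension, or from any poster: it decodes the cheap tricks that defeat grep (`\x` / `\u` escapes, `'a' + 'b'` literal concatenation, `String.fromCharCode`, base64 literals) before searching. The JavaScript snippets it scans are constructed for the demo and are not the extension's real files.

```python
"""Find a hostname in extension JavaScript even when a plain grep misses it.

Added example: not code from the thread, the extension, or any poster.
The snippets in SAMPLES are constructed for the demo; they are not the
extension's real popout_for_videolink.js.
"""
import base64
import binascii
import re

# Constructed samples of cheap ways to keep a hostname out of a grep.
SAMPLES = {
    "plain.js":    "var u = 'http://whos.amung.us/swidget/cleanplugin';",
    "hex.js":      "var u = '\\x77\\x68\\x6f\\x73\\x2e\\x61\\x6d\\x75\\x6e\\x67\\x2e\\x75\\x73';",
    "concat.js":   "var u = 'who' + 's.am' + 'un' + 'g.us';",
    "charcode.js": "var u = String.fromCharCode(97,109,117,110,103);",  # "amung"
    "b64.js":      "var u = atob('%s');" % base64.b64encode(b"whos.amung.us").decode(),
    "clean.js":    "document.title = 'hello';",
}

HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
UNI_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
CONCAT_SQ = re.compile(r"'([^'\\\n]*)'\s*\+\s*'([^'\\\n]*)'")
CONCAT_DQ = re.compile(r'"([^"\\\n]*)"\s*\+\s*"([^"\\\n]*)"')
FROM_CC = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
B64_LIT = re.compile(r"['\"]([A-Za-z0-9+/]{8,}={0,2})['\"]")


def decoded_forms(src):
    """Yield the source text plus every decoded variant we can derive from it."""
    yield src
    # 1. \xNN and \uNNNN escapes inside string literals
    text = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), src)
    text = UNI_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    # 2. 'a' + 'b' + 'c' literal concatenation, folded until nothing changes
    while True:
        folded = CONCAT_SQ.sub(lambda m: "'%s%s'" % (m.group(1), m.group(2)), text)
        folded = CONCAT_DQ.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), folded)
        if folded == text:
            break
        text = folded
    yield text
    # 3. String.fromCharCode(...) with literal code points
    for m in FROM_CC.finditer(text):
        codes = [int(c) for c in re.split(r"[\s,]+", m.group(1).strip()) if c]
        yield "".join(chr(c) for c in codes)
    # 4. base64-looking literals (atob(), or decoded somewhere else at runtime)
    for m in B64_LIT.finditer(text):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and all(32 <= b < 127 for b in raw):
            yield raw.decode("ascii")


def plain_grep(sources, needle):
    """What `grep -l needle *.js` would report: files containing it verbatim."""
    return sorted(name for name, src in sources.items() if needle in src)


def deep_scan(sources, needle):
    """Map file name -> decoded forms in which needle appears."""
    hits = {}
    for name, src in sources.items():
        found = [form for form in decoded_forms(src) if needle in form]
        if found:
            hits[name] = found
    return hits


if __name__ == "__main__":
    print("plain grep:", plain_grep(SAMPLES, "amung"))
    for name, forms in deep_scan(SAMPLES, "amung").items():
        print("deep scan :", name, "->", forms[0][:60])
```

Against a real unpacked extension, read each `.js` file into the `sources` dict and call `deep_scan`. This only covers static encodings; a script that fetches its real payload at runtime, or unpacks itself through `eval`, still has to be caught by loading the extension in a throwaway profile and watching its network requests, which is effectively what Ghostery did here.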


----------



## PortCTL (Feb 17, 2015)

drmike said:


> Went in there looking.
> 
> Nothing I found in plaintext with a match for amung..., which is part of the URL of the logging / spy script.


Can you send me the extension files? I'll take a peek.


----------



## drmike (Feb 17, 2015)

PortCTL said:


> Can you send me the extension files? I'll take a peek.


Let me zip this directory up and ship it to you...  Will PM it.


----------



## PortCTL (Feb 17, 2015)

Let's take a crack at this script..

manifest.json:

```json
"content_scripts": [ {
   "js": [ "lib/jquery.js", "popout_for_videolink.js" ],
   "matches": [ "http://*/*", "https://*/*" ],
   "run_at": "document_start"
} ],
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
```

So, it's mostly adware, it appears. You can see the whos.amung.us injection.

Following that, upon sending a request, I got back:

```
WAU_r_('649','cleanplugin',-1);
```

Refreshed the page...

```
WAU_r_('665','cleanplugin',-1);
```

Upon changing the ?k=cleanplugin variable, it'll clean the cleanplugin output.

Looks like more of a stat counter. Not very sophisticated, just an advertisement bot, and what appears to be a Facebook like bot/post bot/etc.

Judging by WHOIS searches and emails like [email protected], it appears to be a Spanish developer.

Facebook excerpt (Spanish, translated):

Esther Gon: I'd like to buy this fan page!! Who'll sell it to me? Message this email if you're interested in selling it!! [email protected]

Google translation: I would like to buy this fang page !! who sells me? msg to this email if you interessa sell !! [email protected]

A Yahoo result (Spanish, translated):

Osiris Demonio answered 4 years ago

sure friend, the program is on my website in the posts I've posted, you can look it up, it's called mp3 converter, there it has a feature for raising and lowering the volume of the instrumental and leaving only the vocals, thanks, my page is www.rdzonemusic.net or if you can't find it on the web among the multitude of posts I'll leave you my email so I can upload you one I have on my pc and send you the link, my email is [email protected]

It starts linking to a Twitter account... https://twitter.com/ChistesRD_Com/status/106918374289833985

Which links to: peliculas2013.com

Which is not active anymore.

The Twitter account's website: chistesrd.com

Hidden behind Cloudflare, private registration. WHOIS history shows it was hosted in 2011-2012 at 000webhost.com.

AND a quick Google search of that website leads us to:

https://bugzilla.mozilla.org/show_bug.cgi?id=723753

"Malicious extension"

Even further,


```
_like("369359856481204");
```
That page, links to: https://www.facebook.com/principekarim

320,000+ likes.

And furthermore, it also links to https://www.facebook.com/Marca0Producto?fref=pb&hc_location=profile_browser

100% Spanish, it appears.

Anyways, that was fun.
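The manifest fragment posted above, together with telephone's earlier advice to check permissions and look inside the unpacked CRX before trusting an extension, can be turned into a repeatable triage step. What follows is an added example in Python, not code from the thread, from the Chrome extension source viewer, from Google, or from the extension itself: it strips the CRX2/CRX3 container header to reach the embedded ZIP, parses manifest.json, and reports the two things this thread turned up, content scripts matched into every http/https page at document_start, and a CSP that permits 'unsafe-eval'. It does no signature verification, so treat it as a static-inspection aid only. The sample extension it builds is constructed for the demo, with a manifest modeled on the posted fragment; the key, signature and header bytes it writes are placeholders, not real crypto.

```python
"""Unpack a .crx and triage its manifest for the red flags discussed above.

Added example: not code from the thread, the extension, the Chrome
extension source viewer, or Google. No signature verification is done;
this is for static inspection only. SAMPLE_MANIFEST is constructed for
the demo, modeled on the content_scripts/CSP fragment posted above.
"""
import io
import json
import struct
import zipfile

BROAD_HOSTS = {"<all_urls>", "http://*/*", "https://*/*", "*://*/*"}
RISKY_PERMS = {"tabs", "webRequest", "webRequestBlocking", "cookies", "history",
               "webNavigation", "management", "proxy", "debugger"}


def unpack_crx(data):
    """Return the ZIP archive embedded in a CRX2 or CRX3 container."""
    if data[:4] != b"Cr24":
        raise ValueError("not a CRX file (bad magic)")
    (version,) = struct.unpack_from("<I", data, 4)
    if version == 2:
        # CRX2 layout: magic | version | pubkey_len | sig_len | pubkey | sig | zip
        pk_len, sig_len = struct.unpack_from("<II", data, 8)
        return data[16 + pk_len + sig_len:]
    if version == 3:
        # CRX3 layout: magic | version | header_len | header (protobuf) | zip
        (hdr_len,) = struct.unpack_from("<I", data, 8)
        return data[12 + hdr_len:]
    raise ValueError("unsupported CRX version %d" % version)


def triage(manifest):
    """Return human-readable findings for a parsed manifest.json (MV2 or MV3)."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if perms & BROAD_HOSTS:
        findings.append("host permission for every site: %s" % sorted(perms & BROAD_HOSTS))
    if perms & RISKY_PERMS:
        findings.append("privileged API permissions: %s" % sorted(perms & RISKY_PERMS))
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append("content scripts %s injected into every page at %s"
                            % (cs.get("js", []), cs.get("run_at", "document_idle")))
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):                     # MV3 keeps it under extension_pages
        csp = csp.get("extension_pages", "")
    if "'unsafe-eval'" in csp:
        findings.append("CSP allows 'unsafe-eval': code can be assembled at runtime")
    if "http:" in csp or "https:" in csp:
        findings.append("CSP whitelists remote script origins")
    return findings


def inspect_crx(data):
    """Unpack, parse manifest.json, and return (manifest, findings, file list)."""
    zf = zipfile.ZipFile(io.BytesIO(unpack_crx(data)))
    manifest = json.loads(zf.read("manifest.json"))
    return manifest, triage(manifest), sorted(zf.namelist())


# --- constructed sample extension, modeled on the manifest fragment above ---
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "constructed demo extension",
    "version": "0.1",
    "content_scripts": [{
        "js": ["lib/jquery.js", "popout_for_videolink.js"],
        "matches": ["http://*/*", "https://*/*"],
        "run_at": "document_start",
    }],
    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
}


def build_sample_crx(manifest, version=3):
    """Wrap a tiny ZIP in a CRX2 or CRX3 header. Key, signature and header
    bytes are placeholders, not real crypto: just enough to exercise unpack_crx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("lib/jquery.js", "// placeholder\n")
        zf.writestr("popout_for_videolink.js", "// placeholder\n")
    payload = buf.getvalue()
    if version == 2:
        key, sig = b"K" * 16, b"S" * 8
        return b"Cr24" + struct.pack("<III", 2, len(key), len(sig)) + key + sig + payload
    header = b"\x00" * 20
    return b"Cr24" + struct.pack("<II", 3, len(header)) + header + payload


if __name__ == "__main__":
    manifest, findings, files = inspect_crx(build_sample_crx(SAMPLE_MANIFEST))
    print("files:", files)
    for finding in findings:
        print("FLAG:", finding)
```

Against a real download, read the `.crx` bytes and hand them to `inspect_crx`; the returned file list tells you which scripts to read next. A finding that names a content script matched into `http://*/*` and `https://*/*` at `document_start` is exactly the shape that lets an extension run code in every tab regardless of whether any media is ever played.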


----------



## drmike (Feb 17, 2015)

@PortCTL, awesome work!!!

That Mozilla Bugzilla report for this or a similar piece from the same author is freaking telling - lots going on in this shit payload:



> Created attachment 593998 [details]
> 20120203 chistesrd.zip
> 
> User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.77 Safari/535.7
> ...


----------



## drmike (Feb 17, 2015)

Shame that the same author was called out as above in 2012 for similar conduct... yet is still allowed to run via Google's official addon systems, distributing shitware. Quite surprising, and I suspect probably fairly common. Just imagine the crap running on folks' phones, which are more closed and where it's less likely to be noticed.


----------



## drmike (Feb 17, 2015)

And it gets worse....

https://forum.eset.com/topic/3729-notifications-spam/

Lists author's website: *www.esexclusiva.com*

Blocked by some malware/virus software... back in December... for... 

"The website contains a malicious script JS/ExtenBro.FBook."

Details on that:

http://www.virusradar.com/en/JS_ExtenBro.FBook.AS/description

"The trojan is a malicious Google Chrome extension/plugin. It can show advertisements."

Looks like this shitfit needs some serious slapping.


----------



## PortCTL (Feb 18, 2015)

See post below, this somehow got posted without my knowledge.


----------



## mikho (Feb 18, 2015)

@PortCTL


Why even bother? What are you going to do? Visit him and tell him straight?


Don't you have better things to do (adding value to your project) than stalking this guy?


----------



## PortCTL (Feb 18, 2015)

@drmike: just for some added fun, same [email protected] email, but...

```
Domain Name: OFESWAY.COM
Registry Domain ID:
Registrar WHOIS Server: whois.netearthone.com
Registrar URL:
Updated Date: 2014-12-06T02:19:47Z
Creation Date: 2014-10-06T18:38:34Z
Registrar Registration Expiration Date: 2015-10-06T18:38:34Z
Registrar: NetEarth One, Inc.
Registrar IANA ID: 1005
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientTransferProhibited (http://icann.org/epp#clientTransferProhibited)
Registry Registrant ID:
Registrant Name: Veato quetin
Registrant Organization: gsgsdgsdg
Registrant Street: los cerros los mina
Registrant City: santo domingo
Registrant State/Province: oeste
Registrant Postal Code: 809
Registrant Country: DO
Registrant Phone: +1.8095556666
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [...]@yahoo.com
Registry Admin ID:
Admin Name: Veato quetin
Admin Organization: gsgsdgsdg
Admin Street: los cerros los mina
Admin City: santo domingo
Admin State/Province: oeste
Admin Postal Code: 809
Admin Country: DO
Admin Phone: +1.8095556666
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [...]@yahoo.com
Registry Tech ID:
Tech Name: Veato quetin
Tech Organization: gsgsdgsdg
Tech Street: los cerros los mina
Tech City: santo domingo
Tech State/Province: oeste
Tech Postal Code: 809
Tech Country: DO
Tech Phone: +1.8095556666
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [...]@yahoo.com
Name Server: ns2031.banahosting.com
Name Server: ns2032.banahosting.com
DNSSEC:Unsigned
URL of the ICANN WHOIS Data Problem Reporting System:
http://wdprs.internic.net/
>>>Last update of WHOIS database: 2015-02-18T01:32:52+0000Z<<<
For more information on Whois status codes, please visit https://icann.org/epp
```

And, OFESWAY.COM leads to what looks to be a blog, and from here, we trace back to the owner of the blog...

https://www.facebook.com/Osiris.2049

And this matches a few posts above for the yahoo answers...

Say "hello" to your "hacker":

Osiris RD

46,727 followers

Married to Fanny RD

Knows "Espaniol, Ingles y español" (Spanish, English and Spanish)

 

And let's check out the site...

```html
<!-- Meta page -->
<meta http-equiv="pragma" content="no-cache">
<meta name="robots" content="index, follow"/>
<meta name="google-site-verification" content="p2bLsAychRw6eFWVwghQ8xbc3UOjFS_Q2WawOG-lnrw" />
<meta name="distribution" content="global"/>
<meta name="description" itemprop="description" content="Es una pagina donde ofreceremos servicios de analisis mostraremos lo ultimo en las novedades tecnologicas." />
<meta name="keywords" itemprop="keywords" content="Analisis de mobiles celulares, Samsung Galaxy, Iphone, Ipad, Ipod, Motorola, Alcatel One Touch, Tarjeta de video, HTC, Aplicaciones, Apple, Mac, Retina, Toshiba, Dell, Sony, Pantalla" />
<meta name="author" content="Osiris RD">
<!-- Meta Facebook -->
<meta property="fb:admins" content="100000604142487" />
<meta property="fb:app_id" content="765882460119524" />
<meta property="og:title" content="Ofesway" />
<meta property="og:type" content="website" />
<meta property="og:url" content="" />
<meta property="og:image" content="" />
<meta property="og:site_name" content="Ofesway" />
<meta property="og:description" content="Es una pagina donde ofreceremos servicios de analisis mostraremos lo ultimo en las novedades tecnologicas." />
<!-- end meta Facebook -->
```

(The Spanish description translates as: "It's a page where we will offer analysis services and show the latest in technology news." The keywords are "Analysis of mobile phones" followed by device and vendor names.)

Just to add extra confirmation...

https://facebook.com/profile.php?id=100000604142487

Redirects to...

https://www.facebook.com/Osiris.2049

And let's just browse his photo collection...


----------



## PortCTL (Feb 18, 2015)

mikho said:


> @PortCTL
> 
> 
> Why even bother? What are you going to do? Visit him and tell him straight?
> ...


I am adding things to my project, however I was also giving drmike a hand, and found this information, so I posted it.

If you would rather, we could very simply allow the spyware to steal credentials, cookies, etc.

Additionally, I am filing a report at his hosting provider(s), and his local police department.


----------



## drmike (Feb 18, 2015)

Glad to see more researchers 

The plugin is / was bad news. Until it's cleaned up, the goal is to get Google to pull it. They've been front-page pushing / distributing such for eons. They have a responsibility to the world to stop facilitating such crap and put some boots down on people that need it.

This opened up Pandora's box. I am likely to start ripping through masses of Google Chrome extensions at some point. I find it all unbelievable that no granular protections are adequately in place and that enforcement / auditing is lacking. Chrome claims to be all secure and warm milk and cookies. With stuff like this, nothing could be further from the truth.


----------



## PortCTL (Feb 18, 2015)

drmike said:


> Glad to see more researchers
> 
> The plugin is / was bad news. Until it's cleaned up, the goal is to get Google to pull it. They've been front-page pushing / distributing such for eons. They have a responsibility to the world to stop facilitating such crap and put some boots down on people that need it.
> 
> This opened up Pandora's box. I am likely to start ripping through masses of Google Chrome extensions at some point. I find it all unbelievable that no granular protections are adequately in place and that enforcement / auditing is lacking. Chrome claims to be all secure and warm milk and cookies. With stuff like this, nothing could be further from the truth.


Shoot me an email if you find any ([email protected] or [email protected]), I'll get them removed.


----------

