Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on June 19, 2015, 09:21:02 AM

Title: Attack script via chrome protocol in sandbox version of Google Chrome?
Post by: polonus on June 19, 2015, 09:21:02 AM
Malware script detector detected Firefox Malware Exploiter via chrome protocol on htxps://accounts.google.com/ServiceLogin?service=devconsole&passive=1209600&continue=https%3A%2F%2Fcode.google.com%2Fapis%2Fconsole%2F&followup=https%3A%2F%2Fcode.google.com%2Fapis%2Fconsole%2F

Script is blocked, but where does this threat stem from? Anyone?
This was detected in Google Chrome Sandbox Version, see: http://userscripts-mirror.org/scripts/review/30284
Is this abused for DNS rebinding attacks when a default password is used?

An extension that is suspect as an AVG attack tool may be Crunch.
Is it this install where it comes from?

polonus

Title: Re: Attack script via chrome protocol in sandbox version of Google Chrome?
Post by: polonus on June 19, 2015, 09:40:11 AM
The attack has existed for a long time, read: https://blog.mozilla.org/security/2008/01/22/chrome-protocol-directory-traversal/

polonus

Title: Re: Attack script via chrome protocol in sandbox version of Google Chrome?
Post by: polonus on June 19, 2015, 10:26:45 AM
With these blocked, there is no alert. Blocked:

ssl.gstatic.com - Whitelist
htxps://ssl.gstatic.com/chrome/components/doodle-notifier-02.html
www.gstatic.com - Whitelist
htxps://www.gstatic.com/og/_/js/k=og.og.en_US.-QToZkIwAFc.O/rt=j/t=zcms/m=ld,sy57,d,sy72,gl,is,id,nb,nw,sb,sd,st,awd,sy64,p,vd,lod,eld,ip,dp,cpd/rs=AItRSTMkxB8bzdEYwDq2Se-yBGk9BxSa9A

polonus