Chrome app store has a rogue Adblock Plus entry under apps!
felipegeek

Chrome app store has a rogue Adblock Plus entry under apps!

Post by felipegeek »

I had to rebuild my Chrome profile and proceeded to look for the extensions I typically use including ABP. When I searched for Adblock Plus an entry came out in the Apps section which is placed above the Extensions section. The app is not published by adblockplus.org but by extew.com. The domain does get any hits in a Google search and when following the link to launch the app from the Chrome store it takes you to http://www.extew.com/adblock-plus/ which has the framework of being a game site but no content to speak of.

It's a troubling issue and ABP should have Google take down the fake entry.

Thanks,
-felipegeek
Just Me

Re: Chrome app store has a rogue Adblock Plus entry under apps!

Post by Just Me »

What is Google doing about this? I can't uninstall it!
mapx

Re: Chrome app store has a rogue Adblock Plus entry under apps!

Post by mapx »

You could:
1. scan your system for adware / malware, using
http://www.softpedia.com/get/Antivirus/ ... ware.shtml

2. if you still have issues, create a new profile:
https://support.google.com/chrome/answer/142059?hl=en

and reinstall your stuff (extensions)

for google:
If you want, open an issue on their tracker
http://code.google.com/p/chromium/issues/list
tampermonkey

Re: Chrome app store has a rogue Adblock Plus entry under apps!

Post by tampermonkey »

Chrome app store has a rogue Adblock Plus entry under apps!
Damn, I knew that something more was wrong here. This must be why I saw a 2.0 version of Adblock Plus: I was looking at the rogue web store which was attempting to serve me the malware, but it failed to install.
Cannot load extension with file or directory name _. Filenames starting with "_" are reserved for use by the system
forum/viewtopic.php?f=10&t=23406&start=0

That's what I saw on the Google Chrome web store. I found the post mentioned above when I came here to report this issue, and saw that someone else had already complained.

I think the Adblock Plus web site also attempted to serve me the malware, but I did not realize this because Chrome said "Failed - No file" when I attempted to download ABP from there. A closer inspection of my Download folder turned up the file that it had intended to run. But the file name might be generated randomly, it sure looks that way. It seems that the hacker tried to create a malformed file name in order to make an EXE file appear as a CRX file on the Chrome download tile. Apparently it was renamed to something they did not expect or it failed to launch automatically on this old version of Chrome for some other reason. (That is why I disagree with Google's attempt to withdraw old versions of Chrome; it's useful for ALL kinds of testing purposes.) On the download tile it says:

cfhdojbkjhnklbpkdai....crx

That is not the correct name of the extension (or the name of the malware file), but I just assumed the installer script failed and the name got mangled because my version of Chrome was buggy or incompatible with the web installer. It was really two separate issues.

Unfortunately I launched the file thinking it was legitimate before I saw this thread. I immediately recognized that it was malware though, and attempted to log its actions. It looks like this malware utilizes the "InstallPath Install Manager" to deliver its payload. So I guess Adblockplus.org is compromised too. When that guy mentioned the "sweet" page* he was talking about browser windows that open when the malware triggers. This means the infection has been going on since at LEAST 2014-5-18. I am also seeing new misspelled versions of AdBlock Plus on the Google Web Store now, and foreign language versions that were not there before. The Google web store is probably loaded with malware. I wasted a lot of time trying to help the ABP guys troubleshoot their software because I believe in open source, and this is what I get for my efforts. I have to take a break now and go clean things up. Goddammit, this is why I don't use Windows on production machines: it's basically just another malware installer.

* the "sweet" page
forum/viewtopic.php?t=16526&start=15#p99667
mapx wrote:If you want, open an issue on their tracker
That is a remarkably nonchalant and cavalier attitude towards a security issue as serious as this one. If the web store has been compromised, why report it to the browser developers and not the web store? Why aren't YOU taking responsibility for reporting it to Google? They are a lot more likely to listen to the developer of their #1 extension! If the infection is as bad as it looks, both AdBlockPlus.org and the Chrome web store should be taken offline for a total redesign in order to guarantee security to millions of users... and this is all you have to say? From now on your handle is "Marie Antoinette" (as in "Qu'ils mangent de la brioche.") :roll:
mapx

Re: Chrome app store has a rogue Adblock Plus entry under apps!

Post by mapx »

well, why do you consider: "Adblockplus.org is compromised too"?

the ABP team can not follow all the malwares someone installs.
for example if you read the page of the new releases:
releases/

you will see which is the last version for the various platforms.

(by the way, I'm only a volunteer moderator, trying to help people)
mapx

Re: Chrome app store has a rogue Adblock Plus entry under apps!

Post by mapx »

Where did you find ABP version 2.0 ?
and from where did you download such exe/crx file ? the google store does not permit the direct downloading (but only installing the crx files)
felipegeek

Re: Chrome app store has a rogue Adblock Plus entry under apps!

Post by felipegeek »

I tried hunting down the offending files but being rather busy with other issues I simply renamed my "User Data" folder and reconfigured Comodo Dragon.

-Rant about app stores-
On app stores in general - Google, Apple, and Microsoft all do a poor job of vetting the software that shows up in their app stores but Google is by far the least involved. Apple at least tries. They should have a "Report as Fake/Malware" link on every app. They should also not allow any add-in/extension to install itself in such a way as to not be easily and automatically removed. The browser/mobile device should track and store every file, settings, etc. created by an extension and be able to remove it without any code from the app itself being involved. This would completely eliminate an offending app without parts of it being left behind.

Adblock Plus should be able to go protect their brand and have the name "AdBlock Plus" and "ABP" reserved so that it cannot be used in the name of any other apps. This should be the state of things in general. Microsoft's app store on the Windows Phone platform is filled with apps that have the name Facebook or Twitter in their titles but have nothing to do with the companies themselves. Many of the programs are dubious in function and intent. Sadly, I don't think that small creators of legitimate apps will get any relief from the Big 3 in this regard. Only lawsuits from the large companies such as banks, stores, social media, etc. that need to protect their brands and reputations will get them to pay attention to the security and veracity of the apps in their stores.

-felipe
Jimmie

Re: Chrome app store has a rogue Adblock Plus entry under apps!

Post by Jimmie »

I also noticed that chrome web store has many extensions which mimic the ABP brand like ABP super, ABP pro, ABP premium etc... I thought ABP was now selling his extension because of those words 'pro' 'premium'. Recently I notice that there is an extension with the exact name as ABP Adblock Plus in the chrome store. https://chrome.google.com/webstore/deta ... e-ntp-icon. I avoided it because it might give me malwares! Is it time to start some actions for ABP?
Gingerbread Man

Re: Chrome app store has a rogue Adblock Plus entry under apps!

Post by Gingerbread Man »

  1. Go to the add-on's details page.
    Edit: this extension has been removed from the Chrome web store.
  2. Click the "Report Abuse" link near the top right.
Jimmie wrote:Recently I notice that there is an extension with the exact name as ABP Adblock Plus in the chrome store.
It's not the same name.

Original
Adblock Plus
from adblockplus.org

Fake
ABP AdBlock Plus
from www․extew․com
tampermonkey

Re: Chrome app store has a rogue Adblock Plus entry under apps!

Post by tampermonkey »

mapx wrote:well, why do you consider: Adblockplus.org is compromised too
In Chrome version 29, the download from the Chrome web store failed with the following error message:

Cannot load extension with file or directory name _. Filenames starting with "_" are reserved for use by the system

When I tried to download ABP from en/chrome using the green button ("Install for Chrome") the download begins. A file transfer occurs. I am watching the lights on the modem, okay? I see the progress indicator go around the "clock" on the download tile. But when the file transfer is finished, on the download tile it said: "Failed - No file." So I thought the file was not written to disk. But the next day, I saw a file in my Download folder named:

chrome failed no file__3038_i812936956_il6334629.exe

Then I thought: OK, this is the file that I received from AdBlockPlus.org. It is not a CRX file, but it must be safe because it came from your server. So I launched the file. But it is not the ABP installer. It is the InstallPath Installer. This appears to be a scriptable installer tool for web-based installations which can silently download junk from other web sites and install it without your permission. Then my anti-virus software began to display alarms about system files being modified. I have a copy of the log and I will post it here when I am done cleaning the PC.
mapx wrote:the ABP team can not follow all the malwares someone installs.
Of course not. But the circumstantial evidence implies that the AdBlockPlus.org server might also be offering malware to some versions of Chrome. You should tell the server administrator to perform a security audit on the web server scripts immediately. Something is wrong and the problem is not "fixed." For example, why can I download the CRX file from here

https://downloads.adblockplus.org/devbu ... 4.1153.crx

but I cannot download the same thing from en/chrome :?:
mapx wrote:(by the way, I'm only a volunteer moderator, trying to help people)
OK, that explains why you did not fix the instructions here https://support.google.com/chrome/answer/142059?hl=en when I told you they are wrong. So you cannot edit the FAQ. But someone else should do it. Thanks for volunteering.
tampermonkey

Re: Chrome app store has a rogue Adblock Plus entry under apps!

Post by tampermonkey »

mapx wrote:Where did you find ABP version 2.0 ?
As I mentioned in the original thread, I saw versions of AdBlock Plus greater than 2.0 on the Google Chrome web store. Another user gives a link to the "AdBlock plus Malware" here on this forum:

forum/viewtopic.php?f=10&t=23505
mapx wrote:and from where did you download such exe/crx file ?
I think it came from en/chrome because I watched the file transfer, but did not receive a CRX file. It was the InstallPath malware. And I must warn everyone that some of this malware downloaded by InstallPath has a valid security certificate, so Windows does not ask for permission to install it! The anti-virus software will not protect you, and MalwareBytes will not clean everything!
mapx wrote:the google store does not permit the direct downloading (but only installing the crx files)
Yes, this is precisely my point: it appears that AdBlockPlus.org does permit the direct downloading of EXE files. I am not sure which versions of Chrome can be tricked to launch this malware automatically. But many people have been infected when they installed AdBlock Plus. I know this because I see many other posts in the forum here which indicate that the malware was bundled with AdBlock Plus. Here are several examples:

Waiting for ABP extension...
forum/viewtopic.php?f=10&t=23495

It pops up intrusive advertising whenever I browse in a shopping site (eg amazon)
forum/viewtopic.php?f=10&t=23507

fix youtube pls » new advertisement annoying
forum/viewtopic.php?f=10&t=23496

STILL CAN'T install ABP extension, FILES STARTING WITH "_"
forum/viewtopic.php?f=10&t=23406

Specific Pop-up not being blocked - It is malware!
forum/viewtopic.php?f=10&t=23427

This malware appears to install a proxy so all of your web traffic is routed through the hacker's server. They can alter the contents of any web page or capture your passwords. The connection might become very slow. The user will see ads which are not blocked. The malware will also open new browser windows with advertisements for more malware. For example:

Opens a web page to offer a bogus "update" to your Flash player
http://www.installpath.com/thankyou-ins ... upted.html

Says your browser is infected by malware and offers more malware to "clean" it:
http://www.yac.mx/ssa/yac.php?pt=amo <---- [AMO = aMonetize Ltd = InstallPath Installer]

I see you telling people to scan for malware in almost every post. But you do not tell them the malware was bundled with AdBlock Plus :!: :!: :!: They did not have any problem before they installed ABP. Now we cannot trust any download from the Google Chrome store or AdBlockPlus.org. This is a terrible mess.
Gingerbread Man

Re: Chrome app store has a rogue Adblock Plus entry under apps!

Post by Gingerbread Man »

tampermonkey wrote:Then I thought: OK, this is the file that I received from AdBlockPlus.org.
You didn't get anything from adblockplus.org. The Chrome, Firefox and Opera versions aren't hosted here but in the respective add-on galleries: in this case, the Chrome web store.

Press F12 to open the developer pane, then click the "Console" button in the top toolbar of the pane. If that doesn't explain what's going on, use a network monitoring tool like Fiddler.
tampermonkey wrote:For example, why can I download the CRX file from here

https://downloads.adblockplus.org/devbu ... 4.1153.crx
Development builds are hosted on adblockplus.org. As I said above, release versions for Chrome, Firefox and Opera aren't. What does the link point to, when you hover the mouse over the Install for Chrome button? It should say

https://clients2.google.com/service/update2/crx?response=redirect&x=id%3Dcfhdojbkjhnklbpkdaibdccddilifddb%26uc
tampermonkey wrote:OK, that explains why you did not fix the instructions here https://support.google.com/chrome/answer/142059?hl=en when I told you they are wrong. So you cannot edit the FAQ. But someone else should do it.
That's obviously a Google page. Talk to Google if you want something changed on one of their pages.
tampermonkey wrote:I see you telling people to scan for malware in almost every post. But you do not tell them the malware was bundled with AdBlock Plus
That's because their systems are infested with malware, but they weren't infected here. Malware can do whatever it wants to your system. They usually inject ads into web pages you visit, but there's no reason why they can't inject ads tailored to the web sites you visit, or modify the sites themselves to redirect legitimate download links to malicious ones.
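
Added example (not part of Gingerbread Man's post, and not Adblock Plus or Google code): a Python check that an install link matches the update URL quoted above, and that a download shown as .crx really starts with the CRX magic bytes `Cr24` rather than the `MZ` of a Windows executable. The function names and the sample links and bytes are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Values taken from the install link quoted in the post above.
EXPECTED_ID = "cfhdojbkjhnklbpkdaibdccddilifddb"
UPDATE_HOST = "clients2.google.com"
UPDATE_PATH = "/service/update2/crx"


def install_link_ok(url, expected_id=EXPECTED_ID):
    """Return True only for the update endpoint carrying expected_id."""
    parts = urlsplit(url)
    # Exact host comparison rejects look-alike hosts and user@host tricks.
    if parts.scheme != "https" or parts.hostname != UPDATE_HOST:
        return False
    if parts.path != UPDATE_PATH:
        return False
    # x= holds a nested, URL-encoded query string such as "id=<id>&uc".
    x_values = parse_qs(parts.query).get("x", [])
    if len(x_values) != 1:
        return False
    inner = parse_qs(x_values[0], keep_blank_values=True)
    return inner.get("id") == [expected_id]


def classify_download(head):
    """Classify a file by its leading bytes, ignoring its name."""
    if head[:4] == b"Cr24":
        return "crx"
    if head[:2] == b"MZ":
        return "windows-executable"
    return "unknown"


def download_is_suspicious(shown_name, head):
    """True when a download presented as .crx does not contain a CRX."""
    claims_crx = shown_name.lower().endswith(".crx")
    return claims_crx and classify_download(head) != "crx"


# Constructed samples: the link from the post, a look-alike host, and
# the first bytes of a CRX file and of a Windows executable.
GOOD_LINK = ("https://clients2.google.com/service/update2/crx"
             "?response=redirect&x=id%3D" + EXPECTED_ID + "%26uc")
LOOKALIKE = GOOD_LINK.replace("clients2.google.com",
                              "clients2.google.com.example.invalid", 1)
CRX_HEAD = b"Cr24\x02\x00\x00\x00"
EXE_HEAD = b"MZ\x90\x00\x03\x00\x00\x00"

if __name__ == "__main__":
    print("genuine link accepted:", install_link_ok(GOOD_LINK))
    print("look-alike accepted:  ", install_link_ok(LOOKALIKE))
    print("exe shown as .crx flagged:",
          download_is_suspicious("sample-extension.crx", EXE_HEAD))
```
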
tampermonkey

Re: Chrome app store has a rogue Adblock Plus entry under apps!

Post by tampermonkey »

Jimmie wrote:Recently I notice that there is an extension with the exact name as ABP Adblock Plus in the chrome store.
I looked in my browser history and I see one page titled "Chrome Web Store - Adblock Plus"

I see another page titled: "Chrome Web Store - adblock plus"

Notice how the second page title is all lower-case letters. This was the malware page on the web store. Now this becomes even more complicated after you install the malware: if it succeeds to install the proxy, it can alter the Chrome Web Store to display more fake copies of AdBlock Plus! So you must completely remove the malware before you install AdBlock Plus from the Chrome store again. But I would tell my friends to stop using Chrome and Windows. Who knows if this security flaw will ever be fixed? :cry:
mapx

Re: Chrome app store has a rogue Adblock Plus entry under apps!

Post by mapx »

@tampermonkey,

if your system was infected by malware, well, it also downloaded some exe files when you thought it was downloading the crx file.
Gingerbread Man answered the other questions.
tampermonkey

Re: Chrome app store has a rogue Adblock Plus entry under apps!

Post by tampermonkey »

Gingerbread Man wrote: You didn't get anything from adblockplus.org. The Chrome, Firefox and Opera versions aren't hosted here but in the respective add-on galleries: in this case, the Chrome web store.

This is true. But I was not redirected to the Chrome web store when I clicked on that green button several days ago. It is working correctly now. It seems like the AdBlockPlus.org server has been fixed! Notice how the rogue ABP on the Chrome web store was removed after this thread appeared on the forum. The hacker might still have access to your server and they only restored the original behavior to cover their tracks. I can only speculate about the possibilities here. But AdBlockPlus.org did not redirect me to the Chrome store before. When I clicked on that green button, a download began immediately. It is very strange.

That's obviously a Google page. Talk to Google if you want something changed on one of their pages.

Well here is my point: if the information on the Google page is incorrect, you should not keep sending users to that page: You should copy the page to your own forum so you can add the correct information. How difficult is that? But if you wanted Google to change it, I think you could easily accomplish this with a single message to the webmaster. Don't you have a very close working relationship with Google?

How do we make money?

We are being paid by some larger properties that serve non-intrusive advertisements that want to participate in the Acceptable Ads initiative.

en/about


So who are these "large properties" :?: Why is this such a big secret? Would people stop using AdBlock Plus if they knew the answer? I mean, there must be some reason why you cannot disclose this. Is it Google ? Could you pick up the phone and get an immediate response from Google? Does Eyeo GmbH have a "hotline" to Google? How much of the revenue from this secret ad program is applied directly to software development? Is Eyeo GmbH a non-profit corporation? Many other people have raised the issue of profit here. It happened again just the other day. If you want them to use AdBlock Plus instead of the original AdBlock, you should provide a stronger justification.

forum/viewtopic.php?f=10&t=23435

That's because their systems are infested with malware, but they weren't infected here.

Well I installed Chrome and then I immediately installed the AdBlock Plus extension. Chrome was never installed on this system before. So when I see a file downloading from en/chrome, and after the download it says "Failed - No file", and then I discover a file named "chrome failed no file__3038_i812936956_il6334629.exe" in my Download folder, I am reasonably sure of where it came from. Could I be wrong about this? Yes, maybe. I am only telling you what I saw and what I believe. If a gigantic corporation with the resources of Google has no security, maybe Eyeo GmbH has no security too!

Malware can do whatever it wants to your system. They usually inject ads into web pages you visit, but there's no reason why they can't inject ads tailored to the web sites you visit, or modify the sites themselves to redirect legitimate download links to malicious ones.

Yes, all of this is true. But the malware did not appear on my computer until I launched the installer by mistake. I did not download anything from another web site with Google Chrome. There were no strange pop-up browser windows appearing before. How did Chrome version 29 get this malware from Google? Version 29 is blacklisted and not allowed to download from the Chrome web store. It's a mystery to me! But I thought it was my duty to report what I saw because someone else could verify this on another machine. If you know specifically which malware has infected the user's system, and new users continue to appear here on the forum complaining about the same malware infection after installing AdBlock Plus, this is something you must consider.

So now we return to the original problem: people who are using Chrome 29 cannot install AdBlock Plus. Your server does not detect the client's version and offer the CRX file automatically. Instead they must come to this forum and ask for help. I was not trying to solve the problem for me, I was trying to solve it for everyone!

felipegeek is 100% correct: the integrity of the brand must be protected. But neither this web site nor the Chrome web store are using SSL certificates with Extended Validation. There is really nothing which prevents the traffic from being modified in transit. This could still occur even if there is no malware on the client's computer:

https://en.wikipedia.org/wiki/DNS_cache_poisoning

fraudsters (including phishing websites) have started to use SSL to add perceived credibility to their websites
https://en.wikipedia.org/wiki/Extended_ ... ertificate

Are you trying to say that Google and Eyeo cannot afford $100 for an SSL cert with Extended Validation ? But even Mozilla has one! How can the browser better communicate information about the security of a connection to the user? I just want developers to think about this. There is plenty of room for improvement here.

https://addons.mozilla.org/en-US/firefox/search/?q=ssl

"It is unclear how many intermediate certification authorities really exist, and yet each of them has god-like power to impersonate any https web site using a Man in the Middle (MITM) attack scenario. Researchers at Princeton are acknowledging this problem and recommending Certificate Patrol." - https://addons.mozilla.org/en-US/firefo ... te-patrol/

"You never knew your browser trusts the Bavarian National Library, right?" :wink:
http://patrol.psyced.org/

How is SSL hopelessly broken?
http://www.theregister.co.uk/2011/04/11 ... _analysis/

"The Comodo breach of March 2011 ... allowed some bad guys to use a registration authority to generate valid certificates for Google, Yahoo, Skype, etc. There are companies that sell boxes with software that will generate a valid certificates on the fly for every secure web site you visit in order to be able to observe your traffic."
https://www.conetrix.com/Blog/post/How- ... rusts.aspx
http://arstechnica.com/security/2011/09 ... -breached/

Mozilla will pay $10,000 for any critical vulnerability found in its new certificate verification code
http://www.infoworld.com/d/security/moz ... fox-241319

Just for the record, the malware I found on my system was signed & approved by:

GoDaddy secure certification authority
GlobalSign CodeSigning CA -G2