Tracking suspicious/infectious CRX Files


Francesco

Mar 3, 2016, 2:22:32 PM
to Chromium-discuss
// Originally submitted: https://productforums.google.com/forum/#!topic/chrome/MKmx2SuEYfM;context-place=topicsearchin/chrome/extension_6_44_4 //

Hello,

I have been observing adware/malware detections on client systems after browsing remote sites related to CRX files [chrome extensions]:

r8---sn-a8au-xfge.gvt1[.com]/crx/blobs/qgaaac6zw0qh2djtnxe8z7rujp0rz86qudrwaqevy0i4d3uivsvhfb5y3qd1emovvjvy5ky6qtkq7q66lkzhnqlo3fu1ed_pjpm0ejvq8nnbqyz-amzsmuvx8dxrcwtaflyekuq-h78xy8vwzq/extension_6_44_4.crx
redirector.gvt1[.com]/crx/blobs/qgaaac6zw0qh2djtnxe8z7rujp0rz86qudrwaqevy0i4d3uivsvhfb5y3qd1emovvjvy5ky6qtkq7q66lkzhnqlo3fu1ed_pjpm0ejvq8nnbqyz-amzsmuvx8dxrcwtaflyekuq-h78xy8vwzq/extension_6_44_4.crx
www.gstatic[.com]/chrome/crlset/2854/crl-set-delta-2848-7102232292593027312.crx.data

The AV product detects the objects created on the end system as a generic trojan. This activity began 26-Feb-16.

How can I identify what this extension is? 


Thanks!

PhistucK

Mar 4, 2016, 3:10:56 AM
to francesco....@gmail.com, Chromium-discuss
The third one looks like the certificate revocation list. It is not an extension, but a package that the browser occasionally downloads with revoked certificates (for showing security errors on bad HTTPS websites).


PhistucK


Francesco

Mar 4, 2016, 9:13:01 AM
to Chromium-discuss, francesco....@gmail.com
How does one inspect these CRX files?

Christian Biesinger

Mar 4, 2016, 10:59:43 AM
to francesco....@gmail.com, Chromium-discuss

Fairly sure they're just zip files, so you can unzip them with some unzip tool.

-Christian

Joe Mason

Mar 7, 2016, 4:19:14 PM
to cbies...@chromium.org, francesco....@gmail.com, Chromium-discuss
This page describes the structure of a .crx file: https://developer.chrome.com/extensions/crx

Francesco

Mar 9, 2016, 2:33:57 PM
to Chromium-discuss, cbies...@chromium.org, francesco....@gmail.com
Thanks Christian and Joe.

I was able to fetch the CRX file and extract it. These files appear to be benign -- here are the contents:

{
  "version": "6.44.4",
  "name": "Software Reporter Tool",
  "manifest_version": 2
}

Thanks again,
-Francesco
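
Added example (not part of the original thread and not Chromium's own code): a Python version of the inspection discussed above, which skips the CRX header and reads manifest.json from the ZIP payload in memory instead of extracting the package to disk. It goes beyond the thread by handling both CRX2 and CRX3 headers; the function names and the sample package are constructed for illustration.

```python
import io
import json
import struct
import zipfile

CRX_MAGIC = b"Cr24"

def crx_zip_offset(data: bytes) -> int:
    """Return the offset of the ZIP payload inside a CRX container."""
    if len(data) < 16 or data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file (missing Cr24 magic or too short)")
    (version,) = struct.unpack_from("<I", data, 4)
    if version == 2:
        # CRX2: magic, version, public key length, signature length, key, signature, ZIP
        pub_len, sig_len = struct.unpack_from("<II", data, 8)
        offset = 16 + pub_len + sig_len
    elif version == 3:
        # CRX3: magic, version, header length, protobuf header, ZIP
        (header_len,) = struct.unpack_from("<I", data, 8)
        offset = 12 + header_len
    else:
        raise ValueError(f"unsupported CRX version {version}")
    if offset > len(data):
        raise ValueError("header lengths exceed file size")
    return offset

def read_crx_manifest(data: bytes) -> dict:
    """Parse manifest.json from the ZIP payload without writing anything to disk."""
    payload = io.BytesIO(data[crx_zip_offset(data):])
    with zipfile.ZipFile(payload) as zf:
        return json.loads(zf.read("manifest.json").decode("utf-8-sig"))

def build_sample_crx2(manifest: dict) -> bytes:
    """Constructed CRX2 sample with a dummy key and signature (not a signed package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
    pub, sig = b"\x00" * 8, b"\x00" * 4
    header = CRX_MAGIC + struct.pack("<III", 2, len(pub), len(sig))
    return header + pub + sig + buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_crx2(
        {"version": "6.44.4", "name": "Software Reporter Tool", "manifest_version": 2}
    )
    print(read_crx_manifest(sample))
```

This reads the manifest only; it does not verify the package signature, so the name and version it reports are whatever the file claims.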

MSI Team

Mar 17, 2016, 2:16:27 PM
to Chromium-discuss
Which apps and extensions are you using?

Jonathan Garbee

Mar 17, 2016, 2:25:22 PM
to Chromium-discuss
Here is an extension that will let you see the CRX internals when viewing the extension page in the web store. 
