HTTP Protocol Filtering and PUP/Browser Extensions


Recently, by sheer coincidence, I discovered that a Google Chrome browser extension I used was known to upload recently visited URLs to a remote server, presumably mined by some advertising company. The extension was also known to redirect, to display pop-ups and so forth, which interestingly I never experienced. The entire time I had NOD32 activated, and I am wondering what mechanisms NOD32 might have utilised, and would utilise in similar circumstances, to prevent sensitive information such as this being uploaded unknowingly when the extension is part of a legitimate program, in this case Google Chrome. The information presently offered on HTTP filtering on the help pages seems really incomplete, and I'm not really sure if I would have been protected.

Hi cyberhash. Yes, HIPS and real time scanning are active, with those 3 scanner options enabled, as well as 'Web and Email' HTTP and SSL protocol filtering.

I have found evidence the malicious remote server is being contacted on a computer of mine running the browser extension without anti-malware but via TLS and TCP, not HTTP. I appear to have been mistaken about the protocol the malware uses to contact the server all along. I have not found evidence that my computer running NOD32 is contacting the malicious server, although I have not found evidence that no such communication has taken place.

Since the browser extension did not seem to be detected via RTS or the scans I initiated on this computer, I am beginning to think that perhaps communication between my browser and the remote server is being blocked by my strict SSL/TLS certificate validity settings, which are set to "Block communication that uses the certificate" for both "If the certificate cannot be verified using the TRCA certificate store" and "If the certificate is corrupt". When I type the domain name of the server into an SSL checker, the certificate is not "Organisationally Verified", issued by "Amazon" and "Starfield"; however, neither certificate issuer nor date appears identical to the corresponding details for the certificates in the TRCA repository on my PC. Is it plausible that, for these reasons or perhaps for other reasons relating to certificate authority, NOD32 is blocking communication to this server, and is there any way to check, so that I can know definitively that it is?

The malware is apparently heavily obfuscated and is contained in a .jpg file which, when loaded in a canvas element, executes JavaScript code after decoding. I also have the setting "Enable advanced scanning of browser script" under "Web access protection" enabled. Could NOD32 perhaps be impeding the script's execution without me even knowing, and, again, is there a way for me to check? Does NOD32 protect against attack vectors utilising this kind of "steganography"?

Edited by SOHJimmy
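The post above asks whether a certificate that "cannot be verified using the TRCA certificate store" is what gets the connection blocked, and how one could tell. The following is an added example, not ESET's code and not a description of what NOD32 logs or does internally; it shows what such a chain-validation decision consists of, using Go's standard x509 verifier as a stand-in for the product's check. The root name, the host name tracker.example and the four scenarios are constructed. Two things the example makes concrete that the thread does not: a leaf certificate's issuer name and validity dates are never expected to equal those of any root in the store (the leaf is issued by an intermediate, which is issued by the root), so that difference alone is not a verification failure; what fails verification is a chain that does not terminate at a root present in the store, a certificate outside its validity window at the time of the connection, or a name that does not match the host.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parent/parentKey; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Verdict reduces leaf.Verify to the kind of allow/block decision a filtering
// proxy makes: "" means the chain is acceptable, otherwise a short reason.
func Verdict(leaf *x509.Certificate, store *x509.CertPool, host string, at time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host, CurrentTime: at})
	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	var hostErr x509.HostnameError
	switch {
	case err == nil:
		return ""
	case errors.As(err, &unknown):
		return "unknown authority" // chain does not end at a root in the store
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &hostErr):
		return "hostname mismatch"
	}
	return "other: " + err.Error()
}

// Scenarios builds a constructed private root and a leaf for one host, then
// checks the leaf against a store that trusts the root and one that does not.
func Scenarios() (map[string]string, error) {
	const host = "tracker.example" // constructed name, not the thread's server
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Private Root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(48 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root, rootKey, err := issue(rootTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host}, // issuer/dates differ from the root's
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := issue(leafTmpl, root, rootKey)
	if err != nil {
		return nil, err
	}

	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	empty := x509.NewCertPool() // non-nil but empty: the issuer is NOT in this store

	return map[string]string{
		"trusted root, right host":   Verdict(leaf, trusted, host, now),
		"issuer not in store":        Verdict(leaf, empty, host, now),
		"trusted root, wrong host":   Verdict(leaf, trusted, "other.example", now),
		"trusted root, after expiry": Verdict(leaf, trusted, host, now.Add(72*time.Hour)),
	}, nil
}

func main() {
	results, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, verdict := range results {
		if verdict == "" {
			verdict = "allowed"
		}
		fmt.Printf("%-28s %s\n", name, verdict)
	}
}
```

The empty pool is deliberately non-nil: in Go a nil Roots falls back to the operating system's store, which is exactly the distinction the thread is about (a root present in the system store versus one that is not). A real server's chain would be verified the same way against the product's own trusted-root store; which of the four verdicts applies to the thread's server cannot be read off the page.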
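The post's last paragraph describes a payload carried in an image and recovered from the pixels once drawn into a canvas. As an added illustration of that pattern, not the thread's sample and not anyone's real loader, the example below hides a constructed, harmless string in the least significant bit of each colour sample, encodes the picture as a file, and then shows two things: the file bytes never contain the script (so a control that only inspects the downloaded file has nothing to match on), and the script only exists after the pixel-decoding step that the page's own JavaScript would perform with canvas.getImageData() before handing the result to eval(). The LSB scheme, the gradient carrier, the length prefix and the PNG output are all assumptions of this example; the real sample is described as a .jpg, and the page does not say how it encodes the payload, only that decoding happens after the image is loaded into a canvas.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"image"
	"image/color"
	"image/png"
)

// Carrier builds a constructed, innocuous w x h gradient to hide data in.
func Carrier(w, h int) *image.NRGBA {
	img := image.NewNRGBA(image.Rect(0, 0, w, h))
	for y := 0; y < h; y++ {
		for x := 0; x < w; x++ {
			img.SetNRGBA(x, y, color.NRGBA{R: uint8(x * 255 / w), G: uint8(y * 255 / h), B: 128, A: 255})
		}
	}
	return img
}

// sample returns the byte offset of the ch-th (0=R, 1=G, 2=B) sample of the
// pix-th pixel in scan order; alpha is never touched.
func sample(img *image.NRGBA, pix, ch int) int {
	b := img.Bounds()
	w := b.Dx()
	return img.PixOffset(b.Min.X+pix%w, b.Min.Y+pix/w) + ch
}

// Embed hides a 4-byte big-endian length followed by payload in the least
// significant bit of each colour sample: each channel changes by at most 1/255.
func Embed(img *image.NRGBA, payload []byte) error {
	msg := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(msg, uint32(len(payload)))
	msg = append(msg, payload...)
	capBytes := img.Bounds().Dx() * img.Bounds().Dy() * 3 / 8
	if len(msg) > capBytes {
		return fmt.Errorf("payload needs %d bytes, carrier holds %d", len(msg), capBytes)
	}
	bit := 0
	for _, b := range msg {
		for i := 7; i >= 0; i-- { // most significant bit first
			off := sample(img, bit/3, bit%3)
			img.Pix[off] = img.Pix[off]&^1 | (b>>uint(i))&1
			bit++
		}
	}
	return nil
}

// Extract is the decoding step a loader script performs on the pixels it reads
// back from a canvas; the returned bytes are what it would pass to eval().
func Extract(img *image.NRGBA) ([]byte, error) {
	totalBits := img.Bounds().Dx() * img.Bounds().Dy() * 3
	bit := 0
	next := func() (byte, error) {
		if bit+8 > totalBits {
			return 0, errors.New("ran out of pixels")
		}
		var v byte
		for i := 0; i < 8; i++ {
			v = v<<1 | img.Pix[sample(img, bit/3, bit%3)]&1
			bit++
		}
		return v, nil
	}
	hdr := make([]byte, 4)
	for i := range hdr {
		b, err := next()
		if err != nil {
			return nil, err
		}
		hdr[i] = b
	}
	n := binary.BigEndian.Uint32(hdr)
	if uint64(n) > uint64(totalBits/8-4) { // untouched picture: length field is noise
		return nil, fmt.Errorf("length %d exceeds carrier: no payload in this scheme", n)
	}
	out := make([]byte, n)
	for i := range out {
		b, err := next()
		if err != nil {
			return nil, err
		}
		out[i] = b
	}
	return out, nil
}

// FileBytesContain encodes img as a PNG file, the form it would be downloaded
// in, and reports whether needle occurs verbatim anywhere in those bytes.
func FileBytesContain(img *image.NRGBA, needle []byte) (bool, error) {
	var f bytes.Buffer
	if err := png.Encode(&f, img); err != nil {
		return false, err
	}
	return bytes.Contains(f.Bytes(), needle), nil
}

// Demo hides a constructed, harmless script and returns what pixel extraction
// recovers and whether the script was visible in the file bytes.
func Demo() (decoded string, inFile bool, err error) {
	payload := []byte("alert('decoded from pixels')") // constructed stand-in, not the thread's malware
	img := Carrier(64, 32)
	if err = Embed(img, payload); err != nil {
		return
	}
	if inFile, err = FileBytesContain(img, payload); err != nil {
		return
	}
	out, err := Extract(img)
	return string(out), inFile, err
}

func main() {
	s, f, err := Demo()
	fmt.Printf("decoded=%q  script present in file bytes=%v  err=%v\n", s, f, err)
	_, err = Extract(Carrier(64, 32))
	fmt.Println("untouched carrier:", err)
}
```

Running Extract on the untouched carrier fails on the length check, which is the practical difficulty of scanning for this from the file side: without knowing the scheme, the image is indistinguishable from any other picture, and the only reliable point of inspection is the decoded string at the moment it reaches the script engine.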
