SOHJimmy Posted September 8, 2017
Recently, by sheer coincidence, I discovered that a Google Chrome Browser Extension I used was known to upload recently visited URLs to a remote server, presumably mined by some advertising company. The Extension was also known to redirect, to display pop-ups and so forth, which, interestingly, I never experienced. The entire time I had NOD32 activated, and I am wondering what mechanisms NOD32 might have utilised, and would utilise in similar circumstances, to prevent sensitive information such as this being uploaded unknowingly when the Extension is part of a legitimate program, in this case Google Chrome. The information presently offered on HTTP filtering on the help pages seems really incomplete, and I'm not really sure if I would have been protected.
cyberhash (Most Valued Members) Posted September 9, 2017
First point of call would be to check if you have the detection of PUA/PUP enabled???
SOHJimmy (Author) Posted September 11, 2017 (edited)
Hi cyberhash. Yes, HIPS and real-time scanning are active, with those 3 scanner options enabled, as well as 'Web and Email' HTTP and SSL protocol filtering. I have found evidence that the malicious remote server is being contacted on a computer of mine running the browser extension without anti-malware, but via TLS and TCP, not HTTP. I appear to have been mistaken about the protocol the malware uses to contact the server all along. I have not found evidence that my computer running NOD32 is contacting the malicious server, although I have not found evidence that no such communication has taken place. Since the browser extension did not seem to be detected via RTS or scans I initiated on this computer, I am beginning to think that perhaps communication between my browser and the remote server is being blocked by my strict SSL/TLS Certificate Validity settings, which are set to "Block communication that uses the certificate" in relation to both "If the certificate cannot be verified using the TRCA certificate store" and "If the certificate is corrupt". When I type the domain name of the server into an SSL checker, the certificate is not "Organisationally Verified" and is issued by "Amazon" and "Starfield"; however, neither certificate issuer nor date appears identical to the corresponding details for the certificates in the TRCA repository on my PC. Is it plausible that, for these reasons or perhaps for other reasons relating to certificate authority, NOD32 is blocking communication to this server, and is there any way to check so that I can know definitively that it is? The malware is apparently heavily obfuscated and is contained in a .jpg file which, when loaded in a canvas element, executes JavaScript code after decoding. I also have the setting "Enable advanced scanning of browser scripts" under "Web access protection" enabled.
Could NOD32 perhaps be impeding the script's execution without me even knowing, and, again, is there a way for me to check? Does NOD32 protect against attack vectors utilising this kind of "steganography"? Edited September 12, 2017 by SOHJimmy
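The post above describes a .jpg that is really a carrier for script. One defender-side check for that pattern, added here as an example and not code from the thread, from ESET, or from any product: walk the JPEG marker structure, find the real End Of Image marker, and flag bytes appended after it or script-like text in comment/APPn segments. The sample byte strings (`CLEAN`, `APPENDED`, `COMMENTED`) are constructed minimal JPEG-shaped inputs, not real files.

```python
"""Heuristic check for a JPEG that carries more than an image. Finds the real
End Of Image marker (honouring entropy-coded escapes) and reports appended
bytes and script-like text in COM/APPn segments: indicators to inspect."""
import re
EOI, SOS = 0xD9, 0xDA
STANDALONE = {0x01, 0xD8, *range(0xD0, 0xD8)}   # markers without a length field
ENTROPY_ESCAPES = {0x00, *range(0xD0, 0xD8)}    # FF00 byte stuffing, RSTn markers
TEXT_SEGMENTS = {0xFE, *range(0xE0, 0xF0)}       # COM and APP0..APP15
SCRIPT_RE = re.compile(rb"<script|eval\(|Function\(|fromCharCode|atob\(", re.I)

def scan_jpeg(data: bytes) -> dict:
    if data[:2] != b"\xff\xd8": raise ValueError("not a JPEG: missing SOI")
    rep = {"trailing_bytes": 0, "suspicious_segments": [], "truncated": False}
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF: raise ValueError(f"expected marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:                      # fill byte: re-examine next byte
            i += 1
        elif marker == EOI:                     # the real end of the image
            rep["trailing_bytes"] = len(data) - (i + 2)
            return rep
        elif marker in STANDALONE:
            i += 2
        else:
            seglen = int.from_bytes(data[i + 2:i + 4], "big")
            body = data[i + 4:i + 2 + seglen]
            if marker in TEXT_SEGMENTS and SCRIPT_RE.search(body):
                rep["suspicious_segments"].append((f"FF{marker:02X}", i))
            i += 2 + seglen
            if marker == SOS:                   # skip entropy-coded scan data
                while i + 1 < len(data) and (data[i] != 0xFF or data[i + 1] in ENTROPY_ESCAPES):
                    i += 1
    rep["truncated"] = True                     # ran out of bytes before EOI
    return rep

def _segment(marker: int, body: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(body) + 2).to_bytes(2, "big") + body

def build_jpeg(extra_segment: bytes = b"", trailer: bytes = b"") -> bytes:
    """Constructed minimal JPEG-shaped byte string, used only as sample input."""
    return (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00") + extra_segment
            + _segment(SOS, b"\x01\x01\x00") + b"\x12\xff\x00\x34\xff\xd0\x56"
            + b"\xff\xd9" + trailer)

CLEAN = build_jpeg()
APPENDED = build_jpeg(trailer=b"constructed-appended-payload-placeholder")
COMMENTED = build_jpeg(extra_segment=_segment(0xFE, b"eval(decoded)"))
```

On a real file, call `scan_jpeg(open(path, "rb").read())`; a non-zero trailing count or a flagged segment is a reason to quarantine and inspect, not proof of malice.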