
Reverse Engineering an Eclipse Plugin - RKoutnik
https://0x10f8.wordpress.com/2017/08/07/reverse-engineering-an-eclipse-plugin/
======
guildan
The plugin that is inspected in this article is now delisted in the Eclipse
Marketplace. You can't download it from there anymore (checked with STS
3.9.0.RELEASE). A new fork without the ad-related code has been published and you
can inspect the code on [https://github.com/ecd-plugin/ecd](https://github.com/ecd-plugin/ecd).

It's nice to see the community stepping in to "fix" the situation.

------
philbarr
Original author doing a pretty bad job of explaining himself [0]. Mainly:

Anyone who does not like it, please uninstall this plugin.

I will not explain it anymore.

I'm not interested in stealing your privacy.

[0] [https://github.com/cnfree/Eclipse-Class-Decompiler/issues/30](https://github.com/cnfree/Eclipse-Class-Decompiler/issues/30)

~~~
contravariant
The only acceptable explanation would be that they weren't aware and didn't
intend for this to happen.

Any other scenario means that they intentionally and secretly included code
into their compiled binaries which posed a security and privacy risk.

~~~
nerdponx
I wonder about the nature of this scam. It almost looks like it's designed to
_spoof_ ad clicks, not direct the user to them.

~~~
0xfeba
Should contact the ad providers, they'd be happy to chargeback with proof of
fraud.

------
philbarr
Alternative version:

[http://marketplace.eclipse.org/content/enhanced-class-decomp...](http://marketplace.eclipse.org/content/enhanced-class-decompiler?mpc=true&mpc_state=)

------
hiram112
Good writeup on the reverse engineering.

I'm still a little confused as to what the code was doing, though. It gathers
statistics about your user machine (none of which seemed too personal -
basically IP, OS, country, etc).

But then what is it doing? Opening a virtual browser or simulating clicks to
some ad network?

~~~
jjjensen90
Seems to me that it is indeed running a hidden browser on a background thread,
loading ads, and simulating views/clicks. That is in addition to collecting
and sending user and system information (possibly also for ad-serving or
information sales or some other nefarious skulduggery).
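Before a decompiler is even opened, the strings a plugin carries already tell much of the story the comments above piece together: beacon URLs and references to classes that can drive a hidden browser or synthesize input live in each class file's constant pool in the clear. The script below is an added example (not code from the linked write-up and not the plugin's own code) that walks every `.class` in a JAR, parses the constant pool directly, and reports URLs and a hand-picked list of suspect class references. The sample JAR, its class names, and the `stats.example.invalid` host are constructed for the demo and are not the real plugin's strings.

```python
"""Static triage of an Eclipse plugin JAR: extract every CONSTANT_Utf8 entry from
each class file's constant pool and flag strings worth a closer look.
Added example; the JAR built by sample_jar() is constructed, not the real plugin."""
import io
import re
import struct
import zipfile
from typing import Dict, List

# Byte widths of fixed-size constant-pool entries by tag (JVM spec section 4.4).
# Tag 1 (Utf8) is variable length; tags 5 (Long) and 6 (Double) take two slots.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def utf8_constants(class_bytes: bytes) -> List[str]:
    """Return every CONSTANT_Utf8 string in a class file, in pool order."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack_from(">H", class_bytes, 8)[0]  # constant_pool_count
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:
            length = struct.unpack_from(">H", class_bytes, pos)[0]
            pos += 2
            out.append(class_bytes[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos}")
        idx += 2 if tag in (5, 6) else 1
    return out


URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Class references an IDE decompiler has no business touching (assumed watch list).
SUSPECT_REFS = ("java/awt/Robot", "org/eclipse/swt/browser/Browser",
                "java/net/HttpURLConnection", "java/net/URL")


def triage_jar(jar_bytes: bytes) -> Dict[str, List[str]]:
    """Collect URLs and suspect class references across all classes in a JAR."""
    urls, refs = set(), set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            for s in utf8_constants(zf.read(name)):
                urls.update(URL_RE.findall(s))
                if s in SUSPECT_REFS:
                    refs.add(s)
    return {"urls": sorted(urls), "suspect_refs": sorted(refs)}


def build_class(strings: List[str], refs: List[str] = ()) -> bytes:
    """Build a minimal, structurally valid class file whose constant pool holds
    the given Utf8 strings plus CONSTANT_Class entries for `refs`.
    Constructed sample input for the demo, not a real plugin class."""
    pool, n = bytearray(), 0
    for s in list(refs) + list(strings):
        b = s.encode("utf-8")
        pool += b"\x01" + struct.pack(">H", len(b)) + b
        n += 1
    for i in range(len(refs)):                 # Class entries point at the first Utf8 slots
        pool += b"\x07" + struct.pack(">H", i + 1)
        n += 1
    pool += b"\x05" + struct.pack(">q", 1)     # a Long, to exercise the two-slot rule
    n += 2
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, n + 1)
    # access_flags, this_class, super_class, interfaces/fields/methods/attributes counts
    tail = struct.pack(">HHHHHHH", 0x21, 1, 1, 0, 0, 0, 0)
    return bytes(header + pool + tail)


def sample_jar() -> bytes:
    """Constructed JAR: one benign class and one carrying a beacon URL and
    Browser/Robot references (stand-ins, not the real plugin's strings)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Decompiler.class",
                    build_class(["decompile", "()V"], refs=["java/lang/Object"]))
        zf.writestr("com/example/Stats.class",
                    build_class(["http://stats.example.invalid/report?os=", "os.name"],
                                refs=["org/eclipse/swt/browser/Browser", "java/awt/Robot"]))
    return buf.getvalue()


if __name__ == "__main__":
    for key, values in triage_jar(sample_jar()).items():
        print(key, values)
```

Run it against a real plugin by replacing `sample_jar()` with the bytes of the JAR from the Eclipse `plugins/` directory; a hit on `org/eclipse/swt/browser/Browser` or `java/awt/Robot` in a class whose name suggests "statistics" is the point at which a decompiler earns its keep.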

~~~
nerdponx
I wonder if this was actually an attempt to scam the advertisers into thinking
they were receiving genuine ad traffic, in order to get affiliate revenue.
Using actual customer data might have prevented the advertisers from getting
suspicious.

~~~
0xfeba
By and large, that's exactly what it was doing, getting ad revenue. The second
part also sounds plausible, but it would need to use this as the user agent
during the actual clicks.

------
ramshanker
Guess the author of the plugin is pretty smart, but not smart enough to encrypt the
traffic back home or obscure his/her nasty secrets.

I guess it might be keeping the black stuff for some cool-down time just after
installation. Many malware seem to do that these days. We might have got true
clicks targeted.

~~~
mseebach
Encrypting the traffic would only have made it marginally more difficult to
intercept
([https://portswigger.net/burp/help/proxy_options_installingca...](https://portswigger.net/burp/help/proxy_options_installingcacert.html)).
Also, the guy got 400k downloads, sometimes you don't need "smart".

------
nallerooth
While this was a popular plugin for Eclipse - I'm sure there are plugins for
other editors, IDEs and browsers which do the same (or worse). Yet, we often
try a multitude of plugins without a single thought about any unwanted
features bundled with the main features.

------
moocowtruck
and so many people make fun of js/node... this dude made over 400k installs
part of his personal ad clicking bot net..

------
zaphirplane
Thank you for doing this, makes you think how many other highly rated/used s/w
is malicious

