
Malicious Chrome extension is next to impossible to manually remove - Deinos
https://arstechnica.com/information-technology/2018/01/malicious-chrome-extension-is-next-to-impossible-to-manually-remove/
======
userbinator
_and renaming the folder where extensions are stored—none of them worked._

Then where is it actually installed? Unless it's doing something really
rootkit-y (unlikely given that AFAIK Chrome's extensions are just JS),
monitoring file accesses would probably be sufficient to determine where it is
and how to remove it. Unfortunately, I think this researcher just didn't
really try hard enough...

 _Removing the extension proved so difficult that he ultimately advised users
to run the free version of Malwarebytes and let it automatically remove the
add-on._

...of course, what better than to sneak in an advert for their product!

 _As Malwarebytes explained in late 2016, the forced install trick uses
JavaScript to provide a dialog box that says visitors must install the
extension before they can leave the page. Clicking cancel or closing the tab
produces an unending series of variations on that message._

IMHO this is a sign that JS running on a page has been given too much power
(and the reason I only let JS run on a whitelist.)

The other thing I find slightly off is that there's been plenty of mention of
how Chrome's extension API is nowhere near as powerful as what the old Firefox
extensions could do, and it's a more walled garden, yet things like this are
still reported.

~~~
apostacy
Have you ever tried preventing an extension from being updated (you can't) or
rolling back an update?

Go ahead and try.

I agree that 98% of the time it is fine, but that is not the point. I want to
have control over the software that runs on my computer, especially if
sometimes useful functionality is stripped away, or malicious code can be run.

Off the top of my head, I had Google Drive install a chrome extension which
then informed me that it needed me to grant it more permissions than it had
when it was installed without asking by Google Drive, and then when I didn't
grant them, it removed itself after a few days, without a trace.

Or there was the time that the Chromecast extension disappeared. Of course,
this was because Google integrated that functionality directly into the
browser, but, it made me feel very uncomfortable that the software on my
computer was so unpredictable.

And there are many other times that extensions have just "upgraded" themselves
into breaking.

Out of frustration after feeling no sense of agency, I started using git to
track the changes to my chrome config folder. Even if I used git to roll back
the filesystem to its previous state, I then have to modify the extensions to
not have the right url to check for updates, and then there are still other
mechanisms to thwart that. At best, I was able to manually re-enable the
extensions I want, and I had to write a script to automate it after each time
I started chrome.

Outside of the Chrome extensions themselves, when you install several Google
products, like Drive or Google Earth, it adds its spyware-like "keystone
agent" updating daemon to three different locations. WHY? If you remove any of
its hooks, it just re-creates them. And it will monitor your filesystem and
irreversibly apply updates to Chrome, which may remove features (like the
ability to side-load extensions, or save HTML5 video, or mandatory WideVine
DRM).

None of this is made clear to you. It will ask you for root access just so it
can install its system-wide updater in two locations, but if you deny it, it
will still install it for the current user. If you start to remove it, it will
never alert you that it is being tampered with or explain what is going on, it
will just resist like spyware, re-creating itself.

Out of frustration, I just started making files immutable so that it couldn't
re-inject itself. Obviously that is not ideal, but I had work to do and I was
sick of it worming around my computer.

It doesn't have to be this way. I understand the importance of updates. But
Google doesn't have to do it in such an underhanded and frankly hostile manner.
But this reflects a culture of gaslighting of the user, and general hostility.

So, it makes sense that malicious actors could piggyback on Google's already
user-hostile platform. Google is already doing much of the work for them.

EDIT: And before anyone responds by saying that there are technical means to
take control of the Chrome browser that I missed, I am sure there are, but
that is not the point. I am aware that there is an environment variable you
can set that will request that Keystone Agent stop updating, but it is
completely undiscoverable, and does not actually stop Keystone Agent from
running. Someone should not have to have an extensive understanding of
software development just to be able to say "NO", and accept the
responsibility for it.

~~~
pishpash
As I said before, monopoly companies grow more arrogant over time and Google
was particularly arrogant, patronizing, and dismissive of user concerns from
the start. What began as a technical innovation, the auto update, quickly
became a means of user control and has since spread industry-wide. You can
tell when it became user control when you could no longer turn it off.

~~~
gdulli
Google exists to be the world's perfect example of the dangers of conflating
knowledge with wisdom.

------
applecrazy
Is it not possible to right click the extension in chrome://apps or the button
in the toolbar and select "Remove from Chrome..."?

I previously had Stayfocusd and I blocked myself from uninstalling the
extension (as a test) by blocking chrome://extensions, but then found a
loophole using the method above.

Edit: Confirmed. What this article talks about is a total non-issue. All
extensions can be removed by right-clicking their toolbar button (btw they
HAVE to have a button) and selecting "Remove from Chrome."

~~~
ChrisSD
What if it doesn't have a toolbar button?

~~~
applecrazy
Google policy says that all extensions must have a button: "Starting in this
latest release, you’ll begin to see all extensions to the right of the URL
bar, so you can easily remove anything you don’t recognize. Just right click
the extension icon and select “Remove from Chrome.”"[0]

[0]: [https://blog.google/products/chrome/new-year-new-chrome/](https://blog.google/products/chrome/new-year-new-chrome/)

~~~
ChrisSD
Ah I see, they got around that by colouring the icon the same as the
background so it was "invisible"[0]. Obviously the extra space is suspicious
if you're looking for it but I can see how that could be overlooked by most
users.

[0] [https://blog.malwarebytes.com/wp-content/uploads/2018/01/ChromeRedirect.png](https://blog.malwarebytes.com/wp-content/uploads/2018/01/ChromeRedirect.png)

------
j_s
I am not sure if a 'pro' version of Windows is required, but I've found adding
a 'Deny: Everyone' to NTFS permissions on required files comes in handy in
situations like this.

------
sergers
Not to defend Google, but I am sure there are a lot of false malicious reports
for many apps.

From competitors, trolls, and just random idiots...

I wonder if they flag it for review after X reports in Y time frame.

I wouldn't expect immediate action, but 19 days is a bit much.

It does look pretty bad towards the end, that you can specify any site as the
extension's website to make it look more official.

What I don't understand is if they started chrome in another mode passing the
executable arguments that should have disabled said extensions, how was it
still redirecting the extensions management page?

------
dawnerd
Sounds more like a sneaky paid ad for Malwarebytes to me...

------
undisruptorrr
Breathless reporting about impossibilities should be reconsidered.

It’s not impossible to uninstall chrome and re-install it under a different
path, and create an alternate OS user account on the same laptop or desktop,
and log into that to effectively reset Chrome to its default state in a non-
disruptive manner.

The unfortunate fact, however is that most people simply won’t do that because
it’s too inconvenient, or users of a particular machine have been subjugated
by system administrator overlords, as part of an organizational policy, and
lack admin privileges to migrate to a fresh user account in part or in whole.

People also often tend to use the admin account unhygienically. Which is not
actually much of a sin, as long as you enter into those activities with the
mindset of anticipating a full reinstall at the operating system level.

...which of course won’t even kill the firmware implants that advanced
persistent threats have dropped into your peripherals, via intel extensions
commissioned by the NSA.

