
Issue 764068

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: ----
Type: Bug




Download Protection Bypass: Windows os system targeting

Reported by bowlingb...@gmail.com, Sep 11 2017

Issue description

VERSION
Chrome Version: 61.0.3163.79 (Official Build) (64-bit)
Operating System: All Windows Operating Systems

REPRODUCTION CASE
I was able to get any virus past Google download protection using Bat To Exe Advanced. With this tool I'm able to make an exe that builds and then starts the virus file of my choosing. The following file holds the Dark Comet remote administration tool; if run, it would let me hijack the whole computer it was run on. This has been tested on 34 people and has proven to work.

Sincerely,
Godschild Gaming

EDIT(vakh, 2017/09/22): Removed the template text.
 
Attachment: youtube fixer2.exe (1.6 MB)

Comment 1 by vakh@chromium.org, Sep 11 2017

Labels: Needs-Feedback
Thanks for reporting the issue.

Are you reporting that any .bat file can be converted to .exe using http://www.battoexeconverter.com/ and then distributed?

Can you share a malicious file that gets blocked without using "bat to exe advanced", but whose download is allowed after transforming it through "bat to exe advanced"?

Comment 2 Deleted


Comment 3 by sheriffbot@chromium.org, Sep 12 2017

Cc: vakh@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "vakh@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Yes, I can also provide how Bat To Exe can be used to bypass the protection. So "finale holder" is the finished product of the bypassing method; it holds all the holders and payloads but only starts holder3, which starts holder2, which starts holder1, at which point holder1 builds and starts the Dark Comet payload. I will include all files used to hide the payload. *edit* I had to redo the comment; forgot to include files.

Attachments:
- virus report.PNG (312 KB)
- finale holder.exe (1002 KB)
- holder3.exe (862 KB)
- holder2.exe (794 KB)
- holder1.exe (726 KB)
- Dark Comet payload.exe.exe (658 KB)

Comment 5 by vakh@chromium.org, Sep 22 2017

Description: (edited)

Comment 6 by vakh@chromium.org, Sep 22 2017

Labels: OS-Windows
Owner: vakh@chromium.org
Status: Assigned (was: Unconfirmed)
Thanks for the details. I'll investigate this further.

Comment 7 by vakh@chromium.org, Oct 3 2017

I'm focusing on some other work at the moment but I'll come back to this on or before 10/12. Sorry for the delay here.

Comment 8 by vakh@chromium.org, Oct 6 2017

Cc: auk@chromium.org
auk -- this may be of interest to you. I'll follow up offline.

This is just another form of mutating a binary. As long as we're sending a ping for the outer .exe, I think this is WAI.

Comment 10 by vakh@chromium.org, Oct 13 2017

Labels: Needs-Feedback
Can you please share the contents of the page at chrome://histograms/SBClientDownload.CheckDownloadStats before and after downloading the file?

Labels: SafeBrowsing-Triaged

OK, here:

Attachments:
- before.PNG (162 KB)
- after.PNG (168 KB)

Comment 13 by vakh@chromium.org, Nov 10 2017

Status: WontFix (was: Assigned)
Thanks for sharing the screenshots.

Since the histogram at chrome://histograms/SBClientDownload.CheckDownloadStats shows a value of 10, it is working as intended.

This value represents that the Safe Browsing service will get uploads from extended reporting users for this file, so this is not eligible for a reward according to the VRP rules.

See "Q: Can I have more details about the Download Protection bypass rewards?" at https://www.google.com/about/appsecurity/chrome-rewards/index.html

Comment 14 by sheriffbot@chromium.org, Feb 17 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
