Security: Malicious App Hooking into Chrome Pid Running Under "Folding At Home" link to my Gmail Chrome Synced Account
Reported by ebarb...@trading-point.com, Mar 20 2018
Issue description

Hello, for the last month I have been noticing on our Palo Alto firewall a connection going from my PC to a foreign address using destination port 443 and being blocked by our application inspection and categorized as "Folding at Home" (https://www.securitystronghold.com/gates/folding@home.html). Doing some research, we noticed that the legitimate Folding At Home program was able to run successfully using the same PC with Chrome and it wasn't blocked (http://folding.stanford.edu/). After reformatting the PC and inspecting Chrome traffic from the firewall, without signing in with my Gmail account and syncing Chrome data, "Folding At Home" was not detected. After only syncing my Gmail account ebarbour@trading-point.com, blocked traffic starts to appear. We repeated this on many PCs and isolated that it is only linked to my Gmail account, although no plugins/apps or extensions were installed on Chrome!! I ended up resetting all my Gmail data and resyncing Chrome, and the connection has now disappeared. We suspect that a malware built like the Folding@Home app is hooking on the Chrome.exe executable, as it has the same PID as Chrome and is connecting to foreign addresses, probably crypto mining or harvesting data.
Mar 20 2018
Unfortunately, there's very little to go on here because you are no longer able to reproduce the issue. Can you please explain explicitly how you determined that "No Plugins/Apps or Extension was installed on Chrome"? A sync'd browser extension is by far the most likely source of unexpected traffic in the circumstances described. FWIW, the 172.217.* IP addresses in your logs appear to be owned by Google itself.
Mar 21 2018
Apps/Extensions: chrome://extensions/ and chrome://apps/. I might have the Chrome synced data backed up somewhere, but how can I help reproduce?
Mar 21 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 22 2018
Thanks. Generally, yes, examining those URLs should be sufficient to determine what extensions are installed. If you had local malware installed in the OS, it could result in traffic like this through a variety of means, but it seems unlikely that external malware would be sensitive as to whether or not Chrome sync is enabled. Unfortunately, I don't think there's anything we can do here without a live repro. If you're ever able to reproduce this in the future, please try to collect a network log (https://www.chromium.org/for-testers/providing-network-details) and we can examine exactly where the traffic is going and what it contains; this will make the report much more actionable.
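The advice above is to check chrome://extensions/ and chrome://apps/ for a synced extension before suspecting process injection. The same inventory can be taken offline from the profile on disk, which is useful when a machine has already been reimaged but the profile was backed up, as the reporter mentions. The script below is an added example, not code from the Chromium project or from anyone in this thread. It assumes the standard on-disk layout `<profile>/Extensions/<extension id>/<version>/manifest.json` (on Windows the default profile is usually under `%LOCALAPPDATA%\Google\Chrome\User Data\Default`), walks every installed extension, and flags manifests whose permissions give the extension enough reach to originate or rewrite arbitrary outbound traffic. The two sample extensions it builds when run without arguments are constructed for demonstration; the IDs and names are made up.

```python
"""Inventory Chrome extensions from a profile directory and flag broad permissions.

Added example (not Chromium code). Assumes the standard layout
<profile>/Extensions/<id>/<version>/manifest.json.
"""
import json
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

# Permissions or host patterns that let an extension originate, observe or
# rewrite traffic to arbitrary hosts. Any match is worth a manual look when
# chasing unexplained outbound connections.
HIGH_REACH = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "webRequest", "webRequestBlocking", "proxy", "nativeMessaging", "debugger",
}


def load_manifest(path: Path) -> Dict:
    """Parse a manifest.json; Chrome writes UTF-8, sometimes with a BOM."""
    with path.open("r", encoding="utf-8-sig") as fh:
        return json.load(fh)


def summarize(manifest: Dict, ext_id: str, version: str) -> Dict:
    """Collect every permission-like string from an MV2 or MV3 manifest."""
    reach = set()
    # MV2 puts host patterns in "permissions"; MV3 moved them to "host_permissions".
    for key in ("permissions", "host_permissions", "optional_permissions"):
        reach.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts can run on every matched page even without a host permission.
    for script in manifest.get("content_scripts", []):
        reach.update(m for m in script.get("matches", []) if isinstance(m, str))
    return {
        "id": ext_id,
        "version": version,
        # Names like "__MSG_appName__" are localized; resolve via _locales if needed.
        "name": manifest.get("name", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "flagged": sorted(reach & HIGH_REACH),
    }


def inventory(profile_dir: str) -> List[Dict]:
    """Return one summary per installed extension version found on disk."""
    ext_root = Path(profile_dir) / "Extensions"
    results: List[Dict] = []
    if not ext_root.is_dir():
        return results
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest_path = ver_dir / "manifest.json"
            if manifest_path.is_file():
                results.append(summarize(load_manifest(manifest_path), ext_dir.name, ver_dir.name))
    return results


def build_sample_profile(root: str) -> str:
    """Constructed sample profile: one narrow extension and one with broad reach."""
    samples = {
        # IDs are made-up 32-char strings in Chrome's a-p alphabet; not real extensions.
        "abcdefghijklmnopabcdefghijklmnop": ("1.0.0", {
            "manifest_version": 3, "name": "Sample Notes (constructed)",
            "permissions": ["storage"], "host_permissions": ["*://*.example.org/*"],
        }),
        "ponmlkjihgfedcbaponmlkjihgfedcba": ("0.9.1", {
            "manifest_version": 2, "name": "Sample Helper (constructed)",
            "permissions": ["<all_urls>", "webRequest", "tabs"],
            "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
        }),
    }
    for ext_id, (version, manifest) in samples.items():
        ver_dir = Path(root) / "Extensions" / ext_id / version
        ver_dir.mkdir(parents=True, exist_ok=True)
        (ver_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


def main() -> None:
    profile = sys.argv[1] if len(sys.argv) > 1 else build_sample_profile(tempfile.mkdtemp())
    for ext in inventory(profile):
        status = "REVIEW" if ext["flagged"] else "ok"
        print(f"{status:6} {ext['id']} v{ext['version']} {ext['name']!r} {ext['flagged']}")


if __name__ == "__main__":
    main()
```

Run it with the profile path as the only argument, or with no argument to see the constructed sample. An extension showing under REVIEW is not proof of anything malicious, but it is where to look first when traffic appears only after sync is enabled, since sync restores the extension list from the account rather than from the freshly reimaged disk.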
Jun 28 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot