
Nano Adblocker / Nano Defender are now malware


zombunny2

This is not strictly related to Immunet, but may be worth highlighting to visitors of this forum.

In October, the lead developer of the popular adblocker extension "Nano Adblocker" and companion extension "Nano Defender" sold the identity and code-repository access (effectively "sold the extension") to some previously-unknown Middle-Eastern developers. In his defence, he had been unable to keep up with the maintenance requirements of the addon, and wanted its development to continue rather than leave his users "high and dry". He also performed some (albeit) minimal background-checking on the new developers before the sale, although he may have been a little naive and therefore too trusting.

Unfortunately, the first thing the new developers did was introduce some very crudely-obfuscated spyware into the popular extensions. In a rudimentary attempt to conceal the existence of the spyware, the developers even attempted to have the extension detect if the browser's developer console was open, and modify its behaviour accordingly.

If you use Chrome (which is arguably a piece of spyware in and of itself), it is important that you remove these extensions immediately. I suspect the same extension will also be used in Opera/Vivaldi/Brave, so if you are a user of those browsers this could also apply to you.

Fortunately, the Firefox version of the extension has not yet been updated with the malware changes, as the extension is developed for Chrome, and ported to Firefox by another maintainer. The new spyware was exposed before the Firefox maintainer had pulled-in the upstream code-changes. That said, it would be a smart move to delete this extension if you are using it on Firefox, as I don't see any updates being made to it from now on.

You will probably find Gorhill's uBlock Origin a suitable replacement for Nano Adblocker, and in fact it is the extension from which Nano takes most of its (non-malicious) code. If you are already a uBlock Origin user, please double-check that you didn't install Nano Defender at some time, to protect uBlock.

Fortunately, at the time of writing, this malware is easy to remove: Simply uninstall the Nano Adblocker and Nano Defender extensions. Then change all of your passwords. If you are extremely worried, and want to make extra sure that your browser profile is clean, delete your browser profile and create a new one.

To the best of my knowledge Immunet does not yet detect these extensions when installed.

I think it'd be a good idea for us to all treat this as a warning that an extension is only as trustworthy as its developer, and that the same developer may not always "own" an extension. It'd therefore be a good opportunity to have a look at all your browser extensions, and uninstall the ones you don't use. You could also take a look to get a feel for the public profile of each developer. Uninstall any that make you uneasy. Broadly-speaking, if it's not under a free (libre)/open-source licence, you can't verify that the code is benign and you need to be confident that you know how the developer(s) are paying for their time and resources.

More info:

GHacks Article

Ars Technica Article


I made the assumption that everyone still logs out of sites when they're not using them, so forgot to mention... Because of the way the malware works, if you've been affected you should log out of all of your sites and services, as well as changing your password.

I also forgot that "Edge" is a browser too. I've never had any desire to subject myself to it, but I believe it can now run Chrome extensions too, so if you're an Edge user who's installed Nano, you could also be infected.

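Added example (not part of the original posts): one way to carry out the extension audit suggested above on a Chromium-family profile, listing each installed extension with its declared permissions and flagging the two names from the post. It assumes the usual `Extensions/<id>/<version>/manifest.json` profile layout and matches on display name because the page gives no extension IDs; the function names and the sample profile are constructed for illustration.

```python
import json
from pathlib import Path

# Names come from the post; extension IDs are not on the page, so match display names.
FLAGGED_NAMES = ("nano adblocker", "nano defender")

def read_json(path):
    try:
        return json.loads(Path(path).read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None  # unreadable or malformed file

def resolve_name(version_dir, manifest):
    """Resolve '__MSG_key__' via _locales/<default_locale>/messages.json."""
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    locale = str(manifest.get("default_locale", "en"))
    messages = read_json(version_dir / "_locales" / locale / "messages.json")
    for key, entry in (messages if isinstance(messages, dict) else {}).items():
        if key.lower() == name[6:-2].lower() and isinstance(entry, dict):
            return str(entry.get("message", name))
    return name  # keep the placeholder visible rather than guess

def audit_profile(profile_dir):
    """One record per <profile>/Extensions/<id>/<version>/manifest.json."""
    records = []
    for path in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        manifest = read_json(path)
        if not isinstance(manifest, dict):
            continue  # skip damaged manifests, keep auditing
        name = resolve_name(path.parent, manifest)
        records.append({"id": path.parent.parent.name, "name": name,
                        "version": manifest.get("version", "?"),
                        "permissions": manifest.get("permissions", []),
                        "flagged": any(n in name.lower() for n in FLAGGED_NAMES)})
    return records

def build_sample_profile(root):  # constructed data: two fake extensions, placeholder IDs
    a, b = (Path(root) / "Extensions" / (c * 32) / "1.0_0" for c in "ab")
    (a / "_locales" / "en").mkdir(parents=True)
    b.mkdir(parents=True)
    (a / "manifest.json").write_text(json.dumps({
        "name": "__MSG_extName__", "default_locale": "en", "version": "1.0",
        "permissions": ["webRequest", "<all_urls>"]}))
    (a / "_locales" / "en" / "messages.json").write_text(
        json.dumps({"extName": {"message": "Nano Defender"}}))
    (b / "manifest.json").write_text(json.dumps({"name": "Example Notes", "version": "1.0"}))
```

Call `audit_profile()` on a real profile directory (for Chrome on Linux, typically `~/.config/google-chrome/Default`) and review every record, not only the flagged ones: broad permissions on an extension you no longer use are a reason to uninstall it.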

  • 3 months later...
On 11/23/2020 at 4:52 PM, zombunny2 said:

This is not strictly related to Immunet, but may be worth highlighting to visitors of this forum.

In October, the lead developer of the popular adblocker extension "Nano Adblocker" and companion extension "Nano Defender" sold the identity and code-repository access (effectively "sold the extension") to some previously-unknown Middle-Eastern developers. In his defence, he had been unable to keep up with the maintenance requirements of the addon, and wanted its development to continue rather than leave his users "high and dry". He also performed some (albeit) minimal background-checking on the new developers before the sale, although he may have been a little naive and therefore too trusting.

Unfortunately, the first thing the new developers did was introduce some very crudely-obfuscated spyware into the popular extensions. In a rudimentary attempt to conceal the existence of the spyware, the developers even attempted to have the extension detect if the browser's developer console was open, and modify its behaviour accordingly.

If you use Chrome (which is arguably a piece of spyware in and of itself), it is important that you remove these extensions immediately. I suspect the same extension will also be used in Opera/Vivaldi/Brave, so if you are a user of those browsers this could also apply to you.

Fortunately, the Firefox version of the extension has not yet been updated with the malware changes, as the extension is developed for Chrome, and ported to Firefox by another maintainer. The new spyware was exposed before the Firefox maintainer had pulled-in the upstream code-changes. That said, it would be a smart move to delete this extension if you are using it on Firefox, as I don't see any updates being made to it from now on.

You will probably find Gorhill's uBlock Origin a suitable replacement for Nano Adblocker, and in fact it is the extension from which Nano takes most of its (non-malicious) code. If you are already a uBlock Origin user, please double-check that you didn't install Nano Defender at some time, to protect uBlock.

Fortunately, at the time of writing, this malware is easy to remove: Simply uninstall the Nano Adblocker and Nano Defender extensions. Then change all of your passwords. If you are extremely worried, and want to make extra sure that your browser profile is clean, delete your browser profile and create a new one.

To the best of my knowledge Immunet does not yet detect these extensions when installed.

I think it'd be a good idea for us to all treat this as a warning that an extension is only as trustworthy as its developer, and that the same developer may not always "own" an extension. It'd therefore be a good opportunity to have a look at all your browser extensions, and uninstall the ones you don't use. You could also take a look to get a feel for the public profile of each developer. Uninstall any that make you uneasy. Broadly-speaking, if it's not under a free (libre)/open-source licence, you can't verify that the code is benign and you need to be confident that you know how the developer(s) are paying for their time and resources.

More info:

GHacks Article

Ars Technica Article.

Edited by WilliamKing321