![]() ![]() APT attacks are highly sophisticated and often target specific, high-profile institutions, such as government or financial-sector companies. This method does not guarantee 100% detection AV, as it is based on verification of the installed anti-virus extension for Chrome which can be disabled by the user.An Advanced Persistent Threat (APT) attack is a type of network attack that uses advanced malware and zero-day exploits to get access to networks and confidential data over extended periods of time.If (nort.indexOf('coToolbarFrame')>=0 & nort.indexOf('/toolbar/placeholder.html')>=0 & nort.indexOf('chrome-extension://')>=0 ) ![]() ![]() JS code which is implemented by the extension on the page as followsĪnd in the end, it turned out that it is also very easy to detected using this JS code var NAV = document.getElementById('coFrameDiv') He has installed, like Avira, 2 extension When installing Avira antivirus Pro, it installed 2 extensions in the Chrome browserĪvira Browser Safety and Avira Save Search PlusĪvira on the page index.html injected iframe which has the following formĪnd it turns out JS code for detect Avira extension is as follows var AV = document.getElementById("abs-top-frame")ĪV.outerHTML.indexOf('/html/top.html')>=0 & AV.outerHTML.indexOf('chrome-extension://')>=0Īnd finally the last extension to AV which I had to consider - Norton If (document.getElementsB圜lassName('drweb_btn').length > 0) using the following simple JS code can be found installed DrWeb us or not. On the index.html page injected follow code Product version DrWeb Security Space 11.0Ĭhrome extension name s - Dr.Web Anti-Virus Link Checker Next, consider Avira, Norton, DrWeb antivirus, if anyone wants to continue this mini study, I will be glad to hear about the rest of it works.Īntivirus Avira, Norton, DrWeb, together with the installation of the system, for the chrome browser, install and even add-ons which are as of injectate to the page specific data which can be Oh detectit. I wanted to see how things will pan out from other antivirus software if other anti-virus software to detect, or only KIS. Great, to detect, KIS antivirus needs to get code from iframe.html page and parse strings, if the page has kasperskylab_antibanner then we can say - the client computer has installed KIS antivirus. In this img we can see changed iframe page code When we open index.html page, it will load iframe.html and inject JS code. If (ka.indexOf("kasperskylab_antibanner") != -1) Var frm = document.getElementById("frmin") Hmmm, why not create a special page that will monitor the Javascript's scripts, and understand - have on the client computer any antivirus, include KIS.Ĭreate on the server first page - iframe.html Īnd after create second page - index.html with this HTML code I immediately realized that my antivirus made MITM traffic (http & https), and injected its code to track the activity on the page. ![]() Why does Facebook use javascript code with Kaspersky website?. One day, looking through one of the web pages, I noticed a very interesting code, which in my opinion should not have been on the page. The operating system I often work with is windows 7, and to ensure greater safety, I installed Kaspersky Internet Security antivirus software. ![]()
0 Comments
Leave a Reply. |