Avast reporting BV:Crossrider-B [PUP] but not finding the source

Didn’t quite know where to post this, but just to offer a helping hand: if anyone else has problems with Avast reporting BV:Crossrider-B [PUP] on files like CrossriderAPI.js, monitor.js, events.js etc. when opening Google Chrome on macOS, then at least in my case the culprit was in the /private/var/tmp folder; the file was referenced from
~/Library/Application Support/Google/Chrome/External Extensions/bknocbldidknmbnfgofcmkjdohancana.json


{
    "external_crx": "/private/var/tmp/photozoom.crx",
    "external_version": "1.26.22"
}

Which in turn was written into
~/Library/Application Support/Google/Chrome/Profile 1/Secure Settings


{
    "protection": {
        "macs": {
            "extensions": {
                "settings": {
                    "bknocbldidknmbnfgofcmkjdohancana": "4C805531E47980DBC7CE0E878D425CD7D9E2EEA98BDC585E5A2843D26F899503"
                }
            }
        }
    },
    "extensions": {
        "settings": {
            "bknocbldidknmbnfgofcmkjdohancana": {
                "active_permissions": {
                    "api": ["contextMenus", "cookies", "notifications", "proxy", "storage", "tabs", "unlimitedStorage", "webNavigation", "webRequest", "webRequestBlocking"],
                    "explicit_host": ["http://*/*", "https://*/*"],
                    "manifest_permissions": [],
                    "scriptable_host": ["http://*/*", "https://*/*"]
                },
                "commands": {},
                "content_settings": [],
                "creation_flags": 1,
                "events": [],
                "extension_can_script_all_urls": true,
                "from_bookmark": false,
                "from_webstore": false,
                "incognito_content_settings": [],
                "incognito_preferences": {},
                "initial_keybindings_set": true,
                "install_time": "13091882323313056",
                "location": 2,
                "manifest": {
                    "background": {
                        "page": "background.html"
                    },
                    "content_scripts": [{
                        "all_frames": true,
                        "js": ["js/312f101f5066b6f1ef0bb7faff696773.js", "js/lib/a8704f994c151db1c1640244c9fb7679.js", "js/lib/54d05a9a405c8a537efa33aa04977775.js", "js/lib/114ee707ad4e3c272bd0d6187527f3c7.js", "js/lib/dde536c20dd8b25085f3607a8256a94f.js", "js/api/d0d5d35797aa340e6993119a0d70d808.js", "js/api/2045e0266af452bc84cebe0e0c456aba.js", "js/api/pageAction.js", "js/lib/installer.js", "js/lib/app_api.js"],
                        "matches": ["http://*/*", "https://*/*"],
                        "run_at": "document_start"
                    }],
                    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
                    "description": "Images Zoom Extension",
                    "icons": {
                        "128": "icons/icon128.png",
                        "16": "icons/icon16.png",
                        "48": "icons/icon48.png"
                    },
                    "key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUtrVjxeg6ueYU9gLhAY017tvCxUHO6kpWoHdA2FlbQn+xpmE7xS66i8037guqVaXGtGU0/0IzM+9hfaNL4leTXJYn1mFnB31is9OwRKGQ/u2Ip2zZ5kXIgvb8zPHrkyE/HWUYqJyAX/a6fWEDVFTwMuMEntWUQMpuUJo5NYaAdwIDAQAB",
                    "manifest_version": 2,
                    "name": "Photozoom V9.0",
                    "permissions": ["http://*/*", "https://*/*", "tabs", "cookies", "notifications", "contextMenus", "webNavigation", "webRequest", "webRequestBlocking", "unlimitedStorage", "storage", "proxy"],
                    "update_url": "https://w9u6a2p6.ssl.hwcdn.net/plugin/chrome/update/60792.xml",
                    "version": "1.26.97",
                    "web_accessible_resources": ["Settings.json"]
                },
                "path": "bknocbldidknmbnfgofcmkjdohancana/1.26.97_0",
                "preferences": {},
                "regular_only_preferences": {},
                "state": 2,
                "was_installed_by_default": false,
                "was_installed_by_oem": false
            }
        }
    }
}

Reported the photozoom.crx (which is a RAR-archived Chrome package, if anyone is interested) to Avast; not giving it here :wink:

The way I tracked the culprit down was:

Quit Google Chrome,
then in the terminal run
sudo opensnoop
then open Google Chrome,
and after Avast has detected the error, CTRL+C the trace → happy hunting

The first thing is to get rid of the file and, of course, the settings fields that refer to it.

Finding the references to the extension was doable with


cd ~/Library/"Application Support"/Google
grep -lr "photozoom" *

Hope it helps someone :smiley:

Crossrider info from malwarebytes >>> https://blog.malwarebytes.com/detections/pup-optional-crossrider/
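The two files quoted above (the External Extensions stub pointing at a .crx in /private/var/tmp, and the Secure Settings entry with from_webstore false and http://*/* and https://*/* host access) are exactly what a triage script can look for. The following is an added example, not the poster's own tooling: it runs the checks over constructed copies of those two structures and can also walk a real Chrome data directory (the macOS default path is assumed; the per-profile file is looked up as "Secure Preferences", which is the name current Chrome uses for what the post calls "Secure Settings").

```python
import json
from pathlib import Path

# Constructed samples modelled on the two files quoted in the post (not real files).
EXTERNAL_ENTRY = {"external_crx": "/private/var/tmp/photozoom.crx",
                  "external_version": "1.26.22"}
SECURE_PREFS = {"extensions": {"settings": {"bknocbldidknmbnfgofcmkjdohancana": {
    "from_webstore": False, "location": 2, "state": 2,
    "manifest": {"name": "Photozoom V9.0"},
    "active_permissions": {"explicit_host": ["http://*/*", "https://*/*"],
                           "api": ["proxy", "tabs", "webRequest", "webRequestBlocking"]}}}}}

TEMP_DIRS = ("/private/var/tmp/", "/private/tmp/", "/var/tmp/", "/tmp/")
ALL_HOSTS = {"http://*/*", "https://*/*", "*://*/*", "<all_urls>"}
SENSITIVE_APIS = {"proxy", "cookies", "webRequest", "webRequestBlocking"}

def check_external_entry(ext_id, entry):
    """An External Extensions stub whose .crx sits in a temp dir is a sideload red flag."""
    crx = entry.get("external_crx", "")
    return [f"{ext_id}: external_crx in temp dir ({crx})"] if crx.startswith(TEMP_DIRS) else []

def check_secure_prefs(prefs):
    """Flag extensions that were not Web Store installs yet hold all-sites access."""
    findings = []
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        reasons = []
        if not ext.get("from_webstore", True):
            reasons.append("not installed from the Web Store")
        if ext.get("location") == 2:  # assumption: 2 = EXTERNAL_PREF in Chromium's Manifest::Location
            reasons.append("installed via an external preferences file")
        perms = ext.get("active_permissions", {})
        if ALL_HOSTS & set(perms.get("explicit_host", [])):
            reasons.append("host access to every http/https site")
        risky = SENSITIVE_APIS & set(perms.get("api", []))
        if risky:
            reasons.append("sensitive APIs: " + ", ".join(sorted(risky)))
        if reasons:
            name = ext.get("manifest", {}).get("name", "?")
            findings.append(f"{ext_id} ({name}): " + "; ".join(reasons))
    return findings

def scan_chrome(base="~/Library/Application Support/Google/Chrome"):
    """Run both checks over a real Chrome data directory (macOS default path assumed)."""
    base, findings = Path(base).expanduser(), []
    for p in (base / "External Extensions").glob("*.json"):
        findings += check_external_entry(p.stem, json.loads(p.read_text()))
    for p in base.glob("*/Secure Preferences"):  # one per profile ("Default", "Profile 1", ...)
        findings += check_secure_prefs(json.loads(p.read_text()))
    return findings

if __name__ == "__main__":
    for f in check_external_entry("bknocbldidknmbnfgofcmkjdohancana", EXTERNAL_ENTRY) \
            + check_secure_prefs(SECURE_PREFS):
        print(f)
```

Run it as-is to see the two findings for the constructed samples, or call scan_chrome() on a Mac to check the live profile; a Web Store extension with a narrow host list and only the storage API produces no finding.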

Look also at the error here:

www.google-analytics.com/static/js/index.min.js
info: [decodingLevel=0] found JavaScript
error: line:58: SyntaxError: invalid label:
error: line:58: "@context": "http:/schema.org",
error: line:58: …^
error: line:3: SyntaxError: missing = in XML attribute:
error: line:3:
error: line:3: …^

and in this discussion: https://bugs.chromium.org/p/chromium/issues/detail?id=41902

There are a few problems with having the "external_extensions.json" located inside the "Google Chrome.app" bundle on Mac:
  • This folder can be read-only in some cases.
  • In multi-user environments, it will force the extension to be installed for all users.

Would it be possible to use a different location, preferably user-specific?

Info credits go to “roustem”.

polonus (volunteer website security analyst and website error-hunter)