Reverse Engineering an Eclipse Plugin (opens in new tab)

(0x10f8.wordpress.com)

135 pointsRKoutnik8y ago19 comments

19 comments

The plugin that is inspected in this article is now delisted in the Eclipse Marketplace. You can't download it from there anymore (Checked with STS 3.9.0.RELEASE). A new fork without the ad related code as been publish and you can inspect the code on https://github.com/ecd-plugin/ecd .

It's nice to see the community stepping in to "fix" the situation.

philbarr8y ago

Original author doing a pretty bad job of explaining himself [0]. Mainly:

Anyone who does not like it, please uninstall this plugin.

I will not explain it anymore.

I'm not interested in stealing your privacy.

[0] https://github.com/cnfree/Eclipse-Class-Decompiler/issues/30

contravariant8y ago

The only acceptable explanation would be that they weren't aware and didn't intend for this to happen.

Any other scenario means that they intentionally and secretly included code into their compiled binaries which posed a security and privacy risk.

nerdponx8y ago

I wonder about the nature of this scam. It almost looks like it's designed to spoof ad clicks, not direct the user to them.

1 more reply

0xfeba8y ago

From an earlier response in the same thread:

> These codes never worked on user machine. They were used for patching plugin bugs.

Uh huh. If it was such a benign use, why wasn't it in the repository, or mentioned in the marketplace page?

philbarr8y ago

Alternative version:

http://marketplace.eclipse.org/content/enhanced-class-decomp...

hiram1128y ago

Good writeup on the reverse engineering.

I'm still a little confused as to what the code was doing, though. It gathers statistics about your user machine (none of which seemed too personal - basically IP, OS, country, etc).

But then what is it doing? Opening a virtual browser or simulating clicks to some ad network?

jjjensen908y ago

Seems to me that it is indeed running a hidden browser on a background thread, loading ads, and simulating views/clicks. That is in addition to collecting and sending user and system information (possibly also for ad-serving or information sales or some other nefarious skulduggery).

nerdponx8y ago

I wonder if this was actually an attempt to scam the advertisers into thinking they were receiving genuine add traffic, in order to get affiliate revenue. Using actual customer data might have prevented the advertisers from getting suspicious.

1 more reply

lsaferite8y ago

A simple thing would be to trigger a visit to a site using a JS coin miner if it's running JS in the hidden browser.

1 more reply

lvoudour8y ago

I'm surprised he wasn't mining bitcoins on the side :)

ramshanker8y ago

Guess author of the plugin is pretty smart but not smart enough to encrypt the traffic back home or obscure his/her nasty secrets.

I guess it might be keeping the black stuff for some cool down time just after installation. Many malware seem to do there days. We might have got true clicks targeted.

mseebach8y ago

Encrypting the traffic would only have made it marginally more difficult to intercept (https://portswigger.net/burp/help/proxy_options_installingca...). Also, the guy got 400k downloads, sometimes you don't need "smart".

nallerooth8y ago

While this was a popular plugin for Eclipse - I'm sure there are plugins for other editors, IDEs and browsers which do the same (or worse). Yet, we often try a multitude of plugins without a single thought about any unwanted features bundled with the main features.

moocowtruck8y ago

and so many people make fun of js/node... this dude made over 400k installs part of his personal ad clicking bot net..

zaphirplane8y ago

Thank you for doing this, makes you think how many other highly rated/used s/w is malicious

j / k navigate · click thread line to collapse

19 comments

guildan8y ago

It's nice to see the community stepping in to "fix" the situation.

philbarr8y ago

Original author doing a pretty bad job of explaining himself [0]. Mainly:

Anyone who does not like it, please uninstall this plugin.

I will not explain it anymore.

I'm not interested in stealing your privacy.

[0] https://github.com/cnfree/Eclipse-Class-Decompiler/issues/30

contravariant8y ago

The only acceptable explanation would be that they weren't aware and didn't intend for this to happen.

Any other scenario means that they intentionally and secretly included code into their compiled binaries which posed a security and privacy risk.

nerdponx8y ago

I wonder about the nature of this scam. It almost looks like it's designed to spoof ad clicks, not direct the user to them.

1 more reply

0xfeba8y ago

From an earlier response in the same thread:

> These codes never worked on user machine. They were used for patching plugin bugs.

Uh huh. If it was such a benign use, why wasn't it in the repository, or mentioned in the marketplace page?

philbarr8y ago

Alternative version:

http://marketplace.eclipse.org/content/enhanced-class-decomp...

hiram1128y ago

Good writeup on the reverse engineering.

I'm still a little confused as to what the code was doing, though. It gathers statistics about your user machine (none of which seemed too personal - basically IP, OS, country, etc).

But then what is it doing? Opening a virtual browser or simulating clicks to some ad network?

jjjensen908y ago

nerdponx8y ago

1 more reply

lsaferite8y ago

A simple thing would be to trigger a visit to a site using a JS coin miner if it's running JS in the hidden browser.

1 more reply

lvoudour8y ago

I'm surprised he wasn't mining bitcoins on the side :)

ramshanker8y ago

Guess author of the plugin is pretty smart but not smart enough to encrypt the traffic back home or obscure his/her nasty secrets.

I guess it might be keeping the black stuff for some cool down time just after installation. Many malware seem to do there days. We might have got true clicks targeted.

mseebach8y ago

nallerooth8y ago

moocowtruck8y ago

and so many people make fun of js/node... this dude made over 400k installs part of his personal ad clicking bot net..

zaphirplane8y ago

Thank you for doing this, makes you think how many other highly rated/used s/w is malicious

j / k navigate · click thread line to collapse