How can I identify malware containing Chrome extensions in Linux?

I'm not sure if this is the case in your particular issue but there have been situations where known good extensions have been sold to 3rd parties who then co-opt the extension for nefarious purposes. Here is one such story that discusses this: Google Chrome Extensions are Being Sold to Malicious Adware Companies.

Excerpt:

Ron Amadeo from Ars Technica recently wrote an article about adware vendors buying Chrome extensions in order to place malicious, ad-injected updates.

Google Chrome has automatic updates in order to make sure that users are always running the latest updates. Obviously, Google Chrome is updated directly by Google. However, this update process consequently includes Chrome’s extensions. Chrome extensions are updated by the extension owners, and it is up to the user to determine if the extension owner is trustworthy or not.

When users download an extension, they are giving the extension owner permission to push new code out to their browser at any time.

What has inevitably happened is that adware vendors are buying the extensions, and therefore the users, from extension authors. These vendors are pushing adware out to every user of the extension, which can make for a dangerous browsing experience.

One Google extension author gave his personal account of this in his blog post entitled, “I Sold a Chrome Extension but it was a bad decision.”

My advice would be to take this situation very seriously and disable extensions that you're not sure about. I would then monitor the situation to see if it subsides or continues.

If it continues then I would dig deeper and start to scrutinize the DNS servers you're using. I typically use OpenDNS for this exact reason, since this service (free) attempts to thwart attack vectors by redirecting DNS lookups to alternative OpenDNS pages instead.

Why care about DNS?

OpenDNS DNS servers will intentionally augment the results they return when you do a lookup if a hostname is known to be affiliated with spam/hacking/phishing related activities. They're in a unique position since they perform the lookups for every site their customers traffic, so they can detect anomalies. See here: OPENDNS PHISHING PROTECTION, as well as here.

What else?

I would also make sure that your /etc/hosts file hasn't been compromised, and continue to monitor the situation using something like nethogs, which will show which processes are accessing your network.

Amit Agarwal created a Feedly extension for Chrome in less than an hour and sold it unknowingly to an Adware vendor for a 4-figure offer. The extension had 30,000+ users on Chrome at the time of sale. The new owners pushed an update to the Chrome store, which injected adware and affiliate links into the users’ browsing experience. While this extension has been removed due to the publicity that Agarwal’s remorseful confession made, this is a very common event in Chrome extensions.


Take a look at the reviews of the extension Smooth Gestures (direct link).

If you sort the reviews by date (by clicking Recent), you'll see that almost all new reviews have a one-star rating and complain about underhanded ads:

Kevin Lee 1 day ago

Sold to a third-party company that adds ads, and a pay-to-remove-ad feature.

Suresh Nageswaran 3 days ago

Hate the ads. Worked good until it started injecting ads into my browsing experience. I would have paid to continue to use it, but I felt strongly about the sneakiness. Borderlines on spyware.

John Smith 6 days ago

Do not use this. It is injecting JS to clickjack things and causes XSS security problems with https.

Tomas Hlavacek Feb 23, 2014

Absolute crap... Remember the incident with unauthorized URL sneaking? Then they started to force users to "donate" or suffer ads. It even started to lag on certain pages (which was not the case before all those "improvements"). So I have switched to CrxMouse and I am fine.

kyle barr Feb 19, 2014

It's a solid mouse gestures extension, but the new ads are a horrible addition. First because the extension updates and silently adds the ads, so you don't know where they're coming from. Here I am scanning my computer with multiple malware scanners because I'm getting random ads, until I realize it's Smooth Gestures inserting them.

There's no good reason to use this extension any longer, and personally I'd like to know who develops this extension so I can make sure not to install anything from them in the future.

Looks like that one's the culprit.


In addition to the answers here, I found a few more useful resources.

  1. This howtogeek article recommends a program called Fiddler that acts as a web debugging proxy, allowing you to examine network requests (there's an alpha Linux version). @slm pointed me to this answer on SO that has various similar programs as well.

  2. The developer mode in Chrome's chrome://extensions page allows you to check each extension for processes running in the background:


    Clicking on background.html opens Chrome's developer tools window, which allows you to easily look through the sources of the various scripts that the extension contains. In this case, I noticed a folder called support in Sexy Undo Close Tab's source tree that contained a script called background.js that looked suspicious (it was generating random time intervals, which fits my symptoms).

  3. This other howtogeek article has a list of known extensions to avoid, but even better is http://www.extensiondefender.com which seems to be a user generated database of malicious extensions. However, they don't specify how or why a particular extension has been tagged as mal- or adware, so perhaps it should be taken with a grain of salt.

  4. The people behind extensiondefender.com (whoever they are) have also developed a very cool little extension called, (drumroll) Extension Defender. This both lets you scan your existing extensions for known "bad" ones and also blocks blacklisted extensions from being installed.

So of the extensions in my OP, both Smooth Gestures (thanks @Dennis) and Sexy Undo Close Tab are adware. Based on the source code of the support/background.js file of the latter, I'm pretty sure that one was the one randomly hijacking my current page, but I'll give it a few days to be sure.

Another useful extension is Extensions Update Notifier (thanks @Dennis), which apparently lets you know whenever an extension has been updated, which could help identify the culprit in case an update added this type of behavior.
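As an added example (not code from any of the answers above), the following Python script does from a Linux shell what the last answer does by hand in chrome://extensions: it enumerates the extensions installed under a Chrome profile, notes which ones hold broad host permissions, and flags background or content scripts that schedule a timer from Math.random, the random-interval trait the asker spotted in support/background.js. It assumes the standard Linux profile path ~/.config/google-chrome/Default (Chromium uses ~/.config/chromium); the sample profile it can build is constructed, with a fake extension id and contents, so the scan can be tried offline.

```python
import json, os, re, tempfile

# Chrome on Linux keeps each extension under <profile>/Extensions/<id>/<version>/
DEFAULT_PROFILE = os.path.expanduser("~/.config/google-chrome/Default")
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Heuristic: a setTimeout/setInterval whose delay is derived from Math.random()
RANDOM_TIMER = re.compile(r"set(?:Timeout|Interval)\([\s\S]{0,300}?Math\.random")

def scan_extension(vdir):
    """Findings for one <id>/<version> directory (manifest v2 or v3)."""
    m = json.load(open(os.path.join(vdir, "manifest.json"), encoding="utf-8"))
    bg = m.get("background", {})
    scripts = [js for cs in m.get("content_scripts", []) for js in cs.get("js", [])]
    scripts += bg.get("scripts", []) + ([bg["service_worker"]] if "service_worker" in bg else [])
    flagged = []
    for rel in scripts:
        path = os.path.join(vdir, rel)
        if os.path.isfile(path) and RANDOM_TIMER.search(open(path, encoding="utf-8", errors="replace").read()):
            flagged.append(rel)
    hosts = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    return {"name": m.get("name", "?"), "version": m.get("version", "?"),
            "broad_host_access": bool(hosts & BROAD_HOSTS),
            "random_timer_files": flagged}

def scan_profile(profile=DEFAULT_PROFILE):
    """Map extension id -> findings for every installed extension version."""
    root, out = os.path.join(profile, "Extensions"), {}
    if not os.path.isdir(root):
        return out
    for ext_id in sorted(os.listdir(root)):
        ext_dir = os.path.join(root, ext_id)
        for ver in (sorted(os.listdir(ext_dir)) if os.path.isdir(ext_dir) else []):
            vdir = os.path.join(ext_dir, ver)
            if os.path.isfile(os.path.join(vdir, "manifest.json")):
                out[ext_id] = scan_extension(vdir)
    return out

def make_sample_profile():
    """Constructed sample profile: one hypothetical extension (fake id/contents)."""
    profile = tempfile.mkdtemp()
    vdir = os.path.join(profile, "Extensions", "aaaaexample", "1.0")
    os.makedirs(os.path.join(vdir, "support"))
    with open(os.path.join(vdir, "manifest.json"), "w") as f:
        json.dump({"name": "Sample Undo Tab", "version": "1.0",
                   "permissions": ["tabs", "<all_urls>"],
                   "background": {"scripts": ["support/background.js"]}}, f)
    with open(os.path.join(vdir, "support", "background.js"), "w") as f:
        f.write("setInterval(function(){ poll(); }, 60000 + Math.random() * 600000);")
    return profile
```

Run `scan_profile()` with no argument against a real profile; an extension that shows broad host access together with a randomised timer is one to open in the developer tools and read, as the answer describes.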