I’m just going to remove the tweets about the unique Chrome downloads; this is obviously a dead end.
For transparency, this is my original tweet where I discovered that ChromeSetup.exe downloads are each unique. It could definitely be abused in this way, but Google’s privacy policy says they don’t and the Omaha system code that does this is open source.
This post discusses how the files are all signed at the same time with the same Authenticode digest, but the file hashes are each different. My evil-corp postulate for why this was happening was wrong.
Quote Tweet
Replying to @SwiftOnSecurity
From: @ericlaw textslashplain.com/2016/05/13/che
Here’s where Google discloses they use unique downloads to track install success and conversion, but not to link identities. I think I believe them.
Quote Tweet
Replying to @SwiftOnSecurity
Seems like this might be what's documented at google.com/chrome/privacy ?
My job is to poke and look for unusual things on the network, and noticing every ChromeSetup.exe was a unique hash set off alarm bells about polymorphic viruses that use unique executables to evade certain virus signature approaches.
🤷♀️
There are APT threats that replace the GoogleUpdate.exe service for persistence and executable goodlist bypass, so it’s always good to be suspicious of stuff that looks too official to be malware...



