RocketTab malware and the Tab Manager Chrome extension

Chrome slowed down for me this week. It’s always been a memory and CPU hog, but this got ridiculous. Like grind-my-system-to-a-halt ridiculous. Unable to determine the problem, I switched to Firefox. But I figured out the Chrome issue today.

Side note: I haven’t used Firefox for years but I’m pleased to report it’s become an amazing browser in the meantime. I’ll definitely be continuing to use it as more than just a testing browser for web development.

So the clue for me was that my DuckDuckGo search pages started coming up with ads injected at the top.

The perpetrator was kind enough to add a label, “RocketTab powered by Advertise,” at the top and bottom of the injected results, so it was easy enough to search for. Apparently the RocketTab ad/malware has been around for a long time, and the “powered by Advertise” mutation is only the most recent incarnation. Over its lifespan it’s been everything from a bundled application to browser extensions. It purportedly just injects ads across a bunch of different services with redirects and affiliate links to gather commissions. It also slows your entire computer down tremendously, which seems odd for something so supposedly innocuous.

I started by searching through all of my recently-installed apps. I’m not careless about installing untrusted apps, so that wasn’t likely, but I deleted some cruft. No change.

I ran Malwarebytes, which specifically lists RocketTab as one it detects (and which is, by the way, a very good anti-malware app), but no results there.

So I jumped into the web inspector and started tracing the XHR calls that were made when the ads were injected, then searching for the strings in my Chrome extensions folder. I turned up nothing. Convinced it had to be an extension — and I run a lot of them[1] — I disabled all of them. Ads went away. Enabled them one by one, repeatedly refreshing the DuckDuckGo search page to see when they came back. Boom: Tab Manager.
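As a complement to the disable-and-re-enable hunt described above, this added example (not part of the original post) reads each manifest.json under a Chrome extensions folder and lists first the extensions permitted to run on every page, most recently updated first. The `<id>/<version>/manifest.json` layout, the function names and the two sample extensions are assumptions constructed for illustration.

```python
import json, os, sys, tempfile
from pathlib import Path

# Match patterns that let an extension read and modify every page you visit.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extensions(ext_root):
    """Scan <ext_root>/<extension id>/<version>/manifest.json (assumed layout)."""
    records = []
    for path in Path(ext_root).glob("*/*/manifest.json"):
        try:
            m = json.loads(path.read_text(encoding="utf-8-sig"))
            updated = path.stat().st_mtime
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if not isinstance(m, dict):
            continue
        patterns = list(m.get("permissions", [])) + list(m.get("host_permissions", []))
        for script in m.get("content_scripts", []):
            patterns += script.get("matches", [])
        broad = sorted({p for p in patterns if isinstance(p, str) and p in BROAD})
        records.append({"id": path.parent.parent.name, "name": m.get("name", "?"),
                        "version": m.get("version", "?"), "broad": broad, "updated": updated})
    # Extensions with access to all pages first, then most recently updated first.
    records.sort(key=lambda r: (not r["broad"], -r["updated"]))
    return records

def build_sample(root):
    """Write constructed sample data: two made-up extensions, not real ones."""
    samples = [
        ("aaaaexampleidaaaa", "1.0_0", 1_500_000_000,
         {"name": "Sample Notes", "version": "1.0", "permissions": ["storage"]}),
        ("bbbbexampleidbbbb", "2.3_0", 1_518_000_000,
         {"name": "Sample Tab Tool", "version": "2.3", "permissions": ["tabs"],
          "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}),
    ]
    for ext_id, ver, mtime, manifest in samples:
        d = Path(root) / ext_id / ver
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        os.utime(d / "manifest.json", (mtime, mtime))  # fixed, constructed timestamps

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:
        build_sample(root)  # no path given: run on the constructed sample
    for r in audit_extensions(root):
        flag = "ALL PAGES" if r["broad"] else "limited"
        print(f'{flag:9} {r["name"]} {r["version"]} ({r["id"]}) {r["broad"]}')
```

Pass the path to your own extensions folder as the first argument to audit real installs; names shown as `__MSG_...__` are locale keys from the manifest, so match those entries by their ID.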

I’m not going to link it here, but see the image above if you need to confirm which one I’m talking about. You’ll immediately note on the Reviews tab that it’s reported as malware. Repeatedly. Many, many times. I reported abuse, as I assume many of the dozens of commenters have, so it’s unfathomable to me that the Chrome Web Store has continued to allow its presence. This apparently only happened with the latest update to the extension published this month (February, 2018).

Long story short, if you see “RocketTab powered by [anything],” figure it out, fast. I read reports that “YouTube Video Downloader” also had the same PUP, and I’m sure there are a dozen others. Disable all your extensions and re-enable them until you find it.

Deleting the offending extension fixed the problem and all of the issues I was having. I’m adding adware (and malware) creators to the list.

  1. I know, I know, “and then you wonder why Chrome gets so slow.”