Closed Bug 1117285 Opened 9 years ago Closed 9 years ago

Blocklist malicious add-ons

Categories

(Toolkit :: Blocklist Policy Requests, defect)

x86_64
Windows 7
defect
Not set
normal

Tracking

RESOLVED INVALID

People

(Reporter: toadyshadow101, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 20141126041045

Steps to reproduce:

Request blocklisting on the following add-ons:

gtffxtbr@GamingWonderland.com
4zffxtbr@VideoDownloadConverter_4z.com
5zffxtbr@CouponXplorer_5z.com
39ffxtbr@MapsGalaxy_39.com
65ffxtbr@FromDocToPDF_65.com
1gffxtbr@InboxAce_1g.com
9tffxtbr@InternetSpeedTracker_9t.com


Actual results:

Reports with these addons installed can be found here
https://crash-stats.mozilla.com/report/index/f301c4a8-748d-4ecb-943b-b9b722150102
https://crash-stats.mozilla.com/report/index/6adab6f0-58da-4934-b23f-78e482150101
https://crash-stats.mozilla.com/report/index/21328012-741d-4455-a3c1-4f6d62141228
https://crash-stats.mozilla.com/report/index/3036fbba-3aaa-463d-8e85-c1e342141230
https://crash-stats.mozilla.com/report/index/aec53780-f2a7-4d6e-8a7f-17bb02141230
https://crash-stats.mozilla.com/report/index/d6da4559-29e2-4171-bd12-cd2752150102

A friend's Firefox would constantly crash, and when looking at his installed add-ons I found a GUID 9tffxtbr@InternetSpeedTracker_9t.com; when looking on crash-stats, it appears there.

Unfortunately his HDD was nuked (formatted), so I am unable to provide a sample.


Expected results:

Not sure if his crashes were associated with the add-on, but he has not had a single crash since the reinstallation of Windows.

I am reporting this issue on his behalf.
CC'ed Jorge.
Component: Untriaged → Blocklisting
Flags: needinfo?(jorge)
Product: Firefox → addons.mozilla.org
Summary: malicious addons → Blocklist malicious add-ons
Version: 34 Branch → unspecified
Can you explain why you think these add-ons are malicious?
Flags: needinfo?(jorge) → needinfo?(toadyshadow101)
Hi Jorge

When helping my friend narrow down what was causing his crashes, I asked him in Skype to provide the text readout from about:support, and the add-on GUID 9tffxtbr@InternetSpeedTracker_9t.com was there. When checking out the list and checking crash-stats, I found other users with that add-on. When looking further into it, I found many add-ons with "ffxtbr@" in front of their name, a similar naming convention on the end of the GUID, and almost the same version number. Also, when Googling the GUIDs, all in one form or another were flagged as PUPs.

example:
gtffxtbr@GamingWonderland.com	6.83.5.43442
4zffxtbr@VideoDownloadConverter_4z.com	6.83.5.46944
39ffxtbr@MapsGalaxy_39.com	6.84.5.57529
65ffxtbr@FromDocToPDF_65.com	6.83.5.44916
1gffxtbr@InboxAce_1g.com	6.83.5.44959
5zffxtbr@CouponXplorer_5z.com	2.73.1.40123

While he formatted his computer because of other viruses, I thought I would report this just in case.
For me this sent red flags.

Please forgive me if these are legit addons.
Flags: needinfo?(toadyshadow101)
Any update on this?
Flags: needinfo?(jorge)
Kris, can you look into the stats for those IDs?
Flags: needinfo?(jorge) → needinfo?(kmaglione+bmo)
As far as I've been able to determine in the past, these add-ons are all Ask toolbar add-ons installed manually via the websites in their IDs.

Their current stats, from a 5% sample (enabled, disabled, foreign installs):

4zffxtbr@VideoDownloadConverter_4z.com	26929, 14133, 11848
39ffxtbr@MapsGalaxy_39.com	21917, 6777, 5511
65ffxtbr@FromDocToPDF_65.com	15379, 4521, 3636
9tffxtbr@InternetSpeedTracker_9t.com	14452, 1423, 587
gtffxtbr@GamingWonderland.com	12703, 3136, 2000
1gffxtbr@InboxAce_1g.com	7527, 2147, 1699
5zffxtbr@CouponXplorer_5z.com	1642, 808, 578
65ffxtbr-bs@FromDocToPDF_65.com	6, 32, 17
gtffxtbr-bs@GamingWonderland.com	6, 12, 5
39ffxtbr-bs@MapsGalaxy_39.com	5, 23, 13
1gffxtbr-bs@InboxAce_1g.com	5, 13, 3
5yffxtbr@PartnerVideoDownloadConverter_5y.com	2, 8, 7
4zffxtbr-bs@VideoDownloadConverter_4z.com	2, 1813, 91
5zffxtbr-bs@CouponXplorer_5z.com	1, 2, 0
9tffxtbr-bs@InternetSpeedTracker_9t.com	0, 14, 0
Flags: needinfo?(kmaglione+bmo)
Okay, so I don't think there's anything to do here. If there's a strong correlation between any of these add-ons and crashes in Firefox, please file independent bugs for them.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Product: addons.mozilla.org → Toolkit
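
The naming convention discussed in this bug can be checked mechanically against an add-on inventory (for example, IDs copied out of about:support). The following is an added example, not part of the bug thread or any Mozilla tooling; the pattern is inferred only from the IDs listed above, the sample inventory is constructed, and a match only shows that an ID follows the convention.

```python
import re
from collections import defaultdict

# Convention visible in the IDs listed in this bug (an observation from the
# thread, not a Mozilla rule): <2-char code>ffxtbr[-bs]@<Product>[_<code>].com
FAMILY_RE = re.compile(
    r"^(?P<code>[0-9a-z]{2})ffxtbr(?P<bs>-bs)?@"
    r"(?P<product>[A-Za-z]+?)(?:_(?P<suffix>[0-9a-z]{2}))?\.com$"
)

def classify(addon_id):
    """Return the parsed parts of a matching ID, or None if it does not match."""
    m = FAMILY_RE.match(addon_id.strip())
    if not m:
        return None
    suffix = m.group("suffix")
    return {
        "id": addon_id.strip(),
        "code": m.group("code"),
        "product": m.group("product"),
        "bs_variant": m.group("bs") is not None,
        # gtffxtbr@GamingWonderland.com carries no suffix; otherwise the
        # suffix repeats the leading code.
        "code_matches_suffix": suffix is None or suffix == m.group("code"),
    }

def group_by_product(addon_ids):
    """Group matching IDs by product name; non-matching IDs are ignored."""
    groups = defaultdict(list)
    for addon_id in addon_ids:
        parsed = classify(addon_id)
        if parsed:
            groups[parsed["product"]].append(parsed)
    return dict(groups)

# Constructed inventory: three IDs from this bug plus two made-up ones.
SAMPLE_INSTALLED = [
    "9tffxtbr@InternetSpeedTracker_9t.com",
    "9tffxtbr-bs@InternetSpeedTracker_9t.com",
    "gtffxtbr@GamingWonderland.com",
    "some-addon@example.org",   # constructed, unrelated
    "ffxtbr@example.com",       # constructed, lacks the 2-char code
]

if __name__ == "__main__":
    for product, hits in group_by_product(SAMPLE_INSTALLED).items():
        print(product, [h["id"] for h in hits])
```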