Closed Bug 1394281 Opened 7 years ago Closed 7 years ago

A malicious popup seems to open an infinity of webpages resulting in FF taking all available memory (OOM | small)

Categories

(Core :: DOM: Security, defect)

55 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1380305

People

(Reporter: novhak, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-dos)

This bug was filed from the Socorro interface and is 
report bp-b1e3eb9a-7159-4ee5-92d6-cb40e0170827.
=============================================================

Dear Bugzilla readers,

I'm not sure it's technically a bug, and not sure either about the concerned component, sorry about that.

A simple way to reproduce the bug, as long as the malicious link is available : http://www.support.microsoft9055afrmsrbfff6242.com.s3-website.eu-central-1.amazonaws.com/?mid=6242&rb=JSbff88f81207b46cc84a30c3e45c05d9b&cid=Qcq0X3iP-pU&pid=74496_1613681&bid=0.006&ip=90.16.159.97&city=Brux&network=afrmsrbfff

(Have fun)

The page (that came to me as an unwanted popup) seems to open a tremendous number of web pages, with more and more text being appended to the same URL. It shows a login dialog as well, likely to prevent the user closing it.

Windows Defender kicks in, quarantining a malicious file in the browser cache (malware ID : "SupportScam:JS/TechBrolo!rfn"). The browser becomes unresponsive, then the system, since it seems it takes all virtual memory it can. Additionally, once the FF process has been killed, restarting it restores the session, including the popup, which can be a pain for users unaware of FF's failsafe mode and not technically oriented. And btw, the browser doesn't have time to crash since this issue almost completely freezes everything (except for memory-to-disk paging activity, that is).

I found a way to limit the consequences of this by setting a system limit on the maximum committed memory per FF process (using Windows job objects, where limits can be defined, achieving what setrlimit(2) does in Linux), and now at least FF crashes without everything freezing (my current setting is 4 GiB).

As I said I'm not sure it's technically a bug, but I feel uncomfortable with the idea that an unwanted popup can crash my browser, or even freeze the whole system.

Imho, it's about time that programs have a memory usage limit, I mean, in which case would a Firefox process need to commit 100 GB, 1 TB of virtual memory ? I suppose there can be cases where it's needed, but I doubt it happens frequently, and for the vast majority of users 4-5 GB would be far more than enough. Maybe a configurable memory limit parameter ?
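
The reporter's workaround uses Windows job objects; the Linux counterpart named in the report, setrlimit(2), is sketched below as an added example that is not part of the bug report or of Firefox. It is Linux-only, and the 512 MiB cap and the child workload are constructed for illustration.

```python
import resource
import subprocess
import sys

MiB = 1024 * 1024

# Constructed child workload: keeps reserving 16 MiB blocks, standing in for a
# process whose memory use grows without bound, and prints how many blocks it
# obtained before the kernel refused the next one.
CHILD = """
blocks = []
try:
    for _ in range(64):
        blocks.append(bytes(16 * 1024 * 1024))
except MemoryError:
    pass
n = len(blocks)
del blocks
print(n)
"""


def run_capped(limit_bytes):
    """Run CHILD with its address space capped at limit_bytes (RLIMIT_AS).

    Returns (exit_code, blocks_allocated). The cap applies to the child only,
    so a runaway allocation fails inside that process instead of pushing the
    whole machine into paging.
    """
    def cap():
        # Executed in the child between fork() and exec().
        _, hard = resource.getrlimit(resource.RLIMIT_AS)
        new = limit_bytes if hard == resource.RLIM_INFINITY else min(limit_bytes, hard)
        resource.setrlimit(resource.RLIMIT_AS, (new, new))

    out = subprocess.run([sys.executable, "-c", CHILD], preexec_fn=cap,
                         capture_output=True, text=True, timeout=60)
    return out.returncode, int(out.stdout.strip())


if __name__ == "__main__":
    code, blocks = run_capped(512 * MiB)
    print(f"exit={code}, 16 MiB blocks obtained under a 512 MiB cap: {blocks}")
```
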
Keywords: csectype-dos, dupeme
I have tried to reproduce this issue, but it seems that the provided URL is no longer available. NovHak, do you know another website where the issue is reproducible?

Also, I am wondering if this issue is related to bug 675574. Gijs, Jesse do you have any thoughts on this?
Flags: needinfo?(novhak)
Flags: needinfo?(jruderman)
Flags: needinfo?(gijskruitbosch+bugs)
Without access to the URI, there's not a lot I can say here.

Reporter, do you have the popup blocker disabled, either altogether or for sites on amazonaws.com (you should be able to check your popup exception lists in the preferences/options) ?
Blocks: eviltraps
Flags: needinfo?(gijskruitbosch+bugs)
Heck, how I tried to find this popup again. This is the first time I'm asking for a nasty popup, but I guess it's when you want things that you don't get them :D

The search terms "Erreur de securitte", which could translate into English as "Securitty error" (with two Ts) may help find some information, as it seems to direct to this precise problem. I've seen people complaining about this months ago already, so it's not new and I suppose it will come back some day, considering it's still effective.

Fwiw, here's one mention of it : http://www.freezingcomputer.com/erreur-de-securitte-erreur-dw6vb36-01-82-88-89-30-removal/

One of those many websites advertising their malware cleaning programs...

I don't clear the needinfo request as I will continue looking for it in the coming days.

Concerning my browser configuration, I don't like exceptions and after checking, my popup blocker indeed has none and is activated.

I guess I was visiting https://pirateproxy.cam/ when it happened to me, but the scam being in French means you're unlikely to get it unless it has translated versions or you're detected as French somehow.
Finally, it paid off ! My browser just crashed, I have a new URL, hope you will be able to use it before it vanishes again : http://www.support.microsoft21038afrmsrbfff4764.com.s3-website.eu-central-1.amazonaws.com/?mid=4764&rb=JS7a28667d5f9c4a51ad6c28500333d2cc&cid=BADAbDMgdy0&pid=74496_1613681&bid=0.004&ip=86.222.12.144&city=Thorign%C3%A9&network=afrmsrbfff4764

FF's history shows the following URL just preceding the nasty part : https://b.codeonclick.com/script/wait.php?stamat=m%7C%2C%2CwiLWYjeToGU3BP9GH0dEdHP3xP.a83%2CipFhHQooMwajm0r9la_pZYrzNTrJnOPG0sfsJIDc2WpA-6g0bAayjPQyqVlgn9YkkLH47io1xuMAbm6t7d6UHl2nPsxf4c1qvb9RuWM2Yk0PkLr6zAStGnOAUVLixwnEZhN3DRwiEQE0J5EdfhlQ2RYyc0R5bVdUVNj_MvEXKMsEXV2ZLOIgt6a6sRJZNiS3TbL4NdrxWYGIqJqZRwU8bWgcV3rnmW4t2n6hfEyeuGrtRvSgWcV6kcWqCdCzItwwLH6SsjKQmMq09GT0aqZ0mncYbrILzLkQaCa9BB3fW5IS3aXqdAjtY9-sonv39cEwif2a9GwMxmLHy3CZm0QrI1oQngXStEiaHk1oLn9anbfaiBVBtZiaPbZKlu5nkdXO&ttc=xxxtvrx4c

I tried visiting this URL a few times, it doesn't always lead to that nasty interruption but soon enough I got it again a second time.

Here's the second nasty event URL, different from the first one : http://www.support.microsoft9135yfrmsrbs6232.com.s3-website.eu-central-1.amazonaws.com/?cid=Qh-BMDoKnFk&pid=92981_89741&bid=0.002&ip=86.222.12.144&city=Thorign%C3%A9&network=yfrmsrbs6232

This one was different, since I had no login window the first time, and here I had one popping.

But despite having visited the previous "codeonclick" link, it refreshed itself somehow and directed here before going nasty : https://b.codeonclick.com/script/wait.php?stamat=m%7C%2C%2CAiK64iaroGU3BJ9GH0dEdHP3xP.fae%2C62qGDYgkQ_yvMxfOxxJxAsEI6qoB2lVGmNLjS5ifpYsr2OPsCzXV91i40843oh-28Vs8iF0KnJJseS7ShxhItk2DYPZST-bUfNzJYqdrNExb0ZxHHPqGKQqEJU0BrJJHFg5XXCYo06u_xMHBpnlLYaCZKURXNfE_-AHkYLXx-zC41gePj22mtC1kLUbZ5b5oDFEFhDu3itMn43YcqFJgCvs6_jkyAzEd3YPsGDvu_TeN01Xa-fIT0pr9r-uUjEVLUN3MGbKPzaekP7_UJjT8Y1_AQD_wBEW_qEKFW1AWRfGb-olvEHEUUYWiGaU2689faNenrSJtYjJWQj38ioKHDSlQac61tbnTRzNgCQg2-sZKQERwhw2WE3hi-mcUNDy2HGIUNgXDLQ-multTwZahwg%2C%2C

I confirm what I said in my previous post, this was experienced while visiting pirateproxy.cam.

Hope it's clear enough here, anyway I remain available for any questions.
Flags: needinfo?(novhak)
OK, so I can see that this site is trying to scam the user, but (testing on Linux), I can close it fairly easily by clicking the tab close button. Does that not work for you? I also only get 1 of these pages, not lots of additional ones...
Flags: needinfo?(novhak)
FWIW, it looks like https://malwaretips.com/blogs/remove-c-codeonclick-com/ suggests that this may be the result of adware on your machine. Having a good hard look at everything listed under installed programs on your machine may be helpful.
Concerning the first mentioned version of the scam, I didn't try to close it and just waited until the browser (shortly) took up all the 4GiB memory limit and crashed. Now I just retried and indeed I was able to close it, but an uninformed user would likely have to do this relatively quickly, because at some time the lack of physical memory and constant paging would make it very difficult.

The second one however (with the login window) is more difficult to close because of this login dialog. The close tab button doesn't work, and trying to close the login window immediately opens up another. Eventually things seem to remain calm until you first try to close that login window, and then it begins the process of taking all available memory. My trick here is to keep Ctrl+W pressed before closing that login window, then I close it which immediately closes all browser windows and tabs. Unfortunately it's not available any more, but I managed to find another of the same kind : http://www.support.microsoft9019yfrmsrbcls6214.com.s3-website.eu-central-1.amazonaws.com/?cid={conversion}&pid={pubfeed}_{subid}&bid={bid}&ip={ip}&city={city}&network=yfrmsrbcls6214&cid=VsuVnAKMzK8&pid=75458_1613681&bid=0.0042&ip=86.222.12.144&city=Thorign%C3%A9&network=yfrmsrbcls

If you look at your browser history, you will likely see many similar webpages visited after this one, that's why I said it seems to open an infinity of web pages, it doesn't seem to open new windows or tabs though.

Concerning the fact that my computer may be infected, I won't play the arrogant guy telling he's too good at computers and that would never happen to him, however if it was the case I suppose I would get popups even when not visiting suspicious sites, but here it happens only when visiting this one (I'm not in the habit of visiting suspicious sites very often).

I noticed you said you were using Linux, maybe you will get a different experience, especially since its memory management, or FF's implementation, may be better. I'm using Windows 10 Pro 64-bit btw.

Last but not least, when I get this scam, Windows Defender quarantines a file that's in the browser cache, could it be possible that removing a cache file from a live browser makes it fail ?
Flags: needinfo?(novhak)
Component: Untriaged → DOM: Security
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
The problem is not opening many tabs, it opens one popup at most, but the history shows a tremendous number of pages visited, something like :

http://malicious.url/?param=0
http://malicious.url/?param=01
http://malicious.url/?param=012
http://malicious.url/?param=0123
http://malicious.url/?param=01234
http://malicious.url/?param=012345

You get the idea. But no additional tab or window is opened, technically I don't know how it manages to eat up all system memory, but I guess it's related to visiting that many pages.

If necessary, I can restart my quest searching for one of these URLs...
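
The history pattern described in the comment above can be checked for mechanically. The following is an added example, not part of the bug thread: it scans exported history entries for runs where one page is revisited with an ever-longer query string. The entry format, the thresholds and the sample data are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def page_key(url):
    """Scheme, host and path: the part that stays constant while the query grows."""
    p = urlsplit(url)
    return (p.scheme, p.netloc.lower(), p.path or "/")


def find_growing_runs(history, min_run=5, max_gap=2.0):
    """Return (page_key, entry_count, first_ts, last_ts) for each run of
    consecutive entries on one page where every query string is the previous
    one with more text appended.

    history: list of (unix_timestamp, url) in visit order (assumed format).
    min_run / max_gap (seconds between entries) are assumed thresholds.
    """
    runs, start = [], 0
    for i in range(1, len(history) + 1):
        extends = False
        if i < len(history):
            (t0, u0), (t1, u1) = history[i - 1], history[i]
            q0, q1 = urlsplit(u0).query, urlsplit(u1).query
            extends = (page_key(u0) == page_key(u1)
                       and len(q1) > len(q0) and q1.startswith(q0)
                       and t1 - t0 <= max_gap)
        if not extends:
            # The run that began at `start` ends at entry i - 1.
            if i - start >= min_run:
                runs.append((page_key(history[start][1]), i - start,
                             history[start][0], history[i - 1][0]))
            start = i
    return runs


# Constructed sample: ordinary browsing around the placeholder URLs quoted above.
SAMPLE = [(1000.0, "https://news.example/"),
          (1030.0, "https://news.example/article?id=7")]
SAMPLE += [(1060.0 + 0.1 * n, "http://malicious.url/?param=" + "012345"[:n + 1])
           for n in range(6)]
SAMPLE += [(1200.0, "https://news.example/article?id=71")]

if __name__ == "__main__":
    for key, count, first, last in find_growing_runs(SAMPLE):
        print(f"{key[1]}{key[2]}: {count} entries in {last - first:.1f}s")
```
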
Crash Signature: [@ OOM | small]
Flags: needinfo?(jruderman)
Keywords: dupeme