Closed Bug 1152966 Opened 9 years ago Closed 9 years ago

Blocklist bad versions of Ad Limiter

Categories

(Toolkit :: Blocklist Policy Requests, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
2015-04

People

(Reporter: jorgev, Assigned: jorgev)

Details

(Whiteboard: [qa-])

It looks like there are a bunch of bogus versions for the Ad Limiter add-on (https://addons.mozilla.org/addon/ad-limiter/). We should block everything above version 100.0.
Please provide some info on where these bogus versions are coming from. Not finding anything in Google. Is it being called something else? Thanks.
Flags: needinfo?(jorge)
Trying to get add-on version stats. The stats page
https://addons.mozilla.org/en-US/firefox/addon/ad-limiter/statistics/usage/versions/?last=30
is failing with Firefox errors, because there are so many different bogus versions that the stats page blows up:

SyntaxError: JSON.parse: unexpected end of data at line 1 column 444723 of the JSON data stats-min.js:6:15278
SyntaxError: JSON.parse: unexpected end of data at line 1 column 446675 of the JSON data stats-min.js:6:15278

Looking at the raw data, each bogus version seems to have a semi-random version.  All valid versions are in the range 1.3 to 2.0.  Bogus versions range from 2.17.71 to 1009.99.992.  All bogus versions have three-number versions, while all legitimate versions have two-number versions.  So please block everything below 1.3 and above 2.2 (so I can release new versions), which should get things under control until extension signing goes live.  Thanks.  (John Nagle/Ad Limiter).

I still want to see the malware.
(In reply to John Nagle from comment #2)
> Trying to get add-on version stats. The stats page
> https://addons.mozilla.org/en-US/firefox/addon/ad-limiter/statistics/usage/
> versions/?last=30
> is failing with Firefox errors, because there are so many different bogus
> versions that the stats page blows up:
> 
> SyntaxError: JSON.parse: unexpected end of data at line 1 column 444723 of
> the JSON data stats-min.js:6:15278
> SyntaxError: JSON.parse: unexpected end of data at line 1 column 446675 of
> the JSON data stats-min.js:6:15278

I ran into the same problem and filed bug 1152965 for that.

> Looking at the raw data, each bogus version seems to have a semi-random
> version.  All valid versions are in the range 1.3 to 2.0.  Bogus versions
> range from 2.17.71 to 1009.99.992.  All bogus versions have three-number
> versions, while all legitimate versions have two-number versions.  So please
> block everything below 1.3 and above 2.2 (so I can release new versions),
> which should get things under control until extension signing goes live. 
> Thanks.  (John Nagle/Ad Limiter).

Okay.

> I still want to see the malware.

The only evidence I have of it existing are the stats. Malware is distributed in ways that can be hard to detect or reproduce, so I can't really help you on that front.
Flags: needinfo?(jorge)
Are any other add-ons showing a similar attack, with large numbers of bogus versions?  That's worth a check of Mozilla's logging data.  Select for any add-on with more than, say, 100 versions. A more detailed check is to check for known add-ons with versions not known to AMO. 

If you have that data in an SQL database, it's one SELECT statement.
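
The two checks suggested in the comment above, written out as an added example that is not part of the bug thread and is not Mozilla's code. The table names, column names and sample rows are hypothetical and constructed for illustration (only the version strings 2.17.71 and 1009.99.992 come from this page), and a real run would use a threshold such as the 100 mentioned above.

```python
import sqlite3

# Constructed sample data; the schema is hypothetical, not AMO's real one.
KNOWN = [("ad-limiter", v) for v in ("1.3", "1.4", "2.0")] + [("other-addon", "0.9")]
REPORTED = [  # (addon, version reported by clients, daily users)
    ("ad-limiter", "2.0", 4000), ("ad-limiter", "1.4", 300),
    ("ad-limiter", "2.17.71", 12), ("ad-limiter", "1009.99.992", 9),
    ("ad-limiter", "1000.12.345", 7), ("other-addon", "0.9", 50),
]

def build_db():
    """Load the constructed rows into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE known_versions (addon TEXT, version TEXT);
        CREATE TABLE reported_usage (addon TEXT, version TEXT, users INTEGER);
    """)
    db.executemany("INSERT INTO known_versions VALUES (?, ?)", KNOWN)
    db.executemany("INSERT INTO reported_usage VALUES (?, ?, ?)", REPORTED)
    return db

def addons_with_many_versions(db, threshold):
    """Coarse check: add-ons reporting more distinct versions than threshold."""
    return db.execute("""
        SELECT addon, COUNT(DISTINCT version) AS n
        FROM reported_usage
        GROUP BY addon
        HAVING COUNT(DISTINCT version) > ?
        ORDER BY n DESC""", (threshold,)).fetchall()

def unknown_versions(db):
    """Detailed check: reported versions that were never published."""
    return db.execute("""
        SELECT r.addon, COUNT(DISTINCT r.version) AS bogus, SUM(r.users) AS users
        FROM reported_usage r
        LEFT JOIN known_versions k
          ON k.addon = r.addon AND k.version = r.version
        WHERE k.version IS NULL
        GROUP BY r.addon
        ORDER BY bogus DESC""").fetchall()

if __name__ == "__main__":
    db = build_db()
    print(addons_with_many_versions(db, 3))
    print(unknown_versions(db))
```

The second query keeps working if the bogus version numbers start to look valid, since it compares against the published list rather than the shape of the version string.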
Yes, there are multiple add-ons with that problem. There's no easy fix, though, and malware developers will eventually resort to using more valid-looking version numbers. The real solution to this problem is extension signing, which we will deploy later this year.
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i890

I ended up blocking 2.3 and above, to give you a bit more space.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [qa-]
Target Milestone: --- → 2015-04
They got Flashblock, too.  Check out the raw JSON for version usage statistics.

https://addons.mozilla.org/en-us/firefox/addon/flashblock/statistics/versions-day-20150409-20150411.json

Hundreds of 1000.xxx.xxx version number entries.  About 5,000 installs.
Depends on: 1213529
Product: addons.mozilla.org → Toolkit