Closed Bug 1181737 Opened 9 years ago Closed 9 years ago

crash in *.xpi@0x1f73

Categories

(Firefox :: General, defect)

All
Windows
defect
Not set
critical

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox39 - fixed
firefox40 + fixed
firefox41 + fixed
firefox42 + fixed

People

(Reporter: philipp, Unassigned)

Details

(Keywords: crash, topcrash-win)

Crash Data

This bug was filed from the Socorro interface and is report bp-4ab22112-ec2e-41c5-a15f-f5fbf2150708.
=============================================================

there is a new widespread crash triggered by an adware/malicious extension. since they have a randomized id, the signatures vary: https://crash-stats.mozilla.com/search/?signature=~}.xpi%400x1f73&_facets=version&_facets=address&_facets=platform_version&_facets=useragent_locale&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-useragent_locale
[Tracking Requested - why for this release]:

This is really bad. This doesn't show up on our topcrash reports because the signatures are always different, but in total these are something like 18% of crashes on release last week.
At least the PE metadata is consistent among the crashes:

    Timestamp:        Fri Jul 03 18:44:45 2015 (5597105D)
    CheckSum:         00017249
    ImageSize:        0000A000
    File version:     1.0.5662.28337
    Product version:  1.0.5662.28337

Search results for that version number indicate that this is a Yontoo adware.
dmajor, is it possible to determine the full path of the *.xpi DLL from the minidumps? I'm interested to know what directory it's coming from.

Since .xpi is never an appropriate DLL suffix, do you think it would be safe to blocklist *.xpi ?
Flags: needinfo?(dmajor)
It's in %TEMP%: C:\Users\...\AppData\Local\Temp\{...}.xpi

Not knowing who else is using .xpi (whether they're supposed to or not), I think blocking *.xpi might be risky. We might be able to do a more targeted block on {UUID}.xpi or this particular timestamp + version number.
Flags: needinfo?(dmajor)
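As an added example (not code from this bug or from Mozilla), a small Python check that reads the three PE header fields quoted above (TimeDateStamp, CheckSum, SizeOfImage) straight from a file and flags a `.xpi` that is really a PE image, so a triage script can match the targeted indicators dmajor suggests instead of blocking every *.xpi. The version string lives in the VERSIONINFO resource and is not parsed here; `build_sample` constructs a synthetic, headers-only PE32 image so the check can be exercised offline.

```python
import struct

# PE metadata shared by the crashing *.xpi modules (values from the bug report above).
SUSPECT_TIMESTAMP = 0x5597105D   # Fri Jul 03 18:44:45 2015
SUSPECT_CHECKSUM = 0x00017249
SUSPECT_IMAGESIZE = 0x0000A000


def pe_metadata(data: bytes):
    """Return (TimeDateStamp, CheckSum, SizeOfImage) from a PE image, or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return None
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    timestamp, = struct.unpack_from("<I", data, coff + 4)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    if opt_size < 68 or len(data) < opt + 68:
        return None
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        return None
    image_size, = struct.unpack_from("<I", data, opt + 56)
    checksum, = struct.unpack_from("<I", data, opt + 64)
    return timestamp, checksum, image_size


def classify(name: str, data: bytes) -> str:
    """'clean' (not a PE), 'pe-in-xpi' (a DLL posing as an add-on), or 'yontoo-indicator'."""
    meta = pe_metadata(data)
    if meta is None:
        return "clean"         # a genuine .xpi add-on is a zip archive, never an MZ/PE image
    if meta == (SUSPECT_TIMESTAMP, SUSPECT_CHECKSUM, SUSPECT_IMAGESIZE):
        return "yontoo-indicator"
    return "pe-in-xpi" if name.lower().endswith(".xpi") else "clean"


def build_sample(timestamp: int, checksum: int, image_size: int) -> bytes:
    """Constructed headers-only PE32 image for offline testing (not a real binary)."""
    dos = bytearray(b"MZ" + bytes(0x3E))                  # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE signature follows
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 224, 0x2102)
    opt = bytearray(224)                                  # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 56, image_size)
    struct.pack_into("<I", opt, 64, checksum)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Run `classify(p.name, p.read_bytes())` over the `{UUID}.xpi` files in `%TEMP%` to get one verdict per file.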
According to the facets in the search in comment #0, this at least happens on 38,29,40,41 (and a number of older versions) and all Windows versions from XP to 10.
Nomming for 39 in case we need to take this in a point release.
I sent a support request to Yontoo that includes this bug number.
ni Florin in case his team can help by reproducing this in a VM for further debugging info.
Flags: needinfo?(florin.mezei)
(In reply to Lawrence Mandel [:lmandel] (use needinfo) from comment #9)
> ni Florin in case his team can help by reproducing this in a VM for further
> debugging info.

Note that when it comes to testing with adware/malware we are a bit limited in the sense that we must use a VM disconnected from the network, so we avoid infecting the entire company. If you think the issue can be reproduced under such circumstances (e.g. just infect the VM and start/use Firefox with no Internet access) then we're more than happy to help out. So please see if you can provide more info on what actions may cause the crash and we'll see if we can set something up.
I started looking into this and I'm having a really hard time finding any Yontoo toolbar/software. It seems like they've "discontinued" their product on their "official" webpage:

- http://www.yontoo.com/Download.aspx
- http://www.yontoo.com/AppMarket.aspx

I've spent at least two hours searching all the different search engines but every time I've found anything related to Yontoo, it either pointed me to the discontinued website or it downloaded something completely different which didn't include Yontoo. (like a download manager which included other crap)

I searched a few of the support forums to see if I could find any information on what applications users were downloading when they got infected and found "Best Video Downloader" but that also seems to be discontinued.

- http://www.bestvideodownloader.com/

I did manage to find some random XPI (YontooFFClient.xpi) but it wouldn't install on any of the newer builds. I'll go back and see if I can get it installed on an older version like fx29 as per comment # 6.

I searched https://www.virustotal.com and found two fairly recent submissions relating to Yontoo on Windows. I emailed them and asked if they could send me the two files listed below. If that doesn't work, there seems to be a LOT of OSX submissions as well so I'll get a VM going and see if I can reproduce it on OSX. (BTW are we seeing this at all on OSX??)

* https://www.virustotal.com/en/file/7a939c0e66225ffbc02a4cdb04c129e0a70214dbd3fd0f5986834dfe10e54ff5/analysis/
* https://www.virustotal.com/en/file/5413b8aff50a0800cd4e7ebbb11a0761c120183d8e20c58fba5dcb2cb1505fd4/analysis/

Florin, perhaps SV will have more luck finding Yontoo out there. I'll do a bit more searching via support forums and see if I can find any information on any applications that come with Yontoo.
this signature seems to decline on its own now (maybe the malware is updating to avoid crashiness or av vendors start detecting it).
the number of crashes with this signature over time pretty much correlates with the recent spike in crashiness at https://crash-analysis.mozilla.com/rkaiser/crash-report-tools/longtermgraph/?fxrel:

2015-07-01 14,164
2015-07-02 12,938
2015-07-03 10,358
2015-07-04 22,062
2015-07-05 15,059
2015-07-06 17,676
2015-07-07 39,227
2015-07-08 39,374
2015-07-09 3,631
2015-07-10 648
2015-07-11 293
And it continues:
2015-07-12 185
2015-07-13 157 (incomplete, still 6 hours of the UTC day remaining)

The typical risk with declining rates on a severe crash is that the affected users merely left, and the underlying issue may still be present on the next release channel. However in this case there are reasons to believe that the fix is real:

* It wasn't the type of perma-startup-crash that leaves users no choice but to leave
* We've seen unrelated crashes (at extremely low volume) on version 1.0.5667.19566 with timestamp July 8, which would seem to be the version that contains the fix
* No huge spikes on .xpi offsets other than 0x1f73, so it doesn't look like the signature merely moved elsewhere

Let's keep an eye on the crash rates just to be sure, but at the moment it looks like no action is required on the Firefox side.
I received the files I requested from VirusTotal (comment # 11) but didn't have any luck reproducing the crash once the malware/adware was installed. I used the browser for several hours and left a bunch of videos playing for about 3 hours without any luck getting a crash.

Yontoo had a bunch of different products (Buzzdock, PageRage, BetterBrows, etc..) but I'm having a hard time finding them. Yontoo discontinued all of their apps and the ones that I do eventually find are basically other malware claiming to be Yontoo.
as the numbers are continuing to dwindle (57 reports yesterday), i'm marking the bug as resolved.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
Flags: needinfo?(florin.mezei)