Bug 1181737
Opened 9 years ago
Closed 9 years ago
crash in *.xpi@0x1f73
Categories
(Firefox :: General, defect)
People
(Reporter: philipp, Unassigned)
(Keywords: crash, topcrash-win)
This bug was filed from the Socorro interface and is report bp-4ab22112-ec2e-41c5-a15f-f5fbf2150708.
=============================================================
There is a new widespread crash triggered by an adware/malicious extension. Since they have a randomized id, the signatures vary:
https://crash-stats.mozilla.com/search/?signature=~}.xpi%400x1f73&_facets=version&_facets=address&_facets=platform_version&_facets=useragent_locale&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-useragent_locale
[Tracking Requested - why for this release]: This is really bad. This doesn't show up on our topcrash reports because the signatures are always different, but in total these are something like 18% of crashes on release last week.
status-firefox39: --- → affected
status-firefox40: --- → affected
status-firefox41: --- → affected
status-firefox42: --- → ?
tracking-firefox40: --- → ?
tracking-firefox41: --- → ?
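The ranking problem the report and the tracking request describe (every report carries a different `{GUID}.xpi` module name, so a single crash is spread over thousands of one-off signatures and never reaches the top-crash list) can be worked around by normalizing signatures before counting. The following is an added example written for this page; it is not Socorro's code and not anything posted in the bug. The report rows are constructed sample data in the shape of the search facets (signature, product version), and the regular expression assumes the module name is a braced 8-4-4-4-12 hex GUID, which is what the `~}.xpi@0x1f73` search above is matching on.

```python
import re
from collections import Counter

# Constructed sample of crash-report rows (signature, product version).
# These are made-up rows, not data from the bug's Socorro search; only the
# "{random id}.xpi@0x1f73" shape follows the report.
SAMPLE_REPORTS = [
    ("{1a2b3c4d-0000-4000-8000-000000000001}.xpi@0x1f73", "39.0"),
    ("{1a2b3c4d-0000-4000-8000-000000000002}.xpi@0x1f73", "39.0"),
    ("{1a2b3c4d-0000-4000-8000-000000000003}.xpi@0x1f73", "40.0b1"),
    ("{1a2b3c4d-0000-4000-8000-000000000004}.xpi@0x1f73", "38.0.5"),
    ("{1a2b3c4d-0000-4000-8000-000000000005}.xpi@0x2a10", "39.0"),
    ("mozilla::dom::Foo::Bar", "39.0"),
    ("mozilla::dom::Foo::Bar", "39.0"),
    ("mozilla::dom::Foo::Bar", "39.0"),
    ("js::gc::Baz", "39.0"),
    ("EMPTY: no crashing thread identified", "39.0"),
]

# A GUID-named module followed by an offset into it. "module@offset"
# signatures are what a crash reporter emits when it has no symbols for
# the crashing module.  (Assumed GUID layout: braced 8-4-4-4-12 hex.)
_GUID_MODULE_SIG = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
    r"\.(?P<ext>[a-z0-9]+)@0x(?P<offset>[0-9a-f]+)$",
    re.IGNORECASE,
)


def normalize_signature(signature):
    """Collapse '{random-guid}.ext@0xOFFSET' into '*.ext@0xOFFSET'.

    Signatures that do not match are returned unchanged, so ordinary
    symbolized C++ signatures keep their identity.
    """
    m = _GUID_MODULE_SIG.match(signature)
    if not m:
        return signature
    return "*.%s@0x%s" % (m.group("ext").lower(), m.group("offset").lower())


def rank_signatures(reports, normalize=True):
    """Return [(signature, count, share_of_total)] sorted by count, highest first."""
    counts = Counter(
        normalize_signature(sig) if normalize else sig for sig, _version in reports
    )
    total = sum(counts.values())
    return [(sig, n, n / total) for sig, n in counts.most_common()]


def versions_for(reports, normalized_signature):
    """Sorted list of product versions seen for one normalized signature."""
    return sorted(
        {v for sig, v in reports if normalize_signature(sig) == normalized_signature}
    )


if __name__ == "__main__":
    # Raw ranking: each GUID signature counts once and a real symbolized
    # signature wins.  Normalized ranking: the .xpi crash moves to the top.
    print("raw top signature:       ", rank_signatures(SAMPLE_REPORTS, normalize=False)[0])
    print("normalized top signature:", rank_signatures(SAMPLE_REPORTS)[0])
    print("versions affected:       ", versions_for(SAMPLE_REPORTS, "*.xpi@0x1f73"))
```

On the constructed rows the raw ranking puts a symbolized signature first with 3 of 10 reports, while the normalized ranking puts `*.xpi@0x1f73` first with 4 of 10; on real data this is the difference between an invisible crash and an 18% share, and the version facet falls out of the same grouping.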
At least the PE metadata is consistent among the crashes:
Timestamp: Fri Jul 03 18:44:45 2015 (5597105D)
CheckSum: 00017249
ImageSize: 0000A000
File version: 1.0.5662.28337
Product version: 1.0.5662.28337
Search results for that version number indicate that this is a Yontoo adware.
Comment 3•9 years ago
dmajor, is it possible to determine the full path of the *.xpi DLL from the minidumps? I'm interested to know what directory it's coming from. Since .xpi is never an appropriate DLL suffix, do you think it would be safe to blocklist *.xpi ?
Flags: needinfo?(dmajor)
Approving for tracking for FF40, 41 and 42.
It's in %TEMP%: C:\Users\...\AppData\Local\Temp\{...}.xpi Not knowing who else is using .xpi (whether they're supposed to or not), I think blocking *.xpi might be risky. We might be able to do a more targeted block on {UUID}.xpi or this particular timestamp + version number.
Flags: needinfo?(dmajor)
Keywords: topcrash-win
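The "more targeted block" proposed above (match on `{UUID}.xpi` plus the header values from comment 2 rather than on every `*.xpi`) comes down to reading three fields out of the PE headers and combining them with a file-name check. The following is an added example for this page, not Firefox's DLL blocklist code and not anything posted in the bug. It assumes the PE/COFF header layout (e_lfanew at 0x3C, the 20-byte COFF file header after the 4-byte PE signature, SizeOfImage at +56 and CheckSum at +64 of the optional header, which holds for both PE32 and PE32+), takes the known-bad timestamp, checksum and image size from comment 2, and builds a constructed header-only PE image for testing instead of using a real DLL. The TimeDateStamp 0x5597105D decodes to 2015-07-03 22:44:45 UTC; the 18:44:45 quoted in comment 2 is the same instant printed in a UTC-4 local zone, which is why the block below reports UTC.

```python
import re
import struct
from collections import namedtuple
from datetime import datetime, timezone

PEInfo = namedtuple("PEInfo", "timestamp checksum size_of_image magic")

# Header values quoted in comment 2 for the crashing module.
KNOWN_BAD_TIMESTAMP = 0x5597105D
KNOWN_BAD_CHECKSUM = 0x00017249
KNOWN_BAD_IMAGE_SIZE = 0x0000A000

# Only a GUID-named "{...}.xpi" is a candidate.  A bare "*.xpi" rule is the
# broad block the thread considered risky, so it is deliberately not used.
# (Assumed GUID layout: braced 8-4-4-4-12 hex.)
_GUID_XPI_NAME = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}\.xpi$",
    re.IGNORECASE,
)


def parse_pe_header(data):
    """Read TimeDateStamp, CheckSum and SizeOfImage from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, _nsections, timestamp, _symtab, _nsyms, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 68:
        raise ValueError("optional header too short to hold CheckSum")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    (checksum,) = struct.unpack_from("<I", data, opt + 64)
    return PEInfo(timestamp, checksum, size_of_image, magic)


def timestamp_utc(info):
    """TimeDateStamp as a UTC string (debuggers usually print it in local time)."""
    return datetime.fromtimestamp(info.timestamp, tz=timezone.utc).strftime(
        "%Y-%m-%d %H:%M:%S"
    )


def should_block(filename, info):
    """Targeted rule: GUID-named .xpi AND the exact header values from comment 2."""
    return bool(_GUID_XPI_NAME.match(filename)) and (
        info.timestamp == KNOWN_BAD_TIMESTAMP
        and info.checksum == KNOWN_BAD_CHECKSUM
        and info.size_of_image == KNOWN_BAD_IMAGE_SIZE
    )


def build_pe(timestamp, checksum, size_of_image, magic=0x10B):
    """Constructed minimal header-only PE image for testing (not a real DLL)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x2102)
    opt = bytearray(224)  # size of a PE32 optional header
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<I", opt, 64, checksum)
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    bad = parse_pe_header(build_pe(KNOWN_BAD_TIMESTAMP, KNOWN_BAD_CHECKSUM, KNOWN_BAD_IMAGE_SIZE))
    print(bad, timestamp_utc(bad))
    print(should_block("{1a2b3c4d-0000-4000-8000-000000000001}.xpi", bad))  # targeted: blocked
    print(should_block("legit.xpi", bad))  # not GUID-named: left alone
```

Requiring all three header values keeps the rule from catching an unrelated `{GUID}.xpi` module; a rebuilt version of the adware with a new timestamp would need its own entry, which is the trade-off of a targeted block over the `*.xpi` wildcard.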
Comment 6•9 years ago
According to the facets in the search in comment #0, this at least happens on 38, 29, 40, 41 (and a number of older versions) and all Windows versions from XP to 10.
Comment 7•9 years ago
Nomming for 39 in case we need to take this in a point release.
tracking-firefox39:
--- → ?
Comment 8•9 years ago
I sent a support request to Yontoo that includes this bug number.
Comment 9•9 years ago
ni Florin in case his team can help by reproducing this in a VM for further debugging info.
Flags: needinfo?(florin.mezei)
Comment 10•9 years ago
(In reply to Lawrence Mandel [:lmandel] (use needinfo) from comment #9)
> ni Florin in case his team can help by reproducing this in a VM for further
> debugging info.
Note that when it comes to testing with adware/malware we are a bit limited in the sense that we must use a VM disconnected from the network, so we avoid infecting the entire company. If you think the issue can be reproduced under such circumstances (e.g. just infect the VM and start/use Firefox with no Internet access) then we're more than happy to help out. So please see if you can provide more info on what actions may cause the crash and we'll see if we can set something up.
Comment 11•9 years ago
I started looking into this and I'm having a really hard time finding any Yontoo toolbar/software. It seems like they've "discontinued" their product on their "official" webpage:
- http://www.yontoo.com/Download.aspx
- http://www.yontoo.com/AppMarket.aspx
I've spent at least two hours searching all the different search engines but every time I've found anything related to Yontoo, it either pointed me to the discontinued website or it downloaded something completely different which didn't include Yontoo. (like a download manager which included other crap)
I searched a few of the support forums to see if I could find any information on what applications users were downloading when they got infected and found "Best Video Downloader" but that also seems to be discontinued.
- http://www.bestvideodownloader.com/
I did manage to find some random XPI (YontooFFClient.xpi) but it wouldn't install on any of the newer builds. I'll go back and see if I can get it installed on an older version like fx29 as per comment # 6.
I searched https://www.virustotal.com and found two fairly recent submissions relating to Yontoo on Windows. I emailed them and asked if they could send me the two files listed below. If that doesn't work, there seems to be a LOT of OSX submissions as well so I'll get a VM going and see if I can reproduce it on OSX. (BTW are we seeing this at all on OSX??)
* https://www.virustotal.com/en/file/7a939c0e66225ffbc02a4cdb04c129e0a70214dbd3fd0f5986834dfe10e54ff5/analysis/
* https://www.virustotal.com/en/file/5413b8aff50a0800cd4e7ebbb11a0761c120183d8e20c58fba5dcb2cb1505fd4/analysis/
Florin, perhaps SV will have more luck finding Yontoo out there. I'll do a bit more searching via support forums and see if I can find any information on any applications that come with Yontoo.
Comment 12•9 years ago (Reporter)
This signature seems to be declining on its own now (maybe the malware is updating to avoid crashiness or AV vendors are starting to detect it). The number of crashes with this signature over time pretty much correlates with the recent spike in crashiness at https://crash-analysis.mozilla.com/rkaiser/crash-report-tools/longtermgraph/?fxrel:
2015-07-01 14,164
2015-07-02 12,938
2015-07-03 10,358
2015-07-04 22,062
2015-07-05 15,059
2015-07-06 17,676
2015-07-07 39,227
2015-07-08 39,374
2015-07-09 3,631
2015-07-10 648
2015-07-11 293
Comment 13•9 years ago
And it continues:
2015-07-12 185
2015-07-13 157 (incomplete, still 6 hours of the UTC day remaining)
The typical risk with declining rates on a severe crash is that the affected users merely left, and the underlying issue may still be present on the next release channel. However in this case there are reasons to believe that the fix is real:
* It wasn't the type of perma-startup-crash that leaves users no choice but to leave
* We've seen unrelated crashes (at extremely low volume) on version 1.0.5667.19566 with timestamp July 8, which would seem to be the version that contains the fix
* No huge spikes on .xpi offsets other than 0x1f73, so it doesn't look like the signature merely moved elsewhere
Let's keep an eye on the crash rates just to be sure, but at the moment it looks like no action is required on the Firefox side.
Comment 14•9 years ago
I received the files I requested from VirusTotal (comment # 11) but didn't have any luck reproducing the crash once the malware/adware was installed. I used the browser for several hours and left a bunch of videos playing for about 3 hours without any luck getting a crash. Yontoo had a bunch of different products (Buzzdock, PageRage, BetterBrows, etc.) but I'm having a hard time finding them. Yontoo discontinued all of their apps and the ones that I do eventually find are basically other malware claiming to be Yontoo.
Comment 15•9 years ago (Reporter)
As the numbers are continuing to dwindle (57 reports yesterday), I'm marking the bug as resolved.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
Updated•9 years ago
Flags: needinfo?(florin.mezei)