Status

Firefox
General
--
critical
RESOLVED WORKSFORME
3 years ago
3 years ago

People

(Reporter: philipp, Unassigned)

Tracking

({crash, topcrash-win})

unspecified
All
Windows
crash, topcrash-win
Points:
---

Firefox Tracking Flags

(firefox39- fixed, firefox40+ fixed, firefox41+ fixed, firefox42+ fixed)

Details

(crash signature)

(Reporter)

Description

3 years ago
This bug was filed from the Socorro interface and is report bp-4ab22112-ec2e-41c5-a15f-f5fbf2150708.
=============================================================

there is a new widespread crash triggered by an adware/malicious extension. since they have a randomized id, the signatures vary: https://crash-stats.mozilla.com/search/?signature=~}.xpi%400x1f73&_facets=version&_facets=address&_facets=platform_version&_facets=useragent_locale&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-useragent_locale

Comment 1

3 years ago
[Tracking Requested - why for this release]:

This is really bad. This doesn't show up on our topcrash reports because the signatures are always different, but in total these are something like 18% of crashes on release last week.
status-firefox39: --- → affected
status-firefox40: --- → affected
status-firefox41: --- → affected
status-firefox42: --- → ?
tracking-firefox40: --- → ?
tracking-firefox41: --- → ?

Comment 2

3 years ago
At least the PE metadata is consistent among the crashes:

    Timestamp:        Fri Jul 03 18:44:45 2015 (5597105D)
    CheckSum:         00017249
    ImageSize:        0000A000
    File version:     1.0.5662.28337
    Product version:  1.0.5662.28337

Search results for that version number indicate that this is a Yontoo adware.

Comment 3

3 years ago
dmajor, is it possible to determine the full path of the *.xpi DLL from the minidumps? I'm interested to know what directory it's coming from.

Since .xpi is never an appropriate DLL suffix, do you think it would be safe to blocklist *.xpi ?
Flags: needinfo?(dmajor)

Comment 4

3 years ago
Approving for tracking for FF40, 41 and 42.
tracking-firefox40: ? → +
tracking-firefox41: ? → +
tracking-firefox42: --- → +

Comment 5

3 years ago
It's in %TEMP%: C:\Users\...\AppData\Local\Temp\{...}.xpi

Not knowing who else is using .xpi (whether they're supposed to or not), I think blocking *.xpi might be risky. We might be able to do a more targeted block on {UUID}.xpi or this particular timestamp + version number.
Flags: needinfo?(dmajor)
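A defender-side triage check for the targeted block floated in comment 5, keyed on the PE header fields quoted in comment 2 (timestamp, checksum, image size) plus the {UUID}.xpi-in-Temp path shape. This is an added example, not code from this bug or from Firefox's DLL blocklist; the function names, the sample path and the constructed header bytes are assumptions.

```python
import re
import struct

# PE header values quoted in comment 2 for the crashing {UUID}.xpi DLL.
YONTOO_TIMESTAMP = 0x5597105D   # Fri Jul 03 18:44:45 2015
YONTOO_CHECKSUM = 0x00017249
YONTOO_IMAGESIZE = 0x0000A000

# Comment 5: the module loads from %TEMP% under a GUID-style name, {...}.xpi.
UUID_XPI_RE = re.compile(r"\\Temp\\\{[0-9a-f-]{36}\}\.xpi$", re.IGNORECASE)


def parse_pe_header(data: bytes) -> dict:
    """Read TimeDateStamp, CheckSum and SizeOfImage from a PE image's headers."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = pe_off + 4                                          # IMAGE_FILE_HEADER (20 bytes)
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]    # TimeDateStamp
    opt = coff + 20                                            # IMAGE_OPTIONAL_HEADER
    image_size = struct.unpack_from("<I", data, opt + 56)[0]   # SizeOfImage (same offset in PE32/PE32+)
    checksum = struct.unpack_from("<I", data, opt + 64)[0]     # CheckSum
    return {"timestamp": timestamp, "checksum": checksum, "image_size": image_size}


def matches_yontoo(path: str, data: bytes) -> bool:
    """Targeted match from comment 5: GUID-named .xpi in Temp whose headers equal the reported build."""
    if not UUID_XPI_RE.search(path):
        return False
    hdr = parse_pe_header(data)
    return (hdr["timestamp"], hdr["checksum"], hdr["image_size"]) == (
        YONTOO_TIMESTAMP, YONTOO_CHECKSUM, YONTOO_IMAGESIZE)


def build_sample_pe(timestamp: int, checksum: int, image_size: int) -> bytes:
    """Constructed minimal PE32 header for testing; not a real binary, no sections or code."""
    pe_off = 0x40
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    # Machine=i386, 1 section, TimeDateStamp, no symbols, 0xE0-byte optional header, DLL flags
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 56, image_size)
    struct.pack_into("<I", opt, 64, checksum)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample: the path shape from comment 5 and the header values from comment 2.
SAMPLE_PATH = r"C:\Users\alice\AppData\Local\Temp\{3f2504e0-4f89-11d3-9a0c-0305e82c3301}.xpi"
SAMPLE_DLL = build_sample_pe(YONTOO_TIMESTAMP, YONTOO_CHECKSUM, YONTOO_IMAGESIZE)
```

Run against a minidump's module list (path plus the on-disk file) or a user's Temp directory; the path regex alone reproduces the broader `{UUID}.xpi` block, while the header comparison is the narrower timestamp-based one.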

Updated

3 years ago
Keywords: topcrash-win

Comment 6

3 years ago
According to the facets in the search in comment #0, this at least happens on 38,29,40,41 (and a number of older versions) and all Windows versions from XP to 10.
Nomming for 39 in case we need to take this in a point release.
tracking-firefox39: --- → ?
I sent a support request to Yontoo that includes this bug number.
ni Florin in case his team can help by reproducing this in a VM for further debugging info.
Flags: needinfo?(florin.mezei)
(In reply to Lawrence Mandel [:lmandel] (use needinfo) from comment #9)
> ni Florin in case his team can help by reproducing this in a VM for further
> debugging info.

Note that when it comes to testing with adware/malware we are a bit limited in the sense that we must use a VM disconnected from the network, so we avoid infecting the entire company. If you think the issue can be reproduced under such circumstances (e.g. just infect the VM and start/use Firefox with no Internet access) then we're more than happy to help out. So please see if you can provide more info on what actions may cause the crash and we'll see if we can set something up.
I started looking into this and I'm having a really hard time finding any Yontoo toolbar/software. It seems like they've "discontinued" their product on their "official" webpage:

- http://www.yontoo.com/Download.aspx
- http://www.yontoo.com/AppMarket.aspx

I've spent at least two hours searching all the different search engines but every time I've found anything related to Yontoo, it either pointed me to the discontinued website or it downloaded something completely different which didn't include Yontoo. (like a download manager which included other crap)

I searched a few of the support forums to see if I could find any information on what applications users were downloading when they got infected and found "Best Video Downloader" but that also seems to be discontinued.

- http://www.bestvideodownloader.com/

I did manage to find some random XPI (YontooFFClient.xpi) but it wouldn't install on any of the newer builds. I'll go back and see if I can get it installed on an older version like fx29 as per comment # 6.

I searched https://www.virustotal.com and found two fairly recent submissions relating to Yontoo on Windows. I emailed them and asked if they could send me the two files listed below. If that doesn't work, there seems to be a LOT of OSX submissions as well so I'll get a VM going and see if I can reproduce it on OSX. (BTW are we seeing this at all on OSX??)

* https://www.virustotal.com/en/file/7a939c0e66225ffbc02a4cdb04c129e0a70214dbd3fd0f5986834dfe10e54ff5/analysis/
* https://www.virustotal.com/en/file/5413b8aff50a0800cd4e7ebbb11a0761c120183d8e20c58fba5dcb2cb1505fd4/analysis/

Florin, perhaps SV will have more luck finding Yontoo out there. I'll do a bit more searching via support forums and see if I can find any information on any applications that come with Yontoo.
(Reporter)

Comment 12

3 years ago
this signature seems to decline by its own now (maybe the malware is updating to avoid crashiness or av vendors start detecting it). 
the number of crashes with this signature over time pretty much correlates with the recent spike in crashiness at https://crash-analysis.mozilla.com/rkaiser/crash-report-tools/longtermgraph/?fxrel:

2015-07-01 14,164
2015-07-02 12,938
2015-07-03 10,358
2015-07-04 22,062
2015-07-05 15,059
2015-07-06 17,676
2015-07-07 39,227
2015-07-08 39,374
2015-07-09 3,631
2015-07-10 648
2015-07-11 293

Comment 13

3 years ago
And it continues:
2015-07-12 185
2015-07-13 157 (incomplete, still 6 hours of the UTC day remaining)

The typical risk with declining rates on a severe crash is that the affected users merely left, and the underlying issue may still be present on the next release channel. However in this case there are reasons to believe that the fix is real:

* It wasn't the type of perma-startup-crash that leaves users no choice but to leave
* We've seen unrelated crashes (at extremely low volume) on version 1.0.5667.19566 with timestamp July 8, which would seem to be the version that contains the fix
* No huge spikes on .xpi offsets other than 0x1f73, so it doesn't look like the signature merely moved elsewhere

Let's keep an eye on the crash rates just to be sure, but at the moment it looks like no action is required on the Firefox side.
I received the files I requested from VirusTotal (comment # 11) but didn't have any luck reproducing the crash once the malware/adware was installed. I used the browser for several hours and left a bunch of videos playing for about 3 hours without any luck of getting a crash.

Yontoo had a bunch of different products (Buzzdock, PageRage, BetterBrows, etc..) but I'm having a hard time finding them. Yontoo discontinued all of their apps and the ones that I do eventually find are basically other malware claiming to be Yontoo.
(Reporter)

Comment 15

3 years ago
as the numbers are continuing to dwindle (57 reports yesterday), i'm marking the bug as resolved.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WORKSFORME
Flags: needinfo?(florin.mezei)
status-firefox39: affected → fixed
status-firefox40: affected → fixed
status-firefox41: affected → fixed
status-firefox42: ? → fixed
tracking-firefox39: ? → -