Open Bug 1419418 Opened 4 years ago Updated 9 months ago

Investigate why core.exe is our second most common accessibility OOP client

Categories

(Core :: Disability Access APIs, enhancement, P3)

All
Windows
enhancement

Tracking

()

People

(Reporter: jimm, Unassigned)

References

(Blocks 1 open bug)

Details

See this data - 
https://sql.telemetry.mozilla.org/queries/48848#131661

I'm tempted to just block this outright but we should investigate first.
Do we have any established contacts?
Flags: needinfo?(mitaylor)
Flags: needinfo?(dchinniah)
Flags: needinfo?(astevenson)
Summary: Investigate why core.exe (Electronic Arts) is our second most common accessibility OOP client → Investigate why core.exe (Electronic Arts Download Manager) is our second most common accessibility OOP client
Lets get this installed and do some testing to see if there are performance issues.
David - We have a mailing list with EA, sent you a DM about getting added to it.
Flags: needinfo?(mitaylor)
Flags: needinfo?(dchinniah)
Flags: needinfo?(astevenson)
I've been testing working with the Origin application [1], which is the current rev of the EA Download Manager desktop app. So far no luck getting accessibility to turn on due to this. I played a free game and poked around various options and settings. Note there is a switch in settings for "browser integration" which is on.

Testing with Firefox 57 set as the default.

I do not see a core.exe running though, so maybe these clients have a different revision of this EA software.

[1] https://www.origin.com/

Tracy would you please do some additional discovery work here - try to find a rev of this EA Download Manager software that installs a 'core.exe' and turns on a11y in the default browser. Please test with 57.
Flags: needinfo?(twalker)
Here's a query that lists all the versions of core.exe as an a11y instantiator: https://sql.telemetry.mozilla.org/queries/49500/source

I'll try reproducing this today.
I made initial EA contact directly via a common friend, and have cc'ed you Jim.
According to some comments on a file id site, this gets installed with 'EA Link'.
Hey Jim,

I'm Thomas from EA. Do you have any more details on which file it is? Core.exe? Do you have a version number or any other information, like a screenshot of specifc settings of EADM that were used to repro this problem?
Flags: needinfo?(tbruckschlegel)
(In reply to Thomas Bruckschlegel from comment #9)
> Hey Jim,
> 
> I'm Thomas from EA. Do you have any more details on which file it is?
> Core.exe? Do you have a version number or any other information, like a
> screenshot of specifc settings of EADM that were used to repro this problem?

Hi Thomas,

Thanks for checking in here. We're not sure what EA application is involved, what we have an exe name (core.exe) and version info - 

core.exe - 2.8.4.40465, population:1861340
core.exe - 2.8.4.40478, population:647490
core.exe - 2.8.4.40429, population:36050
core.exe - 2.8.4.40408, population:14680
core.exe - 2.7.3.6798, population:5530
core.exe - 2.8.3.10739, population:4390
core.exe - 2.8.4.36998, population:2530
core.exe - 2.8.3.15291, population:2430
core.exe - 2.8.3.15131, population:2190
core.exe - 2.8.3.19208, population:1450
core.exe - 2.8.1.12822, population:1030
core.exe - 2.8.4.40460, population:890
core.exe - 2.8.4.40453, population:810
core.exe - 2.7.6.1364, population:470
core.exe - 2.8.4.40412, population:300
core.exe - 2.8.2.3691, population:130
core.exe - 2.8.1.2134, population:100
core.exe - 2.8.1.3919, population:70
core.exe - 2.8.4.40394, population:30

We know accessibility apis are in use for all of these users and our internal accessibility library provides the information above related what application triggered accessibility use.

We've been trying to reproduce using various Origin apps but so far have not had any luck. Do you have idea what products this might involve? Any idea why EA game software would consume apis designed for desktop automation and the visually impaired?

Thanks for the help!
Core.exe was found in an old EA application, but the version number was higher. I did a quick check with 

http://processchecker.com/file/Core.exe.html

Looks like this app is what you are looking for:

F:\Arquivos de programas\Diebold\Warsaw\core.exe 	GAS Tecnologia - Protection 	GAS Tecnologia LTDA 	2.8.3.10739 	62161 	41D89D7D6B32961B3961DD0A41785854
Flags: needinfo?(tbruckschlegel)
(In reply to Thomas Bruckschlegel from comment #11)
> Core.exe was found in an old EA application, but the version number was
> higher. I did a quick check with 

This is very helpful, so you can confirm this application is not an EA app based on the version information?

> 
> http://processchecker.com/file/Core.exe.html
> 
> Looks like this app is what you are looking for:
> 
> F:\Arquivos de programas\Diebold\Warsaw\core.exe 	GAS Tecnologia -
> Protection 	GAS Tecnologia LTDA 	2.8.3.10739 	62161 
> 41D89D7D6B32961B3961DD0A41785854

We kinda ruled smaller apps and malware out due to the high incidence rate, but sounds like we should reconsider. Thanks.
Flags: needinfo?(tbruckschlegel)
(In reply to Jim Mathies [:jimm] from comment #12)
> (In reply to Thomas Bruckschlegel from comment #11)
> > Core.exe was found in an old EA application, but the version number was
> > higher. I did a quick check with 
> 
> This is very helpful, so you can confirm this application is not an EA app
> based on the version information?
> 
> > 
> > http://processchecker.com/file/Core.exe.html
> > 
> > Looks like this app is what you are looking for:
> > 
> > F:\Arquivos de programas\Diebold\Warsaw\core.exe 	GAS Tecnologia -
> > Protection 	GAS Tecnologia LTDA 	2.8.3.10739 	62161 
> > 41D89D7D6B32961B3961DD0A41785854
> 
> We kinda ruled smaller apps and malware out due to the high incidence rate,
> but sounds like we should reconsider. Thanks.

Yes, the versin number scheme does not match the scheme EA was using that long ago and core.exe is no longer part of our current Origin product.
Flags: needinfo?(tbruckschlegel)
(In reply to Thomas Bruckschlegel from comment #13)
> Yes, the versin number scheme does not match the scheme EA was using that
> long ago and core.exe is no longer part of our current Origin product.

Thanks!
Flags: needinfo?(twalker)
OS: Unspecified → Windows
Hardware: Unspecified → All
Summary: Investigate why core.exe (Electronic Arts Download Manager) is our second most common accessibility OOP client → Investigate why core.exe is our second most common accessibility OOP client
Thank you indeed. Let's block this.
Priority: -- → P2
Warsaw 1.3.1 is a program developed by GAS Tecnologia. Upon installation and setup, it defines an auto-start registry entry which makes this program run on each Windows boot for all user logins. It adds a background controller service that is set to automatically run. Delaying the start of this service is possible through the service manager. The software is designed to connect to the Internet and adds a Windows Firewall exception in order to do so without being interfered with. The main program executable is core.exe. The software installer includes 27 files and is usually about 8.04 MB (8,434,614 bytes). In comparison to the total number of users, most PCs are running the OS Windows 7 (SP1) as well as Windows 8. While about 94% of users of Warsaw come from Brazil, it is also popular in the United States and France. 

It seems this is used mostly by banks in Brazil.  However, it is also reported as malware.  I haven't had any luck findign a way to install the software; I am still investigating.
(In reply to David Bolter [:davidb] (NeedInfo me for attention) from comment #15)
> Thank you indeed. Let's block this.

If this is banking related, we should figure out what this does before blocking. It may be a required piece of some sort of bank access security software.
In continuing to research, I have come up with a loose hypothesis that this is actually malware that got installed on systems during a massive DNS breach of a major Brazilian financial company.  see https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/  Malware may have been added to anyone using those bank(s) online services that particular Saturday during the breach window.  My theory is this core.exe was part of that malware package.  Not much to back up the theory though.
quote from the above linked wired article:

"Aside from mere phishing, the spoofed sites also infected victims with a malware download that disguised itself as an update to the Trusteer browser security plug-in that the Brazilian bank offered customers. According to Kaspersky's analysis, the malware harvests not just banking logins—from the Brazilian banks as well as eight others—but also email and FTP credentials, as well as contact lists from Outlook and Exchange, all of which went to a command-and-control server hosted in Canada. The Trojan also included a function meant to disable antivirus software; for infected victims, it may have persisted far beyond the five-hour window when the attack occurred."

These attackers were extremely clever using multiple vectors.  I don't think we'll ever know completely what happened. But I think we should probably just block core.exe.
Seems like this is a one-liner fix to add core.exe here https://searchfox.org/mozilla-central/rev/ff462a7f6b4dd3c3fdc53c9bc0b328f42a5b3d2b/accessible/windows/msaa/LazyInstantiator.cpp#181

Jim are we worried about blocking legit versions of core.exe?
Flags: needinfo?(jmathies)
(In reply to David Bolter [:davidb] (NeedInfo me for attention) from comment #20)
> Seems like this is a one-liner fix to add core.exe here
> https://searchfox.org/mozilla-central/rev/
> ff462a7f6b4dd3c3fdc53c9bc0b328f42a5b3d2b/accessible/windows/msaa/
> LazyInstantiator.cpp#181
> 
> Jim are we worried about blocking legit versions of core.exe?

Yeah I don't think our confidence level is very high here. If this is banking software doing something useful we don't want to block it.
Flags: needinfo?(jmathies)
core.exe as accessibility client is also present in the crashes from bug 1417897, where another module of that software is causing a crash spike for brazilian users since yesterday.
See Also: → 1417897
(In reply to Tracy Walker [:tracy] from comment #16)
> I haven't had any luck findign a way to install the software; I am still investigating.
at http://www.dieboldnixdorf.com.br/warsaw once you select an institution, it would provide download links for the software.
This is also linked to from the individual banks' websites, eg: https://seg.bb.com.br/home.html
See Also: → 1438562
Moving to p3 because no activity for at least 24 weeks.
Priority: P1 → P3
See Also: → 1644240
You need to log in before you can comment on or make changes to this bug.