Closed Bug 439679 Opened 12 years ago Closed 3 years ago

Socorro report to watch for adware, spyware, malware in crash data

Categories

(Socorro :: General, task)

x86
All
task
Not set

Tracking

(Not tracked)

RESOLVED WONTFIX
Future

People

(Reporter: chofmann, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: search [crashkill][crashkill-metrics])

Attachments

(1 file)

Starting to see a variety of suspicious .dll's showing up in crash reporter data.  We should develop reports that give us trends in the existence of adware/malware to watch for attacks or outbreaks of malware affecting firefox users and think about defenses that could help protect.

http://crash-stats.mozilla.com/report/index/a6277345-3c91-11dd-8c01-0013211cbf8a
which has the stack, and shows a likely crash in the asksbar.dll

0  	ASKSBAR.DLL  	ASKSBAR.DLL@0xc7c2  	
1 	ASKSBAR.DLL 	ASKSBAR.DLL@0x2186b 	
2 	ASKSBAR.DLL 	ASKSBAR.DLL@0x21c90 	
3 	ASKSBAR.DLL 	ASKSBAR.DLL@0x2295b 	
4 	ASKSBAR.DLL 	ASKSBAR.DLL@0x22445 	
5 	ASKSBAR.DLL 	ASKSBAR.DLL@0x14cd4 	
6 	ASKSBAR.DLL 	ASKSBAR.DLL@0x1bf6 	
7 	A2PLUGIN.DLL 	A2PLUGIN.DLL@0x1f15 	
8 	A2PLUGIN.DLL 	A2PLUGIN.DLL@0x4e08 	
9 	xul.dll 	ns4xPluginInstance::SetWindow 	mozilla/modules/plugin/base/src/ns4xPluginInstance.cpp:1175
10 	xul.dll 	nsPluginNativeWindow::CallSetWindow 	nsPluginNativeWindow.h:95
11 	xul.dll 	nsPluginNativeWindowWin::CallSetWindow 	mozilla/modules/plugin/base/src/nsPluginNativeWindowWin.cpp:499
12 	xul.dll 	nsPluginHostImpl::InstantiateEmbeddedPlugin 	mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3642
13 	xul.dll 	nsObjectFrame::InstantiatePlugin 	mozilla/layout/generic/nsObjectFrame.cpp:860

and definition of the asksbar can be found here.

http://www.what-is-exe.com/filenames/asksbar-dll.html

Another example of a borderline suspect app/toolbar was also found in bkavhook.dll, but after investigation I think it looks like some kind of Vietnamese locale application or toolbar.

http://crash-stats.mozilla.com/report/index/fac25d94-3c8f-11dd-933c-0013211cbf8a

0  	BkavHook.dll  	BkavHook.dll@0x357d  	
1 	xul.dll 	nsSocketTransport::InitiateSocket 	mozilla/netwerk/base/src/nsSocketTransport2.cpp:1158
2 	xul.dll 	nsSocketTransport::OnSocketEvent 	mozilla/netwerk/base/src/nsSocketTransport2.cpp:1426
3 	xul.dll 	nsSocketEvent::Run 	mozilla/netwerk/base/src/nsSocketTransport2.cpp:98
4 	xul.dll 	nsThread::ProcessNextEvent 	mozilla/xpcom/threads/nsThread.cpp:510
5 	xul.dll 	NS_ProcessPendingEvents_P 	nsThreadUtils.cpp:180
6 	xul.dll 	nsSocketTransportService::Run 	mozilla/netwerk/base/src/nsSocketTransportService2.cpp:555
7 	xul.dll 	nsThread::ProcessNextEvent 	mozilla/xpcom/threads/nsThread.cpp:510
8 	xul.dll 	nsThread::ThreadFunc 	mozilla/xpcom/threads/nsThread.cpp:254
9 		@0x13dff6b 	

http://www.spywaredata.com/spyware/spyware-adware/process/719/results.php
http://www.siteadvisor.com/sites/saigon.vnn.vn/downloads/2609716/


we could scrape adware/spyware/malware lists and then search for instances of these .dll's in the stack, or process list, then show frequency of presence in the incoming crash data.
semi-related to bug 423968, but this would have a different report output to meet a different use case.
Depends on: 423968
We should also keep an eye on z4spyblk.dll

http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&range_unit=hours&version=Firefox%3A3.0&signature=Z4SPYBLK.DLL%400x7b4c&range_value=9

Firefox 3.0 Crash Report [@ Z4SPYBLK.DLL@0x7b4c ]

0  	Z4SPYBLK.DLL  	Z4SPYBLK.DLL@0x7b4c  	
1 	Z4SPYBLK.DLL 	Z4SPYBLK.DLL@0x78a1 	
2 		@0x28137ae 	
3 		@0x2813af1 	
4 	xul.dll 	CallNPMethodInternal 	mozilla/modules/plugin/base/src/nsJSNPRuntime.cpp:1378
5 	xul.dll 	CallNPMethod 	mozilla/modules/plugin/base/src/nsJSNPRuntime.cpp:1425
6 	js3250.dll 	js_Invoke 	mozilla/js/src/jsinterp.c:1297
7 	js3250.dll 	js_Interpret 	mozilla/js/src/jsinterp.c:4852
8 	js3250.dll 	js_Invoke 	mozilla/js/src/jsinterp.c:1313
9 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1523
10 	xul.dll 	nsXPCWrappedJS::CallMethod 	mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp:559
11 	xul.dll 	PrepareAndDispatch 	mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
12 	xul.dll 	SharedStub 	mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
13 	xul.dll 	nsEventListenerManager::HandleEventSubType 	mozilla/content/events/src/nsEventListenerManager.cpp:1080

It's under investigation at SpywareData
http://www.spywaredata.com/spyware/malware/z4spyblk.dll.php

this article and others detect it in a Zone Alarm installation, but it's not clear if it is part of the standard installation, or attacking it.

http://www.atribune.org/forums/index.php?s=186d8535602e50c75f6f7ac6d5633c6b&showtopic=3962&st=0&p=18762&#entry18762

here is another one

http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&range_unit=hours&version=Firefox%3A3.0&signature=ffe.dll%400x9e69&range_value=6

comments

>  was during initial startup - not sure what crashed - but I know my kids told me we've been having trouble with bookmarks

> loading Firefox 3 for the first time. 

stack

0  	ffe.dll  	ffe.dll@0x9e69  	
1 	xul.dll 	nsDocLoader::FireOnStateChange 	mozilla/uriloader/base/nsDocLoader.cpp:1235
2 	xul.dll 	xul.dll@0x7d04cf 	


modules list
ffe.dll  	1.1.0.141  	45E5E83315  	ffe.pdb

investigations

http://www.spywarewarrior.com/viewtopic.php?t=15598
844] C:\WINDOWS\system32\fee.dll -> Spyware.Look2Me : Error during cleaning 

http://www.prevx.com/filenames/2885319548134216537-0/T1.S1.FEE.DLL.html
http://spywaredlls.prevx.com/RRABHC41015003/PGMR-FEE.DLL.html

Looks like this could be part of Windows logon or replaced by attackers.
here is another one, crashing in firebit.dll 6 seconds or less after first startup.

http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&range_unit=hours&version=Firefox%3A3.0&signature=firebit.dll%400x17b44&range_value=10

stack

0  	firebit.dll  	firebit.dll@0x17b44  	
1 	firebit.dll 	firebit.dll@0x19376 	
2 	ntdll.dll 	ntdll.dll@0x3e4b5 	
3 	ntdll.dll 	ntdll.dll@0x3e488


Avira considers this malware:

http://analysis.avira.com/samples/details.php?uniqueid=cjfH4B3dkkt7mM7TrqHyEOIv6J5x0PbH&incidentid=145222


the firebit.dll appears to be distributed by or from a free hosting site http://bitware.net


Interesting report at mcafee
http://forums.mcafeehelp.com/showthread.php?p=520116

"...  lately when i have been searching on google with firefox i am being redirected  to totally different sites and yesterday i couldnt access either ie or firefox and my pc was running very slow.
i ran virus scan but it didnt pick up anything so i tried a free online scanner and it picked up these,

C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP94\A0019710.exe

C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP94\A0019711.exe

Trojan-Downloader.Win32.Zlob.jgs

C:\Documents and Settings\Application Data\Mozilla\Firefox\Profiles\jcl6fq4j.default\extensions\firebit@firebit\components\firebit.dll/C:\Documents and Settings\Application Data\Mozilla\Firefox\Profiles\jcl6fq4j.default\extensions\firebit@firebit\components\firebit.dll

C:\Documents and Settings\Application Data\Mozilla\Firefox\Profiles\jcl6fq4j.default\extensions\firebit@firebit\components\firebit.dll

not-a-virus:AdWare.Win32.Kitsune.b

if anyone can tell me what these are or can help in any way it would be much appreciated thanks"


Search comments from the  Reverse Engineering b10g also indicate  

http://letitbit.net (another free hosting/downloading)  site wants to install firebit.dll. 

Question was also asked there "Has anybody reversed it and care to explain what it does? I noticed it adds two http request headers: ...  "   but I can't find the post or any responses.
here is another  

Crash Reports in rlxf.dll@0xe9dc

Frame  	Module  	Signature [Expand]  	Source
0 	rlxf.dll 	rlxf.dll@0xe9dc

rlxf.dll  	1.0.0.5

mostly crashing at startup and shortly after.  here are comments:

   every time it starts it crashes

   um i just opened it and it crashes1 to 2 seconds after

   i downloaded the 3.0 and now i can't even get on it.

Other crash reports here:

http://crash-stats.mozilla.com/report/list?range_unit=weeks&query_search=signature&query_type=contains&product=Firefox&version=Firefox%3A3.0&branch=1.9&signature=rlxf.dll%400xe9dc&query=.dll&range_value=1

Reports that try and describe what this .dll is about are at:

http://forums.majorgeeks.com/archive/index.php?t-100395.html
 ...suggest steps to remove

http://forums.majorgeeks.com/archive/index.php?t-100395.html
  ...rxfl.dll classified as dangerous

http://research.sunbelt-software.com/threatdisplay.aspx?name=Marketscore.RelevantKnowledge&threatid=15129
   ... indicates some association with adware
here is an interesting one

Firefox 3.0 Crash Report [@ radhslib.dll@0x3b6f ]

0  	radhslib.dll  	radhslib.dll@0x3b6f  	
1 	radhslib.dll 	radhslib.dll@0x16bf5 	
2 		@0x5f110009 	
3 	nspr4.dll 	SocketSend 	mozilla/nsprpub/pr/src/io/prsocket.c:694
4 	nspr4.dll 	SocketWrite 	mozilla/nsprpub/pr/src/io/prsocket.c:714
5 	xul.dll 	nsSocketOutputStream::Write 	mozilla/netwerk/base/src/nsSocketTransport2.cpp:576
6 	xul.dll 	nsHttpConnection::OnReadSegment 	mozilla/netwerk/protocol/http/src/nsHttpConnection.cpp:530
7 	xul.dll 	nsHttpTransaction::ReadRequestSegment 	mozilla/netwerk/protocol/http/src/nsHttpTransaction.cpp:411
8 	xul.dll 	nsBufferedInputStream::ReadSegments 	mozilla/netwerk/base/src/nsBufferedStreams.cpp:331
9 	xul.dll 	nsHttpTransaction::ReadSegments 	mozilla/netwerk/protocol/http/src/nsHttpTransaction.cpp:436
10 	xul.dll 	nsHttpConnection::OnSocketWritable 	mozilla/netwerk/protocol/http/src/nsHttpConnection.cpp:565
11 	xul.dll 	nsHttpConnection::OnOutputStreamReady 	mozilla/netwerk/protocol/http/src/nsHttpConnection.cpp:776
12 	xul.dll 	nsSocketOutputStream::OnSocketReady 	mozilla/netwerk/base/src/nsSocketTransport2.cpp:515
13 	xul.dll 	nsSocketTransport::OnSocketReady 	mozilla/netwerk/base/src/nsSocketTransport2.cpp:1543
14 	xul.dll 	nsSocketTransportService::DoPollIteration 	mozilla/netwerk/base/src/nsSocketTransportService2.cpp:658
15 	xul.dll 	nsSocketTransportService::OnProcessNextEvent 	mozilla/netwerk/base/src/nsSocketTransportService2.cpp:522
16 	xul.dll 	nsThread::ProcessNextEvent 	mozilla/xpcom/threads/nsThread.cpp:497
17 	nspr4.dll 	PR_Lock 	

no version info in the modules list, but some of the reports show multiple instances of the .dll

radhslib.dll  	 	 	
radprlib.dll

more reports at http://crash-stats.mozilla.com/report/list?range_unit=weeks&query_search=signature&query_type=contains&product=Firefox&version=Firefox%3A3.0&branch=1.9&signature=radhslib.dll%400x3b6f&query=.dll&range_value=1

on further examination radhslib.dll appears to be part of Naomi web filter by Radiant Morning Technologies.   http://forum.utorrent.com/viewtopic.php?id=34978

so this one might be one to disable if we can, based on incompatibility/stability problems.  we could also just put an advisory of possible compatibility problems with this software on sumo.

we could also follow up with contact to http://www.radiance.m6.net/ to diagnose and see if we can get a fix in the works.
re: comment 6

there is also a different stack signature for the same .dll

Firefox 3.0 Crash Report [@ rlxf.dll@0x14d4a ]

and this signature is associated with a different version number in the .dll
rlxf.dll  	1.2.0.5

comments asking for help are a bit more desperate in this batch of crash reports
http://crash-stats.mozilla.com/report/list?range_unit=weeks&query_search=signature&query_type=contains&product=Firefox&version=Firefox%3A3.0&branch=1.9&signature=rlxf.dll%400x14d4a&query=.dll&range_value=1
here is another angle on the reporting.  something like this would be very helpful.   It shows we have several different stack signatures for this .dll representing several versions of the .dll that are in use.

rank  stack sig.         #of-crashes  .dll      version

1     rlxf.dll@0xe9dc    200          rlxf.dll  1.0.0.5
2     rlxf.dll@0x14d4a   133          rlxf.dll  1.2.0.5
3     rlxf.dll@0xcfc1     72          rlxf.dll  1.1.0.8
4     rlxf.dll@0x111e3    58          rlxf.dll  1.2.0.3
5     rlxf.dll@0xcc8b     35          rlxf.dll  1.1.0.7

this base query gets us part of the way there.  then you currently have to drill down with a number of clicks to see the pattern.  the idea is that we just want to reduce the number of clicks and raise the right set of data to the surface

http://crash-stats.mozilla.com/?do_query=1&product=Firefox&branch=1.9&version=Firefox%3A3.0&query_search=signature&query_type=contains&query=rlxf.dll&date=&range_value=1&range_unit=weeks


re comment 3:  the distribution for ffe.dll looks like

rank  stack sig.        #of-crashes  .dll     version

1     ffe.dll@0x9e69    130          ffe.dll  1.1.0.141
2     ffe.dll@0xa851     50          ffe.dll  1.1.0.141
3     ffe.dll@0x9e36     15          ffe.dll  1.1.0.141
4     ffe.dll@0x944e     12          ffe.dll  1.0.0.106
5     ffe.dll@0xa982      9          ffe.dll  1.1.0.141
6     ffe.dll@0x9662      2          ffe.dll  1.0.0.106
or this query 
http://crash-stats.mozilla.com/?do_query=1&product=Firefox&branch=1.9&version=Firefox%3A3.0&query_search=signature&query_type=contains&query=.dll&date=&range_value=1&range_unit=weeks

produces a pretty interesting report of the top 100 external .dlls that cause crashes.  maybe it's the starting point for this kind of analysis.  From this kind of list we could scan by eyeball, or whitelist out .dll's that suffer from just compatibility problems, and others that might be more serious malware.


top100-rank	signature	total crashes	win	mac	linux	sol

59	BkavHook.dll@0x65bf 	90	90	0	0	0
14	BkavHook.dll@0xff0 	353	353	0	0	0

70	dirapi.dll@0x46a90 	74	74	0	0	0
63	dirapiX.dll@0x379c3 	88	88	0	0	0

41	ffe.dll@0x9e69 	127	127	0	0	0
94	ffe.dll@0xa851 	50	50	0	0	0

58	firebit.dll@0x174c4 	90	90	0	0	0
66	firebit.dll@0x17b44 	86	86	0	0	0

47	gears_ff2.dll@0x10577c 	106	106	0	0	0
13	gears_ff2.dll@0x10577d 	374	374	0	0	0

76	GoogleDesktopCommon.dll@0x1679 	66	66	0	0	0
7	GoogleDesktopMozilla.dll@0x54da 	1073	1073	0	0  0
1	GoogleDesktopMozilla.dll@0x5500   	6085	6085	0	0  0
3	GoogleDesktopMozilla.dll@0x5512 	3390	3390	0	0  0
75	GoogleDesktopMozilla.dll@0x552a 	68	68	0	0  0
37	GoogleDesktopMozilla.dll@0x55d5 	156	156	0	0  0
80	GoogleDesktopMozilla.dll@0x567f 	61	61	0	0  0
4	GoogleDesktopMozilla.dll@0x56bc 	1907	1907	0	0  0
78	GoogleDesktopMozilla.dll@0x56f0 	66	66	0	0  0
68	GoogleDesktopMozilla.dll@0x5724 	79	79	0	0  0
39	GoogleDesktopMozilla.dll@0x5742 	142	142	0	0  0
9	GoogleDesktopMozilla.dll@0x5747 	499	499	0	0  0
21	GoogleDesktopMozilla.dll@0x5824 	226	226	0	0  0

2	googletoolbar.dll@0x4b2f 	3924	3924	0	0	0

67	icm32.dll@0x433e 	85	85	0	0	0

52	iFW_Xfilter.dll@0x37a9 	98	98	0	0	0

44	imm32.dll@0x3e24 	117	117	0	0	0

96	jpinscp.dll@0xac57 	49	49	0	0	0
18	jpinscp.dll@0xd015 	263	263	0	0	0

69	js3250.dll@0x4cb97 	76	76	0	0	0

65	jvm.dll@0x10b5d0 	87	87	0	0	0
93	jvm.dll@0x115da8 	53	53	0	0	0
84	jvm.dll@0xb7688 	57	57	0	0	0
81	jvm.dll@0xbc1f8 	61	61	0	0	0
57	jvm.dll@0xbc228 	93	93	0	0	0
54	jvm.dll@0xbc3a0 	95	95	0	0	0

17	kernel32.dll@0x12aeb 	284	284	0	0	0
36	kernel32.dll@0x442eb 	157	157	0	0	0
22	kernel32.dll@0x49207 	211	211	0	0	0
12	kernel32.dll@0x9e7a 	404	404	0	0	0

48	libvlc.dll@0x1177f 	104	104	0	0	0

71	mshtml.dll@0x84998 	70	70	0	0	0

56	msvcr71.dll@0x28ed 	93	93	0	0	0
87	msvcr80.dll@0x14500 	57	57	0	0	0

49	msvcrt.dll@0x10a78 	103	103	0	0	0
83	msvcrt.dll@0x1226a 	57	57	0	0	0
26	msvcrt.dll@0x37740 	180	180	0	0	0
62	msvcrt.dll@0x37c89 	88	88	0	0	0

79	msxf.dll@0xe9dc 	65	65	0	0	0

55	mzvkbd.dll@0x1871 	95	95	0	0	0

61	npampx3.0.84.2.dll@0x2a63 	89	89	0	0	0

50	npdivx32.dll@0x140f1 	100	100	0	0	0

99	npdsplay.dll@0x2a3f7 	48	48	0	0	0

88	npietab.dll@0x43e9 	56	56	0	0	0

5	npLegitCheckPlugin.dll@0x14ed9 	1776	1776	0	0	0

46	npOGAPlugin.dll@0xb391 	109	109	0	0	0

100	nppdf32.dll@0x5696 	47	47	0	0	0
24	nppdf32.dll@0x6d0a 	201	201	0	0	0
91	nppdf32.dll@0xb125 	54	54	0	0	0
34	nppdf32.dll@0xc3e8 	163	163	0	0	0

10	nppl3260.dll@0x4341 	488	488	0	0	0

6	nppl3260.dll@0x54bb 	1140	1140	0	0	0

77	NPSWF32.dll@0x16e8b9 	66	66	0	0	0
51	NPSWF32.dll@0x16ef 	99	99	0	0	0
15	NPSWF32.dll@0x1ddbf1 	308	308	0	0	0
74	NPSWF32.dll@0x241ce 	68	68	0	0	0
72	NPSWF32.dll@0x288f 	68	68	0	0	0
60	NPSWF32.dll@0x34860 	90	90	0	0	0
38	NPSWF32.dll@0x3486f 	153	153	0	0	0
27	NPSWF32.dll@0x348cd 	179	179	0	0	0
16	NPSWF32.dll@0xa966b 	299	299	0	0	0
32	NPSWF32.dll@0xd48bb 	167	167	0	0	0
98	NPSWF32.dll@0xd49bc 	48	48	0	0	0
23	NPSWF32.dll@0xd4ef8 	202	202	0	0	0
85	NPSWF32.dll@0xd4ff9 	57	57	0	0	0
82	NPSWF32.dll@0xf3492 	60	60	0	0	0

64	npww.dll@0x1634 	88	88	0	0	0

8	ntdll.dll@0x100b 	770	770	0	0	0
33	ntdll.dll@0x1b1fa 	164	164	0	0	0
89	ntdll.dll@0x3b15f 	56	56	0	0	0
20	ntdll.dll@0x42e7b 	249	249	0	0	0
53	ntdll.dll@0x43387 	97	97	0	0	0
11	ntdll.dll@0x47dd2 	404	404	0	0	0
29	ntdll.dll@0x59a94 	174	174	0	0	0
45	ntdll.dll@0x60f34 	111	111	0	0	0
35	ntdll.dll@0xe4f4 	157	157	0	0	0

28	piclens.dll@0x114bd9 	176	176	0	0	0
92	piclens.dll@0xe2d17 	54	54	0	0	0

19	piclens19.dll@0x109eaa 	254	254	0	0	0
97	piclens19.dll@0x117066 	49	49	0	0	0
30	piclens19.dll@0x11a767 	171	171	0	0	0
43	piclens19.dll@0x122d50 	118	118	0	0	0

31	radhslib.dll@0x3b6f 	170	170	0	0	0

86	rlxf.dll@0x111e3 	57	57	0	0	0
40	rlxf.dll@0x14d4a 	129	129	0	0	0
73	rlxf.dll@0xcfc1 	68	68	0	0	0
25	rlxf.dll@0xe9dc 	199	199	0	0	0

42	uxtheme.dll@0x1c78d 	124	124	0	0	0

90	WMNetMgr.dll@0x47c82 	55	55	0	0	0

95	xul.dll@0x272d81 	49	49	0	0	0
Naomi is bug 427406
I hope this kind of information is useful in this bug report, please advise if it isn't.

I came across bug 448837 today which I presume is caused by MySearch. Info: http://ca.com/us/securityadvisor/pest/pest.aspx?id=453090717

dll's of interest:
S4BAR.dll
S4PLUGIN.DLL

Sample stack:

ID: 158a9e2b-602e-11dd-bd03-001a4bd43e5c

Signature       @0x4b053b4
UUID    3fe4a911-60ae-11dd-996c-001321b13766
Time    2008-08-02 09:14:49-07:00
Uptime  1
Product Firefox
Version 3.0.1
Build ID        2008070208
OS      Windows NT
OS Version      6.0.6001 Service Pack 1
CPU     x86
CPU Info        GenuineIntel family 6 model 23 stepping 6
Crash Reason    EXCEPTION_ACCESS_VIOLATION
Crash Address   0x4b053b4
Comments
Crashing Thread
Frame   Module  Signature [Expand]      Source
0               @0x4b053b4
1       user32.dll      user32.dll@0x11911
2       user32.dll      user32.dll@0x20816
3       user32.dll      user32.dll@0x139f6
4       ntdll.dll       ntdll.dll@0x599cd
5       user32.dll      user32.dll@0x13cc2
6       user32.dll      user32.dll@0xfd90
7       S4BAR.DLL       S4BAR.DLL@0x2670
8       S4BAR.DLL       S4BAR.DLL@0x1413
9       S4PLUGIN.DLL    S4PLUGIN.DLL@0x1f13
10      S4PLUGIN.DLL    S4PLUGIN.DLL@0x43ad
11      xul.dll         ns4xPluginInstance::SetWindow
mozilla/modules/plugin/base/src/ns4xPluginInstance.cpp:1175
12      xul.dll         nsPluginNativeWindow::CallSetWindow
nsPluginNativeWindow.h:95
13      xul.dll         nsPluginNativeWindowWin::CallSetWindow
mozilla/modules/plugin/base/src/nsPluginNativeWindowWin.cpp:499
14      xul.dll         nsPluginHostImpl::InstantiateEmbeddedPlugin
mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3642
15      xul.dll         nsObjectFrame::InstantiatePlugin
mozilla/layout/generic/nsObjectFrame.cpp:860
Summary: soccoro report to watch for adware,spyware, malware in crash data → Socorro report to watch for adware, spyware, malware in crash data
bug 512122 Possible Adware.DoubleD related Crash [@ NPFFAddOn.dll@0x11867 ]
has a good case study for why some reporting tools around this are needed, what kind of data we need, and how it might be used.
Blocks: 467167
the quicker we could get a report like this, the quicker we might be able to assess how many users might be getting their searches hijacked by malware.

see: https://bugzilla.mozilla.org/show_bug.cgi?id=513570

if we could see how many crash reports had .dll's related to  TSPY_EBOD.A  and Nine-Ball loaded in the module list that would give us rough numbers on how many firefox users might be affected in the general population.
other bug related to search hijacking added to dependency list
Whiteboard: cloud, next
darkreading just published an interesting study on number of enterprise users affected by botnets.   

http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=220200118

we could do something similar with #firefox users affected in the general population of 100million daily users, and also in segment of large institutional use of firefox.

It would be interesting to see if general population and institutional botnet infection is lower or the same for places where Firefox is already deployed.

we have the pretty good start of the .dll's in the process/module list to go look for under the dependency list in bug 512788
whoa, this is a hot news day for this kind of stuff.

http://www.thetechherald.com/article.php/200939/4504/Cyveillance-More-than-half-of-the-active-threats-online-go-undetected

writes that 

[the research company Cyveillance said a couple of interesting things] 

-----
...that they detect hundreds if not thousands of new Malware attacks. To test detection rates, they fed these active attacks through thirteen of the top anti-Virus vendor offerings. McAfee scored the highest, with a detection rate of 44-percent, followed by Sophos (38%), Dr. Web (36%), Symantec (35%), Trend Micro (34%), AVG (31%), and F-Secure with 28-percent.

They tested browser security as well, using Internet Explorer, Safari, Google Chrome, and Firefox. The browser test aimed at Phishing protections, and overall, Mozilla scored the highest. Firefox detected 54.9-percent of Phishing related attempts upon initial discovery, and 87.1-percent after the first 24 hours. Chrome came in second, followed by Safari and Internet Explorer
----

research on the module list could help validate and track that 54.9% number.

I think the first paragraph is making the claim that they have the most authoritative list of what constitutes malware, or at least a pretty good list that all the anti-virus companies have, but just aren't able to protect against yet.   I wonder if they would be interested in sharing that list so we could use it for checking against the crash report module lists.
Target Milestone: --- → 1.3
Whiteboard: cloud, next → cloud, next [crashkill][crashkill-metrics]
Target Milestone: 1.3 → 1.4
Assignee: nobody → deinspanjer
This will need to use the new system -- Daniel can you put this near the top of your list?  When can we start hacking on this using the cluster?
OS: Mac OS X → All
Target Milestone: 1.4 → 1.5
Shortly after bug 538206 is fixed.  I'll make it a top priority.
a ranking report by Firefox product version would fit the bill on this very nicely.   just linkify the signatures so a viewer of the report could drill down.

this kind of report could allow third party providers to watch their .dlls, or anti-virus companies and us to look for new instances of .dll's that are crashing and should be blocked or removed from the system.
we could also link to bugs with signatures in the bug title that correspond to .dll names as we do in the reports like

http://crash-stats.mozilla.com/topcrasher/byversion/Firefox/3.6
Target Milestone: 1.5 → 1.6
Target Milestone: 1.6 → 1.7
After we have imported the existing jsonz files into production, we'll be able to begin developing a MR to answer this question.
Since we need schema changes to be able to import jsonz and those changes won't be in production until 1.7, technically, this bug is impossible to close as part of 1.7 and should be pushed to 1.8
Assignee: deinspanjer → aphadke
Target Milestone: 1.7 → 1.8
Whiteboard: cloud, next [crashkill][crashkill-metrics] → search
Whiteboard: search → search [crashkill][crashkill-metrics]
Target Milestone: 1.8 → 1.9
Possible to develop this MR job now?
Laura/chofmann - What exactly do we need out here? 
1. A framework for MR job that returns related DLLs with counts for a given input DLL as per comment #15 or something else?
2. What time range? 
3. By when do you want this? 

Daniel - Would meta_data:json column be sufficient for this job or we need to do some sort of backfilling?

-anurag
there are two basic types of monitoring we could do

first would be to watch for crashes in suspicious .dll's to watch for widespread outbreaks of malware attacks against firefox, where poorly written malware is also generating crashes.  

second would be to scan the module list of crash reports looking for known malware .dll's then attempting to warn users what we spotted in their crash report submission.  we have e-mail notification system sort of in place now, and we could build extra client features for notification.

both of these kinds of analysis involve starting to build a list of known, suspected, and to-be-investigated malware .dll's and then banging them against crash reports.

I'll try to write more, or get someone to write more on this soon.
Looking for signatures with .dll in them and no bug report assigned, filtering out a few known valid libraries (like ntdll.dll) would probably go a long way for the first part. What makes the task harder is that some malware seems to mask with random names or names of valid libraries, apparently, but we probably can never be perfect on automatic detection.

For the second part that chofmann mentions here, I guess we'll need to go build a list of known malware dlls - though as mentioned, name masking might pose a problem here as well. :(
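A prototype of the two passes described in the two comments above (crashes in suspicious .dll's with a known-good filter, and a scan of the module list for known malware names), producing the signature/version ranking sketched in comment 15 for rlxf.dll and ffe.dll. This is an added example, not Socorro code. It assumes a crash report is a dict with a `signature` string and a `modules` list of (filename, version) pairs, which is the shape of the crash-stats pages quoted above; the known-good list, the watch list and the sample reports are all constructed for the example.

```python
"""Prototype of the two crash-data monitoring passes discussed in bug 439679.

Added example, not Socorro code. Assumes a report dict with a "signature"
string and a "modules" list of (filename, version) pairs. The KNOWN_GOOD and
WATCH_LIST sets and SAMPLE_REPORTS below are constructed for illustration.
"""
import re
from collections import Counter

# A signature for a crash whose top frame had no symbols looks like
# "<module>@0x<offset>", e.g. "rlxf.dll@0xe9dc" or "ASKSBAR.DLL@0xc7c2".
DLL_SIGNATURE = re.compile(r"^(?P<dll>[^@\s]+\.dll)@0x[0-9a-f]+$", re.IGNORECASE)

# Libraries that appear in top-crash signatures for compatibility reasons and
# should be filtered out of the suspicious-.dll ranking (constructed list).
KNOWN_GOOD = {
    "ntdll.dll", "kernel32.dll", "user32.dll", "msvcrt.dll",
    "xul.dll", "js3250.dll", "nspr4.dll",
}

# Names investigated earlier in this bug; a real list would be scraped from
# published adware/spyware lists (constructed here).
WATCH_LIST = {"asksbar.dll", "z4spyblk.dll", "ffe.dll", "firebit.dll",
              "rlxf.dll", "s4bar.dll"}


def signature_dll(signature):
    """Lower-cased module name from a 'module@0xoffset' signature, or None."""
    m = DLL_SIGNATURE.match(signature)
    return m.group("dll").lower() if m else None


def module_version(report, dll):
    """Version string recorded for `dll` in the report's module list."""
    for name, version in report["modules"]:
        if name.lower() == dll:
            return version or "(no version info)"
    return "(not in module list)"


def rank_dll_signatures(reports, known_good=KNOWN_GOOD):
    """Pass 1: rank signatures that land in a .dll outside the known-good set,
    keyed by signature and that module's version, most frequent first.
    Returns a list of (signature, dll, version, count)."""
    counts = Counter()
    for report in reports:
        dll = signature_dll(report["signature"])
        if dll is None or dll in known_good:
            continue
        counts[(report["signature"], dll, module_version(report, dll))] += 1
    return [(sig, dll, ver, n) for (sig, dll, ver), n in counts.most_common()]


def scan_module_lists(reports, watch_list=WATCH_LIST):
    """Pass 2: for each report, the watch-listed modules loaded in the process,
    whether or not one of them is on the crashing stack. Matching is by file
    name only, so a module masquerading under a legitimate name is not caught."""
    wanted = {w.lower() for w in watch_list}
    hits = {}
    for report in reports:
        loaded = {name.lower() for name, _ in report["modules"]}
        found = sorted(loaded & wanted)
        if found:
            hits[report["uuid"]] = found
    return hits


def format_ranking(ranking):
    """Render pass-1 output as the plain-text table sketched in the bug."""
    lines = ["rank  signature               crashes  dll            version"]
    for rank, (sig, dll, ver, n) in enumerate(ranking, 1):
        lines.append(f"{rank:<5} {sig:<23} {n:>7}  {dll:<14} {ver}")
    return "\n".join(lines)


# Constructed sample reports, modelled on figures quoted in this bug.
SAMPLE_REPORTS = [
    {"uuid": "r1", "signature": "rlxf.dll@0xe9dc",
     "modules": [("xul.dll", "1.9.0.3180"), ("rlxf.dll", "1.0.0.5"),
                 ("ntdll.dll", "5.1.2600.5512")]},
    {"uuid": "r2", "signature": "rlxf.dll@0xe9dc",
     "modules": [("xul.dll", "1.9.0.3180"), ("rlxf.dll", "1.0.0.5")]},
    {"uuid": "r3", "signature": "rlxf.dll@0x14d4a",
     "modules": [("xul.dll", "1.9.0.3180"), ("rlxf.dll", "1.2.0.5")]},
    {"uuid": "r4", "signature": "ntdll.dll@0x100b",          # known-good, filtered
     "modules": [("xul.dll", "1.9.0.3180"), ("ntdll.dll", "5.1.2600.5512")]},
    {"uuid": "r5", "signature": "nsDocLoader::FireOnStateChange",  # symbolized
     "modules": [("xul.dll", "1.9.0.3180"), ("firebit.dll", ""),
                 ("ntdll.dll", "5.1.2600.5512")]},
    {"uuid": "r6", "signature": "radhslib.dll@0x3b6f",      # no version info
     "modules": [("xul.dll", "1.9.0.3180"), ("radhslib.dll", ""),
                 ("radprlib.dll", "")]},
]

if __name__ == "__main__":
    print(format_ranking(rank_dll_signatures(SAMPLE_REPORTS)))
    for uuid, dlls in scan_module_lists(SAMPLE_REPORTS).items():
        print(f"{uuid}: watch-listed modules loaded: {', '.join(dlls)}")
```

Report r5 shows why the two passes differ: its signature is a symbolized xul.dll frame, so pass 1 never sees firebit.dll, but pass 2 still finds it in the module list. Report r6 shows the "(no version info)" case noted for radhslib.dll, which the ranking keeps as its own version bucket rather than dropping.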
Depends on: 638634
No longer depends on: 638634
Blocks: 638191
Assignee: aphadke → nobody
Depends on: 577613
Target Milestone: 1.9 → ---
Component: Socorro → General
Product: Webtools → Socorro
Depends on: 656297
Will DLL Directory cover everything that's needed here?
(In reply to Laura Thomson :laura from comment #28)
> Will DLL Directory cover everything that's needed here?

From how I read comment #0, the DLL Directory would be a prerequisite for getting what chofmann has intended here, but it would need to become integrated into Socorro. If anything, that can only be a long-term goal, nothing we can immediately attack.
yep, this is another "explosiveness" kind of report based on stacks and module lists that have spyware.  the dictionary only helps us to describe and keep track of what dll's are and what they do.
Target Milestone: --- → Future
We can pursue this in data platform if it is still desired. crash-stats will not implement this or dll directory.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX