Closed Bug 439679 Opened 17 years ago Closed 7 years ago

Socorro report to watch for adware, spyware, malware in crash data

Categories

(Socorro :: General, task)

x86
All
task
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX
Future

People

(Reporter: chofmann, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: search [crashkill][crashkill-metrics])

Attachments

(1 file)

Starting to see a variety of suspicious .dll's showing up in crash reporter data. We should develop reports that give us trends in the existence of adware/malware to watch for attacks or outbreaks of malware affecting firefox users and think about defenses that could help protect.

http://crash-stats.mozilla.com/report/index/a6277345-3c91-11dd-8c01-0013211cbf8a which has the stack, and shows a likely crash in the asksbar.dll

0 ASKSBAR.DLL ASKSBAR.DLL@0xc7c2
1 ASKSBAR.DLL ASKSBAR.DLL@0x2186b
2 ASKSBAR.DLL ASKSBAR.DLL@0x21c90
3 ASKSBAR.DLL ASKSBAR.DLL@0x2295b
4 ASKSBAR.DLL ASKSBAR.DLL@0x22445
5 ASKSBAR.DLL ASKSBAR.DLL@0x14cd4
6 ASKSBAR.DLL ASKSBAR.DLL@0x1bf6
7 A2PLUGIN.DLL A2PLUGIN.DLL@0x1f15
8 A2PLUGIN.DLL A2PLUGIN.DLL@0x4e08
9 xul.dll ns4xPluginInstance::SetWindow mozilla/modules/plugin/base/src/ns4xPluginInstance.cpp:1175
10 xul.dll nsPluginNativeWindow::CallSetWindow nsPluginNativeWindow.h:95
11 xul.dll nsPluginNativeWindowWin::CallSetWindow mozilla/modules/plugin/base/src/nsPluginNativeWindowWin.cpp:499
12 xul.dll nsPluginHostImpl::InstantiateEmbeddedPlugin mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3642
13 xul.dll nsObjectFrame::InstantiatePlugin mozilla/layout/generic/nsObjectFrame.cpp:860

and definition of the asksbar can be found here. http://www.what-is-exe.com/filenames/asksbar-dll.html

Another example of borderline suspect apps/toolbar was also found in bkavhook.dll but after investigation I think it looks like some kind of Vietnamese locale application or toolbar.
http://crash-stats.mozilla.com/report/index/fac25d94-3c8f-11dd-933c-0013211cbf8a

0 BkavHook.dll BkavHook.dll@0x357d
1 xul.dll nsSocketTransport::InitiateSocket mozilla/netwerk/base/src/nsSocketTransport2.cpp:1158
2 xul.dll nsSocketTransport::OnSocketEvent mozilla/netwerk/base/src/nsSocketTransport2.cpp:1426
3 xul.dll nsSocketEvent::Run mozilla/netwerk/base/src/nsSocketTransport2.cpp:98
4 xul.dll nsThread::ProcessNextEvent mozilla/xpcom/threads/nsThread.cpp:510
5 xul.dll NS_ProcessPendingEvents_P nsThreadUtils.cpp:180
6 xul.dll nsSocketTransportService::Run mozilla/netwerk/base/src/nsSocketTransportService2.cpp:555
7 xul.dll nsThread::ProcessNextEvent mozilla/xpcom/threads/nsThread.cpp:510
8 xul.dll nsThread::ThreadFunc mozilla/xpcom/threads/nsThread.cpp:254
9 @0x13dff6b

http://www.spywaredata.com/spyware/spyware-adware/process/719/results.php
http://www.siteadvisor.com/sites/saigon.vnn.vn/downloads/2609716/

we could scrape adware/spyware/malware lists and then search for instances of these .dll's in the stack, or process list, then show frequency of presence in the incoming crash data.
semi-related to bug 423968, but this would have a different report output to meet a different use case.
Depends on: 423968
We should also keep an eye on z4spyblk.dll
http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&range_unit=hours&version=Firefox%3A3.0&signature=Z4SPYBLK.DLL%400x7b4c&range_value=9

Firefox 3.0 Crash Report [@ Z4SPYBLK.DLL@0x7b4c ]
0 Z4SPYBLK.DLL Z4SPYBLK.DLL@0x7b4c
1 Z4SPYBLK.DLL Z4SPYBLK.DLL@0x78a1
2 @0x28137ae
3 @0x2813af1
4 xul.dll CallNPMethodInternal mozilla/modules/plugin/base/src/nsJSNPRuntime.cpp:1378
5 xul.dll CallNPMethod mozilla/modules/plugin/base/src/nsJSNPRuntime.cpp:1425
6 js3250.dll js_Invoke mozilla/js/src/jsinterp.c:1297
7 js3250.dll js_Interpret mozilla/js/src/jsinterp.c:4852
8 js3250.dll js_Invoke mozilla/js/src/jsinterp.c:1313
9 xul.dll nsXPCWrappedJSClass::CallMethod mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1523
10 xul.dll nsXPCWrappedJS::CallMethod mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp:559
11 xul.dll PrepareAndDispatch mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
12 xul.dll SharedStub mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
13 xul.dll nsEventListenerManager::HandleEventSubType mozilla/content/events/src/nsEventListenerManager.cpp:1080

It's under investigation at spyware data http://www.spywaredata.com/spyware/malware/z4spyblk.dll.php

this article and others detect it in a Zone Alarm installation, but it's not clear if it is part of the standard installation, or attacking it.
http://www.atribune.org/forums/index.php?s=186d8535602e50c75f6f7ac6d5633c6b&showtopic=3962&st=0&p=18762&#entry18762
here is another one
http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&range_unit=hours&version=Firefox%3A3.0&signature=ffe.dll%400x9e69&range_value=6

comments
> was during initial startup - not sure what crashed - but I know my kids told me we've been having trouble with bookmarks
> loading Firefox 3 for the first time.

stack
0 ffe.dll ffe.dll@0x9e69
1 xul.dll nsDocLoader::FireOnStateChange mozilla/uriloader/base/nsDocLoader.cpp:1235
2 xul.dll xul.dll@0x7d04cf

modules list
ffe.dll 1.1.0.141 45E5E83315 ffe.pdb

investigations
http://www.spywarewarrior.com/viewtopic.php?t=15598
844] C:\WINDOWS\system32\fee.dll -> Spyware.Look2Me : Error during cleaning
http://www.prevx.com/filenames/2885319548134216537-0/T1.S1.FEE.DLL.html
http://spywaredlls.prevx.com/RRABHC41015003/PGMR-FEE.DLL.html

Looks like this could be part of windows logon or replaced by attackers.
here is another one. crashing in firebit.dll 6 seconds after first start up or less.
http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&range_unit=hours&version=Firefox%3A3.0&signature=firebit.dll%400x17b44&range_value=10

stack
0 firebit.dll firebit.dll@0x17b44
1 firebit.dll firebit.dll@0x19376
2 ntdll.dll ntdll.dll@0x3e4b5
3 ntdll.dll ntdll.dll@0x3e488

Avira considers this malware:
http://analysis.avira.com/samples/details.php?uniqueid=cjfH4B3dkkt7mM7TrqHyEOIv6J5x0PbH&incidentid=145222

the firebit.dll appears to be distributed by or from a free hosting site http://bitware.net

Interesting report at mcafee http://forums.mcafeehelp.com/showthread.php?p=520116

"... lately when i have been searching on google with firefox i am being redirected to totally different sites and yesterday i couldnt access either ie or firefox and my pc was running very slow. i ran virus scan but it didnt pick up anything so i tried a free online scanner and it picked up these,
C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP94\A0019710.exe
C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP94\A0019711.exe Trojan-Downloader.Win32.Zlob.jgs
C:\Documents and Settings\Application Data\Mozilla\Firefox\Profiles\jcl6fq4j.default\extensions\firebit@firebit\components\firebit.dll/C:\Documents and Settings\Application Data\Mozilla\Firefox\Profiles\jcl6fq4j.default\extensions\firebit@firebit\components\firebit.dll
C:\Documents and Settings\Application Data\Mozilla\Firefox\Profiles\jcl6fq4j.default\extensions\firebit@firebit\components\firebit.dll not-a-virus:AdWare.Win32.Kitsune.b
if anyone can tell me what these are or can help in any way it would be much appreciated thanks"
Search comments from the Reverse Engineering blog also indicate http://letitbit.net (another free hosting/downloading site) wants to install firebit.dll. Question was also asked there "Has anybody reversed it and care to explain what it does? I noticed it adds two http request headers: ... " but I can't find the post or any responses.
here is another

Crash Reports in rlxf.dll@0xe9dc
Frame Module Signature Source
0 rlxf.dll rlxf.dll@0xe9dc rlxf.dll 1.0.0.5

mostly crashing at start up and shortly after. here are comments:
every time it starts it crashes
um i just opened it and it crashes
1 to 2 seconds after i downloaded the 3.0 and now i can't even get on it.

Other crash reports here:
http://crash-stats.mozilla.com/report/list?range_unit=weeks&query_search=signature&query_type=contains&product=Firefox&version=Firefox%3A3.0&branch=1.9&signature=rlxf.dll%400xe9dc&query=.dll&range_value=1

Reports that try and describe what this .dll is about are at:
http://forums.majorgeeks.com/archive/index.php?t-100395.html ...suggest steps to remove
http://forums.majorgeeks.com/archive/index.php?t-100395.html ...rlxf.dll classified as dangerous
http://research.sunbelt-software.com/threatdisplay.aspx?name=Marketscore.RelevantKnowledge&threatid=15129 ... indicates some association with adware
here is an interesting one

Firefox 3.0 Crash Report [@ radhslib.dll@0x3b6f ]
0 radhslib.dll radhslib.dll@0x3b6f
1 radhslib.dll radhslib.dll@0x16bf5
2 @0x5f110009
3 nspr4.dll SocketSend mozilla/nsprpub/pr/src/io/prsocket.c:694
4 nspr4.dll SocketWrite mozilla/nsprpub/pr/src/io/prsocket.c:714
5 xul.dll nsSocketOutputStream::Write mozilla/netwerk/base/src/nsSocketTransport2.cpp:576
6 xul.dll nsHttpConnection::OnReadSegment mozilla/netwerk/protocol/http/src/nsHttpConnection.cpp:530
7 xul.dll nsHttpTransaction::ReadRequestSegment mozilla/netwerk/protocol/http/src/nsHttpTransaction.cpp:411
8 xul.dll nsBufferedInputStream::ReadSegments mozilla/netwerk/base/src/nsBufferedStreams.cpp:331
9 xul.dll nsHttpTransaction::ReadSegments mozilla/netwerk/protocol/http/src/nsHttpTransaction.cpp:436
10 xul.dll nsHttpConnection::OnSocketWritable mozilla/netwerk/protocol/http/src/nsHttpConnection.cpp:565
11 xul.dll nsHttpConnection::OnOutputStreamReady mozilla/netwerk/protocol/http/src/nsHttpConnection.cpp:776
12 xul.dll nsSocketOutputStream::OnSocketReady mozilla/netwerk/base/src/nsSocketTransport2.cpp:515
13 xul.dll nsSocketTransport::OnSocketReady mozilla/netwerk/base/src/nsSocketTransport2.cpp:1543
14 xul.dll nsSocketTransportService::DoPollIteration mozilla/netwerk/base/src/nsSocketTransportService2.cpp:658
15 xul.dll nsSocketTransportService::OnProcessNextEvent mozilla/netwerk/base/src/nsSocketTransportService2.cpp:522
16 xul.dll nsThread::ProcessNextEvent mozilla/xpcom/threads/nsThread.cpp:497
17 nspr4.dll PR_Lock

no version info in the modules list, but some of the reports show multiple instances of the .dll
radhslib.dll
radprlib.dll

more reports at
http://crash-stats.mozilla.com/report/list?range_unit=weeks&query_search=signature&query_type=contains&product=Firefox&version=Firefox%3A3.0&branch=1.9&signature=radhslib.dll%400x3b6f&query=.dll&range_value=1

on further examination radhslib.dll appears to be part of Naomi web filter by Radiant Morning Technologies.
http://forum.utorrent.com/viewtopic.php?id=34978

so this one might be one to disable if we can based on incompatibility/stability problems. we could also just put an advisory of possible compatibility problems with this software on sumo. we could also follow up with contact to http://www.radiance.m6.net/ to diagnose and see if we can get a fix in the works.
re: comment 6

there is also a different stack signature for the same .dll

Firefox 3.0 Crash Report [@ rlxf.dll@0x14d4a ]

and this signature is associated with a different version number in the .dll: rlxf.dll 1.2.0.5

comments asking for help are a bit more desperate in this batch of crash reports
http://crash-stats.mozilla.com/report/list?range_unit=weeks&query_search=signature&query_type=contains&product=Firefox&version=Firefox%3A3.0&branch=1.9&signature=rlxf.dll%400x14d4a&query=.dll&range_value=1
here is another angle on the reporting. something like this would be very helpful. It shows we have several different stack signatures for this .dll representing several versions of the .dll that are in use.

rank  stack sig.        #of-crashes  .dll      version
1     rlxf.dll@0xe9dc   200          rlxf.dll  1.0.0.5
2     rlxf.dll@0x14d4a  133          rlxf.dll  1.2.0.5
3     rlxf.dll@0xcfc1   72           rlxf.dll  1.1.0.8
4     rlxf.dll@0x111e3  58           rlxf.dll  1.2.0.3
5     rlxf.dll@0xcc8b   35           rlxf.dll  1.1.0.7

this base query gets us part of the way there. then you currently have to drill down with a number of clicks to see the pattern. the idea is that we just want to reduce the number of clicks and raise the right set of data to the surface
http://crash-stats.mozilla.com/?do_query=1&product=Firefox&branch=1.9&version=Firefox%3A3.0&query_search=signature&query_type=contains&query=rlxf.dll&date=&range_value=1&range_unit=weeks
re comment 3: the distribution for ffe.dll looks like

rank  stack sig.       #of-crashes  .dll     version
1     ffe.dll@0x9e69   130          ffe.dll  1.1.0.141
2     ffe.dll@0xa851   50           ffe.dll  1.1.0.141
3     ffe.dll@0x9e36   15           ffe.dll  1.1.0.141
4     ffe.dll@0x944e   12           ffe.dll  1.0.0.106
5     ffe.dll@0xa982   9            ffe.dll  1.1.0.141
6     ffe.dll@0x9662   2            ffe.dll  1.0.0.106
or this query
http://crash-stats.mozilla.com/?do_query=1&product=Firefox&branch=1.9&version=Firefox%3A3.0&query_search=signature&query_type=contains&query=.dll&date=&range_value=1&range_unit=weeks
produces a pretty interesting report of top 100 external .dlls that cause crashes. maybe it's the start point for this kind of analysis. From this kind of list we could scan by eyeball, or whitelist out .dll's that suffer from just compatibility problems, and others that might be more serious malware.

top100 (sorted by signature; rank is by total crashes)
rank  signature                          total  win   mac  linux  sol
59    BkavHook.dll@0x65bf                90     90    0    0      0
14    BkavHook.dll@0xff0                 353    353   0    0      0
70    dirapi.dll@0x46a90                 74     74    0    0      0
63    dirapiX.dll@0x379c3                88     88    0    0      0
41    ffe.dll@0x9e69                     127    127   0    0      0
94    ffe.dll@0xa851                     50     50    0    0      0
58    firebit.dll@0x174c4                90     90    0    0      0
66    firebit.dll@0x17b44                86     86    0    0      0
47    gears_ff2.dll@0x10577c             106    106   0    0      0
13    gears_ff2.dll@0x10577d             374    374   0    0      0
76    GoogleDesktopCommon.dll@0x1679     66     66    0    0      0
7     GoogleDesktopMozilla.dll@0x54da    1073   1073  0    0      0
1     GoogleDesktopMozilla.dll@0x5500    6085   6085  0    0      0
3     GoogleDesktopMozilla.dll@0x5512    3390   3390  0    0      0
75    GoogleDesktopMozilla.dll@0x552a    68     68    0    0      0
37    GoogleDesktopMozilla.dll@0x55d5    156    156   0    0      0
80    GoogleDesktopMozilla.dll@0x567f    61     61    0    0      0
4     GoogleDesktopMozilla.dll@0x56bc    1907   1907  0    0      0
78    GoogleDesktopMozilla.dll@0x56f0    66     66    0    0      0
68    GoogleDesktopMozilla.dll@0x5724    79     79    0    0      0
39    GoogleDesktopMozilla.dll@0x5742    142    142   0    0      0
9     GoogleDesktopMozilla.dll@0x5747    499    499   0    0      0
21    GoogleDesktopMozilla.dll@0x5824    226    226   0    0      0
2     googletoolbar.dll@0x4b2f           3924   3924  0    0      0
67    icm32.dll@0x433e                   85     85    0    0      0
52    iFW_Xfilter.dll@0x37a9             98     98    0    0      0
44    imm32.dll@0x3e24                   117    117   0    0      0
96    jpinscp.dll@0xac57                 49     49    0    0      0
18    jpinscp.dll@0xd015                 263    263   0    0      0
69    js3250.dll@0x4cb97                 76     76    0    0      0
65    jvm.dll@0x10b5d0                   87     87    0    0      0
93    jvm.dll@0x115da8                   53     53    0    0      0
84    jvm.dll@0xb7688                    57     57    0    0      0
81    jvm.dll@0xbc1f8                    61     61    0    0      0
57    jvm.dll@0xbc228                    93     93    0    0      0
54    jvm.dll@0xbc3a0                    95     95    0    0      0
17    kernel32.dll@0x12aeb               284    284   0    0      0
36    kernel32.dll@0x442eb               157    157   0    0      0
22    kernel32.dll@0x49207               211    211   0    0      0
12    kernel32.dll@0x9e7a                404    404   0    0      0
48    libvlc.dll@0x1177f                 104    104   0    0      0
71    mshtml.dll@0x84998                 70     70    0    0      0
56    msvcr71.dll@0x28ed                 93     93    0    0      0
87    msvcr80.dll@0x14500                57     57    0    0      0
49    msvcrt.dll@0x10a78                 103    103   0    0      0
83    msvcrt.dll@0x1226a                 57     57    0    0      0
26    msvcrt.dll@0x37740                 180    180   0    0      0
62    msvcrt.dll@0x37c89                 88     88    0    0      0
79    msxf.dll@0xe9dc                    65     65    0    0      0
55    mzvkbd.dll@0x1871                  95     95    0    0      0
61    npampx3.0.84.2.dll@0x2a63          89     89    0    0      0
50    npdivx32.dll@0x140f1               100    100   0    0      0
99    npdsplay.dll@0x2a3f7               48     48    0    0      0
88    npietab.dll@0x43e9                 56     56    0    0      0
5     npLegitCheckPlugin.dll@0x14ed9     1776   1776  0    0      0
46    npOGAPlugin.dll@0xb391             109    109   0    0      0
100   nppdf32.dll@0x5696                 47     47    0    0      0
24    nppdf32.dll@0x6d0a                 201    201   0    0      0
91    nppdf32.dll@0xb125                 54     54    0    0      0
34    nppdf32.dll@0xc3e8                 163    163   0    0      0
10    nppl3260.dll@0x4341                488    488   0    0      0
6     nppl3260.dll@0x54bb                1140   1140  0    0      0
77    NPSWF32.dll@0x16e8b9               66     66    0    0      0
51    NPSWF32.dll@0x16ef                 99     99    0    0      0
15    NPSWF32.dll@0x1ddbf1               308    308   0    0      0
74    NPSWF32.dll@0x241ce                68     68    0    0      0
72    NPSWF32.dll@0x288f                 68     68    0    0      0
60    NPSWF32.dll@0x34860                90     90    0    0      0
38    NPSWF32.dll@0x3486f                153    153   0    0      0
27    NPSWF32.dll@0x348cd                179    179   0    0      0
16    NPSWF32.dll@0xa966b                299    299   0    0      0
32    NPSWF32.dll@0xd48bb                167    167   0    0      0
98    NPSWF32.dll@0xd49bc                48     48    0    0      0
23    NPSWF32.dll@0xd4ef8                202    202   0    0      0
85    NPSWF32.dll@0xd4ff9                57     57    0    0      0
82    NPSWF32.dll@0xf3492                60     60    0    0      0
64    npww.dll@0x1634                    88     88    0    0      0
8     ntdll.dll@0x100b                   770    770   0    0      0
33    ntdll.dll@0x1b1fa                  164    164   0    0      0
89    ntdll.dll@0x3b15f                  56     56    0    0      0
20    ntdll.dll@0x42e7b                  249    249   0    0      0
53    ntdll.dll@0x43387                  97     97    0    0      0
11    ntdll.dll@0x47dd2                  404    404   0    0      0
29    ntdll.dll@0x59a94                  174    174   0    0      0
45    ntdll.dll@0x60f34                  111    111   0    0      0
35    ntdll.dll@0xe4f4                   157    157   0    0      0
28    piclens.dll@0x114bd9               176    176   0    0      0
92    piclens.dll@0xe2d17                54     54    0    0      0
19    piclens19.dll@0x109eaa             254    254   0    0      0
97    piclens19.dll@0x117066             49     49    0    0      0
30    piclens19.dll@0x11a767             171    171   0    0      0
43    piclens19.dll@0x122d50             118    118   0    0      0
31    radhslib.dll@0x3b6f                170    170   0    0      0
86    rlxf.dll@0x111e3                   57     57    0    0      0
40    rlxf.dll@0x14d4a                   129    129   0    0      0
73    rlxf.dll@0xcfc1                    68     68    0    0      0
25    rlxf.dll@0xe9dc                    199    199   0    0      0
42    uxtheme.dll@0x1c78d                124    124   0    0      0
90    WMNetMgr.dll@0x47c82               55     55    0    0      0
95    xul.dll@0x272d81                   49     49    0    0      0
noami is bug 427406
I hope this kind of information is useful in this bug report, please advise if it isn't.

I came across bug 448837 today which I presume is caused by MySearch.
Info: http://ca.com/us/securityadvisor/pest/pest.aspx?id=453090717
dll's of interest: S4BAR.dll S4PLUGIN.DLL

Sample stack:
ID: 158a9e2b-602e-11dd-bd03-001a4bd43e5c
Signature @0x4b053b4
UUID 3fe4a911-60ae-11dd-996c-001321b13766
Time 2008-08-02 09:14:49-07:00
Uptime 1
Product Firefox
Version 3.0.1
Build ID 2008070208
OS Windows NT
OS Version 6.0.6001 Service Pack 1
CPU x86
CPU Info GenuineIntel family 6 model 23 stepping 6
Crash Reason EXCEPTION_ACCESS_VIOLATION
Crash Address 0x4b053b4
Comments

Crashing Thread
Frame Module Signature Source
0 @0x4b053b4
1 user32.dll user32.dll@0x11911
2 user32.dll user32.dll@0x20816
3 user32.dll user32.dll@0x139f6
4 ntdll.dll ntdll.dll@0x599cd
5 user32.dll user32.dll@0x13cc2
6 user32.dll user32.dll@0xfd90
7 S4BAR.DLL S4BAR.DLL@0x2670
8 S4BAR.DLL S4BAR.DLL@0x1413
9 S4PLUGIN.DLL S4PLUGIN.DLL@0x1f13
10 S4PLUGIN.DLL S4PLUGIN.DLL@0x43ad
11 xul.dll ns4xPluginInstance::SetWindow mozilla/modules/plugin/base/src/ns4xPluginInstance.cpp:1175
12 xul.dll nsPluginNativeWindow::CallSetWindow nsPluginNativeWindow.h:95
13 xul.dll nsPluginNativeWindowWin::CallSetWindow mozilla/modules/plugin/base/src/nsPluginNativeWindowWin.cpp:499
14 xul.dll nsPluginHostImpl::InstantiateEmbeddedPlugin mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3642
15 xul.dll nsObjectFrame::InstantiatePlugin mozilla/layout/generic/nsObjectFrame.cpp:860
Summary: soccoro report to watch for adware,spyware, malware in crash data → Socorro report to watch for adware, spyware, malware in crash data
bug 512122 "Possible Adware.DoubleD related Crash [@NPFFAddOn.dll@0x11867" has a good case study for why some reporting tools around this are needed, what kind of data we need, and how it might be used.
Blocks: 467167
the quicker we could get a report like this, the quicker we might be able to assess how many users might be getting their searches hijacked by malware. see: https://bugzilla.mozilla.org/show_bug.cgi?id=513570 if we could see how many crash reports had .dll's related to TSPY_EBOD.A and Nine-Ball loaded in the module list that would give us rough numbers on how many firefox users might be affected in the general population.
other bug related to search hijacking added to dependency list
Whiteboard: cloud, next
darkreading just published an interesting study on number of enterprise users affected by botnets.
http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=220200118

we could do something similar with #firefox users affected in the general population of 100million daily users, and also in the segment of large institutional use of firefox. It would be interesting to see if general population and institutional botnet infection is lower or the same for places where firefox is already deployed.

we have the pretty good start of the .dll's in the process/module list to go look for under the dependency list in bug 512788
whoa, this is a hot news day for this kind of stuff.

http://www.thetechherald.com/article.php/200939/4504/Cyveillance-More-than-half-of-the-active-threats-online-go-undetected writes that [the research company Cyveillance said a couple of interesting things]

-----
...that they detect hundreds if not thousands of new Malware attacks. To test detection rates, they fed these active attacks through thirteen of the top anti-Virus vendor offerings. McAfee scored the highest, with a detection rate of 44-percent, followed by Sophos (38%), Dr. Web (36%), Symantec (35%), Trend Micro (34%), AVG (31%), and F-Secure with 28-percent.

They tested browser security as well, using Internet Explorer, Safari, Google Chrome, and Firefox. The browser test aimed at Phishing protections, and overall, Mozilla scored the highest. Firefox detected 54.9-percent of Phishing related attempts upon initial discovery, and 87.1-percent after the first 24-hours. Chrome came in second, followed by Safari and Internet Explorer
----

research on the module list could help validate and track that 54.9% number.

I think the first paragraph is making the claim that they have the most authoritative list of what constitutes malware, or at least a pretty good list that all the anti-virus companies have, but just aren't able to protect against yet. I wonder if they would be interested in sharing that list so we could use it for checking against the crash report module lists.
Target Milestone: --- → 1.3
Whiteboard: cloud, next → cloud, next [crashkill][crashkill-metrics]
Target Milestone: 1.3 → 1.4
Assignee: nobody → deinspanjer
This will need to use the new system -- Daniel can you put this near the top of your list? When can we start hacking on this using the cluster?
OS: Mac OS X → All
Target Milestone: 1.4 → 1.5
Shortly after bug 538206 is fixed. I'll make it a top priority.
a ranking report by Firefox product version would fit the bill on this very nicely. just linkify the signatures so a viewer of the report could drill down. this kind of report could allow third party providers to watch their .dlls, or anti-virus companies and us to look for new instances of .dll's that are crashing and should be blocked or removed from the system.
we could also link to bugs with signatures in the bug title that correspond to .dll names as we do in the reports like http://crash-stats.mozilla.com/topcrasher/byversion/Firefox/3.6
Target Milestone: 1.5 → 1.6
Target Milestone: 1.6 → 1.7
After we have imported the existing jsonz files into production, we'll be able to begin developing a MR to answer this question. Since we need schema changes to be able to import jsonz and those changes won't be in production until 1.7, technically, this bug is impossible to close as part of 1.7 and should be pushed to 1.8
Assignee: deinspanjer → aphadke
Target Milestone: 1.7 → 1.8
Whiteboard: cloud, next [crashkill][crashkill-metrics] → search
Whiteboard: search → search [crashkill][crashkill-metrics]
Target Milestone: 1.8 → 1.9
Possible to develop this MR job now?
Laura/chofmann - What exactly do we need out here?
1. A framework for MR job that returns related DLLs with counts for a given input DLL as per comment #15 or something else?
2. What time range?
3. By when do you want this?

Daniel - Would meta_data:json column be sufficient for this job or we need to do some sort of backfilling?

-anurag
there are two basic types of monitoring we could do.

first would be to watch for crashes in suspicious .dll's to watch for widespread outbreaks of malware attacks against firefox, where poorly written malware is also generating crashes.

second would be to scan the module list of crash reports looking for known malware .dll's then attempting to warn users what we spotted in their crash report submission. we have an e-mail notification system sort of in place now, and we could build extra client features for notification.

both of these kinds of analysis involve starting to build a list of known, suspected, and to-be-investigated malware .dll's and then banging them against crash reports.

I'll try to write more, or get someone to write more on this soon.
Looking for signatures with .dll in them and no bug report assigned, filtering out a few known valid libraries (like ntdll.dll) would probably go a long way for the first part. What makes the task harder is that some malware seems to mask with random names or names of valid libraries, apparently, but we probably can never be perfect on automatic detection. For the second part that chofmann mentions here, I guess we'll need to go build a list of known malware dlls - though as mentioned, name masking might pose a problem here as well. :(
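Added example (not Socorro's code) of the two monitoring types described in the last two comments and the per-.dll ranking sketched earlier in the thread: a signature-based ranking that drops known-good libraries, and a module-list scan against a watch list. The sample crash reports, the known-good set and the watch-list entries are constructed for the demo, not real crash-stats data or an authoritative malware list.

```python
"""Added example (not Socorro code): rank crashes by third-party .dll signature
and flag crashes whose module list carries a watch-listed .dll. The sample
crashes, the known-good set and the watch list below are constructed/assumed."""
import re
from collections import Counter, defaultdict

# Constructed sample crash reports in a minimal Socorro-like shape: the crash
# signature plus the module list as (filename, version) pairs. Not real data.
CRASHES = [
    {"signature": "rlxf.dll@0xe9dc",
     "modules": [("xul.dll", "1.9.0"), ("rlxf.dll", "1.0.0.5")]},
    {"signature": "RLXF.DLL@0xe9dc",  # same dll, different casing
     "modules": [("xul.dll", "1.9.0"), ("RLXF.DLL", "1.0.0.5")]},
    {"signature": "rlxf.dll@0x14d4a",
     "modules": [("xul.dll", "1.9.0"), ("rlxf.dll", "1.2.0.5")]},
    {"signature": "ntdll.dll@0x100b",  # system library, filtered out
     "modules": [("xul.dll", "1.9.0"), ("ntdll.dll", "5.1.2600.5512")]},
    {"signature": "nsDocLoader::FireOnStateChange",  # crash is in xul.dll,
     "modules": [("xul.dll", "1.9.0"), ("ffe.dll", "1.1.0.141")]},  # ffe.dll loaded
]

# Known-good libraries excluded from the .dll signature report (assumed set).
KNOWN_GOOD = {"ntdll.dll", "kernel32.dll", "user32.dll", "msvcrt.dll", "xul.dll"}

# Known / suspected / to-be-investigated modules (assumed, lower-cased names).
WATCHLIST = {
    "rlxf.dll": "suspected adware, see majorgeeks and sunbelt threads",
    "ffe.dll": "under investigation, possible Look2Me",
}

# Socorro-style signature for a frame without symbols: MODULE.dll@0xOFFSET
SIG_RE = re.compile(r"^(?P<dll>[^@\s]+\.dll)@0x[0-9a-f]+$", re.IGNORECASE)


def dll_from_signature(signature):
    """Lower-cased .dll name the signature points into, or None if symbolized."""
    m = SIG_RE.match(signature)
    return m.group("dll").lower() if m else None


def module_version(modules, dll):
    """Version recorded in the module list for dll, matched case-insensitively."""
    for name, version in modules:
        if name.lower() == dll:
            return version
    return None


def rank_dll_signatures(crashes, known_good=KNOWN_GOOD):
    """First monitoring type: rank signatures landing in third-party .dlls.

    Rows are (rank, signature, crashes, dll, versions), like the report
    sketched in the thread; signatures in known-good libraries are dropped.
    """
    counts = Counter()
    versions = defaultdict(set)
    for crash in crashes:
        sig = crash["signature"].lower()   # fold case so RLXF.DLL == rlxf.dll
        dll = dll_from_signature(sig)
        if dll is None or dll in known_good:
            continue
        counts[sig] += 1
        ver = module_version(crash["modules"], dll)
        if ver:
            versions[sig].add(ver)
    return [(rank, sig, n, dll_from_signature(sig), ",".join(sorted(versions[sig])))
            for rank, (sig, n) in enumerate(counts.most_common(), 1)]


def flag_watchlisted(crashes, watchlist=WATCHLIST):
    """Second type: scan every module list for watch-listed .dlls, whatever the signature."""
    hits = []
    for index, crash in enumerate(crashes):
        for name, version in crash["modules"]:
            key = name.lower()
            if key in watchlist:
                hits.append((index, key, version, watchlist[key]))
    return hits
```

The ffe.dll sample shows why both passes are needed: its signature is inside xul.dll, so only the module-list scan reports it.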
Depends on: 638634
No longer depends on: 638634
Blocks: 638191
Assignee: aphadke → nobody
Depends on: 577613
Target Milestone: 1.9 → ---
Component: Socorro → General
Product: Webtools → Socorro
Depends on: 656297
Will DLL Directory cover everything that's needed here?
(In reply to Laura Thomson :laura from comment #28)
> Will DLL Directory cover everything that's needed here?

From how I read comment #0, the DLL Directory would be a prerequisite for getting what chofmann has intended here, but it would need to become integrated into Socorro. If anything, that can only be a term-term goal, nothing we can immediately attack.
yep, this is another "explosiveness" kind of report based on stacks and module lists that have spyware. the dictionary only helps us to describe and keep track of what dll's are and what they do.
Target Milestone: --- → Future
We can pursue this in data platform if it is still desired. crash-stats will not implement this or dll directory.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX