Closed
Bug 530898
Opened 15 years ago
Closed 15 years ago
Consider blocklisting rdolib.dll
Categories
(Toolkit :: Blocklist Policy Requests, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: sicking, Assigned: johnath)
References
Details
(Keywords: verified1.9.2)
Attachments
(1 file)
|
962 bytes,
patch
|
sicking
:
review+
beltzner
:
approval1.9.2.2+
|
Details | Diff | Splinter Review |
This library is heavily correlated with the _PR_MD_SEND crash signature, which is one of our topcrashes. Looking at the last three days of data for the 3.5.5 release for the _PR_MD_SEND signature:
21% (244/1143) vs. 0% (457/93699) rdolib.dll
18% (175/997) vs. 0% (407/91800) rdolib.dll
19% (225/1158) vs. 1% (518/97540) rdolib.dll
In all cases it's version 6.0.88.4 that is the one correlated with the crash.
Additionally it seems like this dll is correlated with a couple of other crash signatures as well. Looking at the data from 11/23 for 3.5.5:
rdolib.dll@0x3cc2|EXCEPTION_ACCESS_VIOLATION (62 crashes)
100% (62/62) vs. 1% (518/97540) rdolib.dll (6.0.88.4)
rdolib.dll@0x3f0a|EXCEPTION_ACCESS_VIOLATION (60 crashes)
100% (60/60) vs. 1% (518/97540) rdolib.dll (6.0.88.4)
rdolib.dll@0x3635|EXCEPTION_ACCESS_VIOLATION (41 crashes)
100% (41/41) vs. 1% (518/97540) rdolib.dll (6.0.88.4)
rdolib.dll@0x134c|EXCEPTION_ACCESS_VIOLATION (26 crashes)
100% (26/26) vs. 1% (518/97540) rdolib.dll (6.0.88.4)
recv|EXCEPTION_ACCESS_VIOLATION (22 crashes)
45% (10/22) vs. 1% (518/97540) rdolib.dll (6.0.88.4)
send|EXCEPTION_ACCESS_VIOLATION (21 crashes)
14% (3/21) vs. 1% (518/97540) rdolib.dll (6.0.88.4)
rdolib.dll@0x3f60|EXCEPTION_ACCESS_VIOLATION (11 crashes)
100% (11/11) vs. 1% (518/97540) rdolib.dll (6.0.88.4)
(again, no surprise that crashes in the dll itself is correlated with the dll).
A google search turned up these two pages:
http://www.prevx.com/filenames/X955166305604864582-X1/RDOLIB.DLL.html
http://www.incodesolutions.com/threats3/System32Rootrdolibdll.php
But also a lot of pages sort of indicating that rdolib.dll wasn't that big of a deal. Does anyone know of better places to search than a simple google search?Flags: blocking-firefox3.6?
|
Reporter | |
Comment 1•15 years ago
|
||
Oh, I forgot to mention. Since I'm still not quite sure what type of dll this is (virus, AV, somethingelse), we should investigate if we can block this through addon blocking or plugin blocking instead. Though the little data I found seems to indicate that we can't do that.
|
||
Comment 2•15 years ago
|
||
from http://www.bleepingcomputer.com/forums/lofiversion/index.php/t269709.html C:\WINNT\system32\rdolib.dll Infected: Backdoor.Win32.Agent.amqy 1 http://www.threatexpert.com/report.aspx?md5=ae872a24db4529b397845a4a8b7ab6b8 %System%\rdolib.dll Backdoor.Win32.Agent.anba [Kaspersky Lab]
|
||
Comment 3•15 years ago
|
||
Man, I'm liking this DLL blocklist thing. Assigning to Johnath, though I expect he might want Kev to help verify that this is malware. I bet our friends at Norton could help us here.
Assignee: nobody → johnath
Flags: blocking-firefox3.6? → blocking-firefox3.6+
|
Assignee | |
Comment 4•15 years ago
|
||
(In reply to comment #0) > (again, no surprise that crashes in the dll itself is correlated with the dll). > > > A google search turned up these two pages: > http://www.prevx.com/filenames/X955166305604864582-X1/RDOLIB.DLL.html > http://www.incodesolutions.com/threats3/System32Rootrdolibdll.php > > But also a lot of pages sort of indicating that rdolib.dll wasn't that big of a > deal. Does anyone know of better places to search than a simple google search? I've been using McAfee's threat search - http://search.mcafee.com/search and http://www.processlibrary.com/ to supplement google, but I agree we need better tools here. I've sent feelers to stopbadware.org as well, to see if they have a good resource here. Having an actual copy of the DLL would help a lot, since we could ask it things. Looks like it's consistently version 6.0.88.4 at work here, based on checking the last couple nightly "interesting modules, with versions."
|
|
Assignee | |
Comment 5•15 years ago
|
||
Incidentally - the internet (well, prevx) believes that this dll only started appearing Nov. 9 (http://www.prevx.com/filenames/X955166305604864582-X1/RDOLIB.DLL.html) and our crash tell a similar story - no crashes before Nov-6-2009.
|
|
||
Updated•15 years ago
|
Flags: blocking-firefox3.6+ → wanted-firefox3.6+
|
|
Assignee | |
Comment 6•15 years ago
|
||
Emailed a few of the reporters of rdolib crashes that supplied email addresses, in an attempt to get a copy of the DLL.
|
|
Reporter | |
Comment 7•15 years ago
|
||
Johnathan: Any updates here? Still looking for a copy of the DLL? If so I can try to send out a few more feelers. Don't really understand what you're intending to "ask" the dll though?
|
|
Assignee | |
Comment 8•15 years ago
|
||
(In reply to comment #7) > Johnathan: Any updates here? Still looking for a copy of the DLL? If so I can > try to send out a few more feelers. Don't really understand what you're > intending to "ask" the dll though? In point of fact, I put the patch together this morning when I got back from vacation! I'd have liked to ask the DLL's metadata if it had anything to say about a vendor - when you first filed the google results felt a little more ambiguous than they do now. These days, the thing looks like unambiguous malware. I'd be happier if processlibrary or mcafee knew anything about it, but I would also like our users to stop crashing, and haven't been able to turn up anything more legitimate. Blocking this in a version-specific way means that if we do flush a legitimate vendor, they have an out. I'm reasonably certain they didn't want our users crashing either.
Attachment #420158 -
Flags: review?(jonas)
|
|
Reporter | |
Comment 9•15 years ago
|
||
Comment on attachment 420158 [details] [diff] [review] Block rdolib 6.0.88.4 Awesome, thanks!
Attachment #420158 -
Flags: review?(jonas) → review+
|
|
Assignee | |
Comment 10•15 years ago
|
||
On my way out, can't land this tonight, but it should be good to land on mozilla-central.
Keywords: checkin-needed
|
|
Reporter | |
Comment 11•15 years ago
|
||
Pushed to mozilla-central http://hg.mozilla.org/mozilla-central/rev/f986bfa5844a Thanks for the patch!
|
|
Reporter | |
Comment 12•15 years ago
|
||
We likely want this on the 1.9.2 branch, but there's currently no way to request blocking since this component/product doesn't have that flag :( We also might want to let this bake a few days before taking on that branch
|
|
Assignee | |
Comment 13•15 years ago
|
||
Yeah, once it's baked for a day or two, we'll just request approval and get it in comments, I think. I don't think this *blocks* per se (I would accept a world in which we released in in 3.6.1, for instance) but it should be a trivial approval if it bakes without incident.
|
|
Reporter | |
Comment 14•14 years ago
|
||
There doesn't seem to be a way to ask for 1.9.2 approval for this patch :( But I think we should take this on 1.9.2
blocking1.9.2: --- → ?
|
|
Reporter | |
Updated•14 years ago
|
Attachment #420158 -
Flags: approval1.9.2.1?
|
|
||
Updated•14 years ago
|
|
|
||
Comment 15•14 years ago
|
||
Comment on attachment 420158 [details] [diff] [review] Block rdolib 6.0.88.4 a=beltzner for 1.9.2.2
Attachment #420158 -
Flags: approval1.9.2.2? → approval1.9.2.2+
|
|
Reporter | |
Comment 16•14 years ago
|
||
Checked in to 1.9.2.2 http://hg.mozilla.org/releases/mozilla-1.9.2/rev/29952d709b5b
|
||
Comment 17•14 years ago
|
||
not sure this fix can be verified prior to releasing Fx3.6.2. We may need to watch crash reports to see if anything creeps up with the rdolib.dll doing bad things.
|
||
Comment 18•14 years ago
|
||
This can be verified for looking at source, which I did. We've just added the file to the list.
Keywords: verified1.9.2
|
||
Updated•8 years ago
|
Product: addons.mozilla.org → Toolkit
You need to log in
before you can comment on or make changes to this bug.
Description
•