Bug 538099 - Spike in H8SRT*.dll rootkit crashes in late Dec 2009
Status: Closed, RESOLVED WONTFIX
Opened 15 years ago, closed 11 years ago
Categories: Toolkit :: Blocklist Policy Requests, defect
People: Reporter: chofmann, Unassigned
References: Blocks 1 open bug
Keywords: crash, user-doc-needed; Whiteboard: [crashkill]

Description (reporter, 15 years ago)
rootkit .dll crashes are going crazy in the past few days.

...zero dec1-3
20091204-crashdata 1 H8SRT
--zero
20091214-crashdata 1 H8SRT
--zero
20091228-crashdata 24 H8SRT
20091229-crashdata 159 H8SRT
20091230-crashdata 117 H8SRT
20091231-crashdata 173 H8SRT
20100101-crashdata 240 H8SRT
20100102-crashdata 277 H8SRT
20100103-crashdata 1203 H8SRT
20100104-crashdata 1500 H8SRT

the rootkit randomly renames the .dll

signature distribution: 817
signature list:
21 H8SRTpmtpnugxww.dll@0x210b
15 H8SRTqmkdviwuyu.dll@0x210b
14 H8SRTipmkjyyrwk.dll@0x1626
13 H8SRTeoawvipmnv.dll@0x210b
11 H8SRTwkbwevpquf.dll@0x210b
10 H8SRTntncdqjcyo.dll@0x210b
10 H8SRTkcxuiymqpu.dll@0x210b
10 H8SRTholtytyhrr.dll@0x210b
<and 700+ more .dll names>

checking --- 20100104-crashdata.csv H8SRT
release   total-crashes   H8SRT-crashes   pct.
all       226696          1500            0.00661679
3.0.15    2434            6               0.00246508
3.0.16    35495           354             0.00997324
3.5.5     6721            22              0.00327332
3.5.6     121957          900             0.00737965
3.6b5     23541           118             0.00501253
3.6b4     1853            1               0.000539665
3.6b3     657             7               0.0106545
3.6b2     664             0
3.6b1     2069            0

os breakdown
809   0.539333     Windows NT5.1.2600 Service Pack 3
412   0.274667     Windows NT5.1.2600 Service Pack 2
117   0.078        Windows NT6.0.6001 Service Pack 1
92    0.0613333    Windows NT6.0.6002 Service Pack 2
46    0.0306667    Windows NT6.0.6000
7     0.00466667   Windows NT5.1.2600 Service Pack 1
6     0.004        Windows NT5.1.2600
4     0.00266667   Windows NT5.1.2600 Service Pack 3, v.5857
4     0.00266667   Windows NT5.1.2600 Service Pack 3, v.3180
1     0.000666667  Windows NT5.2.3790
1     0.000666667  Windows NT5.1.2600 Service Pack 3, v.5755
1     0.000666667  Windows NT5.1.2600 Service Pack 3, v.3244

google search has this link and many more that tell about the rootkit and how to remove it.
http://www.myantispyware.com/2009/12/22/how-to-remove-h8srt-trojan-remove-rootkit-tdss/

H8SRT trojan is a new version of TDSS trojan, also known as Rootkit.TDSS. The trojan infects your computer through a vulnerability in an already installed program (mostly in Internet Explorer). It is a very dangerous trojan-rootkit; it uses rootkit-specific techniques designed to hide the software's presence in the system. When installed, it will be configured to start automatically when Windows starts. H8SRT trojan may:
- display many popups and fake security alerts;
- hijack Internet Explorer;
- redirect search results in Google, Yahoo, MSN to non-related sites;
- block access to security websites;
- disable Windows Task Manager, Windows Security Center and Registry editor.
What is more, H8SRT trojan blocks the ability to run a lot of antivirus and antispyware programs, including Malwarebytes Anti-Malware. Also, it is usually installed in conjunction with rogue antispyware programs. If your computer is infected with the trojan, then use the removal instructions below, which will remove H8SRT trojan and any associated malware for free.
Updated by reporter (15 years ago)
Blocks: malware-attacks

Comment 1 (reporter, 15 years ago)
I wish we could block stuff like this, but might only need user doc on sumo for now.

Comment 2 (15 years ago)
we could switch to only allowing signed libraries into our process's memory space...
Comment 3 (reporter, 15 years ago)
pretty strong correlation to startup: 1500 total crashes for H8SRT on 20100104-crashdata.csv, 760 startup crashes inside 3 minutes.

one recent comment:
Firefox crashes after about 10 seconds each time i try to open it. I have uninstalled it and installed it over and over but it doesnt work. please help me!

not much in the urls that might help to indicate a high correlation of where the infection might be coming from

domains of sites
340 //
168 http://www.facebook.com
136 \N//
49 http://www.google.com
38 about:blank//
37 about:sessionrestore//
34 http://login.live.com
31 http://www.youtube.com
22 http://www.tuenti.com
20 http://www.google.es
14 http://www.google.de
14 http://m.www.yahoo.com
12 http://home.myspace.com
11 http://apps.facebook.com
8 http://www.pornhub.com
8 http://www.google.it
7 http://www.comcast.net
7 http://download.cnet.com
6 http://www.google.se
6 http://www.google.com.br
6 http://h20000.www2.hp.com
5 http://www.paidthefastest.com
Comment 4 (reporter, 15 years ago)
mostly 10.0.32.18 is running when flash is present at the time of the crash, but other versions are also showing up.

http://crash-stats.mozilla.com/report/index/fc50fea2-11a4-4e63-8c0b-d47bf2100105
H8SRTxynxnpfpfu.dll NPSWF32.dll 10.0.32.18

http://crash-stats.mozilla.com/report/index/fcc2b7de-8db8-4381-a3f4-253fc2100105

http://crash-stats.mozilla.com/report/index/ef5a5965-d8ad-4b48-beb8-1b2ad2100105
H8SRTubxsxnspcm.dll NPSWF32.dll 10.0.42.34

http://crash-stats.mozilla.com/report/index/f429aaa0-5040-4a66-934c-30ffe2100105
H8SRTkwmahnejrf.dll NPSWF32.dll 10.0.22.87
Comment 5 (reporter, 15 years ago)
looks like any one of these signatures is not high enough volume to show up in http://people.mozilla.com/crash_analysis/ so it's hard to get an idea about plugins that might have been exploited to get the rootkit installed.
Updated by reporter (15 years ago)
Component: General → Blocklisting
Product: Firefox → addons.mozilla.org
QA Contact: general → blocklisting
Version: 3.5 Branch → unspecified
Comment 6
re comment 2, http://msdn.microsoft.com/en-us/library/aa382384(VS.85).aspx has the code to do it. I just need to find the code where we were starting to veto stuff.
Comment 7
In http://hg.mozilla.org/mozilla-central/file/aa6337822028/toolkit/xre/nsWindowsDllBlocklist.cpp

While you're there, you could add support for * matching maybe, though that would be a bit of complex code there. But it would let us block h8srt*.dll.
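As an added illustration of the "* matching" idea (example code written here, not Mozilla's nsWindowsDllBlocklist.cpp), a case-insensitive glob matcher over a constructed blocklist table: one entry, h8srt*.dll, covers every randomly named H8SRT module in the description, while exact-name entries keep working. The table contents and the IsBlocked/BaseName helpers are assumptions for this example.

```cpp
#include <cctype>

// Constructed blocklist for this example. The real table holds exact module
// names; here a '*' stands for any run of characters, so one entry covers every
// H8SRT<random>.dll seen in the crash data.
static const char* const kBlocklist[] = {
  "h8srt*.dll",
  "exampleplugin.dll",  // constructed exact-name entry, to show both styles coexist
};

// Case-insensitive glob match supporting '*' only. A '*' is re-expanded by one
// character whenever the literal tail fails, so "h8srt.dll.bak" does not match
// "h8srt*.dll" even though ".dll" occurs inside it.
bool GlobMatchNoCase(const char* pat, const char* name) {
  const char* starPat = nullptr;   // last '*' seen in pat
  const char* starName = nullptr;  // where in name that '*' started matching
  while (*name) {
    if (*pat == '*') {
      starPat = pat++;
      starName = name;
    } else if (*pat && std::tolower((unsigned char)*pat) ==
                       std::tolower((unsigned char)*name)) {
      ++pat;
      ++name;
    } else if (starPat) {
      pat = starPat + 1;   // let the '*' swallow one more character and retry
      name = ++starName;
    } else {
      return false;
    }
  }
  while (*pat == '*') ++pat;  // trailing '*' matches the empty string
  return *pat == '\0';
}

// Strip any directory part so "C:\WINDOWS\system32\H8SRTabc.dll" is judged by
// its file name, the way a module-load hook sees it.
const char* BaseName(const char* path) {
  const char* last = path;
  for (const char* p = path; *p; ++p) {
    if (*p == '\\' || *p == '/') last = p + 1;
  }
  return last;
}

// True when the module's file name matches any blocklist entry.
bool IsBlocked(const char* modulePath) {
  const char* name = BaseName(modulePath);
  for (const char* pattern : kBlocklist) {
    if (GlobMatchNoCase(pattern, name)) return true;
  }
  return false;
}
```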
Comment 8 (11 years ago)
Closing old blocklist bugs. Please reopen if the problem still exists.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
Updated by assignee (8 years ago)
Product: addons.mozilla.org → Toolkit