Blocklist vksaver.dll 1.0.0.1 to prevent various crashes

RESOLVED FIXED

Status

9 years ago
3 years ago

People

(Reporter: chofmann, Assigned: unghost)

Tracking

(Depends on: 1 bug)

unspecified
x86
Windows XP

Firefox Tracking Flags

(blocking1.9.2 needed, status1.9.2 .2-fixed)

Details

(crash signature)

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

9 years ago
stack looks like

http://crash-stats.mozilla.com/report/index/eba19f83-aef9-4ddb-b023-9155c2100118

Frame  	Module  	Signature  	Source
0 	vksaver.dll 	vksaver.dll@0x3d09 	
1 	vksaver.dll 	vksaver.dll@0x41b1 	
2 	vksaver.dll 	vksaver.dll@0x80eb 	
3 	vksaver.dll 	vksaver.dll@0x80eb 	
4 	vksaver.dll 	vksaver.dll@0x429a 	
5 	vksaver.dll 	vksaver.dll@0x42aa 

more reports at

http://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&signature=vksaver.dll%400x3d09&version=Firefox%3A3.6	

more signatures also shown as

signature list
1582 vksaver.dll@0x3d09
 129 vksaver.dll@0x3e06
  37 vksaver.dll@0x3676
  36 vksaver.dll@0x2fc4
  34 vksaver.dll@0x3e16
  14 vksaver.dll@0x3dbc
  12 vksaver.dll@0x3e7f
   8 vksaver.dll@0x3666
   4 vksaver.dll@0x3dec
   3 vksaver.dll@0x3dac
   3 vksaver.dll@0x3040
   2 vksaver.dll@0x47
   1 vksaver.dll@0x4262
   1 vksaver.dll@0x3d6d
   1 vksaver.dll@0x3d5d
   1 vksaver.dll@0x3405
   1 vksaver.dll@0x31
   1 VKSAVER.DLL@0x3d09

number of crashes has exploded in the last couple of days.

date vksaver.dll crashes
230-300 crashes for early jan.

20100114-crashdata 252 vksaver.dll
20100115-crashdata 1767 vksaver.dll
20100116-crashdata 2045 vksaver.dll
20100117-crashdata 2124 vksaver.dll
20100118-crashdata 1870 vksaver.dll

google search shows

The following is the available information on vksaver.dll:
Property	Value
Product name	vkfilter
File description	Music download filter for vkontakte.ru
Internal name	vkfilter
Original filename	vkfilter
Comments	Music download filter for vkontakte.ru
Legal copyright	Copyright (C) 2008
Product version	1.0.0.1
File version	1.0.0.1
Thanks for compiling the info - hard to tell if this is delivered as part of an addon/plugin or not.  It's happening on 3.6 too, which means it's likely not a component-dir drop, anyhow...
looks like this one : http://softsearch.ru/programs/335-313-vksaver-download.shtml

Seems to be part of a plugin because it supports: Opera / Firefox / Internet Explorer / Chrome
Tomcat - as part of your crashkill QA, what are the odds that you can try to install that beast in a VM and see what it does?
Keywords: qawanted
(In reply to comment #3)
> Tomcat - as part of your crashkill QA, what are the odds that you can try to
> install that beast in a VM and see what it does?

Yeah, of course I will take and test this - btw vkontakte.ru is a kind of Russian Facebook!
analysis from virustotal.com of the installer

File vksaver-install.exe received on 2010.01.25 20:36:32 (UTC)
Antivirus	Version	Last Update	Result
a-squared	4.5.0.50	2010.01.25	Trojan.Generic.IS!IK
AhnLab-V3	5.0.0.2	2010.01.25	-
AntiVir	7.9.1.150	2010.01.25	TR/Agent.59921
Antiy-AVL	2.0.3.7	2010.01.22	-
Authentium	5.2.0.5	2010.01.25	-
Avast	4.8.1351.0	2010.01.25	-
AVG	9.0.0.730	2010.01.25	-
BitDefender	7.2	2010.01.25	Trojan.Generic.IS.542555
CAT-QuickHeal	10.00	2010.01.25	-
ClamAV	0.94.1	2010.01.25	-
Comodo	3708	2010.01.25	UnclassifiedMalware
DrWeb	5.0.1.12222	2010.01.25	-
eSafe	7.0.17.0	2010.01.25	Win32.Malware.ezbp
eTrust-Vet	35.2.7259	2010.01.25	-
F-Prot	4.5.1.85	2010.01.25	-
F-Secure	9.0.15370.0	2010.01.25	Trojan.Generic.IS.542555
Fortinet	4.0.14.0	2010.01.25	-
GData	19	2010.01.25	Trojan.Generic.IS.542555
Ikarus	T3.1.1.80.0	2010.01.25	Trojan.Generic.IS
Jiangmin	13.0.900	2010.01.24	-
K7AntiVirus	7.10.952	2010.01.22	-
Kaspersky	7.0.0.125	2010.01.25	-
McAfee	5872	2010.01.25	-
McAfee+Artemis	5872	2010.01.25	-
McAfee-GW-Edition	6.8.5	2010.01.25	Heuristic.BehavesLike.Win32.Suspicious.B
Microsoft	1.5405	2010.01.25	-
NOD32	4805	2010.01.25	-
Norman	6.04.03	2010.01.25	Malware.EZBP
nProtect	2009.1.8.0	2010.01.25	-
Panda	10.0.2.2	2010.01.25	Trj/CI.A
PCTools	7.0.3.5	2010.01.25	-
Prevx	3.0	2010.01.25	High Risk Cloaked Malware
Rising	22.32.00.04	2010.01.25	-
Sophos	4.50.0	2010.01.25	Mal/Generic-A
Sunbelt	3.2.1858.2	2010.01.25	-
Symantec	20091.2.0.41	2010.01.25	-
TheHacker	6.5.0.9.162	2010.01.25	-
TrendMicro	9.120.0.1004	2010.01.25	-
VBA32	3.12.12.1	2010.01.25	-
ViRobot	2010.1.25.2154	2010.01.25	-
VirusBuster	5.0.21.0	2010.01.25	-
Also, the dll itself installs into C:\WINDOWS\system32 and not into the Firefox directory; it's not installing itself as a Firefox plugin or extension, it seems.
That doesn't seem very well-behaved. Do we have any reason to believe this is being done by a legitimate site - like, is it possible that we're seeing unfortunate false positives here, rather than the malware it appears to be? Who do we know that speaks Russian?
(In reply to comment #7)
> That doesn't seem very well-behaved. Do we have any reason to believe this is
> being done by a legitimate site - like, is it possible that we're seeing
> unfortunate false positives here, rather than the malware it appears to be? Who
> do we know that speaks Russian?

cc'ing Alexander and Konstantin, maybe you guys could help us here ?
As I speak Russian I could do some research on this using Russian web sites.

VKSaver doesn't seem to be a malware. It is actually a program to download some media content from Russian social networking site vkontakte.ru. But it is not a Firefox plugin. It seems to work like a "hack" for all known browsers by running a special script on opening the web site. Apparently this intrusion is implemented not quite correctly, which causes Firefox to crash.
(Assignee)

Comment 10

9 years ago
(In reply to comment #7)
> That doesn't seem very well-behaved. Do we have any reason to believe this is
> being done by a legitimate site - like, is it possible that we're seeing
> unfortunate false positives here, rather than the malware it appears to be? Who
> do we know that speaks Russian?
AFAIK, VKSaver is a hack program for downloading audio files from vkontakte.ru (it's a very popular Russian social network, a clone of Facebook). It's not a trojan or malware per se. Looks like its main site is http://audiovkontakte.ru/

Comment 11

9 years ago
So then I guess we are facing a problem. We could either block this and make a lot of Russians upset, or we could choose not to do anything and have Russians who are upset about the crashes instead.

I guess the best thing we can do is to contact the developers of the "hack". Any volunteers? If they release an update with this issue fixed, we could block the old versions.
Things are not quite as hopeless as Magne puts them, but I agree with the basic options here:

- communicate and work with the authors to fix the problem
- Blocklist without communication to fix the crashes

Clearly I would strongly prefer the first option. I'm happy to be the point of contact, as always, but in this case I'm not even sure I can find an email address, nor that I would necessarily share a common language with the person I would reach.

I wonder if I can ask yet another favour of the Russian speakers on this bug: can any of you find contact information for the authors of this plugin, and make initial contact? If you can do this, please do ask whether the conversation can happen in English and, if so, feel free to hand off to me for coordination.

If we can't get that done, we'll need to look at blocklisting blind.
There is a feedback form here http://audiovkontakte.ru/feedback.php but I think we might have to send the feedback in Russian
(Assignee)

Comment 14

9 years ago
Looks like the VKsaver .exe installer is bundled with the Yandex.Bar extension (https://addons.mozilla.org/firefox/addon/3495). I've pinged Yandex about a contact for the VKsaver author.
(Reporter)

Comment 15

9 years ago
Thanks Alexander.  kev may have Yandex contacts that can help push this too.
(In reply to comment #11)
> So then I guess we are facing a problem. We could either block this and make a
> lot of Russians upset, or we could choose not to do anything and have Russians
> who are upset about the crashes instead.

Well, after looking at all those angry Russian comments submitted with crash reports, I'd say blocking this VKSaver hack would be the best approach for now until that program is fixed (and yes, we have to contact the author to make it fixed).
I'm sure that a frequent crash on vkontakte.ru site is just incomparable to a simple inability to download attached videos from that site (the videos still could be played).

My only concern is - how can we block this hack if it seems to be working on a system level, not in Firefox itself?
alexp - if Alex S's attempts to reach the author are futile, or if we otherwise decide it's appropriate, we will add an entry to Firefox's Windows DLL blocklist which will tell it to simply not load this DLL.
(Reporter)

Comment 18

9 years ago
wondering if there is a way to preemptively test this to see if there are side effects of having the addon installed, but the .dll disabled and determine if that causes a different set of issues.
If it's about the Yandex add-on - it does not depend on the VKSaver.

The VKSaver installer on the other hand does include the optional Yandex add-on, but they are not related, it's just for distribution (similar way how Google Toolbar is distributed as an optional addition to some 3rd-party freeware apps).

As far as I understand VKSaver itself does not include a Firefox add-on at all (as a Chrome extension) - it seems to work some other "unofficial" way.
(In reply to comment #19)
> As far as I understand VKSaver itself does not include a Firefox add-on at all
> (as a Chrome extension) - it seems to work some other "unofficial" way.

yes, as mentioned in comment #6 there was no addon/plugin just the dll in C:\WINDOWS\system3
(Assignee)

Comment 21

9 years ago
I've mailed the e-mail of the VKSaver plugin to Johnathan Nightingale (thanks to Yandex). Also, VKSaver has added a comment in my blog ( http://blog.unghost.ru/2010/01/vksaver.html?showComment=1264850710570#c552974813804308050 ), indicating that the new version, VKSaver 1.1.9, fixes this bug.

Comment 22

9 years ago
Has that version been released already?

Comment 23

9 years ago
Oh, it has (thanks Google Translate). Do we have a way of telling the users that a plugin/extension will be disabled/remain disabled if they don't upgrade to a certain version (in this case 1.1.9)?
(Assignee)

Comment 24

9 years ago
FWIW, audiovkontakte.ru public contact e-mail is audiovkontakte.ru [at] gmail.com
(Assignee)

Comment 25

9 years ago
I've received a letter from audiovkontakte.ru saying that VKSaver 2.0 has been released with vksaver.dll version 2.0.0.0 (all previous versions of vksaver.dll have version 1.0.0.1).
Probably we should blocklist vksaver.dll 1.0.0.1 through http://mxr.mozilla.org/mozilla-central/source/toolkit/xre/nsWindowsDllBlocklist.h, right?
Given that a new version is available it sounds like we should go ahead and block 1.0.0.1 for 1.9.2.2.
blocking1.9.2: --- → ?
(In reply to comment #26)
> Given that a new version is available it sounds like we should go ahead and
> block 1.0.0.1 for 1.9.2.2.

Agreed. Someone want to write the patch and I'll review?
(Assignee)

Comment 28

9 years ago
Posted patch: Patch v.1 (obsolete)
Patch v.1
Attachment #424804 - Flags: review?(johnath)
Attachment #424804 - Flags: review?(johnath) → review+
Comment on attachment 424804 [details] [diff] [review]
Patch v.1

>diff --git a/toolkit/xre/nsWindowsDllBlocklist.h b/toolkit/xre/nsWindowsDllBlocklist.h
>+  // vksaver.dll - High crash volume
>+  {"vksaver.dll", MAKE_VERSION(1,0,0,1)},
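
Review bot: The comment above the added "vksaver.dll" entry gives the reason ("High crash volume") but neither the bug number nor why the bound is 1,0,0,1. Comment 25 on this bug says the fixed release ships vksaver.dll 2.0.0.0 and that all earlier releases carry 1.0.0.1; recording that next to the entry would keep the version bound from being widened or dropped later without context.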

The comment should say not only why we blocked it, but what it is. Can you add a couple words either explaining that it's part of a plugin for vkontakte, a russian social media site, or just referencing this bug for background?

r=me with that change.
(Assignee)

Comment 30

9 years ago
Posted patch: Patch v.2
Like this?
Attachment #424828 - Flags: review?(johnath)
Attachment #424804 - Attachment is obsolete: true
Comment on attachment 424828 [details] [diff] [review]
Patch v.2

Bam.
Attachment #424828 - Flags: review?(johnath) → review+
(Assignee)

Updated

9 years ago
Keywords: checkin-needed
http://hg.mozilla.org/mozilla-central/rev/0ddf975663a0
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
(Assignee)

Comment 33

9 years ago
Comment on attachment 424828 [details] [diff] [review]
Patch v.2

I guess we should take this on 1.9.2
Attachment #424828 - Flags: approval1.9.2.2?

Comment 34

9 years ago
Would "1.9.2.2" be Firefox 3.6.1 or 3.6.2? If it is 3.6.2, I think we can get it in even earlier, as 3.6.1 is still some time away, if Out-of-process plugins should be included. Or is 3.6.1 already frozen?
(In reply to comment #34)
> Would "1.9.2.2" be Firefox 3.6.1 or 3.6.2? If it is 3.6.2, I think we can get
> it in even earlier, as 3.6.1 is still some time away, if Out-of-process plugins
> should be included. Or is 3.6.1 already frozen?

There is no 3.6.1 - we are going from 3.6 to 3.6.2 because Fennec tagged 1.9.2.1 for their release and we don't want to diverge too much on platform/product numbers. Odd, I know, but 3.6.2 is the immediate successor to 3.6.
This wasn't the problem, so I relanded it:
http://hg.mozilla.org/mozilla-central/rev/eafd8a60dfd8
Status: REOPENED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
blocking1.9.2: ? → needed
status1.9.2: --- → wanted
Comment on attachment 424828 [details] [diff] [review]
Patch v.2

a=beltzner for 1.9.2.2
Attachment #424828 - Flags: approval1.9.2.2? → approval1.9.2.2+
(Assignee)

Updated

9 years ago
Keywords: checkin-needed
Whiteboard: needs to be checked in 1.9.2 branch
Checked in to 1.9.2.2

http://hg.mozilla.org/releases/mozilla-1.9.2/rev/6612b700894c
status1.9.2: wanted → .2-fixed
Keywords: checkin-needed, qawanted
Whiteboard: needs to be checked in 1.9.2 branch
Tomcat, do you still have the VM to verify the fix for Firefox 3.6.2? Really, I do not wanna waste my installation. Thanks.
You could test this by renaming a non-malicious dll to vksaver.dll and verifying with Process Explorer that it is not loaded.
Would need the appropriate version too of course.
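
An added example (not Mozilla's code from nsWindowsDllBlocklist.h): a minimal C sketch of the version-bounded matching that the blocklist entry and the two comments above imply, where a file named vksaver.dll is refused only at or below the listed version. The names PACK_VERSION, ANY_VERSION, BLOCKLIST and should_block, and the choice to refuse a file with no readable version, are assumptions of this sketch.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pack a.b.c.d into 64 bits so file versions compare as integers. */
#define PACK_VERSION(a, b, c, d) \
    (((uint64_t)(a) << 48) | ((uint64_t)(b) << 32) | ((uint64_t)(c) << 16) | (uint64_t)(d))
#define ANY_VERSION UINT64_MAX

struct blocked_dll {
    const char *name;     /* lower-case leaf name */
    uint64_t max_version; /* refuse this version and anything older */
};

/* Hypothetical table; its one entry mirrors the patch in this bug. */
static const struct blocked_dll BLOCKLIST[] = {
    {"vksaver.dll", PACK_VERSION(1, 0, 0, 1)},
};

/* Case-insensitive match of the file-name part of path against name. */
static int leaf_matches(const char *path, const char *name) {
    const char *leaf = path;
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/') leaf = p + 1;
    for (; *leaf && *name; leaf++, name++)
        if (tolower((unsigned char)*leaf) != *name) return 0;
    return *leaf == '\0' && *name == '\0';
}

/* Returns 1 when the load should be refused. has_version is 0 when no version
   resource could be read; this sketch assumes that case is refused too. */
int should_block(const char *path, int has_version, uint64_t version) {
    for (size_t i = 0; i < sizeof BLOCKLIST / sizeof BLOCKLIST[0]; i++) {
        if (!leaf_matches(path, BLOCKLIST[i].name)) continue;
        if (BLOCKLIST[i].max_version == ANY_VERSION || !has_version) return 1;
        return version <= BLOCKLIST[i].max_version;
    }
    return 0;
}

int main(void) {
    /* Constructed case: a harmless DLL renamed to vksaver.dll keeps its own version. */
    const char *p = "C:\\WINDOWS\\system32\\vksaver.dll";
    printf("6.1.0.0 blocked=%d, 1.0.0.1 blocked=%d\n",
           should_block(p, 1, PACK_VERSION(6, 1, 0, 0)),
           should_block(p, 1, PACK_VERSION(1, 0, 0, 1)));
    return 0;
}
```

Under this scheme a renamed stand-in DLL with a higher version still loads, which is why the verification copy needs a version resource of 1.0.0.1 or lower.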
Assignee: nobody → unghost
Blocks: 708000

Updated

7 years ago
Crash Signature: [@ vksaver.dll@0x3d09 ]
Summary: Firefox Crash [@ vksaver.dll@0x3d09 ] and various other addresses → Blocklist vksaver.dll 1.0.0.1 to prevent various crashes

Updated

7 years ago
Depends on: 750601
Product: addons.mozilla.org → Toolkit