Closed Bug 540692 Opened 15 years ago Closed 15 years ago

Blocklist vksaver.dll 1.0.0.1 to prevent various crashes

Categories

(Toolkit :: Blocklist Policy Requests, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

RESOLVED FIXED
Tracking Status
blocking1.9.2 --- needed
status1.9.2 --- .2-fixed

People

(Reporter: chofmann, Assigned: unghost)

References

(Depends on 1 open bug)

Attachments

(1 file, 1 obsolete file)

stack looks like http://crash-stats.mozilla.com/report/index/eba19f83-aef9-4ddb-b023-9155c2100118

Frame  Module       Signature           Source
0      vksaver.dll  vksaver.dll@0x3d09
1      vksaver.dll  vksaver.dll@0x41b1
2      vksaver.dll  vksaver.dll@0x80eb
3      vksaver.dll  vksaver.dll@0x80eb
4      vksaver.dll  vksaver.dll@0x429a
5      vksaver.dll  vksaver.dll@0x42aa

more reports at http://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&signature=vksaver.dll%400x3d09&version=Firefox%3A3.6

more signatures also shown as signature list

1582  vksaver.dll@0x3d09
129   vksaver.dll@0x3e06
37    vksaver.dll@0x3676
36    vksaver.dll@0x2fc4
34    vksaver.dll@0x3e16
14    vksaver.dll@0x3dbc
12    vksaver.dll@0x3e7f
8     vksaver.dll@0x3666
4     vksaver.dll@0x3dec
3     vksaver.dll@0x3dac
3     vksaver.dll@0x3040
2     vksaver.dll@0x47
1     vksaver.dll@0x4262
1     vksaver.dll@0x3d6d
1     vksaver.dll@0x3d5d
1     vksaver.dll@0x3405
1     vksaver.dll@0x31
1     VKSAVER.DLL@0x3d09

number of crashes has exploded in the last couple of days.

date / vksaver.dll crashes
230-300 crashes for early jan.
20100114-crashdata  252   vksaver.dll
20100115-crashdata  1767  vksaver.dll
20100116-crashdata  2045  vksaver.dll
20100117-crashdata  2124  vksaver.dll
20100118-crashdata  1870  vksaver.dll

google search shows

The following is the available information on vksaver.dll:

Property           Value
Product name       vkfilter
File description   Music download filter for vkontakte.ru
Internal name      vkfilter
Original filename  vkfilter
Comments           Music download filter for vkontakte.ru
Legal copyright    Copyright (C) 2008
Product version    1.0.0.1
File version       1.0.0.1
Thanks for compiling the info - hard to tell if this is delivered as part of an addon/plugin or not. It's happening on 3.6 too, which means it's likely not a component-dir drop, anyhow...
looks like this one : http://softsearch.ru/programs/335-313-vksaver-download.shtml Seems to be part of a plugin because it supports: Opera / Firefox / Internet Explorer / Chrome
Tomcat - as part of your crashkill QA, what are the odds that you can try to install that beast in a VM and see what it does?
Keywords: qawanted
(In reply to comment #3)
> Tomcat - as part of your crashkill QA, what are the odds that you can try to
> install that beast in a VM and see what it does?

yeah of course i will take and test this - btw vkontakte.ru is a kind of russian facebook!
analysis from virustotal.com of the installer

File vksaver-install.exe received on 2010.01.25 20:36:32 (UTC)

Antivirus  Version  Last Update  Result
a-squared  4.5.0.50  2010.01.25  Trojan.Generic.IS!IK
AhnLab-V3  5.0.0.2  2010.01.25  -
AntiVir  7.9.1.150  2010.01.25  TR/Agent.59921
Antiy-AVL  2.0.3.7  2010.01.22  -
Authentium  5.2.0.5  2010.01.25  -
Avast  4.8.1351.0  2010.01.25  -
AVG  9.0.0.730  2010.01.25  -
BitDefender  7.2  2010.01.25  Trojan.Generic.IS.542555
CAT-QuickHeal  10.00  2010.01.25  -
ClamAV  0.94.1  2010.01.25  -
Comodo  3708  2010.01.25  UnclassifiedMalware
DrWeb  5.0.1.12222  2010.01.25  -
eSafe  7.0.17.0  2010.01.25  Win32.Malware.ezbp
eTrust-Vet  35.2.7259  2010.01.25  -
F-Prot  4.5.1.85  2010.01.25  -
F-Secure  9.0.15370.0  2010.01.25  Trojan.Generic.IS.542555
Fortinet  4.0.14.0  2010.01.25  -
GData  19  2010.01.25  Trojan.Generic.IS.542555
Ikarus  T3.1.1.80.0  2010.01.25  Trojan.Generic.IS
Jiangmin  13.0.900  2010.01.24  -
K7AntiVirus  7.10.952  2010.01.22  -
Kaspersky  7.0.0.125  2010.01.25  -
McAfee  5872  2010.01.25  -
McAfee+Artemis  5872  2010.01.25  -
McAfee-GW-Edition  6.8.5  2010.01.25  Heuristic.BehavesLike.Win32.Suspicious.B
Microsoft  1.5405  2010.01.25  -
NOD32  4805  2010.01.25  -
Norman  6.04.03  2010.01.25  Malware.EZBP
nProtect  2009.1.8.0  2010.01.25  -
Panda  10.0.2.2  2010.01.25  Trj/CI.A
PCTools  7.0.3.5  2010.01.25  -
Prevx  3.0  2010.01.25  High Risk Cloaked Malware
Rising  22.32.00.04  2010.01.25  -
Sophos  4.50.0  2010.01.25  Mal/Generic-A
Sunbelt  3.2.1858.2  2010.01.25  -
Symantec  20091.2.0.41  2010.01.25  -
TheHacker  6.5.0.9.162  2010.01.25  -
TrendMicro  9.120.0.1004  2010.01.25  -
VBA32  3.12.12.1  2010.01.25  -
ViRobot  2010.1.25.2154  2010.01.25  -
VirusBuster  5.0.21.0  2010.01.25  -
also the dll itself installs into C:\WINDOWS\system32 and not into the Firefox directory, it's not installing itself as plugin or extension for Firefox it seems
That doesn't seem very well-behaved. Do we have any reason to believe this is being done by a legitimate site - like, is it possible that we're seeing unfortunate false positives here, rather than the malware it appears to be? Who do we know that speaks Russian?
(In reply to comment #7)
> That doesn't seem very well-behaved. Do we have any reason to believe this is
> being done by a legitimate site - like, is it possible that we're seeing
> unfortunate false positives here, rather than the malware it appears to be? Who
> do we know that speaks Russian?

cc'ing Alexander and Konstantin, maybe you guys could help us here ?
As I speak Russian I could do some research on this using Russian web sites. VKSaver doesn't seem to be a malware. It is actually a program to download some media content from Russian social networking site vkontakte.ru. But it is not a Firefox plugin. It seems to work like a "hack" for all known browsers by running a special script on opening the web site. Apparently this intrusion is implemented not quite correctly, which causes Firefox to crash.
(In reply to comment #7)
> That doesn't seem very well-behaved. Do we have any reason to believe this is
> being done by a legitimate site - like, is it possible that we're seeing
> unfortunate false positives here, rather than the malware it appears to be? Who
> do we know that speaks Russian?

AFAIK, VKSaver is a hack program for downloading audio files from vkontakte.ru (it's a very popular Russian social network, a clone of Facebook). It's not a trojan or malware per se. Looks like its main site is http://audiovkontakte.ru/
So then I guess we are facing a problem. We could either block this and make a lot of Russians upset, or we could choose not to do anything and have Russians who are upset about the crashes instead. I guess the best thing we can do is to contact the developers of the "hack". Any volunteers? If they release an update with this issue fixed, we could block the old versions.
Things are not quite as hopeless as Magne puts them, but I agree with the basic options here:

- communicate and work with the authors to fix the problem
- Blocklist without communication to fix the crashes

Clearly I would strongly prefer the first option. I'm happy to be the point of contact, as always, but in this case I'm not even sure I can find an email address, nor that I would necessarily share a common language with the person I would reach.

I wonder if I can ask yet another favour of the Russian speakers on this bug: can any of you find contact information for the authors of this plugin, and make initial contact? If you can do this, please do ask whether the conversation can happen in English and, if so, feel free to hand off to me for coordination.

If we can't get that done, we'll need to look at blocklisting blind.
There is a feedback form here http://audiovkontakte.ru/feedback.php but i think we might have to send the feedback in Russian
Looks like VKsaver .exe installer is bundled with Yandex.Bar extension (https://addons.mozilla.org/firefox/addon/3495). I've pinged Yandex about contact of VKsaver author.
Thanks Alexander. kev may have Yandex contacts that can help push this too.
(In reply to comment #11)
> So then I guess we are facing a problem. We could either block this and make a
> lot of Russians upset, or we could choose not to do anything and have Russians
> who are upset about the crashes instead.

Well, after looking at all those angry Russian comments submitted with crash reports, I'd say blocking this VKSaver hack would be the best approach for now until that program is fixed (and yes, we have to contact the author to make it fixed). I'm sure that a frequent crash on vkontakte.ru site is just incomparable to a simple inability to download attached videos from that site (the videos still could be played).

My only concern is - how can we block this hack if it seems to be working on a system level, not in Firefox itself?
alexp - if Alex S's attempts to reach the author are futile, or if we otherwise decide it's appropriate, we will add an entry to Firefox's Windows DLL blocklist which will tell it to simply not load this DLL.
wondering if there is a way to preemptively test this to see if there are side effects of having the addon installed, but the .dll disabled and determine if that causes a different set of issues.
If it's about the Yandex add-on - it does not depend on the VKSaver. The VKSaver installer on the other hand does include the optional Yandex add-on, but they are not related, it's just for distribution (similar way how Google Toolbar is distributed as an optional addition to some 3rd-party freeware apps). As far as I understand VKSaver itself does not include a Firefox add-on at all (as a Chrome extension) - it seems to work some other "unofficial" way.
(In reply to comment #19)
> As far as I understand VKSaver itself does not include a Firefox add-on at all
> (as a Chrome extension) - it seems to work some other "unofficial" way.

yes, as mentioned in comment #6 there was no addon/plugin just the dll in C:\WINDOWS\system3
I've mailed to Johnathan Nightingale e-mail of VKSaver plugin (thanks to Yandex). Also VKSaver has added comment in my blog ( http://blog.unghost.ru/2010/01/vksaver.html?showComment=1264850710570#c552974813804308050 ), indicating that new version of VKSaver 1.1.9 fixes this bug.
Has that version been released already?
Oh, it has (thanks Google Translate). Do we have a way of telling the users that a plugin/extension will be disabled/remain disabled if they don't upgrade to a certain version (in this case 1.1.9)?
FWIW, audiovkontakte.ru public contact e-mail is audiovkontakte.ru [at] gmail.com
I've received a letter from audiovkontakte.ru, that VKSaver 2.0 has been released with vksaver.dll version 2.0.0.0 (all previous versions of vksaver.dll have version 1.0.0.1). Probably we should blocklist vksaver.dll 1.0.0.1 through http://mxr.mozilla.org/mozilla-central/source/toolkit/xre/nsWindowsDllBlocklist.h, right?
Given that a new version is available it sounds like we should go ahead and block 1.0.0.1 for 1.9.2.2.
blocking1.9.2: --- → ?
(In reply to comment #26)
> Given that a new version is available it sounds like we should go ahead and
> block 1.0.0.1 for 1.9.2.2.

Agreed. Someone want to write the patch and I'll review?
Attached patch Patch v.1 (obsolete) — Splinter Review
Patch v.1
Attachment #424804 - Flags: review?(johnath)
Attachment #424804 - Flags: review?(johnath) → review+
Comment on attachment 424804 [details] [diff] [review] Patch v.1 >diff --git a/toolkit/xre/nsWindowsDllBlocklist.h b/toolkit/xre/nsWindowsDllBlocklist.h >+ // vksaver.dll - High crash volume >+ {"vksaver.dll", MAKE_VERSION(1,0,0,1)}, The comment should say not only why we blocked it, but what it is. Can you add a couple words either explaining that it's part of a plugin for vkontakte, a russian social media site, or just referencing this bug for background? r=me with that change.
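Review bot: the comment on the added `// vksaver.dll - High crash volume` line carries no bug number and does not record that 2.0.0.0 is the fixed release, so a later reader of the blocklist cannot tell why MAKE_VERSION(1,0,0,1) was picked as the cut-off or when the entry can be retired. Suggest something like `// vksaver.dll (vkontakte.ru download helper) - high crash volume, fixed in 2.0.0.0, see bug 540692`.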
Attached patch Patch v.2 — Splinter Review
Like this?
Attachment #424828 - Flags: review?(johnath)
Attachment #424804 - Attachment is obsolete: true
Comment on attachment 424828 [details] [diff] [review] Patch v.2 Bam.
Attachment #424828 - Flags: review?(johnath) → review+
Keywords: checkin-needed
Status: NEW → RESOLVED
Closed: 15 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Comment on attachment 424828 [details] [diff] [review] Patch v.2 I guess we should take this on 1.9.2
Attachment #424828 - Flags: approval1.9.2.2?
Would "1.9.2.2" be Firefox 3.6.1 or 3.6.2? If it is 3.6.2, I think we can get it in even earlier, as 3.6.1 is still some time away, if Out-of-process plugins should be included. Or is 3.6.1 already frozen?
(In reply to comment #34)
> Would "1.9.2.2" be Firefox 3.6.1 or 3.6.2? If it is 3.6.2, I think we can get
> it in even earlier, as 3.6.1 is still some time away, if Out-of-process plugins
> should be included. Or is 3.6.1 already frozen?

There is no 3.6.1 - we are going from 3.6 to 3.6.2 because Fennec tagged 1.9.2.1 for their release and we don't want to diverge too much on platform/product numbers. Odd, I know, but 3.6.2 is the immediate successor to 3.6.
I backed this out: http://hg.mozilla.org/mozilla-central/rev/83adba230467 http://hg.mozilla.org/mozilla-central/rev/096332cd6d39 to test the theory that it's the cause of bug 545195. If bug 545195 doesn't go away in tomorrow's nightly, we should reland it.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
This wasn't the problem, so I relanded it: http://hg.mozilla.org/mozilla-central/rev/eafd8a60dfd8
Status: REOPENED → RESOLVED
Closed: 15 years ago → 15 years ago
Resolution: --- → FIXED
blocking1.9.2: ? → needed
Comment on attachment 424828 [details] [diff] [review] Patch v.2 a=beltzner for 1.9.2.2
Attachment #424828 - Flags: approval1.9.2.2? → approval1.9.2.2+
Keywords: checkin-needed
Whiteboard: needs to be checked in 1.9.2 branch
Tomcat, do you still have the VM to verify the fix for Firefox 3.6.2? Really, I do not wanna waste my installation. Thanks.
You could test this by renaming a non-malicious dll to vksaver.dll and verifying with Process Explorer that it is not loaded.
Would need the appropriate version too of course.
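The name-and-version check that such a test exercises, sketched as an added example (not Mozilla's code and not part of the original thread). `MakeVersion`, `BlockEntry`, `kBlocklist` and `ShouldBlock` are hypothetical names, and the "this version or older" rule is an assumption of the sketch.

```cpp
#include <cctype>
#include <cstdint>

// Pack a four-part file version (16 bits per part) into one 64-bit value so
// that versions can be ordered with a plain integer comparison.
constexpr uint64_t MakeVersion(uint64_t a, uint64_t b, uint64_t c, uint64_t d) {
  return (a << 48) | (b << 32) | (c << 16) | d;
}

struct BlockEntry {
  const char* name;     // DLL file name, lower case
  uint64_t maxVersion;  // assumption: block this version and anything older
};

// Constructed table holding only the entry discussed in this bug.
static const BlockEntry kBlocklist[] = {
  {"vksaver.dll", MakeVersion(1, 0, 0, 1)},
};

// Windows file names are case-insensitive, and the crash data above lists
// both vksaver.dll and VKSAVER.DLL, so the name match must ignore case.
static bool SameName(const char* a, const char* b) {
  for (; *a && *b; ++a, ++b)
    if (std::tolower((unsigned char)*a) != std::tolower((unsigned char)*b))
      return false;
  return *a == *b;
}

// Drop the directory part so a full path such as
// C:\WINDOWS\system32\vksaver.dll is matched on its file name alone.
static const char* LeafName(const char* path) {
  const char* leaf = path;
  for (const char* p = path; *p; ++p)
    if (*p == '\\' || *p == '/') leaf = p + 1;
  return leaf;
}

// True when the load should be refused.
bool ShouldBlock(const char* path, uint64_t fileVersion) {
  const char* leaf = LeafName(path);
  for (const BlockEntry& e : kBlocklist)
    if (SameName(leaf, e.name) && fileVersion <= e.maxVersion) return true;
  return false;
}

int main() {
  // 1.0.0.1 from system32 is refused; the fixed 2.0.0.0 build is allowed.
  bool ok = ShouldBlock("C:\\WINDOWS\\system32\\vksaver.dll", MakeVersion(1, 0, 0, 1)) &&
            !ShouldBlock("vksaver.dll", MakeVersion(2, 0, 0, 0));
  return ok ? 0 : 1;
}
```

This is why the renamed test DLL needs a version resource of 1.0.0.1 or lower: with the name alone and a higher version, the check lets it load.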
Assignee: nobody → unghost
Blocks: 708000
Crash Signature: [@ vksaver.dll@0x3d09 ]
Summary: Firefox Crash [@ vksaver.dll@0x3d09 ] and various other addresses → Blocklist vksaver.dll 1.0.0.1 to prevent various crashes
Depends on: 750601
Product: addons.mozilla.org → Toolkit