Closed Bug 638634 Opened 13 years ago Closed 7 years ago

possibly malware-related crashes [@ icucnv36.dll@0x13df][@ icuuc36.dll@0x1f94]

Product / Component: Firefox :: Security (defect)
Platform: x86, Windows 7
Priority: Not set; Severity: normal
Status: RESOLVED WORKSFORME
Reporter: kairo; Assignee: Unassigned
References: Blocks 1 open bug
Keywords: crash; Whiteboard: [crashkill][explosive][thirdparty][malware]
Attachments: 3 files

Not completely sure which component this belongs in, but while looking for how we could deal with detecting malware-related crashes, I stumbled over those probably related "beauties":
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=icuuc36.dll%400x1f94
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=icucnv36.dll%400x13df

They're both appearing very high in topcrashes in the last days, and some web searches suggest that at least some Acrobat exploit stuff used at least one of those legitimate DLL names for delivering a payload; also, the comments contain pieces that suggest that people are infected with malware.

I'm not 100% sure that those belong in the same bug, but both have appeared rising together with similar symptoms and mask ICU DLLs, so they look very related.
We first saw icuuc...dll crashes on Sept 1, 2010.
It ran at a rate of:

 60-369 crashes per day during Sept 2010.
 About the same for Oct, Nov.
 In Dec 2010 we started trending higher to 260-1300 per day, with a spike right around Christmas day:

20101223 528
20101224 981
20101225 1151
20101226 1297
20101227 871

 Most of Jan ran at 400-660 per day.
 Feb started a steady uptick from 1100 to 1900 crashes per day.
 About 1800 crashes per day on Mar 2.
Blocks: 439679
Keywords: crash
Whiteboard: [crashkill][explosive][thirdparty]
Blocks: malware-attacks
No longer blocks: 439679
September fits the article I found connecting icuuc36.dll to an Adobe exploit, which the stacks we're seeing seem to agree with: http://blog.metasploit.com/2010/09/return-of-unpublished-adobe.html
Attached file try again
Interestingly, this is on a significant decline in recent days.
date     crashes at
         icuuc...dll
20110301 1856
20110302 1892
20110303 2094
20110304 1215
20110305 1664
20110306 1530
20110307 1280
20110308 785
Up and down volume on this might be related to waves of exploit PDFs being spammed out in mail or phishing on high-visibility sites, and the ability of AV and OS vendors to implement various defenses.

http://www.zdnet.com/blog/security/microsofts-anti-exploit-toolkit-can-help-mitigate-pdf-zero-day-attacks/7332?

http://blog.trendmicro.com/technical-analysis-of-adobe-acrobat-and-reader-zero-day-exploit/
The good news here might be that, where 1300+ people per day might be seeing this problem in Firefox 3.x, Firefox 4.0 possibly seems immune to this attack. Only the one report listed below was seen in a sample of data from Mar 8.

$ awk -F\t '$1 ~ /icuuc36.dll/ && $8 ~ /3./ {print $1,$2,$3}' 20110308* | wc -l
     784 

$ awk -F\t '$1 ~ /icucnv36.dll/ && $8 ~ /3./ {print $1,$2,$3}' 20110308* | wc -l
     523 

$ awk -F\t '$1 ~ /icucnv36.dll/ && $8 ~ /4./ {print $1,$2,$3}' 20110308* 

$ awk -F\t '$1 ~ /icuuc36.dll/ && $8 ~ /4./ {print $1,$2,$3}' 20110308* 
icuuc36.dll@0x1f94 \N http://crash-stats.mozilla.com/report/index/5e8053c2-1b11-4163-90c7-a05472110308

Maybe JS heap-spray defenses at work? See the Trend Micro blog. When they talk about JS being used in the attack, is that JS within Gecko or the browser, or another JS engine within Reader?
(In reply to comment #8)
> Up and down volume on this might be related to waves of exploit PDFs being
> spammed out in mail or phishing on high-visibility sites, and the ability of AV
> and OS vendors to implement various defenses.

That surely sounds reasonable - from the data we've seen, this has seen a few waves but has increased on average since it came to light.

And I agree it would be quite interesting to see why we haven't been seeing that problem on FF4 so far!
Those are on the rise on 3.6* again, now #5 and #14 on the topcrash list of yesterday, with 26 and 15 crashes per million ADU.
(In reply to comment #11)
> Those are on the rise on 3.6* again, now #5 and #14 on the topcrash list of
> yesterday, with 26 and 15 crashes per million ADU.

Oops, forgot about throttling there, so it's 260 and 150 crashes per million ADU, actually!
Currently on 3.6.17 these signatures are the #9 and #11 crashes, with over 6200 crashes in the last week.
Keywords: topcrash
Crash Signature: [@ icucnv36.dll@0x13df] [@ icuuc36.dll@0x1f94]
I had this particular crash, Dec 31 2010. About that time, I was opening a page which had a PDF file on it. I had Adobe Reader 9.

Within ten minutes of the crash, there was a trojan virus on my PC. My anti-virus software has identified it as Trojan-Downloader.Java.OpenConnection.cg. 

I recently opened that virus file using Notepad to look at it, and some of the text is as follows:

"http://besimorr.com/images/boitkpjvanaod.jar 62.122.73.51 content-length-3758 
last-modified Sat, 25 Dec 2010 05:25:39 GMT"

The file was in my "AppData\LocalLow\Sun\Java\Deployment\Cache" folder. I think the text above possibly indicates where the virus came from. I did find a reference on the internet to "besimorr.com" indicating they were blacklisted as a source of virus infections. Also, the date in it might indicate why there seemed to be a peak in Firefox 3.6 crashes around Christmas day.

It seems like the people here have already concluded that this crash is due to a PDF exploit, and my personal experience seems to agree with that.
P.S. 

I did not realize that the URL I provided in the last comment would come out as a link. 

PLEASE BE CAREFUL about clicking it, since I think that site is a possible source of malware.
Update on volume: about 1000 crashes per day.

date     crashes at
         icucnv36.dll
20110620 415
20110621 328
20110622 349
host-4-169:crashdata chofmann$ ./stacktrend.sh icuuc36.dll 2011062*

date     crashes at
         icuuc36.dll
20110620 694
20110621 554
20110622 583
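The per-version awk filters earlier in this thread and the stacktrend.sh daily tables above both boil down to the same task: split a tab-separated crash dump into columns, select rows by signature prefix and product version, and count them per day. The script below is an added example, not part of this bug or of Mozilla's crash-stats tooling, that does that over constructed sample rows. It assumes an eight-column layout (signature in column 1, version in column 8, as the awk commands use; the other column names and all counts are invented), and it matches the major version exactly rather than with a loose regex like awk's `/3./`, which would also match a "3" followed by any character anywhere in the version string. It also flags days that jump above the recent baseline, the kind of spike the comments saw around Christmas.

```python
"""Added example: per-signature, per-version and per-day crash counting over a
tab-separated crash dump, plus a simple spike flag.  Not Mozilla code; the
column layout and all sample counts below are constructed assumptions."""
from collections import Counter
from statistics import mean

# Assumed column layout: the thread's awk filters use $1 = signature and
# $8 = version; the names for columns 2-7 are placeholders.
COLUMNS = ["signature", "url", "report_id", "date_processed",
           "os_name", "os_version", "cpu", "version"]

# Constructed schedule (date, signature, version) -> number of crash rows.
# The icuuc36 counts rise over the holiday week, loosely imitating the
# trend reported in the bug; the actual numbers are invented.
SCHEDULE = {
    ("20101222", "icuuc36.dll@0x1f94", "3.6.13"): 5,
    ("20101223", "icuuc36.dll@0x1f94", "3.6.13"): 5,
    ("20101224", "icuuc36.dll@0x1f94", "3.6.13"): 10,
    ("20101225", "icuuc36.dll@0x1f94", "3.6.13"): 12,
    ("20101226", "icuuc36.dll@0x1f94", "3.6.13"): 13,
    ("20101227", "icuuc36.dll@0x1f94", "3.6.13"): 9,
    ("20101225", "icucnv36.dll@0x13df", "3.6.13"): 7,
    ("20101225", "icuuc36.dll@0x1f94", "4.0b8"): 1,
    ("20101225", "nsTextFrame::PaintText", "3.6.13"): 4,
}


def build_sample_tsv():
    """Expand SCHEDULE into tab-separated lines (constructed data)."""
    lines = []
    n = 0
    for (day, sig, ver), count in sorted(SCHEDULE.items()):
        for _ in range(count):
            n += 1
            row = [sig, "\\N", f"http://crash-stats.example/report/index/{n:08x}",
                   day, "Windows NT", "6.1", "x86", ver]
            lines.append("\t".join(row))
    return "\n".join(lines) + "\n"


def parse_rows(text):
    """Split a dump into dicts keyed by COLUMNS; skip rows with the wrong
    field count rather than silently shifting columns."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            continue
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def count_signature_by_major(rows, dll, major):
    """Same question as `awk '$1 ~ /icuuc36.dll/ && $8 ~ /3./'`, but the
    version is compared on its major component instead of a loose regex."""
    return sum(1 for r in rows
               if r["signature"].startswith(dll)
               and r["version"].split(".")[0] == str(major))


def daily_counts(rows, dll):
    """Per-day counts for a signature prefix, like the stacktrend tables."""
    counts = Counter(r["date_processed"] for r in rows
                     if r["signature"].startswith(dll))
    return dict(sorted(counts.items()))


def flag_spikes(daily, window=3, factor=1.5):
    """Return days whose count exceeds `factor` times the mean of the
    preceding `window` days (days without a full window are never flagged)."""
    days = list(daily)
    spikes = []
    for i in range(window, len(days)):
        baseline = mean(daily[d] for d in days[i - window:i])
        if daily[days[i]] > factor * baseline:
            spikes.append(days[i])
    return spikes


if __name__ == "__main__":
    rows = parse_rows(build_sample_tsv())
    for dll in ("icuuc36.dll", "icucnv36.dll"):
        print(f"{dll}: 3.x={count_signature_by_major(rows, dll, 3)} "
              f"4.x={count_signature_by_major(rows, dll, 4)}")
    daily = daily_counts(rows, "icuuc36.dll")
    print("date     crashes at icuuc36.dll")
    for day, n in daily.items():
        print(f"{day} {n}")
    print("spike days:", flag_spikes(daily))
```

On the constructed data the 4.x count for icuuc36.dll is a single row, mirroring the lone 4.0 report in the thread, and 20101225 is flagged because it exceeds 1.5 times the mean of the three days before it. Against a real crash-stats dump, only `COLUMNS` and the date field would need adjusting.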
Crash Signature: [@ icucnv36.dll@0x13df] [@ icuuc36.dll@0x1f94] → [@ icucnv36.dll@0x13df] [@ icuuc36.dll@0x1f94]
FWIW, I can see this in my malware crash stats clearly (24 of 181 total entries in my DB right now), but all are FF 3.x. Most of the sites are labeled with "Blackhole exploit kit", so it might be that the exploit is included in there.
We know this is malware. Not a top crash anymore.
Keywords: topcrash
Whiteboard: [crashkill][explosive][thirdparty] → [crashkill][explosive][thirdparty][malware]
I'm marking this bug as WORKSFORME, as the crash signature hasn't appeared for a long time (over half a year).
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME