
possibly malware-related crashes [@ icucnv36.dll@0x13df][@ icuuc36.dll@0x1f94]

7 years ago
a year ago

(Reporter: Robert Kaiser, Unassigned)
(Blocks: 1 bug, {crash})
Windows 7

Firefox Tracking Flags
(Not tracked)

(Whiteboard: [crashkill][explosive][thirdparty][malware], crash signature)
(3 attachments)

7 years ago
Not completely sure which component this belongs in, but while looking for how we could deal with detecting malware-related crashes, I stumbled over those probably related "beauties":

They're both appearing very high in topcrashes in the last days, and some web searches suggest that at least some Acrobat exploit stuff used at least one of those legitimate DLL names for delivering a payload; also, the comments contain pieces that suggest that people are infected with malware.

I'm not 100% sure that those belong in the same bug, but both have appeared rising together with similar symptoms and mask ICU DLLs, so they look very related.

Comment 1

7 years ago
We first saw icuuc...dll crashes on Sept 1, 2010.
It ran at a rate of:

 60-369 crashes per day during Sept 2010.
 about the same for Oct, Nov.
 In Dec 2010 we started trending higher to 260-1300 per day, with a spike right around Christmas day:

20101223 528
20101224 981
20101225 1151
20101226 1297
20101227 871

 Most of Jan ran at 400-660 per day.
 Feb started a steady uptick from 1100 to 1900 crashes per day.
 about 1800 crashes per day on Mar 2.


7 years ago
Blocks: 439679
Keywords: crash
Whiteboard: [crashkill][explosive][thirdparty]


7 years ago
Blocks: 512788
No longer blocks: 439679

Comment 2

7 years ago
September fits the article I found connecting icuuc36.dll to an Adobe exploit, which the stacks we're seeing apparently agree with: http://blog.metasploit.com/2010/09/return-of-unpublished-adobe.html

Comment 3

7 years ago
Created attachment 516757 [details]
csv of daily volume sept1-mar2

Comment 4

7 years ago
Created attachment 516758 [details]
try again

Comment 5

7 years ago
Created attachment 516760 [details]
one more time with feeling

Comment 6

7 years ago
Interestingly, this is on a significant decline in recent days.

Comment 7

7 years ago
date     crashes at
20110301 1856
20110302 1892
20110303 2094
20110304 1215
20110305 1664
20110306 1530
20110307 1280
20110308 785

Comment 8

7 years ago
Up and down volume on this might be related to waves of exploit PDFs being spammed out in mail or phishing on high-visibility sites, and the ability of AV and OS vendors to implement various defenses.



Comment 9

7 years ago
The good news here might be that where 1300+ people per day might be seeing this problem in Firefox 3.x, Firefox 4.0 possibly seems immune to this attack. Only the one report listed below was seen on a sample of data from Mar 8.

$ awk -F\t '$1 ~ /icuuc36.dll/ && $8 ~ /3./ {print $1,$2,$3}' 20110308* | wc -l

$ awk -F\t '$1 ~ /icucnv36.dll/ && $8 ~ /3./ {print $1,$2,$3}' 20110308* | wc -l

$ awk -F\t '$1 ~ /icucnv36.dll/ && $8 ~ /4./ {print $1,$2,$3}' 20110308* 

$ awk -F\t '$1 ~ /icuuc36.dll/ && $8 ~ /4./ {print $1,$2,$3}' 20110308* 
icuuc36.dll@0x1f94 \N http://crash-stats.mozilla.com/report/index/5e8053c2-1b11-4163-90c7-a05472110308

Maybe JS heapspray defenses at work? See the Trend Micro blog. When they talk about JS being used in the attack, is that JS within Gecko or the browser, or another JS engine within Reader?

Comment 10

7 years ago
(In reply to comment #8)
> up and down volume on this might be related to waves of exploit pdf's being
> spammed out in mail or phishing on high viability sites, and the ability of AV
> and OS vendors to implement various defenses.

That surely sounds reasonable; from the data we've seen, this has seen a few waves but increased on average since it came to light.

And I agree it would be quite interesting to see why we haven't been seeing that problem on FF4 so far!

Comment 11

7 years ago
Those are on the rise on 3.6* again, now #5 and #14 on the topcrash list of yesterday, with 26 and 15 crashes per million ADU.

Comment 12

7 years ago
(In reply to comment #11)
> Those are on the rise on 3.6* again, now #5 and #14 on the topcrash list of
> yesterday, with 26 and 15 crashes per million ADU.

Oops, forgot about throttling there, so it's 260 and 150 crashes per million ADU, actually!
Currently on 3.6.17 these signatures are the #9 and #11 crashes, with over 6200 crashes in the last week.
Keywords: topcrash


7 years ago
Crash Signature: [@ icucnv36.dll@0x13df] [@ icuuc36.dll@0x1f94]

Comment 14

7 years ago
I had this particular crash, Dec 31 2010. About that time, I was opening a page which had a PDF file on it. I had Adobe Reader 9.

Within ten minutes of the crash, there was a trojan virus on my PC. My anti-virus software has identified it as Trojan-Downloader.Java.OpenConnection.cg. 

I recently opened that virus file using Notepad to look at it, and some of the text is as follows:

"http://besimorr.com/images/boitkpjvanaod.jar content-length-3758 
last-modified Sat, 25 Dec 2010 05:25:39 GMT"

The file was in my "AppData\LocalLow\Sun\Java\Deployment\Cache" folder. I think the text above possibly indicates where the virus came from. I did find a reference on the internet to "besimorr.com" indicating they were blacklisted as a source of virus infections. Also, the date in it might indicate why there seemed to be a peak in Firefox 3.6 crashes around Christmas day.

It seems like the people here have already concluded that this crash is due to a PDF exploit, and my personal experience seems to agree with that.

Comment 15

7 years ago
I did not realize that the URL I provided in the last comment would come out as a link.

PLEASE BE CAREFUL about clicking it, since I think that site is a possible source of malware.

Comment 16

7 years ago
Update on volume: about 1000 crashes per day.

date     crashes at
20110620 415
20110621 328
20110622 349
host-4-169:crashdata chofmann$ ./stacktrend.sh icuuc36.dll 2011062*

date     crashes at
20110620 694
20110621 554
20110622 583
Crash Signature: [@ icucnv36.dll@0x13df] [@ icuuc36.dll@0x1f94] → [@ icucnv36.dll@0x13df] [@ icuuc36.dll@0x1f94]
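The two checks in this thread, the 3.x-versus-4.x count from the awk one-liners in comment 9 and the per-day volume from the stacktrend.sh output in comment 16, as an added shell example that is not part of the bug or of Mozilla's crash-stats tooling. It assumes an eight-column tab-separated daily dump (signature, url, report_id, date, product, os, build, version) and runs on constructed rows embedded in the script:

```shell
#!/bin/sh
# Added example, not code from the bug or from Mozilla's crash tooling.
# Assumed 8-column TSV layout of a daily crash dump:
#   signature, url, report_id, date, product, os, build, version
# Only columns 1 (signature), 4 (date) and 8 (version) are used below.

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT

# Constructed sample rows, not real crash reports.
row() { printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$@"; }
{
  row 'icuuc36.dll@0x1f94'  - r1 20110308 Firefox 'Windows 7' b1 3.6.15
  row 'icuuc36.dll@0x1f94'  - r2 20110308 Firefox 'Windows 7' b1 3.6.13
  row 'icucnv36.dll@0x13df' - r3 20110308 Firefox 'Windows 7' b1 3.6.15
  row 'icuuc36.dll@0x1f94'  - r4 20110308 Firefox 'Windows 7' b1 4.0b12
  row 'icucnv36.dll@0x13df' - r5 20110309 Firefox 'Windows 7' b1 3.6.15
  row 'nsCycleCollector::Collect' - r6 20110309 Firefox 'Windows 7' b1 4.0b12
  row 'icuuc36.dll@0x1f94'  - r7 20110309 Firefox 'Windows 7' b1 3.6.16
} > "$SAMPLE"

# count_sig SIGNATURE_PREFIX VERSION_PREFIX
# Number of reports whose signature starts with $1 and whose version starts
# with $2.  Same question as the awk one-liners in comment 9, but anchored:
# an unanchored /3./ also matches a "3" in the middle of a 4.x version string.
count_sig() {
  awk -F '\t' -v sig="$1" -v ver="$2" \
    'index($1, sig) == 1 && index($8, ver) == 1 { n++ }
     END { print n + 0 }' "$SAMPLE"
}

# daily_trend SIGNATURE_PREFIX
# Crashes per day for one signature, like the stacktrend.sh output in
# comment 16: one "date count" line per day, sorted by date.
daily_trend() {
  awk -F '\t' -v sig="$1" \
    'index($1, sig) == 1 { c[$4]++ }
     END { for (d in c) print d, c[d] }' "$SAMPLE" | sort
}

# Stand-alone run: the 3.x / 4.x split from comment 9, then the daily trend.
for dll in icuuc36.dll icucnv36.dll; do
  echo "$dll 3.x: $(count_sig "$dll" 3.)  4.x: $(count_sig "$dll" 4.)"
done
daily_trend icuuc36.dll
```

Both functions use a prefix match on the signature and version columns rather than the unanchored regexes in the original one-liners, so a version string such as "4.0.3x" is not counted as a 3.x crash; point `count_sig` and `daily_trend` at a real dump by replacing `$SAMPLE` with the day's file glob.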
FWIW, I can see this in my malware crash stats clearly (24 of 181 total entries in my db right now), but all are FF 3.x. Most of the sites are labeled with "Blackhole exploit kit", so it might be that the exploit is included in there.

Comment 18

6 years ago
We know this is malware. Not a top crash anymore.
Keywords: topcrash
Whiteboard: [crashkill][explosive][thirdparty] → [crashkill][explosive][thirdparty][malware]
I'm marking this bug as WORKSFORME as the crash signature hasn't appeared for a long time (over half a year).
Last Resolved: a year ago
Resolution: --- → WORKSFORME