Closed Bug 638139 Opened 13 years ago Closed 8 years ago

e-mail users with request to help diagnose 4.0 beta malware related crashes

Categories

(Firefox Graveyard :: Help Documentation, defect)

x86
Windows 7
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: chofmann, Unassigned)

References

Details

(Keywords: user-doc-needed)

Attachments

(3 files)

Let's proceed with a general e-mail campaign to inform users that their recent Firefox 4.0 beta crash is the result of having malware installed on their system.

At this point let's just indicate that the malware uses a random naming convention for the .dll and is not yet detected by anti-virus packages.  Let's refer directly to the bug, and hope that we snag at least a few people in the beta population with enough technical skill to find the randomly named .dll, and upload a sample where we can start working with Symantec and others to get the malware classified and blocked.

I'll add a list of signatures shortly for which we need to find e-mail addresses and transmit the e-mail.

Besides this general campaign I'll keep working with marcia and tomcat to cull e-mail addresses and the specific .dll name that we see in individual crash reports so we can do a more targeted outreach.

The key here is to start gathering some samples that we can get in the hands of AV vendors.
Blocks: 633445
Let's get started with the set of signatures in Bug 633445:

[@ mozalloc_abort(char const* const) | mozcrt19.dll@0x1327f |
nsCycleCollectingAutoRefCnt::decr(nsISupports*) ]

[@ mozalloc_abort(char const* const) | NS_DebugBreak_P |
nsCycleCollectingAutoRefCnt::decr(nsISupports*) ]
OS: Mac OS X → Windows 7
Version: unspecified → Trunk
So I think we have all decided that reaching out to users to help track this down is the right next step. I think we should accelerate on this. I am hearing from Cheng that combining this with some mass email campaign is not the right way to go. We should not combine the mass email with asking for feedback. There are 2 questions...

+ Should we do the mass campaign? I am hearing no because there is really nothing we can tell them to do.
+ We should move aggressively on the targeted outreach and figure out if tomcat wants help with that. Cheng can give us a hand with that.

We also need to figure out what we would tell people in that targeted campaign and Cheng can sit down with chofmann, me, tomcat and work out the details.

Is this the plan?
If we're not doing a mass campaign with general info about how to remove malware, it probably makes more sense to not use Socorro for this. Cheng has been doing this manually before, so he'd know the best procedure...
We are getting about 5000 reports for these signatures per day.  The estimated load for the reports with e-mail addresses is about 350 e-mails per day.
So the targeted outreach process can use the attachment in comment 5.

Steps to execute are:

1. Load the crash report out of the attachment list, like
http://crash-stats.mozilla.com/report/index/e0afda06-664d-4e25-98fd-5d4fb2110301

2. Open up the module list for that crash.

3. Find the randomly named malware .dll.
   In the case of the crash report listed in step 1 it's ao4cvOn84IU-VH.dll

4. Dig out the e-mail for this report.

5. Send an e-mail to the user requesting they upload the .dll somewhere where we can get it, or attach it to the bug.
Some crash signatures in the attachment are not caused by malware. Only the ones in comment 1 are applicable; the first one is Beta 11 specific and the second one is Beta 12 specific.
It looks like the randomly named malware .dlls aren't providing version info, so maybe I can refine the list further to pick out un-versioned .dlls and add them to the report.
Just a little experience from the last time we did this:

I emailed ~ 100 users who had a specific crash in some 3.5 version to get a copy of a specific file in their profile folders.  I got something like 10 replies back that were of any value but then I spent on the order of 2-4 hours per user on the phone working through how they could send the appropriate file over and then making Firefox usable again.  Then all 100 users had my email address and so for about 3 months, I was getting 2-3 personal emails a week asking for tech support.

I think it was a worthwhile exercise and I'd be happy to do something like that again if it'll help us figure out what's going on and help millions of users.  However, we should definitely limit it.  100 users is plenty if all we need is 2 or 3 copies of the one file.
Ignore the mozjs.dll's, but these are the things to ask users for so we can take a look at what's getting loaded.
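
The triage idea from the comments above (pick out un-versioned .dlls, ignore mozjs.dll), as an added Python example that is not part of the original bug thread or Mozilla's tooling. The module-list layout, the sample rows and the cross-report rarity filter are assumptions; only ao4cvOn84IU-VH.dll is a name taken from the thread.

```python
from collections import Counter

# Constructed sample data: one module list per crash report, as
# (filename, version) pairs. Layout and values are assumptions;
# only ao4cvOn84IU-VH.dll appears in the thread.
REPORTS = {
    "report-A": [("firefox.exe", "1.0.0.0"), ("xul.dll", "1.0.0.0"),
                 ("mozjs.dll", ""), ("ao4cvOn84IU-VH.dll", ""),
                 ("legacyhook.dll", "")],
    "report-B": [("firefox.exe", "1.0.0.0"), ("mozjs.dll", ""),
                 ("Qx7pLm2Zt9.dll", ""), ("legacyhook.dll", "")],
    "report-C": [("firefox.exe", "1.0.0.0"), ("kernel32.dll", "1.0.0.0"),
                 ("legacyhook.dll", ""), ("hT3vB8nW.dll", "")],
}

# Un-versioned modules the thread says to ignore.
IGNORED = {"mozjs.dll"}


def unversioned_dlls(modules):
    """Return .dll names that carry no version info and are not ignored."""
    return [name for name, version in modules
            if name.lower().endswith(".dll")
            and not version.strip()
            and name.lower() not in IGNORED]


def candidates(reports, max_reports=1):
    """Keep un-versioned DLLs seen in at most `max_reports` reports.

    Assumption: a randomly generated name is unique to one machine, so it
    shows up in a single report, while a legitimate un-versioned module
    recurs across many reports and can be dropped from the outreach list.
    """
    per_report = {rid: unversioned_dlls(mods) for rid, mods in reports.items()}
    seen = Counter()
    for names in per_report.values():
        seen.update({n.lower() for n in names})  # count once per report
    return {rid: [n for n in names if seen[n.lower()] <= max_reports]
            for rid, names in per_report.items()}


if __name__ == "__main__":
    for report_id, names in candidates(REPORTS).items():
        print(report_id, names)
```
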
No longer valid.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Product: Firefox → Firefox Graveyard