Status


defect
RESOLVED FIXED
7 years ago
3 years ago

People

(Reporter: jorgev, Assigned: jorgev)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

Assignee

Description

7 years ago
These add-ons appear to be malware by all accounts found online, and they also appear to be causing bug 688895.

Codec-C: info@allpremiumplay.info
Codec-M: {EEF73632-A085-4fd3-A778-ECD82C8CB297}
Codec: haven't found it.

Comment 1

7 years ago
hello, the third one is "Codecv", see this dump from about:support of an affected user http://pastebin.com/XWfB4Cye (sorry, i've misspelled that in the kb article i've written, the correction has not yet been approved). it seems to have randomly generated IDs - here are some examples: 4f807b7b72d78@4f807b7b72d79.info, 4f81e37bdf5d4@4f81e37bdf5d6.info, 5008717ab1a31@5008717ab1a6a.info, 4fa18895441de@4fa18895441df.info

most part of the string before the @-sign always seems to match the string afterwards besides the last 1-2 characters
Awesome. Let's blocklist ([0-9a-f]+)[0-9a-f]@\1[0-9a-f]\.info

Wonder if Unfocused is up for another blocklist hack...
Actually, I kind of suspect that those two numbers are timestamps, so maybe ([0-9a-f]+)[0-9a-f]{1}@\1[0-9a-f]{2}\.info
Assignee

Comment 4

7 years ago
A couple others I found :|
Assignee

Updated

7 years ago
Depends on: 806534
Hrm. There are a bunch of those that differ by as many as 5 trailing digits. We may as well block [0-9a-f]+@[0-9a-f]+.info though I suppose it won't be long before they start using another pattern.
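
The ID patterns proposed so far, run against the four IDs quoted in comment 1, as an added example that is not part of the original thread. Assumptions: each pattern is applied to the whole add-on ID (wrapped in ^...$ here), and the `bounded` pattern and the `constructed` IDs are hypothetical, made up for this comparison.

```javascript
// Added example: compare the blocklist ID patterns discussed in this bug.
// Assumption: a pattern must match the entire add-on ID, hence ^...$.
const patterns = {
  comment2: /^([0-9a-f]+)[0-9a-f]@\1[0-9a-f]\.info$/,
  comment3: /^([0-9a-f]+)[0-9a-f]{1}@\1[0-9a-f]{2}\.info$/,
  comment5: /^[0-9a-f]+@[0-9a-f]+.info$/, // dot left unescaped, as posted
  // Hypothetical variant (not from the thread): shared hex prefix, then
  // 1-5 differing trailing digits on each side, with the dot escaped.
  bounded: /^([0-9a-f]+)[0-9a-f]{1,5}@\1[0-9a-f]{1,5}\.info$/,
};

// IDs quoted in comment 1.
const reported = [
  "4f807b7b72d78@4f807b7b72d79.info",
  "4f81e37bdf5d4@4f81e37bdf5d6.info",
  "5008717ab1a31@5008717ab1a6a.info",
  "4fa18895441de@4fa18895441df.info",
];

// Constructed IDs, NOT from the bug, used to probe for false positives.
const constructed = [
  "cafe@beef.info",       // hex on both sides, but no shared prefix
  "cafe@beefxinfo",       // no literal dot before "info"
  "support@example.info", // non-hex local part
];

// Return the subset of ids that the named pattern matches.
function matches(name, ids) {
  return ids.filter((id) => patterns[name].test(id));
}

// Per pattern: how many reported IDs it catches and which constructed
// (unrelated) IDs it would also catch.
function report() {
  const out = {};
  for (const name of Object.keys(patterns)) {
    out[name] = {
      hits: matches(name, reported).length,
      falsePositives: matches(name, constructed),
    };
  }
  return out;
}

console.log(JSON.stringify(report(), null, 2));
```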
Assignee

Comment 6

7 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #0)
> Codec-C: info@allpremiumplay.info

Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i163

> Codec-M: {EEF73632-A085-4fd3-A778-ECD82C8CB297}

Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i165

The remaining IDs are waiting on bug 806534.

Comment 7

7 years ago
hello jorge, i've noticed that you're doing quite a clean up of malicious addons after bug 688895.

could you also take care of the bflix stuff on this occasion, which seems to be quite crashy & have a look in which different variants it is occurring ...

18% (473/2678) vs.   0% (875/180707) info@bflix.info
7% (178/2678) vs.   0% (355/180707) info@thebflix.com

it seems to be from the same creators as the codec addons or at least follow the same patterns because the websites apparently used for the original distribution look quite similar: http://thebflix.com/ & http://allpremiumsoft.com/
Assignee

Comment 8

7 years ago
Please file a separate bug to look into this. Thanks.

Comment 9

7 years ago
thanks, i've filed bug 806802 for that one.

Comment 10

7 years ago
the codec extensions also run under the hex@hex.COM pattern
Assignee

Comment 12

6 years ago
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i256

I also posted this: https://blog.mozilla.org/addons/2013/01/22/blocklisting-malicious-codec-add-ons/. It should give users a place to complain in case something went wrong.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Assignee

Updated

6 years ago
Blocks: 842402
Product: addons.mozilla.org → Toolkit