Closed Bug 806451 Opened 10 years ago Closed 10 years ago

Block malicious Codec add-ons


(Toolkit :: Blocklist Policy Requests, defect)

(Reporter: jorgev, Assigned: jorgev)




(1 file)

These add-ons appear to be malware by all accounts found online, and they also appear to be causing bug 688895.

Codec-M: {EEF73632-A085-4fd3-A778-ECD82C8CB297}
Codec: haven't found it.
hello, the third one is "Codecv", see this dump from about:support of an affected user (sorry, i've misspelled that in the kb article i've written, the correction has not yet been approved). it seems to have randomly generated IDs - here are some examples:,,,

most part of the string before the @-sign always seems to match the string afterwards besides the last 1-2 characters
Awesome. Let's blocklist ([0-9a-f]+)[0-9a-f]@\1[0-9a-f]\.info

Wonder if Unfocused is up for another blocklist hack...
Actually, I kind of suspect that those two numbers are timestamps, so maybe ([0-9a-f]+)[0-9a-f]{1}@\1[0-9a-f]{2}\.info
A couple others I found :|
Depends on: 806534
Hrm. There are a bunch of those that differ by as many as 5 trailing digits. We may as well block [0-9a-f]+@[0-9a-f] though I suppose it won't be long before they start using another pattern.
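
The ID patterns proposed in the comments above, compared on constructed add-on IDs. This is an added example, not part of the bug thread or of the blocklist code. The ^...$ anchors, the boundedTail pattern with its 6-character minimum shared prefix, and the anyHex form are assumptions of this example.

```javascript
// Added example: candidate blocklist ID patterns from the thread, run over
// constructed add-on IDs (apart from the GUID, none of these IDs come from the bug).
const HEX = '[0-9a-f]';

// Anchoring with ^...$ is this example's choice so the whole ID must match.
const patterns = {
  // One differing trailing character on each side of the @.
  oneTail: new RegExp(`^(${HEX}+)${HEX}@\\1${HEX}\\.info$`),
  // One trailing character before the @, two after it.
  oneTwoTail: new RegExp(`^(${HEX}+)${HEX}{1}@\\1${HEX}{2}\\.info$`),
  // Hypothetical generalization: shared prefix of at least 6 characters,
  // up to 5 differing trailing characters on either side.
  boundedTail: new RegExp(`^(${HEX}{6,})${HEX}{0,5}@\\1${HEX}{0,5}\\.info$`),
  // Assumed anchored form of "block any hex@hex .info ID".
  anyHex: new RegExp(`^${HEX}+@${HEX}+\\.info$`),
};

// Returns the names of the patterns that match the given add-on ID.
function matchingPatterns(id) {
  return Object.keys(patterns).filter((name) => patterns[name].test(id));
}

// Constructed sample IDs, each labelled with the case it exercises.
const samples = [
  ['4f2a9c1b3@4f2a9c1b7.info', 'same length, last character differs'],
  ['4f2a9c1b3@4f2a9c1b72.info', 'one vs. two trailing characters'],
  ['4f2a9c1b3e5d1@4f2a9c1b7a0c2.info', 'five trailing characters differ'],
  ['deadbeef@cafebabe.info', 'hex on both sides, nothing shared'],
  ['a1@a2.info', 'very short ID'],
  ['{EEF73632-A085-4fd3-A778-ECD82C8CB297}', 'GUID-style ID from this bug'],
];

for (const [id, note] of samples) {
  const hits = matchingPatterns(id).join(', ') || 'no match';
  console.log(`${id} (${note}): ${hits}`);
}
```

The output shows the trade-off: the two backreference patterns each miss IDs the other catches, while the any-hex form also matches IDs whose two halves share nothing.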
(In reply to Jorge Villalobos [:jorgev] from comment #0)
> Codec-C:


> Codec-M: {EEF73632-A085-4fd3-A778-ECD82C8CB297}


The remaining IDs are waiting on bug 806534.
hello jorge, i've noticed that you're doing quite a clean up of malicious addons after bug 688895.

could you also take care of the bflix stuff on this occasion, which seems to be quite crashy & have a look in which different variants it is occurring ...

18% (473/2678) vs.   0% (875/180707)
7% (178/2678) vs.   0% (355/180707)

it seems to be from the same creators as the codec addons or at least follow the same patterns because the websites apparently used for the original distribution look quite similar: &
Please file a separate bug to look into this. Thanks.
thanks, i've filed bug 806802 for that one.
the codec extensions also run under the hex@hex.COM pattern

I also posted this: It should give users a place to complain in case something went wrong.
Closed: 10 years ago
Resolution: --- → FIXED
Blocks: 842402
Product: → Toolkit