Bug 806451 - Block malicious Codec add-ons
Product: Toolkit
Classification: Components
Component: Blocklisting
Assigned To: Jorge Villalobos [:jorgev]
Depends on: 806534
Blocks: 842402
Reported: 2012-10-29 10:46 PDT by Jorge Villalobos [:jorgev]
Modified: 2016-03-07 15:30 PST

List of ids following the pattern (415.04 KB, text/plain)
2012-10-29 13:24 PDT, Jorge Villalobos [:jorgev]

Description Jorge Villalobos [:jorgev] 2012-10-29 10:46:58 PDT
These add-ons appear to be malware by all accounts found online, and they also appear to be causing bug 688895.

Codec-M: {EEF73632-A085-4fd3-A778-ECD82C8CB297}
Codec: haven't found it.
Comment 1 [:philipp] 2012-10-29 12:20:51 PDT
hello, the third one is "Codecv", see this dump from about:support of an affected user (sorry, i've misspelled that in the kb article i've written, the correction has not yet been approved). it seems to have randomly generated IDs - here are some examples:,,,

most part of the string before the @-sign always seems to match the string afterwards besides the last 1-2 characters
Comment 2 Kris Maglione [:kmag] 2012-10-29 12:26:02 PDT
Awesome. Let's blocklist ([0-9a-f]+)[0-9a-f]@\1[0-9a-f]\.info

Wonder if Unfocused is up for another blocklist hack...
Comment 3 Kris Maglione [:kmag] 2012-10-29 12:28:05 PDT
Actually, I kind of suspect that those two numbers are timestamps, so maybe ([0-9a-f]+)[0-9a-f]{1}@\1[0-9a-f]{2}\.info
Comment 4 Jorge Villalobos [:jorgev] 2012-10-29 13:24:47 PDT
Created attachment 676287
List of ids following the pattern

A couple others I found :|
Comment 5 Kris Maglione [:kmag] 2012-10-29 13:33:14 PDT
Hrm. There are a bunch of those that differ by as many as 5 trailing digits. We may as well block [0-9a-f]+@[0-9a-f] though I suppose it won't be long before they start using another pattern.
Comment 6 Jorge Villalobos [:jorgev] 2012-10-29 16:42:54 PDT
(In reply to Jorge Villalobos [:jorgev] from comment #0)
> Codec-C:


> Codec-M: {EEF73632-A085-4fd3-A778-ECD82C8CB297}


The remaining IDs are waiting on bug 806534.
Comment 7 [:philipp] 2012-10-29 17:10:56 PDT
hello jorge, i've noticed that you're doing quite a clean up of malicious addons after bug 688895.

could you also take care of the bflix stuff on this occasion, which seems to be quite crashy & have a look in which different variants it is occurring ...

18% (473/2678) vs.   0% (875/180707)
7% (178/2678) vs.   0% (355/180707)

it seems to be from the same creators as the codec addons or at least follow the same patterns because the websites apparently used for the original distribution look quite similar: &
Comment 8 Jorge Villalobos [:jorgev] 2012-10-29 17:24:39 PDT
Please file a separate bug to look into this. Thanks.
Comment 9 [:philipp] 2012-10-30 04:26:32 PDT
thanks, i've filed bug 806802 for that one.
Comment 10 [:philipp] 2012-11-02 06:52:24 PDT
the codec extensions also run under the hex@hex.COM pattern
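
Added example (not part of the bug thread and not Mozilla's blocklist code): the patterns from comments 2 and 3 run against constructed IDs, next to a shared-prefix check that tolerates up to five differing trailing characters (comment 5) and also accepts the .com variant (comment 10). The sample IDs, the MIN_PREFIX threshold and the function names are assumptions made for illustration.

```javascript
// Patterns as written in comments 2 and 3 (unanchored, exactly as proposed).
const COMMENT_2 = /([0-9a-f]+)[0-9a-f]@\1[0-9a-f]\.info/;
const COMMENT_3 = /([0-9a-f]+)[0-9a-f]{1}@\1[0-9a-f]{2}\.info/;

// Assumed thresholds for this example. Comment 5 reports IDs that differ by
// "as many as 5 trailing digits"; the minimum shared prefix is hypothetical.
const MAX_TAIL = 5;
const MIN_PREFIX = 6;

// True when the whole ID is <hex>@<hex>.info or <hex>@<hex>.com and the two
// hex strings share a long prefix, differing only in a short tail.
function matchesCodecPattern(id) {
  const m = /^([0-9a-f]+)@([0-9a-f]+)\.(?:info|com)$/i.exec(id);
  if (!m) return false;
  const left = m[1].toLowerCase();
  const right = m[2].toLowerCase();
  let shared = 0;
  while (shared < left.length && shared < right.length &&
         left[shared] === right[shared]) {
    shared++;
  }
  return shared >= MIN_PREFIX &&
         left.length - shared <= MAX_TAIL &&
         right.length - shared <= MAX_TAIL;
}

// Constructed sample IDs, not taken from the attachment on this bug.
const SAMPLES = [
  "508ea3f1c2d4a@508ea3f1c2d4b.info",     // one differing character per side
  "508ea3f1c2d4a@508ea3f1c2d4bc.info",    // one vs. two trailing characters
  "508ea3f1c211111@508ea3f1c22f9a0.info", // five differing trailing characters
  "508ea3f1c2d4a@508ea3f1c2d4b.com",      // .com variant from comment 10
  "cafe@decaf.info",                      // hex on both sides, no shared prefix
  "toolbar-a1@a2.info",                   // only a substring fits the pattern
];

// Runs every check against every ID so the differences are visible per row.
function classify(ids) {
  return ids.map((id) => ({
    id,
    comment2: COMMENT_2.test(id),
    comment3: COMMENT_3.test(id),
    sharedPrefix: matchesCodecPattern(id),
  }));
}

console.table(classify(SAMPLES));
```

The last row matches the comment 2 pattern only because that pattern is unanchored; with ^ and $ around it, the ID would not match.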
Comment 11 Jorge Villalobos [:jorgev] 2012-11-05 09:25:15 PST
I just added ID to the blocks.
Comment 12 Jorge Villalobos [:jorgev] 2013-01-22 12:18:21 PST

I also posted this: It should give users a place to complain in case something went wrong.
