Closed
Bug 806451
Opened 12 years ago
Closed 11 years ago
Block malicious Codec add-ons
Categories
(Toolkit :: Blocklist Policy Requests, defect)
RESOLVED
FIXED
People
(Reporter: jorgev, Assigned: jorgev)
Attachments: 1 file (415.04 KB, text/plain)
These add-ons appear to be malware by all accounts found online, and they also appear to be causing bug 688895.
Codec-C: info@allpremiumplay.info
Codec-M: {EEF73632-A085-4fd3-A778-ECD82C8CB297}
Codec: haven't found it.
Comment 1•12 years ago
hello, the third one is "Codecv", see this dump from about:support of an affected user http://pastebin.com/XWfB4Cye (sorry, i've misspelled that in the kb article i've written, the correction has not yet been approved).
it seems to have randomly generated IDs - here are some examples:
4f807b7b72d78@4f807b7b72d79.info
4f81e37bdf5d4@4f81e37bdf5d6.info
5008717ab1a31@5008717ab1a6a.info
4fa18895441de@4fa18895441df.info
most part of the string before the @-sign always seems to match the string afterwards besides the last 1-2 characters
Comment 2•12 years ago
Awesome. Let's blocklist
([0-9a-f]+)[0-9a-f]@\1[0-9a-f]\.info
Wonder if Unfocused is up for another blocklist hack...
Comment 3•12 years ago
Actually, I kind of suspect that those two numbers are timestamps, so maybe
([0-9a-f]+)[0-9a-f]{1}@\1[0-9a-f]{2}\.info
Comment 4•12 years ago (Assignee)
A couple others I found :|
Comment 5•12 years ago
Hrm. There are a bunch of those that differ by as many as 5 trailing digits. We may as well block
[0-9a-f]+@[0-9a-f]+.info
though I suppose it won't be long before they start using another pattern.
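
The patterns proposed in comments 2, 3 and 5, checked against the four sample IDs from comment 1, as an added example that is not part of the original bug thread. The `anchored` variant and the benign IDs are constructed assumptions, included to show what each pattern catches and what it would block by mistake.

```javascript
// Patterns copied verbatim from comments 2, 3 and 5 of this bug.
const patterns = {
  comment2: /([0-9a-f]+)[0-9a-f]@\1[0-9a-f]\.info/,
  comment3: /([0-9a-f]+)[0-9a-f]{1}@\1[0-9a-f]{2}\.info/,
  comment5: /[0-9a-f]+@[0-9a-f]+.info/,
  // Assumption (not from the thread): comment 5 with anchors and an escaped dot.
  anchored: /^[0-9a-f]+@[0-9a-f]+\.info$/,
};

// Sample add-on IDs quoted in comment 1.
const reported = [
  "4f807b7b72d78@4f807b7b72d79.info",
  "4f81e37bdf5d4@4f81e37bdf5d6.info",
  "5008717ab1a31@5008717ab1a6a.info", // tails differ by two characters
  "4fa18895441de@4fa18895441df.info",
];

// Constructed IDs that a block for this malware family should not catch.
const benign = [
  "reader@example.org",
  "toolbar-1a@2binfo.example",   // no ".info" TLD; trips an unescaped dot
  "video-fab@cafe.info.example", // ".info" mid-string; trips a missing anchor
];

// Which reported IDs a pattern blocks, and which benign IDs it blocks by mistake.
function evaluate(regex) {
  return {
    caught: reported.filter((id) => regex.test(id)),
    falsePositives: benign.filter((id) => regex.test(id)),
  };
}

function report() {
  const out = {};
  for (const [name, regex] of Object.entries(patterns)) {
    out[name] = evaluate(regex);
  }
  return out;
}

for (const [name, r] of Object.entries(report())) {
  console.log(
    `${name}: caught ${r.caught.length}/${reported.length}, ` +
    `false positives ${r.falsePositives.length}/${benign.length}`
  );
}
```
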
Comment 6•12 years ago (Assignee)
(In reply to Jorge Villalobos [:jorgev] from comment #0)
> Codec-C: info@allpremiumplay.info
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i163
> Codec-M: {EEF73632-A085-4fd3-A778-ECD82C8CB297}
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i165
The remaining IDs are waiting on bug 806534.
Comment 7•12 years ago
hello jorge, i've noticed that you're doing quite a clean up of malicious addons after bug 688895. could you also take care of the bflix stuff on this occasion, which seems to be quite crashy & have a look in which different variants it is occurring ...
18% (473/2678) vs. 0% (875/180707) info@bflix.info
7% (178/2678) vs. 0% (355/180707) info@thebflix.com
it seems to be from the same creators as the codec addons or at least follow the same patterns because the websites apparently used for the original distribution look quite similar: http://thebflix.com/ & http://allpremiumsoft.com/
Comment 8•12 years ago (Assignee)
Please file a separate bug to look into this. Thanks.
Comment 9•12 years ago
thanks, i've filed bug 806802 for that one.
Comment 10•12 years ago
the codec extensions also run under the hex@hex.COM pattern
Comment 11•12 years ago (Assignee)
I just added ID info@wxdownloadmanager.com to the blocks.
https://addons.mozilla.org/en-US/firefox/blocked/i196
Comment 12•11 years ago (Assignee)
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i256
I also posted this: https://blog.mozilla.org/addons/2013/01/22/blocklisting-malicious-codec-add-ons/. It should give users a place to complain in case something went wrong.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•8 years ago
Product: addons.mozilla.org → Toolkit