Bug 806451 - Block malicious Codec add-ons
Status: RESOLVED FIXED
Product: Toolkit
Classification: Components
Component: Blocklisting
Version: unspecified
Hardware: All All
Importance: -- normal
Target Milestone: ---
Assigned To: Jorge Villalobos [:jorgev]
Depends on: 806534
Blocks: 842402
Reported: 2012-10-29 10:46 PDT by Jorge Villalobos [:jorgev]
Modified: 2016-03-07 15:30 PST
CC: 9 users

Attachments
List of ids following the hex@hex.info pattern (415.04 KB, text/plain)
2012-10-29 13:24 PDT, Jorge Villalobos [:jorgev]

Description Jorge Villalobos [:jorgev] 2012-10-29 10:46:58 PDT
These add-ons appear to be malware by all accounts found online, and they also appear to be causing bug 688895.

Codec-C: info@allpremiumplay.info
Codec-M: {EEF73632-A085-4fd3-A778-ECD82C8CB297}
Codec: haven't found it.
Comment 1 [:philipp] 2012-10-29 12:20:51 PDT
Hello, the third one is "Codecv", see this dump from about:support of an affected user http://pastebin.com/XWfB4Cye (sorry, I've misspelled that in the kb article I've written, the correction has not yet been approved). It seems to have randomly generated IDs - here are some examples: 4f807b7b72d78@4f807b7b72d79.info, 4f81e37bdf5d4@4f81e37bdf5d6.info, 5008717ab1a31@5008717ab1a6a.info, 4fa18895441de@4fa18895441df.info

Most of the string before the @-sign always seems to match the string afterwards besides the last 1-2 characters.
Comment 2 Kris Maglione [:kmag] 2012-10-29 12:26:02 PDT
Awesome. Let's blocklist ([0-9a-f]+)[0-9a-f]@\1[0-9a-f]\.info

Wonder if Unfocused is up for another blocklist hack...
Comment 3 Kris Maglione [:kmag] 2012-10-29 12:28:05 PDT
Actually, I kind of suspect that those two numbers are timestamps, so maybe ([0-9a-f]+)[0-9a-f]{1}@\1[0-9a-f]{2}\.info
Comment 4 Jorge Villalobos [:jorgev] 2012-10-29 13:24:47 PDT
Created attachment 676287 [details]
List of ids following the hex@hex.info pattern

A couple others I found :|
Comment 5 Kris Maglione [:kmag] 2012-10-29 13:33:14 PDT
Hrm. There are a bunch of those that differ by as many as 5 trailing digits. We may as well block [0-9a-f]+@[0-9a-f]+.info though I suppose it won't be long before they start using another pattern.
Comment 6 Jorge Villalobos [:jorgev] 2012-10-29 16:42:54 PDT
(In reply to Jorge Villalobos [:jorgev] from comment #0)
> Codec-C: info@allpremiumplay.info

Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i163

> Codec-M: {EEF73632-A085-4fd3-A778-ECD82C8CB297}

Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i165

The remaining IDs are waiting on bug 806534.
Comment 7 [:philipp] 2012-10-29 17:10:56 PDT
Hello Jorge, I've noticed that you're doing quite a clean-up of malicious add-ons after bug 688895.

Could you also take care of the bflix stuff on this occasion, which seems to be quite crashy, & have a look in which different variants it is occurring ...

18% (473/2678) vs.   0% (875/180707) info@bflix.info
7% (178/2678) vs.   0% (355/180707) info@thebflix.com

It seems to be from the same creators as the codec add-ons or at least follow the same patterns because the websites apparently used for the original distribution look quite similar: http://thebflix.com/ & http://allpremiumsoft.com/
Comment 8 Jorge Villalobos [:jorgev] 2012-10-29 17:24:39 PDT
Please file a separate bug to look into this. Thanks.
Comment 9 [:philipp] 2012-10-30 04:26:32 PDT
Thanks, I've filed bug 806802 for that one.
Comment 10 [:philipp] 2012-11-02 06:52:24 PDT
The codec extensions also run under the hex@hex.COM pattern.
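The pattern discussion in comments 2 through 5 and the ".com" variant reported in comment 10 can be checked directly against the IDs quoted in comment 1. The script below is an added example, not code from the bug or from Mozilla's blocklist tooling. It takes the backreference sketch from comment 2 and the loose form from comment 5 (extended with ".com"), anchors both and escapes the dot so the TLD is matched literally, and reports which of the sample IDs each one catches. It also decodes each 13-character hex half on the assumption, which the bug does not state, that the tokens have the layout of PHP's uniqid() (eight hex digits of Unix seconds followed by five of microseconds); under that assumption kmag's "timestamps" hunch and the observation that halves differ by up to five trailing digits both fall out naturally, since the two halves would be consecutive calls within the same second. The two constructed IDs are mine and are labelled as such.

```python
import re
from datetime import datetime, timezone

# Candidate blocklist patterns from the thread, anchored and with the dot
# escaped so ".info"/".com" are matched literally. STRICT is the backreference
# sketch from comment 2; BROAD is comment 5's loose form plus the ".com"
# variant from comment 10.
STRICT = re.compile(r"^([0-9a-f]+)[0-9a-f]@\1[0-9a-f]\.info$")
BROAD = re.compile(r"^[0-9a-f]+@[0-9a-f]+\.(?:info|com)$")

# IDs quoted in comment 1 of the bug.
IDS_FROM_THREAD = [
    "4f807b7b72d78@4f807b7b72d79.info",
    "4f81e37bdf5d4@4f81e37bdf5d6.info",
    "5008717ab1a31@5008717ab1a6a.info",
    "4fa18895441de@4fa18895441df.info",
]

# Constructed samples (not from the bug): a ".com" variant whose halves differ
# in the last five characters, and a benign-looking ID that must not be caught.
CONSTRUCTED_IDS = [
    "50a3b1c2d4e5f@50a3b1c2e0a1b.com",
    "helper@example.org",
]


def classify(addon_id):
    """Return which of the candidate patterns match an add-on ID."""
    return {
        "strict": STRICT.match(addon_id) is not None,
        "broad": BROAD.match(addon_id) is not None,
    }


def decode_uniqid(hex13):
    """Split a 13-char hex token into (seconds, microseconds).

    Assumption (not stated in the bug): the tokens have the layout of PHP's
    uniqid(), eight hex digits of Unix time followed by five of microseconds.
    """
    if not re.fullmatch(r"[0-9a-f]{13}", hex13):
        raise ValueError("expected 13 lowercase hex digits")
    return int(hex13[:8], 16), int(hex13[8:], 16)


def looks_like_uniqid_pair(addon_id):
    """True if both halves decode to the same second with a plausible
    microsecond field, i.e. they look like two uniqid() calls made back to back."""
    local, _, domain = addon_id.partition("@")
    host = domain.rsplit(".", 1)[0]
    try:
        (ls, lu), (rs, ru) = decode_uniqid(local), decode_uniqid(host)
    except ValueError:
        return False
    return ls == rs and lu < 1_000_000 and ru < 1_000_000


def report(ids):
    """One row per ID: (id, strict_match, broad_match, uniqid_pair)."""
    rows = []
    for addon_id in ids:
        c = classify(addon_id)
        rows.append((addon_id, c["strict"], c["broad"], looks_like_uniqid_pair(addon_id)))
    return rows


if __name__ == "__main__":
    for addon_id, strict, broad, uniq in report(IDS_FROM_THREAD + CONSTRUCTED_IDS):
        print(f"{addon_id:36} strict={strict!s:5} broad={broad!s:5} uniqid-pair={uniq}")
    sec, usec = decode_uniqid("4f807b7b72d78")
    print("first half decodes to", datetime.fromtimestamp(sec, tz=timezone.utc).isoformat(), usec)
```

Running it shows the strict backreference form already misses one of the four IDs from comment 1 (the pair whose halves differ in their last two characters), while the broad form catches all of them plus the ".com" sample and leaves the benign ID alone; that is the trade-off comment 5 settles on. The uniqid check is a separate, labelled inference that a triager could use to confirm an ID belongs to this family before adding it to a blocklist entry.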
Comment 11 Jorge Villalobos [:jorgev] 2012-11-05 09:25:15 PST
I just added ID info@wxdownloadmanager.com to the blocks.

https://addons.mozilla.org/en-US/firefox/blocked/i196
Comment 12 Jorge Villalobos [:jorgev] 2013-01-22 12:18:21 PST
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i256

I also posted this: https://blog.mozilla.org/addons/2013/01/22/blocklisting-malicious-codec-add-ons/. It should give users a place to complain in case something went wrong.
