Closed Bug 806451 Opened 12 years ago Closed 11 years ago

Block malicious Codec add-ons

Categories

(Toolkit :: Blocklist Policy Requests, defect)

RESOLVED FIXED

People

(Reporter: jorgev, Assigned: jorgev)

Attachments

(1 file)

These add-ons appear to be malware by all accounts found online, and they also appear to be causing bug 688895.

Codec-C: info@allpremiumplay.info
Codec-M: {EEF73632-A085-4fd3-A778-ECD82C8CB297}
Codec: haven't found it.
hello, the third one is "Codecv", see this dump from about:support of an affected user http://pastebin.com/XWfB4Cye (sorry, i've misspelled that in the kb article i've written, the correction has not yet been approved). it seems to have randomly generated IDs - here are some examples: 4f807b7b72d78@4f807b7b72d79.info, 4f81e37bdf5d4@4f81e37bdf5d6.info, 5008717ab1a31@5008717ab1a6a.info, 4fa18895441de@4fa18895441df.info

most part of the string before the @-sign always seems to match the string afterwards besides the last 1-2 characters
Awesome. Let's blocklist ([0-9a-f]+)[0-9a-f]@\1[0-9a-f]\.info

Wonder if Unfocused is up for another blocklist hack...
Actually, I kind of suspect that those two numbers are timestamps, so maybe ([0-9a-f]+)[0-9a-f]{1}@\1[0-9a-f]{2}\.info
A couple others I found :|
Depends on: 806534
Hrm. There are a bunch of those that differ by as many as 5 trailing digits. We may as well block [0-9a-f]+@[0-9a-f]+.info though I suppose it won't be long before they start using another pattern.
(In reply to Jorge Villalobos [:jorgev] from comment #0)
> Codec-C: info@allpremiumplay.info

Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i163

> Codec-M: {EEF73632-A085-4fd3-A778-ECD82C8CB297}

Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i165

The remaining IDs are waiting on bug 806534.
hello jorge, i've noticed that you're doing quite a clean up of malicious addons after bug 688895.

could you also take care of the bflix stuff on this occasion, which seems to be quite crashy & have a look in which different variants it is occurring ...

18% (473/2678) vs.   0% (875/180707) info@bflix.info
7% (178/2678) vs.   0% (355/180707) info@thebflix.com

it seems to be from the same creators as the codec addons or at least follow the same patterns because the websites apparently used for the original distribution look quite similar: http://thebflix.com/ & http://allpremiumsoft.com/
Please file a separate bug to look into this. Thanks.
thanks, i've filed bug 806802 for that one.
the codec extensions also run under the hex@hex.COM pattern
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i256

I also posted this: https://blog.mozilla.org/addons/2013/01/22/blocklisting-malicious-codec-add-ons/. It should give users a place to complain in case something went wrong.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Blocks: 842402
Product: addons.mozilla.org → Toolkit
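
To compare the three ID patterns proposed in the comments against the four Codecv IDs quoted in the thread, here is an added example (not code from this bug or from Mozilla). The `^...$` anchors, the `anyHexLiteralDot` variant, the control IDs and all function names are assumptions made for illustration.

```javascript
// Added example, not code from the bug or from Mozilla. Patterns are copied
// from the comments; the ^...$ anchors are an assumption so that a pattern
// has to match the whole add-on ID.
const CANDIDATES = {
  oneTrailing: /^([0-9a-f]+)[0-9a-f]@\1[0-9a-f]\.info$/,
  oneThenTwo: /^([0-9a-f]+)[0-9a-f]{1}@\1[0-9a-f]{2}\.info$/,
  anyHex: /^[0-9a-f]+@[0-9a-f]+.info$/, // dot left unescaped, as posted
  anyHexLiteralDot: /^[0-9a-f]+@[0-9a-f]+\.info$/, // added variant
};

// The four Codecv IDs quoted in the thread.
const REPORTED = [
  "4f807b7b72d78@4f807b7b72d79.info",
  "4f81e37bdf5d4@4f81e37bdf5d6.info",
  "5008717ab1a31@5008717ab1a6a.info",
  "4fa18895441de@4fa18895441df.info",
];

// Constructed control IDs (not from the thread) to expose over-matching.
const CONTROLS = [
  "cafe1234@beef5678.info", // hex on both sides, no shared prefix
  "deadbeef@cafe0info",     // no dot before "info"
  "addon@example.info",     // non-hex local part
];

// For each candidate: which reported IDs it misses, which controls it hits.
function evaluate() {
  const report = {};
  for (const [name, re] of Object.entries(CANDIDATES)) {
    report[name] = {
      missed: REPORTED.filter((id) => !re.test(id)),
      controlHits: CONTROLS.filter((id) => re.test(id)),
    };
  }
  return report;
}

// Length of the shared prefix and of each side's differing tail, to measure
// how many trailing characters a pattern has to tolerate.
function trailingDivergence(id) {
  const m = /^([0-9a-f]+)@([0-9a-f]+)\.info$/.exec(id);
  if (!m) return null;
  const [, left, right] = m;
  let shared = 0;
  while (shared < left.length && left[shared] === right[shared]) shared++;
  return { shared, leftTail: left.length - shared, rightTail: right.length - shared };
}

console.log(evaluate(), REPORTED.map(trailingDivergence));
```

On the four reported IDs, `oneTrailing` misses the one whose tails differ by two characters, `oneThenTwo` misses all four because both hex parts have the same length, and the two `anyHex` forms miss none. The unescaped dot additionally lets `anyHex` match the constructed control that has no dot before `info`.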