Block malicious Codec add-ons

Status: RESOLVED FIXED
Product / Component: Toolkit :: Blocklisting
Reporter: jorgev, Assigned: jorgev

Description (Assignee)

These add-ons appear to be malware by all accounts found online, and they also appear to be causing bug 688895.

Codec-C: info@allpremiumplay.info
Codec-M: {EEF73632-A085-4fd3-A778-ECD82C8CB297}
Codec: haven't found it.

Comment 1

hello, the third one is "Codecv", see this dump from about:support of an affected user http://pastebin.com/XWfB4Cye (sorry, i've misspelled that in the kb article i've written, the correction has not yet been approved). it seems to have randomly generated IDs - here are some examples: 4f807b7b72d78@4f807b7b72d79.info, 4f81e37bdf5d4@4f81e37bdf5d6.info, 5008717ab1a31@5008717ab1a6a.info, 4fa18895441de@4fa18895441df.info

most part of the string before the @-sign always seems to match the string afterwards besides the last 1-2 characters

Comment 2

Awesome. Let's blocklist ([0-9a-f]+)[0-9a-f]@\1[0-9a-f]\.info

Wonder if Unfocused is up for another blocklist hack...

Comment 3

Actually, I kind of suspect that those two numbers are timestamps, so maybe ([0-9a-f]+)[0-9a-f]{1}@\1[0-9a-f]{2}\.info

Comment 4 (Assignee)

Created attachment 676287 [details]
List of ids following the hex@hex.info pattern

A couple others I found :|

Updated (Assignee): Depends on: 806534

Comment 5

Hrm. There are a bunch of those that differ by as many as 5 trailing digits. We may as well block [0-9a-f]+@[0-9a-f]+.info though I suppose it won't be long before they start using another pattern.

Comment 6 (Assignee)

(In reply to Jorge Villalobos [:jorgev] from comment #0)
> Codec-C: info@allpremiumplay.info

Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i163

> Codec-M: {EEF73632-A085-4fd3-A778-ECD82C8CB297}

Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i165

The remaining IDs are waiting on bug 806534.

Comment 7

hello jorge, i've noticed that you're doing quite a clean up of malicious addons after bug 688895.

could you also take care of the bflix stuff on this occasion, which seems to be quite crashy & have a look in which different variants it is occurring ...

18% (473/2678) vs.   0% (875/180707) info@bflix.info
7% (178/2678) vs.   0% (355/180707) info@thebflix.com

it seems to be from the same creators as the codec addons or at least follow the same patterns because the websites apparently used for the original distribution look quite similar: http://thebflix.com/ & http://allpremiumsoft.com/

Comment 8 (Assignee)

Please file a separate bug to look into this. Thanks.

Comment 9

thanks, i've filed bug 806802 for that one.

Comment 10

the codec extensions also run under the hex@hex.COM pattern
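
The ID shape discussed in comments 1, 2, 3, 5 and 10 (hex@hex.info, later also hex@hex.com, with the two hex strings agreeing except for their trailing characters) as a small added Python checker. This is example code written for this page, not code from the bug, from Mozilla's blocklist, or from the Firefox client. It anchors the pattern and escapes the dot, measures how many trailing characters the two halves of each ID differ by (the observation in comments 1 and 5), and decodes the first eight hex digits as a Unix timestamp to test the suspicion in comment 3; that decoding, the .com sample and the benign sample ID are assumptions, constructed for the example.

```python
import re
from datetime import datetime, timezone

# hex@hex.info as proposed in comment 5, widened with the .com TLD from comment 10.
# Anchored with ^...$ and the dot escaped, so "hex@hexXinfo" cannot slip through.
CODEC_ID_RE = re.compile(r"^([0-9a-f]+)@([0-9a-f]+)\.(info|com)$", re.IGNORECASE)


def common_prefix_len(a, b):
    """Number of leading characters shared by a and b."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def hex_timestamp(hexstr):
    """Decode the leading 8 hex digits as Unix seconds (UTC).

    Assumption only: comment 3 suspects the numbers are timestamps; the
    first 8 hex digits of the IDs quoted in the bug decode to 2012 dates.
    """
    if len(hexstr) < 8:
        return None
    return datetime.fromtimestamp(int(hexstr[:8], 16), tz=timezone.utc)


def classify(addon_id):
    """Return a dict saying whether addon_id fits the codec pattern and why."""
    m = CODEC_ID_RE.match(addon_id)
    if not m:
        return {"id": addon_id, "flagged": False}
    left, right, tld = m.groups()
    shared = common_prefix_len(left, right)
    ts = hex_timestamp(left)
    return {
        "id": addon_id,
        "flagged": True,
        "tld": tld.lower(),
        # How much of the two halves agree (comment 1: all but the last 1-2 chars).
        "shared_prefix": shared,
        "trailing_diff": max(len(left), len(right)) - shared,
        "timestamp": ts.isoformat() if ts else None,
    }


def scan(ids):
    """Apply classify() to an about:support-style list of installed IDs, keep the hits."""
    return [r for r in (classify(i) for i in ids) if r["flagged"]]


# IDs quoted in the bug, plus constructed entries marked as such.
SAMPLE_IDS = [
    "4f807b7b72d78@4f807b7b72d79.info",        # comment 1
    "4f81e37bdf5d4@4f81e37bdf5d6.info",        # comment 1
    "5008717ab1a31@5008717ab1a6a.info",        # comment 1
    "4fa18895441de@4fa18895441df.info",        # comment 1
    "5008717ab1a31@5008717ab1a6a.com",         # constructed .com variant (comment 10 shape)
    "info@allpremiumplay.info",                # Codec-C, blocked individually (comment 6)
    "{EEF73632-A085-4fd3-A778-ECD82C8CB297}",  # Codec-M, blocked individually (comment 6)
    "example-addon@example.org",               # constructed benign ID
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_IDS):
        print(hit)
```

Run against the add-on IDs listed in an affected profile's about:support, it flags the generated IDs and leaves the two hand-named IDs (Codec-C and Codec-M) to the individual blocklist entries the bug already created; the shared-prefix and timestamp fields make it easy to see whether a new sample still follows the family's generator.
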

Comment 11 (Assignee)

I just added ID info@wxdownloadmanager.com to the blocks.

https://addons.mozilla.org/en-US/firefox/blocked/i196

Comment 12 (Assignee)

Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i256

I also posted this: https://blog.mozilla.org/addons/2013/01/22/blocklisting-malicious-codec-add-ons/. It should give users a place to complain in case something went wrong.
Status: NEW → RESOLVED
Resolution: --- → FIXED

Updated (Assignee)

Blocks: 842402
Product: addons.mozilla.org → Toolkit