Part of internet going mad xD cuz of mutex/ocfipreoqyfb/mutex

Wooozel

Dec 8, 2015
https://www.google.com/search?q=mutex/ocfipreoqyfb/mutex
https://www.google.com/search?q=ocfipreoqyfb
https://www.google.com/alerts
paste ocfipreoqyfb


after some of my research, it's caused by an extension for Firefox imho [adware, K-Lite Codec Pack]
if you post on a CMS/forum/webapp using a textarea, this little piece of markup is added at the end during the POST process:
<div id="jsseunrwnoeo"><div id="ocfipreoqyfb" class="simple_mutex">mutex/ocfipreoqyfb/mutex</div></div>
people went mad cuz of this; the string "mutex/ocfipreoqyfb/mutex" was even added to website titles, forum posts, emails and so on.
TL;DR
after some deeper research I stumbled over a different string than the usual one: class="simple_mutex" id="ocfipreoqyfb" origin="safe_url_2"
I was curious about the origin, so I searched via Google Alerts and bang!
safe_url_2 >> safe_url__2.exe >> Solvusoft >> "und eine mögliche Infektion mit Viren" DE>EN "and a possible infection with viruses"
google?safe_url__2.exe
>> reasoncoresecurity.com >> Detection: PUP.Vondos.BrowserSec >> Browser-Security Addon
additionally https://www.reasoncoresecurity.com/safe_url_2.exe-8dfd006db611eadbc01244741fa99ab3a25878eb.aspx
google?Solvusoft
>> Sophos:Solvusoft StaticBuild Installer - Adware and PUAs
fast reverse of the addon/extension https://addons.mozilla.org/pl/firefox/addon/browser-security-1/
var className = 'simple_mutex';
mWrapper = doc.createElement('div');
var checkContent = 'mutex'+'/'+key+'/'+'mutex';
docMutexDiv.textContent = checkContent;
docMutexDiv.setAttribute('origin', localVars.appName);
docMutexDiv.style.display = 'none';
mWrapper.appendChild(docMutexDiv);

so I searched for where the addon/extension was included, and it appeared that it's smuggled in with the K-Lite Codec Pack.
in short: Man in the Browser whose interest lies in ads. so if a person posts on a forum, portal, CMS, or whatever web-based, he will automatically get this markup added, and the person most likely won't know where it comes from.
probably the authors of the addon/extension fckd something up.
imho, if you are not a codec expert, avoid K-Lite and simply install/use VLC http://www.videolan.org/ - works like a charm without K-Lite.
</wooozel>
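
A server-side check for the injected marker described in this thread, as an added example that is not part of the original post or the extension's own code. It finds and strips the marker from submitted content and reports the `origin` attribute; the function names, the key pattern `[A-Za-z0-9_]+` and the sample strings are assumptions constructed from the markup quoted above.

```javascript
// Added example, not the extension's code. Assumption: the key is [A-Za-z0-9_]+.
const KEY = '[A-Za-z0-9_]+';
// Inner marker div: class simple_mutex, text mutex/<key>/mutex, other attributes in any order.
const INNER = `<div\\b([^>]*\\bclass\\s*=\\s*["']?simple_mutex\\b[^>]*)>\\s*mutex/(${KEY})/mutex\\s*</div>`;
// Outer wrapper as quoted in the post: a div carrying only an id attribute.
const WRAPPED = `<div\\s+id\\s*=\\s*["']?${KEY}["']?\\s*>\\s*${INNER}\\s*</div>`;
// Text-only remnant left when a site strips the tags but keeps the text.
const BARE = `mutex/(${KEY})/mutex`;

// Read one attribute value out of a raw attribute string, or null if absent.
function attr(attrs, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i').exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// One finding per marker: key, origin attribute (names the injecting app), and form.
function findMutexMarkers(input) {
  const findings = [];
  const rest = input.replace(new RegExp(INNER, 'gi'), (all, attrs, key) => {
    findings.push({ key, origin: attr(attrs, 'origin'), form: 'markup' });
    return '';
  });
  // Whatever is left can only be the text-only form (titles, emails).
  for (const m of rest.matchAll(new RegExp(BARE, 'gi'))) {
    findings.push({ key: m[1], origin: null, form: 'text' });
  }
  return findings;
}

// Remove wrapped markers first, then unwrapped marker divs, then text-only remnants.
function stripMutexMarkers(input) {
  return [WRAPPED, INNER, BARE]
    .reduce((s, re) => s.replace(new RegExp(re, 'gi'), ''), input)
    .trimEnd();
}

// Constructed sample submissions modelled on the markup quoted in the post.
const samplePost = 'Hello forum<div id="jsseunrwnoeo"><div id="ocfipreoqyfb" class="simple_mutex" origin="safe_url_2">mutex/ocfipreoqyfb/mutex</div></div>';
const sampleTitle = 'My thread title mutex/ocfipreoqyfb/mutex';

console.log(findMutexMarkers(samplePost), JSON.stringify(stripMutexMarkers(samplePost)));
console.log(findMutexMarkers(sampleTitle), JSON.stringify(stripMutexMarkers(sampleTitle)));
```

The text-only pattern also matches legitimate discussion of the string (such as this thread's title), so a site may prefer to log `form: 'text'` findings and strip only the `markup` form.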
