Spyware on FreeBSD!?

Mark Ovens mark at ukug.uk.freebsd.org
Tue Feb 8 18:59:02 GMT 2005 

Frank Shute wrote:
> Bad news, looks like my machine has been infected with some Spyware.
> 
> I noticed that on surfing to: http://news.bbc.co.uk/ or anything under
> that domain, I was getting some outgoing activity and Firefox was
> after a URL (as shown by the status bar) somewhere under the domain: 
> 
> http://bbcnewscouk.112.2o7.net/
> 
> A quick Google on 2o7.net confirmed my worst fears: spyware!
> 
> and a 2o7.net cookie planted on my machine.
> 
> I cached some pages in my proxy <excerpt>:
> 
> http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455?purl=http%3A%2F%2Fnews.bbc.co.uk%2F&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D
> 
> http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455?purl=http://news.bbc.co.uk/&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D
> 
> Looks like some sort of perl script which returns a 2x2 gif, whilst
> harvesting your browsing habits (and screen & windowsize - by calling
> Javascript functions in Firefox?)
> 

% whois 2o7.net

[....]

Registrant:
Omniture, Inc. (2O41-DOM)
     550 East Timpanogos Cir
     Building G
     Orem, UT 84097
     US

  From BBC's Privacy and Cookies Policy (there's a link at the bottom of
the main page) http://www.bbc.co.uk/privacy/

2. Visitor Information

[....]

"The BBC also uses a company called Omniture to track and analyse
non-personally identifiable usage and statistical information about
volume of visitors to the BBC News pages on bbc.co.uk in order to
measure the effectiveness of the BBC News web pages and improve services
to users. Please note that this is not personal information, only
general summaries of the activities of visitors to bbc.co.uk. If you
wish to reject the Omniture cookies, you can use the process set out
below in point 7. Further information regarding Omniture's privacy
statement can be found at http://www.omniture.com/policy.html#cookies."

Blocking the cookies does not stop the site working.

Regards,

Mark




---
avast! Antivirus: Outbound message clean.
Virus Database (VPS): 0506-0, 08/02/2005
Tested on: 08/02/2005 18:59:03
avast! - copyright (c) 2000-2004 ALWIL Software.
http://www.avast.com

More information about the Ukfreebsd mailing list