Spyware on FreeBSD!?

Frank Shute frank at esperance-linux.co.uk
Tue Feb 8 10:16:20 PST 2005 

Bad news, looks like my machine has been infected with some Spyware.

I noticed that on surfing to: http://news.bbc.co.uk/ or anything under
that domain, I was getting some outgoing activity and Firefox was
after a URL (as shown by the status bar) somewhere under the domain: 

http://bbcnewscouk.112.2o7.net/

A quick Google on 2o7.net confirmed my worst fears: spyware!

and a 2o7.net cookie planted on my machine.

I cached some pages in my proxy <excerpt>:

http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455?purl=http%3A%2F%2Fnews.bbc.co.uk%2F&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D

http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455?purl=http://news.bbc.co.uk/&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D

Looks like some sort of perl script which returns a 2x2 gif, whilst
harvesting your browsing habits (and screen & windowsize - by calling
Javascript functions in Firefox?)

I wonder if they use different sub-domains to collect stats on
different sites. This particular variant seems to be only activated by
a visit to BBC news.

I had a grovel in the source of the BBC news homepage but found no
reference to 2o7.net (For a minute I thought the BBC had turned evil
on me!)

I'm going to do a little bit more investigation on it - I tried
removal by obliterating my Firefox profile but no joy. The only thing
I saved was my bookmarks file, which looks sound.

Spyware on a unix machine? Tell me it's not so! :(

BTW:

FreeBSD 4.11-PRERELEASE

firefox-1.0.r1,1

I know the latter has some vulnerabilities and I'll update it in due
course (and the OS).

I think I'm going to build Links/Lynx with SSL and use that for my
banking from now on (if I can).

Anybody aware of other reports of spyware infecting Unix machines?

Anyway, I'm gutted. I feel like I've been violated and humiliated. In
short, I feel like a Windows user does everyday!! 

The truth: I feel a bit pissed off but I urge people to take no action
against 2o7.net like DOS or cracking their webserver and trashing
it.....I'll do that myself ;)

-- 

 Frank 


print "f r a n k @ e s p e r a n c e - l i n u x . c o . u k" | sed 's/ //g'

                      --->PGP keyID: 0x10BD6F4B<---

More information about the freebsd-chat mailing list