Spyware on FreeBSD!?

Mark Ovens marko at freebsd.org
Tue Feb 8 10:41:38 PST 2005


Frank Shute wrote:
> Bad news, looks like my machine has been infected with some Spyware.
> 
> I noticed that on surfing to: http://news.bbc.co.uk/ or anything under
> that domain, I was getting some outgoing activity and Firefox was
> after a URL (as shown by the status bar) somewhere under the domain: 
> 
> http://bbcnewscouk.112.2o7.net/
> 
> A quick Google on 2o7.net confirmed my worst fears: spyware!
> 
> and a 2o7.net cookie planted on my machine.
> 
> I cached some pages in my proxy <excerpt>:
> 
> http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455?purl=http%3A%2F%2Fnews.bbc.co.uk%2F&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D
> 
> http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455?purl=http://news.bbc.co.uk/&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D
> 
> Looks like some sort of Perl script which returns a 2x2 gif, whilst
> harvesting your browsing habits (and screen & window size - by calling
> JavaScript functions in Firefox?)
> 

% whois 2o7.net

[....]

Registrant:
Omniture, Inc. (2O41-DOM)
    550 East Timpanogos Cir
    Building G
    Orem, UT 84097
    US

From BBC's Privacy and Cookies Policy (there's a link at the bottom of 
the main page) http://www.bbc.co.uk/privacy/

2. Visitor Information

[....]

"The BBC also uses a company called Omniture to track and analyse 
non-personally identifiable usage and statistical information about 
volume of visitors to the BBC News pages on bbc.co.uk in order to 
measure the effectiveness of the BBC News web pages and improve services 
to users. Please note that this is not personal information, only 
general summaries of the activities of visitors to bbc.co.uk. If you 
wish to reject the Omniture cookies, you can use the process set out 
below in point 7. Further information regarding Omniture's privacy 
statement can be found at http://www.omniture.com/policy.html#cookies."

Blocking the cookies does not stop the site working.

Regards,

Mark
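
Added example, not part of the original messages: a Python script that takes the proxy excerpt quoted above, picks out requests to the tracker domain and decodes what each beacon URL discloses about the browser. The field labels are assumptions inferred from the values in the post, and the names in_domain, decode_beacon and tracker_hits are chosen here for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Proxy excerpt: the first beacon URL quoted in the post, plus the page itself.
SAMPLE_LOG = [
    "http://news.bbc.co.uk/",
    "http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455"
    "?purl=http%3A%2F%2Fnews.bbc.co.uk%2F&pccr=true&%5BAQB%5D&ndh=1"
    "&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page"
    "&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y"
    "&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D",
]

# Assumed meanings, inferred from the values in the post, not from vendor docs.
LABELS = {
    "g": "page URL", "pageName": "page title", "t": "client timestamp",
    "s": "screen resolution", "bw": "window width", "bh": "window height",
    "p": "plugins",
}

def in_domain(host, domain):
    """True for the domain itself or any subdomain (not for 'evil2o7.net')."""
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)

def decode_beacon(url):
    """Split a beacon URL into the fields we can label and the rest."""
    parts = urlsplit(url)
    # keep_blank_values keeps bare markers such as [AQB] that carry no '='.
    params = parse_qs(parts.query, keep_blank_values=True)
    disclosed = {LABELS[k]: v[0] for k, v in params.items() if k in LABELS}
    unlabelled = sorted(k for k in params if k not in LABELS)
    return {"host": parts.hostname, "disclosed": disclosed, "unlabelled": unlabelled}

def tracker_hits(urls, domain="2o7.net"):
    """Decode every logged request that went to the watched tracker domain."""
    return [decode_beacon(u) for u in urls if in_domain(urlsplit(u).hostname, domain)]

if __name__ == "__main__":
    for hit in tracker_hits(SAMPLE_LOG):
        print(hit["host"])
        for name, value in hit["disclosed"].items():
            print(f"  {name}: {value}")
        print("  other parameters:", ", ".join(hit["unlabelled"]))
```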


