Author Topic: Web Bug Blood-Hound  (Read 8820 times)

JakBeNymble

  • Sr. Member
  • ****
  • Posts: 308
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Web Bug Blood-Hound
« on: January 26, 2002, 02:23:09 AM »
Hi Proxomitron-ites,
                         I wanted to share this with all my Friends here on the FORUM. Some of you Probably are already aware of this program, but just in case. . This program works only with I.E.Browser,(probably 5 and above). Sorry.

     This little Browser plug-in looks like a little tiny bug that sits quitely right at the top of the Browser icon line. And it appears that it doesn't even consume hardly any resoures, if any at all. When you surf to a site, if there is even anything that remotely might be a web-bug, this little fellow starts flashing, partitions the page for security, and identifys the "suspected bug" and gives you a list of things why it looks like a Web-Bug. Now if you scroll down the page, there is the Program's icon flashing right over the bug on the page. It also gives you the Web-Bug's URL, link, or third-party cookie data line. So you can cut and paste the "nasty bug's URL" right to the text file list in ZX's "Kill all know web-bugs" Filter. Now the way I know I got the match right, is to re-set the Bug-Finder Program, and refresh the page, and if "The Little Fellow" sits quitely in the Browser, you know you got it right since your Browser is being filtered through PROXO.
 
     The name of the Browser plug-in, is "Bugnosis 1.0" and can be downloaded for FREE. I think this one is a "Keeper". It works really well with PROXO. To download it, just click on the link:
      0xD1.0x42.0x4EFB/details/html/6888shot.htm
I hope you have a Wonderful and Blessed Day MY FRIENDS!
Signed: "JaK"


 
 

JakBeNymble

  • Sr. Member
  • ****
  • Posts: 308
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Web Bug Blood-Hound
« Reply #1 on: January 26, 2002, 02:29:41 AM »
LOL! Sorry about the link, here try this one! http://0xd1.0x42.0x4efb/Details/HTML/6888.htm
"JaK"

 
 

JakBeNymble

  • Sr. Member
  • ****
  • Posts: 308
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Web Bug Blood-Hound
« Reply #2 on: February 01, 2002, 07:45:20 AM »
Hi Proxomitron-Users,
                    Since I've been using the "Bugnosis Bug Scanner", I've been going all over the Net and hunting and killing web-bugs. The one thing I did want to tell you, that if you do use "Bugnosis", in the "options" settings there is an "Up-date" to download all the new known web-bug files. Just like dat.files for Anti-Virus Programs. Now the thing is that when you "Update" the scanner, the Bugnosis.Org. is probably logging down who it is that is downloading the updates. Well, since the program is a browser plugin and not a client/server type software, you can use a proxy to download the Up-dates with. While I was Up-dating the Bug-Scanner, I poped-up the Log-Box on Proxo and the Up-dates where coming under the Proxy.

Here is a good web-site that endorses Bugnosis Bug Scanner, just in case you are interested. http://www.privacyfoundation.org/index.cfm. Try the "Resources" section on the home-page.

Well I hope that each and everyone of you have a wonderful day, MY FRIENDS! Safe Surfing.
Signed: "Jak"

 
 

JakBeNymble

  • Sr. Member
  • ****
  • Posts: 308
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Web Bug Blood-Hound
« Reply #3 on: February 01, 2002, 07:49:05 PM »
Heisann Proxo-Users,
                   I don't know why my Link-Discombobulator is not translating the links over. Sorry, about the link for Bugnosis not working. Here is where you can get it and check it out if you are interested. I think it's a great little program my-self. Here's the link:
http://www.bugnosis.org/
Have a Great week-end My Friends
Signed:(Gone Bobby-Fisher'ing)"Jak"

 
 

hpguru

  • Moderator
  • Sr. Member
  • *****
  • Posts: 257
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://lightning.prohosting.com/~hpguru/
    • Email
Web Bug Blood-Hound
« Reply #4 on: April 07, 2002, 02:00:00 AM »
I tried it but Bugnosis couldn't find any bugs because Prox was blocking them all.

 
Facing each other,
a thousand miles apart.

JakBeNymble

  • Sr. Member
  • ****
  • Posts: 308
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Web Bug Blood-Hound
« Reply #5 on: April 07, 2002, 06:38:09 PM »
Hi "Hpguru",
            Good to hear from you. I wanted to know what your "web-Bug"Filter arrangement looks like? I use two different one's for web-bugs, but when I use I.E. I usually find a few. Also, The Bugnosis has an Up-date for the new known web-bugs.    The more I up-dated, the more bugs I would fine. I would appreciate it if you would show the Filter or Filters that you are using.
Have A Wonderful & Blessed Day, MY FREIND!
"Jak"

 
 

hpguru

  • Moderator
  • Sr. Member
  • *****
  • Posts: 257
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://lightning.prohosting.com/~hpguru/
    • Email
Web Bug Blood-Hound
« Reply #6 on: April 07, 2002, 09:44:50 PM »
My webbug filter is just a modified version of (I think) the Zhen-Xjell "Block Web Bugs" filter. That filter played havoc with page layout at many different sites because it replaced the bugs with a gif image of a bug. Not all 1x1 images are webbugs. Some of them are used for page layout.

Anyway here is the filter.

 
Name = "Block Web Bugs - hp"
Active = TRUE
Bounds = "<img *>"
Limit = 512
Match = "1 src=w 2"
        "& (*height=("|)[#1-3])"
        "& (*width=("|)[#1-3])"
Replace = "1 src="http://Local.ptron/webbug.gif" height="1" width="1" 2"
 


I also used PSP to create a new 1x1x2 transparent webbug.gif. You can make your own or use mine.

http://lightning.prohosting.com/~hpguru/webbug.gif

Place the gif in your html folder.



Edited by - hpguru on 08 Apr 2002  02:17:42
Facing each other,
a thousand miles apart.

sidki3003

  • Sr. Member
  • ****
  • Posts: 476
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Web Bug Blood-Hound
« Reply #7 on: April 07, 2002, 10:17:10 PM »
This one takes care of layout images. The idea is from Mona:

Name = "Webbug Filter"
Active = TRUE
Bounds = "<(im(g|age)|input)s*>"
Limit = 2048
Match = "<(im(g|age)|input)*"
        "src=($AV((\"|)http(s|)(%3A|:)(%2F|/)(%2F|/)(^h)*))1*>"
        "&(*height=$AV((\"|)[#0-4](\"|)))"
        "&(*width=$AV((\"|)[#0-4](\"|)))"
Replace = "<a href=1><img src="http://Local.ptron/webbug.gif" "
          "border="0" width="1" height="1"></a>
"


 
 

hpguru

  • Moderator
  • Sr. Member
  • *****
  • Posts: 257
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://lightning.prohosting.com/~hpguru/
    • Email
Web Bug Blood-Hound
« Reply #8 on: April 08, 2002, 01:17:04 AM »
Actually Mona's filter misses some bugs. I just tried it at

http://www.cnn.com/

which has the following web bug.


<img src="/cookie.crumb" alt="" width="1" height="1">


Mona's filter didn't match this one and it is positively a web bug.



 
Facing each other,
a thousand miles apart.

sidki3003

  • Sr. Member
  • ****
  • Posts: 476
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Web Bug Blood-Hound
« Reply #9 on: April 08, 2002, 01:31:53 AM »
Yes, the filter is based on the assumption, that the image is located on a different site.


 
 

hpguru

  • Moderator
  • Sr. Member
  • *****
  • Posts: 257
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://lightning.prohosting.com/~hpguru/
    • Email
Web Bug Blood-Hound
« Reply #10 on: April 08, 2002, 02:23:58 AM »
I would think that in most cases a good ad image blocking filter together with a good blockfile would zap the off-site bugs.

I prefer the "kill 'em all and let God sort 'em out" approach. I've never noticed any ill effects from blocking all suspected bugs.

 
Facing each other,
a thousand miles apart.

sidki3003

  • Sr. Member
  • ****
  • Posts: 476
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Web Bug Blood-Hound
« Reply #11 on: April 08, 2002, 03:16:21 AM »
This, of course, is a matter of taste. I try to avoid the big gun.
Shure there are lots of annoyances that should be filtered out.
And this cookie.crumb of cnn.com is one of these.
But a web bug usually (cause there are exceptions) has to meet three criteria.
Small size, being an offsite image, and transporting meta data (bug.gif?myemail@mypop3).


 
 

hpguru

  • Moderator
  • Sr. Member
  • *****
  • Posts: 257
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://lightning.prohosting.com/~hpguru/
    • Email
Web Bug Blood-Hound
« Reply #12 on: April 08, 2002, 05:28:30 AM »
Here is a slightly improved filter.


Name = "Block Web Bugs - hp2"
Active = TRUE
Bounds = "<img *>"
Limit = 512
Match = "*src=w*"
        "& (*(height=("|)[#1-4])1)"
        "& (*(width=("|)[#1-4])2)"
Replace = "<img src="http://Local.ptron/wbani.gif" 1 2 alt="Web Bug">"



As for data theft or the transport of meta data as you said, I have another filter that is designed to stop certain personal info from leaving my pc via http. It isn't finished and so it still needs some work but since you mentioned it I decided to post it early.

The filter is a Header filter and uses a couple of lists and a redirect to an html document (the part that needs work) to give me a visual warning. I wrote this filter after an application I was evaluating tried (successfully) to force registration by sending my name, email address and Registered Organization to its maker via my default browser.

Here is the filter.


In = FALSE
Out = TRUE
Key = "URL-Killer: Personal Info Protector (Out) - hp"
URL = "((*$LST(Personal))&(^$LST(PIExceptions)))&$RDIR(http://Local.ptron/datatheft.html)"



The "Personal" List contains a list of keywords such as your name, spouses name, kids names, email/physical address(es), phone numbers and so on. The "PIExceptions" List contains the names of hosts you may need to send the data to.

Of course some will say you shouldn't keep personal info on your pc and while that is true in many cases. it may not be possible for everyone. Those of you who are familiar with me know I'm a big proponent of data encryption. I encrypt almost everything that can be encrypted, but in the example I gave above the stolen data was grabbed from the Registry. I can change the info in the registry but I'd rather not. If my pc is ever stolen I want my name in it. I could go direcly to the Hotmail site to check my account but I'm lazy and would rather use OE. :)

So that's the reason for the filter and it does work so long as the swiped data isn't hashed or encoded in any way. Maybe some of you guys N gals can think of a better method of notification than what I've used.

You can download the files needed here
http://hpguru.bravepages.com/files/personal.zip

I also threw in a new killed.html file. Looks better than a blank page.

Edited by - hpguru on 08 Apr 2002  07:03:50

Edited by - hpguru on 08 Apr 2002  21:47:35
Facing each other,
a thousand miles apart.

sidki3003

  • Sr. Member
  • ****
  • Posts: 476
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Web Bug Blood-Hound
« Reply #13 on: April 08, 2002, 02:47:52 PM »
This redirect filter is actually a nice Idea. Usually i would let my firewall take care about phoning-home-apps. But sometimes these apps refuse to work if they can't connect. I had two such programs and redirected them via proxo to a local page. It was OK for one program. But the other, an IE Manager called "Switch!" that i liked a lot, stopped working ever since

Concerning encryption, there are situations where your TCP app (e.g. tray POP checker) doesn't speak SSL, but the remote server (e.g. pop3 server) does. Did you hear about Stunnel (www.stunnel.org)? It can translate in such situations.

A last word to those web bugs. Transferring your email address is of course an exception. As you know, those meta data usually look like this:
IMG SRC="http://ad.doubleclick.net/activity;src=719799;type=bount034;cat=homep809;ord=1?" WIDTH=1 HEIGHT=1 BORDER=0

I know i got a bit off-topic


 
 

JakBeNymble

  • Sr. Member
  • ****
  • Posts: 308
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Web Bug Blood-Hound
« Reply #14 on: April 08, 2002, 05:37:41 PM »
Hi "Guys",
         What's Up? I'm glad to see this Web-bug issue taken to a newer, higher level. I'm trying the Filter Arrangements, but I haven't had time to check out some of the sites that I kept getting Web-Bug Alerts yet, but I plan to after I do some maintance work on my machine. Thanks for all the input on the Web-bug situation.

Ever since I had (by accident) found a nice sneaky nasty little "trogan" on my beloved Machine awhile back, I started using my 'host.file' for blocking instead of just resolving URL/IP for faster surfing. General Fire-Wall rules didn't catch it, it "Hides" when looking for what programs are running, and starts back when you close "what's Running" down. It only runs for about 4 minutes right after Boot-up, and usually by that time, I'm dialed-up. *Nasty Little Beasty* it is. After I discovered it, I found the port and the site (E.T. was phoning Home to), and I banned the IP on the Fire-Wall, wrote better Rules, Resovled it to local machine address, and put Url in Proxo's Url Kill file. Proxo can stop browsers from connecting, but Hosts file will stop any program from connecting. And of course a Fire-Wall, no matter how High tech and powerful it might be, is useless without Good "Rules".

  On the FORUM there is lists for host.file entries to be added, and extracted to be used. However, unless it has changed, it is only available for use to those that "Add" to it. I have found some lists that I want to Add, but it's in a different format. As soon as I convert it, I'm going to add it and some of my own entries. And you better believe that "%@$#=@*&X%^%-Trogran-Writing Site" WILL BE ON IT!
Well, you Live & you Learn.
Have A Great and Wonderful Day, MY FRIENDS!
"Jak"




Edited by - JakBeNymble on 08 Apr 2002  19:04:15