Oct 6th, 2008, 10:27pm
   Mischel Internet Security Forum
   Internet Security
   News
(Moderators: Helena, Gavin_Coe, Magnus)
   Is it a Super-Cookie or a Commercial Trojan?
Jamming
Remember when a Trojan was just for protection.
Is it a Super-Cookie or a Commercial Trojan?
« on: May 13th, 2002, 8:50pm »

Shocked
http://www.scottish-enterprise.com/businessstart/academics/pocf/latest/commtech02/?PageId=600083
 
Makes me wonder if there is a whole new Anti Super Cookie Program Project, that needs to be contemplated.
 
Jamming
« Last Edit: May 13th, 2002, 8:50pm by Jamming »

Team Z Member

Servare cives, major est virtus patriae patri.
- Lucius Annaeus Seneca
I was born an American; I live an American; I shall die an American!
- Daniel Webster
Jamming
Re: Is it a Super-Cookie or a Commercial Trojan?
« Reply #1 on: May 17th, 2002, 2:12am »

http://www.scottish-enterprise.com/businessstart/academics/pocf/latest/commtech02/?PageId=600083

Trying to Fix link so it works. Embarrassed

Ian
Good things come to those who wait ...
Re: Is it a Super-Cookie or a Commercial Trojan?
« Reply #2 on: May 17th, 2002, 6:22pm »

Quote:
Makes me wonder if there is a whole new Anti Super Cookie Program Project, that needs to be contemplated.

Reminds me of the thing with MS MP7 (back over in GRC there are lots of threads from back in January about this). The dodgy thing about these 'super-cookies' is they're not really cookies in the normal sense, but GUIDs stored in some form on your PC.
 
The ugly thing about this is that they survive regular cleaning. The MP7 one was even hard-coded into one of the ActiveX files it used (msdxm.ocx) - version 1 was around 2Mb but was replaced last Nov with an update that copied a much smaller file of only 800Kb. That's obviously 'small' when compared to most of M$'s support files... Both files contained the MP GUID encoded into each. It even partially survives the 'check this box to prevent MP identifying your PC' option in MP, which simply blanks part of the GUID (it can still narrow you down to about 1 in 100,000 people, which will do for most users, but data-mining of user habits etc can refine this).
 
Any 'Super-Cookie' hunter will definitely have to be aware of all the different possible ways these things work. They will no doubt be harder to spot (anyone up for a spot of hex-editing? Huh) and removal may prove tricky if different versions of the same file exist (like MP's OCX trick).

... but crap arrives pretty much straight away.
Jamming
Re: Is it a Super-Cookie or a Commercial Trojan?
« Reply #3 on: May 18th, 2002, 1:08am »

So what you're saying is they are using operating system files to map the places you visit?  Like in the Cookie.dat file, so you would need to store a fresh copy of the file somewhere that would be used when the OS is booted?  That might be possible if you are able to create something at start-up before that file is initialized.

Ian
Re: Is it a Super-Cookie or a Commercial Trojan?
« Reply #4 on: May 18th, 2002, 11:44am »

Well, MS were, at any rate. The difference is that most versions of index.dat, for example, will be recreated brand-new, blank and ready to go if they're deleted.
 
I used Raihan Kibria's Free Hex Editor to look through msdxm.ocx - in the 'smaller' version, the MP GUID, as reported at http://computerbytesman.com/privacy/supercookiedemo.htm, was coded in at about 15% or so through the file. I did a search based on this GUID and the one stored in the Registry (which was different... sneaky or what?). Registry entries are
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General  > {[stringvalue "UniqueID"]}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Settings
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings
 
Since these are per user, WinNT users will have copies in each user profile, for example
HKEY_USERS\S-1-5-21-1801674531-1580436667-842925246-1000\Software\Microsoft\MediaPlayer\Player\Settings,
where the code between USERS\ and \Software is the unique user code.
 
FrHEd is available at http://www.kibria.de/frhed.html
« Last Edit: May 18th, 2002, 11:47am by Ian »
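
The hex-editor search described in the post above, as an added Python example that is not part of the original post or of any tool named in the thread: it lists every GUID-shaped string in a file's bytes and locates one known GUID (such as a value read from the Registry) in its text and raw 16-byte forms, reporting how far through the file each hit sits. The function names, the sample bytes and both GUIDs are constructed for illustration.

```python
import re
import uuid

TEXT_GUID = re.compile(r"\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?")
ASCII_GUID = re.compile(TEXT_GUID.pattern.encode())
# Runs of GUID characters each followed by NUL: candidate UTF-16LE strings.
UTF16_RUN = re.compile(rb"(?:[0-9A-Fa-f{}\-]\x00){36,}")

def percent(offset: int, size: int) -> float:
    """Position of an offset as a percentage of the way through the file."""
    return round(100.0 * offset / size, 1)

def find_text_guids(data: bytes):
    """Find every GUID-shaped string, whatever its value (ASCII or UTF-16LE)."""
    hits = [(m.start(), "ascii", m.group().decode()) for m in ASCII_GUID.finditer(data)]
    for run in UTF16_RUN.finditer(data):
        text = run.group().decode("utf-16-le")
        for m in TEXT_GUID.finditer(text):
            hits.append((run.start() + 2 * m.start(), "utf-16le", m.group()))
    return sorted(hits)

def find_known_guid(data: bytes, guid: str):
    """Find one known GUID (e.g. a value read from the Registry) in any encoding."""
    u = uuid.UUID(guid)
    text = str(u)
    needles = {}
    for label, s in (("lower", text), ("upper", text.upper())):
        needles["ascii-" + label] = s.encode("ascii")
        needles["utf-16le-" + label] = s.encode("utf-16-le")
    needles["raw-le"] = u.bytes_le   # in-memory layout of a Windows GUID struct
    needles["raw-be"] = u.bytes      # plain big-endian byte order
    hits = []
    for label, needle in needles.items():
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, label))
            pos = data.find(needle, pos + 1)
    return sorted(hits)

# Constructed sample: not msdxm.ocx, and neither GUID is a real identifier.
KNOWN = "{01234567-89ab-cdef-0123-456789abcdef}"
OTHER = "{FEDCBA98-7654-3210-FEDC-BA9876543210}"
SAMPLE = (b"\x90" * 150 + uuid.UUID(KNOWN).bytes_le + b"\x90" * 334
          + OTHER.encode("utf-16-le") + b"\x90" * 424)

if __name__ == "__main__":
    for off, enc, g in find_text_guids(SAMPLE):
        print(f"{off:#06x} {percent(off, len(SAMPLE))}% {enc} {g}")
    print(find_known_guid(SAMPLE, KNOWN))
```

Searching by value alone misses an identifier that differs from the Registry copy, which is why the pattern scan and the known-value scan are run side by side.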
Jamming
Re: Is it a Super-Cookie or a Commercial Trojan?
« Reply #5 on: May 19th, 2002, 1:36am »

Check my private message to you.
 
So they could name them anything and have them installed upon your machine, then modified when they darn well felt like it.  In the future it will be easier just to allow only certain file types to access, rather than trying to write exclusive rules.  Thank heaven for Proxomitron, Trojan Hunter, and NAV and the most restrictive host file known to man.  Grin

Ian
Re: Is it a Super-Cookie or a Commercial Trojan?
« Reply #6 on: May 19th, 2002, 5:46pm »

Got the message - you should have the file by now  Grin
 
Hosts files are pretty simple to set up - I use Hostess (Ray Marron - http://accs-net.com/hostess/ ) since it does the job of keeping the Host file in order, plus Steve Martin's 'big list' of hosts (http://www.smartin-designs.com/ ), and one or two tips from Gorilla's page (http://www.accs-net.com/hosts - but it gets busy - a good resource if you need to play about with hosts on NT).
 
I find Host file stuff doesn't work everywhere, so have arranged DNSKong and eDexter for my school - the nice guys at Pyrenean worked out a deal based on the US federal govt's CIPA that let my place (in UK) benefit from the same tax-break deal they offer US schools. They are at http://www.pyrenean.com/

Jamming
Re: Is it a Super-Cookie or a Commercial Trojan?
« Reply #7 on: May 22nd, 2002, 5:40am »

That's really great Ian and thanks for the advice, I use ie-spyad host file which is based upon Steve Martin's.  I am also a Proxomitron User with Zhen-Xjell's latest filters, I am thinking once I know what is being looked for I would talk to ZX about setting up a filter to prevent access to those files.
    
« Last Edit: May 22nd, 2002, 5:41am by Jamming »
Ian
Re: Is it a Super-Cookie or a Commercial Trojan?
« Reply #8 on: May 22nd, 2002, 6:23pm »

I have ie-spyad here too, but haven't tried it properly. I like the idea of linking it to the Restricted Zones in MSIE (sorry to all those Netscape and Opera users, but it is only IE) ((On second thoughts, this is IE we're talking about - pity the poor user... Grin)) According to the write-up, a user just turns everything 'off' in Restricted Zones (like it should be anyway) and even the pop-up or -under ads fail to open! Cool (Unlike Hosts files, for example.)
 
This makes the Registry even bigger, though. Also isn't adding extra sites laborious, or do they provide regular updates based on the newer versions of Steve's list? Hostess can export a .REG file version of the current hosts database, so that's a way around it.
« Last Edit: May 22nd, 2002, 6:24pm by Ian »
Jamming
Re: Is it a Super-Cookie or a Commercial Trojan?
« Reply #9 on: May 23rd, 2002, 5:25am »

Regular updates are announced on DSLReports in the Security Forum for ie-spyad, I have my restricted zone set to full control and I only have one or two differences in my internet zone, really I only allow things to function normally in the trusted zone.  I think that eburger, who does ie-spyad, has an email announcement service on updates.  Updates are usually one hour to one day behind Steve's Update.