HackFest Series: LivePerson IAD Tracking Cookies

Lisa Kachold lisakachold at obnosis.com
Tue May 12 20:52:40 MST 2009


Problem:  Reading email, browsing, and other regular use of a browser could
possibly infect one with something as insidious as LivePerson cookies.

For anyone who hasn't worked for a remote hoster, LivePerson cookies are
installed either as a legitimate process, allowing remote desktop keylogging
and access; or as a virus trojan.  Watching a TCPDUMP one will see cookies
kicking off and reporting various things back home.

The HOME is always in the cookie, but might be misleading.  Check out your
LivePerson cookies to see where your keylogger or tracking cookie
originated.

Some people report RDP and mouse-type controlling behavior from these
cookies until the cookies are removed (simple in Firefox: just delete the
cookie file).

Solution: Create an exclusion List.
<http://www.gozer.org/>

In newer versions of Mozilla <http://www.mozilla.org/> (and Firefox
<http://www.mozilla.org/products/firefox/>), cookperm.txt is deprecated in
favor of hostperm.1 (http://bugzilla.mozilla.org/show_bug.cgi?id=219752).

http://bugzilla.mozilla.org/show_bug.cgi?id=219752#c4
This patch creates a new file, named "hostperm.1". The format is:

host \t cookie \t 1 \t www.mozilla.org

so:

host    image   2       ads2.clearchannel.com
host    image   2       jinisearch.co.uk
host    image   2       oas.villagevoice.com
host    image   2       aaddzz.com

... and so on

cookperm.txt is probably the same way, but hostperm.1 is very sensitive to
the delimiter (single tab only) and is stored in the same place as
cookperm.txt (http://kb.mozillazine.org/index.phtml?title=Profile_Folder).

The list of ad servers is now available in the new hostperm.1 format:
<http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hostperm.1>

If you would like to build a LivePerson cookie for tracking, check this out:



-- 
www.obnosis.com (503)754-4452
"Contradictions do not exist." A. Rand
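
The post notes that hostperm.1 accepts a single tab only between fields. The following is an added example, not part of the original post or of Mozilla's code: a small checker that flags entries whose four fields (host, type, number, host name, as quoted from the bug report) are not separated by exactly one tab, and rejoins them. The sample input is constructed, and skipping '#' lines and the loose host name pattern are assumptions of this example.

```python
import re

# Loose hostname pattern: an assumption for this example, not Mozilla's parser.
HOSTNAME = re.compile(r"^[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*$")

# Constructed sample using hosts from the post; lines 2-4 are broken on purpose.
SAMPLE = (
    "host\timage\t2\tads2.clearchannel.com\n"
    "host    image   2       jinisearch.co.uk\n"
    "host\t\timage\t2\toas.villagevoice.com\n"
    "host\timage\ttwo\taaddzz.com\n"
)


def check_line(line):
    """Return None for a well-formed entry, otherwise a description of the problem."""
    fields = line.split("\t")
    if len(fields) != 4 or any(f == "" or f != f.strip() for f in fields):
        return "expected four fields separated by exactly one tab each"
    keyword, _perm_type, value, host = fields
    if keyword != "host":
        return "first field must be the literal word 'host'"
    if not value.isdigit():
        return "permission value is not a number"
    if not HOSTNAME.match(host):
        return "last field does not look like a host name"
    return None


def lint(text):
    """Return (line_number, problem) per bad entry; blanks and '#' lines are skipped (assumed)."""
    problems = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        problem = check_line(line)
        if problem:
            problems.append((number, problem))
    return problems


def repair(text):
    """Rejoin entries that have four whitespace-separated fields with single tabs."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        fixable = len(fields) == 4 and not line.startswith("#")
        out.append("\t".join(fields) if fixable else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for number, problem in lint(SAMPLE):
        print(f"line {number}: {problem}")
```

Run lint() on a copy of the file before placing it in the profile folder; repair() fixes only the delimiter, so an entry with a bad value is still reported afterwards.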