[Dshield] ad.uk.tangozebra

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Thu Aug 1 16:15:11 GMT 2002


Keith, et al.

Please find my comment inline ([<psj>] below). Please also take notice
that apparently we both lack my latest post of last night, which I hence
forwarded to you and list at dshield.org today.
 
Take Care,
Peter
-----


| -----Original Message-----
| From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf Of Keith Gainford
| Sent: Wednesday, July 31, 2002 11:14 PM
| To: Dshield
| Subject: Re: [Dshield] ad.uk.tangozebra
| 
| Peter,
| 
| Answers posted below your questions, many thanks for your thoughts they are
| very much appreciated.
| 
| 
| 
| ----- Original Message -----
| From: "Peter Stendahl-Juvonen" <peter.stendahl-juvonen at welho.com>
| To: "Dshield General DShield Discussion List" <list at dshield.org>
| Sent: Wednesday, July 31, 2002 4:32 PM
| Subject: FW: [Dshield] ad.uk.tangozebra
| 
| 
| > Keith, et al.
| >
| > 1) Regarding your and my previous posts (below) please take notice
| > that you have to have "ad.uk.tangozebra" (and the respective IP address)
| > changed to Internet zone (or at least removed from blocked zone) in your
| > firewall first in order to be able to see the possible Web site cookies
| > pointing at that DNS or IP address.
| > 2) Please also block cookies (at least those pointing at
| > "ad.uk.tangozebra") in your browser. That way IE will show you the
| > existence of the cookies. (And you will see the details by double
| > clicking the symbol for "Security Report" [or whatever it is called in
| > the English language version of IE] at the bottom frame of IE window),
| > there you should see reference to http://ad.uk.tangozebra/....
| >
| > Best Regards,
| > Peter
| > -----
| >
| >
| > | -----Original Message-----
| > | From: Peter Stendahl-Juvonen [mailto:peter.stendahl-juvonen at welho.com]
| > | Sent: Wednesday, July 31, 2002 6:16 PM
| > | To: 'list at dshield.org'
| > | Subject: RE: [Dshield] ad.uk.tangozebra
| > |
| > | Keith, et al.
| > |
| > | Could you please check if the following could be the cause or rather
| > | explanation of the phenomenon you're encountering.
| > |
| > | 1) On the page where your browser takes you when you launch it are
| > | there Web site cookies that point at "ad.uk.tangozebra"?
| > |
|     My home page is btopenworld.com, there doesn't appear to be any banners
| or adverts for "ad.uk.tangozebra". I have also checked all my cookies and
| have nothing pointing at "tangozebra".

[<psj>] Checked btopenworld.com myself, but the challenge is that the
home page is possibly custom built for you as their user - so it may be
displayed differently to me as a "more outsider". As far as I see the
page, it's clean in Web Bug aspect. At some pages they have a cookie
admanager.btopenworld.com/jserver/... do you allow this cookie in IE or
not? < < < < <

| > | 2) If so, then by having "ad.uk.tangozebra" in the restricted or
| > | blocked zone you ask your firewall not to allow connections to that
| > | address. Hence your browser blocks IE from connecting to that
| > | particular DNS or IP address.
| 
|    In view of my reply above, this would not apply?.
|

 [<psj>] How about in view of my other reply (CCed) to you today or any
new thoughts caught by you?

| 
| > | 3) Because of the "ad.uk.tangozebra hit ZAPro numerous times with
| > | scans which ZA rejected. In view of the number of scans I put the
| > | entire ISP space (Intellispace Inc) into ZA blocked zone."
| > | in your original post "adware" might have been the number one suspect.
| > | Now I would say it was coincidence or just indirectly related to the issue.
| 
| 
|   In view of the massive number of probes, I typed the DNS address into IE.
| This returned a "Page could not be displayed" message. Is it possible that
| some form of connection could have been made, resulting in a very quick
| download of something nasty?.
| 

[<psj>] What you achieved by typing the DNS address into IE is that an
HTTP connection to TangoZebra's ad server's port 80 was attempted, but
since your IP address (directly or alone, not thru a qualified Web site)
does not qualify for connections to the server, the connection was
rejected. That's all. In my opinion nothing to worry about took place
(in light of your description of what happened).

| 
| 
| > | 4) With the information you gave in your latest post (below) I would
| > | suggest the explanation for the phenomenon is as described in point (2)
| > | (above) providing your answer is "Yes" for point (1).
| > |
| > |
| 
|    As you can see my answer to point (1) is negative.
| 

[<psj>] In order to experience the ad.uk.tangozebra phenomenon what do
you have to do? Does it occur regularly or intermittently?

| 
| 
| > | 5) If the deduction would prove to be true, then there is in my
| > | opinion nothing to worry about and you can remove "ad.uk.tangozebra"
| > | from the blocked zone. Or change "ad.uk.tangozebra" to Internet zone
| > | giving the same effect and having an option to block it quickly again
| > | if it would be required for some reason (which is unlikely in my opinion).
| > |
| 
|    Is it of any importance that all the outgoing attempts are only on port
| (80) http

[<psj>] Please see also above. My guesstimate is that they are http
connections to tangozebra's adserver (point of control for the ads).
These connections are allowed or disallowed by the control mechanism of
these javascript ads. When launched from qualified sites with their
banner ads the connection is allowed in order to steer and customise the
ad experience. If connection is attempted without approval it will be
rejected as you have testified.

| 
| 
| 
| > | 6) Would be happy to know your final conclusion. Thanks in advance and
| > | good luck.
| > |
| 
|    Thanks Peter, if I get to the bottom of it I will post.
| 
| 
| > | Best Wishes,
| > | Peter
| > | -----
| > |
| > |      "Everything must be taken seriously, nothing dramatically."
| > |       Louis Adolphe Thiers (1797-1877); French statesman, historian
| > |
| > |
| > | | -----Original Message-----
| > | | From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf Of Keith Gainford
| > | | Sent: Wednesday, July 31, 2002 2:24 PM
| > | | To: Dshield
| > | | Subject: [Dshield] ad.uk.tangozebra
| > | |
| > | | Well I've tried all suggestions without success. Even spybotS&D couldn't
| > | | find anything. A search of the Registry doesn't show any obvious spyware so
| > | | I'm stumped. Any more ideas?.
| > | |
| > | |
| > | | Keith G
| > | |