
What site is this "http://a.oix.net/"? Is it a virus?


Lote


Ever since the Velox technician came to my house to fix a problem with the internet speed (in practice it did not improve anything), almost every time, before the home page "http://www.google.com.br/" loads, a very strange address appears that starts like this: http://a.oix.net/, but it is gigantic and there is never time to copy it. I am afraid it is a keylogger or something of that kind.

Would anyone be able to tell me what this is?

Note: My provider is not Oi/Velox.

_________________________________

Intel Core 2 Duo T8100 processor

HD 250Gb

RAM 3Gb

Wireless 4965 agn


Hello, Lote.

My apologies for responding in English. I am English.

What you are seeing is the Phorm 'Navegador' system in operation. http://a.oix.net is a domain registered to Phorm,

; <<>> DiG 9.7.0-P1 <<>> a.oix.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10355
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;a.oix.net. IN A

;; ANSWER SECTION:
a.oix.net. 3600 IN A 91.205.220.40

;; AUTHORITY SECTION:
oix.net. 3600 IN NS ns1.phorm.com.
oix.net. 3600 IN NS ns2.phorm.com.
oix.net. 3600 IN NS ns3.phorm.com.

http://revistaepoca.globo.com/Revista/Epoca/0,,ERT145587-15224-145587-3934,00.html

This may be important.

May I ask if you are using Telefonica SPEEDY?

Whilst Oi were the first to start testing Phorm's system on Velox customers Telefonica are starting to test it on SPEEDY customers.

If you are not with Oi or Telefonica can you tell me who your service provider is?

Do you share your computer with anyone else? If so it is possible that they have 'switched' this on without you knowing about it.

Can you look at what cookies have been placed on your computer? You may find one named Navegador and one named Oix. Those names may not be the full ones. If you do see them can you note down their details and take screenshots of them.

Also if you are using Firefox can you install the 'Live HTTP Headers' plugin from,

https://addons.mozilla.org/en-US/firefox/addon/3829/

and use it to record part of a browsing session?

I'm sorry for all the questions but it would be very helpful if you could answer them and try out the other suggestions. This is not a virus on your computer so anti-virus software will not help you.

If anyone else has seen similar then could they investigate as well and reply to this thread.

Thank you very much

Keith

Here are pictures of what you may see. This is for Oi Navegador,

aoixfail.png

oix191210aa.png
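
An added example (not part of the post above and not Phorm or Oi code): one way to check a recorded header session, such as the one requested above, for a request that leaves the site you asked for, bounces through another host such as a.oix.net, and then comes back. The capture is constructed and simplified; its paths and the example.org hosts are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed capture (simplified request/response pairs, not real traffic).
# The paths and the example.org hosts are made up for illustration.
SAMPLE_CAPTURE = """\
GET http://www.google.com.br/
HTTP/1.1 307 Temporary Redirect
Location: http://a.oix.net/placeholder?next=http://www.google.com.br/

GET http://a.oix.net/placeholder?next=http://www.google.com.br/
HTTP/1.1 307 Temporary Redirect
Location: http://www.google.com.br/

GET http://www.google.com.br/
HTTP/1.1 200 OK

GET http://example.org/
HTTP/1.1 301 Moved Permanently
Location: http://www.example.org/

GET http://www.example.org/
HTTP/1.1 200 OK
"""

def parse_exchanges(capture):
    """Return (request_url, status) for each GET line followed by a status line."""
    pattern = re.compile(r"^GET (\S+)\nHTTP/\S+ (\d{3})", re.M)
    return [(url, int(code)) for url, code in pattern.findall(capture)]

def detours(capture):
    """Return (wanted_host, [other hosts]) for chains that leave a host and come back."""
    found, start, seen = [], None, []
    for url, status in parse_exchanges(capture):
        host = urlsplit(url).hostname
        start = start or host              # first request of a new chain
        if host != start and host not in seen:
            seen.append(host)
        if status not in (301, 302, 303, 307, 308):   # chain ends here
            if seen and host == start:     # left the wanted host and returned
                found.append((start, seen))
            start, seen = None, []
    return found
```

An ordinary redirect that ends on a different host (example.org to www.example.org in the sample) is not reported; only a round trip through a third host is.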


Hi, MarcMira. Thank you for your reply and Merry Christmas as well.

There is another example here,

http://br.answers.yahoo.com/question/index?qid=20101216110939AA3GXYZ

Where the user's browser kept on freezing on the http://a.oix.net/services connection. I have seen this on some occasions myself. In order to see the sites I have had to use proxies based on the TNL-PCS network because the system seems to check by network and IP address. I have also had to determine other page names to go deeper. Usually it will say the service is not available in my region recently though going to,

http://navegador.oi.com.br

brings up the 'Experimente' page with this notice at the bottom,

statement.png

The danger being that if you visit this page and do not read carefully then you will unknowingly opt yourself into using the system. The page itself looks like this,

mypagesm.png

This is what Phorm call their 'Personalised Internet' which they offer to get people to opt-in to their system. It is not exactly a fair exchange or something that would be useful. All it is doing is presenting public RSS feeds taken from,

http://d.oix.net

For example,

clubedo.png

I do not know what this site owner's policy might be on having their RSS feeds used in this manner. Effectively Phorm are using them, and others, for their own commercial gain. Something I would consider to be theft if they do not have permission to do so.

What I have seen when clicking on the link in the notice is that whilst it suggests the 'target address' is,

http://navegador.oi.com.br/status.php

it goes via and sometimes hangs on,

http://a.oix.net/services/OO?op=status
&opted_in_url=http://navegador.oi.com.br/status/desativado_na_sua_casa.html
&opted_out_url=http://navegador.oi.com.br/status/desativado_na_sua_casa.html
&opt_undef_url=http://navegador.oi.com.br/status/nao_disponivel.html
&tok=o6In-3wRY1uRxjH0hiCW4gAG

This is the system supposedly checking on whether you are opted-in or opted-out. You will notice that the above URL is structured to always tell you that the system is not active or not available. Even if you are opted-in then you will be told you are not. It is a deception. Another indication of such deception is here,

http://notazero.com.br/2010/11/11/veja-como-a-pgina-do-oi-navegador-e-fuja-dele-como-o-diabo-da-cruz/

If you opt-in by accident or otherwise it will be very difficult to tell but this suits Phorm because they need this to profit from monitoring your browsing.

Elio Gaspari calls it a 'cheat'.

Oi cheats in the way it offers "Navegador". The person switches on the machine, starts Velox and sees a screen that presents the "convenience" (compared to what?). Fair dealing would recommend that the company mention, from the outset, the tracking function of "Navegador".

Up to that point, they are manipulating the communication. In the next move, they resort to a trick to capture customers. When the "Navegador" screen appears, the treat is offered with the notice that it "is already active". The "Navegador" screen lets the consumer deactivate the tool, but that is not how it is done. A person cannot be obliged to deactivate something they did not request.

Lote said they were not a customer of Oi/Velox but yes I see from their profile they are based in Rio de Janeiro so maybe they are on the TNL-PCS/Oi network and being subjected to this. The behaviour is very similar to what was seen when Phorm tried this in the UK but then they were using the sysip.net domain. There is a write up of one person's problems with it here,

http://www.hotlaptop.co.uk/bt-phorm-and-me/sysip-net-what-the-heck/

Other links that may be of interest,

http://www.theregister.co.uk/2008/03/17/bt_phorm_lies/

http://www.annoyances.org/exec/forum/win2000/1147318961

http://www.techimo.com/forum/general-tech-discussion/188184-help-me-bury-dns-sysip-net-5.html

http://www.techimo.com/forum/general-tech-discussion/188184-help-me-bury-dns-sysip-net-2.html

http://www.google.com/search?num=100&hl=en&q=%22I+ETHOS+live%22&btnG=Search

http://forums.thinkbroadband.com/bt/3047764-sysipnet-bt-and-121media.html?fpart=7#Post3295746

http://forums.thinkbroadband.com/bt/3047764-sysipnet-bt-and-121media.html?Cat=&page=3&sb=7&fpart=all&você=1

Phorm are now suggesting that such problems have been solved and indicate that they have implemented a network level opt-in but we believe this may not be the case. What Lote is seeing suggests that this has not been achieved. As I understand things in order to check on your status your browsing is intercepted and redirected via a.oix.net before you are presented with the page you wished to go to so you will see a.oix.net flash up in your browser's address bar.

It is also likely to mean that even if you have not chosen to use the system then your communications are still being intercepted and monitored. There also seems to be a problem with the process such that the browser may lock up and of course if people see it but do not know what is happening then they will worry about viruses and waste a lot of time trying to solve a problem and being unable to do so.

Lote said they were suffering from a slow connection and this has not been solved. The problem is I believe in part that their requests have to pass via a.oix.net which is hosted in the UK,

http://toolbar.netcraft.com/site_report?url=http://a.oix.net

Which really seems to be a 'stupid' way of doing things. It may be made worse as a result of the way things are structured in Brasil. Whilst,

http://navegador.oi.com.br

Appears to be hosted on the Oi network it actually is redirected to,

; <<>> DiG 9.7.0-P1 <<>> navegador.oi.com.br
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5245
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;navegador.oi.com.br. IN A

;; ANSWER SECTION:
navegador.oi.com.br. 900 IN CNAME oi.webnavegador.com.br.
oi.webnavegador.com.br. 900 IN A 187.45.178.8

;; AUTHORITY SECTION:
webnavegador.com.br. 900 IN NS ns1.phorm.com.
webnavegador.com.br. 900 IN NS ns2.phorm.com.
webnavegador.com.br. 900 IN NS ns3.phorm.com.

inetnum:     187.45.176/20
aut-num: AS53055
abuse-c: HOBIN
owner: HostDime.com.br Data Center
ownerid: 008.369.210/0001-63
responsible: ******
country: BR
owner-c: HOBIN
tech-c: HOBIN
inetrev: 187.45.176/21
nserver: ptr1.dimenoc.com
nsstat: 20101221 AA
nslastaa: 20101221
nserver: ptr2.dimenoc.com
nsstat: 20101221 AA
nslastaa: 20101221
created: 20090806
changed: 20090806

nic-hdl-br: HOBIN
person: HostDime Brasil Internet
e-mail: **********
created: 20061020
changed: 20101222

I am uncertain but if this is also involved in the way traffic is routed then it would represent a major bottleneck especially as the number of 'victims' grows. In addition if the system has not changed there is a problem with the number of 307 redirects that happen before the user gets to their destination.

http://www.cl.cam.ac.uk/~rnc1/080518-phorm.pdf

I note that Clube do Hardware is a popular site and advertises and sells hardware. Part of what Phorm's system does is profile people based on intercepting their communications with websites and looking for 'keywords' within the pages that are intercepted. Obviously someone visiting this site will be seen as a person who is interested in such hardware.

Phorm and their partners will use this information to serve 'behaviourally targeted advertising' to this person on other websites. The result is that whilst Clube do Hardware have invested time and effort in developing their site along with the costs of running and maintaining it they may find that they will lose sales of such hardware to other sites and the income that may have resulted for themselves. To me the activity is not exactly ethical and I have argued it is anti-competitive.

If the owners of this site see a similar problem perhaps they might consider putting in a complaint to CADE.

When they attempted this in the UK Phorm did offer a method for Websites to request that their content would not be used in such a manner. It was however dysfunctional to say the least. Sites either had to deny the Google search engine spider in their robots.txt file or put in a request via e-mail to be put on a 'blacklist'. Naturally Google is useful to websites both with the tools it provides and the traffic it drives to them via its search engine. Phorm gives no such benefit and is in fact parasitic. It is unlikely that webmasters would ban the Google spider to avoid Phorm and then they are left trusting Phorm to operate its own list honestly.

To date I have not seen mention of Phorm making such an offer to Brasilian WebSite owners. Of course they would wish to avoid this or make it as difficult as possible.

Again it would seem that if you are a Velox customer your communications will still be intercepted even if you 'opt-out' of the service. As such if you wanted to avoid this then you would have to change your provider. Unfortunately as others have mentioned for many people there is no other choice in their region.

It becomes worse when you consider that Telefonica is also trialling the system so even SPEEDY customers are not 'safe',

http://navegador.telefonica.com.br

With this Phorm gains access to 60% of the consumer broadband network in Brasil and Phorm will try to expand that reach. I have to say that unless you protest and act against this it is likely that it will become unavoidable. Whoever you take your service from your communications will be intercepted by Phorm and whilst you supposedly have to 'opt-in' to the service that will still be happening.

Of course as evidenced elsewhere Phorm will do their utmost to 'trick' you into using the system. They need to so they can profit from your browsing. Otherwise what they are offering in exchange, access to public RSS feeds, seems like a poor exchange for your privacy.

I apologise for the long post.

Best regards

Keith
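
An added example (not part of the post above and not Phorm or Oi code): a short check of the status URL quoted in the post, grouping the outcome pages by the state that leads to them. It assumes each `*_url` parameter names the page shown for that state, as the parameter names suggest; the second URL is a constructed contrast on a hypothetical host.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Status-check URL exactly as quoted in the post above.
QUOTED_URL = (
    "http://a.oix.net/services/OO?op=status"
    "&opted_in_url=http://navegador.oi.com.br/status/desativado_na_sua_casa.html"
    "&opted_out_url=http://navegador.oi.com.br/status/desativado_na_sua_casa.html"
    "&opt_undef_url=http://navegador.oi.com.br/status/nao_disponivel.html"
    "&tok=o6In-3wRY1uRxjH0hiCW4gAG"
)
# Constructed contrast: same shape, one page per state (hypothetical host and pages).
DISTINCT_URL = (
    "http://example.invalid/status?op=status"
    "&opted_in_url=http://example.invalid/on.html"
    "&opted_out_url=http://example.invalid/off.html"
    "&opt_undef_url=http://example.invalid/unknown.html"
)

def landing_pages(url):
    """Map each landing page to the states whose *_url parameter points at it."""
    pages = defaultdict(list)
    for name, value in parse_qsl(urlsplit(url).query):
        if name.endswith("_url"):
            pages[value].append(name[: -len("_url")])
    return dict(pages)

def ambiguous_states(url):
    """Groups of states sharing one page, which the page shown cannot tell apart."""
    return sorted(sorted(s) for s in landing_pages(url).values() if len(s) > 1)
```

For the quoted URL the opted-in and opted-out states share one landing page, so the page a user ends up on does not reveal which of the two applies.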
