Is Big Brother Watching ?
Aureate Spy
and other SpyWare
Sinister motives for installing spy technology
Is Spyware the way to launch 'Magic Lantern' virus ?
3D anarchy, 3D-FTP, any Abe's software (Abe's FTP, Abe's Image viewer, etc.), Acorn E-mail, Add URL, Alive and Kicking, Add/Remove PLUS!, AdWizard, AutoWeb, AxelCD, Beatle, BinaryVortex, Blue Engine, CamGrab, Capture Express 2000, Cheat Machine, ChanStat, CSE HTML Validator, Crystal FTP, CuteFTP 3.0, CuteFTP/Tripod, CutePage, Digicams - The WebCam Viewer, GetRight, Splash!, Web Resume, WebCopier, Web-N-Force, WebStripper, Your ESP Test, Zion, Zip Express 2000, and many many MORE
Portions of this article are reprinted from OB-1 and published on http://www.hackInTheBox.org

It's a fairly safe bet you have at least one of those programs listed above installed on your system. If you do have one or more of these software packages installed and you are a security conscious person like myself, and since you're reading this page I assume you are, you will be horrified at what information this software sends about you to a 3rd party called Aureate. When you install an offending program that is affiliated with Aureate it installs what people who know of it have come to call the "Aureate Spy". This Spy program consists of various DLL and EXE files that are activated when you launch your web browser. Some of the information that is sent to Aureate includes such things as your name as it appears in the system registry, a listing of the software that is installed on your system as it appears in the system registry, as well as your web surfing habits, what sites you visit and what banners you click on.
Aureate's watching you - OB1
The DLL and EXE files that are installed by the Aureate spy are adimage.dll, advert.dll, advpack.dll, amcis.dll, amcis2.dll, amcompat.tlb, amstream.dll, anadsc.ocx, anadscb.ocx, htmdeng.exe, ipcclient.dll3, msipcsv.exe, tfde.dll. To my knowledge these files are not used by any other programs. I found most of these files on my system and upon finding them I renamed them before deleting them to make sure it didn't affect any of my existing programs, which naturally it didn't affect in the slightest, so I was able to delete them without any adverse effects to my system.

I have found some information on what each DLL apparently does. This information was taken from the NT Security Mailing list.

advert.dll - This DLL creates a hidden window every time you open your browser. It creates and sends 4 pages of information to the Aureate servers using port 1749 on your system, these pages include:

1. Your name as listed in the system registry (not the name you installed one of the programs with)
2. Your IP address
3. The reverse DNS match of your address. (Tells them what ISP and area of country you are in)
4. A listing of ALL software that is shown in your registry as being installed. (Not just the companies they work with)
5. This DLL sends the following information to their server on all URL's you visit:
   A.) ad banners you may click on
   B.) all downloads you do showing the filename/file size/date/time/type of file (image, zip, executable, etc)
   C.) full time and date stamps of all your actions while using your browser
   D.) the remote dialup number you are dialing in on (taken out of your dialer configuration)
   E.) dialup password if saved, does not "appear" at first glance to send this through to them.
6. Contains programmers note: "Show me the money! I want to be Mike!"

advpack.dll - Used during the installation only to check for other needed files.

amcis.dll - This DLL modifies the following registry keys:

1. HKEY_CURRENT_CONFIG
2. HKEY_DYN_DATA
3. HKEY_PERFORMANCE_DATA
4. HKEY_USERS
5. HKEY_LOCAL_MACHINE
6. HKEY_CURRENT_USER
7. HKEY_CLASSES_ROOT

Unregisters oleaut32.dll from memory as provided by M$oft and replaces with its own calls. Switches back to M$oft's when browser is closed. Creates stub processes to be started anytime your browser is opened.

amcompat.tlb - This guy tracks any multimedia clips (video / pictures / sound) that you view. It tracks the rating level on the video/picture/sound and title / location. Contains references to DblClick (still digging on this one!)

amstream.dll - Sets up TWO way communications between your system and theirs. Used to send info and receive update commands/files. Open port 1749 for communications" <---- the port number seems to vary from program to program

When Aureate was approached with the above information they replied with the following:

Aureate's Reply to the Above information:

A variety of false rumors have been started, and we would appreciate your help in finding the source of these rumors so that we can clarify what our technology actually does and put these to rest.

As you may already know, what Aureate Media does is work with software companies to make their products advertising supported. Aureate's technology allows for these advertisements to be delivered and displayed within the software products of these software products.

The following concerns are those that have been brought to our attention. If you have additional concerns, please do contact us directly.

Advert.dll creates a hidden window every time you open your browser
This is true, but this happens because of the way that Microsoft Windows networking works. You will find that in running almost any windows program that hidden windows are created as this is how the OS was designed.

Advert.dll creates and sends 4 pages of information to Aureate on port 1749
We aren't sure exactly what is being referred to here. The first time someone installs software they are presented with an optional demographic survey (none of the information is required), and this information is sent to us one time (after the survey is completed). Prior to answering these questions, the user is presented with information explaining why we ask these questions and how the answers are used. The information sent is only the information provided. The use of port 1749 is misleading, as again this is something built into the way that Microsoft Windows networking works. Windows will pick a high numbered port (1500+) in a largely random fashion. Again, this is how the OS works.

Advert.dll will send your name to Aureate as it is listed in the system registry
Completely false.

Advert.dll will send your IP address to Aureate
Your IP address is sent, again because of the way that Microsoft Windows networking and TCP/IP protocol works. An IP address is obviously required in order to communicate with an Internet server in any instance.

Advert.dll performs a reverse DNS lookup on your IP address
Here again, it is Microsoft Windows networking that does this as part of the OS networking system.

Advert.dll creates a process anytime your browser is open.
This is true. This process delivers advertisements to a cache on the user's PC which are displayed while the software is being run. This works in a similar way to how the browser works, with content and images (including ads) being delivered to a cache on the user's PC and then are displayed in the browser window.

Advert.dll sends a list of all software listed in your registry
Completely false.

Advert.dll sends a list of all URL's you click on/visit
Completely false.

Advert.dll sends a list of all ad banners you click on
Completely false. We will of course know when you click on an ad banner that we delivered such that we can send the user to that advertiser's web site in the same way that any ad network works.

Advert.dll will send all downloads you perform and related information
Completely false.

Advert.dll will send full time and date stamps of all your actions while you use your browser.
Completely false.

Advert.dll contains the string "Show me the money! I want to be Mike!"
This is true. It's a text string used by the DLL. DLLs contain many text strings which are used by the DLL itself. For example, if a particular program displayed a window which contained the text "Hello World", then the "Hello World" text string would be present inside that DLL.

Advpack.dll (and all comments relating to it)
Completely false. Advpack.dll is not one of our DLLs.

Amcis.dll modifies the following registry keys: (list of keys removed)
Amcis.dll will only add itself to the HKEY_CLASSES_ROOT registry key, as does any DLL installed on your system. It simply tells Windows where to find the DLLs your programs use.

Amcompat.tlb (and all comments relating to it)
Completely false. Amcompat.tlb is not one of our files.

Amstream.dll (and all comments relating to it)
Completely false. Amstream.dll is not one of our DLLs.

Well I will leave you to make up your own mind on how _True_ Aureate's reply is but I personally do not trust the corporate reply as far as I could throw it. I hope you don't get stung by this invasion of privacy as so many others have been in the past and probably will continue to be stung in the future. It kind of leads to the question of who should people worry more about, _Hackers_ or these corporate sleaze bags that think because they do not ask for money for their programs it gives them the right to harvest information straight off your computer without you knowing. Actually this line of thought opens a can of worms because it brings up the topic of why Antivirus software companies don't detect this as a Trojan? Because in essence that is what it is, this company (Aureate) is accessing data from your computer without your knowledge just like any other backdoor/Trojan that can be placed on a windows machine and accessed by dare I say it _Hackers_ agh I said it heheh that's gonna cost me I can feel it already :P.
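The check-then-rename procedure described above, as an added example (not code from OB1 or from the original page): it walks a directory for the file names listed here, marks the three names the vendor's reply disputes, and renames only the undisputed ones so the change can be reversed. The `.quarantined` suffix, the function names and the sample directory tree are assumptions made for this example.

```python
import os
import tempfile
from pathlib import Path

# File names exactly as listed on this page, lower-cased for matching.
# "ipcclient.dll3" is kept as the page spells it.
LISTED = {
    "adimage.dll", "advert.dll", "advpack.dll", "amcis.dll", "amcis2.dll",
    "amcompat.tlb", "amstream.dll", "anadsc.ocx", "anadscb.ocx",
    "htmdeng.exe", "ipcclient.dll3", "msipcsv.exe", "tfde.dll",
}
# Names the vendor reply on this page says are not Aureate's. advpack.dll and
# amstream.dll are also names of components shipped with Windows, so a name
# match alone proves nothing: these are reported but never renamed.
DISPUTED = {"advpack.dll", "amcompat.tlb", "amstream.dll"}
SUFFIX = ".quarantined"  # hypothetical marker chosen for this example


def scan(root):
    """Return (path, status) pairs for files whose name is on the page's list."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()  # Windows file names are case-insensitive
            if low in LISTED:
                status = "disputed" if low in DISPUTED else "listed"
                hits.append((Path(dirpath) / name, status))
    return sorted(hits, key=lambda hit: str(hit[0]).lower())


def quarantine(hits, dry_run=True):
    """Rename undisputed hits in place; a rename is reversible, a delete is not."""
    renamed = []
    for path, status in hits:
        if status != "listed":
            continue
        target = path.with_name(path.name + SUFFIX)
        if target.exists():
            continue  # never overwrite an earlier quarantined copy
        if not dry_run:
            path.rename(target)
        renamed.append((path, target))
    return renamed


def restore(renamed):
    """Undo quarantine() if a program turns out to need one of the files."""
    for original, target in renamed:
        if target.exists() and not original.exists():
            target.rename(original)


def demo():
    """Run scan, quarantine and restore over a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp) / "WINDOWS" / "SYSTEM"
        sysdir.mkdir(parents=True)
        for name in ("ADVERT.DLL", "amcis.dll", "advpack.dll", "kernel32.dll"):
            (sysdir / name).write_bytes(b"constructed sample")
        hits = scan(tmp)
        report = [(path.name, status) for path, status in hits]
        moved = quarantine(hits, dry_run=False)
        after = sorted(p.name for p in sysdir.iterdir())
        restore(moved)
        restored = sorted(p.name for p in sysdir.iterdir())
        return report, after, restored


if __name__ == "__main__":
    for row in demo():
        print(row)
```

`quarantine()` defaults to `dry_run=True`, so calling it on a real directory only reports what it would rename until that flag is switched off.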
The point here is simple... If Aureate has nothing to hide, why are they hiding?
The law enforcement and security professionals I've spoken to all agree that any software
package that COVERTLY surveils your activity and gathers intelligence is espionage.
SPYWARE is exactly what the software is. The home users I've spoken to were
horrified when they heard about this (even after they looked at the details on the Aureate
web site). I personally feel that such activities are an unauthorized use of my
personal and/or organization's computer systems, but an incredible breach of ethics by both
Aureate and the developers who utilize this technology. As a security professional, I
disagree with their statement that the
software does not transmit any personal information. Are they telling us that they
are not receiving any source identifiers such as IP address, e-mail address, or domain
information? In a corporate environment, I personally, would consider the covert
transmission of such information an act of industrial espionage. First, I would ban
the use of any such software in the organization (and have). Second, I would report
such activities to the appropriate federal authorities. Depending on the
organization, such activities could be a violation of federal law.
If Aureate is as honest about what they say, I challenge them to divulge a fully commented
sample of information they gather, including any headers and/or routing information.
Additionally, I challenge them to divulge exactly how they collect, store and
analyze such "demographic" information. Finally, I challenge them to adjust
their collection activity so that it is overt instead of covert; possibly similar to
Microsoft's Critical Update Notification or Symantec's LiveUpdate. Finally, the software
overtly asks you for your year of birth, highest level of education, marital status,
household income, etc. Personally, I do consider this information both personal and
private.
-----Original Message-----
From: System Administrator [mailto:reseaux@TECHNOLOGIST.COM]
Sent: Monday, April 03, 2000 9:58 AM
A series of random statements about Aureate software:
* Aureate takes data from our computers but denies that
they do
* Aureate assigns a unique identifier to our computers
* Aureate supported programs don't come with an uninstall utility. (all I've seen haven't
and I'm pretty sure there are no exceptions)
* To the best of my knowledge Aureate didn't even make an uninstall program before Steve
wrote OptOut
* Aureate causes browsers to crash
* Aureate runs invisibly when we use the Internet Explorer or Netscape Navigator
* Aureate doesn't disclose their use of our computer's back channel
* Having Aureate installed introduces security risks above and beyond other Internet
apps that don't invisibly connect with servers we aren't
connected to by choice
* Aureate can and does on occasion download and run executable files to
your computer without your knowledge or explicit consent. They can
install virtually any file they want and make whatever changes they wish to
our computers. Most Internet programs don't have the power to do this
* Aureate knows how many unique users it has everyday on the Internet. I
have many Internet applications on my drive but I have no reason to
believe that any of these applications know how many unique users are
signed on to the Internet or for that matter when I'm connected to the
Internet.
* Aureate runs independently of any of the programs that use it
* Many if not most of the Aureate supported programs will not run if Aureate is not running
* Aureate is by its design intended to be as invisible as it could be
* Aureate makes a very poor disclosure of what it really does
* Aureate has no page informing users of known bugs
* Aureate has no bug report page
It might be called "The Spy Who Came in from the Code," and the
latest Internet privacy flap would surely give novelist John le Carré a run for his
plotline.
In recent months, a new breed of advertisement-laden software has drawn scrutiny from
security analysts and consumer advocates. This "spyware," some say, contains
sneaky features that can "call
home" on Net-connected computers to deliver all sorts of information about users.
"The real issue is to what extent do people have control of information flowing out
of their computers," says Lauren Weinstein, co-founder of People for Internet
Responsibility. "In a legal sense, they have none right now."
Software companies and their associates, meanwhile, have fought furiously against any hint
of wrongdoing. They call their programs adware and say the data they bring back from
personal computers have been grossly misunderstood.
"We don't do any of the things folks are concerned about at the moment - tracking
what they're using or seeing online," Bob Regular, marketing director for adware
maker Conducent, told InternetNews.com recently.
"We don't have the capability to do that, and that's not the data we stream
back," he says.
Those corporate assurances haven't placated concerned consumers.
Hundreds of free software
titles - including RealDownload, Netscape's AOL Smart Download, Qualcomm's free version of
the Eudora mailer and NetZip's Download Demon - now include advertising within program
windows.
In many cases, security analysts using sophisticated "sniffers" and other tools
have been unable to identify exactly what's being sent out by the programs because it is
encrypted. Encryption is great if
they are trading sensitive personal information about users, say privacy groups, but who
gave them permission to transmit anything in the first place?
The arguments have flown across the Internet in rapid-fire succession since February.
Consumers are told about the transmissions in privacy statements, say software companies.
Those statements are often vague, hidden or couched in legalese, say privacy groups.
Software companies say it's benign data used only to set up advertising within the program
windows. Privacy groups counter that if it's no big deal, why not allow outside scrutiny
of its use?
Puzzled consumers are caught in the middle, and many aren't happy.
Phil Dowd, an Indiana small-business owner, has publicized a letter he wrote the makers of
Go!zilla, a free download utility that critics say can catalog a user's Net activity.
"Your program is free, but my computer information is not," Mr. Dowd wrote.
"It is free to look in my bedroom window at night, but it is not appropriate."
What is spyware?
Spyware, as it has become known, is an application that can be installed on your hard disk
when you download shareware, freeware or code snippets such as game demos.
These third-party components - made by companies including Radiate/Aureate Media and
Conducent - are not inherently evil. Most are set up to relay information used to rotate
banner advertisements
that appear inside program windows.
Radiate/Aureate's ad banner technology is used by more than 300 ad-supported software
packages, including popular utilities such as Go!Zilla and CuteFTP.
Conducent has agreements with portal sites such as Lycos and Go2net, distributing highly
touted freeware such as the PKzip file-compression utility. Other popular titles include
Comet Cursor,
DigiCams, Qualcomm's free version of Eudora, the RealDownload feature of RealPlayer 8.0
and several children's games.
A Canadian, Gilles Lalonde of Infoforce (www.infoforce.qc.ca/spyware),
has set up the Spyware Infested Software List, which says it catalogs 411 uses of spyware
in programming.
When you launch some of these programs, the embedded application "piggybacks" on
your Internet connection and relays data to a remote ad server. Inside the program ad
windows, you may notice
changes in the products and services being offered. The remote servers can use information
from your computer's operating system to feed you ads they believe you might find
appealing.
For privacy experts, the problem is that users often click through or ignore warnings that
they are authorizing such activity.
"What I want to see is something that - when people start up the software for the
first time - very clearly says, 'This software is sending data to our servers. Here is
why. Here is what we do with
it,'" says Mr. Weinstein, the privacy advocate. "It should not be buried in a
click-through licensing agreement that nobody reads and not put on a privacy policy page
that most people won't find, won't
read, won't understand and [that companies] can warp at any time at a moment's
notice."
Software companies and third parties such as Conducent have endeavored to explain their
activities to consumers with limited success.
Conducent, for example, states: "The nonpersonally identifiable information collected
by Conducent is used for the purpose of targeting content and measuring effectiveness on
behalf of Conducent's customers. Conducent does not sell, rent or loan any information
regarding desktop users to any third party. Any information given us is held with the
utmost care and security."
Many software makers, such as RealNetworks, have added longer installation notes about
adware transmissions. RealPlayer, for example, now features a menu of setup options that
specifically
allows users to opt out of the activity.
But questions remain about the potential of this technology. Privacy advocates worry that
such programming can be used by unscrupulous companies to become more snoopy. Beyond that,
with third-party applications involved, whose privacy policies are actually being
employed?
"And if Aureate or Eudora or Qualcomm decides to change its policies ... well, too
bad for us," says Tom Mattox of The Privacy Place (www.privacyplace.com).
Detective work
Much of the furor over spyware no doubt stems from user inattention. When accepting free
software, home computer owners often blithely skip through the fine print that splays
across their monitors.
As more homeowners have installed "always-on" broadband connections to the
Internet, personal firewalls to maintain security have grown in popularity. Some users
have discovered back-channel communications going on between their computers and other Web
sites that they didn't know existed before.
Many such computer exchanges are, indeed, routine and nonthreatening.
Researchers at consumer public interest site Kumite.com (www.kumite.com/myths/myths/myth036.htm)
have examined many of the Aureate products and pronounced them harmless.
"The software does seem to be either poorly designed or implemented," they say.
"For example, uninstalling the applications that include the Aureate spyware often
does not remove the spyware itself. ... Once you have it, you have it forever."
Renowned computer security expert Richard Smith has also said that he sees no "extra
information going out." Users are generally allowed to opt in for ad-targeting
transmissions during the installation
process, which is the proper way to handle the situation, Mr. Smith told Kumite.com.
But another respected security expert, Steve Gibson of Gibson Research Corp. (www.grc.com), says his tests show how insidious NetZip's
Download Demon - now licensed by RealNetworks as RealDownload and Netscape/AOL as Netscape
Smart Download - and similar software can be.
More than 14 million people are using the original NetZip Download Demon, says Mr. Gibson,
a security software developer.
"In their default configuration, all of these programs send back a report of every
file downloaded from anywhere on the Internet, even places that might not be anyone's
business. And, except for
RealDownload, which was modified after a weeklong battle with me, these programs tag your
computer with a unique ID, which accompanies every report," Mr. Gibson says.
This data can give companies the ability to compile and create detailed user profiles
based on Web sites visited and files downloaded, Mr. Gibson says.
Mr. Gibson points out that privacy lawsuits have been filed on behalf of consumers in
several states "so perhaps the PC industry will begin to receive the message that
this sort of secret spying and profiling is not OK with the rest of us, even if it is
buried within a lengthy license agreement."
This debate gets stickier. RealNetworks associate general counsel Robert Kimball warns
that many of Mr. Gibson's assertions were incorrect and vaguely threatened legal action.
In a letter displayed on Mr. Gibson's site, Mr. Kimball contends the researcher is trying
to drum up support for his new OptOut software, a free offering that attempts to cleanse
hard drives of spyware
vestiges.
"RealNetworks does not track any individual's use of RealDownload, does not create
profiles of RealDownload customers and does not transmit any unique ID when a customer
downloads files using RealDownload," Mr. Kimball wrote.
"Any use of RealDownload is completely anonymous, and its communications features are
clearly disclosed and optional. Upon installation, users are informed that download URLs
can be
anonymously transmitted, and we offer them a clear choice to opt out of even that
functionality."
Possible solutions
Software such as Mr. Gibson's OptOut can alleviate some user concerns, and more than one
company has turned out products to meet this challenge. AD-aware by Lavasoft (www.lavasoft.de/free.html), for example, also
detects and helps users disengage from the adware cycle.
But, says Mr. Weinstein, spyware can circumvent these programs in an instant.
"It's like getting ants in your kitchen and trying to stop them with your
thumb," he says. "You may feel like you're accomplishing something and you'll
get a dirty thumb, but it's not going to have
any real effect because things can change so rapidly."
Beyond that, wider threats loom. The Privacy Foundation released a report Aug. 30 that
found Microsoft Word documents and other files can be injected with tiny graphics files
that could allow an author to track where a document is being read and how often. Any file
that can render HTML could be tracked using an invisible, one-pixel "Web bug."
Mr. Weinstein says Web bugs
illustrate just how easy it is for anyone to track activity inside Internet-connected
computers. From his perspective, self-regulation of the software industry can't be
expected to curb abuses.
A recent survey of 2,117 Americans by the Pew Internet & American Life Project found
great concern about privacy. At the same time, "a great many Internet users do not
know the basics of how their online activities are observed, and they do not use available
tools to protect themselves," the survey said.
Eighty-six percent of Internet users favor an opt-in privacy policy and say Internet
companies should ask people for permission to use personal information, the study showed.
Although federal officials contend that the software industry should police itself for bad
privacy policies, most Americans in the Pew study doubt that system will protect them.
Nor, said a majority of
respondents, should government get involved.
Privacy advocates say industry software officials must start dealing straight with
consumers to prevent abuses.
"Draw up some basic rules and regulations that say, 'Here are the rights people have
to their data, here are the circumstances under which you're allowed to take data out of
someone's computer,'" says
Mr. Weinstein.
Without guidelines and industry regulation, invisible communications between remote
servers and home users will remain worrisome, he says.
"You're going to be constantly running from leak to leak in the earthen dam, plugging
this hole and watching that one open up," Mr. Weinstein says. "Pretty soon,
you'll be watching a crack open that
will flood you."
And NOW! Brilliant Digital's software (KaZaa spyware)
Cleaning KaZaa
Additional Relevant Sources:
CIACTech02-004: Parasite Programs; Adware, Spyware, and Stealth Networks
Some fun with Aureate published at searchlores in October 2001
Spyware Message boards:
Spyware General spyware discussion. Help, Q&A, horror stories...
For the spyware hacking experts - share information and get advice, dish the dirt on the latest malware's internals
You be the judge and if you feel your privacy is threatened, I suggest you
boycott all software using this technology.
Thursday, April 05, 2007