Technical Analysis of the Aureate Spyware

On this page you will find the analysis of a hacker who has (allegedly) examined in detail how the program works, along with a statement by Aureate Media on his accusations/findings. Since I have not carried out any investigation in this direction myself, I cannot accept responsibility for the correctness of these statements! Further information (in German) can be found on my spyware page.

The Hacker's Statement

... this is something you might want to forward on to your readers somehow.
The following is a listing of all software known to install the Aureate spy on your system. The Aureate spy keeps track of your Internet activities and sends a report to Aureate every time you open your browser. The Aureate spy places the following files on a Windows machine. [It is not known, yet, to affect Macintosh or Linux machines.]
 
The installed files are some or all of:
 
adimage.dll
advert.dll
advpack.dll
amcis.dll
amcis2.dll
amcompat.tlb
amstream.dll
anadsc.ocx
anadscb.ocx
htmdeng.exe
ipcclient.dll
msipcsv.exe
tfde.dll
 
Here is a review of the contents and code contained in the DLLs that Aureate makes use of. Here are a few of my findings up to this point:
 

advert.dll

This DLL creates a hidden window every time you open your browser. It creates and sends 4 pages of information to the Aureate servers using port 1749 on your system; these pages include:
 
1. Your name as listed in the system registry ( not the name you installed one of the programs with )
2. Your IP address
3. The reverse DNS match of your address. ( tells them what ISP and area of country you are in )
4. A listing of ALL software that is shown in your registry as being installed. ( Not just the companies they work with )
5. This DLL sends the following information to their server on all URLs you visit:
A.) ad banners you may click on
B.) all downloads you do showing the filename/file size/date/time/type of file(image, zip,executable, etc)
C.) full time and date stamps of all your actions while using your browser
D.) the remote dialup number you are dialing in on (taken out of your dialer configuration)
E.) dialup password if saved, does not "appear" at first glance to send this through to them.
6. Contains programmers note: "Show me the money! I want to be Mike!"

advpack.dll

Used during the installation only to check for other needed files.

amcis.dll

This DLL modifies the following registry keys:
1. HKEY_CURRENT_CONFIG
2. HKEY_DYN_DATA
3. HKEY_PERFORMANCE_DATA
4. HKEY_USERS
5. HKEY_LOCAL_MACHINE
6. HKEY_CURRENT_USER
7. HKEY_CLASSES_ROOT
 
Unregisters oleaut32.dll from memory as provided by M$oft and replaces it with its own calls. Switches back to M$oft's when the browser is closed. Creates stub processes to be started any time your browser is opened.

amcompat.tlb

This guy tracks any multimedia clips (video/pictures/sound) that you view. It tracks the rating level on the video/picture/sound and the title/location. Contains references to DblClick (still digging on this one!)

amstream.dll

Sets up TWO-way communications between your system and theirs. Used to send info and receive update commands/files. Opens port 1749 for communications.

The Aureate Statement

A variety of false rumors have been started, and we would appreciate your help in finding the source of these rumors so that we can clarify what our technology actually does and put these to rest. As you may already know, what Aureate Media does is work with software companies to make their products advertising-supported. Aureate's technology allows these advertisements to be delivered and displayed within the software products of these software companies.
 
The following concerns are those that have been brought to our attention. If you have additional concerns, please do contact us directly.
 
Advert.dll creates a hidden window every time you open your browser
 
This is true, but this happens because of the way that Microsoft Windows networking works. You will find, in running almost any Windows program, that hidden windows are created, as this is how the OS was designed.
 
Advert.dll creates and sends 4 pages of information to Aureate on port 1749
 
We aren't sure exactly what is being referred to here. The first time someone installs software they are presented with an optional demographic survey (none of the information is required), and this information is sent to us one time (after the survey is completed). Prior to answering these questions, the user is presented with information explaining why we ask these questions and how the answers are used. The information sent is only the information provided. The use of port 1749 is misleading, as again this is something built into the way that Microsoft Windows networking works. Windows will pick a high numbered port (1500+) in a largely random fashion. Again, this is how the OS works.
 
Advert.dll will send your name to Aureate as it is listed in the system registry
 
Completely false.
 
Advert.dll will send your IP address to Aureate
 
Your IP address is sent, again because of the way that Microsoft Windows networking and the TCP/IP protocol work. An IP address is obviously required in order to communicate with an internet server in any instance.
 
Advert.dll performs a reverse DNS lookup on your IP address
 
Here again, it is Microsoft Windows networking that does this as part of the OS networking system.
 
Advert.dll creates a process anytime your browser is open.
 
This is true. This process delivers advertisements to a cache on the user's PC, which are displayed while the software is being run. This works in a similar way to how the browser works, with content and images (including ads) being delivered to a cache on the user's PC and then displayed in the browser window.
 
Advert.dll sends a list of all software listed in your registry
 
Completely false.
 
Advert.dll sends a list of all URLs you click on/visit
 
Completely false.
 
Advert.dll sends a list of all ad banners you click on
 
Completely false. We will of course know when you click on an ad banner that we delivered, so that we can send the user to that advertiser's web site, in the same way that any ad network works.
 
Advert.dll will send all downloads you perform and related information
 
Completely false.
 
Advert.dll will send full time and date stamps of all your actions while you use your browser.
 
Completely false.
 
Advert.dll contains the string "Show me the money! I want to be Mike!"
 
This is true. It's a text string used by the DLL. DLLs contain many text strings which are used by the DLL itself. For example, if a particular program displayed a window which contained the text "Hello World", then the "Hello World" text string would be present inside that DLL.
 
Advpack.dll (and all comments relating to it)
 
Completely false. Advpack.dll is not one of our DLLs.
 
Amcis.dll modifies the following registry keys: (list of keys removed)
 
Amcis.dll will only add itself to the HKEY_CLASSES_ROOT registry key, as does any DLL installed on your system. It simply tells Windows where to find the DLLs your programs use.
 
Amcompat.tlb (and all comments relating to it)
 
Completely false. Amcompat.tlb is not one of our files.
 
Amstream.dll (and all comments relating to it)
 
Completely false. Amstream.dll is not one of our DLLs.
 
If you have any further questions, please don't hesitate to call or write.
 
Thanks,
Jeremy
 
----
Jeremy J. Newton, VP Sales
Aureate Media Corporation
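As a defender's check on the file list from the hacker's statement, weighed against the vendor's denials, here is an added example that is not part of the original page or of either party's material. It triages file names from a directory walk into those the analysis attributes to Aureate and those the vendor statement disowns (advpack.dll, amcompat.tlb, amstream.dll, which also match standard Windows component names), and it tests a DLL's raw bytes for the "Show me the money!" string both sides agree is present in advert.dll. The directory paths and sample file names are constructed for illustration.

```python
import ntpath
import os
from typing import Dict, Iterable, List

# File names the analysis above attributes to the Aureate component.
AUREATE_NAMES = {
    "adimage.dll", "advert.dll", "amcis.dll", "amcis2.dll",
    "anadsc.ocx", "anadscb.ocx", "htmdeng.exe", "ipcclient.dll",
    "msipcsv.exe", "tfde.dll",
}
# Names the vendor statement disowns; they also match standard Windows
# component names, so a hit here is a prompt to look closer, not proof.
DISPUTED_NAMES = {"advpack.dll", "amcompat.tlb", "amstream.dll"}
# Marker string both sides agree is present in advert.dll.
MARKER = b"Show me the money!"


def classify(path: str) -> str:
    """Return 'aureate', 'disputed' or 'clean' for a path or bare name.
    ntpath.basename splits on both '\\' and '/', so Windows paths work
    even when this runs on a non-Windows analysis box."""
    name = ntpath.basename(path).lower()
    if name in AUREATE_NAMES:
        return "aureate"
    if name in DISPUTED_NAMES:
        return "disputed"
    return "clean"


def triage(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Group paths by classification, dropping clean ones."""
    out: Dict[str, List[str]] = {"aureate": [], "disputed": []}
    for p in paths:
        c = classify(p)
        if c != "clean":
            out[c].append(p)
    return out


def has_marker(data: bytes) -> bool:
    """True if the raw bytes of a DLL contain the programmer's note."""
    return MARKER in data


def scan(directories: Iterable[str]) -> Dict[str, List[str]]:
    """Walk real directories (e.g. the Windows system folder) and triage."""
    found: List[str] = []
    for d in directories:
        for root, _dirs, files in os.walk(d):
            found.extend(os.path.join(root, f) for f in files)
    return triage(found)
```

Run `scan([r"C:\WINDOWS\SYSTEM"])` on a suspect machine; any 'aureate' hit is worth pulling for a `has_marker` check and a closer look, while 'disputed' hits need the file's version information before drawing any conclusion.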


So form your own picture of the threat posed by Aureate spyware!
 

If you have questions or problems, please post in my Internet and Security Forum.
In special cases you can also reach me by e-mail!
And please don't forget to sign my guestbook!


(This page was created on 02.06.2000,
the last update took place on 02.06.2000)


This site is reachable via http://www.tcp-ip-info.de, http://www.trojaner-und-sicherheit.de, http://www.internet-und-sicherheit.de and http://www.tcp-ip.de.gg