Subject: Re: All Advantage Spyware
From: Jonathan Rickman (jonathanXCORPS.NET)
Date: Sun Sep 10 2000 - 17:27:58 CDT


On Sat, 9 Sep 2000, Daehlie Owns wrote:

> Attention AllAdvantage Users:
>
> It has come to my attention that All Advantage Corp.'s software for
> surfing the net for money has some dll files that do some interesting
> things.
> They are detailed in this text file, written by acecww,
> http://home.cyberarmy.com/acecww/advert.txt, please read it, it shows
> many things, such as screwing with the registry, and unregistering
> dlls, replacing the code, then when your browser closes, putting
> everything back to the way it was. Anyone else have any comments,
> questions, or just plain outrage, please reply to this email.
>
> --Daehlie
>

This is not exactly breaking news, but it should still spark plenty of
outrage. A few of us on the list have been working on a project to
document the various spyware systems and detail how they operate from a
"techie's" point of view. If you'd like to help out with this project you
can visit my site or email me directly. We are currently focused on the
Aureate / Radiate system, which uses the advert.dll file you mentioned.
After reading through the disassembly (over 200,000 lines) it appears that
nothing is amiss. Let me know if you'd like a copy of the disassembly and
I'll send you a link. It's a 7 meg download, but it never hurts to have
some extra pairs of eyeballs looking it over. Steve Gibson has performed
some research on this in the past and has come to the same conclusion that
we are rapidly approaching: the advert.dll is basically harmless unless
used in conjunction with another exploit, such as using a browser
vulnerability to write to the hosts file, thus redirecting the dll to a
server of your choosing. There it will download and run any exe named
update-dll.exe, regardless of its size. In short, the potential for abuse
is there; it's up to us to find a practical way to exploit it and raise
the level of awareness. It is our hope that this approach might put an end
to this problem once and for all.

--
Jonathan Rickman
X Corps Security
http://www.xcorps.net

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 6.5.2

mQENAzm0QZQAAAEIAN3uNRQlWHMrHwKgTNzpYps6SLipfNvH+0uZi0TvxyXFHiiH
kivQYxlcPn/4Za4eyl5XZvP6lGQ3DXcCzT+9di75HqFtTiHeE9YScR0WEeBB1ywL
j8nKxFdGMCJ3a3khSafPvyTUQKGaEWQGnui+6UieWeBhDHdE/o21qNd0+6M49P73
0pVTdmdn1jPj1cU+vrqkNWMfNNNhLyPjrdPzoL6SoYzCs6p5YhLWaNOiet/91RhK
VpC8uy2cUIWNOAyAOtDJwF4GY+AIVP2WTLg6L/FByDH507HP4NvkbnwPAkDSTh7M
TlXvdoeNiaEUCYCgx8CFSCAg/pl819+gts810D8ABRG0JkpvbmF0aGFuIFJpY2tt
YW4gPGpvbmF0aGFuQHhjb3Jwcy5uZXQ+iQEVAwUQObRBlNffoLbPNdA/AQETwwf/
d4W131UXeWd1+hcCR1bkFJRx+08fNtHzbMzjqquA4IRPftt72M6RzDsRn1xpsdh+
RqP0oeZ0IfnByhXQ7x65JxRUaYW2mw8GNQOeTkJ2uNDg3SaFG2HGYxASohP2r8D6
Yh1WIfEgf3YDwoKyGAfJTgcfHZe85+hgg6R60KbGMAhWf5Tbb6IEpzdvBi/HoYHC
c1km8esjnMPDmR1aLjcRffaMmWGwXk/33oZRo3Q0SO/MvqWyo1kZnq2JIxX0MDAm
nm2p0cZtQc1sECkC1XyyyH8tgWhXwzYpucpsQ3IhWFrCuL7y4t/wREOgd4KaSxkN
OKraa8g7Nyh4s8rSHFvq5A==
=XYFV
-----END PGP PUBLIC KEY BLOCK-----
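The abuse path Jonathan describes above depends on the hosts file being rewritten so that the ad component's update hostname resolves to a foreign server. The script below, added here as an illustration and not code from the thread or from any of the vendors named in it, audits a Windows-style hosts file from the defender's side: it parses the file, flags any watched hostname that has been pointed at a non-local address (a local sink such as 127.0.0.1 or 0.0.0.0 is a normal ad-blocking entry, not a redirect), and computes a normalized fingerprint so that a baseline can be compared on later runs. The watched hostnames and the sample hosts files are constructed placeholders; the message does not name the hosts advert.dll actually contacts.

```python
"""Audit a hosts file for entries that redirect a watched hostname to a
non-local address. Added example; hostnames below are placeholders."""
import hashlib
import ipaddress

# Hypothetical update/ad hostnames a component like advert.dll might resolve.
# Placeholders, not taken from the original message.
WATCHED_HOSTS = {"ads.example-adserver.test", "update.example-adserver.test"}

# Resolving a hostname to one of these is blocking, not redirection.
LOCAL_SINKS = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text):
    """Return (address, hostname, line_no) for every mapping in a hosts file.

    Comments (# ...) and blank lines are ignored; a line whose first token
    is not a valid IP address is skipped as malformed.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((addr, name.lower(), line_no))
    return entries


def find_redirects(text, watched=WATCHED_HOSTS):
    """Flag watched hostnames mapped to anything other than a local sink."""
    findings = []
    for addr, name, line_no in parse_hosts(text):
        if name in watched and addr not in LOCAL_SINKS:
            findings.append({"line": line_no, "host": name, "address": str(addr)})
    return findings


def fingerprint(text):
    """SHA-256 over the sorted, normalized mappings, so that comment or
    whitespace edits do not change the baseline but a new mapping does."""
    normalized = sorted(f"{addr} {name}" for addr, name, _ in parse_hosts(text))
    return hashlib.sha256("\n".join(normalized).encode()).hexdigest()


# Constructed sample files: a clean hosts file with an ad-blocking entry,
# and the same file with a redirect of the update host appended.
CLEAN = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example-adserver.test   # blocked locally, harmless
"""

TAMPERED = CLEAN + "203.0.113.7     update.example-adserver.test\n"

if __name__ == "__main__":
    baseline = fingerprint(CLEAN)
    for label, content in (("clean", CLEAN), ("tampered", TAMPERED)):
        hits = find_redirects(content)
        changed = fingerprint(content) != baseline
        print(f"{label}: redirects={hits} baseline_changed={changed}")
```

On a real system the text would be read from `%SystemRoot%\System32\drivers\etc\hosts` (or `/etc/hosts`), the baseline fingerprint stored somewhere the unprivileged browser process cannot write, and a non-empty `find_redirects` result treated as an indicator that the redirect precondition for the update-dll.exe download has been met.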
