Threat Description

Aureate 'Spying' case

Details

Aliases: Aureate 'Spying' case, Aureate rumours
Category: Malware
Type:
Platform: W32

Summary


In March 2000, a message appeared on an Internet forum accusing Aureate.com of spying on computer users who have Aureate components installed.

F-Secure and other companies have been unable to confirm these rumours to be true or false. The company behind Aureate, called Radiate, has denied all such allegations.



Removal


F-Secure Anti-Virus doesn't detect Aureate, TimSink and other 'adware'.



Technical Details


Here's the original message that was forwarded to the forum by another person:

It seems that a company named aureate.com has been secretly collecting data off everyone who uses applications that incorporate their banner ad software. Look at the below e-mail for details. Also it's true last night the friend that sent me this ran netstat -a to monitor his ports and sure enough while running gozilla and downloading something through it.

The following is a listing of all software known to install the Aureate spy on your system. The Aureate spy keeps track of your Internet activities and sends a report to Aureate every time you open your browser. The Aureate spy places the following files on a Windows machine. [It is not known, yet, to affect Macintosh or Linux machines.]

The installed files are some or all of:

adimage.dll
advert.dll
advpack.dll
amcis.dll
amcis2.dll
amcompat.tlb
amstream.dll
anadsc.ocx
anadscb.ocx
htmdeng.exe
ipcclient.dll
msipcsv.exe
tfde.dll

========== ========== ========== ==========

Dale said:

OK folks, living up to my reputation as a 'bulldog' when I get my teeth into something, I have been busy 'reviewing' the contents and code contained in the DLL's that Aureate makes use of. Here are a few of my findings up to this point:

advert.dll
=======

This DLL creates a hidden window every time you open your browser. It creates and sends 4 pages of information to the Aureate servers using port 1749 on your system, these pages include:

1. Your name as listed in the system registry ( not the name you installed one of the programs with )
2. Your IP address
3. The reverse DNS match of your address. ( tells them what ISP and area of country you are in )
4. A listing of ALL software that is shown in your registry as being installed. ( Not just the companies they work with )
5. This DLL sends the following information to their server on all URL's you visit:
   A.) ad banners you may click on
   B.) all downloads you do showing the filename/file size/date/time/type of file (image, zip, executable, etc)
   C.) full time and date stamps of all your actions while using your browser
   D.) the remote dialup number you are dialing in on (taken out of your dialer configuration)
   E.) dialup password if saved, does not "appear" at first glance to send this through to them.
6. Contains programmer's note: "Show me the money! I want to be Mike!"

advpack.dll
=========

Used during the installation only to check for other needed files.

amcis.dll
=======

This DLL modifies the following registry keys:

1. HKEY_CURRENT_CONFIG
2. HKEY_DYN_DATA
3. HKEY_PERFORMANCE_DATA
4. HKEY_USERS
5. HKEY_LOCAL_MACHINE
6. HKEY_CURRENT_USER
7. HKEY_CLASSES_ROOT

Unregisters oleaut32.dll from memory as provided by M$oft and replaces with its own calls. Switches back to M$oft's when browser is closed. Creates stub processes to be started anytime your browser is opened.

amcompat.tlb
===========

This guy tracks any multimedia clips ( video/pictures/sound ) that you view
It tracks the rating level on the video/picture/sound and title / location
Contains references to DblClick ( still digging on this one! )

amstream.dll
==========

Sets up TWO way communications between your system and theirs.
Used to send info and receive update commands/files
Open port 1749 for communications

==================================================

The programs that are known to install the Aureate spy are:

123Search  3d Anarchy  3D-FTP  3rd block  Abe's FTP Client  Abe's Image Viewer  Abe's MP3 Finder  Abe's Picture Finder  Abe's SMB Client  Access Diver III  Acorn Email  AcqURL  ActionOutline Light 1.6  Active 'Net  Add URL  Add/Remove Plus!  
Address Rover 98  Admiral VirusScanner  Advanced Call Center  Advanced Maillist Verify  AdWizard  Alive and Kicking  alphaScape QuickPaste  ASP1-A3  Auction Explorer  Aureate Group Mail  Aureate SpamKiller  AutoFTP PRO  AutoWeb  AxelCD  Beatle  Binary Boy  BinaryVortex  Blue Engine  BookSmith : Original  buddyPhone 2  Calypso E-mail  CamGrab  Capture Express 2000  Cascoly Screensaver  CDDB-Reader  CDMaster32  ChanStat  Charity Banner  Cheat Machine  Check4New  ChinMail  Clabra clipboard viewer  Classic Peg Solitaire  ComTry Music Downloader  Crystal FTP  CSE HTML Validator Lite  CuteFTP 3.0  CuteFTP 3.0  CuteFTP/Tripod  CuteMX  CutePage  Danzig Pref Engine  DateTime  Delphi Component Test  Delphi Tester  Dialer 2000  DigiBand NewsWatch  DigiCams - The WebCam Viewer  Digital Postman  DirectUpdate  DL-Mail Pro 2000  DNScape  Doorbell 1.18  Download Minder 1.5  Download Wonder  DownLoader v.1.1  Dwyco Video Conferencing  EasySeeker  EmmaSoft ChatCat  EmmaSoft dBrow  EmmaSoft KeepLan  EmmaSoft Soundz  EnvoyMail  EZ-Forms FREE  File Mag-Net  FileSplit  Folder Guard Jr.  FourTimes  Free Picture Harvester  Free Solitaire  Free Spades  Free Submitter Pro  FreeImageEditor  FreeIRC  FreeNotePad  FreeSite  FreeWebBrowser  FreeWebMail  FreeZip!  
FTPEditor  GetRight  Go!Zilla  Go!Zilla WebAttack  GovernMail  Grafula  Gunther's PasswordSentry  HangWeb  hesci Private Label  HTML Translator  HTTP Proxy-Spy  Huey v1.8 Color Picker  Iban Technologies IP Tools 3.1  Idyle GimmIP  Idyle GimmIP  iFind Graphics  imageN  Infinite Patience  InfoBlast  InnovaClub  InstallZIP  Internet Tree  Internetrix  InterWebWord Companion  JetCar  JFK Research  jIRC  JOC Email Checker  JOC Web Finder  JOC Web Spider  KVT Diplom  LapLink FTP  LineSoft Download  LOL Chat  LOL Chat  Mail Them  Meracl FontMap  Meracl ImageMap Generator  Midnight Oil Solitaire  MirNik Internet Finder  More Space 99  MouseAssist  MP3 Album Finder  MP3 Fiend  MP3 Grouppie  MP3 Mag-Net  MP3 Renamer  Mp3 Stream Recorder  MP3INFO-Editor  MultiSender  Music Genie  MX Inspector BIG AD  My Genie Patriots  My Genie SE  My GetRight  NeatFTP  Net CB  Net Scan 2000  Net Vampire  Net-A-Car Feature Car Screensaver  NetAnts  NetBoard  Netbus Pro 2.10  NetCaptor 5.0  Netman Downloader  NetNak  NetSuck 3.10.5  NetTime Thingy  Network Assistant  NeuroStock  NewsBin  NewsShark  NewsWire  NfoNak  NotePads+  Notificator 1.0b  Octopus  Pattern Book  People Seek 98  Personal Search Agent  Photocopier  PicPluck  Pictures In News  Ping Thingy  PingMaster  Planet.Billboard  Planet.MP3Find  PMS  ProtectX 3  ProxyChecker  QuadSucker/Web  Quadzle Puzzles  QuikLink Autobot  QuikLink Explorer  QuikLink Explorer Gold Edition  QuoteWatch  QWallet  Real Estate Web Site Creator  Recipe Review  ReGet 1.6  Resume Detective  RingSurf  RoboCam 1.10  Rosemary's Weird Web World  SaberQuest Page Burner  SBJV  SBWcc  Scout's Game  ScreenFIRE  ScreenFIRE - FileKing  ScreenFlavors  Sea Battle  Shizzam  Simple Submit  SimpleFind  SimpleSubmit v1.0  SK-111  Smart 'n Sticky  SmartBoard 200 FREE Edition  SmartSum calculator  SonicMail  Sound Agent  Space Central Screen Saver  Splash! 
Siterave  StartDrive  Static FTP  StockBrowser  Subscriber  SunEdit 2K  SuperIDE  Sweep  SweepsWinner  Text Transmogrifier  The Mapper  TheNet  TI-FindMail  TIFNY  Total Finger  Total Whois  Tracking The Eye  Trade Site Creator  TWinExplorer Standard  TypeWriter 1.0  UK Phone Codes  Vagabond's Realm  VeriMP3  Vertigo QSearch  Virtual Access  Visual Cyberadio  Visual Surfer  VOG Backgammon Main  VOG Backgammon Table  VOG Chess Main  VOG Chess Table  VOG Reversi Main  VOG Reversi Table  VOG Shell  VOG Shell  VOG Shell History  W3Filer  Web Coupon  Web Page Authoring Software  Web Registrant PRO  Web Resume  Web SurfACE  WEB2SMS  WebCamVCR  WebCopier  Web-N-Force  WebSaver  Website Manager  WebStripper  WebType  WhoIs Thingy  Win A Lotto  WinEdit 2000  Word+  Wordwright  WorldChat Client  Worm  www.devgames.com  xBlock  Your ESP Test  Zion  Zip Express 2000  

Here is Aureate's answer to the published allegations:

A variety of false rumors have been started, and we would appreciate your help in finding the source of these rumors so that we can clarify what our technology actually does and put these to rest.

As you may already know, what Aureate Media does is work with software companies to make their products advertising supported. Aureate's technology allows for these advertisements to be delivered and displayed within the software products of these software products.

The following concerns are those that have been brought to our attention. If you have additional concerns, please do contact us directly.

    Advert.dll creates a hidden window every time you open your browser

This is true, but this happens because of the way that Microsoft Windows networking works. You will find that in running almost any windows program that hidden windows are created as this is how the OS was designed.

    Advert.dll creates and sends 4 pages of information to Aureate on port 1749

We aren't sure exactly what is being referred to here. The first time someone installs software they are presented with an optional demographic survey (none of the information is required), and this information is sent to us one time (after the survey is completed). Prior to answering these questions, the user is presented with information explaining why we ask these questions and how the answers are used. The information sent is only the information provided.

The use of port 1749 is misleading, as again this is something built into the way that Microsoft Windows networking works. Windows will pick a high numbered port (1500+) in a largely random fashion. Again, this is how the OS works.

    Advert.dll will send your name to Aureate as it is listed in the system registry

Completely false.

    Advert.dll will send your IP address to Aureate

Your IP address is sent, again because of the way that Microsoft Windows networking and TCP/IP protocol works. An IP address is obviously required in order to communicate with an internet server in any instance.

    Advert.dll performs a reverse DNS lookup on your IP address

Here again, it is Microsoft Windows networking that does this as part of the OS networking system.

    Advert.dll creates a process anytime your browser is open.

This is true. This process delivers advertisements to a cache on the user's PC which are displayed while the software is being run. This works in a similar way to how the browser works, with content and images (including ads) being delivered to a cache on the user's PC and then are displayed in the browser window.

    Advert.dll sends a list of all software listed in your registry

Completely false.

    Advert.dll sends a list of all URL's you click on/visit

Completely false.

    Advert.dll sends a list of all ad banners you click on

Completely false. We will of course know when you click on an ad banner that we delivered such that we can send the user to that advertiser's web site in the same way that any ad network works.

    Advert.dll will send all downloads you perform and related information

Completely false.

    Advert.dll will send full time and date stamps of all your actions while you use your browser.

Completely false.

    Advert.dll contains the string "Show me the money!  I want to be Mike!"

This is true. It's a text string used by the DLL. DLLs contain many text strings which are used by the DLL itself. For example, if a particular program displayed a window which contained the text "Hello World", then the "Hello World" text string would be present inside that DLL.

    Advpack.dll (and all comments relating to it)

Completely false. Advpack.dll is not one of our DLLs.

    Amcis.dll modifies the following registry keys: (list of keys removed)

Amcis.dll will only add itself to the HKEY_CLASSES_ROOT registry key, as does any DLL installed on your system. It simply tells Windows where to find the DLLs your programs use.

    Amcompat.tlb (and all comments relating to it)

Completely false. Amcompat.tlb is not one of our files.

    Amstream.dll (and all comments relating to it)

Completely false. Amstream.dll is not one of our DLLs.

We performed our own investigation and we cannot confirm these rumours to be true or false. Aureate components cause some extra Internet traffic when you browse the Net: data packets 60-100 bytes long are periodically sent to several websites, including Aureate and its business partners.

We have found no indication that any confidential details of the user or any data is sent out with those packets, so we cannot give a conclusive statement on whether Aureate is a privacy threat or not.
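The dispute over "port 1749" turns on whether that port is a listening socket or just the local source port of an outbound connection, which a netstat snapshot can settle. The following is an added example, not code from F-Secure, the forum post or Aureate: it classifies a local port from constructed `netstat -an` output, and it assumes the classic Windows default ephemeral range of 1025-5000 and documentation-range IP addresses.

```python
import re

# Assumption: classic Windows default client (ephemeral) port range.
EPHEMERAL = range(1025, 5001)

# Constructed sample of `netstat -an` TCP rows; addresses are documentation ranges.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1800           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1749        198.51.100.7:80        ESTABLISHED
  TCP    192.0.2.10:1750        198.51.100.7:80        TIME_WAIT
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per TCP row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            lip, lport, rip, rport, state = m.groups()
            yield lip, int(lport), rip, int(rport), state

def classify_port(text, port):
    """Describe the role a local TCP port plays in this snapshot."""
    rows = [r for r in parse(text) if r[1] == port]
    if not rows:
        return "absent"
    if any(r[4] == "LISTENING" for r in rows):
        return "listening"            # accepts inbound connections
    if port in EPHEMERAL:
        return "outbound-ephemeral"   # source port picked by the OS
    return "connected-nonephemeral"   # needs a closer look

def outbound_peers(text):
    """Remote endpoints of non-listening rows, to compare with expected hosts."""
    return sorted({(r[2], r[3]) for r in parse(text) if r[4] != "LISTENING"})

if __name__ == "__main__":
    for p in (1749, 1800, 4242):
        print(p, classify_port(SAMPLE, p))
    print(outbound_peers(SAMPLE))
```

A port that shows up only as an ephemeral local port says nothing about what was sent over the connection; the destination list from `outbound_peers` and a packet capture are what answer that.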

To use Aureate or not to use? F-Secure Corporation cannot make this decision for you.

There is no fate but what we make for ourselves.

[F-Secure Corp., 2000]





