
Aureate 'Spying' case

Classification

Category: Malware

Type: -

Aliases: Aureate 'Spying' case, Aureate rumours

Summary


In March 2000, a message posted to an Internet forum accused Aureate.com of spying on computer users who have Aureate components installed.

F-Secure and other companies have been unable to confirm these rumours to be true or false. The company behind Aureate, called Radiate, has denied all such allegations.

Removal


F-Secure Anti-Virus doesn't detect Aureate, TimSink and other 'adware'.


Technical Details


Here's the original message that was forwarded to the forum by another person:

It seems that a company named aureate.com has been secretly
collecting data off everyone who uses applications that
incorporate their banner ad software. Look at the below email
for details. Also it's true last night the friend that sent me
this ran netstat -a to monitor his ports and sure enough while
running gozilla and downloading something through it.
The following is a listing of all software known to install the
Aureate spy on your system. The Aureate spy keeps track of your
Internet activities and sends a report to Aureate every time you
open your browser. The Aureate spy places the following files on
a Windows machine. [It is not known, yet, to affect Macintosh or
Linux machines.]
The installed files are some or all of:
adimage.dll
advert.dll
advpack.dll
amcis.dll
amcis2.dll
amcompat.tlb
amstream.dll
anadsc.ocx
anadscb.ocx
htmdeng.exe
ipcclient.dll
msipcsv.exe
tfde.dll
========== ========== ========== ==========
Dale said:
OK folks, living up to my reputation as a 'bulldog' when I get
my teeth into something, I have been busy 'reviewing' the
contents and code contained in the DLL's that Aureate makes use
of. Here are a few of my findings up to this point:
advert.dll
=======
This DLL creates a hidden window every time you open your
browser. It creates and sends 4 pages of information to the
Aureate servers using port 1749 on your system, these pages
include:
1. Your name as listed in the system registry ( not the name you
   installed one of the programs with )
2. Your IP address
3. The reverse DNS match of your address. ( tells them what ISP
   and area of country you are in )
4. A listing of ALL software that is shown in your registry as
   being installed. ( Not just the companies they work with )
5. This DLL sends the following information to their server on
   all URL's you visit:
   A.) ad banners you may click on
   B.) all downloads you do showing the filename/file
       size/date/time/type of file(image, zip,executable, etc)
   C.) full time and date stamps of all your actions while using
       your browser
   D.) the remote dialup number you are dialing in on (taken out
       of your dialer configuration)
   E.) dialup password if saved, does not "appear" at first
       glance to send this through to them.
6. Contains programmers note: "Show me the money! I want to be Mike!"
advpack.dll
=========
Used during the installation only to check for other needed
files.
amcis.dll
=======
This DLL modifies the following registry keys:
1. HKEY_CURRENT_CONFIG
2. HKEY_DYN_DATA
3. HKEY_PERFORMANCE_DATA
4. HKEY_USERS
5. HKEY_LOCAL_MACHINE
6. HKEY_CURRENT_USER
7. HKEY_CLASSES_ROOT
Unregisters oleaut32.dll from memory as provided by M$oft and
replaces with its own calls. Switches back to M$oft's when
browser is closed. Creates stub processes to be started anytime
your browser is opened.
amcompat.tlb
===========
This guy tracks any multimedia clips ( video/pictures/sound )
that you view. It tracks the rating level on the
video/picture/sound and title / location. Contains references to
DblClick ( still digging on this one! )
amstream.dll
==========
Sets up TWO way communications between your system and theirs.
Used to send info and receive update commands/files. Open port
1749 for communications
==================================================
The programs that are known to install the Aureate spy are:
123Search
3d Anarchy
3D-FTP
3rd block
Abe's FTP Client
Abe's Image Viewer
Abe's MP3 Finder
Abe's Picture Finder
Abe's SMB Client
Access Diver III
Acorn Email
AcqURL
ActionOutline Light 1.6
Active 'Net
Add URL
Add/Remove Plus!
Address Rover 98
Admiral VirusScanner
Advanced Call Center
Advanced Maillist Verify
AdWizard
Alive and Kicking
alphaScape QuickPaste
ASP1-A3
Auction Explorer
Aureate Group Mail
Aureate SpamKiller
AutoFTP PRO
AutoWeb
AxelCD
Beatle
Binary Boy
BinaryVortex
Blue Engine
BookSmith : Original
buddyPhone 2
Calypso email
CamGrab
Capture Express 2000
Cascoly Screensaver
CDDB-Reader
CDMaster32
ChanStat
Charity Banner
Cheat Machine
Check4New
ChinMail
Clabra clipboard viewer
Classic Peg Solitaire
ComTry Music Downloader
Crystal FTP
CSE HTML Validator Lite
CuteFTP 3.0
CuteFTP 3.0
CuteFTP/Tripod
CuteMX
CutePage
Danzig Pref Engine
DateTime
Delphi Component Test
Delphi Tester
Dialer 2000
DigiBand NewsWatch
DigiCams - The WebCam Viewer
Digital Postman
DirectUpdate
DL-Mail Pro 2000
DNScape
Doorbell 1.18
Download Minder 1.5
Download Wonder
DownLoader v.1.1
Dwyco Video Conferencing
EasySeeker
EmmaSoft ChatCat
EmmaSoft dBrow
EmmaSoft KeepLan
EmmaSoft Soundz
EnvoyMail
EZ-Forms FREE
File Mag-Net
FileSplit
Folder Guard Jr.
FourTimes
Free Picture Harvester
Free Solitaire
Free Spades
Free Submitter Pro
FreeImageEditor
FreeIRC
FreeNotePad
FreeSite
FreeWebBrowser
FreeWebMail
FreeZip!
FTPEditor
GetRight
Go!Zilla
Go!Zilla WebAttack
GovernMail
Grafula
Gunther's PasswordSentry
HangWeb
hesci Private Label
HTML Translator
HTTP Proxy-Spy
Huey v1.8 Color Picker
Iban Technologies IP Tools 3.1
Idyle GimmIP
Idyle GimmIP
iFind Graphics
imageN
Infinite Patience
InfoBlast
InnovaClub
InstallZIP
Internet Tree
Internetrix
InterWebWord Companion
JetCar
JFK Research
jIRC
JOC Email Checker
JOC Web Finder
JOC Web Spider
KVT Diplom
LapLink FTP
LineSoft Download
LOL Chat
LOL Chat
Mail Them
Meracl FontMap
Meracl ImageMap Generator
Midnight Oil Solitaire
MirNik Internet Finder
More Space 99
MouseAssist
MP3 Album Finder
MP3 Fiend
MP3 Grouppie
MP3 Mag-Net
MP3 Renamer
Mp3 Stream Recorder
MP3INFO-Editor
MultiSender
Music Genie
MX Inspector BIG AD
My Genie Patriots
My Genie SE
My GetRight
NeatFTP
Net CB
Net Scan 2000
Net Vampire
Net-A-Car Feature Car Screensaver
NetAnts
NetBoard
Netbus Pro 2.10
NetCaptor 5.0
Netman Downloader
NetNak
NetSuck 3.10.5
NetTime Thingy
Network Assistant
NeuroStock
NewsBin
NewsShark
NewsWire
NfoNak
NotePads+
Notificator 1.0b
Octopus
Pattern Book
People Seek 98
Personal Search Agent
Photocopier
PicPluck
Pictures In News
Ping Thingy
PingMaster
Planet.Billboard
Planet.MP3Find
PMS
ProtectX 3
ProxyChecker
QuadSucker/Web
Quadzle Puzzles
QuikLink Autobot
QuikLink Explorer
QuikLink Explorer Gold Edition
QuoteWatch
QWallet
Real Estate Web Site Creator
Recipe Review
ReGet 1.6
Resume Detective
RingSurf
RoboCam 1.10
Rosemary's Weird Web World
SaberQuest Page Burner
SBJV
SBWcc
Scout's Game
ScreenFIRE
ScreenFIRE - FileKing
ScreenFlavors
Sea Battle
Shizzam
Simple Submit
SimpleFind
SimpleSubmit v1.0
SK-111
Smart 'n Sticky
SmartBoard 200 FREE Edition
SmartSum calculator
SonicMail
Sound Agent
Space Central Screen Saver
Splash! Siterave
StartDrive
Static FTP
StockBrowser
Subscriber
SunEdit 2K
SuperIDE
Sweep
SweepsWinner
Text Transmogrifier
The Mapper
TheNet
TI-FindMail
TIFNY
Total Finger
Total Whois
Tracking The Eye
Trade Site Creator
TWinExplorer Standard
TypeWriter 1.0
UK Phone Codes
Vagabond's Realm
VeriMP3
Vertigo QSearch
Virtual Access
Visual Cyberadio
Visual Surfer
VOG Backgammon Main
VOG Backgammon Table
VOG Chess Main
VOG Chess Table
VOG Reversi Main
VOG Reversi Table
VOG Shell
VOG Shell
VOG Shell History
W3Filer
Web Coupon
Web Page Authoring Software
Web Registrant PRO
Web Resume
Web SurfACE
WEB2SMS
WebCamVCR
WebCopier
Web-N-Force
WebSaver
Website Manager
WebStripper
WebType
WhoIs Thingy
Win A Lotto
WinEdit 2000
Word+
Wordwright
WorldChat Client
Worm
www.devgames.com
xBlock
Your ESP Test
Zion
Zip Express 2000

Here is Aureate's answer to the published allegations:

A variety of false rumors have been started, and we would
appreciate your help in finding the source of these rumors so
that we can clarify what our technology actually does and put
these to rest.
As you may already know, what Aureate Media does is work with
software companies to make their products advertising supported.
Aureate's technology allows for these advertisements to be
delivered and displayed within the software products of these
software products.
The following concerns are those that have been brought to our
attention. If you have additional concerns, please do contact
us directly.

Advert.dll creates a hidden window every time you open your browser
This is true, but this happens because of the way that Microsoft
Windows networking works. You will find that in running almost
any windows program that hidden windows are created as this is
how the OS was designed.

Advert.dll creates and sends 4 pages of information to Aureate on port 1749
We aren't sure exactly what is being referred to here. The
first time someone installs software they are presented with an
optional demographic survey (none of the information is
required), and this information is sent to us one time (after
the survey is completed). Prior to answering these questions,
the user is presented with information explaining why we ask
these questions and how the answers are used. The information
sent is only the information provided.
The use of port 1749 is misleading, as again this is something
built into the way that Microsoft Windows networking works.
Windows will pick a high numbered port (1500+) in a largely
random fashion. Again, this is how the OS works.

Advert.dll will send your name to Aureate as it is listed in the system registry
Completely false.

Advert.dll will send your IP address to Aureate
Your IP address is sent, again because of the way that Microsoft
Windows networking and TCP/IP protocol works. An IP address is
obviously required in order to communicate with an internet
server in any instance.

Advert.dll performs a reverse DNS lookup on your IP address
Here again, it is Microsoft Windows networking that does this as
part of the OS networking system.

Advert.dll creates a process anytime your browser is open.
This is true. This process delivers advertisements to a cache
on the user's PC which are displayed while the software is being
run. This works in a similar way to how the browser works, with
content and images (including ads) being delivered to a cache on
the user's PC and then are displayed in the browser window.

Advert.dll sends a list of all software listed in your registry
Completely false.

Advert.dll sends a list of all URL's you click on/visit
Completely false.

Advert.dll sends a list of all ad banners you click on
Completely false. We will of course know when you click on an
ad banner that we delivered such that we can send the user to
that advertiser's web site in the same way that any ad network
works.

Advert.dll will send all downloads you perform and related information
Completely false.

Advert.dll will send full time and date stamps of all your actions while you use your browser.
Completely false.

Advert.dll contains the string "Show me the money! I want to be Mike!"
This is true. It's a text string used by the DLL. DLLs contain
many text strings which are used by the DLL itself. For
example, if a particular program displayed a window which
contained the text "Hello World", then the "Hello World" text
string would be present inside that DLL.

Advpack.dll (and all comments relating to it)
Completely false. Advpack.dll is not one of our DLLs.

Amcis.dll modifies the following registry keys: (list of keys removed)
Amcis.dll will only add itself to the HKEY_CLASSES_ROOT registry
key, as does any DLL installed on your system. It simply tells
Windows where to find the DLLs your programs use.

Amcompat.tlb (and all comments relating to it)
Completely false. Amcompat.tlb is not one of our files.

Amstream.dll (and all comments relating to it)
Completely false. Amstream.dll is not one of our DLLs.

We performed our own investigation and we cannot confirm these rumours to be true or false. Aureate components cause some extra Internet traffic when you browse the Net. Data packets 60-100 bytes long are periodically sent to several websites, including Aureate and its business partners.

We have found no indication that any confidential details of the user or any other data are sent out with those packets, and so we cannot give a conclusive statement on whether Aureate is a privacy threat or not.
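The dispute over "port 1749" above turns on which side of the connection a port number belongs to. As an added example (not part of the forum message, Aureate's reply or F-Secure's analysis), the following parses output in the layout of Windows `netstat -an` and groups client connections by remote endpoint. The sample rows and addresses are constructed, and treating local ports of 1024 and above as OS-assigned client ports is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Windows `netstat -an` (not captured data).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1749      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:1750      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:1751      198.51.100.7:21        TIME_WAIT
  TCP    192.168.1.10:139       192.168.1.20:1049      ESTABLISHED
  UDP    192.168.1.10:137       *:*
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")
EPHEMERAL_FLOOR = 1024  # assumption: local ports >= 1024 are OS-assigned client ports


def parse_tcp_rows(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per TCP row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            lip, lport, rip, rport, state = m.groups()
            yield lip, int(lport), rip, int(rport), state


def outbound_by_destination(text):
    """Group client-side connections by remote endpoint.

    The remote ip:port identifies the service being contacted; the local
    port is only the number the OS handed out for that one connection.
    """
    groups = defaultdict(list)
    for lip, lport, rip, rport, state in parse_tcp_rows(text):
        if state == "LISTENING":
            continue  # a listening socket has no peer yet
        if lport >= EPHEMERAL_FLOOR and rport < EPHEMERAL_FLOOR:
            groups[f"{rip}:{rport}"].append(lport)
    return dict(groups)


if __name__ == "__main__":
    for dest, ports in sorted(outbound_by_destination(SAMPLE).items()):
        print(f"{dest:22} local ports used: {ports}")
```

In the sample, local port 1749 is one of several client ports used towards the same remote endpoint, so monitoring or filtering has to key on the remote address and port.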

To use Aureate or not to use? F-Secure Corporation cannot make this decision for you.

There is no fate but what we make for ourselves.

[F-Secure Corp., 2000]