
UPDATE: Aureate Media changed its name to Radiate. Other companies aside from Aureate/Radiate offer spyware. They use much the same technique, so what I describe here should help you identify and thwart this kind of spyware.
Lately I received a mail warning of something called "Aureate-Spy". If you've heard of that, you may have noticed that much of it is exaggerated. Unfortunately not all of it is.
Nonetheless some caution is in order. I could not yet verify that Aureate Media (www.aureate.com) is truly sending very personal data (aside from the data gathered at the start or during usage of the ad-ware) over to their server. Even if they don't do it now, the possibility still exists, and that makes their technique a potential leak.
Aureate created software that is distributed with so-called "ad-ware". Two examples of ad-ware are CuteFTP 3.0 and the Go!zilla download manager (they're not the only ones, only those I could positively identify as being distributed with the so-called "Aureate Spy"). While you've got them running, banners with advertisements are displayed on your desktop and data are gathered from your actions (clicking a banner, for example).
What's new here is that this ad-ware is a demo of the product you should buy later. Or shouldn't. If you're like me, you'd never buy from a company that associates with Aureate Media. As far as I know some software distributed as ad-ware is freeware, so be careful here, too.
When I got the mail mentioned above, I decided to find out more about this.
- advert.dll gets installed in your <%syspath> (in most cases: c:\windows\system)
- amcis.dll is also installed in the <%syspath>
- some registry keys are created to store information for Aureate Media's software
- when the ad-ware is run the first time, you are supposed to enter some very personal data. You can abort this and should do so.
- the data you enter are stored in the registry in so many places that it's impossible for the inexperienced user to find all of them
- a hidden directory is created under your <%winpath>, which contains about 20 banners, a file called 1.ctl, and another file ending in .chk

- advert.dll starts a hidden window that receives WM_TIMER messages at a high frequency. I consider this most impolite to other applications, but it's not a threat.
- when you double-click the ad within the ad-ware, advert.dll is notified of this (WM_DOUBLECLICK). After the notification it calls the shell to start the primary browser and passes the URL of the company that advertised. This too is nothing dangerous; in fact the same thing happens if you click a link within a mail. What's unusual here is that the so-called "Aureate Spy" stores the ads you clicked in order to notify Aureate Media of them.
- when the banner changes, advert.dll is notified of it. I could not find out what it does with the message. Perhaps it's just as Aureate said: a banner you've seen is replaced. Well, I saw banners more than once.
- when the ad-ware is closed, so is the hidden window (WM_QUIT)

- the next time you start a browser (not only the primary one), another hidden window (owner: advert.dll) is opened
- as soon as you connect to the net, a connection with Aureate Media is made, sending data _to_ Aureate's server and receiving data _from_ their server. The user is not notified of it. Aureate themselves state that only new banners are sent.
- this window closes with the browser, no sooner
- all the while your browser is open, the connection with Aureate remains in ESTABLISHED state and data flow to and fro
- the hidden window receives WM_USER, WM_TIMER and WM_CLICK messages until it is closed (together with the browser)

- the DLLs stay within your <%syspath>
- the registry entries of Aureate are not removed
- the hidden directory is not removed, nor is its content
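The browser-time connection described above shows up in ordinary netstat output. The following is an added example, not the page author's code: it parses netstat -an style lines and flags established TCP connections to the remote port the page reports (1975) or to the server IPs gathered from the registry. The sample netstat lines and every address in them are constructed placeholders.

```python
# Added example (not the page's code): flag the browser-time connection described
# above in 'netstat -an' output. All addresses are constructed; 1975 is the port the page reports.
import re
from typing import NamedTuple

# One netstat line: Proto, Local Address, Foreign Address, State (absent for UDP)
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\w+)?\s*$")
SUSPECT_REMOTE_PORTS = {1975}  # verify against the port stored in the registry

class Conn(NamedTuple):
    proto: str
    local: str
    remote_host: str
    remote_port: int
    state: str

def parse_netstat(lines):
    """Parse netstat output, skipping headers, blanks and UDP wildcard endpoints."""
    conns = []
    for line in lines:
        m = NETSTAT_RE.match(line)
        if not m or m.group(5) == "*":
            continue
        conns.append(Conn(m.group(1), f"{m.group(2)}:{m.group(3)}",
                          m.group(4), int(m.group(5)), m.group(6) or ""))
    return conns

def suspicious_connections(lines, ports=SUSPECT_REMOTE_PORTS, blocked_ips=frozenset()):
    """Established TCP connections whose remote port is in `ports` or whose
    remote host is one of the IPs gathered by pinging the registry's server names."""
    return [c for c in parse_netstat(lines)
            if c.proto == "TCP" and c.state == "ESTABLISHED"
            and (c.remote_port in ports or c.remote_host in blocked_ips)]

# Constructed sample: one ordinary web connection, one live and one closing
# connection to remote port 1975, and a UDP listener that must be ignored.
SAMPLE_NETSTAT = """
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.5:1032       192.0.2.10:80          ESTABLISHED
  TCP    192.168.0.5:1033       192.0.2.44:1975        ESTABLISHED
  TCP    192.168.0.5:1034       192.0.2.44:1975        TIME_WAIT
  UDP    192.168.0.5:137        *:*
""".splitlines()

if __name__ == "__main__":
    for c in suspicious_connections(SAMPLE_NETSTAT):
        print(f"{c.proto} {c.local} -> {c.remote_host}:{c.remote_port} ({c.state})")
```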
The company creating the ad-ware contracts with Aureate Media for the use of their DLLs. The DLLs display banners and thus cut costs for the creator of the ad-ware.
Aureate Media themselves contract with companies who want their advertisements displayed. According to Aureate Media, these ads are transmitted to the end-user - you.
After the installation of the ad-ware a set of windows comes up, asking you some quite intimate questions. One of them is the amount of your pay. You are not forced to enter these data; it's up to you, and the ad-ware will still function. Rumour has it that this window, which is the only notification of the use of Aureate Media's software (aside from a not necessarily distributed EULA), is not displayed in all cases.
Aureate Media say the information you volunteer is used to gain statistical data on the user and is sent over to the creator of the ad-ware.
They inform the advertiser of the banners shown. Also, Aureate Media says that the connection is made solely for the transfer of the data you volunteered to them and of new banners to you.
Aureate Media's next statement is that all files of theirs are destroyed as soon as there is no ad-ware left on the system. According to Aureate Media this is the case when all ad-ware is either uninstalled or registered.
I refrained from quoting Aureate Media. Please refer to their site for the full statement.
You are forced to accept data from an untrusted source, without notification of their arrival or the possibility to reject them. This reeks of spam.
You can't even check them for viruses or other harmful content.
Just imagine some data were sent that are illegal to possess (child pornography or things like that). You'd be liable for the content on your machine even though you never intended to violate the law. Of course, you could trust Aureate Media not to transfer such illegal material to your machine, but it's possible and you would not be able to prevent it.
The sheer number of WM_TIMER messages slowed my system down considerably. I think this most impolite, and while I was programming it interfered with my programs most annoyingly.
Under Windows the extension of a file determines its usage, but there's no reason not to give an extension another meaning than the usual one. The extension .ctl (file 1.ctl of Aureate Media's design) would point to an uncompiled user control under Visual Basic. 1.ctl is no such user control, so the extension is misleading, if not deliberately deceiving.
The other file in the hidden directory, which I could not identify, has the extension .chk. This usually announces a file created by checkdisk, but that is not the true use or origin of the file.
The transfer of data, even if a connection is already made, raises the cost for users, even those who pay per time unit rather than for the amount of transferred data. You can't close the dial-up connection while the transfer is going on, and this results in longer on-line times when doing short tasks (such as downloading mail or just hopping to a newsticker and saving the page to read it off-line).
If you sum these times up, the ad-ware is more expensive than you assumed. You pay for trying the thing out, and as the term "demo-software" usually means a trial without cost, ad-ware should refrain from using the term. This is even more the case for so-called "freeware". I did not register an ad-ware and thus am not sure whether the registered product still calls Aureate Media's software and thus leads to cost even after the registration. I will not try that out, as I'd never buy from a company that associates with Aureate Media.
I never saw a clear statement or a sample-contract for both the designer of the ad-ware and the advertiser.
As far as I know such selling of data is against German law if not explicitly allowed by the person whose data are used, but I'm no lawyer and thus not sure. Please ask one if you want to be certain.
It is true that the user enters the data voluntarily and is informed of the possibility of not answering the questions, so perhaps providing the data could be interpreted as consent. Nonetheless you're left under the impression that without entering the information the application will not work properly.
If the latter is the case, which file is it and is it - unlike the registry for example - restored to its original state?
Of course I have some assumptions as to what the answers to some of these questions will be. But maybe my suspicion and mistrust mislead me. If I get an answer from Aureate Media and permission to quote it, I shall post it here.
What I did to get rid of the thing

First think a moment. Do you want to use the ad-ware? If so, you cannot delete Aureate Media's files, as the ad-ware will stop working.
Refer to "What to do if you want to keep the ad-ware" instead.
If you registered an ad-ware or uninstalled it and still have Aureate Media's software on your machine, you should be able to delete it safely. At least if Aureate Media is to be believed.
I'll tell you what I did to rid myself of the software. It did not hurt my machine and should not hurt yours. Yet your machine is quite likely very different from mine. If you're not very sure what you are doing and don't understand why every single step is done, ask someone who knows the stuff (your vendor, for example). DO IT! You're on your own and I won't take any responsibility. You've been warned.
1. I uninstalled every ad-ware I found with the proper uninstaller. In my case it was only one, but you may have more. If Aureate Media's statement were true, this should have been all that was necessary. Well, it wasn't.
2. The hidden directory in the <%winpath>: on my machine it was named \amc and contained a subfolder "1", which held the 20 ads and the aforementioned files. I deleted it.
3. advert.dll and amcis.dll in the <%syspath>: I couldn't delete them while a browser was up, so I closed it, then deleted the files.
4. I ran <%winpath>\regedit.exe and searched for Aureate. Quite a lot of keys were found in very unusual places. I deleted them all.
5. I wrote a mail to the manufacturer of the software "infected" with the so-called Aureate-Spy, informing them of my mistrust and of my reason never to buy their software.
6. I downloaded software from another company, which does not associate with Aureate Media.

What to do if you want to keep the ad-ware

There are some ways to thwart the attempts on your machine by Aureate Media. Well, I personally would not use software from a company that contracts with Aureate Media, but you must decide for yourself. Do as you think fit.
1. Get yourself a good personal firewall (buy it if necessary, they're well worth the money) and create the appropriate rules.
1.1. With regedit.exe look into your registry and copy the names of the servers that Aureate Media's software wants to access.
1.2. Start a DOS window and type ping <servername>, with <servername> being a name you copied from the registry. Do this for every server named in the registry and carefully write down the IPs you get.
1.3. Block the IPs within your personal firewall. The firewall's help will show you how this is done.
1.4. As far as I could find out, the remote port accessed by Aureate Media's software is 1975, but this may change. You'll find the port in the registry immediately under the server's name; please verify the port, it may be different! Create a rule for your personal firewall blocking the port for all addresses. If this interferes with a connection you want to use, exempt that connection by creating a rule with higher precedence allowing it.
2. In your <%winpath> look for a file named hosts.txt. If it isn't there, you'll find a hosts.sam. If you find the latter, copy it to hosts.txt (.sam in this case means "Sample").
hosts.txt is a file mapping names to IPs. Usually this is done by a nameserver, but you can override the nameserver with this file.
2.1. Open hosts.txt with Notepad.
2.2. Insert the following lines into hosts.txt, replacing the server names with those you found in your own registry (step 1.1) if necessary. Please double-check the server names.

# Aureate-Block
127.0.0.1 aim1.adsoftware.com
127.0.0.1 aim2.adsoftware.com
127.0.0.1 aim3.adsoftware.com
127.0.0.1 aim4.adsoftware.com
127.0.0.1 aim1.adware.com
127.0.0.1 aim2.adware.com
127.0.0.1 aim3.adware.com
127.0.0.1 aim4.adware.com

2.3. Save the changed hosts.txt.
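To confirm that the hosts entries actually took effect, here is an added example (not the page's own code) that parses a hosts file, reports which of the eight server names above are sinkholed to 127.0.0.1, which are missing and which still point somewhere else, and emits the lines that still need to be appended. The sample file contents are constructed.

```python
# Added example (not the page's code): audit a hosts file for the Aureate
# sinkhole entries. SAMPLE_HOSTS is constructed; the server names are the page's.
AUREATE_SERVERS = [f"aim{i}.{dom}" for dom in ("adsoftware.com", "adware.com")
                   for i in range(1, 5)]
SINKHOLE = "127.0.0.1"

def parse_hosts(text):
    """Map each name to its address. Comments (#) and blank lines are skipped,
    one address may carry several names, and the first mapping wins (as the resolver does)."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or an address without a name
        for name in fields[1:]:
            mapping.setdefault(name.lower(), fields[0])
    return mapping

def audit_hosts(text, servers=AUREATE_SERVERS, sinkhole=SINKHOLE):
    """Return (blocked, missing, misdirected). Misdirected names map to an
    address other than the sinkhole and would still reach a real server."""
    mapping = parse_hosts(text)
    blocked = [s for s in servers if mapping.get(s) == sinkhole]
    missing = [s for s in servers if s not in mapping]
    misdirected = {s: a for s, a in mapping.items() if s in servers and a != sinkhole}
    return blocked, missing, misdirected

def missing_block(text, servers=AUREATE_SERVERS, sinkhole=SINKHOLE):
    """Lines to append so every missing server is sinkholed; empty if none is missing.
    A misdirected entry must be edited in place, because its earlier line wins."""
    _, missing, _ = audit_hosts(text, servers, sinkhole)
    if not missing:
        return ""
    return "\n".join(["# Aureate-Block"] + [f"{sinkhole} {s}" for s in missing]) + "\n"

# Constructed sample: two names sinkholed, one pointing at a documentation-range address.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# Aureate-Block
127.0.0.1   aim1.adsoftware.com aim2.adsoftware.com
192.0.2.1   aim1.adware.com
"""

if __name__ == "__main__":
    blocked, missing, bad = audit_hosts(SAMPLE_HOSTS)
    print(f"blocked {len(blocked)}, missing {len(missing)}, misdirected {bad}")
    print(missing_block(SAMPLE_HOSTS), end="")
```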