Vulnerability Development mailing list archives
Re: All Advantage Spyware
From: Jonathan Rickman <jonathan () XCORPS NET>
Date: Sun, 10 Sep 2000 18:27:58 -0400
On Sat, 9 Sep 2000, Daehlie Owns wrote:
Attention AllAdvantage Users: It has come to my attention that All Advantage corp.'s software for surfing the net for money has some dll files that do some interesting things. They are detailed in this text file, written by acecww, http://home.cyberarmy.com/acecww/advert.txt , please read it, it shows many things, such as screwing with the registry, and unregistering dlls, replacing the code, then when your browser closes, putting everything back to the way it was. Anyone else have any comments, questions, or just plain outrage, please reply to this email. --Daehlie
This is not exactly breaking news, but it should still spark plenty of outrage. A few of us on the list have been working on a project to document the various spyware systems and detail how they operate from a "techie's" point of view. If you'd like to help out with this project you can visit my site or email me directly.

We are currently focused on the Aureate / Radiate system, which uses the advert.dll file you mentioned. After reading through the disassembly (over 200,000 lines) it appears that nothing is amiss. Let me know if you'd like a copy of the disassembly and I'll send you a link. It's a 7 meg download, but it never hurts to have some extra pairs of eyeballs looking it over.

Steve Gibson has performed some research on this in the past and has come to the same conclusion that we are rapidly approaching: the advert.dll is basically harmless unless used in conjunction with another exploit, such as using a browser vulnerability to write to the hosts file, thus redirecting the dll to a server of your choosing. There it will download and run any exe named update-dll.exe, regardless of its size. In short, the potential for abuse is there, it's up to us to find a practical way to exploit it and raise the level of awareness. It is our hope that this approach might put an end to this problem once and for all.
-- Jonathan Rickman X Corps Security http://www.xcorps.net
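The message above names a modified hosts file as the precondition for redirecting the component's update download. As an added example (not part of the original message or of any project it mentions), the following audit parses a hosts file and flags entries that override DNS. The watched hostname is a hypothetical placeholder, since the message does not name the update server, and the sample file is constructed.

```python
import ipaddress

# Hypothetical hostname standing in for the ad component's update server;
# the original message does not name it.
WATCHED = {"updates.adserver.example"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (line_no, ip, [names]) per valid entry; skip comments and junk."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: not a usable entry
        # Hostnames are case-insensitive and may carry a trailing root dot.
        yield line_no, ip, [n.lower().rstrip(".") for n in fields[1:]]

def audit_hosts(text, watched=WATCHED):
    """Return (severity, line_no, name, ip) for entries that override DNS."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if name in LOCAL_NAMES:
                continue
            if name in watched:
                severity = "high"    # update host pinned locally: investigate
            elif ip.is_loopback or ip.is_unspecified:
                severity = "info"    # sinkhole / blocklist style entry
            else:
                severity = "medium"  # DNS override to a routable address
            findings.append((severity, line_no, name, str(ip)))
    return findings

# Constructed sample hosts file (not taken from any real system).
SAMPLE = """\
127.0.0.1   localhost
# 10.0.0.5  commented.example
0.0.0.0     tracker.example        # blocklist entry
192.0.2.44  Updates.AdServer.Example.
198.51.100.7 intranet.example wiki.example
not-an-ip   bogus.example
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(*finding)
```

On Windows systems of that era the file to feed in would be the hosts file under the Windows directory; pass its contents as `text`.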