
Aureate's Watching You

posted on June 27, 2000
by hitbsecnews

Let me start by asking you a simple question. How many of these programs
do YOU have installed on your system and/or network?

3D anarchy, 3D-FTP, any Abe's software (Abe's FTP, Abe's Image viewer, etc.),
Acorn E-mail, Add URL, Alive and Kicking, Add/Remove PLUS!, AdWizard, AutoWeb,
AxelCD, Beatle, BinaryVortex, Blue Engine, CamGrab, Capture Express 2000,
Cheat Machine, ChanStat, CSE HTML Validator, Crystal FTP, CuteFTP 3.0,
CuteFTP/Tripod, CutePage, Digicams - The WebCam Viewer, GetRight, Splash!,
Web Resume, WebCopier, Web-N-Force, WebStripper, Your ESP Test, Zion,
Zip Express 2000.

It's a fairly safe bet you have at least one of the programs listed above
installed on your system. If you do have one or more of these software
packages installed and you are a security-conscious person like myself,
and since you're reading this page I assume you are, you will be horrified
at what information this software sends about you to a 3rd party called
Aureate. When you install an offending program that is affiliated with
Aureate it installs what people who know of it have come to call the "Aureate
Spy". This Spy program consists of various DLL and EXE files that are
activated when you launch your web browser. The information that is sent
to Aureate includes your name as it appears in the system registry, a
listing of the software that is installed on your system as it appears in
the system registry, and your web surfing habits: what sites you visit and
what banners you click on.

The DLL and EXE files that are installed by the Aureate spy are adimage.dll,
advert.dll, advpack.dll, amcis.dll, amcis2.dll, amcompat.tlb, amstream.dll,
anadsc.ocx, anadscb.ocx, htmdeng.exe, ipcclient.dll3, msipcsv.exe, tfde.dll.
To my knowledge these files are not used by any other programs. I found
most of these files on my system and upon finding them I renamed them
before deleting them to make sure it didn't affect any of my existing
programs, which naturally it didn't affect in the slightest, so I was
able to delete them without any adverse effects to my system. I have found
some information on what each DLL apparently does. This information was
taken from the NT Security Mailing list.

advert.dll - This DLL creates a hidden window every time you open your
browser. It creates and sends 4 pages of information to the Aureate servers
using port 1749 on your system, these pages include:

1. Your name as listed in the system registry (not the name you installed
one of the programs with)

2. Your IP address

3. The reverse DNS match of your address. (Tells them what ISP and area
of country you are in)

4. A listing of ALL software that is shown in your registry as being installed.
(Not just the companies they work with)

5. This DLL sends the following information to their server on all URLs
you visit:

A.) ad banners you may click on

B.) all downloads you do showing the filename/file size/date/time/type of
file (image, zip, executable, etc.)

C.) full time and date stamps of all your actions while using your browser

D.) the remote dialup number you are dialing in on (taken out of your
dialer configuration)

E.) dialup password if saved, does not "appear" at first glance to send this
through to them.

6. Contains programmer's note: "Show me the money! I want to be Mike!"

advpack.dll - Used during the installation only to check for other
needed files.

amcis.dll - This DLL modifies the following registry keys:

1. HKEY_CURRENT_CONFIG

2. HKEY_DYN_DATA

3. HKEY_PERFORMANCE_DATA

4. HKEY_USERS

5. HKEY_LOCAL_MACHINE

6. HKEY_CURRENT_USER

7. HKEY_CLASSES_ROOT

Unregisters oleaut32.dll from memory as provided by M$oft and replaces it
with its own calls. Switches back to M$oft's when browser is closed. Creates
stub processes to be started anytime your browser is opened.

amcompat.tlb - This guy tracks any multimedia clips (video / pictures /
sound) that you view. It tracks the rating level on the video/picture/sound
and title/location. Contains references to DblClick (still digging on this
one!)

amstream.dll - Sets up TWO way communications between your system and
theirs. Used to send info and receive update commands/files. Opens port 1749
for communications. <---- the port number seems to vary from program to
program

When Aureate was approached with the above information they replied with the
following.

Aureate's reply to the above information:

A variety of false rumors have been started, and we would appreciate your
help in finding the source of these rumors so that we can clarify what
our technology actually does and put these to rest.

As you may already know, what Aureate Media does is work with software
companies to make their products advertising supported. Aureate's technology
allows for these advertisements to be delivered and displayed within the
software products of these software products.

The following concerns are those that have been brought to our attention.
If you have additional concerns, please do contact us directly.

Advert.dll creates a hidden window every time you open your browser

This is true, but this happens because of the way that Microsoft Windows
networking works. You will find that in running almost any windows program
that hidden windows are created as this is how the OS was designed.

Advert.dll creates and sends 4 pages of information to Aureate on port 1749

We aren't sure exactly what is being referred to here. The first time
someone installs software they are presented with an optional demographic
survey (none of the information is required), and this information is
sent to us one time (after the survey is completed). Prior to answering
these questions, the user is presented with information explaining why
we ask these questions and how the answers are used. The information sent
is only the information provided. The use of port 1749 is misleading,
as again this is something built into the way that Microsoft Windows networking
works.

Windows will pick a high numbered port (1500+) in a largely random fashion.
Again, this is how the OS works.

Advert.dll will send your name to Aureate as it is listed in the system
registry

Completely false.

Advert.dll will send your IP address to Aureate

Your IP address is sent, again because of the way that Microsoft Windows
networking and TCP/IP protocol works. An IP address is obviously required
in order to communicate with an Internet server in any instance.

Advert.dll performs a reverse DNS lookup on your IP address

Here again, it is Microsoft Windows networking that does this as part of the
OS networking system.

Advert.dll creates a process anytime your browser is open.

This is true. This process delivers advertisements to a cache on the user's
PC which are displayed while the software is being run. This works in
a similar way to how the browser works, with content and images (including
ads) being delivered to a cache on the user's PC and then are displayed
in the browser window.

Advert.dll sends a list of all software listed in your registry

Completely false.

Advert.dll sends a list of all URL's you click on/visit

Completely false.

Advert.dll sends a list of all ad banners you click on

Completely false. We will of course know when you click on an ad banner that
we delivered such that we can send the user to that advertiser's web site in
the same way that any ad network works.

Advert.dll will send all downloads you perform and related information

Completely false.

Advert.dll will send full time and date stamps of all your actions while you
use your browser.

Completely false.

Advert.dll contains the string "Show me the money! I want to be Mike!"

This is true. It's a text string used by the DLL. DLLs contain many text
strings which are used by the DLL itself. For example, if a particular program
displayed a window which contained the text "Hello World", then the "Hello
World" text string would be present inside that DLL.

Advpack.dll (and all comments relating to it)

Completely false. Advpack.dll is not one of our DLLs.

Amcis.dll modifies the following registry keys: (list of keys removed)

Amcis.dll will only add itself to the HKEY_CLASSES_ROOT registry key, as does
any DLL installed on your system. It simply tells Windows where to find the
DLLs your programs use.

Amcompat.tlb (and all comments relating to it)

Completely false. Amcompat.tlb is not one of our files.

Amstream.dll (and all comments relating to it)

Completely false. Amstream.dll is not one of our DLLs.

Well I will leave you to make up your own mind on how _True_ Aureate's
reply is, but I personally do not trust the corporate reply as far as I
could throw it. I hope you don't get stung by this invasion of privacy
as so many others have been in the past and probably will continue to
be stung in the future. It kind of leads to the question of who people
should worry about more: _Hackers_, or these corporate sleaze bags that
think because they do not ask for money for their programs it gives them
the right to harvest information straight off your computer without you
knowing. Actually this line of thought opens a can of worms because it
brings up the topic of why antivirus software companies don't detect this
as a Trojan, because in essence that is what it is: this company (Aureate)
is accessing data from your computer without your knowledge just like
any other backdoor/Trojan that can be placed on a Windows machine and
accessed by, dare I say it, _Hackers_. Agh, I said it, heheh, that's gonna
cost me, I can feel it already :P.

* OB-1 *
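
The rename-before-delete check described in the article, as an added example (not code from the original article or from Aureate): it looks for the file names on the article's list under a directory, renames the hits reversibly, and leaves alone the three names that Aureate's reply says are not its files. The `.quarantined` suffix, the function names and the demo directory are assumptions made for the example; the file names are spelled as printed on the page.

```python
import os
import tempfile

# File names copied from the article's list (spelled as printed on the page).
LISTED = {
    "adimage.dll", "advert.dll", "advpack.dll", "amcis.dll", "amcis2.dll",
    "amcompat.tlb", "amstream.dll", "anadsc.ocx", "anadscb.ocx",
    "htmdeng.exe", "ipcclient.dll3", "msipcsv.exe", "tfde.dll",
}
# Names Aureate's reply says are not its files; never touch these automatically.
DISPUTED = {"advpack.dll", "amcompat.tlb", "amstream.dll"}
SUFFIX = ".quarantined"  # assumption: any reversible marker suffix would do


def find_listed(root):
    """Return sorted (path, disputed) pairs for listed names under root."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            key = name.lower()  # Windows file names are case-insensitive
            if key in LISTED:
                hits.append((os.path.join(folder, name), key in DISPUTED))
    return sorted(hits)


def quarantine(root, dry_run=True):
    """Rename undisputed hits in place so the change can be undone."""
    renamed, skipped = [], []
    for path, disputed in find_listed(root):
        if disputed:
            skipped.append(path)  # report for manual review only
            continue
        if not dry_run:
            os.rename(path, path + SUFFIX)
        renamed.append(path)
    return renamed, skipped


def demo():
    """Run against a constructed directory tree, not a real system."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("ADVERT.DLL", "amstream.dll", "notepad.exe"):
            open(os.path.join(root, name), "wb").close()
        renamed, skipped = quarantine(root, dry_run=False)
        left = sorted(os.listdir(root))
        return ([os.path.basename(p) for p in renamed],
                [os.path.basename(p) for p in skipped], left)


if __name__ == "__main__":
    print(demo())
```

With `dry_run=True` (the default) nothing is renamed and the two returned lists only report what would be quarantined and what needs manual review.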
