This isn't a "real" reversing essay, I'm just presenting a funny (yet working) easy trick... things are not always what they seem.

It's almost Xmas, eh, supermarkets, malls and virtual e-shops are full 7/7 and 24/24 of people "consuming" themselves black and blue... and who am I to avoid our societal "obligation" to make presents on command?

I would like to offer as my own first Xmas present to all readers (yep, not only reversers) a simple yet effective method to get rid of advertisement banners inside "free" (or after all "not so free") software.
Some days ago I was investigating the Aureate spy system. This sniffing approach consists of various DLL libraries and executable files that are run every time you connect to the Web. Aureate seems to collect quite a lot of info: your name (an entry in the system registry), a listing of the software that is installed on your system (entries in the system registry) and "your web surfing habits", i.e. what sites you have visited and what "banners" you have clicked on (assuming that someone really clicks on banners, which I fail to believe).
Now, in a world where even small commercial firms can offer for sale aerial photographs with [1 meter resolution], such attacks on our privacy are almost irrelevant (frightening, eh? And it's a five-year-old technology... think what any average secret agency could do now), but I'm digressing. Back to Aureate.
You can easily check if you already have this Aureate sniffing system inside your own windoze box right now (and, oh boy, chances are that you indeed have it without even noticing it): [click here with the right mouse button] and choose "open in new window", now scroll a little and see if you have a dll called "advert.dll" (yes, you most prolly do :-).
I won't go now into the intricacies of advertisement-based statistical methods... basically, as anyone knows nowadays, the commercial bastards are ready to tramp over your dead kids' bodies in order to fetch some of your personal data to stuff their databases (so that they can re-sell them to other similar bastards). Some of the Aureate DLLs set (mostly through port 1749) a "plug" into your box. Each user is given a unique user ID by the Aureate system, thus allowing quite complex spying activities. Note also that the Aureate system actively sends and receives data over the web even when the advertising-trojan program is not running or has been deleted or uninstalled! You'll find all the necessary explanations [here].
Keep in mind that in the silly world we are living in, a lot is due to 'user inattention': many tricks are allowed and blessed by a social system that encourages fraud and discourages (or even punishes) "reversing frauds": when accepting "free software", lusers often blithely skip through the fine print that displays across their monitors. The fact that more and more people are installing "always-on" broadband connections to the Internet is a godsend for all kinds of advertisement bastards: a friend of mine was scared to hell after I suggested that he install BlackICE (Network ICE aka "blackice", see [fosi] if you don't have the money to pay for it): you're most probably thoroughly sniffed at least a dozen times during each one of your Internet sessions (again, if you don't believe it, [check] it).
Chances are that you have Aureate sitting in the guts of your system if you have installed just one single application out of a [growing number] of so-called "free" applications that compel you to slurp advertisements "in exchange" for their graciously being oh so free... Among other "aureatish" spysoftware there are CuteFTP, Crystal FTP, Go!Zilla and many other widely used programs (most of them, for obvious reasons, being FTP or URL-gathering applications; see [this list] or the link above to fetch various more or less "complete" lists of them).
Now I know that most readers are NOT reversing-savvy experts, and therefore I'll show you a very simple method of disabling both the eye-irritating ads inside the software and destroying the "validity" of the whole Aureate spying bazaar through a trick so easy to apply that even the aunt of your girlfriend will be able to do it by herself (and your girlfriend will thank you for it)...

So, without further ado... here is what you can do to heal your box (if you're really so unhappy that you have to use windoze instead of GNU/Linux... but beware the appearance of Linux Aureate programs). This approach is moreover so straightforward and easy that anyone will be able to apply it on the fly :-) How nice...
Pay attention, reader! Now we come to the interesting Xmas present... in order to screw (back) black and blue ALL SOFTWARE with embedded sniffing functions made by these Aureate clowns, simply go to your windows/system subdirectory and boldly and quietly RENAME the following files:
amstream.dll  --->  amstream.frv   (81,920 bytes, 23/04/99 22:22)
advpack.dll   --->  advpack.frv    (89,360 bytes, 03/12/99 06:08)
amcompat.tlb  --->  amcompat.frv   (16,832 bytes, 27/10/00 19:20)
amcis.dll     --->  amcis.frv      (45,056 bytes, 01/04/99 14:52)
Addendum, March 2001: Josh pointed out that AMSTREAM.DLL, ADVPACK.DLL and AMCOMPAT.TLB are not real Aureate files, and are used respectively for MS multimedia functions, MS installations, and ActiveMovie components, and suggested that only AMCIS.DLL needs to be renamed. However, field experiments still seem to prove that all four of the above files must be renamed in order to kill Aureate fully. Further observations on these matters would be welcome.

Note that date and time stamps often betray WHICH trojan "free" software installed these bug files... anyway, renaming these four files (of course not necessarily to *.frv... be inventive) should be enough to cover all Aureate snooping trojans on your system. Should you have some kind of funny problems (you won't, but one never knows: in doubt always disclaim :-) just rename them back to their original extensions. At that point it would be nice if you could - if possible and capable - start a little research on your own and try to pinpoint the culprit application, or even better, the parts of the code that are doing it, and then (if after having worked a while on such matters you deem such info important) send your findings over to me...
ATTENTION: Do not, I repeat DO NOT, rename advert.dll; leave that library ALONE. Rest assured that this "trojan dll" won't "work" for Aureate without its dll siblings (that you renamed into the void), so don't worry. On the other hand, if you directly attack it and rename it, it will -alas- screw your "oh so free" applications after you have nuked it (on purpose: these people are evil).
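As an added example (not code from the original essay), here is a PowerShell script that does the rename prescribed above in a logged and reversible way: it checks for advert.dll without ever touching it, records each target file's size and time stamp before renaming, parks the four files as *.frv, and can restore them with -Restore. The windows\system path default and the -Restore and -DryRun switches are my assumptions; run it with -DryRun first to only inventory.

```powershell
# Added example, not code from the original essay: inventory the four files the
# essay names plus advert.dll, log size and time stamps, and rename the four in a
# reversible way. Assumption: Win9x layout, %SystemRoot%\System, as in the essay.
param(
    [string]$SystemDir = (Join-Path $env:SystemRoot 'System'),
    [switch]$Restore,   # rename *.frv back to the original names
    [switch]$DryRun     # report only, change nothing
)

# The files the essay says to rename; amcompat.tlb is a type library, not a DLL.
$targets = 'amstream.dll', 'advpack.dll', 'amcompat.tlb', 'amcis.dll'

# advert.dll is only checked for, never renamed, as the essay insists.
if (Test-Path (Join-Path $SystemDir 'advert.dll')) {
    Write-Output ("advert.dll found in {0}: Aureate components are likely installed" -f $SystemDir)
} else {
    Write-Output ("advert.dll not found in {0}" -f $SystemDir)
}

foreach ($name in $targets) {
    $stem   = [IO.Path]::GetFileNameWithoutExtension($name)
    $orig   = Join-Path $SystemDir $name
    $parked = Join-Path $SystemDir ($stem + '.frv')
    if ($Restore) { $from = $parked; $to = $orig } else { $from = $orig; $to = $parked }

    if (-not (Test-Path $from)) {
        Write-Output ("{0,-14} not present" -f (Split-Path $from -Leaf))
        continue
    }
    # Size and last-write time: the essay notes these betray which installer
    # dropped the file, so record them before touching anything.
    $item = Get-Item $from
    Write-Output ("{0,-14} {1,9:N0} bytes  {2:dd/MM/yy HH:mm}" -f $item.Name, $item.Length, $item.LastWriteTime)
    if ($DryRun) { continue }
    Rename-Item -Path $from -NewName (Split-Path $to -Leaf) -ErrorAction Stop
    Write-Output ("  renamed to {0}" -f (Split-Path $to -Leaf))
}
```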
Once you have renamed the four files I have listed above, you'll be free from Aureate sniffing AND from compelled advertisement banners! You don't believe me? Just have a look at the wondrous new "post-Fravian intervention" developments through a given target: start, for instance, Crystal FTP 2000, a nice ftp program but, alas, Aureate-advertisement infested (if you don't have nor use Crystal FTP, start whatever other Aureate-pushing application you wish)... woah... the program runs fine and... no more ads... yep, that's it... commercial bastards annihilated through windoze's RENAME function, ahah... which was to be demonstrated...

Merry Xmas to all of you, enjoy some nice [Tre Marie] Panettone ("good and low") if you manage to find it...