The Whole, Gruesome, Aureate Spyware Story!
by Steve Gibson, Gibson Research Corporation
Aureate / Radiate
Aureate (pronounced: or'-ee-ate) is the granddaddy of the spyware systems. When the whole spyware problem came to my attention, Aureate — which later changed its name to "Radiate" because no one could figure out how to pronounce the original name — was installed in over 30 million (30,000,000) and counting Windows PC's worldwide. And, it was being carried into new machines by more than 500 "advertising supported" programs.

NOTE: While acknowledging Aureate's recent name change, in order to minimize user confusion, this site will continue to refer to them by their historical name of Aureate. All of the software already installed in those 30 million machines — and still being installed everyday — continues to identify itself as "Aureate" as does the version information available in the file properties. I have yet to encounter a single Aureate-carrier application that does otherwise. So while Radiate might wish to lose the "Aureate" aura, it makes no sense for us to do so yet.

Aureate deserved — and continues to deserve today — the "Spyware" moniker not (apparently) because it is sending sensitive personal data out of the user's computer, but because it deliberately slips into the user's system secretly, uses the user's Internet backchannel without the user's knowledge or permission, takes pains to remain secretly installed (instructing its hosting software to leave it installed upon the host's removal), masks its presence by deliberately suspending its use of the backchannel in the absence of keyboard or mouse activity and fails to disclose any of this to the typical user who is never fully informed about what's going on.

When you add to this the fact that the Aureate software has been conclusively found to be directly responsible for significant Windows system and Internet browser crashes, and that it is able to secretly download and cause Windows to execute any arbitrary program into the unsuspecting user's computer, it is indeed difficult to cut these people much slack.

Aureate's CBC Compliance

Code of Backchannel Conduct Compliance: Aureate / Radiate

Up Front, Full, Plain Language, Disclosure
Aureate is 100% guilty of not informing their users of the installation, presence, and operation of the system within their machines. I have been told by several developers that Aureate never told them to include the Aureate EULA (End User License Agreement) within their own product EULA's. That has changed now, but there are now 22 million people who have no idea that Aureate's system is installed in their machines.

Also, the Aureate programmer API specifically provides for the deliberate deferral of the presentation of the somewhat intimidating and quite intrusive multi-page demographics profiling dialog. Of all the Aureate hosting programs I've encountered, only CuteFTP presents this dialog at the time of the program's first use.

I have been told that Aureate is working to address this problem by taking direct responsibility for providing an up front, plain language, disclosure. I hope this occurs, since it would be terrific to have them establish a precedent for the rest of the web-surveillance industry to follow.

No Unnecessary Information Gathering
After spending more than 200 hours examining the operation and function of the version 2 Aureate software system, I was unable to discover any capability for it to inventory or browse the user's hard drive or registry. After examining and extensively parsing a 200,000 line disassembly of the main advert.dll file I was able to account for every, apparent, Windows API call which might have been used for such purpose.

This is not to say that it would be impossible for them to have such code deliberately hidden inside their software, so this is not meant to be, and cannot be, an affirmative statement that their software is not capable of such conduct. That being the case, I am extremely disappointed in the other so-called "security experts" who have blindly endorsed and signed-off on Aureate's claims. Unless these experts have carefully examined the source code for Aureate's software — and I am certain that they have not — their claims must in some fashion be merely self-serving.

The only way for me, or anyone, to know for certain what Aureate's software is capable of doing, would be for them to allow me to examine their source code. I have proposed this course of action in response to their complaints about the negative attention drawn by my uncertainty . . . but they never replied to that request and therefore appear unwilling.

Since this OptOut site declares spyware vendors innocent of specific transgressions until proven guilty, Aureate receives a "double-green" rating for not (apparently) gathering unnecessary information.

No Insecure Capabilities
How would you feel about having a piece of software running inside your computer which was written by a company you've never heard of — and certainly never gave your permission to, whose publicly stated business model is selling information about you, who arranges to have their spyware secretly installed into your system so that it "phones home" every single time you use your web browser, and which can, at their whim, accept and download any file into your system named "update-dll.exe" and then arrange for Windows to run this unknown program — which could be and do anything — when Windows is next restarted?

As if that weren't sufficient cause for alarm, this Trojan Horse spyware — for that's what it surely must be called — is trivial to "redirect" so that instead of phoning home to one of Aureate's servers, it connects to any other arbitrary server on the Internet. It establishes a connection between that unknown server and your computer, sliding right through whatever corporate or personal firewalls you or your employer may have erected (because it functions as a browser parasite which hijacks your browser's Internet usage permissions). Then it awaits further instructions . . . which we now know at least include "here's an executable file, download and run it please."

Of course, Aureate will defend the presence of this much-too-potent-and-insecure capability, by explaining that it's only intended to allow them to update their software in the field (which I suppose is important, since their "users" never even knew it was installed!) and that they have taken deliberate countermeasures to prevent the abuse of this capability. But, with the aid of my Internet Spyware Analyzer, I slid right past those so-called "countermeasures" so easily that I wasn't even aware that they were supposed to be stopping me! It wasn't until I asked the guys at Radiate what that particular nonsense was for, that I understood that what they considered to be a "countermeasure" I thought was an interesting but strange handshake protocol. I implemented it without a second thought so that my spyware analyzing server was able to continue its dialog with the Aureate client.

This is a BIG PROBLEM because any malicious hacker who wishes, can trivially duplicate the work I did. And, once done, they don't even need to scan the Internet looking for Aureate Trojans . . . since any redirected Aureate Trojans WILL CALL THEM! and await instructions the next time the unsuspecting user browses the Internet!

This incredibly and irresponsibly dangerous capability has been absolutely confirmed because three different versions of Aureate's "update-dll.exe" have been discovered on users' machines "in the wild". These users also found, to their dismay, that the Aureate Trojan-installed program was being run every time Windows was started since their machines had entries under the "run" key in the Windows registry.

The files are located in the system's main Windows directory and marked with "hidden" and "read-only" attributes so that they will remain stealthily hidden. So far we have found files with lengths of 538,624 bytes, 554,496 bytes, and 555,008 bytes. Since these files were NOT part of the original Aureate spyware file set, they had to have been downloaded without the user's awareness while the user was connected to the Internet.
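
A triage check for the artifacts described above, as an added example that is not from the original page or from GRC's OptOut tool: it looks for update-dll.exe in the main Windows directory, reports its attributes and whether its length matches one of the three reported sizes, and lists Run-key values that reference it. The two registry paths are the standard per-machine and per-user Run keys and are an assumption, since the page only says the "run" key.

```powershell
# Added example (not from the original page): look for the downloaded
# "update-dll.exe" and any autostart entry that launches it.

# The three file lengths reported on this page, in bytes.
$knownLengths = 538624, 554496, 555008

# Assumption: the standard per-machine and per-user Run keys; the page
# only says 'the "run" key'.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

$findings = @()

# 1. The file itself, in the main Windows directory. -Force is needed
#    because the file is marked hidden and is otherwise not returned.
$candidate = Join-Path $env:windir 'update-dll.exe'
$file = Get-Item -LiteralPath $candidate -Force -ErrorAction SilentlyContinue
if ($file) {
    $isHidden   = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
    $isReadOnly = [bool]($file.Attributes -band [IO.FileAttributes]::ReadOnly)
    # A length outside the known set is still reported: it may be a
    # variant that was not among the three found so far.
    $isKnown    = $knownLengths -contains $file.Length
    $detail     = "$($file.Length) bytes; known length: $isKnown; " +
                  "hidden: $isHidden; read-only: $isReadOnly"
    $findings  += [pscustomobject]@{
        Type = 'File'; Location = $file.FullName; Detail = $detail
    }
}

# 2. Run-key values whose command line references the file, which is
#    what causes it to start every time Windows starts.
foreach ($key in $runKeys) {
    $reg = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $reg) { continue }
    foreach ($name in $reg.GetValueNames()) {
        $data = [string]$reg.GetValue($name)
        if ($data -like '*update-dll.exe*') {
            $findings += [pscustomobject]@{
                Type = 'Run entry'; Location = "$key\$name"; Detail = $data
            }
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    'No update-dll.exe file or Run entry found.'
}
```

A Run entry without the file, or the file without a Run entry, is still worth recording, since either can be left behind by a partial cleanup.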

(Note: Since it is not my intention to promote or encourage hacking of the Aureate technology, I have NOT posted additional details on this public web site. Any interested and concerned analysts or members of the press may contact me for additional details under the agreement that they will also NOT propagate additionally detailed information which would aid malicious hackers.)

Formal Online Privacy Statement
Aureate's formal online Privacy Policy has recently been improved and supplemented by a page titled "Addressing False Rumors and Hoaxes about Privacy" as a result of the negative attention they have drawn. Aureate's previous statement was rather "vanilla" and failed to address many users' concerns about the exact nature of Aureate's data collection and surveillance activities.

The only thing missing — and it's really quite necessary — is a specific commitment regarding the "future use" of the collected data. It's one thing for Aureate to state what they are not doing today, but since most of information's value is yielded in the future, users have every right to ask and be informed as to what Aureate will never do with their information. The importance of this is further heightened in light of their documented ability to download new software into their user's machines at any time.

While their original privacy statement fell far short of being adequate, recent additions and clarifications have improved it significantly. Once they add assurances about the future use of any information collected they will be in full compliance with article 4 of the CBC.

Preemptive Request for Consent
Since Aureate's software sneaks into the user's system without notice, it is certainly NOT asking for the user's permission and subsequently receiving consent for its user surveillance and Internet backchannel use. Until that situation changes Aureate earns a double-red for this fifth article of the CBC.

Removable with Windows Add/Remove Programs
For many users, one of the most exasperating revelations about Aureate's technology is that it has remained alive inside their systems long after the removal of whatever program carried it in. Regarding the removal of unwanted software from our machines, I see no reason for us to treat Aureate's software any differently from any other: If we want to remove it, we should be able to do so easily. This simply requires Aureate to place an entry for itself into the standard Windows Add/Remove Programs list so that it may be easily removed at any later date.

Happily, the newest "Version 3" of the Aureate system HAS addressed this problem and installs not only an entry in the standard Windows Add/Remove Programs list, but even places an entry under the user's "Start" button. This is great news! (Note, however, that many more programs continue to use the earlier versions of the Aureate system where no such responsibility was taken.)

No Fine Print "Funny Business"
Aureate has three obvious problems with regard to fine print "funny business" in their End User License Agreement (EULA):

 First, since their ill conceived "operational model" was to package their software as an invisible (to the user) add-on component of other hosting programs, they have been dependent upon those publishers to present the Aureate EULA to the end user.

Aureate of course claims that all licensees were instructed to append the Aureate EULA to the hosting program's license, however, several "Aureate partners" have told me that they were never instructed to do so. In any event, if Aureate should ever want to make any claims for the enforceability of their agreement, they ought to arrange for its reliable display. To date that has never been done.

 The Second problem with the Aureate EULA is its opaque and bizarre language. Here's the key sentence from the Agreement regarding the software's use of the user's Internet backchannel:

"By using this software, you agree that you understand that this software will connect to the Internet UBIQUITOUSLY to download advertisement and/or to provide software updates."

Despite my satisfactory command of English, I'm not at all certain what "connecting to the Internet UBIQUITOUSLY" means, nor whether it's fitting (or legal) to instruct someone that by using software they never asked for and didn't know existed — and which by its very nature they don't know is in their computer or that they're using — they have agreed that they understand something nonsensical.

 The Third problem with the Aureate EULA is that NOWHERE in the entire unabridged Agreement, does it say anything about any information being sent back UP to Aureate along this infamous (and so very ubiquitous) Internet connection. If they were less inept everywhere else, we might think that they were being deliberately sneaky. But in this case all evidence indicates that the executives of Aureate never really cared much what their EULA said, nor whether anyone ever actually read or understood it. In any event, as anyone can see, it's a total disaster.

One final and interesting aspect of the amazing sentence above, is that in saying "... to download advertisement and/or provide software updates" they are confirming their system's ability (... provide software updates) to install new software into the user's machine (ubiquitously). Thus the point made in article 3, above, about the Aureate system containing a dangerous Trojan backdoor is further confirmed.

Additional Concerns and Problems

Confirmed Cause of System and Browser Crashes
An unsuspected benefit arising from the use of the first preview release of OptOut — and its immediate removal of Aureate's spyware — was that a great many systems were immediately cured of significant, chronic, system and/or Internet browser crashes. (See these sample eMail notes we have been receiving.)

We subsequently learned that it has long been common practice in Netscape and Internet Explorer support groups to instruct users suffering from chronic browser crash, to delete any file named "advert.dll" from their Windows system directory. More often than not this immediately cures the user's problem. "Advert.dll" is the key software component used by versions 1.x and 2.x of the Aureate system.

Executives of Aureate were understandably upset with me for labelling their "browser integration" technology a "browser parasite" in the OptOut preview release. But as it turns out, the term is not only technically correct, but also correctly derogatory.

In the Court of Public Opinion
The well-known Simtel.Net archives describes itself as "A worldwide distribution network for Shareware, Freeware, and Public Domain software ... since 1983". They have recently weighed in on the whole Aureate/Radiate "Adware" issue and have given me explicit permission to post this statement:

Effective immediately Simtel Management Policy is that any Adware program that continues to run when applications that use it are not running will be banned from the collections. Authors who submit Adware must state that this will not occur.

The Adware servers have no right to use the user's bandwidth to download ads while they are running programs that do not use the ads. In my opinion they are stealing the user's bandwidth when this occurs.

Additionally, here is Simtel's formal policy regarding Adware:

Simtel.Net does not consider Adware the same thing as Freeware. We expect full disclosure of all Adware to us and to end users in upload announcements and program documentation. We encourage authors to include a privacy statement in their program documentation (available _before_ installation) that clearly spells out any privacy issues users may have (e.g., what information is being transmitted, what is being done with that information, etc.). Authors must state that their Adware has no components that continue to run when their application is not running. Authors must also ensure any Adware components are correctly removed when their program is removed. For detailed comments and requirements please see this URL:

http://www.simtel.net/simtel.net/adware.html

As you can see, this means that any and all freeware and shareware applications based upon the earlier versions of Aureate browser parasite or the Conducent Timesink "TSADBOT" will be banned from the Simtel Archives.

Only software incorporating the latest releases of these adware systems is considered acceptable by SIMTEL. You need to decide if it's acceptable by you!

Aureate / Radiate — Past, Present & Future

The negative attention generated by the initial "Aureate hoax", followed by my creation and widespread release of the preview release of OptOut, focused a great deal of attention upon the previously unsuspected presence of Aureate software in a large number of PC's — and upon the problem represented by the fact that no one had informed those users of any of this.

Then, upon the wholesale removal of what can only be called "Aureate Spyware", the industry next learned that the presence of Aureate's software was actively damaging many systems. This, naturally, further fueled already heightened concerns.

When users next learn of Aureate's proven ability to download and execute any arbitrary program into 22 million computers worldwide, we may see this "concern" reaching to a new level. I'm glad it's not running in my system.

Overall, however, as far as we know, Aureate/Radiate is not guilty of deliberately inventorying any of the contents of users' systems. They appear to produce poor quality code, employ poor judgement and poor legal agreements, and are doubtless rather poor communicators. I can't guess what their future will be, but with an installed base of 22 million PC's, Internet software archives littered with Aureate-carrying "freeware", and millions of browsers and systems being crashed daily by their code, I will certainly continue to provide tools for the safe and quick removal of their "technology" from users' machines, and for the subsequent monitoring of those machines to alert their users of Aureate's unexpected return to their system.

I will also continue to apply my best efforts to the task of maintaining this web site, and these pages, to reflect any changes in the status of this company's software, licenses, and policies. If Aureate chooses to respond quickly enough to the problems which have been identified, I see no reason why they should not remain viable . . . albeit with a few healthy scars which will hopefully provide a few lessons to other similar surveillance companies of how not to conduct themselves and take advantage of their users.

At the moment, we have no way of knowing how far the new Radiate Corporation will go to becoming a good backchannel citizen — but the requirements for that achievement are now clearly specified. So far, they've been making nice noises, but we haven't seen anything yet. Nothing they do now can erase or undo the damage that's been done. They will always be responsible for sneaking 22 million copies of buggy and frightfully insecure spyware into the world's Windows PCs. But moving forward, it is my sincere hope that Radiate will desire to become the first "Previous Publisher of Spyware" and be rewarded by green "excellent" ratings across the complete CBC.

Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

Last Edit: Oct 06, 2003 at 13:29