A Little Bit of Seduction for Spyware!
by Steve Gibson, Gibson Research Corporation
Introducing the Internet Spyware Analyzer
Sometimes a bit of seduction is required to convince a spy to come in from the cold. A bit of sweet talking is usually required to convince it to reveal all of its secrets. Our Internet Spyware Analyzer simulates trans-Internet dialogs to make any spyware under analysis believe that it has successfully "phoned home" when, in fact, it is talking to us . . .

The image above depicts the beginning of a typical spyware dialog. This screen shot was taken from our research into the operation and capabilities of the Aureate/Radiate software.

You can see the Internet Spyware Analyzer system starting up, followed by its preparation to simulate the interactive command and reply sequences of a standard Aureate/Radiate Internet server.

After the Analyzer accepts and acknowledges a connection on the default Aureate server port 1975, the Aureate ADVERT.DLL component, mistakenly believing that it has contacted one of Aureate's Internet servers, sends a series of four bytes of data identifying its major and minor version and its build number. In the case of the ADVERT.DLL component we studied, and as shown above, it was version 2.01 (build 3).

After identifying its version number, the ADVERT.DLL idles while awaiting remote commands. This Spyware Analyzer allowed us to "talk to" the ADVERT.DLL for the purpose of exploring and verifying the command structure and operation which we had determined from a static examination of the code.
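
A minimal loopback sketch of the opening exchange described above, as an added example that is not GRC's Analyzer or code from the original page: a listener accepts one client and records its four-byte hello. The byte layout in `decode_hello` (major, minor, then a 16-bit little-endian build number) and all function names are assumptions; the page does not document the wire format.

```python
import socket
import struct
import threading

HELLO_LEN = 4  # the page says the client opens with four bytes

def recv_exact(conn, n):
    """Read exactly n bytes; TCP may deliver the hello in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError(f"peer closed after {len(buf)} of {n} bytes")
        buf += chunk
    return buf

def decode_hello(raw):
    # ASSUMED layout (not documented on the page): major and minor as single
    # bytes, followed by a little-endian 16-bit build number.
    major, minor, build = struct.unpack("<BBH", raw)
    return f"{major}.{minor:02d} (build {build})"

def capture_hello(listener, timeout=5.0):
    """Accept one client on an isolated analysis host and record its hello."""
    conn, peer = listener.accept()
    with conn:
        conn.settimeout(timeout)  # a silent client must not hang the analysis
        raw = recv_exact(conn, HELLO_LEN)
    return {"peer": peer[0], "raw": raw.hex(), "version": decode_hello(raw)}

def demo():
    # Loopback only, ephemeral port; the page's server listened on port 1975.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5.0)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def constructed_client():
        # Stand-in for the software under analysis; these bytes are constructed.
        with socket.create_connection(("127.0.0.1", port)) as c:
            c.sendall(b"\x02\x01")  # deliberately split across two sends
            c.sendall(b"\x03\x00")

    t = threading.Thread(target=constructed_client)
    t.start()
    try:
        return capture_hello(listener)
    finally:
        t.join()
        listener.close()
```

Keeping the raw hex beside the decoded string matters here: if the assumed layout is wrong, the captured bytes remain as evidence to re-interpret.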

Our plans for the Internet Spyware Analyzer

Despite its rather innocent appearance, the Internet Spyware Analyzer is a full, high capacity, high performance, multithreaded, asynchronous I/O, Internet server capable of simultaneously servicing the needs of any number of Spyware agents. (And, of course, I wrote it in assembly language so it's super small and super fast!)

I built it at the beginning of my research into the Aureate system in anticipation of being asked to produce proof of whatever malicious behavior I uncovered. It was my intention to allow members of the press and technical analysts to receive a complete demonstration of the Aureate system's malicious capabilities over the Internet. Though Aureate would be foolish to do so, if they should deny any of my findings, I can easily produce any required degree of proof in that fashion.

This Internet Spyware Analyzer is a potent tool for researching and uncovering the detailed behavior and characteristics of any Internet-communicating software under analysis; however, it has little application beyond that. Since we have no intention or desire to promote or encourage the hacking and malicious use of Internet-based systems, the Analyzer will be used as an internal analysis tool belonging to Gibson Research Corporation and will not be made available to the public.

However, the point is . . . this tool's RESULTS certainly WILL be made available under no uncertain terms. You may rest assured that we have — and can easily develop — whatever technology is required, now or in the future, to track down and nail any spyware system believed to be conducting clandestine communications across the Internet.

It is our sincere hope that present and future users of the Internet backchannel will appreciate the substantial benefits of adopting and abiding by the articles of the Code of Backchannel Conduct.

To continue, please see: Known Spyware

Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Last Edit: Oct 06, 2003 at 14:29