The aureate scam... and how to scam aureate ~
by fravia+


Courtesy of []

Xmas 2000, part of the remove banners section of the anti-advertisement lab.
The aureate scam... and how to scam aureate
by fravia+

This isn't a "real" reversing essay, I'm just presenting a funny (yet working) easy trick... non semper ea sunt quae videntur

It's almost Xmas, eh, supermarkets, malls and virtual e-shops are full 7/7 and 24/24 of people "consuming" themselves black and blue... and who am I to avoid our societal "obligation" to make presents on command?
I would like to offer as my own first Xmas present to all readers (yep, not only reversers) a simple yet effective method to get rid of advertisement banners inside "free" (or after all "not so free") software.

Some days ago I was investigating the aureate spysystem
This sniffing approach consists of various dll-libraries and executable files, that are run every time you connect to the Web. Aureate seems to collect quite a lot of info... your name (an entry in the system registry), a listing of the software that is installed on your system (entries in the system registry) and "your web surfing habits", i.e. what sites you have visited and what "banners" you have clicked onto (assuming that someone really clicks on banners, which I fail to believe).

Now, in a world where even small commercial firms can now offer on sale aerial fotographs with [1 meter resolution] such attacks on our privacy are almost irrelevant (frightening eh? And it's a five years old technology... think what any average secret agency could do now), but I'm digressing. Back to Aureate.

You can easily check if you already have this Aureate sniffing system inside your own windoze box right now (and, oh-boy, chances are that you indeed have it without even noticing it): [click here with the right mouse button] and choose "open in new window", now scroll a little and see if you have a dll called "advert.dll" (yes you most prolly do :-).

I wont go now into the intricacies of advertisement-based statistical methods... basically, as anyone knows nowadays, the commercial bastards are ready to tramp over your dead kids' bodies in order to fetch some of your personal data in order to stuff their databases (so that they can re-sell them to other similar bastards). Some of the aureate DLLs set (mostly trough port 1749) a "plug" into your box. Each user is given a unique user ID by the Aureate system, thus allowing quite complex spying activities. Note also that the Aureate system actively sends and receives data over the web even when the advertising-trojan program is not running or has been deleted or deinstalled!
You'll find all the necessary explanations [here].

Keep in mind that in the silly world we are living in, a lot is due to 'user inattention': many tricks are allowed and blessed by a social system that encourages fraud and discourages (or even punishes) "reversing frauds": when accepting "free software", lusers often blithely skip through the fine print that displays across their monitors. The fact that more and more people are installing "always-on" broadband connections to the Internet is a godsend for all kind of advertisement bastards: a friend of mine was scared to hell after I suggested him to install blackICE (network ice aka "blackice", see [fosi] if you don't have the money to pay it): you'r most probably thoroughly sniffed at least a dozen times during each one of your Internet sessions (again, if you don't believe it, [check] it).

Chances are that you have Aureate sitting in the guts of your system if you have installed just one single application out of a [growing number] of so-called "free" applications that compel you to slurp advertisements "in exchange" of their graciously being oh so free..

Among other "aureatish" spysoftware there are CuteFTP, Crystal FTP, Go!Zilla and many other wide used programs (most of them, for obvious reasons, being FTP or URL-gathering applications, see [this list] or the link above to fetch various more or less "complete" lists of them).

Now I know that most readers are NOT reversing savvy experts, and therefore I'll show you a very simple method of disabling both the eyes-irritating ads inside the software and destroying the "validity" of the whole aureate's spying system bazar through a trick so easy to apply that even the aunt of your girl-friend will be able to do it by herself (and you'r girl-friend will thank you for it)...

So, without no longer ado... here is what you can do to heal your box (if you'r really so unhappy that you have to use windoze instead of GNU/Linux... but beware the appearence of Linux aureate programs). This approach is moreover so straightforward and easy that anyone will be able to apply it on the fly :-) How nice...

Pass auf reader! Now we come to the interesting Xmas present... in order to screw (back) black and blue ALL SOFTWARE with embedded sniffing functions made by these Aureate clowns, simply go to your windows/system subdirectory and boldly and quietly RENAME following files:
AMSTREAM DLL ---> AMSTREAM FRV  81,920  23/04/99  22:22 amstream.frv
ADVPACK  DLL ---> ADVPACK  FRV  89,360  03/12/99  06:08 advpack.frv
AMCOMPAT TLB ---> AMCOMPAT FRV  16,832  27/10/00  19:20 amcompat.frv
AMCIS    DLL ---> AMCIS    FRV  45,056  01/04/99  14:52 amcis.frv

Nachtrag March 2001
Josh pointed out that AMSTREAM.DLL, ADVPACK.DLL and AMCOMPAT.TBL are not real Aureate files, and are used respectively for MS multimedia functions, MS installations, and ActiveMovie components, and suggested that only AMCIS.DLL needs to be renamed. However, field experimentations still seem to prove that all four the above files must be renamed in order to kill Aureate fully. Further observations on these matters would be welcome.
Note that datestamps and hourstamps often betray WHICH trojan "free" software did install these bugs-files... anyway, renaming these four dll (of course not necessarily to *.frv... be inventive) should be enough to cover all aureate snooping trojan on your system. Should you have some kind of funny problems (you wont, but one never knows: in doubt always disclaim :-) just rename them back to their original *.dll extension. At that point it would be nice if you could - if possible and capable - start a little research on your own and try to pinpoint the culprit application, or even better, the parts of the code that are doing it, and then (if after having worked a while on such matters you deem such info important) send your findings over to me...

ACHTUNG: Do not, I repeat DO NOT, rename advert.dll, leave that library ALONE.
Rest assured that this "trojan dll" wont "work" for aureate without its dll-syblings (that you renamed into the void), so don't worry. On the other hand, if you directly attack it and rename it, it will -alas- screw your "oh so free" applications after you have nuked it (on purpose: these people are evil).

Once you have renamed the four files I have listed above, you'll be free from aureate sniffing AND from compelled advertisement banners! You don't believe me? Just have a look at the wondrous new "post-fravian eingriff" developments through a given target: start, for instance, Crystal FTP 2000, a nice ftp-program but, alas, aureate-advertisement infested (if you don't have nor use Crystal FTP, start whatever other Aureate-pushing application you wish)... woah... the program runs fine and... no more ads... yep, that's it... commercial bastards annihilated through windoze's RENAME function, ahah... quod erat demonstrandum...

Merry Xmas to all of you, enjoy some nice [Tre Marie] Panettone ("buono e basso") if you manage to find it...

This is still in fieri, of course, therefore if your info or advices differs, or if your findings are different, by all means send them over, I'll add and change...

Back to remobann

(c) 1952-2032: [fravia+], all rights reserved