First things first, Hats off to Reverser+ and troupes.
A Little History:
A few weeks back I bought 3 magazines, they have become little more than advertisements. I mean where is the content? And where did all my money go? As if that weren't bad enough, I just got a new machine. I bet you can guess, a full screen banner programmed right into the friggin bios! Now I can't see what is going on while my machine is booting. Finally, getting to the topic of this essay. I start dling the latest appz for my new toy...yawp you guessed it. Now I am being dazzled by banners that are piped right into the parent frame of these appz. What's a poor beggar to do?
I'll tell you what. I got pissed on first and then I got pissed off and now I am pissed up! I may not be no fancy-pants, pocket-protector type, but I'll be damned if I am going to let the companies of the world come into my home, take my personal information, use my personal resources, and then use it to target market me like I'm some cheap statistic. I'll fight back first that's what I'll do. Hell I'll even learn to think if I have to!
--knocks a frothy one over (DAMN IT) and decides to go to a Black-Cider Ale--
OUR TARGET: Companies that are out to Demographically market us. You see it isn't enough to just give false information to this type. They've found a way right into the heart and soul of our personal knowledge base, our HD's. Gates and AOL have been doing it for years, now that is pretty bad, but at least they weren't selling this info to anyone with a check book! Errrr, ok, AOL has been doing precisely that. Anyway, just recently I dl'd a hex editor and actually took a peek into my user.dat. If you've just taken reverser's word for it up until now, DON'T! You owe it to yourself to open the thing and really take the time to go through it. It really will scare the hell out of you.
OUR TOOLS: Well in all I think I used CuteFtp v3.0.15 beta (any ad-ware will do), netstat.exe, tracert.exe, telnet.exe, editpad.exe (I recommend you get and copy it over notepad.exe), a browser and a hex editor with the last two being semi-optional. Oh yea, I almost forgot one of the most important tools. In fact, it is soooo important that I am surprised that Reverser's site has never gotten around to dealing with it at one level or another. I used the telephone and not just to call the net :)
-- To find and eliminate our communication with the machines that are targeting us with ads.
-- To find out how they are really targeting us (using a more social approach).
-- To start our own database, readily publishing this NFO and explaining the most up to date technique for blocking their attempts???
(Political Note: I am not so against the developers who are resorting to this type of thing in an attempt to receive financial enhancements for the labors they have put forth as I am against them providing my personal information to companies who would otherwise not have access to it. Unfortunately, even if I choose to register the developer's warez and am sent a patch to stop the ads. My info has already been carted away and sent to a company who's only purpose is to try and keep the average guy (me) spending, to try and keep the average guy in economical slavery or living from hand to mouth.)
OUR LEVEL OF COVERAGE: As I am sure you already understand, I am by no means writing an exhaustive essay on this subject. I am simply planting a seed and pushing to make sure that some of you are aware of another tool that you do have and will need if you plan to crack the net (the telephone). I also hope to keep this essay very simple and instructive. Thus, it can be rated as Baby Beginner Level.
The first thing that you will need to do is to pull up a DOS window and at the command line type the following: netstat
Netstat is a unix style app that is included with all win9x and NT OS's (Operating System's) it gives you current information on all your active connections and was originally written for network administrators and anyone else who might trouble shoot a network. For our purposes we want to pay attention to the machine names, domain names, and port numbers.
Newbie Tip: People play around with this command. Run it, then F3 it frequently while doing your normal net activities. Remember each connection usually only stays open for a set interval so after going from one site to the next, F3 it. In fact I suggest you create a stat.log in your win directory and direct the info into it.
Example: netstat >> stat.log
All your information will be logged so you can look at it at a later date. You might be surprised at some of the connections that are taking place between your machine and others (not to mention ports) that you didn't even know existed.
On with the lesson, you want to run netstat and take a look at your active connections. Then open CuteFtp (you don't need to connect it to anything just run it while on the net) and run netstat again. Look for a new active connection or two. There are a few possibilities so you might want to open and close CuteFtp several times, running netstat after each time you open CuteFtp.
The connections that you are looking for will be stigmatized by the port number 1975, a rather unusual port number. Most sites that you surf to will return a port number of 80, ftp, and telnet connections will say ftp, and telnet respectively. I'm not sure if SMTP will say smtp or 25 which is it's standard assigned port, but you can find that out on your own. Anyway, a port number of 1975 is very interesting, indeed. Lets investigate further.
Open your browser and try going to the url:
First I try homer.aureate.com and get a connection with server could not be established error
Second I try just aureate.com. Bingo! Aureate Media…snoop the site and see what you can learn about them. Don't forget to write that toll free telephone number and a name or two down. Remember that? We are going to use the phone to shine a little light on all of this. But first lets see what else we can find out. Keeping playing with CuteFtp and netstat off and on. Meanwhile why don't you try telneting into homer (i.e., homer.aureate.com). No luck ;x Well try telneting into homer at port 1975. Hey! It might not seem like much right now but homer.aureate.com port 1975 is open and if you give it a minute and then press the enter key you'll get even more nuggets of NFO. Go ahead, tap once, then twice. The first tap generates a message:
aim3.adsoftware.com aim4.adsoftware.com aim5.adsoftware.com
Repeat the above steps using these new urls:
Now you should do a whois on both aureate.com and adsoftware.com, Perhaps a tracert or two as well. If your still messing with cuteftp and netstat you have probably gotten some form of a ???.onecall.net:1975 returned in your NFO, check that out too. If your lucky you will even catch some interaction with flycast.com. They aren't really who we are dealing with right now but they do figure into the equation.
Btw, we have enough information to start eliminating (some of/all of) the ads already but we can't be sure of this and so we fire up our hex editor to double check our work. Besides, how am I going to interest those wanna be fancy-pants if we don't ever look at any code or hex? I mean there has to be a call to one of the suspected machines from somewhere in the proggy. Right? Well I go through all the files in the CuteFtp directory and have had no luck until I open a text file by the name of install.log. It points out that not all the files were placed in the CuteFtp directory. It has placed two files in the windows/system directory named cuteshell.dll and advert.dll. I'll leave it to you to do your own work from here. Which file to pick, which file to pick? Not a real problem we'll give you two tries at it :)
Okay, now you've double checked your info and read through the appropriate dll, found out a few other things you didn't know and your ready to put an end to the communication between your machine and theirs. This of course is very simple. Search your machine for winsock. It is most likely in your Win directory. Create a text file called Hosts with no extension on it. This file acts as a mini default Name Server for winsock and winsock will only go to your real name server if it can't find what it is looking for here. Hence, if you create a host file and add:
…saving it to the same directory as winsock. It will tell your machine to loop the call for their machine back onto your machine. Aureate Media never has it's beacon turned on and you'll get no ads because they don't even know that your online.
Our first objective has been fulfilled and we haven't cut the advertising off for just cuteftp but for all appz that are using the Aureate Media plug in (advert.dll).
Okay, okay, on to the telephone part. Well now that we know who they are and where they are located, toll free phone number, etc., lets see if we can't find out even more about them and what they can really do. Draw up a dossier for yourself. Mine went something like this:
Points of Concern:
Anyway, it is more or less just a bunch of BS but I RP'd it and got some useful tads of NFO in a very short amount of time. How long do you think it would have taken to trace through all the code to be sure that your area code and/or HD hadn't been snooped?
-- They also referred me to flycast, remember them?
One closing Note: Aureate Media is tied in with flycast.com, but not as a partner, not too sure what the exact relationship is at this point. However, I do know that the ads that are actually displayed are generated via flycast.com. I should have asked more!