Bugtraq mailing list archives
Realnetworks is trojaning people...again!!!
From: pedward () WEBCOM COM (pedward () WEBCOM COM)
Date: Wed, 8 Mar 2000 14:36:25 -0800
Okay, I had a nice long message I wrote, but accidentally canned it in ELM (arggh!) So, I admit to using windows for 2 reasons: playing games and viewing content that can't be viewed on my Unix box. That brings me to this subject. I wanted to watch some classic Southpark and Windows media player wouldn't play it (virgin '98 install), so I got RP 7.0 from RealNetworks. I installed it and so on and soforth. I noticed tonight (3 days later) a program called "Comet Cursor" installed on my machine. I recalled a privacy issue with this and investigated further. Here's the lowdown from their website for those who don't remember: http://www.cometsystems.com/help/privacy.shtml What anonymous information is collected about users of the Comet Cursor? Our software contacts our servers to record logs of cursor impressions using a GUID (Globally Unique IDentifier). When you download the Comet Cursor software, it is issued a GUID from our servers. Using this GUID, we can keep track of how many people are using our software. The GUID is also used every time the software contacts our servers when we log cursors changing (for example, our software could inform our servers that at 12:31pm on November 16, 1999, 143 different people saw their arrow cursor change into a baseball bat cursor on a baseball team's Website). Collecting such statistics is an audit mechanism we use to bill our clients, since some of them pay us on a "per-cursor-impression" basis. Second, our software checks in to see if a new version of the Comet Cursor software is available. If there is a bug fix or version upgrade available for the Comet Cursor, the software will retrieve the new code and replace the outdated code. So, the Comet Cursor is really a backdoor to log your viewing habits, etc. I was fairly confident that I didn't get this 'infection' via unprotected, ahem, viewing of websites. I searched the registry and found the Comet Cursor to be a child of the "RealNetworks" root. I then uninstalled the realnetworks package and comet cursor. I checked back, the only items remaining were: - c:\windows\system\comet.dll -- I deleted this by hand - A registry entry at HKEY_LOCAL_MACHINE\Software\Clients\Comet -- The notable thing about this entry was the following key->value pair: OriginatorId "Real_Dec99" So, I uninstalled, reinstalled, uninstalled, and reinstalled to confirm this hypothesis; RealNetworks is installing a privacy trojan into your system without your permission or documentation. They have been caught once before doing this. FYI, the press release is here: http://www.cometsystems.com/press/pressrels/102099.shtml Grr, I am plenty pissed (not in the UK sense of the word, unfortunately) right now... --Perry -- Perry Harrington Director of zelur xuniL () perry () webcom com System Architecture Think Blue. /\
Current thread:
- NAI/McAfee Viruscan Engine does not scan .VBS files by default Bram Kerkhof (Mar 07)
- Re: NAI/McAfee Viruscan Engine does not scan .VBS files by default Eric Chien (Mar 08)
- Re: NAI/McAfee Viruscan Engine does not scan .VBS files by default Paul Hoffman (Mar 09)
- Re: NAI/McAfee Viruscan Engine does not scan .VBS files by defau Nick FitzGerald (Mar 08)
- Re: NAI/McAfee Viruscan Engine does not scan .VBS files by default Roy Voortman (Mar 08)
- Realnetworks is trojaning people...again!!! pedward () WEBCOM COM (Mar 08)
- [TL-Security-Announce] mtr-0.41 and earlier TLSA2000003-1 (fwd) Katie Moussouris (Mar 08)
- [TL-Security-Announce] htdig-3.1.2-1 and earlier TLSA200005-1 (fwd) Katie Moussouris (Mar 08)
- <Possible follow-ups>
- Re: NAI/McAfee Viruscan Engine does not scan .VBS files by default Roy Voortman (Mar 10)
- Re: NAI/McAfee Viruscan Engine does not scan .VBS files by default Eric Chien (Mar 08)