Bugtraq mailing list archives

RE: w00w00 on AIM Filter (Backdoors & SpyWare)


From: Tim Yardley <liquid () dqc org>
Date: Tue, 08 Jan 2002 16:05:03 -0600

I did the modifications to aimfilter so I will offer a little clarification on the issue. What was in the original aimfilter was not anything that was overtly harmful to your system. There were just a few things that provided backdoor entries into your machine by the original author. Following is a quick overview of what I removed and what they did:

The query user packet would send a message to Robbie Saunders with the IP address of your machine.
The dc packet would open 4 web browsers to various porn sites.
The dc loop packet would send the dc packet in a message over and over, until length of 7900 was reached (max transmission size I guess). On connect, the software would connect to 2 different sites using robbie's click id (to generate money for him). There was also a timer that did this same thing.
There was commented code that would send a hardcoded login packet.
All "potentially annoying or malicious" IM sends were removed. This was done to make AimFilter what the name suggests, a filter instead of a tool of abuse. Logging was changed so that remote admin attempts would be logged with the offender's handle. Identifying text was changed slightly to differentiate the original from my modifications, tagging it with w00w00 and stating the original was done by Robbie Saunders. There was no stated license, but I tried to maintain the credit as best as possible (even though the recipient of that credit had potential malintent).

The usernames that it would react to for backdoors were either "robbieiship" or "eriksjolund" for query user (IP announce) and just "robbieiship" for the dc packet and the corresponding loop. Other usernames that Robbie had that may have been related to the "robbieiship" username showed up in the commented-out code, specifically "sobbie raunders".

In closing, the cleanup was done quickly but all offending code/functions have been disabled or removed that I found in the few hours I spent analyzing and modifying the code. w00aimfilter should act solely as a filter now, instead of anything else that Robbie had intended it to do. I won't get into any debates about his intent nor will I attack him for what he coded into the binary, but I will state my opinion on one thing. Any software that is released to the public, or even privately, should do what it is advertised to do and nothing else. People should not be coding backdoors, money generation schemes, or other covert options into applications. This should especially not be done without statement to the users of said application. I don't know about the legality of putting such backdoors in an application, but I would guess that it would be frowned upon by US law at least. I hope that one thing good comes out of this and that is that Robbie realizes that what he did was wrong if not legally, then at least socially.

With that, our modifications to aimfilter were made public and hosted from our site at http://www.w00w00.org/files/w00aimfilter.zip. I hope you find the modifications useful. We offer no warranty for the code, but included the source with the release so that you can do what you want with it. Take care.

-- from lst @ efnet on behalf of w00w00 Security Development.

/tmy

---- Forwarded message from Michelle Mueller <muellerm () mtmary edu> -----

From: "Michelle Mueller" <muellerm () mtmary edu>
To: "'Jordan Ritter'" <jpr5 () darkridge com>
Subject: RE: w00w00 on AIM Filter (Backdoors & SpyWare)
Date: Tue, 8 Jan 2002 16:08:05 -0600

You mention that the program contained backdoors and spyware, but not
how to remove those once that filter was installed.  Since I am now
going to have to do clean up on friends' and family's machines after
forwarding your suggestion to use the filter on to them, I'd like to
know exactly what it installs, where it installs it, what it does, and
if it goes away after uninstalling the filter.  I knew I should have
listened to my instincts about that filter, but unfortunately I didn't.
If you can please pass this info on to me I would appreciate it.

Thanks,
Michelle



-----Original Message-----
From: Jordan Ritter [mailto:jpr5 () darkridge com]
Sent: Tuesday, January 08, 2002 2:43 PM
To: bugtraq () securityfocus com
Subject: w00w00 on AIM Filter (Backdoors & SpyWare)


BugTraq readership:

    It has recently come to our attention that AIM Filter, which we
    recommended as an appropriate temporary solution for the AIM
    buffer overflows we published, actually contains backdoors and
    spyware.  This became obvious when the source was released on
    January 5th, 2002.

    At the time, Robbie Saunders' AIM Filter seemed like a nice
    temporary solution.  Unfortunately, it instead produces cash-paid
    click-throughs over time intervals and contains backdoor code
    combined with basic obfuscation to divulge system information and
    launch several web browsers to porn sites. We only took the time
    to verify that it blocked the attack, since an analysis of AIM
    filter wasn't our priority. Mea culpa.

    In the meantime, we've cleaned up the AIM Filter code and produced
    a modified version available on our website, and we've removed all
    the backdoors and spyware.  For those of you who are still
    interested in using the software, we strongly recommend you use
    this modified version instead.  You will find it at:

         http://www.w00w00.org/files/w00aimfilter.zip

    We apologize to the security community at large for this mistake.
    However, we think this is a very apt example of why closed-source
    programs can be deadly.  You never know for sure what lurks under
    the hood of a binary executable, and of course U.S. Law (DMCA)
    forbids you from trying to find out.  Once again, disclosure is
    your best friend.

    We urge readers to find out more about the DMCA at
    http://www.anti-dmca.org/.

    We would also like to take this opportunity to provide updated
    reference information on the original AIM vulnerability, which has
    now been assigned a CVE Candidate ID: CVE-2002-0005.


--jordan and the w00w00 Security Team


----- End forwarded message -----


-- Diving into infinity my consciousness expands in inverse
   proportion to my distance from singularity

+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+
| Tim Yardley (liquid () dqc org)
| http://nmedia.net/~liquid/
+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+
