Summary:
AIM Filter contains spyware and backdoors in its official release. The w00w00 group has been kind enough to provide a clean version of the product.
Credit:
The information has been provided by Jordan Ritter of w00w00.
Details:
The w00w00 group has announced that AIM Filter, a solution to the AIM buffer overflow vulnerability, actually contains backdoors and spyware. This became obvious when the source was released on January 5th, 2002.
At the time, Robbie Saunders' AIM Filter seemed like a nice temporary solution. Unfortunately, it also generates paid click-throughs at timed intervals and contains lightly obfuscated backdoor code that divulges system information and launches several web browsers to porn sites. The w00w00 group had only taken the time to verify that it blocked the attack, since an analysis of AIM Filter itself was not their priority.
In the meantime, w00w00 has cleaned up the AIM Filter code and produced a modified version, available on their website, with all the backdoors and spyware removed. For those of you who are still interested in using the software, we strongly recommend you use this modified version instead. You will find it at:
http://www.w00w00.org/files/w00aimfilter.zip
The following is the list of 'features' that w00w00 security development removed:
- The query user packet would send a message to Robbie Saunders containing the IP address of your machine.
- The dc packet would open 4 web browsers to various porn sites.
- The dc loop packet would send the dc packet in a message over and over until a length of 7900 was reached (perhaps the maximum transmission size).
- On connect, the software would connect to 2 different sites using Robbie's click ID (to generate money for him). There was also a timer that did the same thing periodically.
- There was commented-out code that would send a hardcoded login packet.
- All "potentially annoying or malicious" IM sends were removed. This was done to make AimFilter what its name suggests: a filter rather than a tool of abuse.
- Logging was changed so that remote admin attempts are logged with the offender's handle.
- Identifying text was changed slightly to differentiate the original from the modified version, tagging it with w00w00 and stating that the original was done by Robbie Saunders.
- The usernames that triggered the backdoors were "robbieiship" or "eriksjolund" for query user (IP announce), and just "robbieiship" for the dc packet and its corresponding loop. Other usernames of Robbie's that may have been related to "robbieiship" showed up in the commented-out code, specifically "sobbie raunders".