[25631] in bugtraq


AIM+ SpyWare

daemon@ATHENA.MIT.EDU (Pedram Amini)
Fri May 31 16:16:58 2002

From: "Pedram Amini" <pedram.amini@tulane.edu>
To: <bugtraq@securityfocus.com>
Date: Fri, 31 May 2002 13:54:49 -0500
Message-ID: <000201c208d4$a3fc11d0$6400000a@monkey>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

	Users of AIM+ are unwittingly sharing information about
themselves every time they connect to AOL. Aside from the spyware, AIM+
in my opinion is an excellent AOL instant messenger wrapper.

	What is AIM+? From the website (www.big-o-software.com): "AIM+
is an add-on to AOL's Instant Messenger for Windows. It integrates
automatically and flawlessly with AIM, adding crucial features like
IM/Chat Logging (with an integrated History Browser), Ad Removal,
Cloning, Customizable Buddy List Window, and Translucent Windows."

	I noticed some odd traffic which upon examination became
immediately identifiable as belonging to AIM+. In version 2.1.1 build 59
(as well as the latest release 2.2 build 63 and probably earlier
releases) an HTTP connection is made to www.big-o-software.com
(63.242.135.29) referencing a PHP script which stores the following
information:

	- AOL instant messenger screen name
	- AIM+ information:
		- all your AIM+ settings
		- AIM+ version
		- AIM+ paths
	- OS and version
	- Computer network name
	- CPU and RAM information
	- Screen resolution
	- Current UID (NT)

	The author of course also gets your IP address and login time
for free from the request. I wrote the author about this issue on
5.6.2002 and have received no response to date.

	There is a simple fix for those who would like to continue using
the software while removing the spyware:

	- Open AIM+.dll from your AIM+ install directory with a hex
editor
	- Locate the string "tracking"
	- Null out the entire URL

	Here are the approximate addresses of the strings to remove in
the latest two releases of AIM+:

	2.1.1 build 59	0x126a0
	2.2 build 63	0x13790
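The hex-edit above can be scripted so the URL is located by content rather than by build-specific offset. The following is an added example, not code from the original post or from the AIM+ author: it scans a binary for a printable ASCII, NUL-terminated URL containing "tracking" and overwrites it with NUL bytes of the same length, so nothing else in the file shifts. The sample bytes and the "tracking.php" path are constructed stand-ins (the post only says the URL contains "tracking"); if the real DLL stores the URL as UTF-16, the pattern would need widening.

```python
import re

# Constructed stand-in for a slice of AIM+.dll: a NUL-terminated ASCII URL
# embedded among other bytes. The path "tracking.php" is an assumption; the
# post only states that the string "tracking" appears in the URL.
SAMPLE_DLL = (
    b"\x00\x01MZ-ish padding\x00"
    b"http://www.big-o-software.com/tracking.php?sn=%s\x00"
    b"other strings\x00"
)

# Printable-ASCII URL (no NUL, no whitespace) that contains "tracking".
URL_RE = re.compile(rb"https?://[\x21-\x7e]*tracking[\x21-\x7e]*")


def find_tracking_urls(data: bytes) -> list[tuple[int, int]]:
    """Return (start, end) byte ranges of URLs containing 'tracking'."""
    return [(m.start(), m.end()) for m in URL_RE.finditer(data)]


def null_out_urls(data: bytes) -> tuple[bytes, list[tuple[int, int]]]:
    """Overwrite every matched URL with NUL bytes of identical length.

    Keeping the length unchanged means no file offsets move, which is the
    same effect as nulling the string by hand in a hex editor.
    """
    buf = bytearray(data)
    ranges = find_tracking_urls(data)
    for start, end in ranges:
        buf[start:end] = b"\x00" * (end - start)
    return bytes(buf), ranges


def patch_file(path: str, out_path: str) -> list[tuple[int, int]]:
    """Read a DLL, null out tracking URLs, write the result to out_path."""
    with open(path, "rb") as f:
        data = f.read()
    patched, ranges = null_out_urls(data)
    with open(out_path, "wb") as f:
        f.write(patched)
    return ranges


if __name__ == "__main__":
    patched, found = null_out_urls(SAMPLE_DLL)
    for start, end in found:
        print(f"nulled {end - start} bytes at offset 0x{start:x}")
```

Run `patch_file("AIM+.dll", "AIM+.patched.dll")` against a copy of the DLL and confirm it reports exactly one range before swapping the file in.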

	If you want to be really lazy you can download replacement dll's
from my website, again for the latest two releases of AIM+:

	http://pedram.redhive.com/advisories/AIM+/

-pedram

