AIM+ SpyWare

From: Pedram Amini (pedram.amini@tulane.edu)
Date: 05/31/02


From: "Pedram Amini" <pedram.amini@tulane.edu>
To: <bugtraq@securityfocus.com>
Date: Fri, 31 May 2002 13:54:49 -0500


        Users of AIM+ are unwittingly sharing information about
themselves every time they connect to AOL. Aside from the spyware, AIM+
in my opinion is an excellent AOL instant messenger wrapper.

        What is AIM+? From the website (www.big-o-software.com): "AIM+
is an add-on to AOL's Instant Messenger for Windows. It integrates
automatically and flawlessly with AIM, adding crucial features like
IM/Chat Logging (with an integrated History Browser), Ad Removal,
Cloning, Customizable Buddy List Window, and Translucent Windows."

        I noticed some odd traffic which upon examination became
immediately identifiable as belonging to AIM+. In version 2.1.1 build 59
(as well as the latest release 2.2 build 63 and probably earlier
releases) an HTTP connection is made to www.big-o-software.com
(63.242.135.29) referencing a PHP script which stores the following
information:

        - AOL instant messenger screen name
        - AIM+ information:
                - all your AIM+ settings
                - AIM+ version
                - AIM+ paths
        - OS and version
        - Computer network name
        - CPU and RAM information
        - Screen resolution
        - Current UID (NT)

        The author of course also gets your IP address and login time
for free from the request. I wrote the author about this issue on
5.6.2002 and have received no response to date.

        There is a simple fix for those who would like to continue using
the software while removing the spyware:

        - Open AIM+.dll from your AIM+ install directory with a hex
editor
        - Locate the string "tracking"
        - Null out the entire URL

        Here are the approximate addresses of the strings to remove in
the latest two releases of AIM+:

        2.1.1 build 59    0x126a0
        2.2 build 63      0x13790

        If you want to be really lazy you can download replacement DLLs
from my website, again for the latest two releases of AIM+:

        http://pedram.redhive.com/advisories/AIM+/

-pedram
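
The hex-editor fix described in the message above, sketched as a script. This is an added example, not part of the original post and not the author's replacement DLLs. It goes one step beyond the post by also scanning for UTF-16LE strings, on the assumption that the URL could be stored in either form. The function names, the sample bytes and the example.invalid URLs are constructed for illustration.

```python
import re
import sys

# An embedded URL is a run of printable bytes. Windows binaries may also store
# it as UTF-16LE (each character followed by a NUL), so both forms are scanned.
ASCII_URL = re.compile(rb"https?://[\x21-\x7e]+")
WIDE_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:[\x21-\x7e]\x00)+")

def find_urls(data, marker="tracking"):
    """Return sorted (offset, length, text) for embedded URLs containing marker."""
    hits = []
    for m in ASCII_URL.finditer(data):
        hits.append((m.start(), len(m.group()), m.group().decode("ascii")))
    for m in WIDE_URL.finditer(data):
        hits.append((m.start(), len(m.group()), m.group().decode("utf-16-le")))
    return sorted(h for h in hits if marker in h[2])

def null_out(data, marker="tracking"):
    """Return (patched_bytes, hits). Each hit is zeroed in place so the file
    size and every other offset in the binary stay unchanged."""
    hits = find_urls(data, marker)
    patched = bytearray(data)
    for offset, length, _ in hits:
        patched[offset:offset + length] = bytes(length)
    return bytes(patched), hits

# Constructed sample standing in for a DLL: one ASCII URL with the marker,
# one unrelated URL that must survive, and one UTF-16LE URL with the marker.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
          + b"http://example.invalid/tracking/placeholder.php\x00"
          + b"http://example.invalid/help.html\x00"
          + "http://example.invalid/tracking/w".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # patch a copy, never the original
        with open(sys.argv[1], "rb") as f:
            original = f.read()
        patched, hits = null_out(original)
        with open(sys.argv[1] + ".patched", "wb") as f:
            f.write(patched)
    else:                                       # demo on the constructed sample
        patched, hits = null_out(SAMPLE)
    for offset, length, text in hits:
        print(f"0x{offset:05x}  {length:3d} bytes  {text}")
```

Run with a file path, it writes a `.patched` copy beside the input and prints the offset of each string it zeroed, which can be compared against the approximate addresses listed in the post.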


