RE: w00w00 on AIM Filter (Backdoors & SpyWare)

I did the modifications to aimfilter so I will offer a little clarification 
on the issue.  What was in the original aimfilter was not anything that was 
overtly harmful to your system.  There were just a few things that provided 
backdoor entries into your machine by the original author.  Following is a 
quick overview of what I removed and what they did:

The query user packet would send a message to Robbie Saunders with the IP 
address of your machine.
The dc packet would open 4 web browsers to various porn sites.
The dc loop packet would send the dc packet in a message over and over, 
until a length of 7900 was reached (max transmission size I guess).
On connect, the software would connect to 2 different sites using Robbie's 
click ID (to generate money for him).  There was also a timer that did this 
same thing.
There was commented code that would send a hardcoded login packet.
All "potentially annoying or malicious" IM sends were removed.  This was 
done to make AimFilter what the name suggests, a filter instead of a tool 
of abuse.
Logging was changed so that remote admin attempts would be logged with the 
offender's handle.
Identifying text was changed slightly to differentiate the original from my 
modifications, tagging it with w00w00 and stating the original was done by 
Robbie Saunders.  There was no stated license, but I tried to maintain the 
credit as best as possible (even though the recipient of that credit had 
potential malintent).

The usernames that it would react to for backdoors were either 
"robbieiship" or "eriksjolund" for query user (IP announce) and just 
"robbieiship" for the dc packet and the corresponding loop.  Other 
usernames that Robbie had that may have been related to the "robbieiship" 
username showed up in the commented-out code, specifically "sobbie raunders".

In closing, the cleanup was done quickly but all offending code/functions 
have been disabled or removed that I found in the few hours I spent 
analyzing and modifying the code.  w00aimfilter should act solely as a 
filter now, instead of anything else that Robbie had intended it to do.  I 
won't get into any debates about his intent nor will I attack him for what 
he coded into the binary, but I will state my opinion on one thing.  Any 
software that is released to the public, or even privately, should do what 
it is advertised to do and nothing else.  People should not be coding 
backdoors, money generation schemes, or other covert options into 
applications.  This should especially not be done without statement to the 
users of said application.  I don't know about the legality of putting such 
backdoors in an application, but I would guess that it would be frowned 
upon by US law at least.  I hope that one thing good comes out of this and 
that is that Robbie realizes that what he did was wrong if not legally, 
then at least socially.

With that, our modifications to aimfilter were made public and hosted from 
our site at http://www.w00w00.org/files/w00aimfilter.zip.  I hope you find 
the modifications useful.  We offer no warranty for the code, but included 
the source with the release so that you can do what you want with it.  Take 
care.

-- from lst @ efnet on behalf of w00w00 Security Development.

/tmy

>---- Forwarded message from Michelle Mueller <muellerm@mtmary.edu> -----
>
>From: "Michelle Mueller" <muellerm@mtmary.edu>
>To: "'Jordan Ritter'" <jpr5@darkridge.com>
>Subject: RE: w00w00 on AIM Filter (Backdoors & SpyWare)
>Date: Tue, 8 Jan 2002 16:08:05 -0600
>
>You mention that the program contained backdoors and spyware, but not
>how to remove those once that filter was installed.  Since I am now
>going to have to do clean up on friends' and family's machines after
>forwarding your suggestion to use the filter on to them, I'd like to
>know exactly what it installs, where it installs it, what it does, and
>if it goes away after uninstalling the filter.  I knew I should have
>listened to my instincts about that filter, but unfortunately I didn't.
>If you can please pass this info on to me I would appreciate it.
>
>Thanks,
>Michelle
>
>
>
>-----Original Message-----
>From: Jordan Ritter [mailto:jpr5@darkridge.com]
>Sent: Tuesday, January 08, 2002 2:43 PM
>To: bugtraq@securityfocus.com
>Subject: w00w00 on AIM Filter (Backdoors & SpyWare)
>
>
>BugTraq readership:
>
>     It has recently come to our attention that AIM Filter, which we
>     recommended as an appropriate temporary solution for the AIM
>     buffer overflows we published, actually contains backdoors and
>     spyware.  This became obvious when the source was released on
>     January 5th, 2002.
>
>     At the time, Robbie Saunders' AIM Filter seemed like a nice
>     temporary solution.  Unfortunately, it instead produces cash-paid
>     click-throughs over time intervals and contains backdoor code
>     combined with basic obfuscation to divulge system information and
>     launch several web browsers to porn sites. We only took the time
>     to verify that it blocked the attack, since an analysis of AIM
>     filter wasn't our priority. Mea culpa.
>
>     In the meantime, we've cleaned up the AIM Filter code and produced
>     a modified version available on our website, and we've removed all
>     the backdoors and spyware.  For those of you who are still
>     interested in using the software, we strongly recommend you use
>     this modified version instead.  You will find it at:
>
>          http://www.w00w00.org/files/w00aimfilter.zip
>
>     We apologize to the security community at large for this mistake.
>     However, we think this is a very apt example of why closed-source
>     programs can be deadly.  You never know for sure what lurks under
>     the hood of a binary executable, and of course U.S. Law (DMCA)
>     forbids you from trying to find out.  Once again, disclosure is
>     your best friend.
>
>     We urge readers to find out more about the DMCA at
>     http://www.anti-dmca.org/.
>
>     We would also like to take this opportunity to provide updated
>     reference information on the original AIM vulnerability, which has
>     now been assigned a CVE Candidate ID: CVE-2002-0005.
>
>
>--jordan and the w00w00 Security Team
>
>
>----- End forwarded message -----


-- Diving into infinity my consciousness expands in inverse
    proportion to my distance from singularity

+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+
| Tim Yardley (liquid@dqc.org)
| http://nmedia.net/~liquid/
+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+
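Added example, not code from the original post, from w00aimfilter or from AIM Filter: a minimal model of the "filter instead of a tool of abuse" behaviour the post describes. Inbound IMs are modelled as (sender, body) pairs, which is a simplification and not AIM's wire format. Messages from the two hardcoded handles named in the post are treated as remote admin attempts, logged with the offender's handle and dropped, never acted on; oversized messages are dropped too, with the 7900-byte cap taken from the length the post mentions as the presumed maximum transmission size. The class and function names, the sample traffic and the size limit are assumptions made for the example.

```python
"""Model of a filter that only filters: classify inbound IMs, log remote admin
attempts with the offender's handle, drop them, and never execute anything on
the sender's behalf.  (sender, body) is a constructed simplification, not the
AIM wire format.  The handles are the ones named in the post; the 7900-byte
limit is an assumption based on the length the post mentions."""
import logging
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Screen names the original binary reacted to, per the post.
BACKDOOR_HANDLES = {"robbieiship", "eriksjolund"}
MAX_MESSAGE_LEN = 7900  # assumption: presumed max transmission size from the post


def normalize_handle(handle: str) -> str:
    """AIM screen names ignore case and whitespace, so compare a canonical form."""
    return re.sub(r"\s+", "", handle).lower()


@dataclass(frozen=True)
class Message:
    sender: str
    body: str


@dataclass(frozen=True)
class Decision:
    action: str            # "deliver" or "drop"
    reason: str
    offender: Optional[str] = None


class AuditingFilter:
    """Classify inbound IMs and keep an in-memory audit trail of dropped ones."""

    def __init__(self, blocked_handles=BACKDOOR_HANDLES, max_len=MAX_MESSAGE_LEN):
        self.blocked = {normalize_handle(h) for h in blocked_handles}
        self.max_len = max_len
        self.log = logging.getLogger("aimfilter-example")
        self.audit: List[Tuple[str, str, str]] = []  # (offender, reason, body)

    def _drop(self, msg: Message, reason: str) -> Decision:
        who = normalize_handle(msg.sender)
        self.audit.append((who, reason, msg.body))
        # Log the offender's handle, as the cleaned-up filter does.
        self.log.warning("dropped IM from %s: %s", who, reason)
        return Decision("drop", reason, who)

    def handle(self, msg: Message) -> Decision:
        # Cheap size check first, so an oversized buffer never reaches later logic.
        if len(msg.body.encode("utf-8")) > self.max_len:
            return self._drop(msg, "oversized message")
        if normalize_handle(msg.sender) in self.blocked:
            # The original binary executed a command here (IP disclosure,
            # browser launches).  A filter only records the attempt.
            return self._drop(msg, "remote admin attempt from hardcoded handle")
        return Decision("deliver", "ok")

    def run(self, messages: Iterable[Message]) -> List[Decision]:
        return [self.handle(m) for m in messages]


# Constructed sample traffic for a stand-alone run.
SAMPLE = [
    Message("alice", "hey, lunch?"),
    Message("Robbie Is Hip", "query user"),   # normalizes to "robbieiship"
    Message("eriksjolund", "query user"),
    Message("bob", "A" * 9000),                # exceeds MAX_MESSAGE_LEN
]


def demo():
    f = AuditingFilter()
    return f.run(SAMPLE), f.audit


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for d in demo()[0]:
        print(d)
```

The point of the ordering is that a filter never dispatches on the sender: a matching handle changes nothing except what gets logged, which is the difference between the cleaned-up version and the original.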

