By Signal 11
Fri Aug 17, 2001 at 03:07:09 PM EST
Tags: Software

I intercepted an attempted auto-downloading (java?) executable off of MSNBC's site. The redirect came from msn.com. The filename was 'ADSAdClient31.0170610', and a quick cull of the binary data reveals several things you can look for to see if your system has been infected with what I suspect to be yet another MS spyware program. Naturally, there is nothing in Microsoft's knowledge base about this.

For now, I'm calling it "Microsoft Ad Client 3.1", after a text string I found in it. It appears to have been released "Feb 3 2000 18:18:01". It appears to be a java module which allows advertiser(s) to create popup windows at specified intervals after viewing the website in question. It may also attempt to gain additional permissions - it has networking code and local file I/O calls in it. I do not have the tools or ability to reverse engineer a compiled java app, however, so I have to guess based on the text strings in the file. I believe the only reason I got to download this file was because the HTTP request was mangled - sadly, I do not have a log of the http headers.

Checking for the following files should give you a good idea on whether or not you've been infected with this: ADSInet.dll, Accipiter.Ini, ADSAdClient31.dbg, ent31.dll and/or the registry entries:
SYSTEM\CurrentControlSet\Services\ADSAdClient31 ADSAdClientPerf31

The program probably employs a GUID to track you uniquely, going by the text strings. It also is likely that it stores copies of advertising on the local computer.

Despite the DMCA, I'm providing a link for you to inspect the code yourself here (260 KB).

Good luck.


Microsoft Ad Client | 25 comments
bouh... (3.20 / 5) (#1)
by neuneu2K on Fri Aug 17, 2001 at 11:13:01 AM EST

I hoped it was java bytecode... but it seems to be a dll.
Too bad... 0
- "And machine code, which lies beneath systems ? Ah, that is to do with the Old Testament, and is talmudic and cabalistic..." - Umberto Eco
Hmmmm (4.00 / 6) (#2)
by ucblockhead on Fri Aug 17, 2001 at 11:15:27 AM EST

I'll look later when I have more time. I'm pretty sure that's not a Java program, though. I see links to the C-Runtime.

This appears to be one class id:


If you don't have that in your registry, you are probably safe.

It is a little premature to say it does the things you say it does. I will play more later.
This is k5. We're all tools - duxup

Depends (4.83 / 6) (#11)
by ucblockhead on Fri Aug 17, 2001 at 12:51:16 PM EST

According to "depends", it uses sockets and multimedia. (winmm.dll, lz32 and ws2_32.dll)

(Though typical Microsoft bloat: it appears to use multimedia solely to get the system time. Go figure.)

As others have said, it is a COM dll for MS.AdClient. However, it also has a bunch of other entry points, so it is obviously meant to be run directly in-process from straight C++ as well.

It implements the IAdClientSSO interface, which has these methods:

  • HRESULT GetAd( [in] BSTR bstrParams, [out, retval] BSTR* pbstrHTML);
  • HRESULT About([out, retval] BSTR* pbstrBuildString);
  • HRESULT GetServerName([out, retval] BSTR* pbstrServerName);
  • HRESULT GetEngineHost([out, retval] BSTR* pbstrEngineHost);

My guess is that it is part of MSN. Do you use MSN? Otherwise, you should have gotten a certificate box warning of the install. (Unless you said "always trust Microsoft" sometime in the past.)

Actually, your story makes it sound as if you were just browsing MSNBC. I suppose that the first time you visited that sight, you clicked "yes" to get their spiffy ActiveX menu, right? Well, that's where this thing probably came from. It is likely a client to let MSNBC show you spiffy ads.

Anyway, without more info about what exactly you were doing when you got this, I can't really say more. I can't run it on my machine because it obviously isn't standalone. It is likely just one of a set of files that were to be downloaded.

I'm fairly certain that this DLL alone is fairly useless to anyone as it seems designed to be directly loaded with LoadLibrary.

Whether or not it is "spyware" is impossible to tell. It is a DLL, and as such, has full rights to your system, like every other DLL. (A java app would not, BTW.) But looking at the parts of the C runtime it hits, it does not appear to me to be writing files. It calls "fopen", "fgets" and "fclose", but no other file io routines. (They could be doing it with stuff other than the C runtime, but it seems to me unlikely that they'd go through such hoops.) It could be reading almost anything, of course, but without seeing logs of what the DLL actually sends and receives, such a claim is premature.

This is k5. We're all tools - duxup

it's not java (4.00 / 8) (#3)
by EricsTrip on Fri Aug 17, 2001 at 11:20:07 AM EST

It's definitely not Java. The string 'Microsoft Visual C++ Runtime Library' and a bunch of Win32 API calls confirm that. So I doubt you'll be able to decompile it.

It's most likely a .dll file. Try this - rename the extension to .dll, right click and check 'properties'. The name is indeed AdClient, released by Microsoft Corp, version number 3,1,0,75. Also, take a look at all the error messages, as they should reveal what it's supposed to do.

I don't know what all that implies, but there you go.

C++ DLL doing something with HTTP (3.16 / 6) (#4)
by TheophileEscargot on Fri Aug 17, 2001 at 11:21:05 AM EST

It appears to me to be a binary DLL, doing something with HTTP.

It contains references to "C++ library" and to HTTP functions.

However, I suspect that the ADS refers to "Active Directory Services" rather than advertisements.

Looks to me like just some random Windows DLL.
Support the nascent Mad Open Science movement... when we talk about "hundreds of eyeballs," we really mean it. Lagged2Death
ADS? nope. (4.60 / 5) (#8)
by Michael Leuchtenburg on Fri Aug 17, 2001 at 12:22:28 PM EST

Well, if you look at the strings in the file, it's pretty obvious that it's not for AD:

Ad request to engine has exceeded the specified time-out value. An ad will be served from the fail-over cache. %1
Unable to get an ad for placement in the high volume ad cache. %1
Unable to get an ad for placement in the fail-over ad cache. %1
Cannot get a connection to the Ad Engine %1. Default house ads will be served until a connection can be reestablished when the network problems go away or the ad engine comes back on line. %1
The rich media ad is too big: %1.
Unable to update the impression counts. %1
Unable to get the default ad (for tracking). %1
The ad used for default tracking is invalid. %1

Looks pretty sinister, doesn't it? :)

It appears to use an ADSInet DLL and have some connection with the name Accipiter. A couple of URLs are present: http://ads.msn.com/ads/adredir.asp http://ads.msn.com/ads/redirect.dll

If you look at this ZDnet story about MS using Accipiter to manage their online ads. Accipiter's website unfortunately appears to be down.

Now, as to whether there is global tracking of the served ads as opposed to just tracking wrt a given server of ads (ie, MS) I can't answer.

BTW, all this was learned in a simple 20 minutes poking through the strings of the file and a little bit of googling.

[ #k5: dyfrgi ]
[ TINK5C ]
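The string-dump reasoning in comment #8 and the import/C-runtime reasoning in comment #11, as an added example that is not part of the original thread: a small Python triage script that pulls ASCII and UTF-16LE strings out of a binary, buckets them into DLL names, URLs, registry paths, C-runtime file calls, COM interface names and build strings, and draws only the conclusions the strings support (network use, read-only vs write-capable file I/O, a service key reference). The sample bytes are constructed for the example and are not the real ADSAdClient31 file.

```python
import re

# Constructed stand-in for an unknown DLL's bytes (NOT the real ADSAdClient31
# file): ASCII and UTF-16LE strings between junk bytes, as in a PE image.
SAMPLE = (b"MZ\x90\x00\x03ws2_32.dll\x00WININET.dll\x00fopen\x00fgets\x00fclose\x00"
          b"\x01\x02http://ads.msn.com/ads/adredir.asp\x00\x7f"
          b"SYSTEM\\CurrentControlSet\\Services\\ADSAdClient31\x00\x00"
          + "IAdClientSSO".encode("utf-16-le") + b"\x00\x00"
          + "Microsoft Ad Client SSO v3.1 Build 075 (RELEASE)".encode("utf-16-le"))

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")          # 4+ printable ASCII bytes
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # 4+ printable UTF-16LE chars
READ_CALLS = {"fopen", "fgets", "fread", "fclose", "ReadFile"}
WRITE_CALLS = {"fwrite", "fputs", "fprintf", "WriteFile", "CreateFileA", "CreateFileW"}
NET_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "winhttp.dll"}

def extract_strings(data):
    # Same idea as `strings`, but also recovers UTF-16LE text (e.g. resource section).
    out = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    return out + [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]

def classify(strings):
    # Bucket strings into the indicator types the thread reasons from.
    r = {"dlls": [], "urls": [], "registry": [], "file_io": [], "com": [], "build": []}
    for s in strings:
        if re.fullmatch(r"[\w.-]+\.dll", s, re.I):
            r["dlls"].append(s.lower())
        elif s.lower().startswith(("http://", "https://")):
            r["urls"].append(s)
        elif s.upper().startswith(("SYSTEM\\", "SOFTWARE\\", "HKEY_")):
            r["registry"].append(s)
        elif s in READ_CALLS | WRITE_CALLS:
            r["file_io"].append(s)
        elif re.fullmatch(r"I[A-Z][A-Za-z0-9]+", s):   # COM interface naming style
            r["com"].append(s)
        elif "Build" in s and s.endswith(("(RELEASE)", "(DEBUG)")):
            r["build"].append(s)
    return r

def triage(data):
    # Only what the strings support: network use, read-only vs write-capable
    # file I/O, and whether a Services\ registry key is referenced.
    r = classify(extract_strings(data))
    return {"uses_network": bool(NET_DLLS & set(r["dlls"])) or bool(r["urls"]),
            "reads_files": bool(READ_CALLS & set(r["file_io"])),
            "writes_files": bool(WRITE_CALLS & set(r["file_io"])),
            "registers_service": any("\\Services\\" in k for k in r["registry"]),
            "indicators": r}
```

Run `triage(open("suspect.bin", "rb").read())` on a real file to get the same kind of summary; a "reads_files but not writes_files" result is exactly the cautious reading comment #11 gives.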

Good point (2.00 / 1) (#10)
by TheophileEscargot on Fri Aug 17, 2001 at 12:41:08 PM EST

I didn't look too closely at the strings in the DLL.

However, when you save it as a DLL it definitely gives the author as Microsoft Corp... why would Accipiter pose as Microsoft?

I did an MSDN search for GetAd, and came up with some references to Commerce Server 3 and site server's advertising services. So, it still looks to me like a server DLL.
Support the nascent Mad Open Science movement... when we talk about "hundreds of eyeballs," we really mean it. Lagged2Death
DMCA provides for reverse engineering (3.75 / 4) (#6)
by Pac on Fri Aug 17, 2001 at 11:49:30 AM EST

It is legal even under your strange law to reverse engineer for interoperability. But many of us are out of DMCA's reach, especially if we follow Alan Cox's advice and take our vacations elsewhere.

Decompiling Java is lamely easy, decompiling C++ not so easy but pretty feasible with the right tools. But I don't think it's necessary.

Just let the little devil loose in a machine behind a firewall and log everything it does, everyone it talks to. That will give you a very good idea about its intentions.

Also, submit this to Slashdot. I love the thought of the flamefest it will issue...

Evolution doesn't take prisoners

It's a COM dll (4.60 / 5) (#7)
by hulver on Fri Aug 17, 2001 at 12:11:09 PM EST

Or an Active X dll whatever they are called now. It's got a few methods.


Calling About returns Microsoft Ad Client SSO v 3. 1 Build 075 (RELEASE), built on Feb 3 2000 at 18:18:01.

Calling GetEngineHost returns nothing.

Calling GetServerName returns my machine name

Calling GetAd crashes the Automation client because I don't know what to pass as the only parameter.

As to what it's for, I really don't know.


Accipiter (3.50 / 4) (#9)
by Ticino on Fri Aug 17, 2001 at 12:25:20 PM EST

I believe that Accipiter is an ad management/bureau software from Engage Technologies. At least that's where I remember the name. I can't find a reference to it at the moment however.

Active Directory (3.00 / 5) (#13)
by abdera on Fri Aug 17, 2001 at 01:16:39 PM EST

I suspect that this is related to active directory services (ADS), probably an active directory client (Adclient) for 9x/NT.

#224 [deft-:deft@98A9C369.ipt.aol.com] at least i don't go on aol

*Definitely* not Java (3.60 / 5) (#15)
by delmoi on Fri Aug 17, 2001 at 01:25:51 PM EST

That's not a java object, for sure. It looks like a regular windows executable, probably a COM object. You've got your unicode ID strings, Registry setting scripts, etc, in the resource section.

But anyway, while it does have the string "Microsoft Ad Client 3.1" in it, I have no idea where you jumped to the conclusion that it lets people pop up ads after the browser is closed... you weren't even able to tell what kind of file it was... and I'm sure you could probably call

By the way, you might want to look into a Microsoft technology called "Active Directory", which Microsoft likes to abbreviate "AD"
"'argumentation' is not a word, idiot." -- thelizman
Active Directory... (2.00 / 1) (#19)
by Signal 11 on Fri Aug 17, 2001 at 02:50:20 PM EST

I have a hard time believing anything to do with Active Directory would be needed for viewing MSNBC.com's site, nor do I think it would need to be setting cookies and making HTTP requests. It just doesn't seem logical.

Society needs therapy. It's having trouble accepting itself.
Well... (3.50 / 2) (#21)
by delmoi on Fri Aug 17, 2001 at 07:04:55 PM EST

From what I've seen programs will sometimes import lots of things even if they only need one function.

However, from reading the other comments, it looks (to me) like it's actually a server-side COM object thing that got misdirected and sent rather than executed; you said the request got mangled, didn't you?

Well, who knows.
"'argumentation' is not a word, idiot." -- thelizman
Active Directory? (none / 0) (#23)
by WWWWolf on Mon Aug 20, 2001 at 06:38:57 AM EST

By the way, you might want to look into a Microsoft technology called "Active Directory", which Microsoft likes to abbreviate "AD"
I thought Active Directory was just a directory service (in Microsoft's glorious "those who don't understand open protocols are doomed to reinvent them poorly" series)... what has that to do with browsing a web site? I already have a web browser, I don't want to find out information about things and people and computers I don't use. =) Suspicious, I'd say...

-- Weyfour WWWWolf, a lupine technomancer from the cold north...

bugtraq (3.50 / 6) (#17)
by cicero on Fri Aug 17, 2001 at 02:00:33 PM EST

Have you thought about sending this to bugtraq?
Maybe emailing one of Microsoft's security lists to ask them wtf this thing is?
Bugtraqers would probably have this thing decoded pretty quick.

I am sorry Cisco, for Microsoft has found a new RPC flaw - tonight your e0 shall be stretched wide like goatse.
Advertising (4.66 / 6) (#18)
by catseye on Fri Aug 17, 2001 at 02:45:04 PM EST

I did a Yahoo search on ADSAdClient31 and came across a number of listings. Most of them came back with URLs like "http://arc3.msn.com/ADSAdClient31.dll?" with a huge querystring. If you go to arc3.msn.com you will see a banner that says, "Microsoft Advertising Technical Operations". Apparently arc1 through arc9 work in the above URL format. All state that you have reached an Advertising Delivery System test page and some have an internal MS link to the AD System ADSTech Web Site at http://adtech. Here are some of the links with the full working querystrings: Link 1 Link 2

Digging a little more, there are a number of references to both Adtech and Microsoft when doing a simple Yahoo search, from education to advertising to adaptive technology for the disabled.

With a little more poking around and clicking on many many more links than anyone would want me to post here, it looks as if this is related to hotmail. Don't hotmail messages have MS advertising in them? This might be their new way of doing it.

To the original poster who found this on his system.... do you use hotmail?

Something different yesterday. (3.00 / 1) (#22)
by Remote on Sat Aug 18, 2001 at 01:10:11 AM EST

This may have absolutely nothing to do with this file, but, anyway...

Yesterday, at work (WinNT 4.0), upon signing off from Hotmail I was, as usual, redirected to MSN's home page. As the page loaded it got all greyed-out (as the desktop does in a Win98 or NT box when you shut the system down). A "dialog box" (not a standard API db, it actually contained an ad) showed up in the middle of the screen, non-greyed. I clicked somewhere outside the box, it went away and the page displayed normally.

I access that account every other day and never saw anything like that. The day before yesterday I downloaded the latest Java plug-in from Sun, so as to be able to see some examples in their tutorial pages, so I assumed this was some Java applet (without the download link ?!) that required some functionality that my machine lacked before. But now that most people say it's definitely not Java...

Hotmail Ad blocking (none / 0) (#25)
by KnightFilm on Fri Jan 17, 2003 at 12:17:57 AM EST

Seems that Microsoft wants you to download the aforementioned dll to allow it to place all those fancy ads in its Hotmail web pages. It seems to be triggered by a simple asp/html call in the page itself and then self-installs with ActiveX or something of the sort. Blocking all of the IP addresses (of which there are numerous) associated with arc1.msn.com - arc9.msn.com seems to take care of the download, although it might leave you with some ugly-ish holes in your Hotmail browser window. Hope that helps!

