(Courtesy of fravia's advanced searching lores)

(`. Teleport Pro 1.29, malware galore .)
by Faulpelz
published at fravia's searchlores in May 2000

Slightly edited by fravia+

See also Noos' Delving deeper into Teleport Pro 1.29 (October 2000) and Faulpelz's Teleport Pro V1.29 (Build 1107) (January 2001), which replaces and completes this essay.

Foreword:
This is not a 'real' essay, just something I discovered. Maybe this is the start of another new section on fravia's nice new site - I don't know. The importance of this essay does not lie in the detail I discovered, but in the typical problem you have nowadays every time you connect to the internet: you never know what happens in the background... (and this applies to every piece of software and every process that is running on your windoze system).
So, it is nowadays even more important to use some 'tools of our trade' before we go online...
Never trust any tool/application; it may jolly well try to collect data about you and your interests! Funny enough that not only the States, but even the European Union is now trying to criminalize everybody who uses/publishes the 'so-called' cracking/reversing/hacking tools.
If you ask me, I think this is very paradoxical... They should criminalize the commercial bastards who are trying to get every bit of your personal data, not the wondrous tools which are useful to defend yourself against snoopers and spies!

The 'logic' they follow is a very dangerous one: 'If you don't give us your data you have something to hide and the one and only reason for this is that you are a criminal...'

Essay: Subject: Teleport Pro 1.29 (http://www.tenmax.com)

Whenever I install/test new software on my system I do some 'security' checks, especially if the software uses an internet connection (or, to be more precise, if it opens any sockets/ports...). I discovered that Teleport Pro 1.29 connects to www.tenmax.com while you are downloading/mirroring another site. Teleport Pro does not send any data to www.tenmax.com directly (as far as I know...), but it requests the file ROBOTS.TXT from www.tenmax.com and sends in the header of the request 'HOST: thesiteyouaredownloading'.

I would call this indirect sniffing, because this way they know who you are (at least they get your IP) and what site you are downloading/mirroring, and I bet this is more information than you would ever give tenmax voluntarily... They just have to analyse their logfile(s) at http://www.tenmax.com and they have a lot of interesting data about the Teleport Pro users. (I don't think that I have to tell you what you can do with logfiles, if you know how to analyse them...)

A quick solution to block the sniffing code is to simply add "127.0.0.1 www.tenmax.com" to your windows HOSTS file... (don't forget the www part!)
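The pattern described above (a request sent to one server whose Host header names a different site) is easy to spot mechanically once you have the traffic: compare the Host header with the host the TCP connection actually went to. The following Python is an added example, not code from the essay or from Teleport Pro; every "capture" in it is constructed for illustration (the site name www.site-being-mirrored.example, the proxy name proxy.lan and the client IP are made up), and it also shows what the operator of the receiving server can read off an ordinary name-based virtual-host access log, which is exactly the pair of facts the essay calls out: who you are and what you are mirroring.

```python
"""Spot an HTTP request whose Host header names a different site than the
server it was actually sent to -- the 'indirect sniffing' pattern described
in the essay: a request to www.tenmax.com for /robots.txt carrying
'Host: <site being mirrored>'.

Added example, not code from the essay or from Teleport Pro.  All captures
below are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Finding:
    dst_host: str      # host the TCP connection really went to
    path: str          # path requested
    host_header: str   # value of the Host header as sent ('' if absent)
    leaked: bool       # True when the header discloses a third-party site


def parse_request(raw: bytes) -> tuple:
    """Split an HTTP/1.x request into (method, path, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def check(dst_host: str, raw: bytes, proxies: frozenset = frozenset()) -> Finding:
    """Compare the Host header with the real destination.

    A mismatch is expected when the destination is an HTTP proxy (the client
    tells the proxy which origin it wants), so known proxies are exempt.
    An HTTP/1.0 request without a Host header discloses nothing."""
    _method, path, headers = parse_request(raw)
    claimed = headers.get("host", "")
    claimed_name = claimed.split(":")[0].lower()   # drop an optional :port
    dst = dst_host.lower()
    leaked = bool(claimed_name) and claimed_name != dst and dst not in proxies
    return Finding(dst, path, claimed, leaked)


def audit(captures, proxies: frozenset = frozenset()) -> list:
    """Run check() over (destination host, raw request) pairs."""
    return [check(dst, raw, proxies) for dst, raw in captures]


def operator_view(client_ip: str, finding: Finding) -> str:
    """What the operator of finding.dst_host reads off a name-based
    virtual-host access log: the visitor's IP plus the site named in Host."""
    return f'{finding.host_header} {client_ip} "GET {finding.path}"'


# Constructed traffic, not a real capture of Teleport Pro.
MIRRORED = "www.site-being-mirrored.example"
CAPTURES = [
    # 1: the behaviour the essay describes -- robots.txt fetched from the
    #    vendor's server, Host header naming the site the user is mirroring
    ("www.tenmax.com",
     f"GET /robots.txt HTTP/1.0\r\nHost: {MIRRORED}\r\n\r\n".encode()),
    # 2: a legitimate robots.txt check against the mirrored site itself
    (MIRRORED,
     f"GET /robots.txt HTTP/1.0\r\nHost: {MIRRORED}\r\n\r\n".encode()),
    # 3: the same site fetched through a proxy -- a mismatch is normal here
    ("proxy.lan",
     f"GET http://{MIRRORED}/index.html HTTP/1.0\r\nHost: {MIRRORED}\r\n\r\n".encode()),
    # 4: Host carries a port; still the same server, so not a leak
    ("www.tenmax.com",
     b"GET /robots.txt HTTP/1.0\r\nHost: www.tenmax.com:80\r\n\r\n"),
    # 5: bare HTTP/1.0 without a Host header -- nothing to leak
    ("www.tenmax.com", b"GET /robots.txt HTTP/1.0\r\n\r\n"),
]
KNOWN_PROXIES = frozenset({"proxy.lan"})

if __name__ == "__main__":
    results = audit(CAPTURES, KNOWN_PROXIES)
    for f in results:
        flag = "LEAK" if f.leaked else "ok  "
        print(f"{flag} -> {f.dst_host:<32} Host: {f.host_header or '-'}")
    print("vendor log would show:", operator_view("203.0.113.7", results[0]))
```

Only the first capture is flagged; the proxy case shows why a plain "Host differs from destination" rule needs an allow-list, since through a proxy the mismatch is how HTTP is supposed to work. Two caveats on the HOSTS-file fix the essay suggests: it only takes effect if the program resolves the name through the system resolver (a hard-coded IP address would bypass it), and the entry must match the exact name the program looks up, which is the point of the "don't forget the www part" remark.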

Currently I don't have the time to reverse Teleport Pro, but it MAY be useful to check whether there are other hidden 'features' in this tool or not, so if YOU have the time/knowledge to analyse the code of Teleport Pro then you should do so and send your findings to Fravia+.
I am quite sure he will publish them or add them to this small essay. Even if you find nothing else that is suspicious, you should let him know. I will take a closer look at Teleport Pro in the future; for now I can just say: Watch out!

PS: It would be interesting to check what happens if you use a proxy, mirror a password-protected site, sit behind a firewall, etc. There MAY be some routines that are only activated after certain events, so until this tool is completely reversed nearly anything COULD happen to you if you use Teleport. I don't actually know everything: this is an essay that sets a starting point for further developments; other reversers are needed.
I just wrote what I have discovered; everything else is just speculation... Anyway, as I said above, this applies not only to Teleport! Nearly every piece of software or 'agent' (e.g. Winamp) should nowadays be used with care. I am quite sure that in the near future more and more software will hide routines trying to collect as much data about you as they can.
Malware reversing is MORE AND MORE IMPORTANT; please concentrate your reversing efforts on that: only crackers can save the world from the commercial evil spammers!

"I believe in coincidence. Coincidences happen every day. But I don't trust coincidences."
- 'Faulpelz', May 2000


(c) 2000: [fravia+], all rights reserved