MBS / Platte Media Victims' Forum
Author Topic: Curioser and curioser  (Read 3026 times)
ForumFriend
« on: January 30, 2009, 11:19:48 pm »

The activity described here does pose some interesting questions.

Any forum members who are technically minded might like to have a think about what might be going on.  Steve is inviting comments!

"Dedicated to creating a safer internet"

SwampyUK
« Reply #1 on: January 31, 2009, 07:25:47 am »

mmmmm

That looks very very iffy to me by a long way......

Accessing Stephen's hard drives, My Documents and Settings plus other areas........

To me....

That looks like a bit of HACKING taking place.......

NAUGHTY NAUGHTY PLATTE

AH well The Computer Misuse Act looks to be broken.........

Come on Platte what's your game ?

YOU BUNCH OF SAD HACKERS  GET A LIFE YOU MUPPETS

I've said all along they're a bunch of hackers.........

Steve
   
dg
« Reply #2 on: January 31, 2009, 03:11:57 pm »

Whatever is going on clearly should NOT be going on

Billing software should exist for the sole purpose of monitoring online access and producing a bill, it should not require constant access to hard drives and/or the registry. There are UK and European laws designed to prevent this kind of activity so I would suggest Platte are operating here on the wrong side of the law. However, of particular importance, there is a law that allows the reverse engineering of copyrighted software in certain circumstances. I would suggest that this is just that kind of circumstance and despite Platte's protestations that it would be illegal for anyone to either attempt to uninstall their software or attempt to reverse engineer it that quite the opposite is the case and anyone who so chooses and who has the technical skills to do so would be perfectly at liberty legally to reverse engineer and find out exactly what is going on. This is potentially a BIG lawsuit against Platte

However, that is my opinion and it would require a court of law to determine whether I am correct or not. But give me a dose of the Plattes and a big enough pot of money and I would just love to bring this before the courts

jonlewi5
« Reply #3 on: February 02, 2009, 10:33:16 am »

Just been thinking about this again since receiving an email from ForumFriend.

By the way this is all speculation,

but Steve posted on his blog about receiving different information in the "bills" when logging in as guest or any other user account.

Now is it possible that's what the software is doing, could it place a "marker" to know which account downloaded the software to know which bill to display??
But this of course doesn't give reason to go rooting through additional drives.

Also MBS/Platte mentioned their software takes like a digital fingerprint of the computer, using an algorithm (spelling) of their choosing. It may be possible that that's what the software is crawling for, identifiers for the fingerprint, but that leads to the question as to why now and not when the software was first installed??

The second option I think seems more possible, as that could explain them rooting through the registry.

Like I said this is all speculation, I may be way off. This is also me thinking they are operating on the right side of the law here; of course there could be other motives here, or it may just be that they are nosey b*****ds.

Mouse
« Reply #4 on: February 02, 2009, 03:53:01 pm »

Quote from: jonlewi5
> Now is it possible that's what the software is doing, could it place a "marker" to know which account downloaded the software to know which bill to display??
> But this of course doesn't give reason to go rooting through additional drives.
>
> Also MBS/Platte mentioned their software takes like a digital fingerprint of the computer, using an algorithm (spelling) of their choosing. It may be possible that that's what the software is crawling for, identifiers for the fingerprint, but that leads to the question as to why now and not when the software was first installed??
>
> The second option I think seems more possible, as that could explain them rooting through the registry.

I had certainly considered both those possibilities.

1. The 'marker'. I believe that this is actually contained within the pinf.sys file (found in system32); this file is repeatedly referenced when a bill is about to and then does display.

2. The Platte algorithm appears to take only the disk containing the 'C' drive into account in its computation. If I copy my 'C' drive across to a new disk (and fit it as the 'C' drive) I no longer get the bills although I still get the Platte icon. However, changing any of the other disks appears to have no effect whatever. In the case shown on the blog, the Platte software was already running in another account so should have had no need to repeat those checks - although of course it doesn't make them at all in the account where Platte was installed. I'm not sure if it's relevant, but the Documents folder for the Platte account is entirely empty; maybe their software has already worked that out given that I am now 40 days into my 'subscription'.
I have now added a new screenshot to the post which shows my normal administrator account being logged into; Platte's software doesn't check out the various disks at all, just goes straight to the Documents folder. Checking out the disks for a fingerprint would not be too objectionable, but it is hard to see how a Documents folder could ever form part of that algorithm.

I'm beginning to wonder what would happen if I delete the Platte account on the computer.

jonlewi5
« Reply #5 on: February 02, 2009, 04:03:10 pm »

Couldn't agree more on that last but one sentence, there is certainly no need for MBS/Platte to be going anywhere near your "My Documents" folder.

Something I want to quickly check with yourself,

You said about when you copy your C drive? Like dd in Linux (bit for bit copy)? Perhaps part of their algorithm (spelling) takes the serial number of the HDD into account, something like that (I'm just thinking out loud here to be honest), which would stop the bill being displayed??

Like I said I'm just thinking out loud lol

Mouse
« Reply #6 on: February 02, 2009, 04:13:38 pm »

I'm sure you're right. I have Norton Ghost images of my C drive for various stages of the Platte installation through to removal (so yes, bit for bit), hence my ability to 'rewind' to any point I wish (and keep those bills coming) when I'm in a 'Platte' mood. My C drive is very elderly and failed recently. Restoring the Ghost image to a new disk didn't work; I had to dismantle and repair the original drive :( all in the interests of research...

Mouse
« Reply #7 on: February 02, 2009, 04:16:18 pm »

Beyond that of course, as far as the winlogon.exe file was concerned, Platte gave me a flat denial.

dg
« Reply #8 on: February 02, 2009, 11:20:23 pm »

Have you monitored the ports for any outgoing activity that might be unusual? That is, checked to make sure data from your documents folders has not been sent out via one of the UDP ports.

Unfortunately I no longer have the information to hand although if Jon keeps any of my old emails to him he may recall that it was suggested the MBS software hijacked one of the UDP ports and "phoned home". There was specific information on the web at the time which said which UDP port to block on your router and I remember passing that port number to Jon in an email but that's well over a year ago now

jonlewi5
« Reply #9 on: February 03, 2009, 10:18:02 am »

Sorry, I won't have that email still, I tend to reformat like every 2 months lol

I've got VMware now installed on my laptop and desktop, so will be installing XP and Platte software again tonight hopefully, so I'll try and get the port/s used tonight.

Jon

Mouse
« Reply #10 on: February 03, 2009, 10:18:32 am »

Because the computer I've been using to run the Platte software contains my own private files, and because of what I found, I was not happy to leave my PC connected to the 'net while the Platte was on, so the answer is no, I didn't. There was another observation I did make though while the Platte was still connected; I'll be posting about it on my blog in the next day or so.

Mouse
« Reply #11 on: February 03, 2009, 10:28:43 am »

Jon, if you haven't already done so you might find it interesting to have Process Monitor running while you do the install (and the unsubscribe for that matter). I originally saved the data logs for both but managed to lose them at some point when I was doing one of my endless disk overwrites.
« Last Edit: February 03, 2009, 10:35:34 am by Mouse »
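
One way to act on the Process Monitor suggestion above, added here as an example and not part of any forum member's post: it reads a Process Monitor CSV export and separates one process's accesses to the user profile, other drives and the network from the locations it can be expected to use. The process name `billing.exe`, its install folder and every sample row are constructed assumptions; the thread does not name the billing executable.

```python
import csv
import io
from collections import Counter

# Hypothetical names: the thread never gives the billing executable or its folder.
TARGET = "billing.exe"
EXPECTED = (r"c:\program files\billing", r"c:\windows\system32")

# Constructed sample rows in Process Monitor's default CSV export columns.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:18:01.001","billing.exe","1234","CreateFile","C:\Program Files\Billing\bill.dat","SUCCESS",""
"10:18:01.050","billing.exe","1234","ReadFile","C:\WINDOWS\system32\pinf.sys","SUCCESS",""
"10:18:01.200","billing.exe","1234","RegQueryValue","HKLM\SOFTWARE\Example\Id","SUCCESS",""
"10:18:02.010","billing.exe","1234","QueryDirectory","C:\Documents and Settings\Steve\My Documents","SUCCESS",""
"10:18:02.300","billing.exe","1234","CreateFile","D:\","SUCCESS",""
"10:18:02.400","explorer.exe","888","CreateFile","C:\Documents and Settings\Steve\My Documents\a.txt","SUCCESS",""
"10:18:03.000","billing.exe","1234","UDP Send","mypc:1036 -> 192.0.2.10:1036","SUCCESS","Length: 64"
'''

def classify(operation, path):
    """Bucket one event by where it reaches, most specific rule first."""
    p = path.lower()
    if operation.startswith(("TCP", "UDP")):
        return "network"
    if operation.startswith("Reg"):
        return "registry"
    if p.startswith(EXPECTED):
        return "expected"
    if p.startswith((r"c:\documents and settings", r"c:\users")):
        return "user-profile"
    if len(p) > 1 and p[1] == ":" and p[0] != "c":
        return "other-drive"
    return "other"

def audit(csv_text, process=TARGET):
    """Return (counts per bucket, events that leave the expected locations)."""
    counts, flagged = Counter(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process:
            continue  # ignore every other process in the capture
        kind = classify(row["Operation"], row["Path"])
        counts[kind] += 1
        if kind in ("user-profile", "other-drive", "network"):
            flagged.append((row["Time of Day"], row["Operation"], row["Path"]))
    return counts, flagged

if __name__ == "__main__":
    counts, flagged = audit(SAMPLE_CSV)
    print(dict(counts))
    for event in flagged:
        print(*event, sep="  ")
```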

jonlewi5
« Reply #12 on: February 03, 2009, 10:39:04 am »

Will do, I monitored an install of the MBS software, but that was over a year ago so I'm sure things will have changed. I'll try and find my old logger and run it whilst installing.

dg
« Reply #13 on: February 05, 2009, 09:08:44 pm »

Quote from: jonlewi5
> Sorry, I won't have that email still, I tend to reformat like every 2 months lol

Aren't you lucky I archive everything <g>

I found the information I needed, it's UDP Port 1036

If I remember correctly one of the AV sites listed that port as being related to the original MBS installation and suggested the port was being used for spying. Now, I'm not saying they were correct, but it's looking suspiciously like they might have been. Regardless of whether Platte may like to have you believe otherwise it is perfectly legal to monitor your UDP ports for suspicious traffic and port 1036 is usually an "open" port on most systems, meaning it is a huge security risk and often used by spyware