Background, What it
I was first alerted to this suspicious-looking program by Mike of
Of The Public, which details the DSSAGENT app and several others on
page. DSSAGENT is a tool that lets software developers push a new splash
screen into a program at any time, e.g. for bug reports and product updates--but
I think it's probably more centered around advertising :( This program
has been seen most often bundled with children's software titles from Mattel
Interactive/Broderbund. I have also had a report of the module being installed
by AOL 6.0 and hammering the DNS server with "MILLIONS" of requests for
"The idea behind Brodcast was that the splash screen didn't have to be static and stay the same for the life of the program. It could be changed when there was some information that the company wanted to pass along to its customers. The availability of new versions or related products or services could be made known on the splash screen."Apparently, the view from the corporate administrator's standpoint is
"I can tell you what dssagent.exe does on a corporate network............it hammers the DNS server with repeated and continuous calls for www.brodcast.net and all other suffixes that appear in your domain suffix search order. Needless to say that Corporate security will be looking at this and other such software."Reports of the DSSAGENT using large amounts of CPU also appear fairly common.
"I am a network engineer for a large pharma corporation. Last week, we noticed certain workstations hitting our internal DNS servers with MILLIONS of requests for "www.brodcast.net". [...] As an example, in a 15 minute trace we took of just DNS and ICMP (in order to find others like this crap)...a station infected with DSSAGENT would send over 10,000 DNS requests to our DNS...that is *1* station."
My attempts to access the
that it connects to have been met with only a "Connection Refused" error
spit out by my ISP's proxy. This program has been reported by various sources
as everything from a "benevolent" software-update notification to a malicious
spy application, and even implicated
in an AOL password-stealing hack, PWSteal. I did manage to find an article
on it at The
Salon, but it couldn't tell me anything useful or provide much in the
way of "hard facts" amidst about 2 pages of editorial and wild speculation
Note: According to Bruce, the program VDO Live Update also installs a file named dssAgent.exe, which may not be related to the Brodcast app.
As is often the case, a significant discrapancy exists between what the company PR stiffs tell you it does and what its unwilling recipients say. Company PR claims that the user is offered the choice to enable/disable DSSAGENT during install. User reports indicate that the agent is installed anyway, regardless of the user's choice. Other users, and even the PR stiffs themselves, have verified that DSSAGENT is loaded onto the system regardless of the user's selection, but company reps claim that the program is loaded in a "deactivated" state, and must still be loaded because it's part of a complete software package. (Ed. note: This tells me that either (A) they're lying, or (B) they have some VERY lazy programmers. Having an installer conditionally install a file is trivial, and the (legitimate) software being installed is not dependent on the DSSAGENT being available.) For what it's worth, the spinsters also claim that the app does not collect personal information.
Infection method and
The program places a reference to itself in your Registry's Run key so that it silently loads every time you start the computer. Since most apps only load via Registry if they have to load before other programs (anti-virus scanners) or have something to hide, I have a hard time trusting this program's intentions.
Fortunately, Mattel has at least seen the error of its ways (sorta) and now provides a DSSAGENT
utility. The program can also be removed manually by finding and deleting
the DSSAgent.exe file on your computer (usually in C:\Windows) and removing
its registry reference.
For anyone who's interested,
here are the addresses it connects to:
FileMonitor log for DSSAGENT - Unlike some other spyware products that tamper with your browser settings, there's nothing in there that looks too suspicious...
article (not too informative, unfortunately)
Note: There is also a
program called "DSS Agent" mentioned in a confusing, densely-worded
press release--but while they share the name, I have the sneaking suspicion
that the DSSAGENT referred to by MicroStrategy is completely unrelated
to the "Brodcast" app.
"All trademarks are hereby
acknowledged as the property of their respective owners." So don't even
THINK about suing me :)