Background, What it is
I was first alerted to this suspicious-looking program by Mike of Voice Of The
Public, which details the DSSAGENT app and several others on its Spyware page.
DSSAGENT is a tool that lets software developers push a new splash screen into
a program at any time, e.g. for bug reports and product updates--but I think
it's probably more centered around advertising :( This program has been seen
most often bundled with children's software titles from Mattel
Interactive/Broderbund. I have also had a report of the module being installed
by AOL 6.0 and hammering the DNS server with "MILLIONS" of requests for
www.brodcast.net.
"The idea behind Brodcast was that the splash screen didn't have to be static and stay the same for the life of the program. It could be changed when there was some information that the company wanted to pass along to its customers. The availability of new versions or related products or services could be made known on the splash screen."
Apparently, the view from the corporate administrator's standpoint is:
"I can tell you what dssagent.exe does on a corporate network............it hammers the DNS server with repeated and continuous calls for www.brodcast.net and all other suffixes that appear in your domain suffix search order. Needless to say that Corporate security will be looking at this and other such software."
Reports of the DSSAGENT using large amounts of CPU also appear fairly common.
Rik writes:
"I am a network engineer for a large pharma corporation. Last week, we noticed certain workstations hitting our internal DNS servers with MILLIONS of requests for "www.brodcast.net". [...] As an example, in a 15 minute trace we took of just DNS and ICMP (in order to find others like this crap)...a station infected with DSSAGENT would send over 10,000 DNS requests to our DNS...that is *1* station."
My attempts to access the server that it connects to have been met with only a
"Connection Refused" error spit out by my ISP's proxy. This program has been
reported by various sources as everything from a "benevolent" software-update
notification to a malicious spy application, and even implicated in an AOL
password-stealing hack, PWSteal. I did manage to find an article on it at The
Salon, but it couldn't tell me anything useful or provide much in the way of
"hard facts" amidst about 2 pages of editorial and wild speculation :).
Note: According to Bruce, the program VDO Live Update also installs a file named dssAgent.exe, which may not be related to the Brodcast app.
Installation controversy
As is often the case, a significant discrepancy exists between what the company
PR stiffs tell you it does and what its unwilling recipients say. Company PR
claims that the user is offered the choice to enable/disable DSSAGENT during
install. User reports indicate that the agent is installed anyway, regardless
of the user's choice. Other users, and even the PR stiffs themselves, have
verified that DSSAGENT is loaded onto the system regardless of the user's
selection, but company reps claim that the program is loaded in a "deactivated"
state, and must still be loaded because it's part of a complete software
package. (Ed. note: This tells me that either (A) they're lying, or
(B) they have some VERY lazy programmers. Having an installer conditionally
install a file is trivial, and the (legitimate) software being installed
is not dependent on the DSSAGENT being available.) For what it's worth,
the spinsters also claim that the app does not collect personal information.
Infection method and removal procedure
The program places a reference
to itself in your Registry's Run key
so that it silently loads every time you start the computer. Since most
apps only load via Registry if they have to load before other programs
(anti-virus scanners) or have something to hide, I have a hard time trusting
this program's intentions.
Fortunately, Mattel has at least seen the error of its ways (sorta) and now
provides a DSSAGENT removal utility. The program can also be removed manually
by finding and deleting the DSSAgent.exe file on your computer (usually in
C:\Windows) and removing its registry reference.
For anyone who's interested,
here are the addresses it connects to:
www.brodcast.net/perl/DSS/querySS.cgi
stage.broder.com:9050/perl/DSS/querySS.cgi
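
The DNS pattern the administrators quoted above describe (repeated lookups for www.brodcast.net, plus the same name with each domain search suffix appended) can be picked out of resolver query logs. The Python below is an added example, not part of the original page or any vendor tool; the log line format (time, client, query name, type), the sample addresses and the threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hostnames listed on this page. A resolver walking the domain suffix search
# order also asks for "<host>.<suffix>", so match those expansions too.
WATCHED = ("www.brodcast.net", "stage.broder.com")
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")  # time client qname qtype (assumed)

def watched_host(qname):
    """Return the watched host a query name refers to, or None."""
    name = qname.lower().rstrip(".")
    for host in WATCHED:
        if name == host or name.startswith(host + "."):
            return host
    return None

def noisy_clients(lines, threshold, window=timedelta(minutes=15)):
    """Map client -> peak count of watched queries in any sliding window.
    Assumes each client's lines arrive in time order."""
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE.match(line.strip())
        if not m or watched_host(m.group(3)) is None:
            continue             # malformed line or unrelated name
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue             # unparseable timestamp
        q = recent[m.group(2)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[m.group(2)] = max(peak[m.group(2)], len(q))
    return {c: n for c, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed sample: a flooding workstation, a slow one, a look-alike name, junk."""
    t0 = datetime(2001, 3, 5, 10, 0, 0)
    names = ("www.brodcast.net", "www.brodcast.net.corp.example.com.")
    out = [f"{(t0 + timedelta(seconds=15 * i)).isoformat()} 10.1.4.23 {names[i % 2]} A"
           for i in range(40)]
    out += [f"{(t0 + timedelta(minutes=20 * i)).isoformat()} 10.1.4.60 WWW.Brodcast.NET A"
            for i in range(3)]
    out += [f"{t0.isoformat()} 10.1.4.50 www.brodcast.network A", "garbage line"]
    return out

if __name__ == "__main__":
    print(noisy_clients(sample_log(), threshold=25))
```

Matching on the host followed by a dot catches the suffix-expanded names without also flagging look-alikes such as www.brodcast.network.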
More
FileMonitor log for DSSAGENT - Unlike some other spyware products that tamper
with your browser settings, there's nothing in there that looks too suspicious...
Links
Privacy Power! Reference
Slashdot discussion
Salon article (not too informative, unfortunately)
Note: There is also a
program called "DSS Agent" mentioned in a confusing, densely-worded MicroStrategy
press release--but while they share the name, I have the sneaking suspicion
that the DSSAGENT referred to by MicroStrategy is completely unrelated
to the "Brodcast" app.
"All trademarks are hereby
acknowledged as the property of their respective owners." So don't even
THINK about suing me :)