funsec mailing list archives

Adware with a rootkit - contextplus.net


From: "Wayne J. Hauber" <wjhauber () iastate edu>
Date: Wed, 16 Nov 2005 13:08:20 -0600

One of our student computer cleaners used RootkitRevealer to find a rootkit with thousands of hidden files. I looked at the system and was surprised to find what looks like adware protected by a rootkit.

The relevant hidden registry entry mentions a website and the rootkit executables:

http://adchannel.contextplus.net/legal-note/nonbranded.html

which returns a little bit of nonsense. There is a cache directory with what looks like thousands of html files. An index file lists the URLs represented in the cache file. McAfee VirusScan was crippled by the rootkit. It was hidden from the OS.

I've attached the registry entry for your reading pleasure.

Are any of you familiar with contextplus.net? I haven't seen adware use rootkit techniques before. Is this the first?

 Administrative Contact:
      Apropos
      Business Owner
      26 Avenue Kleber
      Paris,  75116
      FR
      Phone: +44 7788 718 770
      Email: bizdev () peopleonpage com
Wayne Hauber (515) 294-9890
Information Technology Services
IT Security and Policies
109 Durham Center, ISU, Ames, Iowa 50011
wjhauber () iastate edu  

Attachment: reg1.reg.txt

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.