funsec mailing list archives
Adware with a rootkit - contextplus.net
From: "Wayne J. Hauber" <wjhauber () iastate edu>
Date: Wed, 16 Nov 2005 13:08:20 -0600
One of our student computer cleaners used RootkitRevealer to find a rootkit with thousands of hidden files. I looked at the system and was surprised to find what looks like adware protected by a rootkit.
The relevant hidden registry entry mentions a website and the rootkit executables:
http://adchannel.contextplus.net/legal-note/nonbranded.html
which returns a little bit of nonsense. There is a cache directory with what looks like thousands of html files. An index file lists the URLs represented in the cache file. McAfee VirusScan was crippled by the rootkit. It was hidden from the OS.
I've attached the registry entry for your reading pleasure. Are any of you familiar with contextplus.net? I haven't seen adware use rootkit techniques before. Is this the first?
Administrative Contact:
Apropos Business Owner
26 Avenue Kleber
Paris, 75116
FR
Phone: +44 7788 718 770
Email: bizdev () peopleonpage com

Wayne Hauber (515) 294-9890
Information Technology Services
IT Security and Policies
109 Durham Center, ISU, Ames, Iowa 50011
wjhauber () iastate edu
Attachment:
reg1.reg.txt
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.