Spyware, Rootkit Maker Stops Distribution

ContextPlus, an adware company implicated in a large number of stealth rootkit infections, has stopped distributing its software, citing concerns over the practices of some distribution partners.

In a brief note posted on its home page, ContextPlus said it is "no longer able to ensure the highest standards of quality and customer care" and will stop further distribution of the "one-to-one desktop marketing" software.

The ContextPlus shutdown comes on the heels of several major lawsuits against adware vendors and a class-action lawsuit that accuses Yahoo of partnering with spyware purveyors to perpetrate syndication fraud against online advertisers.

Even as ContextPlus is placing the blame for the shutdown on software distribution partners, a law enforcement source following the companys operations said there are several high-level investigations into the use of rootkits to hide the existence of spyware programs on infected machines.

"This is one of the most notorious companies out there. Theyre doing all kinds of nasty things on [hijacked] machines," said the source, who requested anonymity because on the ongoing nature of the investigations.

Ziff Davis Media eSeminars invite: Join us on May 11 at 2 p.m. ET to learn critical best practices for e-mail and instant messaging applications, including tips on "hygiene" from Gartner.

Not much is publicly known about the operations. Several domains associated with ContextPlus are registered anonymously or by registrants in France and Poland, and several attempts by eWEEK to contact the company has been unsuccessful.

What is well known, according to Finnish anti-virus vendor F-Secure, is that ContextPlus is the company behind the high rate of Windows rootkit infections.

Two programs distributed by ContextPlus—Apropos and PeopleOnPage—employ what are described as "very advanced rootkit technologies" to evade anti-virus and anti-spyware scanners.

Apropos is a spyware program that collects users browsing habits and system information and reports back to the ContextPlus servers.

Like the typical spyware application, Apropos uses the data to serve targeted pop-up advertisements while the user is surfing the Web.

"Theyre using a very sophisticated kernel-mode rootkit that allows the program to hide files, directories, registry keys and processes," F-Secure chief incident officer Mikko Hypponen said in a recent interview.

The rootkit used by Apropos is implemented by a kernel-mode driver that starts automatically early in the boot process.

When the files and registry keys have been hidden, no user-mode process is allowed to access them.

The Apropos rootkit uses kernel-mode drivers that patch the Windows kernel "at a very deep level," Hypponen said. It also modifies several important data structures and native API functions implemented by the kernel.

Click here to read about the chaotic world of defining spyware.

Beyond the stealthy rootkit techniques, ContextPlus has also reportedly used several tricks to avoid desktop security applications: Security researchers say the company has used polymorphic wrappers that constantly changes the appearance of the spyware file so that every time a user downloads the Apropos program from ContextPlus servers, it looks totally different.

The tactic allows the downloading server to regenerate a new program for every single download, making it near impossible for regular security scanners to find the program on infected machines.

According to statistics released by Microsoft, about 20 percent of all malware deleted by its monthly malicious software removal tool are stealth rootkits.

F-Secure has confirmed a noticeable decline in Apropos detections since the ContextPlus shutdown.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.