ID:182648
 
There's an advertisement banner for "Internet Gamebox" that appears on the forums. It says "Play counter-strike for free!"

Here's a quote from a different forum that also had an Internet Gamebox advertisement appear:


"Internet Gamebox is owned by GAD Network, which is a known spyware supplier. Their setup package, which is needed to play their free online games, reportedly installs a hard-to-remove rootkit. Uninstallation of their software is only possible through a form (bottom of this page). This also makes me wonder about the proper licensing of all the gaming characters they use (Sonic, Mario, Pacman, Donkey Kong, ...)."


Here's also a follow-up post:


"I see the Internet Gamebox ads are still running...

I duplicated one of my Virtual Server images and ran the Internet Gamebox installation on it. I had Filemon running in the background logging newly created files and modifications. The installation created a file named 'noffmmtudd.exe' in the windows\system32 directory and executed it. This file didn't show up in Explorer with 'show hidden/system files' turned on. A registry search didn't find a mention of this file either.

Then I turned off the virtual machine and added the disk as a second (non-booting) disk to a clean virtual machine. The file named 'noffmmtudd.exe' was suddenly visible with Explorer in the windows\system32 directory, along with some data files also starting with 'noffmmtudd'.

After rebooting the infected virtual machine the mentioned files were still not visible in Explorer or the registry. I ran the uninstaller which said it had removed all components of Internet Gamebox.
Loading the disk in the clean virtual machine again showed that the files were still there. I then renamed the exe file.

After rebooting the infected virtual machine the renamed exe and data files finally showed up in Explorer. A registry search came up with 'noffmmtudd.exe' being called on startup.

I hope this proves that Internet Gamebox does indeed install a rootkit. I don't know how to check what the rootkit actually does but it can't be good when it tries to hide itself."



I know the ads are probably being sent indirectly through some advertising company, but is there any way BYOND's staff could contact the advertising company and have them block the said Spyware-promoting advertisements?

~Kujila
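
The cross-view check described in the quoted follow-up post (list the files from the running system, then list the same disk from a clean machine and compare) can be automated. The following is an added example, not part of the original thread; the listings are constructed, the drive letters and the `.dat` file names are assumptions, and only `noffmmtudd.exe` comes from the post.

```python
import ntpath
from collections import defaultdict

# Constructed sample listings (not captured from a real system).
# LIVE: what the running, suspect OS reports (e.g. a recursive dir listing).
# OFFLINE: the same volume listed from a clean machine, mounted as drive E:.
# The .dat names are made up; the post only says data files shared the prefix.
LIVE = r"""
C:\WINDOWS\System32\kernel32.dll
C:\WINDOWS\System32\notepad.exe
C:\WINDOWS\System32\drivers\etc\hosts
"""
OFFLINE = r"""
E:\WINDOWS\system32\kernel32.dll
E:\WINDOWS\system32\notepad.exe
E:\WINDOWS\system32\drivers\etc\hosts
E:\WINDOWS\system32\noffmmtudd.exe
E:\WINDOWS\system32\noffmmtudd.dat
E:\WINDOWS\system32\noffmmtudd2.dat
"""

def normalize(listing):
    """Map drive-less, lower-cased path -> path as listed (Windows paths ignore case)."""
    paths = {}
    for line in listing.splitlines():
        line = line.strip()
        if line:
            _drive, rel = ntpath.splitdrive(line)
            paths[rel.lower()] = line
    return paths

def hidden_from_live(live, offline):
    """Files present on disk (offline view) that the live OS did not report."""
    seen_live = normalize(live)
    return sorted(p for rel, p in normalize(offline).items() if rel not in seen_live)

def group_by_directory(paths):
    """Group hidden files by folder so related files show up together."""
    groups = defaultdict(list)
    for p in paths:
        folder, name = ntpath.split(p)
        groups[folder].append(name)
    return dict(groups)

if __name__ == "__main__":
    for folder, names in group_by_directory(hidden_from_live(LIVE, OFFLINE)).items():
        print(folder, "->", ", ".join(names))
```

Take the live listing immediately before shutting the machine down; files written during shutdown will still appear as differences and need to be ruled out by hand.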
Kujila wrote:
I know the ads are probably being sent indirectly through some advertising company, but is there any way BYOND's staff could contact the advertising company and have them block the said Spyware-promoting advertisements?

I blocked internetgamebox.com from the ad script. It may take a few hours to get into the system. Thanks for the heads-up.