Slashdot Mirror


Spyware Based ID Theft Ring Uncovered

phaedo00 wrote to mention an Ars Technica article discussing a massive identity theft ring uncovered by security software firm Sunbelt. From the article: "According to one of their employees, Alex Eckelberry, during the course of one of their recent investigations into a particular Spyware application--rumored to be called CoolWebSearch--they've discovered that the personal information of those 'infected' was being captured and uploaded to a server."

143 comments

  1. Bound to happen eventually by magicchex · · Score: 1, Insightful

    Not surprising. Also, this is one spyware app I find almost every time I "fix" someone's computer. It's very widespread among those who are idiots with their security.

    --
    How many fulltime jobs can one man have?
    1. Re:Bound to happen eventually by sound+vision · · Score: 1

      CoolWebSearch does seem to be one of the more prevalent infections, like the flu.

    2. Re:Bound to happen eventually by CdBee · · Score: 1

      Concur. It's widespread in the UK too.

      That said, we Brits have a reputation for being heavily infected, as our ISPs don't do what a lot of US ISPs consider standard practice, and either issue a router or block RPC ports 135-139 and 593.

      I'm surprised that so common an infection could be linked to organised crime and nobody realised until now though. I think I'll go and hit all my MSN communities with a warning about this...

      --
      I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
    3. Re:Bound to happen eventually by notsoanonymouscoward · · Score: 1

      Yup. And it's a pain in the @$$ to fully remove. You basically have to drop into safe mode to fully rip that sucker out.

      --
      I ate my sig.
    4. Re:Bound to happen eventually by Dunbal · · Score: 0, Troll

      That said, we brits have a reputation for being heavily infected,

      Not as much as Africa. Oh wait, what infection are we talking about here?

      --
      Seven puppies were harmed during the making of this post.
    5. Re:Bound to happen eventually by CaptnMArk · · Score: 4, Informative

      LOL

      It is funny how many people run anti-virus and anti-spyware software to clean up the mess while viruses and spyware might still be running on their machines.

      The only correct procedure is to boot from CD (or other read-only media, or perhaps move the disk to another machine, being very careful not to run anything from it).

      Then you verify hashes of all non-data files with known good values (easier said than done).

      Handling messy file formats where code and data are mixed (Word, Excel and to some extent HTML) is problematic too.

      Of course, an OS that can be actually booted from CD and has a real packaging system makes this much easier.

    6. Re:Bound to happen eventually by WindBourne · · Score: 1

      I would assume that all the spyware is actually uploading info. What does it matter if they do it directly or indirectly? Given that something was written to indirectly infect you, you know they are up to no good.

      What is amazing is that people accept that as being ok.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    7. Re:Bound to happen eventually by michael186 · · Score: 1

      Oh wait, what infection are we talking about here? Harsh but true.

    8. Re:Bound to happen eventually by TheSpoom · · Score: 1

      This is *the* spyware program right now. It used to be Gator (as that was included with Kazaa and many other popular programs) but CoolWebSearch has, at last glance (I no longer do tech support for a living), vastly surpassed it for number of infected PCs.

      If you happen to be in the unfortunate majority infected by it, download CWShredder (free) to get rid of it, then get something like Ad-Aware to get rid of anything else you might have gotten along with it (as spyware often gets installed in packs, so to speak).

      By the by, if you'd like to slashdot these people a bit, here's the CoolWebSearch website, though I obviously don't condone anything like that. ;^)

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    9. Re:Bound to happen eventually by petermgreen · · Score: 1

      Agree it's best practice to scan from outside the infected environment if possible, but it's often not very feasible with Windows.

      Also, most of the problems on Windows are well-known viruses. Cleaning up what you believe is a deliberate attack on YOUR system would obviously justify far more care.

      --
      Note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register.
    10. Re:Bound to happen eventually by Anonymous Coward · · Score: 0

      root@localhost:/home/userthree# apt-get install CWShredder
      Reading Package Lists... Done
      Building Dependency Tree... Done
      E: Couldn't find package CWShredder

      Helllp! I'm vullllnerable!

    11. Re:Bound to happen eventually by CdBee · · Score: 0, Troll

      bad teeth, I guess.

      --
      I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
    12. Re:Bound to happen eventually by 51mon · · Score: 3, Interesting

      "Also, most of the problems on Windows are well-known viruses. Cleaning up what you believe is a deliberate attack on YOUR system would obviously justify far more care."

      I thought the whole point of the article was that the common malware may be being used for uncommonly nefarious purpose. Just because 10,000 people got hit by the same malware doesn't make it any less specific a threat to you. The "My city got hit by a nuke, so it is okay as they weren't targeting me personally" logic.

      People have to learn that as soon as someone finds a way to get malware on your box it is effectively game over. If one person does it undetected, so can someone else. Reinstall.

    13. Re:Bound to happen eventually by Anonymous Coward · · Score: 0

      Sorry, you have NOT dealt with substantial spyware problems to suggest what you did. Running what amounts to a bad, half-implemented tripwire scheme won't cut it.

      Your own procedure would miss spyware that runs from a startup file (a plain data file which you exempt from a hash check) that calls a separate program to re-install itself, a common practice. Furthermore, hash checks mean crap if you don't do a file comparison listing, which you don't even include as part of a sane procedure.

      IOW, your own procedure would miss spyware that gets called plainly due to a registry Run key (I forget the path--Local Machine, Software, Microsoft, Windows, Run I think--IE Plugin Ltd. does this). Furthermore, a hash check on the registry would mean little because the registry is changed and modified on the fly so much, the hash would likely never match even if nothing bad had occurred. (This is not an OS debate to run Linux, even though one should; we are talking within the criteria of removing spyware from an OS, which is widely a Windows dominated problem.) You could run a hash check or simple comparison check on susceptible parts, but usually those ARE data files; you don't exempt them as you suggest.

      Further, this has little to do with a clean drive. A clean drive is part of a best practice formula, but is neither necessary nor sufficient. As long as your spyware program is not compromised, running from a clean boot disk as you suggest does squat except waste time. Your anti-spyware program is not going to suddenly gain some additional ability running from a clean drive versus an unclean drive to identify and remove spyware. Anti-spyware programs check for running processes that will compromise it which they know about; a clean disk minimizes that impact because there would be no such process but if it was going to be avoided in the first place, the anti-spyware program isn't going to see it anyways and upon reboot, the spyware will still be there.

      I say little because there is an advantage though if your spyware or virus is that smart to make a running process to gloss over itself. Virii and spyware programs usually are not that smart; they only appear to be because the anti-whichever software is stupid and isn't going to check the memory contents and running processes for them in the first place, which if happens, means your anti-whatever software wouldn't ID the virus or spyware in the first place.

      It's simple to test all this. You run your software without rebooting. Reboot, and run the anti-spyware, note the results. Then do the same running from a clean boot disk and compare to the second. The third run will find nothing *different* from the second run.

      IOW, having the most comprehensive anti-spyware data set will reduce spyware far better than a lame hash check or some ridiculous run from a clean drive suggestion. This is why most people in the know will up their browser security settings, run at least both Spybot and Adaware, most will also run WinPatrol and BHOdemon. Most will immunize with SpywareBlaster and check things with HijackThis. Others will additionally use Norton and/or use the tools at housecall.trendmicro.com.
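
CaptnMark's read-only-boot procedure above (verify hashes of non-data files against known-good values) and the reply's critique that a hash check without a file comparison listing, or one that exempts startup data files, misses re-installers: an added example, not code from either poster, of what such a baseline check looks like. It assumes a constructed directory tree with SHA-256 manifests; the executable extension list and the watched startup file names are assumptions for the example, and registry keys are out of scope, as the critique notes.

```python
import hashlib
import tempfile
from pathlib import Path

# "Non-data" files (executable code) in the sense of the post; this extension
# list is an assumption for the example, not an authoritative one.
CODE_EXTS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl"}
# Plain data startup files that the critique says can still relaunch malware;
# hash them in full rather than exempting them (assumed names).
WATCHED_NAMES = {"win.ini", "system.ini", "autoexec.bat"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every tracked file under root.

    The manifest is meant to be produced from the disk while booted from
    read-only media, and the baseline copy stored off the suspect machine.
    """
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() in CODE_EXTS or path.name.lower() in WATCHED_NAMES:
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Hash check plus the file comparison listing the critique asks for.

    'modified' is what a plain hash check catches; 'added' (new binaries) and
    'missing' (dropped or replaced files) only show up by listing both sides.
    """
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Build a constructed tree, snapshot it, alter it, and diff the snapshots."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        constructed = {
            "system32/kernel32.dll": b"known-good dll bytes",
            "system32/notepad.exe": b"known-good exe bytes",
            "win.ini": b"[windows]\nrun=\n",
            "readme.txt": b"plain data, deliberately not tracked",
        }
        for rel, data in constructed.items():
            (root / rel).write_bytes(data)
        baseline = build_manifest(root)

        # Constructed changes standing in for what a later snapshot might show:
        # a replaced system binary, an unknown new binary, a removed binary,
        # a changed startup data file, and an untracked data file edit.
        (root / "system32/kernel32.dll").write_bytes(b"replaced dll bytes")
        (root / "system32/helper.exe").write_bytes(b"unknown new binary")
        (root / "system32/notepad.exe").unlink()
        (root / "win.ini").write_bytes(b"[windows]\nrun=c:\\placeholder-loader.exe\n")
        (root / "readme.txt").write_bytes(b"changed, but not in the manifest")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Everything outside CODE_EXTS and WATCHED_NAMES is invisible to this check, which is exactly the gap the critique is pointing at; widen the tracked set rather than trusting a clean result on an untracked file.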

    14. Re:Bound to happen eventually by Master+of+Transhuman · · Score: 2, Interesting

      Yup - that's pretty much the process I use for cleaning client machines.

      The only problem is when the client machine is so hosed you can't run anything without booting from a CD using Bart's PE or Windows Ultimate Boot CD. I usually have to try that first, running Ad-Aware from Bart's to get enough spyware off that I can then boot the machine and install the rest of the anti-spyware stuff and run it.

      If necessary, I boot into Safe Mode as well and run a scan.

      Neither of those catches running processes, though, so a scan with the machine in normal mode is usually necessary.

      I intend to help with that problem by setting up a system to boot Windows 98 from a USB HD and running from there if I can. I specifically want Windows 98 because some client machines are too weak in RAM or CPU to boot Windows XP from Bart's.

      After I clean off the majority of spyware with Ad-Aware and Spybot Search and Destroy, I run HijackThis, a full AV scan AND a trojan scan using TDS-3. That leaves only the crap that NONE of these things can get rid of, which entails manually inspecting running processes, identifying the crap and killing them and then removing their keys from the Registry manually - usually only a couple malware need this treatment.

      When I get done, the system is clean. Then I install SpywareBlaster and Kerio Personal Firewall, and tell the client to use Firefox and Thunderbird from now on, and keep the spyware stuff updated and run it once a week and just default to removing everything they find (except HijackThis - I don't let the client run that.)

      Haven't had to do a reinstall yet, but I wouldn't be surprised if it has to be done on somebody's machine sooner or later. Some of these people have literally hundreds or even thousands of spyware and dozens of - up to over a hundred - trojans.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    15. Re:Bound to happen eventually by Anonymous Coward · · Score: 0

      WinPE, BartPE, and Khauyeung are what to search for on P2P. There are some great tools out there.

    16. Re:Bound to happen eventually by Anonymous Coward · · Score: 0

      Gee, why didn't a few other billion people think of that? Maybe because the systems we have, despite their flaws, are the systems we have.

      I am certain that, had you been there at its creation, you could have offered many suggestions for the better ordering of the universe.

      And yes, I cribbed the quote from Alphonse the Wise.

    17. Re:Bound to happen eventually by Grakun · · Score: 1

      If everyone got hit by the same malware, and you had several labs reverse engineer it to find out exactly what it does and how to effectively remove it, then you know everything it does and how to remove it. On the other hand, if someone deliberately attacks your system and succeeds, you have no way of knowing what other backdoors they may have left.

      Sure, there are exceptions to that. Although, just because Joe Sixpack was infected with some common spyware, he doesn't necessarily need to reformat and start over.

  2. CoolWeb Search? by slicenglide · · Score: 1

    Dude, that is so not cool.

    --
    John Walsh once found me while looking for some other kid. He was not amused.
    1. Re:CoolWeb Search? by Nom+du+Keyboard · · Score: 1

      I have been smacked in the ass 0 times for posting incorrect information.

      Is that 0 times today so far?

      --
      "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    2. Re:CoolWeb Search? by Anonymous Coward · · Score: 0

      Where are those Russian anti-spammers when you need them?

    3. Re:CoolWeb Search? by slicenglide · · Score: 1

      Haven't been smacked yet... so, today, yesterday, and in a long time.

      --
      John Walsh once found me while looking for some other kid. He was not amused.
    4. Re:CoolWeb Search? by Dachannien · · Score: 2, Insightful

      As a general rule, spyware apps have the lamest titles ever to grace a program. Run Spybot S&D - it lists the name of each piece of software as it looks for them, and every last one of them has a stupid name.

    5. Re:CoolWeb Search? by Anonymous Coward · · Score: 0

      I bet this morning, it was o times, or maybe even . times, and now it's O times...

  3. CWS by IconBasedIdea · · Score: 2, Interesting

    This is something that has been around for years, no? I haven't run windows in 3 years, but I remember removing CWS many, many times over the years...

    1. Re:CWS by jdwest · · Score: 1

      It was a CWS infection in July 2003 that made me realize I was working for my computer, instead of the other way around. That one piece of malware did more to make me appreciate Linux and OS X than any MS marketing material could ever hope to overcome.

      --
      Lorem ipsum dolor sit amet ...
    2. Re:CWS by MrShaggy · · Score: 1, Insightful

      I agree with the other responder. It's why I jumped back into Linux as a home machine. It had become a daily thing. Run 2 hours a day of scans. I was on a Win2k box. I haven't had any such problems since.

      If I didn't know any better I'd think that MS leaves things like that unpatched to force you to upgrade to the latest and greatest.

      --
      I have mod points and I am not afraid to use them.
    3. Re:CWS by fbjon · · Score: 1

      I wish I could share your experience, kind of. I've never encountered a bad infection on any machine I've owned. My Windows machines don't really crash that often, and work rather nicely. I'd like some incentive to switch.

      Speaking of which, does anyone know of a good tracker (modern, full-featured, MIDI, arbitrary channels, like Renoise) for linux?

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    4. Re:CWS by Anonymous Coward · · Score: 0

      Have you looked at SoundTracker http://www.soundtracker.org/ ?

    5. Re:CWS by Anonymous Coward · · Score: 0

      Maybe he meant one that's not 20 years old when he said "modern"!

    6. Re:CWS by fbjon · · Score: 1

      Egads! Almost, but it only supports MOD and XM formats. That's good for a start, but way the hell old stuff by now... :(

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
  4. Oh Really? by Nom+du+Keyboard · · Score: 1

    One can only speculate about why someone would do such a thing

    That's about as dumb a statement as I can expect to see in print this week. We know why someone would do it. Information is valuable in many different ways. Get a clue!

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:Oh Really? by Anonymous Coward · · Score: 0

      I'm fairly certain that was a tongue-in-cheek stab at journalistic impartiality. You know, innocent until proven guilty and all that jazz...

  5. hmm... by Anonymous Coward · · Score: 0

    Gotta love em.

  6. bounty hunters by ILKO_deresolution · · Score: 0

    i want some cash

    --
    I tiptoe like rats on vogue runways.
  7. Wow... by HyperShadowDC · · Score: 1, Funny

    I have had to delete this numerous times on my parents' computers... I'm gonna have to go and make sure it's still not on there.

    1. Re:Wow... by azrane2005 · · Score: 1

      I'm gonna have to go and make sure it's still not on there.

      Give a man a fish, and he eats for a day, teach a man to fish, and he eats for a lifetime.

    2. Re:Wow... by Ponzicar · · Score: 1

      More than a few members of older generations are so baffled by computers that there's little you can teach that they'll be able to understand. Best thing to do is add passive protection, like a hosts file, an antispyware app with real-time protection, a firewall, etc.

  8. been around for years... by cmaxwell · · Score: 1

    Didn't the old Prodigy service (a competitor to Compuserve, in the days before AOL) get a bad rap for a similar offense? Grabbing personal info and uploading it back to the Borg?

    1. Re:been around for years... by EvilMonkeySlayer · · Score: 1

      The borg are now into stealing personal information?

      Man, ever since Braga and Berman got their hands on the franchise it's been nothing but downhill!

      Now they've got the Borg stealing people's personal information.

    2. Re:been around for years... by Detritus · · Score: 1

      Prodigy got in trouble because people found personal information inside its cache files. It turned out that the only reason that information was present was because prodigy's software didn't initialize the contents of the cache files when they were created. They contained whatever random junk that had been left behind by other software. They weren't spying on their users.

      --
      Mea navis aericumbens anguillis abundat
    3. Re:been around for years... by Mister+Transistor · · Score: 1

      That, and the other big black eye they got in the public opinion was for editing and deleting forum posts that had any anti-Prodigy sentiment or were complaining about the censoring of posted content.

      I think there were even an/some court case(s), and IIRC it was decided that since they run a private forum they can edit any content they want to, and your "speech" there is not 1st Amendment protected. That was about the same time it started to dawn on most people that email and such on other people systems or business networks is NOT PRIVATE nor protected in any way.

      P.S. Love your nick - reminds me of:

      Q. What do you call the little pieces of automobiles you find on the side of the road?
      A. Detroitus!

      --
      -- You are in a maze of little, twisty passages, all different... --
    4. Re:been around for years... by strikethree · · Score: 1

      His nick, Detritus, is the name of a character from Terry Pratchett's Discworld. It's turtles all the way down...

      strike

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
  9. as intended by Anonymous Coward · · Score: 2, Insightful

    Isn't this exactly what all spyware does?
    Hence the name "spyware".

  10. It does WHAT? by BandwidthHog · · Score: 3, Interesting

    Let's see how much attention this gets in middle America. The level of histrionics will be a good indicator of what proportion of the public was consciously aware that spyware actually, you know, spies on you.

    --
    Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
    1. Re:It does WHAT? by Nom+du+Keyboard · · Score: 1

      WARNING: This post may contain material on Gravity. Universal Gravity is a theory, not a fact.

      --
      "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    2. Re:It does WHAT? by BandwidthHog · · Score: 1

      Heh. I'd chuckled at your current .sig when I saw it around, but never made the connection. Here's a sneak preview of next year's model.

      --
      Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
  11. How is this news? by I.M.O.G. · · Score: 2, Informative

    CWS has been around and is greatly prevalent... There are very well developed tools to remove infections also, as manual removal of this one is VERY complicated.

    You can download the original removal tool here (no longer updated): http://www.majorgeeks.com/download4086.html

    You can download the currently maintained removal tool here, as InterMute took over development from Merijn and was acquired by Trend Micro: http://www.majorgeeks.com/Trend_Micro_CWShredder_d3019.html

  12. Misinformation? by LFS.Morpheus · · Score: 4, Informative

    If you RTFA, you find that what they really found was that CoolWebSearch (or, more accurately, one of its variants) sends sensitive information to a server. There is no information that they have uncovered a "massive ring" of people involved. They have contacted the FBI and they'll be responsible for finding those responsible.

    I did some research on CoolWebSearch (or "CWS") which is a pretty common spyware app, and it seems there are tons of variants. The majority of these apps are designed to get you to coolwebsearch.com in order to create affiliate money for the variant's creator - or at least that was the original idea. My guess is that only some of these variants capture privacy information.

    More information on CWS is available from:
    http://en.wikipedia.org/wiki/CoolWebSearch
    http://www.google.com/search?q=CoolWebSearch

    --
    The space unintentionally left unblank.
    1. Re:Misinformation? by Anonymous Coward · · Score: 0

      They have not heard back from the FBI, but since
      they posted their findings to a blog, and it
      gets slashdot coverage, the criminals stealing
      personal information have been properly alerted.

      In other words, don't bother. SunBelt blew
      it for law enforcement. Good job, guys.

    2. Re:Misinformation? by Anonymous Coward · · Score: 2, Interesting

      Did anyone else read http://en.wikipedia.org/wiki/CoolWebSearch?

      I very much disagree with the statement at the end: "Microsoft Windows' System Restore, which is a Windows utility that restores some registry keys and some settings in Windows, can remove some, but not all, variants of CoolWebSearch, if there is still a restoration point. To be safe, use System Restore as a last resort as some files will remain if you use that utility."

      I posted this in the discussion section:

      "Notes from a traveling computer technician: System Restore rarely works; in fact in most of the cases I've seen you cannot remove CWS until the System Restore is deleted (via System Properties). The CWS hides in the System Restore and then re-infects the system on reboot after you delete it from the system32 directory (or wherever on the system). System Restore is not a good option for virus removal, or for anything for that matter (maybe hardware problems?). I usually remove CWS by first turning off System Restore, and then deleting temp files with CCleaner (within each user). After that, I use AVG (www.grisoft.com or free.grisoft.com), Ad-aware, HijackThis, msconfig, sometimes CWShredder, and sometimes About Buster. I'll usually have to remove some programs in Add/Remove Programs as well. It's hard these days to tell what's CWS and what's other spyware/adware/viruses because CWS pulls in so much other junk. One other thing to note is that Norton does not work for this! McAfee usually will and I think Avast does too, but Norton completely drops the ball on this one."

      Does anyone else have thoughts on the matter?

    3. Re:Misinformation? by Anonymous Coward · · Score: 0

      It makes sense. If XP Lite can hijack the Windows File Protection system to prevent service packs and other Windows updates from re-installing components you removed, why couldn't CoolWebSearch and other spyware do the same to prevent you from uninstalling it?

    4. Re:Misinformation? by RAMMS+EIN · · Score: 1

      ``They have contacted the FBI and they'll be responsible for finding those responsible.''

      And if they fail, the ones responsible for finding the ones responsible will be sacked. And if the ones responsible for getting the ones responsible for finding the ones responsible sacked fail, they will be sacked. And the new write-up on CWS will be completed at great expenses and in a completely different style.

      --
      Please correct me if I got my facts wrong.
  13. CWS claimed "affiliates" do it... by Tuxedo+Jack · · Score: 4, Informative

    But they're basically commissioning it with their PPC search engine model.

    Also, if you've not read up on CWS and what they do - and how they do it - read this:

    http://merijn.org/cwschronicles.html

    Merijn's the original developer of CWShredder, and while his recording of CWS stops at the original about:blank strain, that's enough to tell you what kind of scum pull this.

    Disclaimer: I use CWShredder in my work on SpywareInfo's antispyware boards.

    --
    Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
    1. Re:CWS claimed "affiliates" do it... by loraksus · · Score: 1

      Let's not forget that the writers of CWS have placed several pages on the Internet that say that Merijn was the creator in an apparent attempt to flood his inbox with complaints.

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  14. It took this long why? by llamaguy · · Score: 1

    C'mon. This has been around for years. Has no one ever happened to turn on a packet sniffer or something while CoolWebSearch was active and seen some dodgy traffic? And CWS is pretty well known. I'd bet it's been deconstructed at least once. And if someone's taken the time to reverse-engineer it, I'm sure they'd look through the code they got back, and notice that there were some socket writing subroutines.

    --
    HAH! I just wasted a second of your life making you read this, but I wasted a minute of mine thinking it up. DAMN.
    1. Re:It took this long why? by Ponzicar · · Score: 1

      CWS is a large family of adware/spyware and numerous variants. Most likely this is a recently discovered version.

  15. Pedantic comment by SA+Stevens · · Score: 1, Funny

    How can it be called ID Theft if the original owner still has his identity?

    1. Re:Pedantic comment by Dunbal · · Score: 4, Funny

      How can it be called ID Theft if the original owner still has his identity?

      You're right. It sounds more like ID Piracy arr arr...! That's good, everyone knows the penalties for piracy are much steeper than those for theft...(ducking).

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Pedantic comment by Anonymous Coward · · Score: 0

      You know, this troll gets more tired every time I see it.

    3. Re:Pedantic comment by Dunbal · · Score: 1

      Imagine a beowulf cluster of trolls...

      --
      Seven puppies were harmed during the making of this post.
    4. Re:Pedantic comment by Anonymous Coward · · Score: 0

      Besides, who'd steal Intelligent Design?

    5. Re:Pedantic comment by grassy_knoll · · Score: 1

      That's good, everyone knows the penalties for piracy are much steeper than those for theft...(ducking).


      And pirates are very easy to detect!
      if (-e $parrot ){
          arrest_pirate();
      };
      [badum-ching]
    6. Re:Pedantic comment by Anonymous Coward · · Score: 0

      You shouldn't make jokes about identity theft. I was a victim and I can tell you it's no laughing matter, it can really ruin your life. Now I don't know who I am.

      The worst part is that I'm stuck posting at Score 0.

  16. CoolWebSearch is nasty by IvyMike · · Score: 1

    If you haven't heard of it before, CoolWebSearch has reigned as one of the nastier pieces of spyware for quite a while now. It's hardly surprising they would sink this low.

  17. Duh... it's spyware by dbamps · · Score: 1

    Ow wait, they stole passwords and such too... Nice, maybe this will make things more clear for some people:

    spyware = criminals

  18. Hang them from lamp posts by loraksus · · Score: 3, Interesting

    CoolWebSearch is among - if not the most - annoying, underhanded, and pain-in-the-ass-to-remove spyware apps out there.
    Not only were most people infected via a security exploit in MS Java, they constantly release updates that break or modify spyware removal programs and Windows utilities such as msconfig and regedit, as well as blocking the sites on which the removal tools are hosted.

    I have no problem with the book being thrown at these punks.

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  19. Really by Saeed+al-Sahaf · · Score: 0, Flamebait

    I'm fairly certain that was a tongue-in-cheek stab at journalistic impartiality.

    And it sounded like it came from the pompous ass of Comic Book Man. Some people just need to get over themselves.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  20. Windoze by daviq · · Score: 0

    And this is why you should use a better OS than Windoze, as there is no spyware, and therefore no ID theft or processor-consuming programs.

    --
    Go to the w3.org and put Slashdot.org through the validator.
    1. Re:Windoze by Allison+Geode · · Score: 1

      Yeah, there's also no "software" on those "better operating systems." Some of us enjoy our games, and our mainstream applications that we use at work, and don't have the time, money, or patience to build a second box for that purpose. Wouldn't it be better if these idiots were held responsible for their BS? Oh, and don't forget the biggest reason those other OSes have less of this crap: the reason is because there aren't enough users for it to be a worthwhile endeavor. Want viruses, trojans, and spyware on your Linux box, or your Mac? Keep advocating other non-Windows operating systems, and maybe, if large groups of people hear you and migrate, you'll get it. What you have now is "security through obscurity," but when Linux (or Mac, or whatever) becomes the mainstream, you'll see what less-vigilant Windows users have struggled with for years. The best available solution is a good firewall, good spyware cleaner, good antivirus, and a bit of common sense that, no, you really shouldn't install every neat little gadget without knowing what you're putting in your box. A non-existing, ideal solution would be castrating these jerks who put this crap on other people's computers (which I then have to clean off), or if these people would just learn a way to make money that didn't involve other people's time being wasted... but saying that "oh, you should migrate over to this other platform" is not a good answer, because most people don't have the know-how to make another platform work, or they need the software available on the platform they're on.

    2. Re:Windoze by inode_buddha · · Score: 1

      Actually, I agree with you; asshats that make and use spyware should be found and held responsible for it. Same goes for SPAM. That said, I walked away from MS altogether about a decade ago, and I don't think I'm missing very much. They really need to get their design together, IMHO so that shit like this isn't even possible in the first place. Or at least, it should be *much* more difficult to create and use malware.

      --
      C|N>K
    3. Re:Windoze by ettlz · · Score: 2, Informative

      OK, OK, calm down. Let me just say that there are many good pieces of software on other platforms. In my line of work, the selection of technical software available for Linux can't be beaten. But there are also a lot of folks out there who like Windows, and its software satisfies their needs. And that's all good.

      Now:

      the best available solution is a good firewall, good spyware cleaner, good antivirus, and a bit of common sense that, no, you really shouldn't install every neat little gadget without knowing what you're putting in your box.

      That's good, but some of these cost money on top of the base operating system. Common sense is a very good defense too, but what's required is computer common sense. A lot of people aren't experienced enough to know all the ins and outs of a system. Furthermore, you missed the biggest, most effective shield of all, one that is sorely overlooked by anti-malware forums:

      For the love of ... whatever, use a limited access account.

      And no, I'm sorry but "such-and-such program doesn't work with this" is no excuse. There are nearly always routes around it. If not, drop the program. Write to the author and tell them to produce decent code that doesn't require admin privileges for non-administrative tasks.

      Couple that with an alternative browser for that extra layer, and the Windows XP firewall blocking all incoming ports, and you should do fine. The worst that could happen is something attempts to infect your user profile (and very few malware, if any, do this because compromised systems are of more use); in which case, just take off your work and nuke the account. It's not impossible to secure Windows XP, but I think it does require more than common sense.

    4. Re:Windoze by siliconjunkie · · Score: 1

      Your post is spot on, buddy.

      Running from a limited user account coupled with using a non-IE browser removes nearly every (current) major malware attack vector. Running under a limited user account can be a pain in the ass, but there are a few things to remember to help improve the experience:

      1. Some programs/shortcuts will not show "Run As..." in the context menu (for example: Control Panels). Try holding the shift key down when you right click. Voila! "Run As..." now shows in the context menu.

      2. If you need to do "drag and drop operations" or manual editing of restricted areas (Program Files directory, Windows directory, etc...) you may have noticed that explorer.exe will not "Run As..." (even if you hold shift). The solution? Use IE. Run IE as admin, navigate to "C:", and now you have an instance of explorer.exe running as admin from within a LUA.

      3. When all else fails, you can always install pesky apps to your user space (C:\Documents and Settings\Username\). This is not the "safest" thing, but it is head and shoulders above running from an admin account.

      Just throwing in my .02

    5. Re:Windoze by fluffy99 · · Score: 1

      > Running from a limited user account coupled with using a non-IE browser removes nearly every (current) major malware attack vector.

      Except ignorant users. See my earlier post about a user installing a cursor from cursormania.com. This was done on a restricted account running Firefox. Also of interest - it installed a Firefox plugin.

  21. CWS ain't new by Anonymous Coward · · Score: 0

    It's been around for freggin years and it's a very virulent piece of viruspyware; it has about 35 or so versions last time I checked. You can get rid of it by hitting google and looking for an app called "CWShredder" which will remove it.

    Make sure you boot into safe mode before running it, heh.

  22. Re:One by one they fall... by Anonymous Coward · · Score: 0
    looney leftist alert What does this have to do with the topic of spyware?

    Note: This does not apply to leftists who honestly believe that there is a better way for society to evolve. This applies to those who call themselves leftist because they are so given to hate that they see "W" as worse than the tyrant he has taken out.

  23. Once again we can thank Microsoft... by Sabathius · · Score: 0

    for the ActiveX technology that makes this Spyware possible.

    Good Job doing your part to keep the Internet safe and secure for users.

    1. Re:Once again we can thank Microsoft... by AndroidCat · · Score: 1

      I believe CoolWeb uses exploits in MS's Javascript rather than their ActiveX exploits.

      --
      One line blog. I hear that they're called Twitters now.
  24. It's unbelievable at times by Hawthorne01 · · Score: 2, Informative

    My Dad bought a new ThinkPad, and before I let him anywhere near it, I spent an hour downloading CWShredder, Spybot, Ad-Aware, et al before I connected to the 'net. It's been 10 years since I owned a Windows machine, and this was the first one I'd set up since then. It was an eye-opener for me as to just how bad it is out there in the Windows world.

    --
    "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
    1. Re:It's unbelievable at times by rathehun · · Score: 2, Funny

      > I spent an hour downloading CWShredder, Spybot, Ad-Aware, et al before I connected to the 'net.

      How?

    2. Re:It's unbelievable at times by blackomegax · · Score: 1

      you could have saved yourself a lot of trouble and just replaced IE with firefox

    3. Re:It's unbelievable at times by Anonymous Coward · · Score: 0

      Through his subdermal 802.11g connection.

      Geez, you think you're a Slashdotter??? :)

    4. Re:It's unbelievable at times by GISGEOLOGYGEEK · · Score: 1

      surprise!

      you haven't owned a windows machine in 10 years and when you finally use one you have a hard time with it. It's not so bad ... just like a newb trying to do ANYTHING with linux, it's bad because you were ignorant.

      now do tell us how you downloaded that software before connecting to the internet.

      --
      George Bush + Linux = "I will not let information get in the way of the fight against Windows"
    5. Re:It's unbelievable at times by Hawthorne01 · · Score: 4, Interesting

      Downloaded on my Mac, burned to CD, installed on the ThinkPad. Next question.

      --
      "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
    6. Re:It's unbelievable at times by renoX · · Score: 1

      Through avian carrier, of course!

    7. Re:It's unbelievable at times by Hawthorne01 · · Score: 1

      Too slow. I prefer snail IP.

      --
      "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
  25. scary by Anonymous Coward · · Score: 0

    In my travels as a freelance geek, the vast majority of trouble calls in the past few years have been spyware related. Over the past three years, I have done over 400 trouble calls and I estimate that a solid 70% of those were for spyware. CWS was almost always in there somewhere. They must have information on literally millions of people...

    not to sound cliche, but if more people would run Linux they would not have to worry! :)

  26. One of the very worst.. by Dynamoo · · Score: 4, Interesting
    CoolWebSearch is one of the very worst spyware apps that I have to deal with.. it's a pig to remove (sometimes it's just easier to nuke the infected machine and start over) and it installs an alarming amount of Slimeware.

    Quite apart from the issue of identity theft.. the installation of the software itself is done illegally according to the laws of most countries. Silent drive-by downloads constitute unauthorised access.

    HOWEVER.. CoolWebSearch have claimed in the past that these silent drive-by installations were the work of "affiliates" and not CoolWebSearch itself. Personally, I have always suspected that the affiliates were working in this way with the tacit approval of CoolWebSearch.

    It's about time somebody got sent to jail for a LONG time for this kind of crap.

    --
    Never email donotemail@WeAreSpammers.com
    1. Re:One of the very worst.. by Barbarian · · Score: 0, Troll

      > It's about time somebody got sent to jail for a LONG time for this kind of crap.

      Preferably a LONG, HARD, STIFF time in one of those type of jails.

  27. Update your webfilter or /etc/hosts by titten · · Score: 3, Informative

    Well, this page lists all the URLs associated with CWS.

    Add these hosts to your webfilter/proxy blocking list:


    And/or add 127.0.0.1 before each host, and add those to your /etc/hosts.

    1. Re:Update your webfilter or /etc/hosts by infectedRoot · · Score: 1

      For those Windoze people, add 127.0.0.1 to C:\Windows\System32\drivers\etc\hosts

      (as CWS doesn't run in Linux)
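Added example (not from either post above, nor from any blocklist project): a small Python helper that turns a comma-separated blocklist like the one posted into the "127.0.0.1 before each host" form for /etc/hosts or the Windows hosts file, sets aside bare IP addresses (a hosts file cannot block those; they need a firewall or proxy rule), and shows the caveat that a hosts entry matches one exact name only, unlike a proxy filter keyed on domains. The sample list is constructed: a few names from the thread, a documentation-range address and a junk token.

```python
import ipaddress
import re

# Constructed sample in the shape of the list posted above: a few names from
# the thread, a documentation-range IP (RFC 5737), a duplicate, and junk.
SAMPLE_BLOCKLIST = """
coolwebsearch.com, WebCoolSearch.com, 192.0.2.50, cool-web-search.com,
coolwebsearch.com., bad_host!, searchv.com
"""

# Plausible DNS hostname: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen, at least two labels.
HOSTNAME_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)

# Where the file lives on the two platforms mentioned in the thread
# (writing it needs admin rights, which is fine from a Run As... prompt).
HOSTS_PATHS = {
    "linux": "/etc/hosts",
    "windows": r"C:\Windows\System32\drivers\etc\hosts",
}


def split_blocklist(text):
    """Parse a comma/whitespace separated blocklist.

    Returns (hostnames, ip_literals, rejected). Hostnames are lowercased,
    stripped of a trailing dot and de-duplicated. IP literals are set aside:
    a hosts file maps names to addresses and cannot block a bare address, so
    those belong in a firewall or proxy rule. Anything that is neither is
    reported rather than silently dropped.
    """
    hostnames, ips, rejected = [], [], []
    seen = set()
    for token in re.split(r"[,\s]+", text.strip()):
        if not token:
            continue
        item = token.lower().rstrip(".")
        if item in seen:
            continue
        seen.add(item)
        try:
            ipaddress.ip_address(item)
            ips.append(item)
            continue
        except ValueError:
            pass
        if HOSTNAME_RE.match(item):
            hostnames.append(item)
        else:
            rejected.append(token)
    return hostnames, ips, rejected


def hosts_file_block(hostnames, sink="127.0.0.1", tag="CWS blocklist"):
    """Render hosts-file lines (the 127.0.0.1-before-each-host form from the
    post) between marker comments so the block can be replaced or removed later.
    0.0.0.0 is a common alternative sink that avoids a connect() to localhost."""
    lines = [f"# BEGIN {tag}"]
    lines += [f"{sink} {name}" for name in hostnames]
    lines.append(f"# END {tag}")
    return "\n".join(lines) + "\n"


def hosts_file_covers(hostnames, name):
    """A hosts entry matches one exact name only: an entry for example.com does
    nothing for www.example.com, so a hosts-file block is weaker than it looks."""
    return name.lower().rstrip(".") in set(hostnames)


def domain_filter_covers(hostnames, name):
    """What a proxy/web filter keyed on domain suffixes does instead: block the
    domain and every subdomain beneath it."""
    name = name.lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in hostnames)


if __name__ == "__main__":
    hosts, ips, bad = split_blocklist(SAMPLE_BLOCKLIST)
    print(hosts_file_block(hosts))
    print("needs a firewall/proxy rule instead:", ips)
    print("rejected tokens:", bad)
    for probe in ("coolwebsearch.com", "www.coolwebsearch.com"):
        print(probe, "hosts file:", hosts_file_covers(hosts, probe),
              "domain filter:", domain_filter_covers(hosts, probe))
```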

  28. I saw that connection a year ago by AndroidCat · · Score: 4, Interesting

    And posted about a network of sites I found over a year ago on news.admin.net-abuse.email when looking at a Scientology management company. I noticed that someone tossed a cancel at my post within a day. (By coincidence, Sunbelt Software is up to its eyebrows in Scientology too.)

    --
    One line blog. I hear that they're called Twitters now.
    1. Re:I saw that connection a year ago by shift.red.avni · · Score: 1

      Maybe a coincidence, but it is very interesting. Could this be some kind of stealth whistleblowing?

      Both Sunbelt and Scientology are headquartered here in Clearwater (I live within walking distance of the Scientology complex), and the IT community isn't so huge that there isn't more than a few degrees of separation between everyone. The Sunbelt researcher very well could have been tipped off.

    2. Re:I saw that connection a year ago by AndroidCat · · Score: 2, Interesting

      I doubt Sunbelt would be involved in stealth whistleblowing. Stealth settling of accounts with some group no longer connected to Co$ would be more their style, but that would be baseless speculation on my part to even suggest such a thing, so I won't.

      --
      One line blog. I hear that they're called Twitters now.
  29. my thoughts on this by eight+and+a+quarter · · Score: 1

    a lot of people ask will middle america wake up to this? the answer is no. there are many types of free software available online to combat spyware. there are online services from trendmicro that will scan your machine for viruses and spyware. why not take the time out to do that?

    oh wait.. previous slashdot article.. people with spyware infected machines think that their computer is just running slow and it's just time for a new one.

    probably in 5 or so years, spyware and virus will usually be in the same sentence, because not a lot of people take it seriously. i believe that a lot of browsers (*cough*IE*cough cough*IE IE*cough*) do very little to stop the spread of spyware. however, microsoft is making slow strides by eating/taking over giant antispyware, who had an awesome product!

    basically you need microsoft antispyware, bhodemon (to check for IE BHO's), tcpview from sysinternals, clamwin's free anti-virus scanner, and especially firefox. i don't even have spyware scanners on my desktop anymore since i've stopped using IE.

    --
    lameness filter thwarted.
  30. Re:Pedantic comment was not a troll. by arbitraryaardvark · · Score: 1

    > How can it be called ID Theft if the original owner still has his identity?

    Parent post is not a troll; it identifies the main error in the article.
    What happened is that some spyware harvested very personal info about some people. That's bad, possibly criminal. But it's not identity theft.
    Identity theft occurs when somebody takes the personal information and uses it to pose as you, draining your bank account, sleeping with your girlfriend, or in some way abusing the illicit information. There's no direct evidence of that here.
    It's the old kevin mitnick scenario: breaking into a system and wandering around is not the same crime as breaking into a system, changing or destroying files, is not the same crime as breaking into a system and using the info to commit real world crimes such as wire fraud or embezzlement.
    Article is FUD.
    Spyware is bad. This spyware is bad.
    People should avoid broken browsers e.g. microsoft, and run spybot/adaware type sweepers.
    Lying about the problem won't help fix it. Mod parent up.

  31. Let me get this straight by saleenS281 · · Score: 1

    "security" firm sunbelt just now stumbled upon coolwebsearch and discovered it's recording users' data? Let's clarify, EVERYONE knows that coolwebsearch is spyware, and has for a long time. Hell, my uncle can barely turn on a computer and he knows CWS is spyware.

    Main Entry: spyware
    Part of Speech: noun
    Definition: any software that covertly gathers information about a user while he/she navigates the Internet and transmits the information to an individual or company that uses it for marketing or other purposes

    Even websters knows that "spyware" records personal data. What I'm stuck pondering is why Sunbelt deserves any credit, and why this is news? They didn't discover anything new, it's not a breakthrough. Hell, there are programs out there dedicated solely to removing CWS.

    HEADLINE!!!
    SPYWARE COLLECTS PERSONAL INFORMATION ON YOU*

    *that's why we call it spyware dipshit

    1. Re:Let me get this straight by Anonymous Coward · · Score: 0

      They belong to the same mindwash group as Tom Cruise, cut them some slack!

    2. Re:Let me get this straight by AndroidCat · · Score: 1

      In fact, Alex Eckelberry thinks exactly like Tom Cruise. Who would have figured that!

      --
      One line blog. I hear that they're called Twitters now.
    3. Re:Let me get this straight by contagious_d · · Score: 1

      CWS being spyware is nothing new, and the article does seem to contain a lot of scaremongering, but Sunbelt did discover something new: they found the actual stolen/recorded information, including a lot of stuff that is considerably more invasive than surfing habits, real names, etc. And I thought they only made junk food...
      Sunbelt's blog entries are, in my opinion, better than the ars article.

      --
      - /home is where the food is.
    4. Re:Let me get this straight by EricSites · · Score: 3, Informative
      Here is the information right from the source (me):

      I work for Sunbelt Software as VP of Research & Development. While one of my spyware researchers was tracking down new variants of CoolWebSearch he came across a payload of crap that was downloaded to his VMware. This payload included a program that monitored the user's internet traffic, chat activity and Windows protected storage store. When using Internet Explorer with autocomplete turned on, your autocomplete info gets stored in protected storage. This piece of spyware collected your protected storage info plus URLs, chat activity and website usernames and passwords. The real problem with this spyware was that it collected this information and posted it back to a public website that anyone could go to and read all of your personal information. Some examples of this include all the credit card info entered on HTML forms while purchasing something online. It did not matter that the webpage was using HTTPS. This website had collected over 500 different computers' very private information within a 24-hour period, including chat activity and login info to online bank accounts. One company had over $380,000 in a compromised account. The information was not the normal info collected for hacking purposes. It was collected to steal your money, SSN, credit card info, address, and identity. We have already found two variants of this spyware with multiple locations for its stolen info upload. We are working with the FBI and Secret Service to track everything back to the source.

      Eric Sites
      VP of Research & Development
      Sunbelt Software, Inc.

  32. One Ring To Steal Them All by Anonymous Coward · · Score: 0

    One Ring To Find Them
    One Ring To Bring Them All
    And To New Body Bind Them
    In The Land Of Internet There The SpyWare Lies

  33. Re:CWS didn't do it... by darkonc · · Score: 1

    It wasn't done by CWS, it was done by someone pretending to be them.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  34. I hope nobody trojans by Anonymous Coward · · Score: 0

    Xeyes, they see _EVERYTHING_ I do!

  35. Sunbelt Software connected to Scientology? by Anonymous Coward · · Score: 0

    Sunbelt is based in Clearwater, Florida and I believe its founder and COO, Stu Sjouwerman, is a big donor to Scientology. Didn't Stu once apologize for the "Mindtech University" spam? I think Stu's connection and fervent belief is documented in Net Wars by Wendy Grossman (NYU Press).

    Of course Scientology would never spy on you; all those surveillance cameras in Clearwater are just to keep the Scientologists safe from Spyware. Aren't they?

    1. Re:Sunbelt Software connected to Scientology? by SpacePunk · · Score: 1

      It looks to me like Sunbelt is trying to cover up Scientology involvement in CWS from the link http://groups-beta.google.com/group/news.admin.net-abuse.email/browse_frm/thread/5548a6300756d6a0/0fac1b5d8ff3f14e#0fac1b5d8ff3f14e supplied earlier in the thread.

      I can't keep thinking "how convenient." Especially since adware/spyware is coming increasingly under the gaze of the Federal Trade Commission and the Justice Department.

    2. Re:Sunbelt Software connected to Scientology? by AndroidCat · · Score: 1
      That's very speculative. Later I did notice that the outfit apparently in Las Vegas had bought up a hell of a lot of pre-owned domains to hook into their malware infesting operation, especially ex small professional/medical sites.

      There's nothing visibly connecting that Hubbard management company to that spyware operation other than a lot of their old sites were harvested. And there's nothing showing that the operation that I saw a year ago is the same one as Sunbelt found. And I never dissected the spyware to see what its main purpose was. Accusing Sunbelt of other than what the story says would be a heck of a reach even for me, and I'm way biased. ;^)

      But I do hope law enforcement digs deep into who that malware gang was connected to.

      --
      One line blog. I hear that they're called Twitters now.
    3. Re:Sunbelt Software connected to Scientology? by SpacePunk · · Score: 1

      Five bucks says that the 'outfit' in Las Vegas has Scientology ties.

    4. Re:Sunbelt Software connected to Scientology? by AndroidCat · · Score: 2, Informative

      Well... Here's some fun. My original post showed the harvested domain did a 302 Found redirection to 66.96.215.226. That rinky-dink NET-66-96-215-215-1 block hasn't changed since 2001-06-29. Taking the address of the owner and dropping it into Mapquest, and .. voila! Just down the road from Clearwater. (Doesn't prove anything. Florida is loaded with spammers and scammers of all types.)

      --
      One line blog. I hear that they're called Twitters now.
    5. Re:Sunbelt Software connected to Scientology? by SpacePunk · · Score: 1

      The ARIN record lists a home.com email address, but that redirects to a com.org site (a network solutions domain according to internic). An MX lookup on home.com doesn't return a record, which doesn't surprise me at all. The contact phone number listed is a 604 area code which turns out to be Canadian...

      "Region
      British Columbia

      Cities
      Boston Bar
      Chilliwack
      Hope
      Pemberton
      Powell River
      Vancouver "

      A search on the Canadian number just returns...

      "We're sorry. We did not find a listing for the phone number you entered.
      The phone number "(604) 313-3412" is a Vancouver, BC based phone number and the registered carrier is TELUS Mobility. However, due to number portability, some numbers have been transferred to a new service provider other than the registered carrier."

      Whoever or whatever is holding it doesn't wish to be contacted to the extent that they are willing to falsify ARIN information. I wonder what ARIN's policy on that is?

  36. With all those IDs in their hands.... by rubberbando · · Score: 1

    Couldn't they just present someone else's info when arrested?

    Then when they get out on bail, skip town.

    Then the police would find themselves starting all over again?

    I guess the only way that might not work is if the police already have their prints and true identity on file.

    But then, the other ID on file might be false too.

    --
    DEAD DEAD DEAD DELETE ME
  37. You don't have to be an "idiot" for IE vulns by cbreaker · · Score: 2

    I've seen very reasonably "secure" desktops get spyware all the time. Windows firewall, linksys NAT routers, no admin login, passworded accounts, etc.

    There have been so many dozens of IE vulnerabilities that allow software to be installed with *zero* user interaction that it doesn't take a security "idiot" to get smacked by these things.

    --
    - It's not the Macs I hate. It's Digg users. -
    1. Re:You don't have to be an "idiot" for IE vulns by Aeiri · · Score: 1

      > There have been so many dozens of IE vulnerabilities that allow software to be installed with *zero* user interaction that it doesn't take a security "idiot" to get smacked by these things.

      Even with all those things, only a security "idiot" would use IE.

  38. You make it sound more complicated than it is.. by msimm · · Score: 1

    I'm still a little surprised that UBCD for Windows (it's a full-featured Windows boot disk creation toolset) hasn't caught on more than it has.

    I'm assuming you're trying to be silly even mentioning hash checking, because that would be overkill for the average desktop users (but certainly something you'd have already done on a production system, and there are plenty of tools for that already).

    Just the boot disk should do fine for most people's needs: from it run your AV (it's always a good idea to run a second scan using another program, 3 were provided last time I checked) and run your AW scan (I don't recall if it includes more than one). Another good idea is running a tool like Cexx's lspfix which can be used to remove unwanted software directly from your TCP/IP stack (which of course means if you don't know what you're doing you can ruin your stack).

    99% of the average computer users' problems can be solved with that toolset alone.

    Of course you're right, the correct procedure does start with shutting down the compromised system but after that most Windows users can stick to a road more frequently traveled. :)

    --
    Quack, quack.
  39. Updated information from Sunbelt by phaedo00 · · Score: 4, Interesting

    Hi, I'm the author of the Ars article and the submitter of this story, Alex from sunbelt got back to me with a bit more information:

    Basically, it went like this:

    Patrick Jordan, our CoolWebSearch expert, was doing research on a CWS exploit. During the course of the research, he discovered that a) the machine he was testing became a spam zombie and b) it sent a call back to a remote server. He traced back the remote server and found what you have heard about.

    The scale is unimaginable. There are thousands of machines pinging back in a day. There is a keylogger file that grows and grows, and then is zipped off and then the cycle continues again.

    It is sophisticated. There are nifty little PHP scripts that help the criminals get reports. There is a special upload area.

    It's really quite sucktastic.
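Network-side detection of the two behaviours Alex and Eric describe (many machines calling back to one server on a schedule, and a keylog that grows and is then zipped off): an added example in Python, not Sunbelt's or the page's code, run over a constructed proxy log. The collection host upload.invalid, the client addresses and the thresholds are placeholders chosen for the sample.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not from the page): time, client, method, host,
# path, bytes sent by the client. upload.invalid stands in for the server
# the infected machines report to; the other hosts are ordinary traffic.
SAMPLE_LOG = """\
2005-08-05T10:00:00 10.0.0.11 GET  www.example.com  /index.html     412
2005-08-05T10:00:03 10.0.0.11 POST upload.invalid   /u.php         1200
2005-08-05T10:05:01 10.0.0.11 POST upload.invalid   /u.php         1310
2005-08-05T10:10:02 10.0.0.11 POST upload.invalid   /u.php         1480
2005-08-05T10:15:00 10.0.0.11 POST upload.invalid   /u.php         2300
2005-08-05T10:20:01 10.0.0.11 POST upload.invalid   /log_0805.zip 60211
2005-08-05T10:03:00 10.0.0.12 POST upload.invalid   /u.php          900
2005-08-05T10:08:02 10.0.0.12 POST upload.invalid   /u.php          950
2005-08-05T10:13:01 10.0.0.12 POST upload.invalid   /u.php         1010
2005-08-05T10:18:00 10.0.0.12 POST upload.invalid   /u.php         1100
2005-08-05T10:01:00 10.0.0.13 POST mail.example.com /login          512
2005-08-05T10:47:00 10.0.0.13 POST mail.example.com /compose       2048
"""


def parse_log(text):
    """Return a list of (time, client, method, host, path, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, size = line.split()
        events.append((datetime.fromisoformat(ts), client, method, host, path, int(size)))
    return events


def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Return {host: [clients]} for every client that POSTs to a host at a
    near-constant interval. Regularity is measured as the population standard
    deviation of the gaps between POSTs divided by their mean; human browsing
    rarely comes out this even, a scheduled call-back does."""
    posts = defaultdict(list)
    for ts, client, method, host, _path, _size in parse_log(text):
        if method == "POST":
            posts[(client, host)].append(ts)
    beacons = defaultdict(list)
    for (client, host), times in posts.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[host].append(client)
    return {host: sorted(clients) for host, clients in beacons.items()}


def find_archive_uploads(text, min_bytes=10_000):
    """Large POSTs of archive files: the 'zipped off' log described above.
    Returns (client, host, path, bytes) tuples."""
    hits = []
    for _ts, client, method, host, path, size in parse_log(text):
        if method == "POST" and size >= min_bytes and path.lower().endswith((".zip", ".rar", ".7z")):
            hits.append((client, host, path, size))
    return hits


if __name__ == "__main__":
    for host, clients in find_beacons(SAMPLE_LOG).items():
        print(f"{host}: {len(clients)} client(s) beaconing: {', '.join(clients)}")
    for client, host, path, size in find_archive_uploads(SAMPLE_LOG):
        print(f"archive upload {client} -> {host}{path} ({size} bytes)")
```

The per-host client count is the part worth alerting on: one workstation posting on a timer could be anything, many workstations posting to the same host on the same timer is the pattern described in this thread.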

  40. Sunbelt Software and Linux/Windows TCO by whoever57 · · Score: 2, Interesting

    Is this the same Sunbelt Software that did a study with the Yankee group that resulted in the claim that the TCO of Windows is less than that of Linux?

    --
    The real "Libtards" are the Libertarians!
  41. "removal" tools by zippthorne · · Score: 1

    how do we know that the removal tools don't actually install more spyware, or simply hide the existing spyware better?

    --
    Can you be Even More Awesome?!
    1. Re:"removal" tools by I.M.O.G. · · Score: 2, Insightful

      Lots of factors, just like RL. Compare going to a jewelry store to going to a pawn shop - there are recognizable differences when you look at them. In the same way, you have to evaluate the author and the source. Like Trend Micro, it's very easy to see that they are a reputable company. Previously when Merijn was working on the tool, you would have had to know something about him, what other reputable people said who used the tool, and the nature of the site the download was coming from. You'll notice my links are from majorgeeks, who supply a lot of downloads, some of the tools they supply are great, some are marginal, but all are clean and the site is maintained well if problems are found with any files.

    2. Re:"removal" tools by Anonymous Coward · · Score: 0

      Because of the anti-spyware community. Users are not dumb; they know something is wrong many times (which is how spyware and virii are identified in the first place).

      The simplest answer though is practical--Most people run several spyware removal tools. Unless there was a ring or in cahoots (which is feasible but unlikely) with the other, one tool would ID another anti-spyware program's spyware. iow, the anti-spyware maker would be stupid to do this, because their reputation would be quickly slammed.

  42. true for the american branch... by Anonymous Coward · · Score: 0

    Stu Sjouwerman is the editor of sunbelt's newsletter and a member of the scientology church; also many, many employees of the american branch are members of the church.

    I also seem to remember that Sunbelt Software bundled their own "data-mining application" (aka spyware) in the software they resold and distributed on their website (all software for trial download they distributed had a 2Mo bloat over the same software from its editor - that was 2001-2002)...

    More money to be made fighting spyware than exploiting it, it seems...

    We (my company) met them for a high availability software they distribute.
    Their French sales director is such an ass (Oliver Cohen, I think; he put us all to sleep during a PowerPoint presentation, and he seems to be able to drone uninterestingly on the subject for hours....).

    Dunno if he's a scientologist...Just sure he's an asshole...

  44. Re:Pedantic comment was not a troll. by shift.red.avni · · Score: 1

    It was pedantic. The definition of theft is not a relevant issue, and its usage is grammatically correct anyway.

    The word identity is a relative term, and since the point of view from which the theft occurred (could be from the POV of an electronic business transaction that exists for milliseconds in which possession is determined once and never considered again) it is a waste of time to question the author's grammar when there are much more important issues in question.

  45. This may sound silly... by Deagol · · Score: 1
    But how could one get a CWS variant for study? Are there archives online for infected programs and trojans such as these?

    I run Linux for my primary desktop -- have for 5 years. I run WinXP in VMWare, with snapshots enabled. So when I wish to experiment with questionable sites and programs, I roll back when I'm done.

    That said, if CWS is as nasty as everyone says, I'd *love* to let it loose in a sterile VM and try my hand at removing it manually (mainly using the Sysinternals suite of programs to find the offending process/dlls/etc., snoop the traffic by routing via the Linux host box, and using a boot disk or LiveCD to disable/remove the thing).

    Sure, anyone can run the canned spyware removal tools. It's like hunting deer with spears -- hardly practical given current technology, but you'll sure learn a hell of a lot about your prey. :-)

  46. a major nuisance by Anonymous Coward · · Score: 1, Interesting

    Because of crap like this, I've opened another savings account in which I keep most of my money. The difference between this new one and the prior one - which I still maintain, but with smaller dollar amounts - is that I'll never check the new account's status online. Pretty ridiculous as I do everything online (yes, even sex!) but the security risk involved and the fact I could lose a good amount of money, with little chance of recovery (or having to jump through a million hoops to get anything back) has led me to this.

    Another reason to open a secure offline account is that my old account is connected to Paypal. All sorts of stories what can happen there.

    The future? Everyone has a secure offline account and an online account. Kind of like everyone has a real email, and a throwaway hotmail or yahoo account.

  47. Re:Pedantic comment was not a troll. by MillionthMonkey · · Score: 1

    >How can it be called ID Theft if the original owner still has his identity?

    This is just a pathetically lame attempt to confuse the issue. It doesn't matter that "the original owner still has it" since a liability has been associated with it and its owner may even wish he didn't "still have it". This isn't like stealing software or music.

    >What happened is that some spyware harvested very personal info about some people. That's bad, possibly criminal. But it's not identity theft.
    >Identity theft occurs when somebody takes the personal information and uses it to pose as you, draining your bank account, sleeping with your girlfriend, or in some way abusing the illicit information. There's no direct evidence of that here.

    I'd say there's pretty good evidence. A spyware program is uploading keystrokes to a server. What do you think is going on, Officer Barbrady?

    >It's the old Kevin Mitnick scenario: breaking into a system and wandering around is not the same crime as breaking into a system and changing or destroying files, which is not the same crime as breaking into a system and using the info to commit real world crimes such as wire fraud or embezzlement.

    Are you trying to suggest that Mitnick's motive was the one in play here? Mitnick broke into restricted systems mostly to prove that he could do it. Which is an odd motive, but it's still believable. It's simply not a credible hypothesis that someone would design and distribute a spyware program to infect machines, run a keylogger, and upload keystrokes to a server, just to prove they could do it. Nor is it believable that nobody accessed the information accumulating on the server, or even that the server's location was a secret known to a restricted group of people. In this case the researchers showed that anyone with an infected machine would have been able to find the uploaded keystroke logs.

  48. Related post a year ago by AndroidCat · · Score: 1

    Here's the related post to ars just before the one to nanae. Much the same, but it shows a bit more of the detail. (The nanae crowd could do their own homework of that type.)

    --
    One line blog. I hear that they're called Twitters now.
  49. And I thought it was. . . by QMO · · Score: 1

    "Give a man a fish, and he eats for a day, teach a man to fish, and he eats for a lifetime."

    And I thought it was:

    Give a man a fish, feed him for a day. Teach a man to fish, he's gone every weekend.

    Or, maybe:

    Give a man a fish, feed him for a day. Teach a man to fish, you've lost your fish monopoly.

    --
    Exam 4/C again. Maybe I'll do better this time.
    1. Re:And I thought it was. . . by Anonymous Coward · · Score: 0

      "Give a man a fish, he eats for a day. Teach a man to fish, and he'll bitch you didn't give him your fish."

    2. Re:And I thought it was. . . by saskboy · · Score: 1

      I've heard that if you give a man fire, he'll cook for a day, but if you set a man on fire, he'll cook for the rest of his life.

      I'd like to set a few spyware writers on fire.

      --
      Saskboy's blog is good. 9 out of 10 dentists agree.
  50. Cringe by saskboy · · Score: 1

    Whenever I come across a computer with CWS I cringe. It's good to learn of CWShredder, and hopefully that will make my life easier.

    Now that this story is out there, hopefully people will realize that spyware writers are no better than virus writers, and should be put into jail.

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  51. So, I'm supposed to trust what a spammer says... by skippy_twin · · Score: 2, Interesting

    about spyware? Let's face it, Sunbelt Software has a long history of spamming...

    Not to mention the entire Clearwater/$cientology thing...

    Then again, who better to look into the entire spam/spyware connection. They're simply vetting out the competition, right? What a world.

  52. Find those responsible... by telemonster · · Score: 2, Interesting

    Some of the referenced articles point to the CWS website being hosted by an ISP in the USA (State of MA). It would seem like that would be an opportunity to get the information of those responsible... either by gaining access to systems / physical property or simply beating the answer out of the company owners.....

    Another nice tactic would be if virus writers would release other malicious viruses using the CWS name and website, set CWS up for a nice fall and huge legal action.

    You can always follow the money. Heck, offer to pay CWS to run banner ads on their hijack search engine then go rm the people accepting the money.

    --
    Southeastern Virginia REPRESENT!
  53. Why did they publish this? by 0Seeker0 · · Score: 1

    Is anyone else disturbed in the least by the fact that they chose to post all of this information publicly before an investigation was completed? Given that it's on a site as popular as /. the individuals will certainly find out, erase any links between them and their activities, and get the hell outta Dodge.

    Granted that it was this publicity that allowed the investigation to begin, what are the chances that this will yield anything useful?

  54. Re:Windoze - Firefox now a spyware target by fluffy99 · · Score: 1

    In fact, now that Firefox has gained some market share, it's now a target of some spyware. I just removed MyWebSearch from a computer yesterday. It had a Firefox plug-in. The history of this infection is interesting. The friend had installed cursors from cursormania.com whose web site claims it installs no spyware or adware. Yeah right! It had installed a dozen plugins, one of which prevented Outlook from working. User couldn't send email because Sygate personal firewall wouldn't let Outlook contact the websearch site on port 80. (I'm anal and one of the things I did was limit Outlook to the smtp/pop ports on our email servers).

  55. This should be news by GreenSwirl · · Score: 1

    Finally, some hard evidence of spyware being used for identity theft. I hope the major news outlets pick this up. Spyware is not just an annoyance, like spam. Hopefully people will wake up and realize the threat to their privacy and financial security that spyware poses.

    Probably not though, unless some gray-hat releases a variant that steals your info and then mails it all back to you. When folks start getting spam that contains their bank account password, then maybe they'll consider taking some action.