Slashdot Mirror


Spyware Based ID Theft Ring Uncovered

phaedo00 wrote to mention an Ars Technica article discussing a massive identity theft ring uncovered by security software firm Sunbelt. From the article: "According to one of their employees, Alex Eckelberry, during the course of one of their recent investigations into a particular Spyware application--rumored to be called CoolWebSearch--they've discovered that the personal information of those 'infected' was being captured and uploaded to a server."

15 of 143 comments

  1. CWS by IconBasedIdea · · Score: 2, Interesting

    This is something that has been around for years, no? I haven't run windows in 3 years, but I remember removing CWS many, many times over the years...

  2. It does WHAT? by BandwidthHog · · Score: 3, Interesting

    Let's see how much attention this gets in middle America. The level of histrionics will be a good indicator of what proportion of the public was consciously aware that spyware actually, you know, spies on you.

    --

    Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
  3. Hang them from lamp posts by loraksus · · Score: 3, Interesting

    CoolWebSearch is among - if not the most - annoying, underhanded, and pain in the ass to remove spyware apps out there.
    Not only were most people infected via a security exploit in MS Java, they constantly release updates that break or modify spyware removal programs and Windows utilities such as MSconfig and regedit, as well as blocking the sites on which the removal tools are hosted.

    I have no problem with the book being thrown at these punks.

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  4. One of the very worst.. by Dynamoo · · Score: 4, Interesting
    CoolWebSearch is one of the very worst spyware apps that I have to deal with.. it's a pig to remove (sometimes it's just easier to nuke the infected machine and start over) and it installs an alarming amount of Slimeware.

    Quite apart from the issue of identity theft.. the installation of the software itself is done illegally according to the laws of most countries. Silent drive-by downloads constitute unauthorised access.

    HOWEVER.. CoolWebSearch have claimed in the past that these silent drive-by installations were the work of "affiliates" and not CoolWebSearch itself. Personally, I have always suspected that the affiliates were working in this way with the tacit approval of CoolWebSearch.

    It's about time somebody got sent to jail for a LONG time for this kind of crap.

    --
    Never email donotemail@WeAreSpammers.com
  5. I saw that connection a year ago by AndroidCat · · Score: 4, Interesting

    And I posted about a network of sites I found over a year ago on news.admin.net-abuse.email when looking at a Scientology management company. I noticed that someone tossed a cancel at my post within a day. (By coincidence, Sunbelt Software is up to its eyebrows in Scientology too.)

    --
    One line blog. I hear that they're called Twitters now.
    1. Re:I saw that connection a year ago by AndroidCat · · Score: 2, Interesting

      I doubt Sunbelt would be involved in stealth whistleblowing. Stealth settling of accounts with some group no longer connected to Co$ would be more their style, but that would be baseless speculation on my part to even suggest such a thing, so I won't.

      --
      One line blog. I hear that they're called Twitters now.
  6. Updated information from Sunbelt by phaedo00 · · Score: 4, Interesting

    Hi, I'm the author of the Ars article and the submitter of this story; Alex from Sunbelt got back to me with a bit more information:

    Basically, it went like this:

    Patrick Jordan, our CoolWebSearch expert, was doing research on a CWS exploit. During the course of the research, he discovered that a) the machine he was testing became a spam zombie and b) it sent a call back to a remote server. He traced back the remote server and found what you have heard about.

    The scale is unimaginable. There are thousands of machines pinging back in a day. There is a keylogger file that grows and grows, and then is zipped off and then the cycle continues again.

    It is sophisticated. There are nifty little PHP scripts that help the criminals get reports. There is a special upload area.

    It's really quite sucktastic.

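The server-side picture phaedo00 relays above (thousands of machines calling back every day, a keylog file that grows, gets zipped off, and starts again) is also what you can hunt for on the egress side, without ever seeing the server. As an added example that is not part of the thread and not Sunbelt's work, the Python below runs a beacon/upload heuristic over a constructed proxy log; the log format, host names, addresses and thresholds are all made up for illustration.

```python
"""Beacon / exfil heuristic over outbound proxy logs.

Added example, not code from the article or from Sunbelt.  The log format
("<epoch> <src_ip> <method> <host> <bytes_out>"), the host names and the
addresses are constructed.  The idea follows the comment: many distinct
internal machines calling one server on a fixed cadence, plus periodic
large POSTs (a zipped keylog) to that same server.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log.  10.0.0.12/.13/.14 check in every 600 s with the
# same server; .12 also ships a large POST.  10.0.0.11 is ordinary browsing
# plus one large mail upload, which should NOT be flagged on its own.
SAMPLE_LOG = """\
1000 10.0.0.11 GET updates.example.com 120
1000 10.0.0.12 GET stats.c2.example 98
1600 10.0.0.12 GET stats.c2.example 98
2200 10.0.0.12 GET stats.c2.example 98
2800 10.0.0.12 POST stats.c2.example 482000
1010 10.0.0.13 GET stats.c2.example 98
1610 10.0.0.13 GET stats.c2.example 98
2210 10.0.0.13 GET stats.c2.example 98
1020 10.0.0.14 GET stats.c2.example 98
1620 10.0.0.14 GET stats.c2.example 98
2220 10.0.0.14 GET stats.c2.example 98
1100 10.0.0.11 GET www.example.org 5000
1900 10.0.0.11 GET www.example.org 7000
3000 10.0.0.11 POST mail.example.org 300000
"""


def parse_log(text):
    """Parse the constructed format into (ts, src, method, host, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, nbytes = line.split()
        records.append((int(ts), src, method, host, int(nbytes)))
    return records


def regular_intervals(timestamps, min_hits=3, max_cv=0.1):
    """True when one source hit a host at least min_hits times at a steady cadence.

    Cadence is judged by the coefficient of variation of the gaps between
    hits; max_cv=0.1 tolerates about 10% jitter (threshold is an assumption).
    """
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if any(g <= 0 for g in gaps):
        return False
    return pstdev(gaps) / mean(gaps) <= max_cv


def beacon_hosts(records, min_sources=3):
    """Hosts contacted on a schedule by at least min_sources internal machines."""
    per_host = defaultdict(lambda: defaultdict(list))
    for ts, src, _method, host, _n in records:
        per_host[host][src].append(ts)
    flagged = {}
    for host, sources in per_host.items():
        beaconing = sorted(s for s, t in sources.items() if regular_intervals(t))
        if len(beaconing) >= min_sources:
            flagged[host] = beaconing
    return flagged


def large_uploads(records, min_bytes=100_000):
    """POSTs big enough to be a zipped keylog rather than a form submission."""
    return [(src, host, n) for _ts, src, method, host, n in records
            if method == "POST" and n >= min_bytes]


def triage(text):
    """Combine both signals: a beacon host that also receives big uploads."""
    records = parse_log(text)
    uploads = large_uploads(records)
    verdicts = {}
    for host, sources in beacon_hosts(records).items():
        uploaders = sorted({src for src, h, _n in uploads if h == host})
        verdicts[host] = {"beaconing_sources": sources, "uploaders": uploaders}
    return verdicts


if __name__ == "__main__":
    for host, info in triage(SAMPLE_LOG).items():
        print(host, info)
```

On the sample, only stats.c2.example is reported: three machines hit it every 600 seconds and one of them pushes a 482 KB POST. The 300 KB POST to mail.example.org is not reported because nothing beacons to that host; a single big upload is normal traffic, the combination is not. On real logs, cadence alone also matches legitimate pollers (update checks, time sync), so maintain an allow-list of known hosts before acting on a hit.
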
  7. Sunbelt Software and Linux/Windows TCO by whoever57 · · Score: 2, Interesting

    Is this the same Sunbelt Software that did a study with the Yankee group that resulted in the claim that the TCO of Windows is less than that of Linux?

    --
    The real "Libtards" are the Libertarians!
  8. Re:It's unbelievable at times by Hawthorne01 · · Score: 4, Interesting

    Downloaded on my Mac, burned to CD, installed on the ThinkPad. Next question.

    --
    "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
  9. Re:Misinformation? by Anonymous Coward · · Score: 2, Interesting

    Did anyone else read http://en.wikipedia.org/wiki/CoolWebSearch?

    I very much disagree with the statement at the end: "Microsoft Windows' System Restore, which is a Windows utility that restores some registry keys and some settings in Windows, can remove some, but not all, variants of CoolWebSearch, if there is still a restoration point. To be safe, use System Restore as a last resort as some files will remain if you use that utility."

    I posted this in the discussion section:

    "Notes from a traveling computer technician: System Restore rarely works; in fact, in most of the cases I've seen you cannot remove CWS until System Restore is deleted (via System Properties). The CWS hides in the System Restore and then re-infects the system on reboot after you delete it from the system32 directory (or wherever on the system). System Restore is not a good option for virus removal, or for anything for that matter (maybe hardware problems?). I usually remove CWS by first turning off System Restore, and then deleting temp files with CCleaner (within each user). After that, I use AVG (www.grisoft.com or free.grisoft.com), Ad-aware, HijackThis, msconfig, sometimes CWShredder, and sometimes About Buster. I'll usually have to remove some programs in Add/Remove Programs as well. It's hard these days to tell what's CWS and what's other spyware/adware/viruses because CWS pulls in so much other junk. One other thing to note is that Norton does not work for this! McAfee usually will and I think Avast does too, but Norton completely drops the ball on this one."

    Does anyone else have thoughts on the matter?

  10. a major nuisance by Anonymous Coward · · Score: 1, Interesting

    Because of crap like this, I've opened another savings account in which I keep most of my money. The difference between this new one and the prior one - which I still maintain, but with smaller dollar amounts - is that I'll never check the new account's status online. Pretty ridiculous as I do everything online (yes, even sex!) but the security risk involved and the fact I could lose a good amount of money, with little chance of recovery (or having to jump through a million hoops to get anything back) has led me to this.

    Another reason to open a secure offline account is that my old account is connected to Paypal. All sorts of stories what can happen there.

    The future? Everyone has a secure offline account and an online account. Kind of like everyone has a real email, and a throwaway hotmail or yahoo account.

  11. Re:Bound to happen eventually by 51mon · · Score: 3, Interesting

    "also most of the problems on Windows are well-known viruses. cleaning up what you believe is a deliberate attack on YOUR system would obviously justify far more care."

    I thought the whole point of the article was that the common malware may be being used for uncommonly nefarious purpose. Just because 10,000 people got hit by the same malware doesn't make it any less specific a threat to you. The "My city got hit by a nuke, so it is okay as they weren't targeting me personally" logic.

    People have to learn that as soon as someone finds a way to get malware on your box it is effectively game over. If one person does it undetected, so can someone else. Reinstall.

  12. So, I'm supposed to trust what a spammer says... by skippy_twin · · Score: 2, Interesting

    about spyware? Let's face it, Sunbelt Software has a long history of spamming...

    Not to mention the entire Clearwater/$cientology thing...

    Then again, who better to look into the entire spam/spyware connection. They're simply vetting out the competition, right? What a world.

  13. Re:Bound to happen eventually by Master+of+Transhuman · · Score: 2, Interesting

    Yup - that's pretty much the process I use for cleaning client machines.

    The only problem is when the client machine is so hosed you can't run anything without booting from a CD using Bart's PE or Windows Ultimate Boot CD. I usually have to try that first, running Ad-Aware from Bart's to get enough spyware off that I can then boot the machine and install the rest of the anti-spyware stuff and run it.

    If necessary, I boot into Safe Mode as well and run a scan.

    Neither of those catches running processes, though, so a scan with the machine in normal mode is usually necessary.

    I intend to help with that problem by setting up a system to boot Windows 98 from a USB HD and running from there if I can. I specifically want Windows 98 because some client machines are too weak in RAM or CPU to boot Windows XP from Bart's.

    After I clean off the majority of spyware with Ad-Aware and Spybot Search and Destroy, I run HijackThis, a full AV scan AND a trojan scan using TDS-3. That leaves only the crap that NONE of these things can get rid of, which entails manually inspecting running processes, identifying the crap and killing them and then removing their keys from the Registry manually - usually only a couple malware need this treatment.

    When I get done, the system is clean. Then I install SpywareBlaster and Kerio Personal Firewall, and tell the client to use Firefox and Thunderbird from now on, and keep the spyware stuff updated and run it once a week and just default to removing everything they find (except HijackThis - I don't let the client run that.)

    Haven't had to do a reinstall yet, but I wouldn't be surprised if it has to be done on somebody's machine sooner or later. Some of these people have literally hundreds or even thousands of spyware and dozens of - up to over a hundred - trojans.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
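
The removal recipes in comments 9 and 13 end the same way: turn off System Restore, run the scanners, then hand-inspect running processes and autostart entries and pull the leftovers out of the Registry; comment 3 adds that the hijacker also blocks the sites the removal tools live on. As an added example that is not from the thread and not from any tool named in it, this Python reads text copies of two artifacts carried off the machine (a `reg export` of the Run keys and the hosts file) and flags the entries a technician would look at first, without running anything on the compromised box. The sample export, host names and heuristics are constructed for illustration; they are not CoolWebSearch indicators.

```python
"""Triage exported autostart entries and a hosts file for hijack-style persistence.

Added example, not a tool from the thread.  It consumes text you would get
from `reg export HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run run.reg`
and from %SystemRoot%\\system32\\drivers\\etc\\hosts, so it runs offline on a
clean machine, which matters when the infected one tampers with regedit and
msconfig.  Sample data is constructed; heuristics are assumptions.
"""
import re
from pathlib import PureWindowsPath

RUN_KEY_RE = re.compile(r"^\[(HK[^\]]*\\CurrentVersion\\(?:Run|RunOnce))\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Names that belong in \system32; the same name launched from elsewhere is a
# classic masquerade (assumed heuristic).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}

# Constructed .reg export: one normal entry, one temp-dir "svchost", one
# quoted path with arguments, one bare command.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svchost"="C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\svchost.exe"
"updater"="\"C:\\Program Files\\Vendor\\Updater.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
'''

# Constructed hosts file: two removal-tool sites sinkholed, one lookup redirected.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       download.antispyware-vendor.example
127.0.0.1       forum.removal-help.example
198.51.100.7    www.search-engine.example   # sent to a stranger's address
"""


def parse_run_keys(reg_text):
    """Return [(key, name, command)] for string values under Run/RunOnce keys."""
    entries, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            current = m.group(1) if m else None
            continue
        m = VALUE_RE.match(line) if current else None
        if m:
            name, raw = m.groups()
            # .reg escaping: doubled backslash is one backslash, \" is a quote
            entries.append((current, name, raw.replace("\\\\", "\\").replace('\\"', '"')))
    return entries


def command_path(command):
    """Executable path from a Run command: the quoted token, else up to '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)", command, re.I)
    return m.group(1) if m else (command.split()[0] if command else "")


def suspicious_run_entries(entries):
    """Two assumed heuristics: launched from a temp dir, or a system name outside system32."""
    findings = []
    for key, name, command in entries:
        path = PureWindowsPath(command_path(command))
        parts = [p.lower() for p in path.parts]
        reasons = []
        if "temp" in parts or "temporary internet files" in parts:
            reasons.append("runs from a temp directory")
        if path.name.lower() in SYSTEM_NAMES and "system32" not in parts:
            reasons.append("system binary name outside system32")
        if reasons:
            findings.append((key, name, str(path), reasons))
    return findings


def suspicious_hosts_entries(hosts_text):
    """Every name but localhost gets reported: loopback means blocked, anything else redirected."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for n in names:
            if n.lower() in ("localhost", "localhost.localdomain"):
                continue
            verdict = "blocked (sinkholed)" if ip in ("127.0.0.1", "0.0.0.0", "::1") else "redirected"
            findings.append((n, ip, verdict))
    return findings


if __name__ == "__main__":
    for f in suspicious_run_entries(parse_run_keys(SAMPLE_REG)):
        print("RUN ", f)
    for f in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("HOSTS", f)
```

Against the sample the Run check reports only the temp-directory "svchost" (both heuristics fire on it) and leaves ctfmon, the vendor updater and mobsync alone; the hosts check reports the two sinkholed removal-tool names and the redirected search site. Run and RunOnce are only two of many autostart locations (services, Winlogon, BHOs, scheduled tasks), so treat this as the first pass the comments describe, not the whole inspection.
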
  14. Find those responsible... by telemonster · · Score: 2, Interesting

    Some of the referenced articles point to the CWS website being hosted by an ISP in the USA (State of MA). It would seem like that would be an opportunity to get the information of those responsible... either by gaining access to systems / physical property or simply beating the answer out of the company owners.....

    Another nice tactic would be if virus writers would release other malicious viruses using the CWS name and website, set CWS up for a nice fall and huge legal action.

    You can always follow the money. Heck, offer to pay CWS to run banner ads on their hijack search engine then go rm the people accepting the money.

    --
    Southeastern Virginia REPRESENT!