Spyware Based ID Theft Ring Uncovered
phaedo00 wrote to mention an Ars Technica article discussing a massive identity theft ring uncovered by security software firm Sunbelt. From the article:"According to one of their employees, Alex Eckelberry, during the course of one of their recent investigations into a particular Spyware application--rumored to be called CoolWebSearch--they've discovered that the personal information of those 'infected' was being captured and uploaded to a server."
This is something that has been around for years, no? I haven't run windows in 3 years, but I remember removing CWS many, many times over the years...
isnt this exactly what all spyware does?
hence the name "spyware"
Let's see how much attention this gets in middle America. The level of hystrionics will be a good indicator of what proportion of the public was consciously aware that spyware actually, you know, spies on you.
Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
You can download the original removal tool here (no longer updated): http://www.majorgeeks.com/download4086.html
You can download the currently maintained removal tool here, as InterMute took over development from Merijn and was acquired by Trend Micro: http://www.majorgeeks.com/Trend_Micro_CWShredder_d3019.html
Overclockers
If you RTFA, you find that what they really found was that CoolWebSearch (or, more accurately, one of its variants) sends sensitive information to a server. There is no information that they have uncovered a "massive ring" of people involved. They have contacted the FBI and they'll be responsible for finding those responsible.
I did some research on CoolWebSearch (or "CWS") which is a pretty common spyware app, and it seems there are tons of variants. The majority of these apps are designed to get you to coolwebsearch.com in order to create affiliate money for the variant's creator - or at least that was the original idea. My guess is that only some of these variants capture privacy information.
More information on CWS is available from:
http://en.wikipedia.org/wiki/CoolWebSearch
http://www.google.com/search?q=CoolWebSearch
The space unintentionally left unblank.
But they're basically commissioning it with their PPC search engine model.
Also, if you've not read up on CWS and what they do - and how they do it - read this:
http://merijn.org/cwschronicles.html
Merijn's the original developer of CWShredder, and while his recording of CWS stops at the original about:blank strain, that's enough to tell you what kind of scum pull this.
Disclaimer: I use CWShredder in my work on SpywareInfo's antispyware boards.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
As a general rule, spyware apps have the lamest titles ever to grace a program. Run Spybot S&D - it lists the name of each piece of software as it looks for them, and every last one of them has a stupid name.
CoolWebSearch is among the most - if not the most - annoying, underhanded, and pain-in-the-ass-to-remove spyware apps out there.
Not only were most people infected via a security exploit in MS Java, but they also constantly release updates that break or modify spyware removal programs and Windows utilities such as MSConfig and regedit, as well as blocking the sites on which the removal tools are hosted.
I have no problem with the book being thrown at these punks.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
How can it be called ID Theft if the original owner still has his identity?
You're right. It sounds more like ID Piracy arr arr...! That's good, everyone knows the penalties for piracy are much steeper than those for theft...(ducking).
Seven puppies were harmed during the making of this post.
LOL
It is funny how many people run anti virus and anti spyware software to clean up the mess while viruses and spyware might be still running on their machines.
The only correct procedure is to boot from CD (or other read-only media), or perhaps move the disk to another machine, being very careful not to run anything from it.
Then you verify hashes of all non-data files with known good values (easier said than done).
Handling messy file formats where code and data are mixed (word, excel and to some extent html) is problematic too.
Of course, an OS that can be actually booted from CD and has a real packaging system makes this much easier.
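The verification step described above (hash every code file on a read-only mounted disk against known-good values) as an added example that is not part of the original post; the manifest, the directory layout and the "infection" are constructed inside the demo, and which suffixes count as code rather than data is an assumption:

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path, suffixes=(".exe", ".dll", ".sys")) -> dict:
    """Record relative path -> SHA-256 for every code file under root.
    Data files are skipped, which is the 'non-data files' rule from the post.
    (Suffix list is an assumption for the demo.)"""
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest

def verify(root: Path, manifest: dict) -> dict:
    """Compare a (read-only mounted) tree with a known-good manifest.
    Reports files whose hash changed, files that vanished, and code files
    the manifest never knew about, e.g. a dropped loader."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }

def demo() -> dict:
    """Constructed scenario: snapshot a clean tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        sysdir = Path(d) / "WINDOWS" / "system32"
        sysdir.mkdir(parents=True)
        (sysdir / "kernel32.dll").write_bytes(b"MZ clean kernel32")
        (sysdir / "user32.dll").write_bytes(b"MZ clean user32")
        (sysdir / "notes.txt").write_bytes(b"data file, never hashed")
        manifest = build_manifest(Path(d))   # taken from the clean install
        # Simulate infection: patch one DLL, delete another, drop a new EXE.
        (sysdir / "kernel32.dll").write_bytes(b"MZ clean kernel32 + hook")
        (sysdir / "user32.dll").unlink()
        (sysdir / "svchost32.exe").write_bytes(b"MZ dropped loader")
        return verify(Path(d), manifest)

if __name__ == "__main__":
    print(demo())
```

In real use the manifest is built from vendor media or a fresh install and stored off the suspect disk; an attacker who can write the manifest can also make a tampered file "verify".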
My Dad bought a new ThinkPad, and before I let him anywhere near it, I spent an hour downloading CWSShredder, Spybot, Ad-Aware, et al. before I connected to the 'net. It's been 10 years since I owned a Windows machine, and this was the first one I'd set up since then. It was an eye-opener for me as to just how bad it is out there in the Windows world.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
Quite apart from the issue of identity theft.. the installation of the software itself is done illegally according to the laws of most countries. Silent drive-by downloads constitute unauthorised access.
HOWEVER.. CoolWebSearch have claimed in the past that these silent drive-by installations were the work of "affiliates" and not CoolWebSearch itself. Personally, I have always suspected that the affiliates were working in this way with the tacit approval of CoolWebSearch.
It's about time somebody got sent to jail for a LONG time for this kind of crap.
Never email donotemail@WeAreSpammers.com
Well, this page lists all the URLs associated with CWS.
Add these hosts to your webfilter/proxy blocking list:
coolwebsearch.com, webcoolsearch.com, 193.125.201.50, 1stpagehere.com, 66.250.130.194, adulthyperlinks.com, allhyperlinks.com, approvedlinks.com, bestcrawler.com, cantfind.com, carsands.com, cool-web-search.com, coolfreepage.com, coolwwwsearch.com, couldnotfind.com, defaultsearch.net, dev.ntcor.com, ewebsearch.net, findloss.com, findwhat.com, firstbookmark.net, freebookmark.net, freebookmarks.net, global-finder.com, itseasy.us, jethomepage.com, jetseeker.com, kazaa-lite.ws, martfinder.com, mommykiss.com, mywebsearch.net, noblindlinks.com, ok-search.com, pedo.ws, runsearch.com, search-2003.com, search.xrenoder.com, searchdesire.com, searchv.com, searchxp.com, sharempeg.com, slawsearch.com, slotch.com, stopxxxpics.com, super-spider.com, super-websearch.com, the-exit.com, the-huns-yellow-pages.com, topsearcher.com, unipages.cc, web-search.tk, white-pages.ws, youfindall.com, youfindall.net, yourbookmarks.info, yourbookmarks.ws
And/or add 127.0.0.1 before each host, and add those to your /etc/hosts.
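Using the blocklist above for detection as well as blocking, as an added example that is not part of the original post: it scans constructed proxy log lines for clients talking to the listed hosts (counting uploads separately, since the post describes stolen data being posted back), and emits the 127.0.0.1 hosts-file lines. The log format and the subset of hosts used are assumptions.

```python
import re
from urllib.parse import urlsplit

# Subset of the hosts from the blocklist above (constructed for the demo).
CWS_BLOCKLIST = {
    "coolwebsearch.com", "webcoolsearch.com", "193.125.201.50",
    "cool-web-search.com", "searchv.com", "slotch.com",
}

# Constructed proxy log in a simple "time client method url status" form.
SAMPLE_LOG = """\
2005-08-08T10:01:02 10.0.0.12 GET http://www.example.org/ 200
2005-08-08T10:01:09 10.0.0.12 GET http://www.coolwebsearch.com/?sid=abc 302
2005-08-08T10:01:10 10.0.0.12 POST http://193.125.201.50/upload.php 200
2005-08-08T10:03:44 10.0.0.31 GET http://slotch.com/ 200
2005-08-08T10:04:00 10.0.0.12 POST http://193.125.201.50/upload.php 200
2005-08-08T10:05:12 10.0.0.50 GET http://searchv.com.example.net/ 200
"""

def host_is_blocked(host: str) -> bool:
    """True for a listed host or any subdomain of one.
    A plain substring test would also flag 'searchv.com.example.net';
    matching on label boundaries avoids that false positive."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in CWS_BLOCKLIST)

def scan_log(text: str) -> dict:
    """Per-client hits on blocklisted hosts, with POSTs (uploads) counted."""
    hits = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip malformed lines
        _ts, client, method, url, _status = parts
        host = urlsplit(url).hostname or ""
        if not host_is_blocked(host):
            continue
        entry = hits.setdefault(client, {"hosts": set(), "uploads": 0})
        entry["hosts"].add(host)
        if method == "POST":
            entry["uploads"] += 1
    return hits

def hosts_file_lines(blocklist=CWS_BLOCKLIST) -> list:
    """Sinkhole lines for /etc/hosts. Bare IPs cannot be blocked this way
    (hosts only maps names), so they are left for a firewall rule."""
    ip = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
    return [f"127.0.0.1 {h}" for h in sorted(blocklist) if not ip.match(h)]

if __name__ == "__main__":
    for client, info in scan_log(SAMPLE_LOG).items():
        print(client, sorted(info["hosts"]), "uploads:", info["uploads"])
    print("\n".join(hosts_file_lines()))
```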
And when I posted about a network of sites I found over a year ago on news.admin.net-abuse.email when looking at a Scientology management company, I noticed that someone tossed a cancel at my post within a day. (By coincidence, Sunbelt Software is up to its eyebrows in Scientology too.)
One line blog. I hear that they're called Twitters now.
OK, OK, calm down. Let me just say that there are many good pieces of software on other platforms. In my line of work, the selection of technical software available for Linux can't be beaten. But there are also a lot of folks out there who like Windows, and its software satisfies their needs. And that's all good.
Now:
That's good, but some of these cost money on top of the base operating system. Common sense is a very good defense too, but what's required is computer common sense. A lot of people aren't experienced enough to know all the ins and outs of a system. Furthermore you missed the biggest, most effective shield of all, one that is sorely overlooked by anti-malware forums:
And no, I'm sorry but "such-and-such program doesn't work with this" is no excuse. There are nearly always routes around it. If not, drop the program. Write to the author and tell them to produce decent code that doesn't require admin privileges for non-administrative tasks.
Couple that with an alternative browser for that extra layer, and the Windows XP firewall blocking all incoming ports, and you should do fine. The worst that could happen is that something attempts to infect your user profile (and very few malware, if any, do this, because compromised systems are of more use); in which case, just take off your work and nuke the account. It's not impossible to secure Windows XP, but I think it does require more than common sense.
I've seen very reasonably "secure" desktops get spyware all the time. Windows firewall, Linksys NAT routers, no admin login, passworded accounts, etc.
There have been so many dozens of IE vulnerabilities that allow software to be installed with *zero* user interaction that it doesn't take a security "idiot" to get smacked by these things.
- It's not the Macs I hate. It's Digg users. -
Hi, I'm the author of the Ars article and the submitter of this story, Alex from sunbelt got back to me with a bit more information:
Basically, it went like this:
Patrick Jordan, our CoolWebSearch expert, was doing research on a CWS exploit. During the course of the research, he discovered that a) the machine he was testing became a spam zombie and b) it sent a call back to a remote server. He traced back the remote server and found what you have heard about.
The scale is unimaginable. There are thousands of machines pinging back in a day. There is a keylogger file that grows and grows, and then is zipped off and then the cycle continues again.
It is sophisticated. There are nifty little PHP scripts that help the criminals get reports. There is a special upload area.
It's really quite sucktastic.
Is this the same Sunbelt Software that did a study with the Yankee group that resulted in the claim that the TCO of Windows is less than that of Linux?
The real "Libtards" are the Libertarians!
Lots of factors, just like RL. Compare going to a jewelry store to going to a pawn shop - there are recognizable differences when you look at them. In the same way, you have to evaluate the author and the source. Like Trend Micro, it's very easy to see that they are a reputable company. Previously, when Merijn was working on the tool, you would have had to know something about him, what other reputable people said who used the tool, and the nature of the site the download was coming from. You'll notice my links are from MajorGeeks, who supply a lot of downloads; some of the tools they supply are great, some are marginal, but all are clean and the site is maintained well if problems are found with any files.
Overclockers
I work for Sunbelt Software as VP of Research & Development. While one of my spyware researchers was tracking down new variants of CoolWebSearch, he came across a payload of crap that was downloaded to his VMware. This payload included a program that monitored the user's internet traffic, chat activity and Windows protected storage store. When using Internet Explorer with autocomplete turned on, your autocomplete info gets stored in protected storage. This piece of spyware collected your protected storage info plus URLs, chat activity and website usernames and passwords. The real problem with this spyware was that it collected this information and posted it back to a public website that anyone could go to and read all of your personal information. Some examples of this include all the credit card info entered on HTML forms while purchasing something online. It did not matter that the webpage was using HTTPS. This website had collected over 500 different computers' very private information within a 24-hour period, including chat activity and login info to online bank accounts. One company had over $380,000 in a compromised account. The information was not the normal info collected for hacking purposes. It was collected to steal your money, SSN, credit card info, address, and identity. We have already found two variants of this spyware with multiple locations for its stolen info upload. We are working with the FBI and Secret Service to track everything back to the source.
Eric Sites
VP of Research & Development
Sunbelt Software, Inc.
"also most of the problems on windows are well known viruses. cleaning up what you believe is a deliberate attack on YOUR system would obviously justify far more care."
I thought the whole point of the article was that the common malware may be being used for uncommonly nefarious purpose. Just because 10,000 people got hit by the same malware doesn't make it any less specific a threat to you. The "My city got hit by a nuke, so it is okay as they weren't targeting me personally" logic.
People have to learn that as soon as someone finds a way to get malware on your box it is effectively game over. If one person does it undetected, so can someone else. Reinstall.
Well... Here's some fun. My original post showed the harvested domain did a 302 Found redirection to 66.96.215.226. That rinky-dink NET-66-96-215-215-1 block hasn't changed since 2001-06-29. Taking the address of the owner and dropping it into Mapquest, and .. voila! Just down the road from Clearwater. (Doesn't prove anything. Florida is loaded with spammers and scammers of all types.)
One line blog. I hear that they're called Twitters now.
about spyware? Let's face it, Sunbelt Software has a long history of spamming...
Not to mention the entire Clearwater/$cientology thing...
Then again, who better to look into the entire spam/spyware connection. They're simply vetting out the competition, right? What a world.
Yup - that's pretty much the process I use for cleaning client machines.
The only problem is when the client machine is so hosed you can't run anything without booting from a CD using Bart's PE or Windows Ultimate Boot CD. I usually have to try that first, running Ad-Aware from Bart's to get enough spyware off that I can then boot the machine and install the rest of the anti-spyware stuff and run it.
If necessary, I boot into Safe Mode as well and run a scan.
Neither of those catches running processes, though, so a scan with the machine in normal mode is usually necessary.
I intend to help with that problem by setting up a system to boot Windows 98 from a USB HD and running from there if I can. I specifically want Windows 98 because some client machines are too weak in RAM or CPU to boot Windows XP from Bart's.
After I clean off the majority of spyware with Ad-Aware and Spybot Search and Destroy, I run HijackThis, a full AV scan AND a trojan scan using TDS-3. That leaves only the crap that NONE of these things can get rid of, which entails manually inspecting running processes, identifying the crap and killing them and then removing their keys from the Registry manually - usually only a couple malware need this treatment.
When I get done, the system is clean. Then I install SpywareBlaster and Kerio Personal Firewall, and tell the client to use Firefox and Thunderbird from now on, and keep the spyware stuff updated and run it once a week and just default to removing everything they find (except HijackThis - I don't let the client run that.)
Haven't had to do a reinstall yet, but I wouldn't be surprised if it has to be done on somebody's machine sooner or later. Some of these people have literally hundreds or even thousands of spyware and dozens of - up to over a hundred - trojans.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Some of the referenced articles point to the CWS website being hosted by an ISP in the USA (State of MA). It would seem like that would be an opportunity to get the information of those responsible... either by gaining access to systems / physical property or simply beating the answer out of the company owners.....
Another nice tactic would be if virus writers would release other malicious viruses using the CWS name and website, set CWS up for a nice fall and huge legal action.
You can always follow the money. Heck, offer to pay CWS to run banner ads on their hijack search engine then go rm the people accepting the money.
Southeastern Virginia REPRESENT!