
Spyware Based ID Theft Ring Uncovered 143

Posted by Zonk
from the dirty-pool dept.
phaedo00 wrote to mention an Ars Technica article discussing a massive identity theft ring uncovered by security software firm Sunbelt. From the article: "According to one of their employees, Alex Eckelberry, during the course of one of their recent investigations into a particular spyware application--rumored to be called CoolWebSearch--they've discovered that the personal information of those 'infected' was being captured and uploaded to a server."
  • Not surprising. Also, this is one spyware app I find almost every time I "fix" someone's computer. It's very widespread among those who are idiots with their security.
    • CoolWebSearch does seem to be one of the more prevalent infections, like the flu.
      • Concur. It's widespread in the UK too.

        That said, we Brits have a reputation for being heavily infected, as our ISPs don't do what a lot of US ISPs consider standard practice, and either issue a router or block RPC ports 135-139 and 593.

        I'm surprised that so common an infection could be linked to organised crime and nobody realised until now though. I think I'll go and hit all my MSN communities with a warning about this...
      • Yup. And it's a pain in the @$$ to fully remove. You basically have to drop into safe mode to fully rip that sucker out.
        • by CaptnMArk (9003) on Saturday August 06, 2005 @02:24PM (#13258936)
          LOL

          It is funny how many people run anti-virus and anti-spyware software to clean up the mess while viruses and spyware might still be running on their machines.

          The only correct procedure is to boot from CD (or other read-only media), or perhaps move the disk to another machine, being very careful not to run anything from it.

          Then you verify hashes of all non-data files with known good values (easier said than done).

          Handling messy file formats where code and data are mixed (word, excel and to some extent html) is problematic too.

          Of course, an OS that can be actually booted from CD and has a real packaging system makes this much easier.
          • Agree, it's best practice to scan from outside the infected environment if possible, but it's often not very feasible with Windows.

            Also, most of the problems on Windows are well-known viruses. Cleaning up what you believe is a deliberate attack on YOUR system would obviously justify far more care.
            • "also most of the problems on windows are well known viruses. cleaning up what you belive is a deliberate attack on YOUR system would obviously justify far more care."

              I thought the whole point of the article was that the common malware may be being used for uncommonly nefarious purpose. Just because 10,000 people got hit by the same malware doesn't make it any less specific a threat to you. The "My city got hit by a nuke, so it is okay as they weren't targeting me personally" logic.

              People have to learn that
          • I'm still a little surprised that UBCD for Windows [ubcd4win.com] (it's a full-featured Windows boot disk creation toolset) hasn't caught on more than it has.

            I'm assuming you're trying to be silly even mentioning hash checking, because that would be overkill for the average desktop user (but certainly something you'd have already done on a production system, and there are plenty of tools for that already).

            Just the boot disk should do fine for most people's needs: from it run your AV (it's always a good idea to run a sec
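An added example, not code from any commenter or from the page: the offline check CaptnMArk describes above (boot from read-only media, then compare the hashes of the non-data files on the suspect disk against known-good values), written in Python. The manifest is built from a trusted tree and then checked against the suspect tree mounted read-only; the extension set and the sample file contents are assumptions constructed for the demo, and a real manifest would come from a clean install or a vendor hash list, never from the suspect disk itself.

```python
import hashlib
import os
import tempfile

# Extensions treated as "code" (non-data) files whose hashes must match the
# manifest. Assumption for this example, not a standard list; extend it for
# the platform being checked.
CODE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl"}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every code file under root.
    Run this on a trusted tree; the result is the 'known good' set."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in CODE_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_tree(manifest, suspect_root):
    """Compare the suspect tree (mounted read-only from rescue media) against
    the manifest. Reports patched binaries, dropped extras and deleted files;
    an added code file is as interesting as a modified one."""
    current = build_manifest(suspect_root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    added = sorted(p for p in current if p not in manifest)
    missing = sorted(p for p in manifest if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed sample: a clean tree and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        for root in (clean, suspect):
            _write(root, "Windows/System32/kernel32.dll", b"clean kernel32")
            _write(root, "Windows/System32/user32.dll", b"clean user32")
            _write(root, "Documents/notes.txt", b"data files are not hashed")
        manifest = build_manifest(clean)
        # Tamper with the suspect copy: one patched binary, one dropped
        # browser helper object, one deleted system file (all made up).
        _write(suspect, "Windows/System32/user32.dll", b"patched user32")
        _write(suspect, "Windows/System32/cws.dll", b"browser helper object")
        os.remove(os.path.join(suspect, "Windows/System32/kernel32.dll"))
        return verify_tree(manifest, suspect)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The comparison only covers files with code extensions; the mixed code-and-data formats the comment mentions (Office documents, HTML) would need content inspection rather than a whole-file hash, which is why they are left out of the manifest.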
    • I would assume that all spyware is actually uploading info. What does it matter if they do it directly or indirectly? The fact that something was written to indirectly infect you means you know they are up to no good.

      What is amazing is that people accept that as being ok.
    • This is *the* spyware program right now. It used to be Gator (as that was included with Kazaa and many other popular programs) but CoolWebSearch has, at last glance (I no longer do tech support for a living), vastly surpassed it for number of infected PCs.

      If you happen to be in the unfortunate majority infected by it, download CWShredder [intermute.com] (free) to get rid of it, then get something like Ad-Aware [lavasoft.de] to get rid of anything else you might have gotten along with it (as spyware often gets installed in packs, so to
    • I've seen very reasonably "secure" desktops get spyware all the time. Windows firewall, Linksys NAT routers, no admin login, passworded accounts, etc.

      There have been so many dozens of IE vulnerabilities that allow software to be installed with *zero* user interaction that it doesn't take a security "idiot" to get smacked by these things.
      • There have been so many dozens of IE vulnerabilities that allow software to be installed with *zero* user interaction that it doesn't take a security "idiot" to get smacked by these things.

        Even with all those things, only a security "idiot" would use IE.

  • Dude, that is so not cool.
  • CWS (Score:2, Interesting)

    by IconBasedIdea (838710)
    This is something that has been around for years, no? I haven't run windows in 3 years, but I remember removing CWS many, many times over the years...
    • by jdwest (760759)
      It was a CWS infection in July 2003 that made me realize I was working for my computer, instead of the other way around. That one piece of malware did more to make me appreciate Linux and OS X than any MS marketing material could ever hope to overcome.
    • Re:CWS (Score:1, Insightful)

      by MrShaggy (683273)
      I agree with the other responder. It's why I jumped back into Linux as a home machine. It was becoming a daily thing. Run 2 hours a day of scans. I was on a Win2k box. I haven't had any such problems since.

      If I didn't know any better I'd think that MS leaves things like that unpatched to force you to upgrade to the latest and greatest.
      • by fbjon (692006)
        I wish I could share your experience, kind of. I've never encountered a bad infection on any machine I've owned. My Windows machines don't really crash that often, and work rather nicely. I'd like some incentive to switch.

        Speaking of which, does anyone know of a good tracker (modern, full-featured, MIDI, arbitrary channels, like Renoise) for linux?

  • One can only speculate about why someone would do such a thing

    That's about as dumb a statement as I can expect to see in print this week. We know why someone would do it. Information is valuable in many different ways. Get a clue!

  • Wow... (Score:1, Funny)

    by HyperShadowDC (841714)
    I have had to delete this numerous times on my parent's computers... I'm gonna have to go and make sure it's still not on there.
    • I'm gonna have to go and make sure it's still not on there.

      Give a man a fish, and he eats for a day, teach a man to fish, and he eats for a lifetime.
      • More than a few members of older generations are so baffled by computers that there's little you can teach that they'll be able to understand. Best thing to do is add passive protection, like a hosts file, an antispyware app with real-time protection, a firewall, etc.
      • "Give a man a fish, and he eats for a day, teach a man to fish, and he eats for a lifetime."

        And I thought it was:

        Give a man a fish, feed him for a day. Teach a man to fish, he's gone every weekend.

        Or, maybe:

        Give a man a fish, feed him for a day. Teach a man to fish, you've lost your fish monopoly.
  • Didn't the old Prodigy service (a competitor to Compuserve, in the days before AOL) get a bad rap for a similar offense? Grabbing personal info and uploading it back to the Borg?
    • The borg are now into stealing personal information?

      Man, ever since Braga and Berman got their hands on the franchise it's been nothing but downhill!

      Now they've got the Borg stealing people's personal information.
    • Prodigy got in trouble because people found personal information inside its cache files. It turned out that the only reason that information was present was because prodigy's software didn't initialize the contents of the cache files when they were created. They contained whatever random junk that had been left behind by other software. They weren't spying on their users.
      • That, and the other big black eye they got in the public opinion was for editing and deleting forum posts that had any anti-Prodigy sentiment or were complaining about the censoring of posted content.

        I think there were even an/some court case(s), and IIRC it was decided that since they run a private forum they can edit any content they want to, and your "speech" there is not 1st Amendment protected. That was about the same time it started to dawn on most people that email and such on other people systems o
  • as intended (Score:2, Insightful)

    by Anonymous Coward
    Isn't this exactly what all spyware does?
    Hence the name "spyware".
  • It does WHAT? (Score:4, Interesting)

    by BandwidthHog (257320) <inactive.slashdo ... icallyenough.com> on Saturday August 06, 2005 @01:56PM (#13258809) Homepage Journal
    Let's see how much attention this gets in middle America. The level of histrionics will be a good indicator of what proportion of the public was consciously aware that spyware actually, you know, spies on you.
  • How is this news? (Score:2, Informative)

    by I.M.O.G. (811163)
    CWS has been around and is greatly prevalent... There are very well developed tools to remove infections also, as manual removal of this one is VERY complicated.

    You can download the original removal tool here (no longer updated): http://www.majorgeeks.com/download4086.html [majorgeeks.com]

    You can download the currently maintained removal tool here, as InterMute took over development from Merijn and was acquired by Trend Micro: http://www.majorgeeks.com/Trend_Micro_CWShredder_d3019.html [majorgeeks.com]

    • How do we know that the removal tools don't actually install more spyware, or simply hide the existing spyware better?
      • Re:"removal" tools (Score:2, Insightful)

        by I.M.O.G. (811163)
        Lots of factors, just like RL. Compare going to a jewelry store to going to a pawn shop - there are recognizable differences when you look at them. In the same way, you have to evaluate the author and the source. Like Trend Micro, it's very easy to see that they are a reputable company. Previously when Merijn was working on the tool, you would have had to know something about him, what other reputable people said who used the tool, and the nature of the site the download was coming from. You'll notice m
  • Misinformation? (Score:5, Informative)

    by LFS.Morpheus (596173) on Saturday August 06, 2005 @02:01PM (#13258836) Homepage
    If you RTFA, you find that what they really found was that CoolWebSearch (or, more accurately, one of its variants) sends sensitive information to a server. There is no information that they have uncovered a "massive ring" of people involved. They have contacted the FBI and they'll be responsible for finding those responsible.

    I did some research on CoolWebSearch (or "CWS") which is a pretty common spyware app, and it seems there are tons of variants. The majority of these apps are designed to get you to coolwebsearch.com in order to create affiliate money for the variant's creator - or at least that was the original idea. My guess is that only some of these variants capture privacy information.

    More information on CWS is available from:
    http://en.wikipedia.org/wiki/CoolWebSearch [wikipedia.org]
    http://www.google.com/search?q=CoolWebSearch [google.com]
    • Re:Misinformation? (Score:2, Interesting)

      by Anonymous Coward
      Did anyone else read http://en.wikipedia.org/wiki/CoolWebSearch [wikipedia.org]?

      I very much disagree with the statement at the end: "Microsoft Windows' System Restore, which is a Windows utility that restores some registry keys and some settings in Windows, can remove some, but not all, variants of CoolWebSearch, if there is still a restoration point. To be safe, use System Restore as a last resort as some files will remain if you use that utility."

      I posted this in the discussion section:

      "Notes from a traveling computer tec
    • ``They have contacted the FBI and they'll be responsible for finding those responsible.''

      And if they fail, the ones responsible for finding the ones responsible will be sacked. And if the ones responsible for getting the ones responsible for finding the ones responsible sacked fail, they will be sacked. And the new write-up on CWS will be completed at great expense and in a completely different style.
  • by Tuxedo Jack (648130) on Saturday August 06, 2005 @02:01PM (#13258837) Homepage
    But they're basically commissioning it with their PPC search engine model.

    Also, if you've not read up on CWS and what they do - and how they do it - read this:

    http://merijn.org/cwschronicles.html [merijn.org]

    Merijn's the original developer of CWShredder, and while his recording of CWS stops at the original about:blank strain, that's enough to tell you what kind of scum pull this.

    Disclaimer: I use CWShredder in my work on SpywareInfo's antispyware boards.
  • C'mon. This has been around for years. Has no one ever happened to turn on a packet sniffer or something while CoolWebSearch was active and seen some dodgy traffic? And CWS is pretty well known. I'd bet it's been deconstructed at least once. And if someone's taken the time to reverse-engineer it, I'm sure they'd look through the code they got back, and notice that there were some socket-writing subroutines.
  • How can it be called ID Theft if the original owner still has his identity?
    • by Dunbal (464142) on Saturday August 06, 2005 @02:11PM (#13258877)
      How can it be called ID Theft if the original owner still has his identity?

            You're right. It sounds more like ID Piracy arr arr...! That's good, everyone knows the penalties for piracy are much steeper than those for theft...(ducking).
      • That's good, everyone knows the penalties for piracy are much steeper than those for theft...(ducking).


        And pirates are very easy to detect!
        if (-e $parrot ){
            arrest_pirate();
        };
        [badum-ching]
    • How can it be called ID Theft if the original owner still has his identity?
      Parent post is not a troll; it identifies the main error in the article.
      What happened is that some spyware harvested very personal info about some people. That's bad, possibly criminal. But it's not identity theft.
      Identity theft occurs when somebody takes the personal information and uses it to pose as you, draining your bank account, sleeping with your girlfriend, or in some way abusing the illicit information. There's no direct e
      • It was pedantic. The definition of theft is not a relevant issue, and it's usage is grammatically correct anyway.

        The word identity is a relative term, and since the point of view from which the theft occurred (could be from the POV of an electronic business transaction that exists for milliseconds in which possession is determined once and never considered again) it is a waste of time to question the author's grammar when there are much more important issues in question.
      • >How can it be called ID Theft if the original owner still has his identity?

        This is just a pathetically lame attempt to confuse the issue. It doesn't matter that "the original owner still has it" since a liability has been associated with it and its owner may even wish he didn't "still have it". This isn't like stealing software or music.

        What happened is that some spyware harvested very personal info about some people. That's bad, possibly criminal. But it's not identity theft.
        Identity theft occurs when
  • If you haven't heard of it before, CoolWebSearch has reigned as one of the nastier pieces of spyware for quite a while now. [cwshredder.net] It's hardly surprising they would sink this low.
  • Oh wait, they stole passwords and such too... Nice, maybe this will make things more clear for some people:

    spyware = criminals
  • by loraksus (171574) on Saturday August 06, 2005 @02:11PM (#13258874) Homepage
    CoolWebSearch is among - if not the most - annoying, underhanded, and pain-in-the-ass-to-remove spyware apps out there.
    Not only were most people infected via a security exploit in MS Java, they constantly release updates that break or modify spyware removal programs and Windows utilities such as MSConfig and regedit, as well as blocking the sites on which the removal tools are hosted.

    I have no problem with the book being thrown at these punks.
  • by Hawthorne01 (575586) on Saturday August 06, 2005 @02:25PM (#13258939)
    My Dad bought a new ThinkPad, and before I let him anywhere near it, I spent an hour downloading CWShredder, Spybot, Ad-Aware, et al. before I connected to the 'net. It's been 10 years since I owned a Windows machine, and this was the first one I'd set up since then. It was an eye-opener for me as to just how bad it is out there in the Windows world.
  • by Dynamoo (527749) on Saturday August 06, 2005 @02:39PM (#13259003) Homepage
    CoolWebSearch is one of the very most spyware apps that I have to deal with.. it's a pig to remove (sometimes it's just easier to nuke the infected machine and start over) and it installs an alarming amount of Slimeware [slimeware.com].

    Quite apart from the issue of identity theft.. the installation of the software itself is done illegally according to the laws of most countries. Silent drive-by downloads constitute unauthorised access.

    HOWEVER.. CoolWebSearch have claimed in the past that these silent drive-by installations were the work of "affiliates" and not CoolWebSearch itself. Personally, I have always suspected that the affiliates were working in this way with the tacit approval of CoolWebSearch.

    It's about time somebody got sent to jail for a LONG time for this kind of crap.

  • by titten (792394) on Saturday August 06, 2005 @02:42PM (#13259020)
    Well, this page [spywareinfo.com] lists [spywareinfo.com] all the URLs associated with CWS.

    Add these hosts to your webfilter/proxy blocking list:

    coolwebsearch.com, webcoolsearch.com, 193.125.201.50, 1stpagehere.com, 66.250.130.194, adulthyperlinks.com, allhyperlinks.com, approvedlinks.com, bestcrawler.com, cantfind.com, carsands.com, cool-web-search.com, coolfreepage.com, coolwwwsearch.com, couldnotfind.com, defaultsearch.net, dev.ntcor.com, ewebsearch.net, findloss.com, findwhat.com, firstbookmark.net, freebookmark.net, freebookmarks.net, global-finder.com, itseasy.us, jethomepage.com, jetseeker.com, kazaa-lite.ws, martfinder.com, mommykiss.com, mywebsearch.net, noblindlinks.com, ok-search.com, pedo.ws, runsearch.com, search-2003.com, search.xrenoder.com, searchdesire.com, searchv.com, searchxp.com, sharempeg.com, slawsearch.com, slotch.com, stopxxxpics.com, super-spider.com, super-websearch.com, the-exit.com, the-huns-yellow-pages.com, topsearcher.com, unipages.cc, web-search.tk, white-pages.ws, youfindall.com, youfindall.net, yourbookmarks.info, yourbookmarks.ws

    And/or add 127.0.0.1 before each host, and add those to your /etc/hosts.
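An added example, not code from titten or from the page: turning the list above into hosts-file and proxy rules in Python, with the two checks a practitioner wants before pasting it in. The hosts file can only map names, so the two bare IP addresses in the list (193.125.201.50 and 66.250.130.194) are split out for a firewall or proxy rule instead; and a hosts-file entry matches the exact name only, so `www.coolwebsearch.com` slips past `coolwebsearch.com` unless the proxy ACL does suffix matching. The list is copied from the comment as sample input; the sink address 0.0.0.0 (rather than 127.0.0.1, so blocked lookups never reach a local web server) and the hostname pattern are choices made for this example.

```python
import ipaddress
import re

# The list exactly as posted above, used as sample input.
RAW_LIST = (
    "coolwebsearch.com, webcoolsearch.com, 193.125.201.50, 1stpagehere.com, "
    "66.250.130.194, adulthyperlinks.com, allhyperlinks.com, approvedlinks.com, "
    "bestcrawler.com, cantfind.com, carsands.com, cool-web-search.com, "
    "coolfreepage.com, coolwwwsearch.com, couldnotfind.com, defaultsearch.net, "
    "dev.ntcor.com, ewebsearch.net, findloss.com, findwhat.com, firstbookmark.net, "
    "freebookmark.net, freebookmarks.net, global-finder.com, itseasy.us, "
    "jethomepage.com, jetseeker.com, kazaa-lite.ws, martfinder.com, mommykiss.com, "
    "mywebsearch.net, noblindlinks.com, ok-search.com, pedo.ws, runsearch.com, "
    "search-2003.com, search.xrenoder.com, searchdesire.com, searchv.com, "
    "searchxp.com, sharempeg.com, slawsearch.com, slotch.com, stopxxxpics.com, "
    "super-spider.com, super-websearch.com, the-exit.com, the-huns-yellow-pages.com, "
    "topsearcher.com, unipages.cc, web-search.tk, white-pages.ws, youfindall.com, "
    "youfindall.net, yourbookmarks.info, yourbookmarks.ws"
)

# Conservative hostname syntax (LDH labels, alphabetic TLD); anything that
# fails it is reported rather than silently written into /etc/hosts.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$"
)


def parse_blocklist(text):
    """Split the raw list into hostnames, bare IP addresses and rejects.
    A hosts file cannot block an IP, so the IPs need a firewall/proxy rule."""
    hosts, ips, rejected = [], [], []
    for item in text.split(","):
        item = item.strip().lower().rstrip(".")
        if not item:
            continue
        try:
            ips.append(str(ipaddress.ip_address(item)))
            continue
        except ValueError:
            pass
        if HOSTNAME_RE.match(item):
            hosts.append(item)
        else:
            rejected.append(item)
    return hosts, ips, rejected


def hosts_file_lines(hosts, sink="0.0.0.0"):
    """One '<sink> <name>' line per name, duplicates dropped, order kept."""
    seen, lines = set(), []
    for h in hosts:
        if h not in seen:
            seen.add(h)
            lines.append(f"{sink} {h}")
    return lines


def hosts_file_blocks(hostname, hosts):
    """What the hosts file actually gives you: an exact-name match."""
    return hostname.lower().rstrip(".") in set(hosts)


def proxy_blocks(hostname, hosts):
    """Suffix match, as a proxy ACL does (e.g. Squid 'dstdomain .example.com'):
    also catches www.coolwebsearch.com and any other subdomain."""
    hostname = hostname.lower().rstrip(".")
    return any(hostname == h or hostname.endswith("." + h) for h in hosts)


if __name__ == "__main__":
    names, addrs, bad = parse_blocklist(RAW_LIST)
    print("\n".join(hosts_file_lines(names)))
    print("# IPs for the firewall/proxy, not the hosts file:", addrs)
    print("# rejected:", bad)
```

Running it prints the hosts-file block followed by the two addresses that need a separate rule. Blocking the list also does nothing about an already-infected machine that rewrote its own hosts file, which is why the offline clean-up discussed earlier in the thread still comes first.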
  • by AndroidCat (229562) on Saturday August 06, 2005 @02:50PM (#13259081) Homepage
    I posted about a network of sites I found over a year ago on news.admin.net-abuse.email [google.com] when looking at a Scientology management company, and noticed that someone tossed a cancel at my post within a day. (By coincidence, Sunbelt Software is up to its eyebrows in Scientology too.)
  • A lot of people ask, will middle America wake up to this? The answer is no. There are many kinds of free software available online to combat spyware. There are online services from Trend Micro that will scan your machine for viruses and spyware. Why not take the time out to do that?

    Oh wait.. previous Slashdot article.. people with spyware-infected machines think that their computer is just running slow and it's just time for a new one.

    probably in 5 or so years, spyware and virus will usually be
  • "security" firm sunbelt just now stumbled upon coolwebsearch and discovered it's recording users data? Let's clarify, EVERYONE knows that coolwebsearch is spyware, and has for a long time. Hell, my uncle can barely turn on a computer and he knows CWS is spyware.

    Main Entry: spyware
    Part of Speech: noun
    Definition: any software that covertly gathers information about a user while he/she navigates the Internet and transmits the information to an individual or company that uses it for marketing or ot
    • CWS being spyware is nothing new, and the article does seem to contain a lot of scaremongering, but Sunbelt did discover something new: they found the actual stolen/recorded information, including a lot of stuff that is considerably more invasive than surfing habits, real names, etc. And I thought they only made junk food [sunbeltsnacks.com]...
      Sunbelt's blog [blogspot.com] entries [blogspot.com] are, in my opinion, better than the ars article.

  • Couldn't they just present a someone else's info when arrested?

    Then when they get out on bail, skip town.

    Then the police would find themselves starting all over again?

    I guess the only way that might not work is if the police already have their prints and true identity on file.

    But then, the other ID on file might be false too.
  • by phaedo00 (143820) on Saturday August 06, 2005 @05:08PM (#13259880) Homepage

    Hi, I'm the author of the Ars article and the submitter of this story, Alex from sunbelt got back to me with a bit more information:

    Basically, it went like this:

    Patrick Jordan, our CoolWebSearch expert, was doing research on a CWS exploit. During the course of the research, he discovered that a) the machine he was testing became a spam zombie and b) it sent a call back to a remote server. He traced back the remote server and found what you have heard about.

    The scale is unimaginable. There are thousands of machines pinging back in a day. There is a keylogger file that grows and grows, and then is zipped off and then the cycle continues again.

    It is sophisticated. There are nifty little PHP scripts that help the criminals get reports. There is a special upload area.

    It's really quite sucktastic.

  • The inside info (Score:2, Informative)

    by EricSites (905703)
    Here is the information right from the source (me):

    I work for Sunbelt Software as VP of Research & Development. While one of my spyware researchers was tracking down new variants of CoolWebSearch he came across a payload of crap that was downloaded to his VMware. This payload included a program that monitored the user's internet traffic, chat activity and Windows protected storage store. When using Internet Explorer with autocomplete turned on, your autocomplete info gets stored in protected storage. T

  • But how could one get a CWS variant for study? Are there archives online for infected programs and trojans such as these?

    I run Linux for my primary desktop -- have for 5 years. I run WinXP in VMWare, with snapshots enabled. So when I wish to experiment with questionable sites and programs, I roll back when I'm done.

    That said, if CWS is as nasty as everyone says, I'd *love* to let it loose in a sterile VM and try my hand at removing it manually (mainly using the Sysinternals suite of programs to find the

  • a major nuisance (Score:1, Interesting)

    by Anonymous Coward
    Because of crap like this, I've opened another savings account in which I keep most of my money. The difference between this new one and the prior one - which I still maintain, but with smaller dollar amounts - is that I'll never check the new account's status online. Pretty ridiculous as I do everything online (yes, even sex!) but the security risk involved and the fact I could lose a good amount of money, with little chance of recovery (or having to jump through a million hoops to get anything back) has l
  • Whenever I come across a computer with CWS I cringe. It's good to learn of CWShredder, and hopefully that will make my life easier.

    Now that story is out there, hopefully people will realize that spyware writers are no better than virus writers, and should be put into jail.
  • about spyware? Let's face it, Sunbelt Software has a long [google.com] history [google.com] of spamming [google.com]...

    Not to mention the entire Clearwater [sptimes.com]/$cientology [xenu.net] thing...

    Then again, who better to look into the entire spam/spyware connection. They're simply vetting out the competition, right? What a world.

  • by telemonster (605238) on Saturday August 06, 2005 @11:11PM (#13261754) Homepage
    Some of the referenced articles point to the CWS website being hosted by an ISP in the USA (State of MA). It would seem like that would be an opportunity to get the information of those responsible... either by gaining access to systems / physical property or simply beating the answer out of the company owners.....

    Another nice tactic would be if virus writers would release other malicious viruses using the CWS name and website, set CWS up for a nice fall and huge legal action.

    You can always follow the money. Heck, offer to pay CWS to run banner ads on their hijack search engine then go rm the people accepting the money.
