Security Privacy

Spyware Based ID Theft Ring Uncovered 143

phaedo00 wrote to mention an Ars Technica article discussing a massive identity theft ring uncovered by security software firm Sunbelt. From the article: "According to one of their employees, Alex Eckelberry, during the course of one of their recent investigations into a particular Spyware application--rumored to be called CoolWebSearch--they've discovered that the personal information of those 'infected' was being captured and uploaded to a server."


  • How is this news? (Score:2, Informative)

    by I.M.O.G. ( 811163 ) <spamisyummy@gmail.com> on Saturday August 06, 2005 @02:01PM (#13258834) Homepage
    CWS has been around and is greatly prevalent... There are very well developed tools to remove infections also, as manual removal of this one is VERY complicated.

    You can download the original removal tool here (no longer updated): http://www.majorgeeks.com/download4086.html

    You can download the currently maintained removal tool here, as InterMute took over development from Merijn and was acquired by Trend Micro: http://www.majorgeeks.com/Trend_Micro_CWShredder_d3019.html

  • Misinformation? (Score:5, Informative)

    by LFS.Morpheus ( 596173 ) on Saturday August 06, 2005 @02:01PM (#13258836) Homepage
    If you RTFA, you find that what they really found was that CoolWebSearch (or, more accurately, one of its variants) sends sensitive information to a server. There is no information that they have uncovered a "massive ring" of people involved. They have contacted the FBI and they'll be responsible for finding those responsible.

    I did some research on CoolWebSearch (or "CWS") which is a pretty common spyware app, and it seems there are tons of variants. The majority of these apps are designed to get you to coolwebsearch.com in order to create affiliate money for the variant's creator - or at least that was the original idea. My guess is that only some of these variants capture privacy information.

    More information on CWS is available from:
    http://en.wikipedia.org/wiki/CoolWebSearch
    http://www.google.com/search?q=CoolWebSearch
  • by Tuxedo Jack ( 648130 ) on Saturday August 06, 2005 @02:01PM (#13258837) Homepage
    But they're basically commissioning it with their PPC search engine model.

    Also, if you've not read up on CWS and what they do - and how they do it - read this:

    http://merijn.org/cwschronicles.html

    Merijn's the original developer of CWShredder, and while his recording of CWS stops at the original about:blank strain, that's enough to tell you what kind of scum pull this.

    Disclaimer: I use CWShredder in my work on SpywareInfo's antispyware boards.
  • by CaptnMArk ( 9003 ) on Saturday August 06, 2005 @02:24PM (#13258936)
    LOL

    It is funny how many people run anti virus and anti spyware software to clean up the mess while viruses and spyware might be still running on their machines.

    The only correct procedure is to boot from CD (or other read-only media), or perhaps move the disk to another machine, being very careful not to run anything from it.

    Then you verify hashes of all non-data files with known good values (easier said than done).

    Handling messy file formats where code and data are mixed (word, excel and to some extent html) is problematic too.

    Of course, an OS that can be actually booted from CD and has a real packaging system makes this much easier.
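    The hash-verification step described in the comment above, as an added example that is not part of the original post: build a baseline of SHA-256 digests for every file under a directory (done from known-good media, never from the suspect disk), then compare the suspect tree against that baseline and report files that were modified, removed or added. The directory layout, file names and the tampering scenario in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a planted link cannot make a bad file hash as a good one."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare_to_baseline(root, baseline):
    """Return the relative paths that differ from the known-good baseline:
    'modified' (hash changed), 'missing' (in baseline, not on disk),
    'unexpected' (on disk, not in baseline)."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: snapshot a clean tree, tamper with it, re-check.
    Everything here (names, contents) is made up for the example."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "tool.exe").write_bytes(b"original code")
        (root / "bin" / "helper.dll").write_bytes(b"original helper")
        baseline = build_baseline(root)          # taken while the tree is clean

        # Simulated tampering: one binary patched, one removed, one dropped in.
        (root / "bin" / "tool.exe").write_bytes(b"original code + injected")
        (root / "bin" / "helper.dll").unlink()
        (root / "bin" / "extra.dll").write_bytes(b"not supposed to be here")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

    The baseline itself must come from trusted media (install CD, vendor package manifests) and be stored off the machine being checked; a baseline read from the suspect disk is only as trustworthy as the disk. Data files, and the mixed code-and-data formats the comment mentions, will naturally show up as "modified" and need separate handling.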
  • by Hawthorne01 ( 575586 ) on Saturday August 06, 2005 @02:25PM (#13258939)
    My Dad bought a new ThinkPad, and before I let him anywhere near it, I spent an hour downloading CWShredder, Spybot, Ad-Aware, et al before I connected to the 'net. It's been 10 years since I owned a Windows machine, and this was the first one I'd set up since then. It was an eye-opener for me as to just how bad it is out there in the Windows world.
  • by titten ( 792394 ) on Saturday August 06, 2005 @02:42PM (#13259020)
    Well, this page [spywareinfo.com] lists all the URLs associated with CWS.

    Add these hosts to your webfilter/proxy blocking list:

    coolwebsearch.com, webcoolsearch.com, 193.125.201.50, 1stpagehere.com, 66.250.130.194, adulthyperlinks.com, allhyperlinks.com, approvedlinks.com, bestcrawler.com, cantfind.com, carsands.com, cool-web-search.com, coolfreepage.com, coolwwwsearch.com, couldnotfind.com, defaultsearch.net, dev.ntcor.com, ewebsearch.net, findloss.com, findwhat.com, firstbookmark.net, freebookmark.net, freebookmarks.net, global-finder.com, itseasy.us, jethomepage.com, jetseeker.com, kazaa-lite.ws, martfinder.com, mommykiss.com, mywebsearch.net, noblindlinks.com, ok-search.com, pedo.ws, runsearch.com, search-2003.com, search.xrenoder.com, searchdesire.com, searchv.com, searchxp.com, sharempeg.com, slawsearch.com, slotch.com, stopxxxpics.com, super-spider.com, super-websearch.com, the-exit.com, the-huns-yellow-pages.com, topsearcher.com, unipages.cc, web-search.tk, white-pages.ws, youfindall.com, youfindall.net, yourbookmarks.info, yourbookmarks.ws

    And/or add 127.0.0.1 before each host, and add those to your /etc/hosts.
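    The hosts-file step just described ("add 127.0.0.1 before each host"), as an added example that is not part of the original comment: a small script that takes a comma-separated list in the shape of the one above, separates real hostnames from bare IP addresses (a hosts file can only map names, so the IPs have to go to a firewall or proxy rule instead), rejects anything that is not a valid hostname, and merges the resulting lines into hosts-file text between markers so it can be re-run without duplicating entries. `SAMPLE_LIST` is a constructed subset of the list above plus one deliberately malformed entry; the marker names are assumptions.

```python
import ipaddress
import re

# Constructed sample in the shape of the list above: hostnames mixed with
# bare IP addresses, a differently-cased duplicate, and one malformed entry.
SAMPLE_LIST = (
    "coolwebsearch.com, webcoolsearch.com, 193.125.201.50, CoolWebSearch.com, "
    "66.250.130.194, web-search.tk, bad entry!"
)

# RFC 1123-style hostname: dotted labels of letters/digits/hyphens, alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

BEGIN, END = "# BEGIN cws-blocklist", "# END cws-blocklist"   # assumed marker names


def split_hosts(text):
    """Split a comma-separated blocklist into (hostnames, ips, rejected).
    Hostnames and IPs are lowercased, deduplicated and kept in first-seen order."""
    hostnames, ips, rejected = [], [], []
    seen = set()
    for raw in text.split(","):
        item = raw.strip().lower().rstrip(".")
        if not item or item in seen:
            continue
        seen.add(item)
        try:                                   # bare IPs cannot live in a hosts file
            ips.append(str(ipaddress.ip_address(item)))
            continue
        except ValueError:
            pass
        (hostnames if HOSTNAME_RE.match(item) else rejected).append(item)
    return hostnames, ips, rejected


def hosts_file_lines(hostnames, sink="127.0.0.1"):
    """One hosts-file line per hostname, pointing it at the sink address."""
    return [f"{sink} {h}" for h in hostnames]


def merge_into_hosts(existing, new_lines):
    """Replace the marked block if present, otherwise append it; idempotent."""
    block = [BEGIN, *new_lines, END]
    lines = existing.splitlines()
    if BEGIN in lines and END in lines:
        b, e = lines.index(BEGIN), lines.index(END)
        lines[b:e + 1] = block
    else:
        lines.extend(block)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    names, ips, bad = split_hosts(SAMPLE_LIST)
    print(merge_into_hosts("127.0.0.1 localhost\n", hosts_file_lines(names)))
    print("needs a firewall/proxy rule instead:", ips)
    print("rejected:", bad)
```

    Blocking by hosts file only affects name resolution on that one machine; it does nothing for the IP-address entries in the list, and a proxy or perimeter filter covers every host on the network at once. Some hosts-file tooling prefers `0.0.0.0` as the sink so that blocked names do not connect to a local listener; the function takes it as a parameter for that reason.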
  • Re:Windoze (Score:3, Informative)

    by ettlz ( 639203 ) on Saturday August 06, 2005 @04:17PM (#13259615) Journal

    OK, OK, calm down. Let me just say that there are many good pieces of software on other platforms. In my line of work, the selection of technical software available for Linux can't be beaten. But there are also a lot of folks out there who like Windows, and its software satisfies their needs. And that's all good.

    Now:

    the best available solution is a good firewall, good spyware cleaner, good antivirus, and a bit of common sense that, no, you really shouldn't install every neat little gadget without knowing what you're putting in your box.

    That's good, but some of these cost money on top of the base operating system. Common sense is a very good defense too, but what's required is computer common sense. A lot of people aren't experienced enough to know all the ins and outs of a system. Furthermore you missed the biggest, most effective shield of all, one that is sorely overlooked by anti-malware forums:

    For the love of ... whatever,
    use a limited access account.

    And no, I'm sorry but "such-and-such program doesn't work with this" is no excuse. There are nearly always routes around it. If not, drop the program. Write to the author and tell them to produce decent code that doesn't require admin privileges for non-administrative tasks.

    Couple that with an alternative browser for that extra layer, and the Windows XP firewall blocking all incoming ports, and you should do fine. The worst that could happen is something attempts to infect your user profile (and very few malware, if any, do this because compromised systems are of more use); in which case, just take off your work and nuke the account. It's not impossible to secure Windows XP, but I think it does require more than common sense.

  • The inside info (Score:2, Informative)

    by EricSites ( 905703 ) on Saturday August 06, 2005 @05:46PM (#13260077)
    Here is the information right from the source (me):

    I work for Sunbelt Software as VP of Research & Development. While one of my spyware researchers was tracking down new variants of CoolWebSearch he came across a payload of crap that was downloaded to his VMware. This payload included a program that monitored the user internet traffic, chat activity and Windows protected storage store. When using Internet Explorer with autocomplete turned on, your autocomplete info gets stored in protected storage. This piece of spyware collected your protected storage info plus URLs, chat activity and website usernames and passwords. The real problem with this spyware was that it collected this information and posted it back to a public website that anyone could go to and read all of your personal information. Some examples of this include all the credit card info entered on HTML forms while purchasing something online. It did not matter that the webpage was using HTTPS. This website had collected over 500 different computers' very private information within a 24-hour period, including chat activity and login info to online bank accounts. One company had over $380,000 in a compromised account. The information was not the normal info collected for hacking purposes. It was collected to steal your money, SSN, credit card info, address, and identity. We have already found two variants of this spyware with multiple locations for its stolen info upload. We are working with the FBI and Secret Service to track everything back to the source.

    Eric Sites
    VP of Research & Development
    Sunbelt Software, Inc.

  • by AndroidCat ( 229562 ) on Saturday August 06, 2005 @07:35PM (#13260656) Homepage
    Well... Here's some fun. My original post showed the harvested domain did a 302 Found redirection to 66.96.215.226. That rinky-dink NET-66-96-215-215-1 block hasn't changed since 2001-06-29. Taking the address of the owner and dropping it into Mapquest, and .. voila! Just down the road from Clearwater. (Doesn't prove anything. Florida is loaded with spammers and scammers of all types.)
