Sunbelt Software, a vendor of antispyware tools, said the company stumbled upon a massive ID theft ring that is using a well-known spyware program to break into and systematically steal confidential information from an unknown number of computers worldwide.
The operation was discovered yesterday during research Sunbelt was doing on a spyware program belonging to a particularly dangerous class of browser hijacking tools called CoolWebSearch (CWS).
The CWS variant being researched by Sunbelt turned infected systems into spam zombies and uploaded a wide variety of personal information to a remote server apparently located in the U.S. That server holds a "treasure trove of information" for ID thieves, Eckelberry said.
Sunbelt's research showed that the information being uploaded to the remote server included chat sessions, user names, passwords and bank information, he said. The bank information included details on one company bank account with more than $350,000 in deposits and another belonging to a small California company with over $11,000 in readily accessible cash, he said.
The FBI has been contacted and is working on the case, Eckelberry said. In addition, Sunbelt has contacted some of the individuals and banks whose data has been logged to warn them of the compromise.
The domain of the remote server appears to have been registered in China, although the server itself is located in the U.S., Eckelberry said. "We are working to get that server taken down."
The scale is unimaginable. There are thousands of machines pinging back daily. There is a keylogger file that grows and grows, and then is zipped off and then the cycle continues again (note that while thousands of machines are pinging back, the number that are being logged into the keylogger file is less than that, but still significant). The server is in the US, but the domain is registered to an offshore entity.
The types of data in this file are pretty sickening to watch. You have IM chat sessions, search terms, social security numbers, credit cards, logins and passwords, etc.
People who ask me what to do get a simple answer: Get a software firewall in fast. Just any decent free one will do the job.
This keylogger is not CoolWebSearch. It was discovered during a CoolWebSearch (CWS) infestation, but it actually is its own sophisticated criminal little trojan that’s independent of CWS.
This is a very different type of trojan than others, because of how it transmits data back. To our knowledge, it’s the first of its kind.
Note that a software firewall is not a guarantee, due to the way this thing operates (one of the things it does is use RunDLL to execute its commands, which is often allowed by firewall users).
An antispyware or antivirus program will likely not catch it—and to our knowledge, there are none out there that can detect this thing through a scan of the system. We had one infected user we found who was quite sophisticated and ran all kinds of scans with various products, to no avail.
We’re working on a free fix to get out to people which will be ready in the next 24 hours. But really, for the time being, just get a software firewall in place. It really will help block this thing from being able to do anything (with the caveat noted above).
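Two points in the Sunbelt post above lend themselves to a host-side detection check: the trojan uploads its log on a repeating cycle, and it runs its commands through RunDLL, a trusted Windows binary that personal firewalls often let through. The script below is an added example written for this page, not Sunbelt's fix and not code from the article. It correlates process-creation and network-connection records so that outbound connections are attributed to the process that made them, then flags rundll32.exe instances talking to hosts outside an allowlist and reports how regular their connections are. The log format, the field names, the process IDs, the DLL path and the destination addresses are all constructed for the example; the format is only loosely modelled on endpoint telemetry and is not any product's real output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (assumption: invented for this example, not real
# telemetry). Each line is key=value; values with spaces are double-quoted.
SAMPLE_LOG = """\
ts=2005-08-05T10:00:01 type=ProcessCreate pid=1204 image="C:\\Windows\\System32\\rundll32.exe" cmdline="rundll32.exe C:\\Windows\\Temp\\svc.dll,Start"
ts=2005-08-05T10:00:02 type=ProcessCreate pid=1310 image="C:\\Program Files\\Internet Explorer\\iexplore.exe" cmdline="iexplore.exe"
ts=2005-08-05T10:00:05 type=NetworkConnect pid=1204 dest=203.0.113.45:80
ts=2005-08-05T10:00:09 type=NetworkConnect pid=1310 dest=198.51.100.7:443
ts=2005-08-05T10:15:05 type=NetworkConnect pid=1204 dest=203.0.113.45:80
ts=2005-08-05T10:30:05 type=NetworkConnect pid=1204 dest=203.0.113.45:80
ts=2005-08-05T10:31:00 type=ProcessCreate pid=1410 image="C:\\Windows\\System32\\rundll32.exe" cmdline="rundll32.exe shell32.dll,Control_RunDLL"
"""

# key=value where the value is either a quoted string or a run of non-spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Turn key=value lines into dicts; quoted values keep their spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        fields["pid"] = int(fields["pid"])
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        events.append(fields)
    return events


def rundll32_beacons(events, allowlist=frozenset()):
    """Attribute each network connection to its process via the pid seen in
    ProcessCreate, and report rundll32.exe talking to non-allowlisted hosts.

    Returns {(pid, dest): {"cmdline": ..., "count": n, "intervals_s": [...]}}
    where intervals_s are the gaps between successive connections, so a
    fixed upload cycle shows up as a run of equal values.
    """
    images = {}  # pid -> (image path, command line)
    hits = defaultdict(lambda: {"cmdline": "", "timestamps": []})
    for ev in events:
        if ev["type"] == "ProcessCreate":
            images[ev["pid"]] = (ev["image"], ev.get("cmdline", ""))
        elif ev["type"] == "NetworkConnect":
            image, cmdline = images.get(ev["pid"], ("", ""))
            if image.lower().rsplit("\\", 1)[-1] != "rundll32.exe":
                continue
            host = ev["dest"].rsplit(":", 1)[0]
            if host in allowlist:
                continue
            rec = hits[(ev["pid"], ev["dest"])]
            rec["cmdline"] = cmdline
            rec["timestamps"].append(ev["ts"])

    findings = {}
    for key, rec in hits.items():
        ts = sorted(rec["timestamps"])
        intervals = [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
        findings[key] = {
            "cmdline": rec["cmdline"],
            "count": len(ts),
            "intervals_s": intervals,
        }
    return findings


if __name__ == "__main__":
    for (pid, dest), f in rundll32_beacons(parse_events(SAMPLE_LOG)).items():
        print(f"pid {pid} -> {dest}: {f['count']} connections, "
              f"intervals {f['intervals_s']}s; cmdline: {f['cmdline']}")
```

On the constructed input only the rundll32.exe process loading a DLL from a temp directory is reported: three connections to the same host, 900 seconds apart, which is the kind of regular cycle the post describes. The second rundll32.exe instance (a normal Control Panel invocation) makes no connections and is not reported, and the browser's connection is ignored because the check is keyed on the process image, not the destination. Pass known-good hosts in `allowlist` to suppress expected rundll32 traffic.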