

Coolwebsearch = Spyware = Identity Theft


posted on Aug, 8 2005 @ 04:33 PM
There are those of you out there who know Coolwebsearch spyware. You know it to be a very sleazy and deeply ingrained spyware that is extremely difficult to completely remove.

It now looks to be an Identity theft operation too.

Antispyware firm warns of massive ID theft ring

Sunbelt Software, a vendor of antispyware tools, said the company stumbled upon a massive ID theft ring that is using a well-known spyware program to break into and systematically steal confidential information from an unknown number of computers worldwide.

The operation was discovered yesterday during research Sunbelt was doing on a spyware program belonging to a particularly dangerous class of browser hijacking tools called CoolWebSearch (CWS).

The CWS variant being researched by Sunbelt turned infected systems into spam zombies and uploaded a wide variety of personal information to a remote server apparently located in the U.S. That server holds a "treasure trove of information" for ID thieves, Eckelberry said.

Sunbelt's research showed that the information being uploaded to the remote server included chat sessions, user names, passwords and bank information, he said. The bank information included details on one company bank account with more than $350,000 in deposits and another belonging to a small California company with over $11,000 in readily accessible cash, he said.

The FBI has been contacted and is working on the case, Eckelberry said. In addition, Sunbelt has contacted some of the individuals and banks whose data has been logged to warn them of the compromise.

The domain of the remote server appears to have been registered in China, although the server itself is located in the U.S., Eckelberry said. "We are working to get that server taken down."

More on the identity theft ring

The scale is unimaginable. There are thousands of machines pinging back daily. There is a keylogger file that grows and grows, and then is zipped off and then the cycle continues again (note that while thousands of machines are pinging back, the amount that are being logged into the keylogger file is less than that, but still significant). The server is in the US, but the domain is registered to an offshore entity.

The types of data in this file are pretty sickening to watch. You have IM chat sessions, search terms, social security numbers, credit cards, logins and passwords, etc.

People who ask me what to do get a simple answer: Get a software firewall in fast. Just any decent free one will do the job.

posted on Aug, 8 2005 @ 05:03 PM
What, you mean there is no honor among thieves?
I have long warned my friends / family and customers of the dangers of this "tool".
Maybe now they will take heed.

posted on Aug, 8 2005 @ 06:07 PM
Man, we just finished cleaning this off one of our poor users' machines at work.
By cleaning it off... I mean we copied his data, reformatted, and re-installed.
It's a nasty one... VERY hard to remove... and depending on the variant, it's better just to do what we did rather than rely on any anti-spyware product, as good as they may be. This literally happened about an hour ago.

Thanks for the links, I will be forwarding this on, to my "poor user" LOL

posted on Aug, 8 2005 @ 06:58 PM
I just found a Slashdot thread on it here...

There's also lots of info on how to clean this up and protect yourself.

posted on Aug, 9 2005 @ 11:06 PM
Thanks Gools,

I have 2 new pieces of info on this.

1. It is not CoolWebSearch after all. It was discovered during a CoolWebSearch infestation. This means that CoolWebSearch probably pointed the infected PC at a web page that installed the keylogger, but the keylogger is not CoolWebSearch.

from here
This keylogger is not CoolWebSearch. It was discovered during a CoolWebSearch (CWS) infestation, but it actually is its own sophisticated criminal little trojan that’s independent of CWS.

2. Unfortunately, there is nothing that will detect or clean this one yet.

from here
This is a very different type of trojan than others, because of how it transmits data back. To our knowledge, it's the first of its kind.

Note that a software firewall is not a guarantee, due to the way this thing operates (one of the things it does is use RunDLL to execute its commands, which is often allowed by firewall users).

An antispyware or antivirus program will likely not catch it—and to our knowledge, there are none out there that can detect this thing through a scan of the system. We had one infected user we found who was quite sophisticated and ran all kinds of scans with various products, to no avail.

We're working on a free fix to get out to people which will be ready in the next 24 hours. But really, for the time being, just get a software firewall in place. It really will help block this thing from being able to do anything (with the caveat noted above).

posted on Aug, 9 2005 @ 11:46 PM
I got that stupid thing a few months ago without my noticing. This thing was nasty. I had to go into safe mode and remove it. It took hardcore detective work in order to find its file in my system. My Internet Explorer 6 was ruined because it damaged the core files upon removal, and I had to revert to Netscape. I had to format the hard drive to repair the damage. After that I bought a firewall and never had a problem since.

posted on Aug, 10 2005 @ 11:03 PM
They are calling it Srv.SSA-KeyLogger. It is a backdoor program that, among other things, secretly steals data from users' internet sessions, including logins and passwords from online banking sessions, eBay, PayPal, and other programs that use HTML forms to collect personal information. It is a new variant of a family of existing trojans generally known as Dumaru or Nibu.

The keylogger executable is winldra.exe.

– It turns off the Windows firewall.
– It steals data in the IE Protected Storage area.
– It steals data from the Windows clipboard.
– It steals logins and passwords from a number of programs, including WebMoney, Far Manager and Total Commander.
– It modifies the hosts file to stop access to Trend Micro, Etrust/Computer Associates, AVP, Kaspersky, F-Secure, etc.

They say that they have put out a stand-alone detection and removal tool, but all I can find is the 30-day demo download of their spyware remover (it does have the definitions to detect and remove this).

[edit on 10-8-2005 by makeitso]
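One of the behaviours listed above, rewriting the hosts file so the machine can no longer reach antivirus vendors, is something a defender can check for directly. The script below is an added example and not code from the thread or from Sunbelt; it parses a constructed sample hosts file and flags any entry that pins a security-vendor hostname to a sinkhole address (loopback or 0.0.0.0) or redirects it elsewhere. The vendor keyword list is an assumed watchlist built from the vendors the post names.

```python
# Assumed watchlist of vendor name fragments, taken from the vendors the post
# says the trojan blocks. Substring matching is deliberately loose; tune it
# for your environment (e.g. add your EDR vendor, drop short tokens).
VENDOR_KEYWORDS = ("trendmicro", "kaspersky", "f-secure", "avp", "etrust", "ca.com")

# Addresses that make a hosts entry effectively a block rather than a redirect.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample hosts file: a clean default plus tampered entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# internal build server, legitimately pinned
10.0.0.5\tbuild.corp.example   # comment after entry
127.0.0.1  www.trendmicro.com
127.0.0.1  www.kaspersky.com kaspersky.com
0.0.0.0    f-secure.com
192.0.2.10 www.avp.com
"""

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each active entry in hosts-file text.
    Handles tab/space separation, blank lines and '#' comments (full-line or trailing)."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:          # an address with no hostname is not an entry
            continue
        yield n, parts[0], parts[1:]

def find_vendor_tampering(text):
    """Return (line_no, ip, hostname, kind) for every vendor host the file maps.
    Any explicit mapping for a vendor host is suspicious: a default hosts file
    has none. Sinkhole addresses are reported as 'blocked', anything else as
    'redirected' (which could also mean interception of update traffic)."""
    findings = []
    for n, ip, hosts in parse_hosts(text):
        for host in hosts:
            h = host.lower()
            if any(k in h for k in VENDOR_KEYWORDS):
                kind = "blocked" if ip in SINKHOLE_IPS else "redirected"
                findings.append((n, ip, h, kind))
    return findings

def scan_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Run the check against a real hosts file (default is the usual Windows path)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_vendor_tampering(fh.read())

if __name__ == "__main__":
    for line_no, ip, host, kind in find_vendor_tampering(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} ({kind})")
```

A clean Windows hosts file should produce no findings at all, so any hit is worth a look even before checking which address it points to.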

posted on Aug, 12 2005 @ 02:19 PM
Here's a good tool that does nothing but deal with CoolWebSearch. It is now owned and maintained by Trend Micro.
