
Spyware Based ID Theft Ring Uncovered

Zonk posted more than 9 years ago | from the dirty-pool dept.

Security 143

phaedo00 wrote to mention an Ars Technica article discussing a massive identity theft ring uncovered by security software firm Sunbelt. From the article: "According to one of their employees, Alex Eckelberry, during the course of one of their recent investigations into a particular Spyware application--rumored to be called CoolWebSearch--they've discovered that the personal information of those 'infected' was being captured and uploaded to a server."


143 comments


Bound to happen eventually (2, Insightful)

magicchex (898936) | more than 9 years ago | (#13258765)

Not surprising. Also, this is one spyware app I find almost every time I "fix" someone's computer. It's very widespread among those who are idiots with their security.

Re:Bound to happen eventually (1)

sound+vision (884283) | more than 9 years ago | (#13258800)

CoolWebSearch does seem to be one of the more prevalent infections, like the flu.

Re:Bound to happen eventually (1)

CdBee (742846) | more than 9 years ago | (#13258833)

Concur. It's widespread in the UK too.

That said, we Brits have a reputation for being heavily infected, as our ISPs don't do what a lot of US ISPs consider standard practice, and either issue a router or block RPC ports 135-139 and 593.

I'm surprised that so common an infection could be linked to organised crime and nobody realised until now, though. I think I'll go and hit all my MSN communities with a warning about this...

Re:Bound to happen eventually (0, Troll)

Dunbal (464142) | more than 9 years ago | (#13258919)

That said, we brits have a reputation for being heavily infected,

Not as much as Africa. Oh wait, what infection are we talking about here?

Re:Bound to happen eventually (1)

michael186 (827808) | more than 9 years ago | (#13259458)

Oh wait, what infection are we talking about here? Harsh but true.

Re:Bound to happen eventually (1)

notsoanonymouscoward (102492) | more than 9 years ago | (#13258868)

Yup. And it's a pain in the @$$ to fully remove. You basically have to drop into safe mode to fully rip that sucker out.

Re:Bound to happen eventually (4, Informative)

CaptnMArk (9003) | more than 9 years ago | (#13258936)

LOL

It is funny how many people run anti virus and anti spyware software to clean up the mess while viruses and spyware might be still running on their machines.

The only correct procedure is to boot from CD (or other read-only media), or perhaps move the disk to another machine, being very careful not to run anything from it.

Then you verify hashes of all non-data files against known good values (easier said than done).

Handling messy file formats where code and data are mixed (Word, Excel and to some extent HTML) is problematic too.

Of course, an OS that can be actually booted from CD and has a real packaging system makes this much easier.
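The offline check described in this post, as an added example (my own code, not from the thread): it assumes the suspect disk is mounted read-only under a path the caller supplies, and that the known-good values come from a sha256sum-style manifest, a format chosen here rather than anything the post specifies.

```python
"""Offline integrity check of a mounted (not booted) system tree against a
known-good hash manifest.

Added example, not from the Slashdot thread. Assumptions: the suspect disk is
mounted read-only from a clean boot environment, and the manifest format
(one "<sha256>  <relative path>" per line, as sha256sum prints) is a choice
made here, not something the thread specifies.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read large binaries in 1 MiB pieces


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines '<hex>  <relpath>' into {relpath: hex}."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        if len(digest) != 64 or not rel:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        expected[rel.replace("\\", "/")] = digest.lower()
    return expected


def verify_tree(root: Path, expected: dict,
                code_suffixes=(".exe", ".dll", ".sys", ".ocx")) -> dict:
    """Compare every code file under root against the manifest.

    Returns lists keyed 'ok', 'modified', 'missing' and 'unexpected'.
    'unexpected' (code files on disk but absent from the manifest) is the
    bucket that matters in a spyware hunt: a dropped DLL or BHO lands there.
    Data files are skipped; the mixed code/data formats the post mentions
    (Office documents, HTML) are not handled here.
    """
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    seen = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in code_suffixes:
                continue
            rel = p.relative_to(root).as_posix()
            seen.add(rel)
            if rel not in expected:
                report["unexpected"].append(rel)
            elif sha256_of(p) == expected[rel]:
                report["ok"].append(rel)
            else:
                report["modified"].append(rel)
    report["missing"] = list(set(expected) - seen)
    for bucket in report.values():
        bucket.sort()
    return report


def demo() -> dict:
    """Build a constructed miniature 'system tree' and manifest, then verify it."""
    root = Path(tempfile.mkdtemp())
    (root / "system32").mkdir()
    good = {"system32/kernel.dll": b"known good image",
            "system32/shell.exe": b"another known good image"}
    for rel, data in good.items():
        (root / rel).write_bytes(data)
    manifest = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {rel}"
                         for rel, d in good.items())
    # A file the manifest lists but which is not on disk (constructed).
    manifest += "\n" + hashlib.sha256(b"never shipped").hexdigest() + "  system32/absent.sys"
    # Simulate the infection: one shipped file patched, one new file dropped.
    (root / "system32/shell.exe").write_bytes(b"another known good image + hook")
    (root / "system32/dropped.dll").write_bytes(b"constructed spyware payload")
    return verify_tree(root, parse_manifest(manifest))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket:>10}: {paths}")
```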

Re:Bound to happen eventually (1)

petermgreen (876956) | more than 9 years ago | (#13259726)

Agree, it's best practice to scan from outside the infected environment if possible, but it's often not very feasible with Windows.

Also, most of the problems on Windows are well-known viruses. Cleaning up what you believe is a deliberate attack on YOUR system would obviously justify far more care.

You make it sound more complicated than it is.. (1)

msimm (580077) | more than 9 years ago | (#13259820)

I'm still a little surprised that UBCD for Windows [ubcd4win.com] (it's a full-featured Windows boot disk creation toolset) hasn't caught on more than it has.

I'm assuming you're trying to be silly even mentioning hash checking, because that would be overkill for the average desktop user (but certainly something you'd have already done on a production system, and there are plenty of tools for that already).

Just the boot disk should do fine for most people's needs: from it run your AV (it's always a good idea to run a second scan using another program; 3 were provided last time I checked) and run your AW scan (I don't recall if it includes more than one). Another good idea is running a tool like Cexx's LSPFix [cexx.org], which can be used to remove unwanted software directly from your TCP/IP stack (which of course means if you don't know what you're doing you can ruin your stack).

99% of the average computer user's problems can be solved with that toolset alone.

Of course you're right, the correct procedure does start with shutting down the compromised system, but after that most Windows users can stick to a road more frequently traveled. :)

Re:Bound to happen eventually (1)

WindBourne (631190) | more than 9 years ago | (#13258958)

I would assume that all spyware is actually uploading info. What does it matter whether they do it directly or indirectly? Given that something was written to indirectly infect you, you know they are up to no good.

What is amazing is that people accept that as being ok.

Re:Bound to happen eventually (1)

TheSpoom (715771) | more than 9 years ago | (#13259715)

This is *the* spyware program right now. It used to be Gator (as that was included with Kazaa and many other popular programs) but CoolWebSearch has, at last glance (I no longer do tech support for a living), vastly surpassed it for number of infected PCs.

If you happen to be in the unfortunate majority infected by it, download CWShredder [intermute.com] (free) to get rid of it, then get something like Ad-Aware [lavasoft.de] to get rid of anything else you might have gotten along with it (as spyware often gets installed in packs, so to speak).

By the by, if you'd like to slashdot these people a bit, here's the CoolWebSearch website [coolwebsearch.com] , though I obviously don't condone anything like that. ;^)

You don't have to be an "idiot" for IE vulns (2)

cbreaker (561297) | more than 9 years ago | (#13259789)

I've seen very reasonably "secure" desktops get spyware all the time. Windows firewall, Linksys NAT routers, no admin login, passworded accounts, etc.

There have been so many dozens of IE vulnerabilities that allow software to be installed with *zero* user interaction that it doesn't take a security "idiot" to get smacked by these things.

CoolWeb Search? (1)

slicenglide (735363) | more than 9 years ago | (#13258766)

Dude, that is so not cool.

Re:CoolWeb Search? (1)

Nom du Keyboard (633989) | more than 9 years ago | (#13258792)

I have been smacked in the ass 0 times for posting incorrect information.

Is that 0 times today so far?

Re:CoolWeb Search? (1)

slicenglide (735363) | more than 9 years ago | (#13258815)

Haven't been smacked yet... so, today, yesterday, and in a long time.

Re:CoolWeb Search? (0)

Anonymous Coward | more than 9 years ago | (#13258796)

Where are those Russian anti-spammers when you need them?

Re:CoolWeb Search? (2, Insightful)

Dachannien (617929) | more than 9 years ago | (#13258857)

As a general rule, spyware apps have the lamest titles ever to grace a program. Run Spybot S&D - it lists the name of each piece of software as it looks for them, and every last one of them has a stupid name.

CWS (2, Interesting)

IconBasedIdea (838710) | more than 9 years ago | (#13258774)

This is something that has been around for years, no? I haven't run windows in 3 years, but I remember removing CWS many, many times over the years...

Re:CWS (1)

jdwest (760759) | more than 9 years ago | (#13258818)

It was a CWS infection in July 2003 that made me realize I was working for my computer, instead of the other way around. That one piece of malware did more to make me appreciate Linux and OS X than any MS marketing material could ever hope to overcome.

Re:CWS (1, Insightful)

MrShaggy (683273) | more than 9 years ago | (#13259059)

I agree with the other responder. It's why I jumped back into Linux as a home machine. It had become a daily thing. Run 2 hours a day of scans. I was on a Win2k box. I haven't had any such problems since.

If I didn't know any better I'd think that MS leaves things like that unpatched to force you to upgrade to the latest and greatest.

Re:CWS (1)

fbjon (692006) | more than 9 years ago | (#13259803)

I wish I could share your experience, kind of. I've never encountered a bad infection on any machine I've owned. My Windows machines don't really crash that often, and work rather nicely. I'd like some incentive to switch.

Speaking of which, does anyone know of a good tracker (modern, full-featured, MIDI, arbitrary channels, like Renoise) for Linux?

Re:CWS (0)

Anonymous Coward | more than 9 years ago | (#13259876)

Have you looked at SoundTracker http://www.soundtracker.org/ [soundtracker.org] ?

Re:CWS (0)

Anonymous Coward | more than 9 years ago | (#13259952)

Maybe he meant one that's not 20 years old when he said "modern"!

Oh Really? (1)

Nom du Keyboard (633989) | more than 9 years ago | (#13258776)

One can only speculate about why someone would do such a thing

That's about as dumb a statement as I can expect to see in print this week. We know why someone would do it. Information is valuable in many different ways. Get a clue!

Re:Oh Really? (0)

Anonymous Coward | more than 9 years ago | (#13258842)

I'm fairly certain that was a tongue-in-cheek stab at journalistic impartiality. You know, innocent until proven guilty and all that jazz...

Really (0, Flamebait)

Saeed al-Sahaf (665390) | more than 9 years ago | (#13258890)

I'm fairly certain that was a tongue-in-cheek stab at journalistic impartiality.

And it sounded like it came from the pompous ass of Comic Book Man. Some people just need to get over themselves.

hmm... (0)

Anonymous Coward | more than 9 years ago | (#13258779)

Gotta love em.

Thanks Bill! (-1)

Anonymous Coward | more than 9 years ago | (#13258782)

Thanks Mr. Gates!

bounty hunters (1)

ILKO_deresolution (352578) | more than 9 years ago | (#13258793)

i want some cash

Wow... (2, Funny)

HyperShadowDC (841714) | more than 9 years ago | (#13258795)

I have had to delete this numerous times on my parents' computers... I'm gonna have to go and make sure it's still not on there.

Re:Wow... (1)

azrane2005 (860037) | more than 9 years ago | (#13259313)

I'm gonna have to go and make sure it's still not on there.

Give a man a fish, and he eats for a day, teach a man to fish, and he eats for a lifetime.

been around for years... (1)

cmaxwell (868018) | more than 9 years ago | (#13258799)

Didn't the old Prodigy service (a competitor to Compuserve, in the days before AOL) get a bad rap for a similar offense? Grabbing personal info and uploading it back to the Borg?

Re:been around for years... (1)

EvilMonkeySlayer (826044) | more than 9 years ago | (#13258926)

The Borg are now into stealing personal information?

Man, ever since Braga and Berman got their hands on the franchise it's been nothing but downhill!

Now they've got the Borg stealing people's personal information.

Re:been around for years... (1)

Detritus (11846) | more than 9 years ago | (#13258962)

Prodigy got in trouble because people found personal information inside its cache files. It turned out that the only reason that information was present was because prodigy's software didn't initialize the contents of the cache files when they were created. They contained whatever random junk that had been left behind by other software. They weren't spying on their users.

Re:been around for years... (1)

Mister Transistor (259842) | more than 9 years ago | (#13259724)

That, and the other big black eye they got in the public opinion was for editing and deleting forum posts that had any anti-Prodigy sentiment or were complaining about the censoring of posted content.

I think there were even an/some court case(s), and IIRC it was decided that since they run a private forum they can edit any content they want to, and your "speech" there is not 1st Amendment protected. That was about the same time it started to dawn on most people that email and such on other people's systems or business networks is NOT PRIVATE nor protected in any way.

P.S. Love your nick - reminds me of:

Q. What do you call the little pieces of automobiles you find on the side of the road?
A. Detroitus!

as intended (2, Insightful)

Anonymous Coward | more than 9 years ago | (#13258803)

Isn't this exactly what all spyware does?
Hence the name "spyware".

One by one they fall... (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13258804)

And so it goes. One by one all the Iraq-war insiders who've turned against the war [bbc.co.uk] fall.

Down they go either because of a "suicide" [bbc.co.uk] or, as in the case of Cook, "sudden illness".

The ugly truth behind the whole clusterfuck in Iraq must never be revealed even if it takes organizing terror attacks against your own people and killing those who know too much but have lost faith in the cause.

Fascism is coming.

lets talk (0, Offtopic)

ILKO_deresolution (352578) | more than 9 years ago | (#13258846)

giuiliani cancer in the balls then hillariski.
ummm i stopped tryin to archive all the 2&2
when cnn started deleting all the good old artical.

Re:One by one they fall... (0)

Anonymous Coward | more than 9 years ago | (#13258905)

looney leftist alert What does this have to do with the topic of spyware?

Note: This does not apply to leftist who honestly believe that there is a better way for society to evolve. This applies to those who call themselves leftist because they are so given to hate that they see "W" is worse than the tyrant he has taken out.

GNAA outreach program hailed as an overwhelming su (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13258805)

GNAA Research Division exposes long standing Zionist plot
Impi - Research Division, South Africa.

Due to my extensive research of The Negro archives, I have discovered that the ACTUAL name of the airplane that dropped the atomic bomb on Hiroshima and Nagasaki, was in fact THE ENOLA GAY NIGGER and not, as is widely misrepresented, The Enola Gay. This clear plot, by Zionist oppressors, to besmirch and belittle our glorious Gay Nigger history has left an indelible sense of frustration and desperation on the current generation of our persecuted brothers.

With this in mind: Areems, Fresh from the Counter Strike World Championships (for Mac users), who is stuck in Iraq because no aircraft can accommodate his girth, got a lucky headshot on failed blogger Vincent Stephen.

True to Zionist form, an Ultra Top Secret Wing of MOSSAD, The Jewish Justice League, sprung into action. They concocted a media plot to create the illusion that a disgruntled, never heard of before insurgent group, claimed responsibly for this deed.

Conspiracy theorists among the Negro population have evidence that this type of persecution of The Gay Niggers is due to the fact that most Israeli men are secretly attracted to Gay Niggers. Evidence in point is the term coined by Ariel Sharon, a closet Nigger Lover, "Pulling out of the Gaza Strip". It is a widely known and accepted fact that The Gaza Strip is a term of endearment for BLACK ASS.

About The Jewish Justice League

The Jewish Justice League was founded by the mothers and wives of Israel who were concerned that their men were being drawn to the Nigger Seed and away from their wives.

About Areems

Fat.


About GNAA:
GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the first organization which gathers GAY NIGGERS from all over America and abroad for one common goal - being GAY NIGGERS.

Are you GAY [klerck.org] ?
Are you a NIGGER [mugshots.org] ?
Are you a GAY NIGGER [gay-sex-access.com] ?

If you answered "Yes" to all of the above questions, then GNAA (GAY NIGGER ASSOCIATION OF AMERICA) might be exactly what you've been looking for!
Join GNAA (GAY NIGGER ASSOCIATION OF AMERICA) today, and enjoy all the benefits of being a full-time GNAA member.
GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the fastest-growing GAY NIGGER community with THOUSANDS of members all over United States of America and the World! You, too, can be a part of GNAA if you join today!

Why not? It's quick and easy - only 3 simple steps!
  • First, you have to obtain a copy of GAYNIGGERS FROM OUTER SPACE THE MOVIE [imdb.com] and watch it. You can download the movie [idge.net] (~130mb) using BitTorrent.
  • Second, you need to succeed in posting a GNAA First Post [wikipedia.org] on slashdot.org [slashdot.org] , a popular "news for trolls" website.
  • Third, you need to join the official GNAA irc channel #GNAA on irc.gnaa.us, and apply for membership.
Talk to one of the ops or any of the other members in the channel to sign up today! Upon submitting your application, you will be required to submit links to your successful First Post, and you will be tested on your knowledge of GAYNIGGERS FROM OUTER SPACE.

If you are having trouble locating #GNAA, the official GAY NIGGER ASSOCIATION OF AMERICA irc channel, you might be on a wrong irc network. The correct network is NiggerNET, and you can connect to irc.gnaa.us as our official server. Follow this link [irc] if you are using an irc client such as mIRC.

If you have mod points and would like to support GNAA, please moderate this post up.


It does WHAT? (3, Interesting)

BandwidthHog (257320) | more than 9 years ago | (#13258809)

Let's see how much attention this gets in middle America. The level of histrionics will be a good indicator of what proportion of the public was consciously aware that spyware actually, you know, spies on you.

Re:It does WHAT? (1)

Nom du Keyboard (633989) | more than 9 years ago | (#13258825)

WARNING: This post may contain material on Gravity. Universal Gravity is a theory, not a fact.

Re:It does WHAT? (1)

BandwidthHog (257320) | more than 9 years ago | (#13258941)

Heh. I'd chuckled at your current .sig when I saw it around, but never made the connection. Here's a sneak preview of next year's model. [slashdot.org]

How is this news? (2, Informative)

I.M.O.G. (811163) | more than 9 years ago | (#13258834)

CWS has been around and is greatly prevalent... There are very well developed tools to remove infections also, as manual removal of this one is VERY complicated.

You can download the original removal tool here (no longer updated): http://www.majorgeeks.com/download4086.html [majorgeeks.com]

You can download the currently maintained removal tool here, as InterMute took over development from Merijn and was acquired by Trend Micro: http://www.majorgeeks.com/Trend_Micro_CWShredder_d3019.html [majorgeeks.com]

"removal" tools (1)

zippthorne (748122) | more than 9 years ago | (#13259896)

How do we know that the removal tools don't actually install more spyware, or simply hide the existing spyware better?

Re:"removal" tools (2, Insightful)

I.M.O.G. (811163) | more than 9 years ago | (#13259958)

Lots of factors, just like RL. Compare going to a jewelry store to going to a pawn shop - there are recognizable differences when you look at them. In the same way, you have to evaluate the author and the source. With Trend Micro, it's very easy to see that they are a reputable company. Previously, when Merijn was working on the tool, you would have had to know something about him, what other reputable people who used the tool said, and the nature of the site the download was coming from. You'll notice my links are from majorgeeks, who supply a lot of downloads; some of the tools they supply are great, some are marginal, but all are clean and the site is maintained well if problems are found with any files.

Misinformation? (4, Informative)

LFS.Morpheus (596173) | more than 9 years ago | (#13258836)

If you RTFA, you find that what they really found was that CoolWebSearch (or, more accurately, one of its variants) sends sensitive information to a server. There is no information that they have uncovered a "massive ring" of people involved. They have contacted the FBI and they'll be responsible for finding those responsible.

I did some research on CoolWebSearch (or "CWS") which is a pretty common spyware app, and it seems there are tons of variants. The majority of these apps are designed to get you to coolwebsearch.com in order to create affiliate money for the variant's creator - or at least that was the original idea. My guess is that only some of these variants capture privacy information.

More information on CWS is available from:
http://en.wikipedia.org/wiki/CoolWebSearch [wikipedia.org]
http://www.google.com/search?q=CoolWebSearch [google.com]

No! NO! Don't look at these facts! Boycott info! (-1, Troll)

Anonymous Coward | more than 9 years ago | (#13258859)

FENT FENT FENT [pornfromharry.com]

CmdrTaco must repent!

FENT FENT FENT! [pornfromharry.com]

CmdrTaco must repent!

Get off the hoochie, CmdrTaco! Slashdot is dying!


Re:Misinformation? (0)

Anonymous Coward | more than 9 years ago | (#13259693)

They have not heard back from the FBI, but since they posted their findings to a blog, and it gets Slashdot coverage, the criminals stealing personal information have been properly alerted.

In other words, don't bother. Sunbelt blew it for law enforcement. Good job, guys.

CWS claimed "affiliates" do it... (4, Informative)

Tuxedo Jack (648130) | more than 9 years ago | (#13258837)

But they're basically commissioning it with their PPC search engine model.

Also, if you've not read up on CWS and what they do - and how they do it - read this:

http://merijn.org/cwschronicles.html [merijn.org]

Merijn's the original developer of CWShredder, and while his recording of CWS stops at the original about:blank strain, that's enough to tell you what kind of scum pull this.

Disclaimer: I use CWShredder in my work on SpywareInfo's antispyware boards.

Re:CWS claimed "affiliates" do it... (1)

loraksus (171574) | more than 9 years ago | (#13258900)

Let's not forget that the writers of CWS have placed several pages on the Internet that say that Merijn was the creator, in an apparent attempt to flood his inbox with complaints.

Re:CWS didn't do it... (1)

darkonc (47285) | more than 9 years ago | (#13259358)

It wasn't done by CWS, it was done by someone pretending to be them.

It took this long why? (1)

llamaguy (773335) | more than 9 years ago | (#13258838)

C'mon. This has been around for years. Has no one ever happened to turn on a packet sniffer or something while CoolWebSearch was active and seen some dodgy traffic? And CWS is pretty well known. I'd bet it's been deconstructed at least once. And if someone's taken the time to reverse-engineer it, I'm sure they'd look through the code they got back, and notice that there were some socket writing subroutines.

Pedantic comment (1, Funny)

SA Stevens (862201) | more than 9 years ago | (#13258840)

How can it be called ID Theft if the original owner still has his identity?

Re:Pedantic comment (4, Funny)

Dunbal (464142) | more than 9 years ago | (#13258877)

How can it be called ID Theft if the original owner still has his identity?

You're right. It sounds more like ID Piracy, arr arr...! That's good, everyone knows the penalties for piracy are much steeper than those for theft...(ducking).

Re:Pedantic comment (0)

Anonymous Coward | more than 9 years ago | (#13258992)

Besides, who'd steal Intelligent Design?

Re:Pedantic comment (1)

grassy_knoll (412409) | more than 9 years ago | (#13259635)

That's good, everyone knows the penalties for piracy are much steeper than those for theft...(ducking).

And pirates are very easy to detect!
if (-e $parrot) {
    arrest_pirate();
}
[badum-ching]

Re:Pedantic comment (0)

Anonymous Coward | more than 9 years ago | (#13258899)

You know, this troll gets more tired every time I see it.

Re:Pedantic comment (1)

Dunbal (464142) | more than 9 years ago | (#13258934)

Imagine a beowulf cluster of trolls...

Re:Pedantic comment was not a troll. (1)

arbitraryaardvark (845916) | more than 9 years ago | (#13259138)

How can it be called ID Theft if the original owner still has his identity?
Parent post is not a troll; it identifies the main error in the article.
What happened is that some spyware harvested very personal info about some people. That's bad, possibly criminal. But it's not identity theft.
Identity theft occurs when somebody takes the personal information and uses it to pose as you, draining your bank account, sleeping with your girlfriend, or in some way abusing the illicit information. There's no direct evidence of that here.
It's the old Kevin Mitnick scenario: breaking into a system and wandering around is not the same crime as breaking into a system and changing or destroying files, which is not the same crime as breaking into a system and using the info to commit real-world crimes such as wire fraud or embezzlement.
Article is FUD.
Spyware is bad. This spyware is bad.
People should avoid broken browsers, e.g. Microsoft's, and run Spybot/Ad-Aware type sweepers.
Lying about the problem won't help fix it. Mod parent up.

Duh... it's spyware (1)

dbamps (802420) | more than 9 years ago | (#13258845)

Oh wait, they stole passwords and such too... Nice, maybe this will make things more clear for some people:

spyware = criminals

Re:Duh... it's spyware (1)

slackingme (690217) | more than 9 years ago | (#13259924)

How fucking dare you. These companies are out there trying to expand your search horizons in exchange for some information here and there (SSNs, bank account numbers, phone numbers, names, passwords..) and you call them CRIMINALS?

The real criminals are those young punk hackers running around all disorganized, looking at your files here and there, and not MAKING ANY PROFIT. Imagine that--THEY AREN'T PROFITING. Obviously a sign of more malicious deeds than these upstanding capitalists.

So remember: Spyware is "spyware" only when a company designs and executes its distribution; it's only a crime when HACKERS do it for FUN.

Hang them from lamp posts (3, Interesting)

loraksus (171574) | more than 9 years ago | (#13258874)

CoolWebSearch is among the most - if not the most - annoying, underhanded, and pain-in-the-ass-to-remove spyware apps out there.
Not only were most people infected via a security exploit in MS Java, they constantly release updates that break or modify spyware removal programs and Windows utilities such as msconfig and regedit, as well as blocking the sites on which the removal tools are hosted.

I have no problem with the book being thrown at these punks.

Windoze (1)

daviq (888445) | more than 9 years ago | (#13258897)

And this is why you should use a better OS than Windoze, as there is no spyware, and therefore no ID theft or processor-consuming programs.

Re:Windoze (1)

Allison Geode (598914) | more than 9 years ago | (#13259291)

Yeah, there's also no "software" on those "better operating systems." Some of us enjoy our games, and our mainstream applications that we use at work, and don't have the time, money, or patience to build a second box for that purpose. Wouldn't it be better if these idiots were held responsible for their BS?

Oh, and don't forget the biggest reason those other OSes have less of this crap: there aren't enough users for it to be a worthwhile endeavor. Want viruses, trojans, and spyware on your Linux box, or your Mac? Keep advocating other non-Windows operating systems, and maybe, if large groups of people hear you and migrate, you'll get it. What you have now is "security through obscurity," but when Linux (or Mac, or whatever) becomes the mainstream, you'll see what less-vigilant Windows users have struggled with for years.

The best available solution is a good firewall, good spyware cleaner, good antivirus, and a bit of common sense that, no, you really shouldn't install every neat little gadget without knowing what you're putting in your box. A non-existent, ideal solution would be castrating these jerks who put this crap on other people's computers (which I then have to clean off), or if these people would just learn a way to make money that didn't involve other people's time being wasted... But saying "oh, you should migrate over to this other platform" is not a good answer, because most people don't have the know-how to make another platform work, or they need the software available on the platform they're on.

Re:Windoze (1)

inode_buddha (576844) | more than 9 years ago | (#13259560)

Actually, I agree with you; asshats that make and use spyware should be found and held responsible for it. Same goes for SPAM. That said, I walked away from MS altogether about a decade ago, and I don't think I'm missing very much. They really need to get their design together, IMHO so that shit like this isn't even possible in the first place. Or at least, it should be *much* more difficult to create and use malware.

Re:Windoze (2, Informative)

ettlz (639203) | more than 9 years ago | (#13259615)

OK, OK, calm down. Let me just say that there are many good pieces of software on other platforms. In my line of work, the selection of technical software available for Linux can't be beaten. But there are also a lot of folks out there who like Windows, and its software satisfies their needs. And that's all good.

Now:

the best available solution is a good firewall, good spyware cleaner, good antivirus, and a bit of common sense that, no, you really shouldn't install every neat little gadget without knowing what you're putting in your box.

That's good, but some of these cost money on top of the base operating system. Common sense is a very good defense too, but what's required is computer common sense. A lot of people aren't experienced enough to know all the ins and outs of a system. Furthermore you missed the biggest, most effective shield of all, one that is sorely overlooked by anti-malware forums:

For the love of ... whatever,
use a limited access account.

And no, I'm sorry but "such-and-such program doesn't work with this" is no excuse. There are nearly always routes around it. If not, drop the program. Write to the author and tell them to produce decent code that doesn't require admin privileges for non-administrative tasks.

Couple that with an alternative browser for that extra layer, and the Windows XP firewall blocking all incoming ports, and you should do fine. The worst that could happen is something attempts to infect your user profile (and very little malware, if any, does this, because compromised systems are of more use); in which case, just take off your work and nuke the account. It's not impossible to secure Windows XP, but I think it does require more than common sense.

CWS ain't new (0)

Anonymous Coward | more than 9 years ago | (#13258903)

It's been around for freggin years and it's a very virulent piece of viruspyware; it has about 35 or so versions last time I checked. You can get rid of it by hitting google and looking for an app called "CWShredder" which will remove it.

Make sure you boot into safe mode before running it, heh.

Once again we can thank Microsoft... (1)

Sabathius (566108) | more than 9 years ago | (#13258937)

for the ActiveX technology that makes this Spyware possible.

Good Job doing your part to keep the Internet safe and secure for users.

Re:Once again we can thank Microsoft... (1)

AndroidCat (229562) | more than 9 years ago | (#13259167)

I believe CoolWeb uses exploits in MS's Javascript rather than their ActiveX exploits.

It's unbelievable at times (2, Informative)

Hawthorne01 (575586) | more than 9 years ago | (#13258939)

My Dad bought a new ThinkPad, and before I let him anywhere near it, I spent an hour downloading CWSShredder, Spybot, Ad-Aware, et al before I connected to the 'net. It's been 10 years since I owned a Windows machine, and this was the first one I'd set up since then. It was an eye-opener for me as to just how bad it is out there in the Windows world.

Re:It's unbelievable at times (2, Funny)

rathehun (818491) | more than 9 years ago | (#13259151)

I spent an hour downloading CWSShredder, Spybot, Ad-Aware, et al before I connected to the 'net.
How?

Re:It's unbelievable at times (0)

Anonymous Coward | more than 9 years ago | (#13259508)

Through his subdermal 802.11g connection.

Geez, you think you're a Slashdotter??? :)

Re:It's unbelievable at times (4, Interesting)

Hawthorne01 (575586) | more than 9 years ago | (#13259893)

Downloaded on my Mac, burned to CD, installed on the ThinkPad. Next question.

Re:It's unbelievable at times (1)

blackomegax (807080) | more than 9 years ago | (#13259174)

you could have saved yourself a lot of trouble and just replaced IE with Firefox

Re:It's unbelievable at times (1)

GISGEOLOGYGEEK (708023) | more than 9 years ago | (#13259800)

surprise!

you haven't owned a Windows machine in 10 years and when you finally use one you have a hard time with it. It's not so bad ... just like a newb trying to do ANYTHING with Linux, it's bad because you were ignorant.

now do tell us how you downloaded that software before connecting to the internet.

scary (0)

Anonymous Coward | more than 9 years ago | (#13258975)

In my travels as a freelance geek, the vast majority of trouble calls in the past few years have been spyware related. Over the past three years, I have done over 400 trouble calls and I estimate that a solid 70% of those were for spyware. CWS was almost always in there somewhere. They must have information on literally millions of people...

not to sound cliche, but if more people would run Linux they would not have to worry! :)

One of the very worst.. (4, Interesting)

Dynamoo (527749) | more than 9 years ago | (#13259003)

CoolWebSearch is one of the very most spyware apps that I have to deal with.. it's a pig to remove (sometimes it's just easier to nuke the infected machine and start over) and it installs an alarming amount of Slimeware [slimeware.com] .

Quite apart from the issue of identity theft.. the installation of the software itself is done illegally according to the laws of most countries. Silent drive-by downloads constitute unauthorised access.

HOWEVER.. CoolWebSearch have claimed in the past that these silent drive-by installations were the work of "affiliates" and not CoolWebSearch itself. Personally, I have always suspected that the affiliates were working in this way with the tacit approval of CoolWebSearch.

It's about time somebody got sent to jail for a LONG time for this kind of crap.

Re:One of the very worst.. (0, Troll)

Barbarian (9467) | more than 9 years ago | (#13259029)

It's about time somebody got sent to jail for a LONG time for this kind of crap.

Preferably a LONG, HARD, STIFF time in one of those type of jails.

Update your webfilter or /etc/hosts (3, Informative)

titten (792394) | more than 9 years ago | (#13259020)

Well, this page [spywareinfo.com] lists [spywareinfo.com] all the URLs associated with CWS.

Add these hosts to your webfilter/proxy blocking list:


And/or add 127.0.0.1 before each host, and add those to your /etc/hosts.
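As an added example (not from the post), a small Python helper that turns a comma-separated blocklist like the one the post describes into hosts-file lines. It separates out bare IP addresses, which a hosts file cannot block (only name lookups are redirected; a program that connects straight to an IP never consults it), and rejects malformed entries. The sample list is constructed.

```python
import ipaddress
import re

# Constructed sample in the shape of the post's list: hostnames mixed with a
# bare IP, mixed case, a duplicate and a malformed entry. Not the real list.
SAMPLE_BLOCKLIST = (
    "coolwebsearch.com, WebCoolSearch.com, 193.125.201.50, "
    "coolwebsearch.com, not valid host, web-search.tk"
)

# RFC 1123-style hostname: dotted labels of letters, digits and hyphens,
# no leading/trailing hyphen in a label, at least one dot.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def parse_blocklist(text):
    """Split a comma-separated blocklist into (hostnames, ips, rejected).

    Entries are lower-cased and de-duplicated so the hosts file gets one
    line per name. IPs are returned separately: they need a firewall rule,
    not a hosts entry.
    """
    hosts, ips, rejected = [], [], []
    seen = set()
    for raw in text.split(","):
        item = raw.strip().lower().rstrip(".")
        if not item or item in seen:
            continue
        seen.add(item)
        try:
            ipaddress.ip_address(item)   # raises ValueError if not an IP
            ips.append(item)
            continue
        except ValueError:
            pass
        if HOSTNAME_RE.match(item):
            hosts.append(item)
        else:
            rejected.append(item)
    return hosts, ips, rejected


def hosts_entries(hostnames, sink="127.0.0.1"):
    """Render one hosts-file line per hostname, pointing it at the sink."""
    return [f"{sink} {h}" for h in hostnames]


if __name__ == "__main__":
    names, addrs, bad = parse_blocklist(SAMPLE_BLOCKLIST)
    print("\n".join(hosts_entries(names)))
    print("needs firewall rule:", addrs, "| rejected:", bad)
```

The same output works for a Windows hosts file at the path given in the reply below, since the line format is identical.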

Re:Update your webfilter or /etc/hosts (1)

infectedRoot (901767) | more than 9 years ago | (#13259889)

For those Windoze people, add 127.0.0.1 to C:\Windows\System32\drivers\etc\hosts

(as CWS doesn't run in Linux)

I saw that connection a year ago (4, Interesting)

AndroidCat (229562) | more than 9 years ago | (#13259081)

And posted about a network of sites I found over a year ago on news.admin.net-abuse.email [google.com] when looking at a Scientology management company. I noticed that someone tossed a cancel at my post within a day. (By coincidence, Sunbelt Software is up to its eyebrows in Scientology too.)

Re:I saw that connection a year ago (1)

shift.red.avni (858445) | more than 9 years ago | (#13259229)

Maybe a coincidence, but it is very interesting. Could this be some kind of stealth whistleblowing?

Both Sunbelt and Scientology are headquartered here in Clearwater (I live within walking distance of the Scientology complex), and the IT community isn't so huge that there isn't more than a few degrees of separation between everyone. The Sunbelt researcher very well could have been tipped off.

Re:I saw that connection a year ago (2, Interesting)

AndroidCat (229562) | more than 9 years ago | (#13259350)

I doubt Sunbelt would be involved in stealth whistleblowing. Stealth settling of accounts with some group no longer connected to Co$ would be more their style, but that would be baseless speculation on my part to even suggest such a thing, so I won't.

Sunbelt Software and Linux/Windows TCO (2, Interesting)

whoever57 (658626) | more than 9 years ago | (#13259888)

Is this the same Sunbelt Software that did a study with the Yankee group that resulted in the claim that the TCO of Windows is less than that of Linux? [microsoft-watch.com]

true for the american branch... (0)

Anonymous Coward | more than 9 years ago | (#13259902)

Stu Sjouwerman is the editor of Sunbelt's newsletter and a member of the Scientology church; also, many, many employees of the American branch are members of the church.

I also seem to remember that Sunbelt Software bundled their own "data-mining application" (aka spyware) in the software they resold and distributed on their website (all software for trial download they distributed had a 2Mo bloat over the same software from its editor - that was 2001-2002)...

More money to be made fighting spyware than exploiting it, it seems...

We (my company) met them for a high availability software they distribute.
Their French sales director is such an ass (Oliver Cohen, I think; he put us all to sleep during a PowerPoint presentation, and he seems to be able to drone uninterestingly on the subject for hours....).

Dunno if he's a scientologist...Just sure he's an asshole...

my thoughts on this (1)

eight and a quarter (904629) | more than 9 years ago | (#13259114)

a lot of people ask will middle america wake up to this? the answer is no. there are many kinds of free software available online to combat spyware. there are online services from trendmicro that will scan your machine for viruses and spyware. why not take the time out to do that?

oh wait.. previous slashdot article.. people with spyware infected machines think that their computer is just running slow and it's just time for a new one.

probably in 5 or so years, spyware and virus will usually be in the same sentence, because not a lot of people take it seriously. i believe that a lot of browsers (*cough*IE*cough cough*IE IE*cough*) do very little to stop the spread of spyware. however, microsoft is making slow strides by eating/taking over giant antispyware, who had an awesome product!

basically you need microsoft antispyware, bhodemon (to check for IE BHO's), tcpview from sysinternals, clamwin's free anti-virus scanner, and especially firefox. i don't even have spyware scanners on my desktop anymore since i've stopped using IE.

Let me get this straight (1)

saleenS281 (859657) | more than 9 years ago | (#13259163)

"security" firm sunbelt just now stumbled upon coolwebsearch and discovered it's recording users data? Let's clarify, EVERYONE knows that coolwebsearch is spyware, and has for a long time. Hell, my uncle can barely turn on a computer and he knows CWS is spyware.

Main Entry: spyware
Part of Speech: noun
Definition: any software that covertly gathers information about a user while he/she navigates the Internet and transmits the information to an individual or company that uses it for marketing or other purposes

Even websters knows that "spyware" records personal data. What I'm stuck pondering is why Sunbelt deserves any credit, and why this is news? They didn't discover anything new, it's not a breakthrough. Hell, there's programs out there dedicated solely to removing CWS.

HEADLINE!!!
SPYWARE COLLECTS PERSONAL INFORMATION ON YOU*

*that's why we call it spyware dipshit

Re:Let me get this straight (0)

Anonymous Coward | more than 9 years ago | (#13259265)

They belong to the same mindwash group as Tom Cruise [liquidgeneration.com] , cut them some slack!

Re:Let me get this straight (1)

AndroidCat (229562) | more than 9 years ago | (#13259448)

In fact, Alex Eckelberry [slweekly.com] thinks exactly like Tom Cruise. Who would have figured [xenu.net] that!

Re:Let me get this straight (1)

contagious_d (807463) | more than 9 years ago | (#13259859)

CWS being spyware is nothing new, and the article does seem to contain a lot of scaremongering, but Sunbelt did discover something new: they found the actual stolen/recorded information, including a lot of stuff that is considerably more invasive than surfing habits, real names, etc. And I thought they only made junk food [sunbeltsnacks.com] ...
Sunbelt's blog [blogspot.com] entries [blogspot.com] are, in my opinion, better than the ars article.

One Ring To Steal Them All (0)

Anonymous Coward | more than 9 years ago | (#13259278)

One Ring To Find Them
One Ring To Bring Them All
And To New Body Bind Them
In The Land Of Internet There The SpyWare Lies

I hope nobody trojans (0)

Anonymous Coward | more than 9 years ago | (#13259437)

Xeyes, they see _EVERYTHING_ I do!

Sunbelt Software connected to Scientology? (0)

Anonymous Coward | more than 9 years ago | (#13259546)

Sunbelt is based in Clearwater, Florida and I believe it founder and COO, Stu Sjouwerman, is a big donator to Scientology. Didn't Stu once apologize for the "Mindtech University" spam? I think Stu's connection and fervent belief is documented in Net Wars by Wendy Grossman (NYU Press).

Of course Scientology would never spy on you; all those surveillance cameras in Clearwater are just to keep the Scientologists safe from Spyware. Aren't they?

Re:Sunbelt Software connected to Scientology? (1)

SpacePunk (17960) | more than 9 years ago | (#13259780)

It looks like to me that Sunbelt is trying to cover up Scientology involvement in CWS from the link http://groups-beta.google.com/group/news.admin.net-abuse.email/browse_frm/thread/5548a6300756d6a0/0fac1b5d8ff3f14e#0fac1b5d8ff3f14e [google.com] supplied earlier in the thread.

I can't keep thinking "how convenient." Especially since adware/spyware is coming increasingly under the gaze of the Federal Trade Commission and the Justice Department.

With all those IDs in their hands.... (1)

rubberbando (784342) | more than 9 years ago | (#13259685)

Couldn't they just present someone else's info when arrested?

Then when they get out on bail, skip town.

Then the police would find themselves starting all over again?

I guess the only way that might not work is if the police already have their prints and true identity on file.

But then, the other ID on file might be false too.

Updated information from Sunbelt (4, Interesting)

phaedo00 (143820) | more than 9 years ago | (#13259880)

Hi, I'm the author of the Ars article and the submitter of this story, Alex from sunbelt got back to me with a bit more information:

Basically, it went like this:

Patrick Jordan, our CoolWebSearch expert, was doing research on a CWS exploit. During the course of the research, he discovered that a) the machine he was testing became a spam zombie and b) it sent a call back to a remote server. He traced back the remote server and found what you have heard about.

The scale is unimaginable. There are thousands of machines pinging back in a day. There is a keylogger file that grows and grows, and then is zipped off and then the cycle continues again.

It is sophisticated. There are nifty little PHP scripts that help the criminals get reports. There is a special upload area.

It's really quite sucktastic.
