Millions of Windows Users at Risk by Massive ID and Bank Account Theft Piggybacking on CoolWebSearch


The implications are staggering. Internet security software company Sunbelt Software was investigating CoolWebSearch, a spyware package, when they noticed that stowing away in the CoolWebSearch download were two trojans, a spam zombie engine, and a keystroke logging program. It was the keylogger program which took their breath away.

The keystroke logging program, undetectable by current anti-spyware and anti-virus programs, was scouring their machine for usernames, passwords, and bank account information, and reporting it back to its mothership. And what a mothership it was. Or, perhaps, motherlode is a better term. Following the keylogger’s trail, Sunbelt’s Patrick Jordan found a massive server, located in Texas, to which thousands of machines infected with the keylogger were reporting back daily. The keyloggers were filling up a log file as fast as they could with usernames, passwords, bank account information, and more. As soon as one log file would get to a certain size, it would be zipped up and another would be opened.

Says Sunbelt’s president, Alex Eckelberry, in his blog, “The types of data in this file are pretty sickening to watch. You have search terms, social security numbers, credit cards, logins and passwords, etc.”

Testing some of the data, they found that they had immediate easy access to personal bank accounts (so far at least 50 banks have been implicated), where they could have readily withdrawn the money (as, undoubtedly, the criminals behind this ring are doing as we speak).

“In a number of cases, we were so disturbed by what we saw that we contacted individuals who were in direct jeopardy of losing a considerable amount of money. One particularly poignant moment was a family in Alabama whom I contacted personally last night and warned them of what was going on. This was a family where the father had just had open heart surgery, and they had very little money. Everything personal was recorded in the keylogger — social security numbers, their credit card, DOBs, login and password info for their bank and credit card companies, etc. We were able to warn them in time before they were seriously hurt,” explained Eckelberry on his blog.


The sheer numbers and magnitude mean that there are thousands of Windows users who have already had their information compromised, and millions who are potentially at risk. Eckelberry says Windows XP which has not had Service Pack 2 applied is particularly vulnerable, and they are testing now to see whether earlier versions of Windows may also be at risk.

Said SpywareWarrior’s Suzi Turner, “I personally saw the site and it made me feel physically ill. It’s one thing to read about such things online or in the newspaper, but to see it live is devastating.”

So what to do?

In an exclusive (and quick!) interview with Aunty Spam, Eckelberry offered this advice:

“I can’t emphasize strongly enough to Aunty Spam’s readers how critical it is that they make sure that they are updated to the latest Windows security patches asap — as getting patched will significantly reduce your chances of getting infected with this trojan.
A software firewall will help but is not a panacea, as one thing this trojan does is use RunDLL to execute its commands — something that is usually allowed by users on firewalls. We will be coming out with a patch in the next 24 hours which will be shared with AV security vendors, so keep your AV program updated. Knowing if you are infected is pretty difficult at this point — we had one user who was very sophisticated and ran a number of scans with various products to no avail. We’ll be posting more information as we dissect this thing and will make it available on our blog as soon as we get it.”

On a side note, Eckelberry says that they contacted the FBI when they first discovered this over the weekend, and the FBI is now actively on the case. However, to the best of my knowledge, the server is still up, and keyloggers, perhaps on your computer, are still reporting back to the mothership.

Update: A tool to find and remove this keylogging trojan has been announced, reported, and linked here.


4 thoughts on “Millions of Windows Users at Risk by Massive ID and Bank Account Theft Piggybacking on CoolWebSearch”

  1. The management and programming staff responsible for CoolWebSearch should be sentenced to ten years in a federal prison without opportunity for parole, and fined $100K each. Things like CoolWebSearch may prove in the long run to seriously damage user Internet usage and growth. I’m at the point whereby I don’t trust any software.

  2. Amazing, isn’t it. The FBI and CIA cannot find terrorists, secure our borders and now let a website like that run for days after they were notified. Just whose family members are involved with it?

  3. When you say “Testing some of the data, they found that they had immediate easy access to personal bank accounts (so far at least 50 banks have been implicated)”, are you saying that the banks’ computers have been infected or that info from 50 personal users showed accessible info at 50 banks? If it is the banks whose info has become infiltrated and since detection of this insidious trojan is seemingly impossible, can we get a list of the 50 known banks whose information has been compromised?

  4. From your description of this nasty, I have an added concern for which I think the answer may be crucial.
    Is this puppy just a keylogger, or does it scour the autocomplete sections of the registry, too?
    I try to be thorough in my efforts for clients and, since the only good approach these days is to be proactive before infestation strikes (an ethic I wish was far more widespread in the IT industry), the answer to this question has a major effect on my activities.
