CoolWebSearch: Extremely Dangerous Spyware!
Patrick Jordan, a researcher at Sunbelt Software, discovered a major identity theft ring while testing a machine infected with the CoolWebSearch (CWS) spyware application. Jordan found that the machine he was testing had become a spam zombie, and he noticed a call back to a remote server. He traced the remote server and found an incredibly sophisticated criminal identity theft ring. The server itself is located in the U.S., but the domain is registered overseas (in China). Sunbelt Software contacted the FBI, and they are now working on the case.
There is a keylogger file involved with this exploit that grows and grows until it is sent off to the remote server, and then the cycle begins again. As the company began to research other infected machines, they found that the data contained in this keylogger file was very disturbing: IM chat sessions, search terms, social security numbers, credit cards, logins and passwords, etc. It was so bad that Sunbelt Software contacted some people personally to warn them. In the case of one particular family, where the father had just been through open heart surgery, the file contained social security numbers, their credit card, DOBs, login and password info for their bank and credit card companies, etc. The family had very little money and could have been devastated had they not been warned.
Sunbelt cannot confirm that this exploit is directly related to the CWS spyware program, but I wouldn’t be surprised if it was. CWS is a notoriously difficult-to-remove software program. Sunbelt’s recommendation to anyone concerned about what to do was this: get a software firewall. NOW. I would recommend ZoneAlarm. They offer a software firewall that’s free for personal use. If you have yet to install a software firewall, there is no time like the present!

Thanks for keeping tabs on “big brother” and “oh brother.”
It’s amazing how many different entities are keeping tabs on us…
Wow! Very scary!
Good thing I had ZoneAlarm installed before they made that discovery... although, hmm... points for me, for I do not use my credit card online. I'm gonna help spread the news, though. Thanks for the info!