Cool Web Search

Security Software Veterans Launch Exploit Prevention Labs to Deliver Breakthrough Protection Against Zero-Day Exploits @ SYS-CON Media

2006-05-02T15:22:00.001+00:00

Security Software Veterans Launch Exploit Prevention Labs to Deliver Breakthrough Protection Against Zero-Day Exploits @ SYS-CON Media: "Microsoft and other applications vendors require an average of two months, and sometimes up to six months, to develop patches to fix newly discovered vulnerabilities. During this time period, known as 'the risk window,' Internet users are unprotected against exploits. In December of 2005, for example, the Windows Metafile (WMF) vulnerability was discovered and, within days, cyber-criminals such as the CoolWebSearch gang were distributing drive- by downloads to victims' computers. There even emerged an underground exchange where exploit authors were offering to sell their crimeware code to the highest bidders."

Technology News: Security : Anti-Spyware Pros Launch SocketShield Beta

2006-05-02T15:22:00.000+00:00

Technology News: Security : Anti-Spyware Pros Launch SocketShield Beta: "n December 2005, for example, the Windows Metafile (WMF) vulnerability was discovered and, within days, cyber-criminals such as the CoolWebSearch gang were distributing drive-by downloads to victims' computers. There even emerged an underground exchange where exploit authors were offering to sell their crimeware code to the highest bidders."

Technology News: Security : Anti-Spyware Pros Launch SocketShield Beta

2006-05-02T01:30:00.000+00:00

Technology News: Security : Anti-Spyware Pros Launch SocketShield Beta: "Closing the Risk Window

Microsoft (Nasdaq: MSFT) and other software vendors require an average of two months, and sometimes up to six months, to develop patches to fix newly discovered vulnerabilities. During this time period, known as 'the risk window,' Internet users are unprotected against exploits.

In December 2005, for example, the Windows Metafile (WMF) vulnerability was discovered and, within days, cyber-criminals such as the CoolWebSearch gang were distributing drive-by downloads to victims' computers. There even emerged an underground exchange where exploit authors were offering to sell their crimeware code to the highest bidders.

SocketShield is designed to prevent uninvited access to users' computers during the risk window before the permanent patch can be applied."

Security Software Veterans Launch Exploit Prevention Labs to Deliver Breakthrough Protection Against Zero-Day Exploits

2006-05-01T18:47:00.000+00:00

Security Software Veterans Launch Exploit Prevention Labs to Deliver Breakthrough Protection Against Zero-Day Exploits : "Microsoft and other applications vendors require an average of two
months, and sometimes up to six months, to develop patches to fix newly
discovered vulnerabilities. During this time period, known as 'the risk
window,' Internet users are unprotected against exploits. In December of
2005, for example, the Windows Metafile (WMF) vulnerability was discovered
and, within days, cyber-criminals such as the CoolWebSearch gang were
distributing drive- by downloads to victims' computers. There even emerged
an underground exchange where exploit authors were offering to sell their
crimeware code to the highest bidders.
'It's simply impossible for application vendors to develop instant
fixes for newly-discovered exploits,' said Roger Thompson, co-founder and
chief technical officer of Exploit Prevention Labs. 'It takes weeks or
months for application vendors to release a patch because it must be
thoroughly tested to ensure it doesn't adversely affect the application or
any other application that might be installed on the user's system.
SocketShield prevents exploits from gaining access to users' computers
during the risk window before the permanent patch can be applied.'"

Blog This: � More super rogue anti-spyware | Spyware Confidential | ZDNet.com

2006-01-26T07:26:00.000+00:00

More super rogue anti-spyware by ZDNet's Suzi Turner -- Be on the lookout for another new supposed anti-spyware program that might be hijacking desktops any day now. This one is called PestTrap and it's a clone of SpySheriff. Last week I mentioned ISPs hosting spyware, but where are these CWS related rogue apps being hosted?

US charges 'Botmaster' in unique computer crime

2005-11-06T19:34:00.000+00:00

LOS ANGELES (Reuters) - A 20-year-old man accused of using thousands of hijacked computers, or "bot nets," to damage systems and send massive amounts of spam across the Internet was arrested on Thursday in what authorities called the first such prosecution of its kind.

Jeanson James Ancheta, who prosecutors say was a well-known member of the "Botmaster Underground" -- or the secret network of computer hackers skilled at bot attacks -- was taken into custody after being lured to FBI offices in Los Angeles, said U.S. Attorney's spokesman Thom Mrozek.

A bot is a program that surreptitiously installs itself on a computer and allows the hacker to control the computer. A bot net is a network of such robot computers, which can harness their collective power to do considerable damage or send out huge quantities of spam.

Mrozek said the prosecution was unique because, unlike in previous cases, Ancheta was accused of profiting from his attacks -- by selling access to his "bot nets" to other hackers and planting adware -- software that causes ads to pop up -- into infected computers.

"Normally what we see in these cases, where people set up these bot systems to do, say, denial of service attacks, they are not doing it for profit, they are doing it for bragging rights," he said. "This is the first case in the nation that we're aware of where the guy was using various bot nets in order to make money for himself."

Ancheta has been indicted on a 17-count federal indictment that charges him with conspiracy, attempted transmission of code to a protected computer, transmission of code to a government computer, accessing a protected computer to commit fraud and money laundering.

Ancheta, who was expected to make an initial court appearance late on Thursday or Friday, faces a maximum term of 50 years in prison if convicted on all counts, though federal sentencing guidelines typically call for lesser penalties.

Prosecutors did not name the companies that they said paid Ancheta and said the firms did not know any laws were broken.

Mrozek said Ancheta, who lives in the Los Angeles suburb of Downey, was thought to have made nearly $60,000 from the planted adware, using the money to pay for servers to carry out additional attacks, computer equipment and a BMW.

He said Ancheta was taken into custody after FBI agents called him into their offices to pick up computer equipment that had been seized in an earlier raid.

Among the computers he attacked, Mrozek said, were some at the Weapons Division of the U.S. Naval Air Warfare Center in China Lake, California and at the U.S. Department of Defense.

Webhelper4u - CWS Hackers, Hijackers, and Adware Infesters

2005-10-29T04:42:00.000+00:00

Webhelper4u - CWS Hackers, Hijackers, and Adware Infesters: " Sept 10 2005 Webhelper Complete CWS works in MS Office Excel format
700KB in Size"

CWS Waite.html Exploit and Scare Scam For RazeSpyware

2005-10-29T04:36:00.000+00:00

CWS Waite.html Exploit and Scare Scam For RazeSpyware: "In late August 2005, I was given a link by my friend Suzi of Spywarewarrior that was an IP address 195.225.177.33 that ran a massive CWS infestations similar to that of the infamous vxiframe.biz infestations. Upon further research I found that this IP was also being used by two well known CWS porn sites along with an IP of Esthost/Estdomains as an 404 error page that calls a page called waite.html which also contains 195.225.177.33 in an IFRAME to load the IP automatically thus infesting users.

The waite.html page is an old scare scam for RazeSpyware. See Spywarewarrior Rogue Anti-Spyware listing for details. This waite.html page will only be seen about a second and then will close and the CWS infestations will begin. Below is what the page looks like without the live CWS link.
"

SpyFerret - Spyware, Adware and Trojan Removal

2005-10-29T04:31:00.000+00:00

SpyFerret - Spyware, Adware and Trojan Removal: "What is Spyware?

Spyware, also known as Adware, are programs installed on your computer (usually without your explicit knowledge) that transmit personal information to companies. The companies use this information in a number of ways including selling it to others, using it for marketing data, or tracking browsing habits. Secretly piggybacking on downloaded Internet software, spyware programs are known to generate pop-up advertisements and to cause PC crashes and other annoyances."

Radio: Your Browser's Been Hijacked!

2005-09-18T04:18:00.000+00:00

Radio: Your Browser's Been Hijacked!: "The programmers at Cool Web Search modify their parasite daily by altering its program so it cannot be easily eradicated, and make it self-replicating so it will change every time an attempt at removing it is made. A CWS infection will even prevent the user from accessing spyware information websites. New versions are released so often that virus programs cannot keep up."

www.shopcentar.hr :: View topic - Tutorial Spyware

2005-09-16T21:59:00.000+00:00

www.shopcentar.hr :: View topic - Tutorial Spyware: "COOLWEBSEARCH
(ruski proizvod, CWS)

- ruski pay-per-click internet pretraživa�
- prikazuje rezultate koje je pla�eno, a i neke relevantne
- kompliciran model pretrage tražilice

WEB: http://www.coolwebsearch.com/ - stranica koju ne želite posjetiti!

Osniva�ica: Louise Vitte
Programeri i administratori:Alex S. Hatkinson, Sergej Stepantsov, 'Viktor'

CWS NUSPOJAVE:
- mijenja postavke u IE
- prisiljava korisnika na više posjeta
- preusmjeravaju po�etnu stranu na CWS
- prikazivanje oglasa
- usporava rad, IE
- problemi sigurnosnog propusta IE
- teška deinstalacija

UKLANJANJE CWS:
CWShredder - napisao Nizozemac Bellekom - jednostavno uklanjanje i ne zahtjeva kopanje po registry-ma i sistemskih direktorija Windowsa"

VejaSeek Payouts

2005-09-16T21:57:00.000+00:00

VejaSeek Payouts: "Coolwebsearch........... AKA. InterWeb Solutions Inc
Whois had a country code as IO
IO is in the British Indian Ocean

However in a domain court case over another domain they had> they are listed as:

Internet Solutions Inc., the British Virgin Islands-based entity that owns and operates “www.coolwebsearch.com”

Owner: Alex S. Hatkinson

http://arbiter.wipo.int/domains/decisions/...d2004-0468.html

In addition they use Hyperspace Communications in the United States to make payments to affiilates via check. Hyperspace Communications, Inc is a 3rd party check issuer.... That in Canada..... Uses the Royal Bank in Quebec

From one of the few checks I have previously received Coolwebsearch account id is: 03021-400-118-6

If they owe you $15000 I would be taking some of this info to try to find them.
I am curious on where you found a phone number and that they wont return your calls. I have looked High and Low for thier phone number. If you could be so kind as to share it. I would have no issue trying to help in this situation as I know of several people who are owed money by them."

ExtremeTech: Weekly Spyware Alert: CoolWebSearch

2005-09-16T21:48:00.000+00:00

ExtremeTech: Weekly Spyware Alert: CoolWebSearch: "Security Issues: In the Bootconf variant, coolwebsearch.com is added to IE's Trusted Sites Zone, allowing it to download and install any code it likes.

Stability Issues: DataNotary and BootConf variants may cause significant slowdown when typing in a browser window on some systems (particularly when entering information into forms). The SvcHost variant prevents you from completely reaching Google or the search services of MSN or Yahoo.

Removal Process: Manual removal is possible for most of the variants, but can be time consuming. As of this writing, most anti-spyware programs aren't currently addressing all variants.

Merijn Bellekom has fully documented the metamorphosis of CoolWebSearch and has prepared a tool called CWShredder which should be able to remove all known CoolWebSearch variants automatically. To access both, visit The CoolWebSearch Chronicles.

Vendor: www.CoolWebSearch.com

Copyright � 2003 Ziff Davis Media Inc. All Rights Reserved. Originally appearing in ExtremeTech."

Cyberlaw Central � Spyware part of ID Theft Ring

2005-08-21T21:58:00.000+00:00

Cyberlaw Central � Spyware part of ID Theft Ring: "Spyware part of ID Theft Ring
Posted by Kevin A. Thompson under Security

This is very, very disturbing. An article over at Eweek claims that the spyware called CoolWebSearch is actually a keylogger. A test by a spyware removal company found that the program is sending passwords, user names and bank account information to a server in Texas. The FBI has been notified, but the article does not state what action, if any, has been taken as of this date.

I sound like a broken record - Clean your computer of this stuff. The Internet is not always a pretty place. Take appropriate precautions and you will be fine, but if you don’t you can be in serious trouble."

Hardware Analysis - Forum - Massive ID Theft Ring Via CoolWebSearch

2005-08-15T04:36:00.000+00:00

Hardware Analysis - Forum - Massive ID Theft Ring Via CoolWebSearch

IT Observer - Two new spyware threats emerge

2005-08-13T06:31:00.000+00:00

IT Observer - Two new spyware threats emerge: "Two new spyware threats emerge
Friday, 12 August 2005, 07:32 GMT

Far from getting a handle on the issue of spyware, two events this week have demonstrated the growing problem.

Sunbelt Software, maker of the CounterSpy spyware remover program, announced its researchers had discovered a new spyware distribution that installs itself via an Internet Explorer security exploit and is powered by the CoolWebSearch spyware application.

The code uses components of the VX2/Transponder spyware application together with an unknown Trojan horse application to steal sensitive financial and personal information and send it to a remote server.

Read More at TechWorld"

CoolWebSearch

2005-08-12T22:49:00.000+00:00

CoolWebSearch: "Alias: CWS, Cool Web Serach, CoolWwwSearch

Threat type: Browser Hijacker - Browser hijackers are malicious programs that change a user's web browser settings, usually altering designated default start and search pages. In addition a browser hijacker can modify nearly every aspect of a web browser including adding bookmarks, and redirecting search traffic to alternative sites.

Advice: Remove This is a very high risk threat and should be removed immediately as to prevent harm to your computer or your privacy.

Threat risk: Elevated Risk
Elevated threats are usually threats that fall into the range of adware in which data about a user's habits are tracked and sent back to a server for analysis without your consent or knowledge.

Description: CoolWebSearch is a name given to a wide range of different browser hijackers. Though the code is very different between variants, they are all used to redirect users to coolwebsearch.com and other sites affiliated with its operators.

CoolWebSearch is part of a strain of trojans that have recently been identified that all have one thing in common: they install through the ByteVerify exploit in the MS Java VM and change the IE homepage, search page, search bar, etc.

CoolWebSearch Symptoms:
- Hijacks to various search engines. Different variants of CoolWebSearch will redirect you to different sites.
- When a URL is mistyped in the browser, CoolWebSearch will redirect the page to affiliate websites as well as CoolWebSearch.com.
- Installs bookmarks to adult websites in the favorites menu.
- Installs toolbars into the browser.
- Slows down PC.
- Can cause reboots.
- Targets anti-spyware websites, usually vendors of spyware removal tools. Once infected with CoolWebSearch, you may be unable to visit these websites to download their products.
- Will open porn popups if it thinks the website being viewed is pornographic in nature.
- Can cause significant slowdowns when attempting to type into a browser.
- Will add CoolWebSearch.com to the trusted sites list.

CoolWebSearch has a number of variants:

CWS.Aboutblank
IE pages changed to about-blank.ws and 213.159.118.226 (1-se.com), hijack returning on system restart. This variant does everything in its powers to redirect you to a domain owned by 1-se.com. IE is hijacked to it, the hosts file is replaced to redirect about 100 porn and CWS domains to 1-se.com, and a randomly named stylesheet is dropped that redirects to 1-se.com when certain keywords appear in webpages.

CWS.Smartfinder
IE hijacked to nkvd.us and smart-finder.biz, redirections to nkvd.us and smart-finder.biz when typing incomplete URLs into address bar.

CWS.Datanotary
There only were several threads of users experiencing enormous slowdowns in IE when typin messages into text boxes. Delays of over a minute before the typed text appeared were reported. Also some redirections to www.datanotary.com were reported. The hijack installed a stylesheet that used a flaw in Internet Explorer and allowed a .css stylesheet file to execute Javascript code. The code in the file was encrypted, and spawned a popup off-screen that did the redirecting. However, this file was called on almost every action taken in IE, slowing it down - this was the most obvious when typing text.

CWS.Gonnasearch
IE hijacked to gonnasearch.com.

CWS.Xrectar
A browser helper object that changes your Home Page and open pop-up windows based on the currently visited url.

CWS.Xplugin
also known as TROJ_ESEPOR.A, TROJ_ESEPOR.B or TROJ_ESEPOR.C, operations seems to vary from opening pop-up windows, to changing search results from popular search engines.

Author: CoolWebSearch.com

Author URL: http://www.coolwebsearch.com

Author description: Coolwebsearch is a company located in Russia. From their site: 'Cool Web Search is a Pay-Per-Click search engine. [..] If you get a lot of visitors on your website, we will pay you 50% for each search, that your visitors make on our search engine. We also will pay you 5% of the revenues earned by every webmaster you referred to us. Since their emergence last year they have accumulated over

CoolWebSearch Signature Details: The following information includes some of the standard signatures* associated with this spyware threat. Please do not attempt to manually remove these items from your computer; Removing these items incorrectly or partially can cause your computer to experience critical errors, prevent your computer from restarting or cause loss of Internet connectivity. Should you be infected with CoolWebSearch, you can clean your machine of this spyware threat for free by downloading CounterSpy now."

TechBlog: Updated: There's a reason it's called "spyware"

2005-08-12T22:47:00.000+00:00

TechBlog: Updated: There's a reason it's called "spyware": "Updated: There's a reason it's called 'spyware'

A company that develops antispyware software believes it has found a massive identity theft ring that appears to be using the evil and persistent CoolWebSearch spyware program.

Anyone who's been unfortunate enough to be infected with CoolWebSearch knows that a bear it is to remove. If Sunbelt Software is correct, while it clings to your hard drive it's sending private information to evildoers:

In some recent research into a spyware exploit, our research team has discovered a massive identity theft ring.

We also found the keylogger transcript files that are being uploaded to the servers.

This is real spyware stuff-chat sessions, user names, passwords, bank information, etc. We have confirmed that this data is valid. Highly personal information, including even one fellow who has a penchant for pedophilia -- all logged in detail and returned a webserver."

Cool Web Search - the Search you Trust - news release

2005-08-12T22:44:00.000+00:00

Cool Web Search - the Search you Trust: "News Update (2005-08-09):

As you may have heard, there is a new spyware identity theft ring out there:
http://news.yahoo.com/s/zd/20050808/tc_zd/157623
http://sunbeltblog.blogspot.com/

For some obscure reason, they keep claiming that it has something to do with coolwebsearch. It does not. We urge anyone who has any evidence on this actually being linked to us to come forward and let us know. If one of these people is actually working for us, we will contact the FBI and release his information immediately. In addition we will of course close his account and withhold his or her payment for violation of our rules, as we have done with all the so called 'hijackers'.

Our lawyers are currently thinking of suing yahoo and all the other places who posted this article with 'CoolWebSearch' in it as the name of the so called exploit for slander. Please get your facts straight before doing these things.

For reference purposes, this is how you find out whether or not a site is related to coolwebsearch: you click a link and you track where the redirections go. If it goes through the CWS ip, which is currently 66.250.74.152, or the domain coolwebsearch.com then it's CWS, otherwise, IT'S NOT! There are dozens of hijacker outlets out there, and they are all called 'CoolWebSearch' by those who do not bother to check their facts before posting articles on news sites."

Antispyware firm warns of massive ID theft ring - Computerworld

2005-08-06T06:29:00.000+00:00

Antispyware firm warns of massive ID theft ring - Computerworld
AUGUST 05, 2005 (COMPUTERWORLD) - Officials at Sunbelt Software, a Clearwater, Fla.-based vendor of antispyware tools, said the company stumbled upon a massive ID theft ring that is using a well-known spyware program to break into and systematically steal confidential information from an unknown number of computers worldwide.
The operation was discovered yesterday during research Sunbelt was doing on a spyware program belonging to a particularly dangerous class of browser hijacking tools called CoolWebSearch (CWS), according to Sunbelt's president, Alex Eckelberry.
CWS programs are extremely hard to detect and remove, and are used to redirect users to Web sites that use spyware tools to collect a variety of information from infected computers.
The CWS variant being researched by Sunbelt turned infected systems into spam zombies and uploaded a wide variety of personal information to a remote server apparently located in the U.S. That server holds a "treasure trove of information" for ID thieves, Eckelberry said.
Sunbelt's research showed that the information being uploaded to the remote server included chat sessions, user names, passwords and bank information, he said. The bank information included details on one company bank account with more than $350,000 in deposits and another belonging to a small California company with over $11,000 in readily accessible cash, he said.
Many of the records being uploaded also contained eBay account information, he said. Among the highly personal bits of information Sunbelt was able to retrieve from the server were one family's vacation plans, instructions to a limo driver to pick up passengers from an airport and details about one computer user with a penchant for pedophilia.
Sunbelt officials did not say how they accessed the material. But the existence of a large file that the company said it retrieved from the remote server was confirmed by Computerworld. Sunbelt said the file contained user names, addresses, account information, phone numbers, chat session logs, monthly car payment information and salary data.
"It's one of the most egregious things we have ever seen," Eckelberry. "We know this kind of data is out there, but this is the first time we actually have the data that the criminals are using."
Information gathered from infected computers is uploaded to the remote server and stored in highly organized files that appear to be accessed by multiple ID thieves, Eckelberry said. The files grow to anywhere from 10MB to 20MB in size before they are refreshed with new information, he said.
The FBI has been contacted and is working on the case, Eckelberry said. In addition, Sunbelt has contacted some of the individuals and banks whose data has been logged to warn them of the compromise.
The domain of the remote server appears to have been registered in China, although the server itself is located in the U.S., Eckelberry said. "We are working to get that server taken down."
He declined to offer more details.
A spokesman for the FBI could not be reached for comment.
Sunbelt's discovery brings home the seriousness and scope of the growing ID theft problem, said Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa.
"I think this stuff is much more significant than the notification of [compromises] by credit card companies," Lindstrom said. That's because the credit card industry as a whole has better controls in place to detect and prevent abuses resulting from such compromises than individuals, he said.
"This stuff hits home because it's personal. It's like taking something out of your home," Lindstrom said. "Each and every one of these accounts can be compromised, and it hurts someone."

M&A roundup

2005-08-02T05:40:00.000+00:00

M&A roundup: "M&A roundup

Perot buys DOE supplier
Perot Systems Corp. of Plano, Texas, has bought safety, environmental and engineering services company PrSM Corp. for $7.2 million.

The acquisition will let Perot Systems Government Services provide a wider range of safety and engineering services to the Energy Department, which is Knoxville, Tenn.-based PrSM's largest client, and expand its offerings in others such as the Defense Department and NASA.

The transaction is subject to approval by PrSM's shareholders.

IBM to acquire PureEdge Solutions
IBM Corp. has agreed to acquire PureEdge Solutions Inc. The newly acquired company offers business process automation frameworks to create, manage and deploy Extensible Markup Language forms-based processes.

PureEdge worked with IBM on its WebSphere Portal, which integrates with PureEdge XML-based e-forms and lets users work on e-forms online and offline.

Government customers for Victoria, British Columbia-based PureEdge include the U.S. Air Force and Army and the National Institutes of Health, according to the company's Web site.

VeriSign acquires iDefense
VeriSign Inc. has acquired security intelligence provider iDefense of Reston, Va., for about $40 million in cash.

IDefense, which has a multilingual network of more than 200 research contributors in more than 30 countries, publishes intelligence on network security threats and vulnerabilities for financial services firms, government agencies, retailers and other enterprises. Customers use the reports to modify their security infrastructure and respond to threats on a real-time basis.

VeriSign, Mountain View, Calif., provides intelligent infrastructure services for the Internet and telecommunications networks.

HyperSpace closes MPC deal
HyperSpace Communications Inc. completed the acquisition of PC maker MPC Computers LLC in an all stock deal. The deal was announced in March when HyperSpace of Denver agreed to issue 4.3 million shares to acquire MPC from Gores Technology Group of Los Angeles.

HyperSpace also agreed to issue warrants for the purchase of 5 million shares with an exercise price of $3 and 1.5 million shares with an exercise price of $5.50.

MPC, which ranks No. 39 on Washington Technology's Top 100, will operate as a wholly owned subsidiary."

2005-07-21T21:21:00.000+00:00

cool web search :: coolwebsearch

doxdesk.com: database: CoolWebSearch

2005-07-15T04:07:00.000+00:00

doxdesk.com: database: CoolWebSearch : "Around October 2004, many mainstream web servers, including major advertising networks, were hacked by a CoolWebSearch affiliate (apparently using security holes in old versions of PHP and/or OpenSSL via Apache). Visitors to these sites were served with exploits that installed CoolWebSearch variants along with other parasites such as BargainBuddy/BullsEye and /Cashback, BookedSpace, HuntBar/WinTools, FavoriteMan/ATPartners, Look2Me/V3, InternetOptimizer, ISTbar/XXXToolbar, /SideFind, /ActiveX and /YSB, nCase, NeoToolbar, PowerScan, SaveNow/VVSN, SearchMiracle, TIBS (dialler), TopConverting, TopMoxie/WebRebates, WildMedia/WMService and WindUpdates/WinAdTools. Previous CoolWebSearch exploits had also installed some of these, as well as Tubby and OnlineDialer/Ole, zombie botnet clients and even internet banking password-stealing trojans."

Coolwebsearch - the Amazing Retecool -

2005-07-13T01:23:00.000+00:00

Coolwebsearch - the Amazing Retecool -: "Coolwebsearch

Het liefst zou ik alle onwetende familieleden, kennissen, buren en andere prutsers een computer-, of in ieder geval een surfverbod op willen leggen, want ik begin echt knettergek te worden van de vele uren die ik achter een oude Pentium 2 moet doorbrengen om weer eens een hoop virus- en spywarerommel te verwijderen die mijn oom/buurman/vader/kennis in slechts enkele weken heeft weten te verzamelen door nachtelijke zoektochten naar porno. 'Ik? Porno? Welneeeeee!' 'Hoe komt dat icoon met klitjes.exe dan op je desktop?' Enfin, de meest afgrijselijke en steeds moeilijker te verwijderen vorm van computerverkrachting heet coolwebsearch. Variлrend van startpagina's tot een constante stroom van pron-advertenties. Uiteraard loopt er al een uitgebreid onderzoek naar de herkomst van deze varkens, en uiteraard hoop ik dat wij daar ook een klein steentje aan kunnen bijdragen. UPDATE: en hier nog meer over deze 'scumware'. Overigens heel erg jammer dat website van Merijn niet meer werkt."

Parasite: CoolWebSearch

2005-07-13T01:20:00.000+00:00

Parasite: CoolWebSearch: "CoolWebSearch is an umbrella term for a wide range of disparate browser hijackers not otherwise sorted into separate parasite families. The actual code of the different variants is generally differs wildly, and there are multiple competing groups writing and distributing the CoolWebSearch hijackers, many of whom operate in Russia and the Eastern European countries. CoolWebSearch variants are united by their methods of installation and their target search engines, which are affiliates of coolwebsearch.com.

CoolWebSearch hijackers are invariably installed by exploitation of a wide variety of web browser security holes, the vast majority (but not all) of which target Internet Explorer and its MS Java virtual machine. Since the appearance of the first variant mid-2003, CoolWebSearch exploits have become extremely common, going from hiding on blind links in isolated porn pages, to typosquatting domains, to infesting site message boards, to spawning from pop-up adverts on mainstream web pages. Exploits are often chained through traffic redirectors, making multiple infections of different variants at once very likely.

Around October 2004, many mainstream web servers, including major advertising networks, were hacked by a CoolWebSearch affiliate (apparently using security holes in old versions of PHP and/or OpenSSL via Apache). Visitors to these sites were served with exploits that installed CoolWebSearch variants along with other parasites such as BargainBuddy/BullsEye and /Cashback, BookedSpace, HuntBar/WinTools, FavoriteMan/ATPartners, Look2Me/V3, InternetOptimizer, ISTbar/XXXToolbar, /SideFind, /ActiveX and /YSB, nCase, NeoToolbar, PowerScan, SaveNow/VVSN, SearchMiracle, TIBS (dialler), TopConverting, TopMoxie/WebRebates, WildMedia/WMService and WindUpdates/WinAdTools. Previous CoolWebSearch exploits had also installed some of these, as well as Tubby and OnlineDialer/Ole, zombie botnet clients and even internet banking password-stealing trojans.

Other parasites related to CoolWebSearch and often considered part of the same family include Winshow, SuperSpider, SCAgent, SRE and FreshBar.

The script at this site cannot detect some but not all of the variants listed here; further, this is not a complete list of all CWS-related parasites. Some further variants are detailed in the CWS Chronicles."