RE: Spyware becomes increasingly malicious

["Hannigan, Martin" <hannigan () verisign com>]

This appears to have been dealt with at the browser level
in MS Security Bulletin MS03-011.

I have a hard time blaming MS for everything since in most cases
of these things they do react. How do they force the users to update?
Could they implement a switch that says "no update, no working browser"?
At least for IE?


Scob was dealt with via the hammer, this could be too.


There's 39 variants at the moment:

http://www.spywareinfo.com/~merijn/cwschronicles.html

The difficulty in cleaning is due to the variants:

http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder

Disclaimer: That site "looks/feels" credible, but I did just a little
correlation. Thanks.



ARIN:

The IP number for their website is allocated to cogent, but not SWIP'd.

Apparent last mile:

16  p6-0.core01.jfk02.atlas.cogentco.com (66.28.4.82)  107.092 ms  104.713
ms  107.080 ms
17  p5-0.core01.jfk01.atlas.cogentco.com (66.28.4.9)  108.177 ms  108.023 ms
109.115 ms
18  g49.ba01.b001362-1.jfk01.atlas.cogentco.com (66.28.66.42)  106.147 ms
105.769 ms  109.537 ms
19  HyperSpace_Communications.demarc.cogentco.com (66.250.5.30)  110.872 ms
108.745 ms  106.978 ms
20  66.250.74.150 (66.250.74.150)  107.939 ms  108.364 ms  104.599 ms

Apparent Registration:

domain:       coolwebsearch.com
status:       production
organization: InterWeb Solutions Inc
owner:        InterWeb Solutions Inc
email:        admin () iweb-commerce com
address:      P.O. Box 362
address:      Road Town
city:         Tortola
postal-code:  65113
country:      IO
admin-c:      admin () iweb-commerce com#0
tech-c:       admin () iweb-commerce com#0
billing-c:    admin () iweb-commerce com#0
nserver:      ns1.maximumhost.com   
nserver:      ns2.rosexxxgarden.com 
registrar:    JORE-1
created:      2001-06-01 04:51:34 UTC JORE-1
modified:     2004-03-17 14:59:02 UTC JORE-1
expires:      2007-05-31 22:51:23 UTC 
source:       joker.com


-M




--
Martin Hannigan                         (c) 617-388-2663
VeriSign, Inc.                          (w) 703-948-7018
Network Engineer IV                       Operations & Infrastructure
hannigan () verisign com


coolwebsearch:




> -----Original Message-----
> From: owner-nanog () merit edu [mailto:owner-nanog () merit edu]On Behalf Of
> Paul Vixie
> Sent: Monday, July 12, 2004 12:19 PM
> To: nanog () merit edu
> Subject: Re: Spyware becomes increasingly malicious
>
>
>
> somebody, probably sean, mentioned scaling earlier in this thread.
>
> > > > coolwebsearch has become more and more sneaky.. so bad that
> > > > development of cws shredder has been abandoned by its developer..
> ...
> > > the first time only about 3 days ago and I got rid of it 
> in 10 minutes!
> > > I can see how it would be a problem for a newbie but it 
> shouldn't be
> > > anything more than 10 minutes work for anyone here with Windows
> > > experience.
> ...
> > There are dozen of variants, obviously you've seen only one.
>
> so, this bit of spyware (which was resistant to ad-aware as 
> of last week,
> though ad-aware seems to publish a new definition file every 
> day now) relies
> on a web site, and that web site relies on the spyware for 
> its traffic and
> eyeballs, and the spyware and website are 
> owned/operated/"published" by the
> same company.  the website does not move around, it's at a 
> fixed location.
>
> the scaling issue, please:
>
>         "why does that company still have an internet connection?"
>
> or, to put it less mildly:
>
>         "why does that company's provider still have an upstream?"
>
> or, to put it in terms you can all understand:
>
>         "why does that provider's upstream still have bgp peers?"
>
> if you give people the means to hurt you, and they do it, and 
> you take no
> action except to continue giving them the means to hurt you, 
> and they take
> no action except to keep hurting you, then one of the ways 
> you can describe
> the situation is "it isn't scaling well."
> -- 
> Paul Vixie