To catch a thief

CoolWebSearch is the most feared spyware on the web, taking over PCs and causing misery to users. How, asks Michael Pollitt, can we protect ourselves?
The Independent Online

Merijn Bellekom knows when he's beaten. The Dutch chemistry postgraduate has spent days, months, years of his life trying to save other internet users' bacon. Indeed, your computer might be one that has benefited from his work developing CWShredder, a program to remove a pernicious spyware program called "CoolWebSearch" from Windows PCs.

But now he's called it a day. CoolWebSearch's programmers, who remain unknown but very definitely active, have finally worn him down with the latest revisions of their vicious product.

"The latest variants are a living hell," says Mr Bellekom. "They install through a vulnerability in IE [Microsoft Internet Explorer] and hide very, very well. There are two variants going around that are the most widespread right now, that were basically the reasons I stopped [developing] CWShredder - I couldn't remove them programmatically."

CWShredder is a popular removal tool to help people whose PCs are infected by many of the 40-odd versions of CoolWebSearch - a notorious web browser hijacker that's nearly impossible to eliminate.

Although CoolWebSearch is often installed through "drive-by downloads" involving pop-ups from "warez" or porn sites - when the window pops up, your computer begins downloading the code - it may lurk anywhere on the internet. And you won't know until it's too late.

If it does hit you, there will be various indications, such as Internet Explorer running remarkably slowly, or pop-ups offering "enhanced results" when searching Google, Yahoo and Altavista. (Read more at www.spywareinfo.com/~merijn/cwschronicles.html and a more recent version at cwshredder.net/cwshredder/cwschronicles.html).

The CoolWebSearch malware is clearly written to take over your machine; the purpose seems to be to drive hapless users to various "affiliate" sites of paid-for search companies such as Coolwebsearch.com (I don't suggest you visit this site). If you click on a link at the search site, the affiliate gets paid. The CoolWebSearch malware drives you there, even if you don't want to go. (There's no evidence that Coolwebsearch.com has any part in the authorship of the malware; but because early variants took people there, the name for the malware stuck.)

What's scary is that the people behind the software are clearly intimately familiar with Windows, and know a plethora of ways to hide their work and make it almost impossible for an amateur to remove.

But it's not all going the bad guys' way. On October 19, the American company InterMute bought CWShredder for an undisclosed amount from Mr Bellekom, who has begun an information science course at the University of Utrecht.

"CoolWebSearch is probably one of the most vicious and hardest to eliminate pieces of spyware circulating on the internet," said Ed English, chief executive of InterMute. "We are proud to offer CWShredder as a free download". He said it will also be integrated into his company's paid-for product, SpySubtract PRO, "to give our customers the most robust protection available against invasive forms of software."

Should you feel any safer if you've installed Microsoft's Service Pack 2 for Windows XP? Released in late August, SP2 includes a pop-up blocker for IE, suppression of ActiveX downloads - intended by Microsoft to add functionality to Internet Explorer, and gleefully exploited by all manner of hackers - and other enhancements that limit deceptive behaviour.

However, Christine Stevenson, vice-president of US marketing at protection software company Webroot, says the only additional protection against spyware involves ActiveX.

"SP2 makes it more difficult for spies to install [themselves] via ActiveX controls with Internet Explorer. It also prevents websites from sending an automatic installer download prompt once a page is opened," she says. (That prompt would make your machine begin installing software without asking you.) "However, there are already examples of websites asking users to disable the 'new ActiveX protection' because it makes it too difficult for their users to install their legitimate software. SP2 does absolutely nothing to stop CoolWebSearch from installing. CWS uses exploits in Java, compiled help modules, and speciality Internet Explorer protocols to access the system, not ActiveX."

Another anti-spyware company, PestPatrol, was recently acquired by Computer Associates (the product is now called eTrust PestPatrol).

Their verdict? "SP2 has no effect whatsoever on a hijacker like CWS. It's like a digital game of cat and mouse, with new variants appearing all the time," says product manager Kelly Macklin at Computer Associates. "Key loggers, drive-by downloads, diallers, social engineering tricks like certain spyware that mimics anti-spy products, all get through. SP2 is helpful, but is like attacking a battleship with a ball peen hammer. The power of a user inadvertently clicking through is enough to defeat most efforts to protect."

The Independent asked Prevx, an intrusion protection specialist, to test CoolWebSearch against SP2. CoolWebSearch won, swiftly making a "total mess" of the machine, hijacking home and search pages, adding porn links, rogue diallers, pop-up adverts, and causing system instability, random re-boots and heavy resource utilisation. Detailed investigations found complex exploits and hidden lists of hundreds of porn-related sites in China, Czech Republic, Gibraltar, USA, The Netherlands, and Russia.

Although Prevx says that older variants of CoolWebSearch are blocked by SP2, newer variants are not. Most disturbingly of all, SP2 proved oblivious to serious spyware activity. This included multiple outbound hidden connections through the Windows XP firewall to steal your e-mail address and other information; the silent addition of websites to Internet Explorer's "trusted" list; the installation of malicious toolbars that could be used for "phishing"; and hijacking of your internet home page. Not a single Windows warning message was seen. And where CoolWebSearch leads, other spyware isn't far behind.

And what about users without XP? "We do not currently have plans to make the enhancements available in XP SP2 on Windows 2000, NT 4, Windows 98, or Windows Me," says Paul Randle, Windows client product manager, Microsoft. "We remain committed to keeping our customers secure on all supported Windows versions and are evaluating the technical feasibility of providing these new enhancements for older Windows versions."

Practical advice on spyware remains patchy. Wanadoo only offers technical support for internet connection and e-mail issues. An AOL spokeswoman merely stressed the importance of having "adequate safety and security products" while ntl and Dell pointed to information on their web sites. Only internet service provider Pipex would spell it out: "We would always recommend that customers use a multi-layer approach to security - use of firewalls, anti-spam/anti-virus, ensure they receive regular updates of bug fixes and service packs from software vendors," said a Pipex spokeswoman. "Concentrating on a single layer is like installing a burglar alarm but forgetting to arm it and leaving the front door open."

But the burglars are getting more high-tech. In early October, MessageLabs, the leading provider of managed e-mail security services to businesses, saw a pornographic e-mail with an opt-out link to a web page. Following that link in Internet Explorer and scrolling down the page would download a malicious file that would turn your PC into a spam-sending zombie under a hacker's control.

While everyone waits for the next hole in Windows to be found, there's something new to help. By detecting suspicious or known bad behaviour, Prevx Home (www.prevx.com) offers free intrusion-prevention software for Windows XP against worms, hackers and spyware.

Already downloaded nearly 100,000 times, Prevx Home prevented CoolWebSearch from insinuating itself, by blocking the installation of programs while protecting the Windows registry and system files. In fact, the software is so simple and effective that it provides real confidence that your system is secure.

Other suggestions? Drop Internet Explorer, as it helps spyware get onto your machine, and is easily hijacked. Spyware-resistant browsers include Firefox (www.spreadfirefox.com) and Opera (www.opera.com). If you must use Internet Explorer, upgrade to Windows XP SP2, disable ActiveX and block pop-ups. Also, keep Windows up-to-date, install anti-virus and anti-spyware software, and get a good firewall.
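The symptoms the article lists (a hijacked home or search page, sites silently added to Internet Explorer's "trusted" list, unwanted toolbars) all leave traces in well-known registry locations, so an administrator can check for them without relying on a removal tool. The script below is an added example written for this page, not code from the article, CWShredder, Prevx or any vendor named here. It assumes a supported Windows build with PowerShell (the XP-era machines the article discusses would not have it), and it reads the standard Internet Explorer keys: the per-user `Main` key for start and search pages, the `ZoneMap\Domains` key for zone assignments, and the `Browser Helper Objects` key for installed toolbars and add-ons. The list of expected pages is a constructed sample that you would replace with your own.

```powershell
# Added example (not from the article): audit the Internet Explorer settings
# that browser hijackers such as CoolWebSearch are described as altering.
# Run from an ordinary user session; it only reads the registry.

# Constructed sample: the pages an administrator expects to see configured.
$ExpectedPages = @('about:blank', 'https://www.google.com/', 'https://www.bing.com/')

function Get-IEStartPages {
    # Start Page / Search Page live under the per-user IE "Main" key.
    $main = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        StartPage  = $main.'Start Page'
        SearchPage = $main.'Search Page'
    }
}

function Get-IETrustedSites {
    # Each domain is a subkey under ZoneMap\Domains (possibly nested, e.g. example.com\www).
    # A DWORD named after the scheme (http, https or *) with value 2 puts it in the Trusted zone.
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $domain = ($_.Name -replace '.*\\Domains\\', '') -replace '\\', '.'
        $props  = Get-ItemProperty -Path $_.PSPath
        foreach ($scheme in @('http', 'https', '*')) {
            if ($props.PSObject.Properties[$scheme] -and $props.$scheme -eq 2) {
                [PSCustomObject]@{ Domain = $domain; Scheme = $scheme; Zone = 'Trusted' }
            }
        }
    }
}

function Get-IEBrowserHelperObjects {
    # BHOs (toolbars, "search assistants") are registered by CLSID; resolve each to its DLL.
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem -Path $key | ForEach-Object {
            $clsid  = $_.PSChildName
            $inproc = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            [PSCustomObject]@{ CLSID = $clsid; Dll = $inproc.'(default)' }
        }
    }
}

function Invoke-IEHijackAudit {
    $findings = @()

    $pages = Get-IEStartPages
    foreach ($page in @($pages.StartPage, $pages.SearchPage)) {
        if ($page -and ($ExpectedPages -notcontains $page)) {
            $findings += "Unexpected IE start/search page: $page"
        }
    }

    # Any Trusted-zone entry the administrator did not add deserves a look:
    # the zone relaxes the browser's security settings for that site.
    foreach ($site in Get-IETrustedSites) {
        $findings += "Trusted zone entry: $($site.Scheme)://$($site.Domain)"
    }

    # Every BHO is listed; a DLL outside Program Files or Windows, or with no
    # resolvable path, is the kind of entry a hijacker's toolbar would leave.
    foreach ($bho in Get-IEBrowserHelperObjects) {
        $findings += "Browser Helper Object $($bho.CLSID) -> $($bho.Dll)"
    }

    if ($findings.Count -eq 0) { Write-Output 'No unexpected IE settings found.' }
    else { $findings | ForEach-Object { Write-Warning $_ } }
    return $findings
}

Invoke-IEHijackAudit
```

The script reports rather than repairs: on a machine showing the article's symptoms, the value of the audit is the list of domains and DLLs to investigate, and the same three checks can be re-run after cleanup to confirm the hijack has not reasserted itself.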

And finally, always remember that spyware-writing criminals like nothing better than to find new victims.
