Sunbelt Software Inc., makers of the enterprise-grade CounterSpy spyware protection product, made the discovery during an audit of "CoolWebSearch," a program that routinely hijacks Web searches, browser home pages and other Internet Explorer settings.
During the research, Sunbelt researcher Patrick Jordan deliberately installed the "CoolWebSearch" application on a machine and immediately noticed that the infected system became a spam zombie that was placing callbacks to a remote server.
When Jordan visited the remote server, he was shocked to find that it was being used to distribute sensitive personal information from millions of PC users infected by the spyware application.
"We found the keylogger transcript files that are being uploaded to the servers. We're talking real spyware stuff … chat sessions, usernames, passwords, bank account information, full names, addresses," said Sunbelt president Alex Eckelberry.
In an interview with Ziff Davis Internet News, Eckelberry said the sophistication of the operation suggests it's the work of a "massive identity theft ring" that used keystroke loggers to grab confidential information that could be used to create fake online identities.
"I'm not being dramatic. This is the most repulsive thing I've ever seen. It's very painful to see what's in these log files that are being uploaded in real time. We're seeing a lot of bank information and usernames and passwords to get in," Eckelberry said.
He said the log files included logins to one business bank account with more than $350,000 and another small company in California with over $11,000, readily accessible.
"There are lots of eBay account information and names and addresses of the people owning those accounts. Names, passwords, all matched up," Eckelberry added.
He said the server, which is hosted out of a data center in Texas, was effectively a "massive repository of stolen data" that was being replenished in real time.
"As the [log] file gets to a certain size, it gets taken down and a new file starts generating. This goes on nonstop. We've been watching it for a few days while trying to get to the FBI, and it just keeps growing and growing."
While the site is being hosted in the United States, Eckelberry said the domain name is registered to an offshore company.
Eckelberry said the huge size of the log files is a clear indication that thousands of machines are pinging back daily.
In some cases, where users appeared to be at immediate risk of losing a considerable amount of money, Sunbelt has contacted the affected individuals.
Eckelberry said the "CoolWebSearch" payload included a typical adware download that immediately scanned the infected machine for e-mail addresses to use for spam runs. It then set up a "very intelligent keylogger" that looks for very specific information.
"This won't get caught by a typical anti-spyware application," he said, noting that the keystroke logger was able to pick up identity-related data for delivery to the remote server.
Anti-virus vendor Trend Micro Inc. provides a free online scanning tool that detects and deletes the "CoolWebSearch" application.
The tool is available for the Microsoft Windows XP, Windows 2000, Windows Millennium Edition and Windows 98 operating systems.