What CWS is really being used for
PrntRhd
08-05-2005, 10:10 PM
A web server with loads of personal financial information is discovered:
http://www.computerworld.com/securitytopics/security/story/0,10801,103737,00.html
Budfred can comment if Sunbelt is a "good guy" or rogue.
Budfred
08-05-2005, 11:27 PM
Sunbelt is a "good guy".... The slimers they are tracking are not!! :mad:
pop pop
08-05-2005, 11:28 PM
They're on Spyware Warrior listed as legit/licensed clones. Their product, CounterSpy, is powered by Giant (now owned by M$). I've seen CounterSpy listed on other security websites (ComputerCops, I think) and it was rated/reviewed as a pretty good program. I've never used it or any of Sunbelt's products. I'll defer to Budfred.
The information in the article brings home what some of us tried to argue a couple of weeks ago in another thread when someone was vehemently defending the position that a little spyware isn't a big deal. Guess what...those of us who said that was BS might just be right.
PrntRhd
08-06-2005, 12:45 PM
Thanks for the Sunbelt Counterspy info Budfred, it always pays to ask.
:)
(Been checking for possible conflicts of interest ever since McKrappee was caught putting lab viruses into their listed detections to show they found more than the "other guys".)
PrntRhd
08-09-2005, 10:47 PM
Just saw an update of this story. The bad guys' server is located in Texas but registered out of the country, primarily porn on that server. The keylogger is independent of CWS but downloads at the same time as CWS.
http://news.zdnet.com/2100-1009_22-5823591.html
also a direct link to e-week story:
http://www.eweek.com/article2/0,1895,1845248,00.asp
Budfred
08-09-2005, 11:30 PM
Many malcrap programs are bundling these days... Every indication is that the CWS gang is the one doing the bundling in this case...
PrntRhd
08-10-2005, 11:49 AM
Budfred,
I have no doubt you are correct.
The problem in this instance is the keylogger is likely a custom one, so it is difficult to detect its existence except for monitoring outgoing data. Normal scanning tools will not pick this up.
Without a software firewall to monitor activity you have no chance at all to detect a problem.
CWS clutters the PC operation and makes the keylogger harder to detect.
Steve
08-10-2005, 05:20 PM
It's a very important subject PrntRhd. I'm only partly surprised at the relative lack of interest. Whenever I find a computer with a half dozen or so, randomly named files (trojans?) starting up with the OS, I point it out to the owner and ask them what they think those programs are doing. Most folks just shrug. I should hand out copies of that article.
Nobody wants to call the bank and the credit card companies and have passwords, account numbers, etc. changed. It seems like too much trouble. I know two people who have had problems with identity theft after a round of malware. They wished that they had taken the time.
Unfortunately removing the spyware from the computer isn't enough sometimes. We have to deal with the problems that spyware causes outside of the computer, too.
PrntRhd
08-10-2005, 10:06 PM
Latest update from Sunbelt:
http://sunbeltblog.blogspot.com/2005/08/keylogger-from-hell.html
The keylogger bypasses all the firewalls!
pop pop
08-10-2005, 11:28 PM
I searched all my machines and came up clean. Hopefully, the file is locatable and not "super hidden".
I gave up online banking quite a while ago, but I do make online purchases so I would definitely still be vulnerable.
Scary stuff.
PrntRhd
08-10-2005, 11:48 PM
BOClean will get most of it but the CWS component keeps trying to restore the malware, which means this can hide until exposed.
The keylogger component is very tiny, only 26K, and it has some repacked protection files bundled with it.
I expect Budfred will have some more info shortly as Mike at SWI was given most if not all of the info on this malware bundle, per Eric Howes at SpywareWarrior. Yes I said Bundle.
The main thing is to keep CWS off your PC!
Budfred
08-10-2005, 11:52 PM
This thing is VERY ugly and many of the top malware experts on the internet are working on it now... It has a number of components and they may not be the same on each computer... They do protect each other and some are well hidden... The most important thing right now is for people to be extremely careful where you surf, keep your computer fully armored, be exceedingly careful about what information you type into your computer and get help immediately if you see any suspicious activity on your computer... We are all under attack at this point... :mad: :mad:
hockey man
08-11-2005, 11:45 AM
So would finding my bank's IP address and using that be a decent safeguard?
pop pop
08-11-2005, 01:18 PM
Follow Budfred's advice to the letter:
be extremely careful where you surf, keep your computer fully armored, be exceedingly careful about what information you type into your computer and get help immediately if you see any suspicious activity on your computer
That's the best safeguard. You've been around here long enough to know what "fully armored" means.
PrntRhd
08-11-2005, 01:20 PM
So would finding my bank's IP address and using that be a decent safeguard?
No Hockeyman,
This is not pharming. This is infecting PCs with trojan keylogger/malware bundles that have included protections to prevent their removal and send your financial information to the bad guys.
hockey man
08-11-2005, 03:02 PM
Thanks. I have McAfee antivirus, Spybot, Ad-Aware SE Personal, software and hardware firewall, and CWShredder. Any other recommendations? Plus I only use Firefox.
PrntRhd
08-11-2005, 03:53 PM
Just follow Budfred's advice on being careful where you surf. mjc used to advise updating Java as CWS was being installed via that route with older versions, it has gone way past that by now but anything that helps is good.
This new stuff is likely installed via drive-by, but we cannot say for certain yet as it is all being investigated by the forensic experts, malware removal experts and law enforcement.
What is certain: getting infected right now is placing you at serious risk of losing money and losing your good name.
hockey man
08-11-2005, 06:47 PM
Can't go wrong being too safe. Do you know if there is a free filter for Firefox? I.e., something that blocks potentially harmful sites?
Budfred
08-11-2005, 07:43 PM
SpywareBlaster now provides some protection for FireFox and there are a number of extensions that provide protection... NoScripts is one I would definitely suggest you get... You will need to allow certain sites, like PCGuide, to run scripts to navigate, but it will prevent a lot of drive-by stuff...
hockey man
08-11-2005, 07:57 PM
Cool, I'll have to give it a run. . .
classicsoftware
08-11-2005, 07:57 PM
Noscript is the answer. You need to be patient as it takes some getting used to. But drive-by installation is pretty hard to accomplish. The combination of:
FireFox
Spywareblaster
A good software firewall
Noscript
is about as safe as you get in this world of malware run amok
hockey man
08-11-2005, 07:59 PM
Just googled it - I can't find a downloadable program. Any suggestions?
hockey man
08-11-2005, 08:02 PM
Oops, that's noscript not noscripts. I found it.
Budfred
08-11-2005, 08:04 PM
If you are referring to NoScript, use the Extensions option in FireFox Tools to find it... If you mean SpywareBlaster, use the link in my signature...
PrntRhd
08-12-2005, 12:05 PM
A little more on the keylogger:
http://www.techweb.com/wire/security/168600896
Related to the Dumador/Nibu family of Trojans, this keylogger is especially malevolent, said Eric Sites, the vice president of research and development at Sunbelt. "It doesn't sit and wait around for a password to be typed in," he said, a trait of most keyloggers. "Instead, it steals data from Internet Explorer's Protected Storage area."
Until then, Sunbelt recommended that IE users worried about Srv.SSA-KeyLogger should disable IE's AutoComplete. To turn off AutoComplete in IE, select Internet Options under the Tools menu, click the Content tab, then the AutoComplete button. Clear the box marked "User names and passwords on forms," then click OK in that dialog and the next.
Unchecking IE autocomplete is a really good step.
Other browsers, such as Mozilla's Firefox, do not use Protected Storage to record memorized passwords and usernames, and so are safer against the new keylogger.
A better step.
pop pop
08-12-2005, 12:51 PM
Not only that, there's some good protection information here also. Note that the bugger also blocks access to AV sites by modifying the hosts file.
http://www.eweek.com/article2/0,1895,1847427,00.asp
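The hosts-file trick pop pop mentions is easy to check for by hand, and just as easy to script. Added example (not from the thread or the linked article): a small Python checker that parses a hosts file and flags entries that send a security-vendor domain, or any non-localhost name, to the loopback or 0.0.0.0 address. The file contents and the vendor domains below are constructed placeholders.

```python
import ipaddress

# Constructed sample hosts file (not a real capture): one legitimate localhost
# line, two vendor domains redirected to loopback, one to 0.0.0.0, and an
# ordinary intranet entry that should not be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       example-av-vendor.test           # constructed
127.0.0.1       updates.example-antispyware.test
0.0.0.0         www.example-security.test
192.0.2.10      intranet.example.test
"""

# Placeholder watch list; a real check would use the update/download domains
# of the AV and anti-spyware tools actually installed on the machine.
WATCHED_DOMAINS = {
    "example-av-vendor.test",
    "updates.example-antispyware.test",
    "www.example-security.test",
}


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # not a valid address; ignore
        for host in parts[1:]:
            entries.append((str(ip), host.lower()))
    return entries


def find_blocked_domains(text, watched=WATCHED_DOMAINS):
    """Flag watched domains with any override, plus any other name sent to loopback/0.0.0.0."""
    suspicious = []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue                           # the one loopback entry that belongs there
        addr = ipaddress.ip_address(ip)
        on_watch = host in watched or any(host.endswith("." + w) for w in watched)
        if on_watch or addr.is_loopback or addr.is_unspecified:
            suspicious.append((host, ip))
    return suspicious
```

On a Windows box the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; any hit means the machine cannot reach that vendor for updates and should be treated as suspect.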
Budfred
08-12-2005, 08:30 PM
As this thing is getting taken apart, the degree of nastiness is just getting greater... I can't give any details yet, but it will blow you away once it all comes out in the open... I really hope this is incentive enough for the government to take international action against these slimemolds...
PrntRhd
08-16-2005, 01:30 AM
Mike Healan at SpyWareInfo.com has posted the exploit publicly on that site in his newsletter, so some of the details are now public:
http://www.spywareinfo.com/newsletter/archives/2005/aug12.php#Srv.SSA-KeyLogger
A horrific piece of malware.
FastLearner
08-16-2005, 03:59 AM
I really hope this is incentive enough for the government to take international action against these slimemolds...
The problem was and is that our government really does not have an understanding of this from a technical standpoint. I mean, look how far they've come in the past five years - it's pathetic.
While they've managed to slap a small handful of the biggest spammers of our Internet with hefty fines, that's about it. Other than that, they are still arguing over what constitutes one incident of Spyware... At this rate, this problem will only continue to get bigger until it's out of control (if it's not already).
For anyone interested:
Here's another article about the famous recent keylogger:
http://www.securitypipeline.com/news/168601015
Here's an example of one fish out of millions having to pay a fine:
http://www.securitypipeline.com/news/168601425
Here's a short article claiming that the majority of spam is coming from innocent "zombies".
http://www.securitypipeline.com/168601017
And before I list every article, maybe it's easier if I just refer everyone to this site and let you pick and choose the articles that interest you! It has become one of my favorite sources for IT-related information as of late.
http://www.securitypipeline.com/