Free Republic

CoolWebSearch, Dubbed Adware's "Ebola," Tops Spyware Threat List
TechWeb ^ | March 30, 2005 | Gregg Keizer

Posted on 03/30/2005 9:34:51 PM PST by Eagle9

CoolWebSearch, adware that generates more than $300 million a year for its maker, is the "Ebola" of adware, and easily the most significant spyware threat on the Internet, an anti-spyware security firm said Wednesday.

CoolWebSearch, which comes in multiple forms, can hijack Web search errors, usurp the browser's home page, and modify other Internet Explorer settings. Recent variants have taken to exploiting vulnerabilities in IE, such as those in the HTML Help system, to install on PCs.

"Its only purpose is to get on a PC, and stay on that PC, even at the cost of killing that machine," said Richard Stiennon, the vice president of threat research for Boulder, Colo.-based Webroot, which publishes the Spy Sweeper line of anti-spyware software.

According to Webroot, nearly half of the PCs it's audited for spyware or adware are infected with CoolWebSearch.

"It's the Ebola of the Internet," said Stiennon. "It's so malicious that it tends to break the ability of a machine to browse effectively, and therefore limits the number of ads and click-throughs that can be generated. Like Ebola, it kills its host before it can be productive."

Webroot's newest Top 10 list -- it releases a list of the ten most significant spyware/adware threats every quarter -- is based on the free spyware audits it conducts from its own Web site, and those it runs in cooperation with EarthLink, the Atlanta-based ISP.

"We rank programs on both prevalence and perniciousness," said Stiennon.

Second on Webroot's list is Gator/GAIN, adware that may display banner ads based on Web surfing habits. Gator is a long-time adware package that often gets on systems because it's bundled with free software, most notably the P2P file-sharing program Kazaa. By the SpyAudit scanning results, Gator/GAIN is on about 15 percent of all machines.

"If we take the leap and assume that the sample is representative of the Internet in total, we can estimate how many machines have Gator," said Stiennon. His best guess: 38.4 million PCs.

Others on Webroot's list include (in descending order), 180search Assistant, ISTbar/Aupdate, Transponder, Internet Optimizer, BlazeFind, Hot as Hell, Advance Keylogger, and TIBS Dialer. Most are adware in composition -- not that that means they're benign; they typically hijack search errors and re-direct them to another site, and/or blitz the PC with endless popups -- but some are true spyware.

"We're finding keyloggers on about 15 percent of the machines audited," said Stiennon, "and Advanced Keylogger is the most prevalent right now. It's on relatively few machines -- about 9,000 that we've found -- but a keylogger on that many PCs is a scary concept in and of itself.

"Spyware writers are continuing to innovate and find new, more deviant ways to infiltrate systems," said Stiennon. "The increased presence of hijackers, dialers, and keyloggers demonstrates that the new trend for these threats is to go straight for the jugular."

Spyware/adware writers are doing that for one reason: money.

Stiennon, who has analyzed the spyware/adware economy, has come up with an average cash flow per "customer installation" per year of $2.40. For each system infected, then, he estimates that the adware author generates $2.40 annually in pop-up fees, redirect fees, and other charges.

His cash-flow projection for the creator of CoolWebSearch -- which using his formula may be on more than 127 million machines worldwide -- is thus $306 million. The company behind Gator/GAIN -- the Redwood City, Calif.-based Claria -- is bringing in around $92 million a year, while 180search Assistant is raking in $86 million.

"These guys make spammers look like two-bit back alley operations," said Stiennon. "No wonder there's a gold rush to get in on this."

And no wonder some adware firms are pushing anti-spyware vendors to "de-list" them from their detection and deletion scanners.

The most recent such move was by Computer Associates, which sells the PestPatrol anti-spyware line after acquiring the company in 2004. Last week, CA removed all Claria products -- including Gator/GAIN -- from its database under its Vendor Appeal program.

CA has been criticized in the past for de-listing software other anti-spyware vendors continue to list as malicious, and even Microsoft has backed down in at least one instance.

"One reason Webroot publishes the Top 10 list," said Stiennon, "is to help provide an idea of the scope of the whole spyware and adware issue, so that going forward, as the discussion of adware heats up and definition battles with the vendors begin, people will have some basic information about the extent of the problem."


TOPICS: Technical
KEYWORDS: adware; lowqualitycrap; microsoft; security; spyware; windows
The most recent such move was by Computer Associates, which sells the PestPatrol anti-spyware line after acquiring the company in 2004. Last week, CA removed all Claria products -- including Gator/GAIN -- from its database under its Vendor Appeal program.

I've used PestPatrol, along with other anti-spy/adware, for the past two years. It was a good program that just became worthless.

1 posted on 03/30/2005 9:34:51 PM PST by Eagle9
[ Post Reply | Private Reply | View Replies]

To: Eagle9
CoolWeb? My friend, you need I.E Spy-ad to lock down Internet Explorer and keep CoolWeb from downloading to your machine. And it's free. You can also install a free I.E ad blocker called Ad-Shield and you can import a spyware blocklist to it. Adware's "Ebola" can't run with these deadbolt locks in place.

(Denny Crane: "Sometimes you can only look for answers from God and failing that... and Fox News".)
2 posted on 03/30/2005 9:38:10 PM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)
[ Post Reply | Private Reply | To 1 | View Replies]

To: goldstategop

There's a better idea - don't use IE.

Better yet, get a Mac.


3 posted on 03/30/2005 9:40:36 PM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Eagle9

ping


4 posted on 03/30/2005 9:41:02 PM PST by Shaka
[ Post Reply | Private Reply | To 1 | View Replies]

To: Spktyr

Install Luinx, problem solved.


5 posted on 03/30/2005 9:42:17 PM PST by John Will
[ Post Reply | Private Reply | To 3 | View Replies]

To: Eagle9

I use Spybot Search & Destroy.
http://www.safer-networking.org/en/index.html
Current release is v1.3
One warning, if you see that it's not finding any updates it likely means that there's a new version available (they don't tell you automatically). Still, the price is right.


6 posted on 03/30/2005 9:43:28 PM PST by 1066AD
[ Post Reply | Private Reply | To 1 | View Replies]

To: John Will
That works, too. I like Linspire for my end users in such a quandary.
7 posted on 03/30/2005 9:43:47 PM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: Shaka

Download "cwshredder" - if you have CoolWebSearch, this will find and delete it.


8 posted on 03/30/2005 9:45:28 PM PST by IamConservative (To worry is to misuse your imagination.)
[ Post Reply | Private Reply | To 4 | View Replies]

To: Shaka

The bastards are determined to destroy a magnificent technology.


9 posted on 03/30/2005 9:45:28 PM PST by IGOTMINE (Front Sight. Press. Follow Through. It's a way of life.)
[ Post Reply | Private Reply | To 4 | View Replies]

To: John Will

Install Luinx


Is this some new breed of OS?


10 posted on 03/30/2005 9:45:35 PM PST by philetus (What goes around comes around)
[ Post Reply | Private Reply | To 5 | View Replies]

To: goldstategop

Thanks for the advice, but I've avoided CWS, so far.


11 posted on 03/30/2005 9:53:58 PM PST by Eagle9
[ Post Reply | Private Reply | To 2 | View Replies]

To: 1066AD

Spybot S&D is one of several anti-spyware programs that I run on a regular basis.


12 posted on 03/30/2005 9:58:33 PM PST by Eagle9
[ Post Reply | Private Reply | To 6 | View Replies]

To: 1066AD

I had Cool Web Search installed and Spybot Search & Destroy did not get rid of it.


13 posted on 03/30/2005 9:58:45 PM PST by Wiz
[ Post Reply | Private Reply | To 6 | View Replies]

To: Eagle9
If you have Web Search Assistant/Cool Web Search spyware, get the CWShredder. However, there are some reports that it deletes unnecessary files depending what is confirmed to be deleted so be aware. I have used the latest (in early 2005) version of AdAware and SpyBot but both could not remove it (however, future definitions may have the abilities). Don't forget to get SpyWare Blaster preventing spyware to be installed.
14 posted on 03/30/2005 10:07:57 PM PST by Wiz
[ Post Reply | Private Reply | To 1 | View Replies]

To: Famishus

???????any interest?????????


15 posted on 03/30/2005 10:09:36 PM PST by mother22wife21
[ Post Reply | Private Reply | To 1 | View Replies]

To: Spktyr
There's a better idea - don't use IE.

I agree -- use Firefox.

16 posted on 03/30/2005 10:09:38 PM PST by Eagle9
[ Post Reply | Private Reply | To 3 | View Replies]

To: Eagle9
If you use I.E. or Firefox you need (at least) these 2 programs from Javacool Software, both are free, but they will take donations.

SpywareBlaster

SpywareGuard

These will keep most of the bad stuff away and will alert you if browser is configured in an unsafe way.

17 posted on 03/30/2005 10:11:59 PM PST by PeaceBeWithYou (De Oppresso Liber! (50 million and counting in Afghanistan and Iraq))
[ Post Reply | Private Reply | To 1 | View Replies]

To: potlatch

Ping


18 posted on 03/30/2005 10:17:57 PM PST by ntnychik
[ Post Reply | Private Reply | To 1 | View Replies]

To: IamConservative; IGOTMINE; Eagle9; Wiz; 1066AD

This virus has become more devious.

I had this CW infection that kept coming back after you would think you had deleted it. CW shredder was useless. So was SPYBOT, Hijackthis and Adware and Microsoft AntiSpyware. It was a vicious circle.

I finally, after figuring out what processes were causing the return, got hold of X-raypc. Cool program, free and small. It gives you info on all running processes and lets you off load them and/or delete the file causing the running process. Careful what you delete!

Check it out:

http://www.x-raypc.com/


19 posted on 03/30/2005 10:18:16 PM PST by TheLion
[ Post Reply | Private Reply | To 8 | View Replies]

Comment #20 Removed by Moderator

To: Wiz

Did S&D find it tho' ?


21 posted on 03/30/2005 10:23:21 PM PST by 1066AD
[ Post Reply | Private Reply | To 13 | View Replies]

To: Eagle9

thanks for the info


22 posted on 03/30/2005 10:24:52 PM PST by Quixotical
[ Post Reply | Private Reply | To 1 | View Replies]

To: coosamtn

Nope. This stuff exploits holes in how IE loads pages and handles BHOs. The new modifications help a little, but to really fix the hole they would have to rewrite IE.


23 posted on 03/30/2005 10:25:10 PM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 20 | View Replies]

To: IamConservative

It is a miracle program.


24 posted on 03/30/2005 10:25:24 PM PST by rwfromkansas (http://www.xanga.com/home.aspx?user=rwfromkansas)
[ Post Reply | Private Reply | To 8 | View Replies]

To: Eagle9

ping


25 posted on 03/30/2005 10:25:45 PM PST by lunarbicep (Always drink upstream from the herd.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: TheLion

I wonder why CWShredder worked for me. Other variations of Cool Web Search much more devastating?


26 posted on 03/30/2005 10:26:35 PM PST by Wiz
[ Post Reply | Private Reply | To 19 | View Replies]

My computer is not infected with any spyware or adware.
It's the "de-listing" by anti-spyware programs that I found interesting.
27 posted on 03/30/2005 10:27:14 PM PST by Eagle9
[ Post Reply | Private Reply | To 1 | View Replies]

To: Eagle9

CWS Shredder will take care of this.


28 posted on 03/30/2005 10:28:26 PM PST by Natural Law
[ Post Reply | Private Reply | To 1 | View Replies]

To: backhoe

Ping.


29 posted on 03/30/2005 10:29:08 PM PST by Eagle9
[ Post Reply | Private Reply | To 1 | View Replies]

To: Eagle9
"There's a better idea - don't use IE. Better yet, get a Mac."

When I get a brain slug, I'll get a Mac.

30 posted on 03/30/2005 10:32:38 PM PST by Daaave ( I'm afraid, Dave. Dave, my mind is going. I can feel it.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: TheLion
X-raypc - I'll check it out.
Thanks.
31 posted on 03/30/2005 10:34:47 PM PST by Eagle9
[ Post Reply | Private Reply | To 19 | View Replies]

To: Wiz

You were fortunate. There are apparently all kinds of variations. This site taught me a lot:

http://forums.spywareinfo.com/index.php?b=1


32 posted on 03/30/2005 10:35:43 PM PST by TheLion
[ Post Reply | Private Reply | To 26 | View Replies]

To: Eagle9

Now if someone could tell us which of the processes, one actually needs, we could offload the rest...lol.

Actually I am learning what they all do. If you use Hijackthis you will get to recognize some of them.


33 posted on 03/30/2005 10:38:41 PM PST by TheLion
[ Post Reply | Private Reply | To 31 | View Replies]

To: Eagle9

Ping


34 posted on 03/30/2005 10:41:53 PM PST by Tuba Guy (allah fubar)
[ Post Reply | Private Reply | To 1 | View Replies]

To: TheLion
Now if someone could tell us which of the processes, one actually needs, we could offload the rest...lol.

Just ask backhoe...lol.
Nah, it seems there is no program that will detect and remove them all.

35 posted on 03/30/2005 10:46:42 PM PST by Eagle9
[ Post Reply | Private Reply | To 33 | View Replies]

To: IamConservative

Download "cwshredder" - if you have CoolWebSearch, this will find and delete it.


36 posted on 03/30/2005 10:47:48 PM PST by Petronski (The last lonely man in the deep woods.)
[ Post Reply | Private Reply | To 8 | View Replies]

To: Eagle9; backhoe

Backhoe gave me the link to the spyware forum.


37 posted on 03/30/2005 10:50:39 PM PST by TheLion
[ Post Reply | Private Reply | To 35 | View Replies]

To: Daaave

Or get Mosaic... Ok, that was too old for a joke. :)


38 posted on 03/30/2005 10:52:13 PM PST by Wiz
[ Post Reply | Private Reply | To 30 | View Replies]

To: 1066AD
You may wish to also try to use AdAware. Also, be sure to use Spybot's host file replacement.

This is a critical step in defeating most spyware. It prevents IE from going to sites (that the spyware will try to reach to get more spyware).
39 posted on 03/30/2005 10:59:55 PM PST by JSteff
[ Post Reply | Private Reply | To 6 | View Replies]

To: Eagle9

Sounds like CWS needs to be introduced to a Colombian necktie party. Or at least start with them.


40 posted on 03/31/2005 12:27:20 AM PST by biff
[ Post Reply | Private Reply | To 1 | View Replies]

To: biff
Some variants of CWS are really nasty as they utilize your system restore function. Whenever you delete them they silently "restore" your system to re-install themselves. Really hard to purge this one!!!

ABC CBS NBC CNN it's all the SAME, Propaganda.
Might as well call them all AmeriJazerra.
Show them how much Gravitas Hugh Bris has. Vote with your remote! Shut down the Alphabet channels.

He's Got A Plan
Zippo Hero
Seven Dead Monkeys Page O Tunes

41 posted on 03/31/2005 2:29:17 AM PST by rawcatslyentist (Man, You should have seen them, kickin Edgar Allen Poe! Koo Koo Kachoo)
[ Post Reply | Private Reply | To 40 | View Replies]

To: Eagle9

Firefox gives a better browsing experience and is less vulnerable.

I also use Spybot Search and Destroy both at home and on our office computers - about 30 of them. It has some very good advanced features such as locking the hosts file and a very nice interface to examine and manipulate startup settings - takes a while to get familiar with everything, but it's worth it. Having said that, I think there is still room in the marketplace for a commercial anti-spyware product that would be easier for the average user to understand and configure. hmmmm...


42 posted on 03/31/2005 3:15:12 AM PST by Northern Alliance
[ Post Reply | Private Reply | To 1 | View Replies]

To: Wiz

CWShredder is a magnificent program but, much like real life viruses, the spyware 'diseases' are constantly evolving. This is not something that you can run and expect that your machine will be clear forever. On all the adware/spyware removal tools, you have to download new additions constantly and also take steps to secure your system as well.

[I once spent 3 days getting CoolWebSearch off of my wife's machine because NONE of the tools at the time would do the trick. I won in the end, though!]


43 posted on 03/31/2005 3:23:09 AM PST by WileyC
[ Post Reply | Private Reply | To 26 | View Replies]

To: All
 
Things you need--(all FREE)
Anti-Virus
AVG Anti-Virus version 7 (free) release available...
Avast
Firewall
Kerio (Direct Download), Zone Alarm
If you are using zone alarm it may slow your PC. Try Outpost Firewall http://www.agnitum.com/products/outpost or Sygate Firewall http://www.sygate.com/ both have FREE and Pro versions and are heads above ZA.
Misc.
IE Spyads, SpywareBlaster, Spyware Guard
Windows Update- you must keep updated, it is the start of a secure system- get all CRITICAL Updates

Things you want (Still Free)
Get Firefox. I use Firefox. Click the link and give it a try.
Ad-Aware
Spybot S&D
SpywareBlaster
MS MVP Hosts file
Mike Lin's Homepage and get the Startup Control Panel and Startup Monitor tools.

The best forum for malware removal:
-SWI Forums-

http://www.freerepublic.com/focus/f-news/1315720/posts
Microsoft Releases Anti-Spyware Beta 1 To Public Today.
Microsoft.com ^

=================================================

Browser Wars, take two
various FR links | 12-22-04 | The Heavy Equipment Guy
http://www.freerepublic.com/focus/f-news/1306815/posts

...and let your compiler of links drop out of Lurk & Link mode for comment and advice:

Ditch IE. Honest to God, almost anything else will give you fewer problems. Try and compare- use IE, then run Ad-Aware and Spybot Search & Destroy... then try another browser and repeat. You will be stunned at the garbage IE attracts.

Keep your OS updated & patched.

Run a hardware firewall-- with today's LAN's, it's easy. You need a hardware firewall.


44 posted on 03/31/2005 3:24:23 AM PST by backhoe (-30-)
[ Post Reply | Private Reply | To 42 | View Replies]

To: backhoe

Thanks for the post. This makes it really convenient.


45 posted on 03/31/2005 3:36:14 AM PST by P8riot (Growing old is mandatory, growing up is optional.)
[ Post Reply | Private Reply | To 44 | View Replies]

To: P8riot

Thanks for looking.


46 posted on 03/31/2005 3:43:04 AM PST by backhoe (-30-)
[ Post Reply | Private Reply | To 45 | View Replies]

To: Wiz

thanks for the link to spyware blaster -- I'm also switching my browser to firefox


47 posted on 03/31/2005 4:12:18 AM PST by hford02 (I have to get my tinfoil hat refitted -- I keep picking up NPR and Air America)
[ Post Reply | Private Reply | To 14 | View Replies]

To: WileyC

We ought to send an invoice to Bill Gates for all the time that his lousy security and insane design choices cost us.

CWShredder is useful, but the best way to get rid of CoolWebSearch variants is to salvage your data, format your hard drive and do a complete reinstall of OS and applications, a major pain in the a$$. Then install netscape or firefox and use IE only for updating windows. Or better still, buy a Mac or install Linux/OpenBSD/etc.

MS software is like a useful tool with fish hooks and razor blades glued all over the handle. If you reach in there just right, grip it hard, and are VERY careful how you use it, you can get your work done. But one slip...blood all over the place.


48 posted on 03/31/2005 4:33:34 AM PST by Rifleman
[ Post Reply | Private Reply | To 43 | View Replies]

To: TheLion

I got a variant of CWS that behaved nasty as well. It put a key in the registry that was delete protected. Nothing could touch it but manual intervention.


49 posted on 03/31/2005 4:49:03 PM PST by IamConservative (To worry is to misuse your imagination.)
[ Post Reply | Private Reply | To 19 | View Replies]

To: IamConservative

How did you get rid of it....editing the registry?


50 posted on 03/31/2005 8:07:49 PM PST by TheLion
[ Post Reply | Private Reply | To 49 | View Replies]

