Skip to comments.CoolWebSearch, Dubbed Adware's "Ebola," Tops Spyware Threat List
Posted on 03/30/2005 9:34:51 PM PST by Eagle9
CoolWebSearch, adware that generates more than $300 million a year for its maker, is the "Ebola" of adware, and easily the most significant spyware threat on the Internet, an anti-spyware security firm said Wednesday.
CoolWebSearch, which comes in multiple forms, can hijack Web search errors, usurp the browser's home page, and modify other Internet Explorer settings. Recent variants have taken to exploiting vulnerabilities in IE, such as those in the HTML Help system, to install on PCs.
"It's only purpose is to get on a PC, and stay on that PC, even at the cost of killing that machine," said Richard Stiennon, the vice president of threat research for Boulder, Colo.-based Webroot, which publishes the Spy Sweeper line of anti-spyware software.
According to Webroot, nearly half of the PCs it's audited for spyware or adware are infected with CoolWebSearch.
"It's the Ebola of the Internet," said Stiennon. "It's so malicious that it tends to break the ability of a machine to browse effectively, and therefore limits the number of ads and click-throughs that can be generated. Like Ebola, it kills its host before it can be productive."
Webroot's newest Top 10 list -- it releases a list of the ten most significant spyware/adware threats every quarter -- is based on the free spyware audits it conducts from its own Web site, and those it runs in cooperation with EarthLink, the Atlanta-based ISP.
"We rank programs on both prevalence and perniciousness," said Stiennon.
Second on Webroot's list is Gator/GAIN, adware that may display banners ads based on Web surfing habits. Gator is a long-time adware package that often gets on systems because it's bundled with free software, most notably the P2P file-sharing program Kazaa. By the SpyAudit scanning results, Gator/GAIN is on about 15 percent of all machines.
"If we take the leap and assume that the sample is representative of the Internet in total, we can estimate how many machines have Gator," said Stiennon. His best guess: 38.4 million PCs. Others on Webroot's list include (in descending order), 180search Assistant, ISTbar/Aupdate, Transponder, Internet Optimizer, BlazeFind, Hot as Hell, Advance Keylogger, and TIBS Dialer. Most are adware in composition -- not that that means they're benign; they typically hijack search errors and re-direct them to another site, and/or blitz the PC with endless popups -- but some are true spyware.
"We're finding keyloggers on about 15 percent of the machines audited," said Stiennon, "and Advanced Keylogger is the most prevalent right now. It's on relatively few machines -- about 9,000 that we've found -- but a keylogger on that many PCs is a scary concept in and of itself.
"Spyware writers are continuing to innovate and find new, more deviant ways to infiltrate systems," said Stiennon. "The increased presence of hijackers, dialers, and keyloggers demonstrates that the new trend for these threats is to go straight for the jugular."
Spyware/adware writers are doing that for one reason: money.
Stiennon, who has analyzed the spyware/adware economy, has come up an average cash flow per "customer installation" per year of $2.40. For each system infected, then, he estimates that the adware author generates $2.40 annually in pop-up fees, redirect fees, and other charges.
His cash-flow projection for the creator of CoolWebSearch -- which using his formula may be on more than 127 million machines worldwide -- is thus $306 million. The company behind Gator/GAIN -- the Redwood City, Calif.-based Claria -- is bringing in around $92 million a year, while 180search Assistant is raking in $86 million.
"These guys make spammers look like two-bit back alley operations," said Stiennon. "No wonder there's a gold rush to get in on this."
And no wonder some adware firms are pushing anti-spyware vendors to "de-list" them from their detection and deletion scanners.
The most recent such move was by Computer Associates, which sells the PestPatrol anti-spyware line after acquiring the company in 2004. Last week, CA removed all Claria products -- including Gator/GAIN -- from its database under its Vendor Appeal program.
CA has been criticized in the past for de-listing software other anti-spyware vendors continue to list as malicious, and even Microsoft has backed down in at least one instance.
"One reason Webroot publishes the Top 10 list," said Stiennon, "is to help provide an idea of the scope of the whole spyware and adware issue, so that going forward, as the discussion of adware heats up and definition battles with the vendors begin, people will have some basic information about the extent of the problem."
I've used PestPatrol, along with other anti-spy/adware, for the past two years. It was a good program that just became a worthless.
(Denny Crane: "Sometimes you can only look for answers from God and failing that... and Fox News".)
There's a better idea - don't use IE.
Better yet, get a Mac.
Install Luinx, problem solved.
I use Spybot Search & Destroy.
Current release is v1.3
One warning, if you see that it's not finding any updates it likely means that there's a new version available (they don't tell you automatically). Still, the price is right.
Download "cwshredder" - if you have CoolWebSearch, this will find and delete it.
The bastards are determined to destroy a magnificent technology.
Is this some new breed of OS?
Thanks for the advice, but I've avoided CWS, so far.
Spybot S&D is one of several anti-spyware programs that I run on a regular basis.
I had Cool Web Search installed and Spybot Search & Destroy did not get rid of it.
I agree -- use Firefox.
These will keep most of the bad stuff away and will alert you if browser is configured in an unsafe way.
This virus has become more devious.
I had this CW infection that kept coming back after you would think you had deleted it. CW shredder was useless. So was SPYBOT, Hijackthis and Adware and Microsoft AntiSpyware. It was a vicious circle.
I finally, after figuring out what processes were causing the return, got hold of X-raypc. Cool program, free and small. It gives you info on all running processes and lets you off load them and/or delete the file causing the running process. Careful what you delete!
Check it out:
Did S&D find it tho' ?
thanks for the info
Nope. This stuff exploits holes in how IE loads pages and handles BHOs. The new modifications help a little, but to really fix the hole they would have to rewrite IE.
It is a miracle program.
I wonder why CWShredder worked for me. Other variations of Cool Web Search much more devastating?
CWS Shredder will take care of this.
When I get a brain slug, I'll get a Mac.
You were fortunate. There are apparently all kinds of variations. This site taught me a lot:
Now if someone could tell us which of the processes, one actually needs, we could offload the rest...lol.
Actually I am learning what they all do. If you use Hijackthis you will get to recognize some of them.
Just ask backhoe...lol.
Nah, it seems there is no program that will detect and remove them all.
Download "cwshredder" - if you have CoolWebSearch, this will find and delete it.
Backhoe gave me the link to the spyware forum.
Or get Mosaic... Ok, that was to old for a joke. :)
Sounds like CWS needs to be introduced to a Columbian necktie party. Or at least start with them.
He's Got A Plan
Seven Dead Monkeys Page O Tunes
Firefox gives a better browsing experience and is less vulnerable.
I also use Spybot Search and Destroy both at home and on our office computers - about 30 of them. It has some very good advanced features such as locking the hosts file and a very nice interface to examine and manipulate startup settings - takes a while to get familar with everything, but it's worth it. Having said that, I think there is still room in the marketplace for a commercial anti-spyware product that would be easier for the average user to understand and configure. hmmmm...
CWShredder is a magnificient program but, much like real life viruses, the spyware 'diseases' are constantly evolving. This is not something that you can run and expect that your machine will be clear forever. On all the adware/spyware removal tools, you have to download new additions constantly and also take steps to secure your system as well.
[I once spent 3 days getting CoolWebSearch off of my wife's machine because NONE of the tools at the time would do the trick. I won in the end, though!]
|Browser Wars, take two
various FR links | 12-22-04 | The Heavy Equipment Guy
...and let your compiler of links drop out of Lurk & Link mode for comment and advice:
Ditch IE. Honest to God, almost anything else will give you fewer problems. Try and compare- use IE, then run Ad-Aware and Spybot Search & Destroy... then try another browser and repeat. You will be stunned at the garbage IE attracts.
Keep your OS updated & patched.
Run a hardware firewall-- with today's LAN's, it's easy. You need a hardware firewall.
Thanks for the post. This makes it really convenient.
Thanks for looking.
thanks for the link to spyware blaster -- I'm also switching my browser to firefox
We ought to send an invoice to Bill Gates for all the time that his lousy security and insane design choices cost us.
CWShredder is useful, but the best way to get rid of CoolWebSearch variants is to salvage your data, format your hard drive and do a complete reinstall of OS and applications, a major pain in the a$$. Then install netscape or firefox and use IE only for updating windows. Or better still, buy a Mac or install Linux/OpenBSD/etc.
MS software is like a useful tool with fish hooks and razor blades glued all over the handle. If you reach in there just right, grip it hard, and are VERY careful how you use it, you can get your work done. But one slip...blood all over the place.
I got a variant of CWS that behaved nasty as well. It put a key in the registry that was delete protected. Nothing could touch it buyt manual intervention..
How did you get rid of it....editing the registry?