spyware and id theft
- briannell
- 2nd Team All-BobcatNation
- Posts: 1223
- Joined: Mon Sep 13, 2004 11:49 am
Spyware Researchers Discover ID Theft Ring
Ryan Naraine - eWEEK
Mon Aug 8, 10:43 AM ET
Spyware researchers picking apart one of the more notorious spyware programs have stumbled upon what appears to be a massive identity theft ring hijacking confidential data from millions of infected computers.
Sunbelt Software Inc., makers of the enterprise-grade CounterSpy spyware protection product, made the discovery during an audit of "CoolWebSearch," a program that routinely hijacks Web searchers, browser home pages and other Internet Explorer settings.
During the research, Sunbelt researcher Patrick Jordan deliberately installed the "CoolWebSearch" application on a machine and immediately noticed that the infected system became a spam zombie that was placing callbacks to a remote server.
When Jordan visited the remote server, he was shocked to find that it was being used to distribute sensitive personal information from millions of PC users infected by the spyware application.
"We found the keylogger transcript files that are being uploaded to the servers. We're talking real spyware stuff…chat sessions, usernames, passwords, bank account information, full names, addresses," said Sunbelt president Alex Eckelberry.
In an interview with Ziff Davis Internet News, Eckelberry said the sophistication of the operation suggests it's the work of a "massive identity theft ring" that used keystroke loggers to grab confidential information that could be used to create fake online identities.
"I'm not being dramatic. This is the most repulsive thing I've ever seen. It's very painful to see what's in these log files that are being uploaded in real time. We're seeing a lot of bank information and usernames and passwords to get in," Eckelberry said.
He said the log files included logins to one business bank account with more than $350,000 and another small company in California with over $11,000, readily accessible.
"There are lots of eBay account information and names and addresses of the people owning those accounts. Names, passwords, all matched up," Eckelberry added.
He said the server, which is hosted out of a data center in Texas, was effectively a "massive repository of stolen data" that was being replenished in real time.
"As the [log] file gets to a certain size, it gets taken down and a new file starts generating. This goes on nonstop. We've been watching it for a few days while trying to get to the FBI, and it just keeps growing and growing."
While the site is being hosted in the United States, Eckelberry said the domain name is registered to an offshore company.
Eckelberry said the huge size of the log files is a clear indication that thousands of machines are pinging back daily.
In some cases, where users appeared to be at immediate risk of losing a considerable amount of money, Sunbelt has contacted the affected individuals.
Eckelberry said the "CoolWebSearch" payload included a typical adware download that immediately scanned the infected machine for e-mails to use for spam runs. It then sets up a "very intelligent keylogger" that looks for very specific information.
"This won't get caught by a typical anti-spyware application," he said, noting that the keystroke logger was able to pick up identity-related data for delivery to the remote server.
Copyright © 2005 Ziff Davis Inc. All Rights Reserved.
Rebecca
- - - - - - - - - - - - -
Please donate to PEDS cancer research-
a cure is just around the bend
support mastiff rescue
www.mastiff.org
- '93HonoluluCat
- BobcatNation Team Captain
- Posts: 433
- Joined: Tue Sep 14, 2004 3:12 am
- Location: Honolulu, HI
- BobcatLionFan
- 2nd Team All-BobcatNation
- Posts: 1084
- Joined: Mon Sep 27, 2004 2:19 pm
- Location: Sunny area of the world
'93HonoluluCat wrote: Spybot S&D is your best friend in this case--and it's free.

Actually there are three packages I would recommend.
Ad-Aware SE Personal (Free)
Spybot Search and Destroy (Free as noted above)
Microsoft AntiSpyware (Beta - currently Free)
Each cleans up something different (with some overlap). Just make sure you update the datafiles before running them. If you run all three periodically you shouldn't have a huge problem. The only thing that they appear to miss is URL hijacking and if this happens, the easiest thing is to just reformat your HDD and reload the OS.
- briannell
- 2nd Team All-BobcatNation
- Posts: 1223
- Joined: Mon Sep 13, 2004 11:49 am
have stupid Trojan virus that keeps popping up. tried to kill it, but it won't die. will these work to clear my computer of it? using back up computer, so i don't spread it.
-rebecca
Rebecca
- - - - - - - - - - - - -
Please donate to PEDS cancer research-
a cure is just around the bend
support mastiff rescue
www.mastiff.org
- '93HonoluluCat
- BobcatNation Team Captain
- Posts: 433
- Joined: Tue Sep 14, 2004 3:12 am
- Location: Honolulu, HI
briannell wrote: have stupid Trojan virus that keeps popping up. tried to kill it, but it won't die. will these work to clear my computer of it? using back up computer, so i don't spread it.
-rebecca

Honestly, I would just admit a losing battle against the Trojan, reformat your hard drive, and reinstall your software.
In reality, if the Trojan was written well enough, it will probably "break" the inner workings of the antispyware, and quite possibly any of your antivirus program(s).
Safest way to go is to completely wipe the HD, and reinstall your software. Make sure all the patches to your version of Windows are applied before hopping online with it. Nowadays it only takes about 12 minutes for an unprotected computer to be hijacked.
- '93HonoluluCat
- BobcatNation Team Captain
- Posts: 433
- Joined: Tue Sep 14, 2004 3:12 am
- Location: Honolulu, HI
BobcatLionFan wrote:
'93HonoluluCat wrote: Spybot S&D is your best friend in this case--and it's free.
Actually there are three packages I would recommend.
Ad-Aware SE Personal (Free)
Spybot Search and Destroy (Free as noted above)
Microsoft AntiSpyware (Beta - currently Free)
Each cleans up something different (with some overlap). Just make sure you update the datafiles before running them. If you run all three periodically you shouldn't have a huge problem. The only thing that they appear to miss is URL hijacking and if this happens, the easiest thing is to just reformat your HDD and reload the OS.

I find S&D (with its new Registry Change Blocker), coupled with a dose of common sense when surfing, keeps my Windows box completely clean. Other users' mileage, of course, may vary.
EDIT: I will absolutely never trust the Microsoft Antispyware, and will not recommend it to anyone. Since Microsoft looked into buying Claria, they have removed Claria (the makers of Gator) from the blocker.
2ND EDIT: I think the best answer is to switch to Mac OSX and use Firefox!

- BobcatLionFan
- 2nd Team All-BobcatNation
- Posts: 1084
- Joined: Mon Sep 27, 2004 2:19 pm
- Location: Sunny area of the world
'93HonoluluCat wrote: EDIT: I will absolutely never trust the Microsoft Antispyware, and will not recommend it to anyone. Since Microsoft looked into buying Claria, they have removed Claria (the makers of Gator) from the blocker.
2ND EDIT: I think the best answer is to switch to Mac OSX and use Firefox!

All three recommended (Spybot, Ad-Aware, and MS Antispyware) do not find all the items if run alone. You can run either first and then the other two will STILL find issues. MS has its attachments with Claria, but Spybot and/or Ad-Aware will then find the MS missed items and clear them out. Likewise, Spybot misses items and MS and Ad-Aware find and clear those items.
And, actually, all three do not find and/or correct some things (like hijacking the URL by some nasty people) which is a REALLY nasty thing.
What you use and why is open for debate. Wise surfing only goes so far.
Use of MAC does help simply because it is out of the mainstream and hackers don't spend time on seldom used products (no fun for them and not profitable). This statement doesn't mean a MAC isn't powerful or user friendly. UNIX (Linux) has the same advantages on an INTEL machine, but likewise it is out of the mainstream.
Possibly the best solution is to go Windows, but don't use IE as the browser.
The reason to use all three packages to clean your machine is to really protect the performance of your machine (slows down by a huge amount if a software package is sending all your private information across the internet) and to protect your identity. The really nasty pirating can really screw over your finances.
The problem most people have is that they are not necessarily the only person using the PC. Their kids or friends use it too at times and then there is NO SAFE surfing. Also, some people use Limewire, or some other type of file transfer and they are just Sh*t out of luck.
I do understand Spybot is good and I do use it religiously, but I would rather err on the safe side and remove as much as I can (whether I like Microsoft or not) so I use all three. I also use Windows simply because it's the standard between work and home.
- briannell
- 2nd Team All-BobcatNation
- Posts: 1223
- Joined: Mon Sep 13, 2004 11:49 am
is this how i got the trojan virus on my PC? I'm going to take HC93's advice this weekend and attempt to "fix" my other pc, but am i still going to get these after I install the programs suggested? sorry not a computer guru
-rebecca
Variants of Spreading Windows Worm Emerge
By GREG SANDOVAL, AP Technology Writer
43 minutes ago
Several new variants of a computer worm emerged Wednesday to attack corporate networks running the Windows 2000 operating system, just a week after Microsoft Corp. warned of the security flaw.
As experts predicted, the Windows hole proved a tempting target for rogue programmers, who quickly developed more effective variants on a worm that surfaced over the weekend and by Tuesday had snarled computers at several large companies.
Among companies affected by the worm and its variations were ABC, CNN, The Associated Press, The New York Times and Caterpillar Inc. In California, San Diego County said it needed to cleanse 12,000 computers of the bug. ABC News producers had to use electric typewriters Tuesday to prepare copy for their "World News Tonight" broadcast, according to spokesman Jeffrey Schneider.
On Wednesday, four new variants of the worm had been detected by F-Secure Corp. in Finland, bringing the total to 11, said Mikko Hypponen, the company's manager of anti-virus research. He said the creators of the variations had programmed them to compete with each other — one worm will remove another from an infected computer.
Estimates of how many computers are affected are difficult to come by because the worm travels directly over Internet connections rather than through e-mail. But Hypponen said reports of problems were isolated in Europe and Asia, and it appeared the worst damage was happening on U.S. computers.
That means this worm will likely create far less havoc than other notable exploits in recent years, such as Sasser or Blaster, he added.
Most anti-virus companies rated the threat as low to moderate Wednesday morning. McAfee Inc. considered one variant of the worm a high risk, but it categorized other versions as low risk.
The worms were causing the most problems at companies with large, networked computer systems, rather than among individual computer users, David Perry, a security analyst at Trend Micro Inc., a computer security company, said Tuesday. The worms can attack a system without needing to open any software, so some users would be infected without knowing it.
Microsoft Corp. released a "critical" patch Aug. 9 for the vulnerability, which is most severe on Windows 2000 systems. Those computers can be accessed remotely through the operating system's "Plug and Play" hardware detection feature. Protective patches, plus instructions for remedying infected systems, are posted on Microsoft's Web site.
Companies that were slow to bolster their systems when Microsoft issued its security alert about the flaw may have left themselves vulnerable to the worm, said David Maynor, a security researcher with Atlanta-based Internet Security Systems Inc.
He said some IT professionals who considered their networks safe because they run Windows XP or 2003 were mistaken. The worms are automated Internet "bots" that need find only one unprotected computer running Windows 2000 within a network to propagate in the system.
Perry said the worm copies itself and then searches networks for other unprotected machines, causing no damage to data but clogging networks and rebooting its host computer.
"We did not see a widespread or fast spread of this in the first 24 hours," said Debby Fry Wilson, director of Microsoft's Security Response Center. "Over the last 24 hours, we've seen variance, where other hackers will take the work and try to unleash a variant of the worm. So the worm continues to take on different forms."
Caterpillar worked Tuesday to clean up effects from the worm, which disrupted computer operations at several company plants and offices over the weekend, the Peoria Ill.-based heavy equipment maker said. The problem was controlled by Monday afternoon, company spokesman Rusty Dunn said.
San Diego County officials assembled a 200-person team to mend the computers and said it could fix about 3,000 a day.
___
On the Net:
Microsoft Security site http://www.microsoft.com/technet/security/default.mspx

Rebecca
- - - - - - - - - - - - -
Please donate to PEDS cancer research-
a cure is just around the bend
support mastiff rescue
www.mastiff.org
- BobcatLionFan
- 2nd Team All-BobcatNation
- Posts: 1084
- Joined: Mon Sep 27, 2004 2:19 pm
- Location: Sunny area of the world
A simplified answer to help define SpySoftware vs worm vs virus.
A virus typically is something that comes to you in an email attachment and sometimes (less likely) in the body of an email. When you open the attachment, it executes software that writes itself to your PC disk. Some are nasty (they try to destroy files on your PC and make it unusable). Some are relatively benign. Most try to then send themselves to other PCs by using your address list via emails from your machine that you have no idea are being sent. They come from you and mess up your friends and business associates.
A worm is something that digs into your machine and then tries to dig into other machines on the same LAN or across the internet. The recent problem with 2000 (identified in the message above concerning San Diego) is a worm taking advantage of a crack in MS 2000. This problem is fixed by Microsoft if you have the most recent updates to 2000 (available last week). You can update your machine easily via IE (the Browser Internet Explorer) or clicking Start at the bottom left of your screen and there should be a Windows update selection in the popup box.
Spyware is software that is loaded typically by you saying OK when asked. Most all the file sharing internet applications (like Limewire, Katsu, etc) get their money by putting software on people's machines. This Spyware can be nasty or benign again. The benign simply sends your surfing preferences across the internet to monitoring services. It will also show popup ADs on your machine. The nasty versions sit in your machine and try to capture all the passwords that you enter (to Quicken, Bank accounts accessed via the internet, etc), also your Credit Card information (or PayPal information on Ebay). It then sends all this information and any confidential information you might have on your PC (such as Quicken files, TAX Files, etc) to a server across the internet. This can obviously be very nasty in the worst forms (and this is expanding).
URL Hijacking - This is where IE (your browser) is affected. When you bring it up, something changes your home page, adds links to your favorites list (the links tend to be porn links), etc. Typically caused by some user of your PC (not necessarily you) going to a web site that takes over your browser. When you are infected with this, to clean it is tough. Even for the computer people. With some, it's easier to reformat the disk (losing everything) and reload the OS and applications. (A day of work). But to truly clean it, it probably takes more time and then might not be gone. The Hijacking URL can actually stop you from getting Windows updates and other critical services.
SOLUTIONS you ask:
Virus - Well there are multiple Anti-Virus packages (McAfee, Norton, etc). You buy an annual license and you should set it up so you get periodic updates to the viruses data files. This software will also scan your machine and detect if there is one there and clean it for you.
Worm - The Virus software helps here also, but keeping your Windows updated is important. In the past, updates were typically for only correcting problems and typically not needed for most people. Now, seems like most are to fix holes that nasty people are finding and trying to get worms into. Also, FIREWALLs are great things here. It stops people from coming into your machine from the outside (across the internet).
Spy Software - This is the SpyBot, Ad-Aware, and Microsoft. You have to run these fairly often and get updates. As I said earlier, there is NO ONE package that finds them all. Most give you an idea of if the package identified is nasty or benign and gives you a choice to remove it. Some if you remove will stop the application from working that you loaded (such as Limewire). You might choose to keep it (if benign).
After running these packages the first time, you will be surprised how much faster your PC is running again (back to like it was when it was new).
HiJack URL - some of the packages (like Microsoft Anti-spyware - I know people don't like it) do help. You can place security on your browser so that it monitors anything that wants to change a URL and/or home page. It will display a popup that will ask if you want this done and tells you what is being requested. You will probably be surprised because you are unaware it is happening. You can choose to say no or yes. The other protection is to just not visit some sites (which ruins all your fun).
I'm sure others have better definitions and recommendations, but this is a starting point.
Save the earth. It's the only planet with chocolate.
- '93HonoluluCat
- BobcatNation Team Captain
- Posts: 433
- Joined: Tue Sep 14, 2004 3:12 am
- Location: Honolulu, HI
BLF had a great rundown on the differences between viruses, spyware, and worms, so I won't attempt to amend his excellent summary.
The first line of defense has got to be a firewall of some sort. I have a Linksys router at home (it acts as a hardware firewall), but am in the process of building a PC box into a dedicated firewall that will run Linux as the Firewall OS.
I beg you not to trust solely in Microsoft's firewall that was included in Windows XP Service Pack 2--there have been several folks that have penetrated its "protection"--mainly by pushing packets of data that masqueraded as legitimate data.
Anyway, your second line of defense should be your browser. IE is not a good choice. It is far too easy to dupe IE into accepting malicious code as legitimate, as well as any other holes that Microsoft hasn't fixed yet. Firefox is my browser of choice, and it is absolutely superb. No more pop-up ads, and I've downloaded an extension to block any ads from websites I visit. It really is a thing of beauty.
Thirdly, smart surfing (and emailing) should be the norm. Don't accept attachments from anyone, unless you are expecting them. When surfing, don't allow any website to install anything, unless you were actively seeking that piece of software.
Finally, the myriad anti-spyware programs (the good ones are free) will catch whatever chaff you may have picked up from anywhere. It really shouldn't catch much, though--I can't remember the last time Spybot or AdAware found anything on either my Mac or my PC.
This analogy just popped into my head: web surfing is like sex. Abstinence is the best policy, but if you're going to "do it", use protection, and be informed.
Aside:
I switched from Windows to Mac as my main OS because of the many security holes in Windows--some Microsoft doesn't even acknowledge as vulnerabilities (they label them as "features")--and have never looked back. The only reason I still have a PC is that my wife is more comfortable on that machine, and my two girls have their Dora, VeggieTales, and Pooh games on it.
Bobcat Lion Fan wrote: Use of MAC does help simply because it is out of the main stream and hackers don't spend time on seldom used products (no fun for them and not profitable). This statement doesn't mean a MAC isn't powerful or user friendly. UNIX (Linux) has the same advantages on an INTEL machine, but likewise it is out of the mainstream.
Possibly the best solution is to go Windows, but don't use IE as the browser.
- BobCatFan
- 2nd Team All-BobcatNation
- Posts: 1389
- Joined: Mon Mar 29, 2004 8:28 pm
- Contact:
- briannell
- 2nd Team All-BobcatNation
- Posts: 1223
- Joined: Mon Sep 13, 2004 11:49 am
- Contact:
Thank you from this tech-challenged mommy. I will get help wiping the drive and reinstalling the software (I have never done that before) and get a good anti-virus program.
As for the MAC comment. Why would I support Steve Jobs, he's competition?

Rebecca
- - - - - - - - - - - - -
Please donate to PEDS cancer research-
a cure is just around the bend
support mastiff rescue
www.mastiff.org
- tailbone
- BobcatNation Letterman
- Posts: 122
- Joined: Fri May 21, 2004 7:17 pm
Here's a free virus (& worm) scanner.
http://www.download.com/Avast-Home-Edit ... 75520.html
It is very good (featuring real-time updates and boot-time scans).
You will need to register but it is free.
I have recommended or installed for many home clients and have had very good results.
The boot scan can be useful when virus cleaning from within Windows is difficult.
- BobcatLionFan
- 2nd Team All-BobcatNation
- Posts: 1084
- Joined: Mon Sep 27, 2004 2:19 pm
- Location: Sunny area of the world
Good luck on cleaning your machine. It's not as hard as you might expect.
As for MACs, they are good machines/software, however it is a niche marketplace. The users with those products are very happy with it, however, the PC environment has a 1000 times more people trying to extend its capabilities. Thus moving into the future the PC will continue to increase the gap.
As for no viruses, true enough, the hackers just don't want to spend their time to piss off only a handful of loyal zealots. But those zealots are happy zealots.
First step is virus protection (it screws up your machine), then spyware (it steals your information and slows it down), finally a Firewall (just because it is more difficult to set up and there are fewer people trying to get into single machines (they tend to go after networks, big companies/schools)).
Honestly I've never looked at firefox, but I am going to with the recommendation above. It should be interesting. I was reading about the new browsers (next generation) in a PC magazine and meant to.
Again, good luck.
BLF
Save the earth. It's the only planet with chocolate.
- BobcatLionFan
- 2nd Team All-BobcatNation
- Posts: 1084
- Joined: Mon Sep 27, 2004 2:19 pm
- Location: Sunny area of the world
tailbone wrote: Here's a free virus (& worm) scanner.
http://www.download.com/Avast-Home-Edit ... 75520.html
It is very good (featuring real-time updates and boot-time scans).
You will need to register but it is free.
I have recommended or installed for many home clients and have had very good results.
The boot scan can be useful when virus cleaning from within Windows is difficult.

These free guys do work well, the problem is they lag behind in finding new and nasty viruses. Being free, it's a hobby by someone and they cannot keep up with all the latest viruses. The big boys don't charge much and they have large staffs of programmers just looking at viruses and they respond immediately to look at new viruses. Most of the time you hear about a NEW NASTY virus on the news and Norton and McAfee have already found the solution and have a fix.
If you can afford the $30 yearly, it's well worth it. If you get a virus, you will wish you had paid the 30.
The key is to keep your Virus data file current (at least weekly if not daily). This is free and easy once you get your license.
Also, many of these also provide you a firewall (some protection) and such. Choice is yours.
Save the earth. It's the only planet with chocolate.
- briannell
- 2nd Team All-BobcatNation
- Posts: 1223
- Joined: Mon Sep 13, 2004 11:49 am
- Contact:
BLF-
My reference to MAC being competition has nothing to do with them being bad products. MAC is good, just my family is heavily involved with Sun and there's a "friendly" feud between MAC, Sun, HP, and Microsoft, goes back to the early '80s. Actually Steve Jobs is a nice man and attended the Touch of Liberty ceremony for my uncle Robert Sackman (Sun capitalist) and his funeral. Has known the family since the late '70s.
I thank you for your PC knowledge, as I am not a tech girl. I'm a happy broodmare.

Rebecca
- - - - - - - - - - - - -
Please donate to PEDS cancer research-
a cure is just around the bend
support mastiff rescue
www.mastiff.org
- tailbone
- BobcatNation Letterman
- Posts: 122
- Joined: Fri May 21, 2004 7:17 pm
Avast is not a "hobby" AV.
Avast is produced by Alwil, who has enterprise products as well.
The free home version is less configurable than their commercial version, but is very good (the free version, I'm sure, is meant as an inducement to upgrade to the commercial professional version). As I stated, updates occur in real time and, believe it or not, in some cases they have beaten SARC to the punch. Check out their website www.avast.com
In any event, I do this for a living (and have since 1981...yeah, I'm old.) and have no problem recommending Avast. For a free product, it is very good and in most cases is at least as good as commercial AV programs.
If you are going to spend money on a product, as much as I like Symantec AV corp. ed., I would recommend Trend "PC-Cillin internet security" as the best all around solution. Cost is about 50.00/year.
PC-Cillin is better at non-Virus threats than Norton.
I would still, however, recommend regular scans with Spybot, Adaware, MS-antispyware beta and also recommend spyware blaster for some inoculation against vulnerabilities.
Webroot spysweeper is also a good product (one of the best) but costs about 30.00/year.
As for Firefox (Browser) I use it more often than not and generally only use Internet explorer for trusted sites that are not Firefox friendly.
- '93HonoluluCat
- BobcatNation Team Captain
- Posts: 433
- Joined: Tue Sep 14, 2004 3:12 am
- Location: Honolulu, HI
BobcatLionFan wrote: As for no viruses, true enough, the hackers just don't want to spend their time to piss off only a handful of loyal zealots. But those zealots are happy zealots.
I rather think the BSD backbone of OS 10.3+ is the reason behind the lack of hacks and viruses (virii?) for the Mac OS. There are some determined people out there, and there have been VERY few exploits for BSD.

Bobcat Lion Fan wrote: First step is virus protection (it screws up your machine), then spyware (it steals your information and slows it down), finally a Firewall (just because it is more difficult to set up and there are fewer people trying to get into single machines (they tend to go after networks, big companies/schools)).
Just make sure all your software is updated with the latest patches before bringing it back online...or else you'll end up at square 1.

Bobcat Lion Fan wrote: Honestly I've never looked at firefox, but I am going to with the recommendation above. It should be interesting. I was reading about the new browsers (next generation) in a PC magazine and meant to.
You won't regret it. Tabbed browsing, more extensions than you can shake a stick at, etc...wonderful stuff. If you need a list of some of the better extensions, just go to https://addons.mozilla.org/?application=firefox
- tailbone
- BobcatNation Letterman
- Posts: 122
- Joined: Fri May 21, 2004 7:17 pm
BobcatLionFan wrote: Good luck on cleaning your machine. It's not as hard as you might expect.
........
First step is virus protection (it screws up your machine), then spyware (it steals your information and slows it down), finally a Firewall (just because it is more difficult to set up and there are fewer people trying to get into single machines (they tend to go after networks, big companies/schools))....
Again, good luck.
BLF

There is an adage regarding viruses and spyware that is very good to remember.
"A virus can ruin your computer - Spyware can ruin your life."
From http://www.idtheftcenter.org/facts.shtml
FACTS & STATISTICS
More than ever, the information explosion, aided by an era of easy credit, has led to the expansion of a crime that feeds on the inability of consumers to control who has access to sensitive information and how it is safeguarded. That crime is identity theft.
Please note: ITRC's 2003 study, Identity Theft - The Aftermath - 2003, is now out. It is filled with information and was co-written with Dr. Dale Pletcher (CSU Sacramento, Economics Dept.).
Identity theft remains the #1 concern among consumers contacting the Federal Trade Commission. Their fears are not unfounded. The facts on identity theft speak for themselves.
According to 2 studies done in July 2003 (Gartner Research and Harris Interactive), approximately 7 million people became victims of identity theft in the prior 12 months. That equals 19,178 per day, 799 per hour, 13.3 per minute.
The incidence of victimization increased 11-20% between 2001-2002 and 80% between 2002-2003 (Harris Interactive). This same study found that 91% of respondents do not see an "end to the tunnel" and expect a heavy increase in victimization. 49% also stated that they do not feel they know how to adequately protect themselves from this crime.
The new ITRC study, Identity Theft: The Aftermath, reveals the following:
1. Victims now spend an average of 600 hours recovering from this crime, often over a period of years. Three years ago the average was 175 hours of time*, representing an increase of about 2470%.
2. Based on 600 hours times the indicated victim wages, this equals nearly $16,000 in lost potential or realized income.
3. While victims are finding out about the crime more quickly, it is taking far longer than ever before to clear their records and recover from the situation.
4. Even after the thief stops using the information, victims struggle with the impact of identity theft. That might include increased insurance or credit card fees, inability to find a job, higher interest rates and battling collection agencies and issuers who refuse to clear records despite substantiating evidence of the crime. This "tail" may continue for more than 10 years after the crime was first discovered.
5. Based on the ITRC study, today the business community loses between $40,000 - $92,000 per name in fraudulent charges, based on reported fraud losses seen by surveyed victims. While this conflicts with other findings by other groups, there was a wide range of responses by the ITRC study respondents. The answer is that we may never know the true financial impact of this crime due to mis-classification of identity theft crime definitions by the business community and by victims.
6. The emotional impact on victims is likened to that felt by victims of more violent crime, including rape, violent assault and repeated battering. Some victims feel dirty, defiled, ashamed and embarrassed, and undeserving of assistance. Others report a split with a significant other or spouse and of being unsupported by family members.
7. Today victims spend an average of $1,400 in out-of-pocket expenses, an increase of 85% from years past.
8. Approximately 85% of victims found out about the crime due to an adverse situation - denied credit or employment, notification by police or collection agencies, receipt of credit cards or bills never ordered, etc. Only 15% found out through a positive action taken by a business group that verified a submitted application or a reported change of address.
9. Victims report a lack of responsiveness from those entities to whom they turned for help similar to results reported in 2000*. These include police, collection agencies, credit issuers, utility companies and financial institutions.
As the purpose of some types of spyware is identity theft, I think it is a more significant threat than viruses. With good computer habits, you can recover from virus attacks with little more damage than an annoying rebuild. Spyware often goes unnoticed until long after its damage is done.
- BobCatFan
- 2nd Team All-BobcatNation
- Posts: 1389
- Joined: Mon Mar 29, 2004 8:28 pm
- Contact: