[72442] in North American Network Operators' Group
RE: Spyware becomes increasingly malicious
daemon@ATHENA.MIT.EDU (Hannigan, Martin)
Mon Jul 12 12:42:05 2004
From: "Hannigan, Martin" <hannigan@verisign.com>
To: nanog@merit.edu
Date: Mon, 12 Jul 2004 12:37:37 -0400
Errors-To: owner-nanog-outgoing@merit.edu
This appears to have been dealt with at the browser level
in MS Security Bulletin MS03-011.
I have a hard time blaming MS for everything since in most cases
of these things they do react. How do they force the users to update?
Could they implement a switch that says "no update, no working browser"?
At least for IE?
Scob was dealt with via the hammer, this could be too.
There are 39 variants at the moment:
http://www.spywareinfo.com/~merijn/cwschronicles.html
The difficulty in cleaning is due to the variants:
http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder
Disclaimer: That site "looks/feels" credible, but I did just a little
correlation. Thanks.
ARIN:
The IP number for their website is allocated to cogent, but not SWIP'd.
Apparent last mile:
16 p6-0.core01.jfk02.atlas.cogentco.com (66.28.4.82) 107.092 ms 104.713 ms 107.080 ms
17 p5-0.core01.jfk01.atlas.cogentco.com (66.28.4.9) 108.177 ms 108.023 ms 109.115 ms
18 g49.ba01.b001362-1.jfk01.atlas.cogentco.com (66.28.66.42) 106.147 ms 105.769 ms 109.537 ms
19 HyperSpace_Communications.demarc.cogentco.com (66.250.5.30) 110.872 ms 108.745 ms 106.978 ms
20 66.250.74.150 (66.250.74.150) 107.939 ms 108.364 ms 104.599 ms
Apparent Registration:
domain: coolwebsearch.com
status: production
organization: InterWeb Solutions Inc
owner: InterWeb Solutions Inc
email: admin@iweb-commerce.com
address: P.O. Box 362
address: Road Town
city: Tortola
postal-code: 65113
country: IO
admin-c: admin@iweb-commerce.com#0
tech-c: admin@iweb-commerce.com#0
billing-c: admin@iweb-commerce.com#0
nserver: ns1.maximumhost.com
nserver: ns2.rosexxxgarden.com
registrar: JORE-1
created: 2001-06-01 04:51:34 UTC JORE-1
modified: 2004-03-17 14:59:02 UTC JORE-1
expires: 2007-05-31 22:51:23 UTC
source: joker.com
-M
--
Martin Hannigan (c) 617-388-2663
VeriSign, Inc. (w) 703-948-7018
Network Engineer IV Operations & Infrastructure
hannigan@verisign.com
coolwebsearch:
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
> Paul Vixie
> Sent: Monday, July 12, 2004 12:19 PM
> To: nanog@merit.edu
> Subject: Re: Spyware becomes increasingly malicious
>
> somebody, probably sean, mentioned scaling earlier in this thread.
>
> > >> coolwebsearch has become more and more sneaky.. so bad that
> > >> development of cws shredder has been abandoned by its developer..
> ...
> > > the first time only about 3 days ago and I got rid of it in 10 minutes!
> > > I can see how it would be a problem for a newbie but it shouldn't be
> > > anything more than 10 minutes work for anyone here with Windows
> > > experience.
> ...
> > There are dozen of variants, obviously you've seen only one.
>
> so, this bit of spyware (which was resistant to ad-aware as of last week,
> though ad-aware seems to publish a new definition file every day now) relies
> on a web site, and that web site relies on the spyware for its traffic and
> eyeballs, and the spyware and website are owned/operated/"published" by the
> same company. the website does not move around, it's at a fixed location.
>
> the scaling issue, please:
>
> "why does that company still have an internet connection?"
>
> or, to put it less mildly:
>
> "why does that company's provider still have an upstream?"
>
> or, to put it in terms you can all understand:
>
> "why does that provider's upstream still have bgp peers?"
>
> if you give people the means to hurt you, and they do it, and you take no
> action except to continue giving them the means to hurt you, and they take
> no action except to keep hurting you, then one of the ways you can describe
> the situation is "it isn't scaling well."
> --
> Paul Vixie
>