I have had email conversations with a number of people at Sunbelt Software about the ID theft ring they discovered recently. They were kind enough to provide a HijackThis log entry that identifies the keylogger. I promised not to publish it but said I would warn the helpers at the message board to keep an eye out for any victims. Unfortunately, we discovered that dozens of people had been infected. We set about trying to contact them all privately.
Since the HijackThis log entry now has been published elsewhere, including on Sunbelt's web site, I will go ahead and reveal it. Download HijackThis
http://tomcoyote.org/hjt/
and scan the computer. If the following entry is present in the results, then the computer is infected with this spyware and the user(s) of that computer might be victims of identity theft:
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
Sunbelt has created a free tool to remove this trojan safely. If that entry is found on any computer that you are examining or fixing, visit this page
http://research.sunbelt-software.com/ssaclean.cfm
Download the program linked there, then unplug that computer's modem from the internet. Leave it unplugged until after the trojan has been removed. I've submitted the keylogger to several antispyware and antivirus vendors, so they should be detecting it shortly, if they don't already.
Sunbelt has named this trojan Srv.SSA-KeyLogger.
After that has been done, you then have the sad duty to inform the owner of the machine that they may be the victim of identity theft. From an uninfected machine, they need to log into any web site where they have an account and change their passwords. They also should contact their banks and credit card lenders and inform them of the situation.
Based on that HijackThis entry, some of the spyware gurus at the message board obtained a copy of the keylogger and set about examining it in detail. Compared to the browser hijackers and spyware that we see normally, this keylogger is extraordinarily sophisticated.
This keylogger is downloaded and installed by a browser hijacker identified widely as CWS. The computer first has to be infected with a particular variant of this hijacker. After that variant is installed, it downloads this keylogger and then installs it.
At this point, it still is unclear why the hijacker software is installing the keylogger. The person responsible for it might have been paid by a third party to install this file without an explanation of what it does. In that case, the people responsible for the hijacker are unwitting accomplices in this identity theft operation. It is a common practice for one browser hijacker to download and install several others.
CoolWebSearch.com has released a statement denying any involvement with this situation. The statement says that if anyone has evidence that one of their affiliates is involved, they will contact the FBI with information about the affiliate and immediately suspend their account. I have taken them up on their offer and contacted them to find out if the web sites involved in the browser hijacker belong to one of their affiliates. As much as I personally dislike CoolWebSearch, I would hate to finger them for something like this if they are not responsible.
The keylogger also can be installed separately from the browser hijacker by visiting certain web sites. The main pages of these web sites are pay-per-click search portals and have a design very similar to that of coolwebsearch.com and their affiliates.
Once the keylogger is installed, a surprising number of things happen to the infected computer.
Several web sites owned by antivirus and antispyware companies are blocked by modifying the HOSTS file. Mike Burgess of MVPS speculates that since legitimate antimalware web sites are blocked, an infected victim will begin clicking links on the hijacker's web site to find an antispyware program. When that happens, the hijacker ends up being paid for the link referral plus a commission if the victim buys the antispyware program.
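For helpers triaging many logs at once, here is an added example (my own script, not Sunbelt's tool and not part of the original post) that checks two of the indicators described above: the O4 Run-key entry for winldra.exe, and HOSTS-file lines that pin antimalware vendor domains to an address. The vendor domain list and the sample log and HOSTS text are constructed for illustration; the page does not give the real list of blocked sites.

```python
import re

# The only page-specific indicator used here: the published HijackThis O4 entry.
KEYLOGGER_EXE = r"C:\WINDOWS\System32\winldra.exe"

# Illustrative antimalware domains (assumption; the page does not list the blocked sites).
PROTECTED_DOMAINS = ("sunbelt-software.com", "mvps.org", "tomcoyote.org")

# Constructed sample HijackThis output: one benign Run entry and the keylogger entry.
SAMPLE_HJT_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
"""

# Constructed sample HOSTS file: vendor sites redirected to loopback, as the trojan does.
SAMPLE_HOSTS = """
# constructed sample, not a real capture
127.0.0.1       localhost
127.0.0.1       www.sunbelt-software.com   # blocks the vendor's site
127.0.0.1       research.sunbelt-software.com
"""


def find_keylogger_entries(hjt_log: str) -> list[str]:
    """Return every HijackThis O4 (autostart) line that launches the keylogger executable."""
    hits = []
    for line in hjt_log.splitlines():
        line = line.strip()
        # Case-insensitive compare: Windows paths are not case sensitive.
        if line.startswith("O4 - ") and line.lower().endswith(KEYLOGGER_EXE.lower()):
            hits.append(line)
    return hits


def find_hosts_blocks(hosts_text: str, protected=PROTECTED_DOMAINS) -> dict[str, str]:
    """Map each protected vendor hostname found in a HOSTS file to the address it is pinned to.

    Any such mapping is suspicious: a clean HOSTS file has no reason to mention vendor sites.
    """
    blocked = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        addr, *names = re.split(r"\s+", line)
        for name in names:
            if any(name == d or name.endswith("." + d) for d in protected):
                blocked[name.lower()] = addr
    return blocked
```

Run it over a real log by reading the HijackThis output and C:\WINDOWS\system32\drivers\etc\hosts into the two functions; a non-empty result from either is grounds for the removal and password-reset steps above.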
I should point out that any antispyware companies advertising on such web sites nearly always are found in the Rogue Antispyware list and are not recommended.