December 21, 2004 9:30 AM PST

Worst spyware queues up

Beware of CoolWebSearch, a program that can change Microsoft Internet Explorer's security settings and wreak havoc on computers.

Anti-spyware company Webroot Software said Tuesday that CoolWebSearch self-installs malicious HTML applications and exploits security flaws in IE.

"This has vexed all of us," said Nick Lewis, managing director of Boulder, Colo.-based Webroot. "For consumers, CoolWebSearch is probably one of the most vicious programs in terms of how nasty it is. It completely hijacks the browser so you can't do anything."

CoolWebSearch is the most dangerous program on Webroot's latest list of the 10 worst spyware and adware threats. Webroot's list of top 10 threats also includes:

•  PurityScan, a program that displays pop-up ads and claims that it can delete pornographic images on the person's computer.

•  Transponder (vx2), an Internet Explorer "browser helper object" that monitors Web browsing and sends relevant advertisements.

•  KeenValue, an adware program that collects personal information and sends advertisements to computer users.

•  Perfect Keylogger, a monitoring tool that records Web sites visited, keystrokes and mouse clicks. It logs passwords, account numbers and other sensitive information.

"The people who write this stuff are gaining sophistication in their coding practices, as they attempt to evade detection and removal," said Richard Stiennon, Webroot's vice president of threat research. "These 10 are the most insidious programs in terms of prevalence and effect."

Webroot recommends that people install Microsoft security patches, avoid using freeware and disable downloads via ActiveX in Internet Explorer.

Dan Ilett of ZDNet UK reported from London.

35 comments

Disabling ActiveX is the key
While I think Mozilla Firefox is a technologically and esthetically superior browser than Microsoft's Internet Explorer, I don't subscribe to the view of Firefox zealots that IE is one big security hole. If a user completely disables ActiveX downloading in IE, so-called "browser helper objects" cannot install themselves. I've disabled it for over a year and haven't had a single problem or security breach.

Both browsers have their advantages, to be sure. There are some (mostly cosmetic) things I don't like about Firefox, such as when you force-reload a page in Firefox it doesn't go to the top of the page -- the cursor position stays where it is. Or, when you click on the location bar, the cursor position doesn't go to the end like in Internet Explorer. As well, Firefox doesn't display drop-down menus that many Web sites use and are only displayed in Internet Explorer. One such case is the Uhaul Dealer Web site (www.uhauldealer.com) so, at work, we can't use Firefox for Uhaul transactions. Personally, I dislike IE-only menus, but Firefox should have some cross-browser compatibility. It's another instance where IE has its uses.

Both browsers are clearly good and well-produced. I wish people on both sides would stop using CNET News.com fora as a medium for bashing each other's browser. There's clearly a market for both.

Can't we play nice?

Cheers,
Doug
Posted by dmehus (30 comments )
Can't we play nice?...Only if MS capitulates.
Only if Microsoft decides to play by the standards. Why do you think some websites don't work in FireFox? why do you think some cookie cutter web apps only work in IE?
IE is a standards nightmare. They are creating their own standards on the fly that ONLY work in IE. FireFox may not be perfect but at least they play by the rules. MS makes their own rules up as they go.
Posted by Jonathan (832 comments )
IE vs FF
I am a Firefox fan. IE is always a security risk because "disabling" ActiveX isn't a safeguard. Why? Any virus can potentially re-enable it at any time. Firefox doesn't carry this possibility because it doesn't use ActiveX at all, by design. See the difference? Secondly, clicking the location bar in both IE and FF will highlight the entire bar, and subsequently a single press of the right-arrow key will take the cursor to the end of the bar, in both apps. So what's the difference there? None. Please come up with a valid complaint! Thirdly, you say FF can't render the Uhaul dealer site correctly; well try looking at http://www.mozilla.org/start/1.0/demos/eagle-sun.html with IE and see how IE fails miserably. Lastly, you say you wish Cnet users would stop using Cnet as a browser-bashing forum -- but that's precisely what you did with your post! I responded with some counterpoints to even the field, but at least I'm not a hypocrite about it.
Posted by Anonymous1234567890 (53 comments )
IE-only dropdowns
Any company which chooses to use ActiveX dropdown menus should be boycotted.
Why?
HTML can do this by itself, and be fully cross-platform. Even text-based browsers can display an HTML dropdown.
ActiveX dropdowns have absolutely zero benefit, but require all your customers to open a security hole on their computer.

Would you buy a car from a dealer who stated "We will only sell you this car if you leave your garage door open and your house unlocked for the duration of ownership."?
Of course not. Why would you do the same with your computer?
Posted by cbiltcliffe (20 comments )
Executions is the Key
Start executing these ********* and you'll see how fast these malicious programs STOP.
Posted by (75 comments )
Execution? :)
Hehe... that might be a little strong... I would go along with applying something on the order of 10,000 volts to the offending parties' testes... I think that would produce a more rapid result and hey, if they lived, I think they would become a slightly different type of garbologist.

I think it is criminal that it's "okay" somehow to allow this crap to continue in any form. I'm sorry, but I have yet to find anyone that thinks ads that pop up for anything or changes your home page to something difficult at best to change back has any worth. The part that bothers me more is the imbeciles that write this carp get paid good money for it. Why?
Posted by al g (1 comment )
Questionable Link In Article
when you click on the link in the article "10 worst spyware and adware threats" you're taken to a page offering a free tool to analyze your system. i took up that offer and (surprise!) the free tool found a keyboard logger that only the $29.95 tool can remove. the alleged keyboard logger is visual log. well, here's an interesting link:

http://www.download.com/Visual-Log/3000-2092_4-10286181.html?tag=lst-0-1

it's cnet's link to download the shareware version of visual log. well, that doesn't necessarily mean it's not a bad thing; it depends on whether you have it running on purpose or not (ie, are you spying on someone else, or is someone else spying on you?). well, i've never installed it. so, i searched the web and found manual instructions for removing visual log. and, guess what (surprise again!), there's not the least bit of trace evidence that visual log is installed on this system.

interesting. how many else of you are "infected" with visual log? just in case, btw, i'm running adaware and will run spybot right after that. heck, maybe there are two things called "visual log" for all i know.

mark d.
Posted by markdoiron (1138 comments )
Buyer beware!!!
I just had an awful experience with a company that markets themselves as a data recovery software developer. Stay away from GetDataBack from Runtime Software. When I ran it to recover data from another drive with a screwed up boot record, it installed adware! It had to have come from them because I did a fresh install of XP on another drive, upgraded to SP2, then found their software on download.com. I ran it and the ads started popping up. I thought it was just in the trial version, but they didn't go away when I paid for it (you have to in order to recover your files). Their tech support was rude and denied it.

This is disgraceful and an embarrassment to the industry.
Posted by (1 comment )
Why download.com?
I've run GetDataBack myself, but I downloaded it directly from runtime.org, so I know I'm not getting a "feature-enhanced" version from some spyware company.
I've never seen any popup ads on the machines I've installed it on, and I think you just got a bum download because you didn't get it from the proper source.
Posted by cbiltcliffe (20 comments )
not so simple solutions
Short of changing your OS (though not a bad idea but just as painful)
1. Stop using IE.....period!
2. disable active x controls......all of them
3. download your windows updates and install them manually from Technet. Why? See option 1.
4. change your browser Mozilla, Firefox, Opera Lynx anything and I do mean anything but IE
5. use multiple spyware programs. I have to give MS some credit Giant was a little known but the best spyware remover going. Use Spybot, Ad Aware, Spyware Guard SpyBlaster also keep CWShredder and Hi Jack this in your toolkit as well.
6. Stop using IE.....period!
Posted by Buzz_Friendly (74 comments )
Why not list the Freeware Programs that install the spyware instead
That would be of much more use. Kind of a do not install list. Then followed by the spyware program.
Posted by slim-1 (229 comments )
it would not help c'net and webroot
they are trying to sell and saying that freeware is bad leaves you with no other option just to buy. PROPAGANDA. When i scare you i will be able to sell you whatever, especially when i tell you that there is no free alternative ...

This is paid advertisement!!! It is no help for anybody just Webroot and C'net!

Thief yells "Catch the thief!"
Posted by (2 comments )
Remove all Microsoft products is the key
It is amazing that you waste so much time on this stuff. You blame
it on the sophistication of those who make adware, etc. when you
should be looking at the real problem - Microsoft has been ripping
you off for years and making you spend your time and money
solving their lack of security.
Posted by (19 comments )
Amen
Firefox has none of the flaws that allow adwarez and spywarez to hijack IE. Why try to stop the creators from messing with your system, when you can just change your system to something they can't mess with?
Posted by (4 comments )
The fire fox solution..
I use FF for months now. Ever since 99% of all spyware was gone. The remaining 1% doesn't affect me but it somehow gets back on my pc. CWS is the only one that pops back up. So I use CWS Shredder, the only program that gets rid of it.

One day when Apple sells a cheaper computer, I can finally live without fear of having my pc all mangled.
Posted by saleen351 (36 comments )
A true solution.
The only way to stop this kind of malicious programming is by making the CBC actual law. The Code of Backchannel Conduct is a group of programming rules that would bring all spyware, adware, and malware to an end.

CWS was, I believe, written by a group of people in Russia. A country where they cannot be touched by the rest of the programming community.

Right now the only defense one can get against this kind of program is CWShredder, HijackThis, and Adaware/Spybot. That coupled with Firefox will protect most knowledgeable users from that kind of scum-code programming. But for normal users who understand very little about the computers they use it does very little. Most people use IE and as long as it is the most common browser spyware will win the battle. Only when ActiveX is disabled or not supported will we have a chance at stopping this kind of sneaky, underhanded, and unethical programming...

We can only hope that day comes soon...
Posted by (2 comments )
What about the free cleaners.
Completely glossed over in this "News" report is the fact that CWS has been out there for months and months, and that programs like hijackthis, spybot search & destroy, Lavasoft ad-aware and several other FREE items can remove them fine.

Links to all of these can be found at:
www.kctechgurus.com under the support section.
Posted by (4 comments )
That's not the point...
You NEED to prevent the spyware from actually getting on to your computer in the first place. I've seen some spyware programs employ lots of sneaky tricks so that it is quite difficult to remove them. I saw one that kept changing its memory usage so that you can't just open the task manager (via CTRL+ALT+DEL) and end the process (it keeps disappearing and reappearing at another spot on the list, thereby losing your selection).

I've seen others deliberately try to associate the most common filetypes with spybotsd.exe, which is Spybot Search & Destroy of course. I've also seen one that changed its own code multiple times!

The cure? Use Firefox (or any other browser instead of IE), install SpywareBlaster and WinPatrol. I've not had a single piece of spyware on my computer for over 3 years.
Posted by hion2000 (115 comments )
"don't install freeware" PROPAGANDA!!!
Just to say no to install freeware is irresponsible and pure propaganda!!! Are you saying that Java is spyware? or tons of other programs that can fully replace pricey software like avast home, open office, zone alarm and so on have anything to do with spyware and adware? NO!!!! It is so transparent when company like Webroot that doesn't have a free version of their scanner says "do not buy freeware" to scare people from using competing products like Ad-Aware and SpyBot S&D and make them pay money for something that doesn't even measure up to those mentioned before.

It is a shame point finger on others and in the same while do something similar ...
Posted by (2 comments )
I wish it were so!
I have been using Spybot S&D, Adaware (and even HiJack This) successfully for some time now to get rid of spyware. Some of the spyware that is currently infecting my notebook, however, is apparently resistant to all of these measures. I can only hope that Microsoft's initiative in acquiring Giant will result in something even more powerful being made available.
Posted by k1msinger (1 comment )
How to test if you have the Cool Web Search hi-jacker and not something els
Open IE and go to www.coolwebsearch.com
(DON'T WORRY, IT WON'T GIVE YOU SPYWARE!)
Then, use their search engine to search for
CoolWebSearch
or
about:blank

it comes up with
Adult Finder - Sex Personals, and stuff like that.

Then, go to the searchpage you are hi-jacked to, and search for the same thing
(CoolWebSearch
or
about:blank)
If it comes up with the same results, then you have CoolWebSearch.
(Which is definitely not cool!)

Download AVG 7.0 from www.grisoft.com and update, then run complete test.
Also download Ad-Aware SE from Lavasoft to get further protection
Hope that helps anyone who was in my position.
Posted by (1 comment )
Trend Micro has been my recommendation.
I have been using Trend Micro Antivirus products for several years now. The Internet Security 2005 has built in firewall and adware/spyware removal with real time monitoring. Since I have had this product I have had minimal issues (and any issues that did arise were handled with ease) as compared to some of my clients who prefer the Symantec or McAfee products and these Ad-Aware and Spybot programs. I have found it to be the most reliable as well as all of my clients who have switched to it on my recommendation.
Posted by (1 comment )
Jail Time
Start sending the authors/distributors of spyware to jail. That will curtail them. I am sure some lawyer can twist multiple laws to fit the case or spyware's malicious nature. I am really sad/surprised no one is prosecuting anyone for this already.
Posted by lechugh (1 comment )