This appears to have been dealt with at the browser level in MS Security Bulletin MS03-011. I have a hard time blaming MS for everything since in most cases of these things they do react. How do they force the users to update? Could they implement a switch that says "no update, no working browser"? At least for IE? Scob was dealt with via the hammer, this could be too.

There are 39 variants at the moment:

http://www.spywareinfo.com/~merijn/cwschronicles.html

The difficulty in cleaning is due to the variants:

http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder

Disclaimer: That site "looks/feels" credible, but I did just a little correlation.

Thanks.

ARIN: The IP number for their website is allocated to Cogent, but not SWIP'd.

Apparent last mile:

16 p6-0.core01.jfk02.atlas.cogentco.com (66.28.4.82) 107.092 ms 104.713 ms 107.080 ms
17 p5-0.core01.jfk01.atlas.cogentco.com (66.28.4.9) 108.177 ms 108.023 ms 109.115 ms
18 g49.ba01.b001362-1.jfk01.atlas.cogentco.com (66.28.66.42) 106.147 ms 105.769 ms 109.537 ms
19 HyperSpace_Communications.demarc.cogentco.com (66.250.5.30) 110.872 ms 108.745 ms 106.978 ms
20 66.250.74.150 (66.250.74.150) 107.939 ms 108.364 ms 104.599 ms

Apparent Registration:

domain: coolwebsearch.com
status: production
organization: InterWeb Solutions Inc
owner: InterWeb Solutions Inc
email: admin@iweb-commerce.com
address: P.O. Box 362
address: Road Town
city: Tortola
postal-code: 65113
country: IO
admin-c: admin@iweb-commerce.com#0
tech-c: admin@iweb-commerce.com#0
billing-c: admin@iweb-commerce.com#0
nserver: ns1.maximumhost.com
nserver: ns2.rosexxxgarden.com
registrar: JORE-1
created: 2001-06-01 04:51:34 UTC JORE-1
modified: 2004-03-17 14:59:02 UTC JORE-1
expires: 2007-05-31 22:51:23 UTC JORE-1
source: joker.com

-M

--
Martin Hannigan                                (c) 617-388-2663
VeriSign, Inc.                                 (w) 703-948-7018
Network Engineer IV                            Operations & Infrastructure
hannigan@verisign.com

coolwebsearch:
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Paul Vixie
Sent: Monday, July 12, 2004 12:19 PM
To: nanog@merit.edu
Subject: Re: Spyware becomes increasingly malicious
somebody, probably sean, mentioned scaling earlier in this thread.
> coolwebsearch has become more and more sneaky.. so bad that development of cws shredder has been abandoned by its developer..
...
> the first time only about 3 days ago and I got rid of it in 10 minutes! I can see how it would be a problem for a newbie but it shouldn't be anything more than 10 minutes work for anyone here with Windows experience.
...
> There are dozens of variants, obviously you've seen only one.
so, this bit of spyware (which was resistant to ad-aware as of last week, though ad-aware seems to publish a new definition file every day now) relies on a web site, and that web site relies on the spyware for its traffic and eyeballs, and the spyware and website are owned/operated/"published" by the same company. the website does not move around, it's at a fixed location.
the scaling issue, please:
"why does that company still have an internet connection?"
or, to put it less mildly:
"why does that company's provider still have an upstream?"
or, to put it in terms you can all understand:
"why does that provider's upstream still have bgp peers?"
if you give people the means to hurt you, and they do it, and you take no action except to continue giving them the means to hurt you, and they take no action except to keep hurting you, then one of the ways you can describe the situation is "it isn't scaling well." -- Paul Vixie
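The "little correlation" in Hannigan's reply is two text formats read by eye: a traceroute and a registrar whois record. The block below is an added example, not code from either poster, that parses the exact lines posted in the thread (embedded here as sample input), finds the hop where the path leaves the transit provider's own network (the point Vixie's "why does that provider still have an upstream?" is really about), and pulls out the contact addresses and nameserver domains a responder would pivot on. The function names `parse_traceroute`, `parse_whois`, `transit_handoff` and `contacts` are mine, and the one heuristic assumption is that a hop belongs to the transit provider only if its reverse-DNS name ends in that provider's domain.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Sample input: the hops and the registrar record as posted in the thread.
# Only hops 16-20 were posted, so the trace starts mid-path.
TRACEROUTE = """\
16 p6-0.core01.jfk02.atlas.cogentco.com (66.28.4.82) 107.092 ms 104.713 ms 107.080 ms
17 p5-0.core01.jfk01.atlas.cogentco.com (66.28.4.9) 108.177 ms 108.023 ms 109.115 ms
18 g49.ba01.b001362-1.jfk01.atlas.cogentco.com (66.28.66.42) 106.147 ms 105.769 ms 109.537 ms
19 HyperSpace_Communications.demarc.cogentco.com (66.250.5.30) 110.872 ms 108.745 ms 106.978 ms
20 66.250.74.150 (66.250.74.150) 107.939 ms 108.364 ms 104.599 ms
"""

WHOIS = """\
domain: coolwebsearch.com
status: production
organization: InterWeb Solutions Inc
owner: InterWeb Solutions Inc
email: admin@iweb-commerce.com
address: P.O. Box 362
address: Road Town
city: Tortola
postal-code: 65113
country: IO
admin-c: admin@iweb-commerce.com#0
tech-c: admin@iweb-commerce.com#0
billing-c: admin@iweb-commerce.com#0
nserver: ns1.maximumhost.com
nserver: ns2.rosexxxgarden.com
registrar: JORE-1
created: 2001-06-01 04:51:34 UTC JORE-1
modified: 2004-03-17 14:59:02 UTC JORE-1
expires: 2007-05-31 22:51:23 UTC JORE-1
source: joker.com
"""

# "<ttl> <name> (<ipv4>) <rtt> ms <rtt> ms ..."; hosts with no PTR repeat the IP as the name.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)((?:\s+[\d.]+\s+ms)+)")


@dataclass
class Hop:
    ttl: int
    name: str
    ip: str
    rtts_ms: List[float]


def parse_traceroute(text: str) -> List[Hop]:
    """Parse classic traceroute output; lines that do not match (headers, '* * *') are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        rtts = [float(x) for x in re.findall(r"([\d.]+)\s+ms", m.group(4))]
        hops.append(Hop(int(m.group(1)), m.group(2), m.group(3), rtts))
    return hops


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Parse 'key: value' whois output; repeated keys (address, nserver) are kept in order."""
    rec: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        rec.setdefault(key.strip().lower(), []).append(value.strip())
    return rec


def transit_handoff(hops: List[Hop], transit_domain: str) -> Optional[Tuple[Hop, Hop]]:
    """Find where the path leaves the transit provider.

    A hop's reverse-DNS name is set by whoever holds the PTR delegation for
    that address, so only names ending in the transit provider's own domain
    are trusted as 'theirs', and the LAST such hop is taken as the hand-off.
    Returns (last transit hop, first hop beyond it), or None if the path
    never visibly leaves the transit network.
    """
    suffix = "." + transit_domain.lower()
    last = None
    for i, hop in enumerate(hops):
        if hop.name.lower().endswith(suffix):
            last = i
    if last is None or last + 1 >= len(hops):
        return None
    return hops[last], hops[last + 1]


def contacts(rec: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Pull the identifiers worth pivoting on: contact e-mails and nameserver base domains."""
    emails: Set[str] = set()
    for key in ("email", "admin-c", "tech-c", "billing-c"):
        for value in rec.get(key, []):
            emails.add(value.split("#", 1)[0].lower())  # drop the '#0' handle suffix seen in the record
    ns_domains = {".".join(ns.lower().split(".")[-2:]) for ns in rec.get("nserver", [])}
    return {"emails": emails, "ns_domains": ns_domains}


if __name__ == "__main__":
    hops = parse_traceroute(TRACEROUTE)
    handoff = transit_handoff(hops, "cogentco.com")
    if handoff:
        print(f"transit hand-off: {handoff[0].name} -> {handoff[1].ip}")
    print(contacts(parse_whois(WHOIS)))
```

Two caveats a responder should keep in mind when using output like this. The hand-off detection relies on reverse DNS, which is only as trustworthy as the party that controls the PTR zone, which is why the code insists on the transit provider's own domain suffix rather than matching on words like "demarc". The registrant fields are self-asserted at registration time: the record above gives a Road Town, Tortola address (British Virgin Islands) against a country code of IO (British Indian Ocean Territory), so the e-mail addresses and nameserver domains are the more useful pivots, not the postal data.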