Update: Information on the types of systems infected here. Information on the fix here.

Apologies that we couldn’t post more information — we simply ran out of time. This has been a pretty intense project and in the middle of it, I also had to go out of town. I am currently blogging from a remote location.

Computer World got the scoop on the story, and the author is largely correct. InformationWeek also got it.

We also shared this information with a very small number of trusted security experts, including Suzi Turner at Spywarewarrior. You can see her reaction here.

Here is a quick idea of what happened: Patrick Jordan, our most senior CoolWebSearch (CWS) expert, was doing research on a CWS exploit. During the course of infecting a machine, he discovered that a) the machine he was testing became a spam zombie and b) it made a call back to a remote server. He traced the remote server and found an incredibly sophisticated criminal identity theft ring. (Jordan, prior to being employed by Sunbelt, was known to the security community as WebHelper.)

Note that we are still trying to ascertain whether or not this is directly related to CWS.

The scale is unimaginable. There are thousands of machines pinging back daily. There is a keylogger file that grows and grows, then is zipped off, and then the cycle continues again (note that while thousands of machines are pinging back, the number that are being logged into the keylogger file is less than that, but still significant). The server is in the US, but the domain is registered to an offshore entity.

It is very sophisticated; however, we aren’t sharing a lot of data for obvious reasons. We are in contact with the FBI.

The types of data in this file are pretty sickening to watch. You have search terms, social security numbers, credit cards, logins and passwords, etc.

In a number of cases, we were so disturbed by what we saw that we contacted individuals who were in direct jeopardy of losing a considerable amount of money. One particularly poignant moment was a family in Alabama whom I contacted personally last night to warn them of what was going on. This was a family where the father had just had open heart surgery, and they had very little money. Everything personal was recorded in the keylogger — social security numbers, their credit card, DOBs, login and password info for their bank and credit card companies, etc. We were able to warn them in time before they were seriously hurt.

But there is only so much we can do without bringing in extensive external resources. The scale of this thing is massive. As I’ve mentioned before, the keylog file itself grows and grows and then is removed, only to be replaced by a new one. So we are taking down the files as rapidly as possible to save the information. Maybe some law enforcement group can use this information to warn people.

People who ask me what to do get a simple answer: Get a software firewall in fast. Just any decent free one will do the job.

I may be posting samples of the keylog files later but the effort is in the redaction…
