Sunbeltblog posted a document (PDF) found by their researchers today that gives a glimpse into the spyware pushers' minds. The document is in Russian with the English translation inserted line by line. The discussion seems to be a planning session for development and deployment of new spyware. The statements are rather chilling. Excerpts: "Well, we need to infect user's computer that visits our web site with maximum efficiency." "It will disable all firewall and antivirus software in all possible ways. And this must be done as fast as possible." "When loader is done with files it should ping our server. This will tell us that given loader is alive and online and also will let us find out how many such loaders are online at the moment." They go on to talk about their advertisers and how to track the total number of referrals by country and by advertiser, as well as plans for webmasters to become involved. Of course, money comes into play. "That's a huge advantage because we can, for instance, install our software such as Toolbars and earn money on it." The discussion ends with contingency plans in case their server is shut down.
In yesterday's post about Webroot's State of Spyware report, I noted it says on page 8 "The majority of spyware is coming from the U.S., with Poland coming in second and the Netherlands in third." That statement surprises me because in my reading and research, an awful lot of spyware is hosted on domains and IP addresses in Russia or former Soviet Union nations, especially sites distributing CoolWebSearch. Webhelper, aka Patrick Jordan who is now a Sunbelt researcher, has tracked the CoolWebSearch domains and IP addresses and maintains an extensive list at his site.
Sunbeltblog also posted the discovery of another variant of the trojan keylogger named Srv.SSA-KeyLogger. Their free removal tool has been updated to detect and remove this variant. As I noted yesterday, Lavasoft, makers of Ad-Aware, has also discovered 2 additional variants of this same keylogger.
In the next few days, I'll blog about prevention and how to lock down your computer to reduce your chances of being infected.
Full disclosure: since April 2005 I have performed part-time consulting work as an independent contractor for Sunbelt Software.