CWS History - Any experts among you?

[cico]

Hi Wilders community,
for many years I've been investigating fraudulent activities in the internet and telecommunication sector, originally starting with dialers in 2003 (and - more or less - limited to Germany)

At the moment I'm trying to "combine" various existing investigations, it's a long story...

For several reasons I would love to get in touch with an expert in CWS background investigations, and - because I'm not that fluid in English - I am looking for someone who's speaking German or is a native German.

If someone is not German, but can tell me about CWS backgrounds, let's try to communicate

Is there any (english or german) "overview" about CWS? Where and when did it start? Who are known "central characters"?

Well, you may ask "who's that guy stepping through the door and asking questions"... I can't tell you who I am, but I am very busy on some German boards. The fact that I am asking this question NOW is that I want to "confirm" some theories about links between CWS and other "structures" (not only, but for example RBN)

Any help appreciated,

kind regards
Cico

sorry if I did offend your eyes with insufficient language skills

in German:
http://www.trojaner-board.de/108478-...-experten.html

[noone_particular]

One individual who led the fight against CoolWebSearch is Wewbhelper. Not sure if it's still there, but he had a full history of their activity on his site.
http://webhelper4u.net/

[cico]

Thank you.
I have archived information from webhelper4u from 2004 on, but I never tried to get in touch with webhelper. So I know a lot of his wonderful research, but it's hard to find the jigsaw pieces that I need...

Anyway, I hope that he steps in here, because as far as I understand most of the information about CWS is from his investigations.

Ok, I will just write "webhelper, come here, Webhelper, come here". Let's see if it works

[siljaline]

Wikipedia has some information.

Trend Micro currently owns the now defunct application as it is fully blocked by software such as Spyware Blaster and MVPS Hosts

In some cases of a unique malware infection scenario, the Trend tool would be used in full.

Regards,

[stapp]

Don't know if you have seen this

http://www.pieter-arntz.info/cwschronicles.html which gives a lot of info.

Pieter_Arntz visits Wilders a lot and was responsible for the name CWShredder I believe.

[CloneRanger]

@ cico

Kevin McAleavey formaly of BOClean etc @ "Privacy Software Corporation" knows a LOT about CWS & plenty of others. Moreover he went out of his way to identify the coders of Malware, by examining their code. He found that, more often than not, they left/included identifying traces in there, so was able to keep track of them over Many years

He is now at http://www.knosproject.com & also a member here. You might like to contact him to see if can spare any time to provide you with some background insights etc into CWS etc.

RBN info

http://rbnexploit.blogspot.com

Quote:

One of our readers, David Bizeul, spent the past three months researching the Russian Business Network (RBN). The RBN is a virtual safe house for Russian criminals responsible for malicious code attacks, phishing attacks, child pornography and other illicit operations (we previously provided an analysis of the RBN that was produced by iDefense.) The 70-page paper is on David's web site, and David said that he may update it in the future. We are mirroring the paper for him just in case his site gets overloaded. David's contact information is in the paper so if you like what you see please let him know.

https://isc.sans.edu/diary.html?storyid=3681

Mirror link not working, but David Bizeul's link is

http://www.bizeul.org/files/RBN_study.pdf

@ stapp

Excellent link

[cico]

Bizeul did great work. And thank you so much for the other links so far!
Pieter Arntz

Quote:

Please note that this article was written originally by the creator of a program designed to remove all CoolWebSearch related infections, Merijn Bellekom.
My most noteworthy contribution was coming up with the name for the program, CWShredder.

more technical at first glance, but I'll take a closer look.

By the way: The quick and informed response to my inquiry is deeply impressive!

[Corrine]

Quote:

Originally Posted by cico

Thank you.
I have archived information from webhelper4u from 2004 on, but I never tried to get in touch with webhelper. So I know a lot of his wonderful research, but it's hard to find the jigsaw pieces that I need...

Anyway, I hope that he steps in here, because as far as I understand most of the information about CWS is from his investigations.

Ok, I will just write "webhelper, come here, Webhelper, come here". Let's see if it works

Webhelper (Patrick Jordan) has been working for Sunbelt Software, now GFI, for many years.

[cico]

I have studied lists for hours and I still don't understand why some domains/names are listed in CWS lists. At the moment I fear that I was chasing a mirage, or at least I did overinterpret some information. I hope to see clearer in a life or two

[Pieter_Arntz]

Hi cico,

I'm Dutch, but fluent in German and was a close-by follower of the battle against "CWS"
If you want, you can PM me your email address and I will get in touch with you.

[Kevin McAleavey]

Quote:

Originally Posted by CloneRanger

@ cico

Kevin McAleavey formaly of BOClean etc @ "Privacy Software Corporation" knows a LOT about CWS & plenty of others. Moreover he went out of his way to identify the coders of Malware, by examining their code. He found that, more often than not, they left/included identifying traces in there, so was able to keep track of them over Many years

How I wish I could help here, but when COMODO took over our company and tossed my butt to the curb, they own ALL that I knew in the BOClean days and did NOT convey *any* of the rights to what existed in my brain during my prior days. If I were to offer anything I knew about "their" property or branding, I'd end up being sued for helping. I'm not even permitted under my separation agreement to *think* about malware and Windows, which is the reason why I'm doing what I'm doing now.

Wish I could help, but I'm not even allowed to talk to any of our former customers since they too are owned now by COMODO.

[cico]

Quote:

Originally Posted by Kevin McAleavey

How I wish I could help here, but ... I'm not even permitted under my separation agreement to *think* about malware and Windows

What a pity for me - and what an even greater pity for you to be in this situation.
Many thanks to you and my best wishes.
Sometimes things are so unnecessarily difficult, and when things are impossible because of that, things that just would be good, it makes one angry.
Thank you again for your reply!!!

[cico]

Quote:

Originally Posted by Pieter_Arntz

I'm Dutch, but fluent in German and was a close-by follower of the battle against "CWS"

I'm glad and thankful to read this.
Ik ben blij dat je Duits spreekt. Ik wilde niet te vragen, omdat het lijkt misschien arrogant te zeggen over een Nederlander 'Duits spreken met mij', alleen maar omdat mijn Engels is niet goed genoeg. En arrogantie jegens Nederland is 'typisch' Duits. Maar met "Google Translator" het gewoon niet zou werken...


-----

to show you what I'm talking about

In 2004 I archived a file from Patrick's site "Browse Complete Listing Updated: 29 July, 2004 12:55:52 PM -0400"
This was because we had reports in Germany about a rogue dialer and it could be linked to CWS.
In that 2004 file you can read

Quote:

69.31.85.147 cc20foreva.com (Magel, Irgi zoro_ru@hotmail.com)

This is one of the aliases within the Cactus Dimpy Group (JFP)
and here this person is identified (from the Sophos analyses)
http://nakedsecurity.sophos.com/koobface-7/

I'm absolutely certain that the Sophos analysis will lead to massive attempts to cover up evidence. We just need to be faster.