11-14-2005, 01:05 PM
Quote:
Originally Posted by Quickdraw
From that page
Quote:
After more study of the web sites involved in that ID theft keylogger (http://www2.spywareinfo.com/2005/08/08/569), I am no longer convinced that CoolWebSearch has anything to do with it. I am no longer convinced the hijacker software that installed the keylogger is associated with CoolWebSearch.
The version of the keylogger we looked at was downloaded from a site called ipassist[dot]biz. That site's home page redirects to and shares an IP address with clicksearchclick[dot]com, which itself has started recently to redirect to clicksearchclick[dot]biz. Clicksearchclick also happens to be the site to which Internet Explorer's home page is reset after this thing is installed.
I studied the HTTP logs after clicking some links at clicksearchclick. They all link to an IP address which belongs to something called yeahsearch[dot]net. Yeahsearch[dot]net uses DNS servers set up by klikfeed[dot]com, which is owned, or at least affiliated with, klikrevenue[dot]com.
To the best of anyone's knowledge, none of these web sites are related to CoolWebSearch - not the hijack sites, not the servers or IP addresses used by the hijackers, not the servers called by the keylogger and not the server which actually stores the keylogger. According to a source inside the browser hijacker / pay-per-click scene, Klikrevenue and CoolWebSearch are competitors.
I feel comfortable pointing a finger at KlikRevenue, or at least to one of their affiliates.