Thousands Of Windows Machines Compromised, Millions At Risk
If you admin a Windows network, or even just a network off which Windows machines hang, then you need to be aware of this recent discovery by the folks at Sunbelt.
It seems that they were playing around with CoolWebSearch, a fairly notorious spyware program in its own right, and were stunned to discover two trojans which slipped in with the CoolWebSearch download. One was a spam zombie, but it was the second, a keylogger program, which took their breath away.
The keystroke logging program, undetectable by current anti-spyware and anti-virus programs, was scouring their machine for usernames, passwords, and bank account information, and reporting it back to its mothership. And what a mothership it was. Or, perhaps, motherlode is a better term. Following the keylogger’s trail, Sunbelt’s Patrick Jordan found a massive server, located in Texas, to which thousands of machines infected with the keylogger were reporting back daily. The keyloggers were filling up a log file as fast as they could with usernames, passwords, bank account information, and more. As soon as one log file would get to a certain size, it would be zipped up and another would be opened.
Says Sunbelt’s president, Alex Eckelberry, in his blog, “The types of data in this file are pretty sickening to watch. You have search terms, social security numbers, credit cards, logins and passwords, etc…”
Testing some of the data, they found that they had immediate easy access to personal bank accounts (so far at least 50 banks have been implicated), where they could have readily withdrawn the money (as, undoubtedly, the criminals behind this ring are doing as we speak).
“In a number of cases, we were so disturbed by what we saw that we contacted individuals who were in direct jeopardy of losing a considerable amount of money…
