The Hidden Money Trail

Fair Warning?

Nastyware: CoolWebSearch puts links to advertisers on any Web page you visit. Site owners have no control over the links.
Nastyware: CoolWebSearch puts links to advertisers on any Web page you visit. Site owners have no control over the links.
Even as adware companies are going after rogue behavior by affiliates, some of them continue to act in ways that privacy-sensitive consumers consider deceptive.

Not all bundled programs give you a clear warning about the adware you're about to install. In some cases, a disclosure may be buried many paragraphs deep in an End User License Agreement (or EULA) that you may or may not read. Even a careful EULA reader might not realize that a paragraph about "third-party software downloads" is, in fact, a subtle reference to adware.

In contrast, when you install the free BearShare peer-to-peer program, you must agree to EULAs from both BearShare and WhenU. You'll see screens describing this "ads for apps" trade-off before and after the installation.

Many prominent adware firms also label their ads. In our testing, we saw Direct Revenue's labels for Aurora appear on the title bar of its ad windows. 180solutions included an icon in the title bar. And Claria and WhenU put both the name of the adware application and its logo in one part of the advertising window.

But while some adware companies are trying to make their activities more transparent, other companies do anything they can to obscure their origin. CoolWebSearch (CWS) is a prime example.

All of the more than 40 variants of CWS get on your PC by means of drive-by installations, or by exploiting other security bugs, according to anti-spyware experts. CWS has no EULA, or even a Web site. (The owners of the coolwebsearch.com domain posted a notice disavowing any affiliation to the CWS spyware program, but didn't respond to requests for comment.) And none of the CWS ads we saw in our tests were labeled.

In fact, even the authorities don't know who's behind CWS: The individuals and companies involved shroud themselves in secrecy, using a jumble of servers, located all over the world, to obscure their network, and registering domain names using fake contact information.

In our tests, CWS inserted its own links into Web pages displayed in Internet Explorer. Clicking one of these CWS-inserted links brought us to "search portals"--sites designed to mimic search results pages from Google or MSN Search--featuring ads from well-known companies. The tested version, and other variants of CWS, also add bookmarks to the Internet Explorer Favorites list; put shortcuts to porn and gambling sites on the desktop; change your browser's home page; and/or alter browser security settings. It also actively fights your attempts to remove it from affected PCs, using techniques similar to those viruses use.

Subscribe to the Security Watch Newsletter

Comments