Wiz's Computer and Website Security Blog

There is a new malware threat in the wild circulating among various file sharing networks. The threat is spread by duping file sharing users into downloading fake mp3 audio and mpeg movie files, which have very enticing filenames (some listed below in extended comments). All of these fake files have very small file sizes, which should be a giveaway that something is wrong with them. Despite that fact, almost 400,000 PCs are now infected in just a few days, after their users downloaded and opened some of these rigged files.

When a file sharing user double-clicks to play one of these files they get a surprise. Instead of seeing a movie or hearing a music file they are presented with a browser page that displays a EULA consisting of about 4800 words. The scam tells them that they must install a special media player, from fastmp3player.com - to playback the file they are trying to hear/see. Upon agreeing to the EULA the user is redirected to fastmp3player.com where a file download box appears, for a file named (at this time) "PLAY_MP3.exe." This file will install two separate adware and spyware applications; "FBrowsingAdvisor" and "SurfingEnhancer."

Apparently, in samples that have been analyzed in the last two days, these attacks are specifically designed to work in the Firefox browser. If Firefox is not found on the victim's computer, they will get a Windows error message and will be urged to download and install Firefox.

Most major anti virus and anti spyware companies can already detect and remove this threat, which has been elevated to a "medium threat" status by McAfee, for home users.

People who like to obtain copyrighted music or movies without paying a fair price for a licensed copy are left at risk from botmasters looking to increase their botnets, and criminals using affiliate programs to earn commissions for installing spyware and adware onto as many computers as possible.

What you can do to protect your computer from this threat.

1. Stop using file sharing programs like Limewire or Kaaza, or others, that allow people to distribute (share) copyrighted works illegally. They are riddled with malware files of all sorts. Instead, use one of the legitimate music or movie websites, like Apple's iTunes, Real Rhapsody, or Napster.


2. Install a modern, legitimate anti virus program that offers multiple daily updates and set it to receive automatic updates every hour. If you can't set it to an hourly schedule then run a manual check for updates as often as you think about it. Or, use Windows Task Scheduler to run the updater executable every hour. Reputable anti virus companies include Trend Micro, Symantec, McAfee, NOD32 and AVG.


3. Install a reputable anti spyware program and keep it updated as often as possible. Recommended companies include PCTools Spyware Doctor, Webroot's Spy Sweeper, Trend Micro PC-cillin, Lavasoft's Ad-Aware and anti-virus, and Spybot Search and Destroy.


4. Scan for threats every day, before you get busy online, or every night, before you turn off the computer for the night.

Posted by Wiz at 11:30 PM | Permalink

back to top ^

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on May 7, 2008:

Hijackers
+ SearchALot

Keyloggers (Keyloggers steal your logins and passwords)
+ SpyBossPro

Malware Includes fake anti-virus and anti-spyware programs
++ Delf.12.an (2)
++ Fake.SecurityAlert
+ MalwareBell
++ MalwareCore
++ Win32.Agent.cs
+ Win32.BHO.je (3)
+ Win32.Renos
++ WinIFixer

PUPS Possibly Un(popular|wanted) Software
+ Enter.Casino.PT

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
+ Conducent.TimeSink

Trojans Includes 5 new Zlob* Trojan detections
++ CNNIC.cn
+ Smitfraud-C.MSVPS
+ Virtumonde.dll
++ Win32.Agobot.aoi
++ Win32.Tibia.de
++ Win32.VB.bks
++ Win32.VB.me
+ Win32.Zhelatin.ah (a.k.a: Storm Trojan)
++ Zlob.Downloader.fvn
++ Zlob.Downloader.jau
++ Zlob.Downloader.vat
+ Zlob.Downloader.vdt
+ Zlob.ZipCodec

Total: 595073 fingerprints in 154556 rules for 3893 products!

False positive detections fixed this week:
False Positive for "ContraVirus" and "VirusBlast" has been fixed with this week's definition updates. Also removed from the immunizations list is Hotlinkfiles.com. This was done after they implemented anti malware scanning of all uploaded files.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans are constantly modified by it's maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

This article has extended content.
Continue reading "Spybot Search and Destroy Definitions Updated on 5/7/2008" »

Posted by Wiz at 9:36 PM | Permalink

back to top ^

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

In the beginning of this series I was using MailWasher Pro filters exclusively, to detect and delete incoming spam email. Since then I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see at all. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool; MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

My analysis of this week's spam shows that male enhancement pills, Viagra and other pharmaceuticals occupy the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes, pirated software and Google redirect exploits to fake "video codecs" (e.g: the Zlob Trojan and other Trojan Horse executables) falling further behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days comes from zombie computers, used as spam relays, in various Botnets.

As is usually the case, the category "Other Filters" has the second largest percentage in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever email subjects, such as: one word subject, digits and consonants senders, various HTML tricks, 2 line spam tricks, and some lottery and financial fraud and phishing scams. The spam main categories that rated a measurable percentage are listed below.

The current percentage of identified spam that made it through the filters on my mail server is 38% for the week ending May 4, 2008. These messages were all identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter" which then flags any similar messages as spam, making them easy to spot in the message list. This has earned the category "Learning Filter" a small spot in the list below. :-)

Download MailWasher Pro Here

MailWasher Pro spam category breakdown for April 28 through May 4, 2008.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).

Posted by Wiz at 3:33 PM | Permalink

back to top ^