Blog Archives

January 29, 2012

My spam analysis January 22 - 29, 2012

For the third week in a row, the percentage of spam to all of my accounts has dropped. This time it decreased by 9% from last week, which is a significant decline and might signal a trend (one can only hope).

My total email received this week is up by 81 from last week. But, the volume of spam only increased by 28 messages. I noticed a big increase (pardon the pun) in Male Enhancement pill scams and a slight increase in the amount of the phony "ClubVIP" Casino spam.

Happily, there was a significant drop in the number of spam messages containing links to malware. These scams typically pretend to be failed or pending ACH transaction notices from NACHA, or from a bank. There have been some very significant arrests and public naming of suspects behind many of the top botnets, including the Koobface gang. Many of the persons named, arrested, or on the run are Russian, Romanian and Ukrainian citizens responsible for installing banking Trojans onto victims' computers. My guess is that the remaining active bot masters are lying low right now, until the heat dies down.

The following is my analysis of spam for the week of January 22, through 29, 2012.

Continue reading "My spam analysis January 22 - 29, 2012" »


January 22, 2012

My spam analysis and threat assessment for 1/16-1/22, 2012

After surging around January 1, my level of spam has shown signs of decreasing. It has dropped 2% from last week, making spam 38% of my total incoming email, from January 16 through 22, 2012.

In addition to the percentage drop, there was also a large drop in the actual number of messages classified as spam. In fact, I saw about 50% fewer spam email messages this week as compared to the previous week.

The email threats this week were mostly BBB fraud, with links to fake complaint reports that redirected to malware servers. There were also several miscellaneous scams with fake query strings appended to .htm files. These links lead to compromised websites which redirect to the Blackhole exploit kit, a crimeware kit of Russian origin. People with JavaScript enabled and an out-of-date Java browser plug-in installed would be exploited silently, with no prompt or download dialog. Their PCs would become members of a botnet and begin spewing out spam and DDoS attacks. Some of these exploits also install bank account stealing Trojans.

The following is my analysis of spam for the week of January 16, through 22, 2012.

Continue reading "My spam analysis and threat assessment for 1/16-1/22, 2012" »


January 16, 2012

My spam analysis and spam filter updates, for Jan 9 - 16, 2012

I just compiled my personal spam statistics for the 2nd week of January, 2012 and found that spam accounted for about 40% of my incoming email. This is down 4 points from the same period last year, but 1 point higher than the previous week.

The leading category by a long shot was for the fake ClubVIP Casino. There is no website with such a name, just a bunch of various recently registered domain names that all point to fake casino pages. As was the case last week, these casino pages display an image that is wrapped in a hyperlink, which leads to the downloading of a suspicious executable. Once you install that file, you will part with a lot more money than if you shot craps at a real casino.

The second highest spam category was for fake (replica) watches, followed by counterfeit Cialis and Viagra. All other categories had smaller percentages, as outlined in my extended comments.

These spam statistics are derived from MailWasher Pro, which is a POP3 email screening program that runs on a Windows desktop. It intercepts all incoming email and analyzes it, based upon several factors, the most prominent of which are my own custom spam filters.

Total incoming email from January 9 through 16 (4 PM EST): 516
Good mail: 308
Classified as spam: 208
Percentage rated spam: 40.3%

Continue reading "My spam analysis and spam filter updates, for Jan 9 - 16, 2012" »


January 8, 2012

Spam percentage continues to increase in 1st week of 2012

For the second week in a row, my email spam percentage has exceeded the amounts recorded during the last quarter of 2011. At 39% it is 7 points higher than the same period last year. I will review the various percentages of spam by category, as obtained from my anti-spam program, MailWasher Pro.

For the last couple of weeks there has been a huge amount of spam for the "ClubVIP Casino." The links in the email messages spamvertising this currently Romanian-hosted casino use various domain names, all of which redirect to a server running nginx (a web server originally written in Russia but in wide legitimate use; the server software by itself is not the red flag here). When a victim is enticed to click on a link to this casino, rather than arriving at an actual online casino (currently hosted at 89.136.223.126), all they see is an image that is a clickable link to a suspicious file download, currently named SetupClubVIP.exe. The file imports functions from kernel32.dll; since practically every Windows executable does that, the import table alone says nothing about what the program will do once it is run, and an unsolicited installer served from a throwaway domain is reason enough not to run it. I tried to have it analyzed at VirusTotal by submitting the URL, but the Romanian server is blocking VirusTotal's attempts to download the file (VirusTotal also accepts direct uploads, so a copy saved to disk can still be submitted).

I would advise anybody who asks my opinion to stay away from this type of scam. Do not download suspicious files to your computer to play any online games. Above all else, make sure you have the very latest and up-to-date anti-malware program installed, to protect your PC, just in case you slip up.

Now, on to the percentages of spam by category, for the week ending January 8, 2012.

Continue reading "Spam percentage continues to increase in 1st week of 2012" »


January 2, 2012

My end of 2011 spam analysis

Here it is, New Years day, 2012 and I have just analyzed my email statistics for the past 9 days. After being down for months, spam levels have returned to last year's level of 49%, from Dec 23, through Jan 1. Spammers have indeed ended 2011 with a bang!

After some reading of my security sources' blogs, I have learned that most of this spam blast over the last week-plus was spewed out by one of the few remaining big botnets: the Cutwail botnet. This botnet, like most of the others taken down during 2011, is operated from Russia. The Russian bot master may have just been fingered by Brian Krebs, in his "Pharma Wars" article posted on Jan 1, 2012.

The top categories of products and services being spammed the most over the last 9 days were for casinos, male enhancement gimmicks and various illicit pharmaceuticals sold from fake Internet pharmacies.

Lesser categories of spam included replica watches, fake diplomas, Russian dating and bride scams, Nigerian 419 scams and a few malware links to Russian exploit kits. I even got some unreadable Russian-language spam encoded in the Windows-1251 (Cyrillic) character set.

As for totals, from December 23, 2011, through January 1, 2012, of the 339 messages I received, 169 were classified as spam, equaling 49% of all email for that period. This is exactly the same percentage of spam from the same time period last year.

Continue reading "My end of 2011 spam analysis" »


December 27, 2011

How to install MBAM and Trend Micro Internet Security on same PC

This article is targeted at security-conscious people who have purchased Trend Micro security programs to protect their PCs and also want to keep an existing installation of Malwarebytes' Anti-Malware on those computers.

I am one of those people. I have a subscription for Trend Micro Titanium Anti-Virus and Malwarebytes' Anti-Malware (MBAM). I recently was notified that I was entitled to a free upgrade to version 2012 of Trend Micro, so I downloaded it from their website. Up to that point both programs were getting along just fine. Ah, but change awaited me.

The upgrade was a simple process that combines uninstalling the previous edition (2011) and installing the newer version (2012). After the uninstaller removes the previous version you are instructed to reboot. Here is where I encountered my first obstacle.

Privileges

I operate as a Windows 7 "Standard User," which is the non-administrative account type. In Windows XP terms that is closer to a Limited User than to a Power User: a Standard User cannot write to Program Files, the Windows folder or the machine-wide registry hives without elevating through a UAC prompt. I like it that way. Running this way greatly reduces the damage an accidental exploit can do, because malware runs with the privileges of the account that launched it and cannot silently modify the operating system (see my articles about privileges, here, here and here). It also means that in order to install security programs, or any program that writes to operating system locations, I must use the "Run as administrator" right-click option and supply administrator credentials at the UAC prompt.

I was working inside my Standard User account when I received the notice about the free upgrade to Trend Micro 2012, so I ran the installer using Run As Administrator. The first step was to uninstall my existing version (2011) of Trend Micro Titanium, then reboot. Everything went fine until I rebooted into my Standard User account.

Continue reading "How to install MBAM and Trend Micro Internet Security on same PC" »


December 19, 2011

Four Reasons to Monitor Internet Usage

Takeaway:

Do you know what your employees are doing online, on company time? How can their online activities impact not just productivity, but also your company's bank accounts? Are you or your admins monitoring your employees' online activities to find out what they are doing that could negatively impact your company?

As an administrator or a security professional, your job depends heavily on information. Both roles require that you stay on top of things and are always aware of what is going on throughout your network. There are different ways to acquire that information, depending on what you are looking for.

By monitoring internet usage the following information can be ascertained:

  1. Internet Usage: This may be stating the obvious but information on internet usage is essential for an administrator and/or a security professional. With this information one can find out:
    • How much time users spend browsing
    • How much bandwidth is being consumed and for what
    • Which sites people are visiting the most.
  2. Policy adherence: A good Internet usage monitor will report which internet usage policies users have tried to breach, how often they have attempted it, and how many users have attempted it. That information can then be used to identify the reasons for the attempts. Is the policy too strict, stopping people from doing their job? That analysis can identify changes that make the policy less restrictive without compromising the underlying security reason for it. It could also be that people don't understand the reasons for a particular security policy, in which case this is the perfect opportunity to educate your users.
  3. Bandwidth: When you use an internet usage monitoring solution you can get a clear picture of which websites are eating up a lot of bandwidth and those users whose activity online is consuming excessive bandwidth. If your bandwidth is being used by employees who are streaming media that has no relevance to the business, you can proactively limit bandwidth use through quotas or by blocking certain sites altogether.
  4. Threats: It's very important to know if and when users try to access malicious sites, because if a sudden increase is seen it can be an indication that someone is either targeting your organization or some other security mechanism has failed - for example the anti-spam solution is no longer catching phishing emails and users are clicking on links which they should not. This information can also potentially pinpoint troublesome employees. If you see a user trying to access sites that are infected with Trojans and other malware it should raise a red flag and you should investigate why that user is accessing those sites.

With a good internet usage monitoring solution you can keep an eye on what is happening within your organization enabling you to be proactive on issues that you would otherwise not be aware of.

This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd and edited by Wiz Feinberg. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about why you need to monitor internet usage.

December 18, 2011

Spam and email threat analysis for the week ending Dec 18, 2011

This past week, I saw another consecutive 2% increase in my percentage of spam, vs legitimate email, bringing my spam percentage up to 26%. This week last year, my spam percentage was 47%. This year I am seeing just over half as much spam as in 2010.

As for email-borne malware threats, I received 11 messages leading to malware servers and none that carried malware in attached files. Of these malware threats, 7 spoofed NACHA and ACH pending bank transaction notices, 1 spoofed the BBB, and 3 had fake query strings appended to files ending with a .htm extension. All of the above led to Russian crimeware exploit kits which use Java exploits to install either the Zeus or SpyEye banking Trojans, and also make those PCs members of spam botnets.

The balance of the incoming spam email was divided among the usual spam categories of pharmaceuticals, casinos, fake diplomas, replica watches, weight loss, and ridiculous Russian Bride dating scams, most of which had male names for the senders, but Russian female names in the message body (like "Olga from Russia, Moscow"). The grammar is absolutely horrible in those scams.

Top Spam Categories for the week ending on December 18, 2011:

These statistics were obtained from MailWasher Pro, an anti spam program that goes between email servers and your desktop email client.

Continue reading "Spam and email threat analysis for the week ending Dec 18, 2011" »


December 14, 2011

MailWasher spam filter for links to .htm files with huge query strings

For the past week, I have been seeing and reporting (to SpamCop), scam email messages claiming to come from various financial agencies, or banks, with unusual links; all leading to malware servers. This is a continuation of the ACH, FDIC, etc., malware fraud that has been making the rounds for the past few months.

What's different about the links in these new scams is that they are HUGE! They all start out like any normal hyperlink, with a domain name and a particular file. But, appended to the end of the file name is a humongous "query string" (query strings begin with a question mark), containing multiple long groups of letters and numbers, separated by = signs. I have just analyzed one that has 214 alpha-numeric characters in the query string!

But, like octopus ink, things aren't always as they appear to be!

Being a webmaster and web page writer, it didn't take me long to figure out that the file the query string was appended to was not a server-side script. It could possibly have been rigged to be one, for example if the site had been configured to run .htm files through PHP, but these are not. They are plain Jane HTML files ending in the extension .htm. A static .htm file contains no code that could read a query string, so the server returns the same file contents no matter what follows the question mark. (The string is not thrown away entirely: it still lands in the server's access log, the browser still exposes it to any JavaScript in the page through location.search, and it travels in the Referer header to whatever the page loads next. So it can serve as a tracking token, or defeat exact-URL blocklists, even though it changes nothing about the page that is served.)

All of the rigged links I have traced are placed on compromised websites hosted on Apache web servers. A default Apache configuration does NOT parse .htm or .html files for active content unless someone has added a handler for them (such as an AddHandler directive or server-side includes); they are treated as "static" or flat files. Whatever characters follow the file name and extension, the Apache servers where these links point ignore the phony query strings when deciding what to serve.

But the .htm file type link in the scam emails is not where this story ends. The contents of each and every one I have analyzed consist of a few simple lines of straightforward HTML code and an "iframe" (inline frame), which imports a page hosted on a Russian website named csredret.ru (or a variation thereof). That page contains JavaScript that fingerprints the brand of browser you are using and its installed plug-ins, then serves an exploit matched to them, especially to unpatched versions of Java.

After seeing another such scam email link tonight, I decided to write a spam filter to detect this type of link. I named the filter: "Fake Query String In Link." The filter is for the anti-spam program MailWasher Pro.

Continue reading "MailWasher spam filter for links to .htm files with huge query strings " »
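One way to implement the same check outside MailWasher, as an added example rather than the author's own filter: the Python below extracts links from a message body and flags any whose path ends in .htm or .html but carries a query string longer than a threshold. The threshold, the regular expressions and the two sample messages are constructed for this example and are not taken from the scams described above.

```python
"""Flag e-mail links to static .htm/.html files that carry a long query string.

Added example; not the MailWasher Pro filter from the article. The sample
messages at the bottom are constructed.
"""
import re
from urllib.parse import urlsplit

# Any http(s) URL; stop at whitespace, quotes or angle brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Extensions a default Apache install serves as flat files.
STATIC_EXTENSIONS = (".htm", ".html")

# A query string longer than this on a static file is treated as suspicious.
# The threshold is an assumption chosen for this example.
MAX_STATIC_QUERY_LEN = 40


def find_suspicious_links(body, max_query_len=MAX_STATIC_QUERY_LEN):
    """Return [(url, query_length), ...] for links to .htm/.html files whose
    query string is longer than max_query_len."""
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")            # trailing punctuation from prose
        parts = urlsplit(url)
        if not parts.path.lower().endswith(STATIC_EXTENSIONS):
            continue                        # scripts may legitimately take queries
        if len(parts.query) > max_query_len:
            hits.append((url, len(parts.query)))
    return hits


def is_fake_query_string_spam(body):
    """True when the message carries at least one such rigged link."""
    return bool(find_suspicious_links(body))


# Constructed sample: modelled on the ACH/NACHA notices described above.
SAMPLE_SCAM = (
    "Dear customer, your ACH transaction has been cancelled. Review the report at\n"
    "http://example-compromised-site.test/report.htm?"
    "id=8f3a9c1e2b7d4f6a0c5e1b9d3a7f2c8e=4b6d8f0a2c4e6a8c0e2a4c6e8a0c2e4a=91f3\n"
)

# Constructed sample: ordinary links, including a script that takes a query.
SAMPLE_LEGIT = (
    "Here is the page you asked about: http://www.example.test/about.html\n"
    "and the search results: http://www.example.test/search.php?q=mailwasher&page=2\n"
)

if __name__ == "__main__":
    for label, body in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(label, find_suspicious_links(body))
```

The check keys on the path extension rather than the domain, so it keeps working when the spammers move to a new batch of compromised hosts; the threshold is the only tunable, and 40 characters is generous enough that an ordinary tracking parameter on a static page will not trip it.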


December 13, 2011

Java updated to version 6 update 30, on December 12, 2011

Oracle, the current keeper of Java software, has released a new version to fix stability problems in previous versions and improve performance (see bug fix page). The new version's common name is Java 6 update 30. The official version number is actually 1.6.0_30-b12. If you have Java installed I recommend keeping it updated to the latest version, whenever Oracle releases one.

I often write about Java vulnerabilities being exploited by criminals who install exploit attack kits onto web servers under their control; mostly in the former Soviet Union. The number one exploit targets vulnerabilities in Java. In my last blog article I wrote a couple of paragraphs about how Java vulnerabilities are exploited to take over computers with no user interaction.

If you have Java installed on any of your PCs, it is important to check for updates and apply them as soon as possible. Windows PC users can check for updates by using the Control Panel Java applet's "Update" tab. On that tab there is a section where you can select automatic checking for updates on a schedule of your choice. Since Oracle's Java releases do not follow a schedule you can plan around, I recommend setting the automatic checks to every day, at a time when the PC is turned on. The updater hides in the System Tray, by the clock, and only appears if there is an update available.

You can also check for Java updates manually, from the same Java applet icon in Control Panel. It is found on the Update tab page, as a button labeled Update Now. Use it to install the latest version, if you haven't already received notification by the auto-updater.

It is important that you uninstall all previous versions of Java, because an older runtime left on the disk is still the same vulnerable code and can still be launched, whether by a program pointing at its folder or by an applet requesting that specific version. Use your Control Panel "Add/Remove Programs," or the Windows 7 "Programs and Features" icon, to get rid of all builds prior to the latest version. Reboot after you run all of the old Java uninstallers. Then, after you re-enter Windows, go to Start and open "(My) Computer," double-click the C drive, then Program Files (and, on 64-bit Windows, Program Files (x86) as well), and look for the Java folder. Open it and look for any leftover folders for older Java version numbers, and delete them manually. Keep in mind that the current version, as of 12/12/2011, is version 6 update 30, which appears internally as 1.6.0_30.
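A way to check for stragglers, as an added example that is not part of the original article: the script parses both version formats Java uses, the internal "1.6.0_30" form seen in folder names and the "Java(TM) 6 Update 30" form seen in Programs and Features, and sorts the entries into older than the current release, current or newer, and undeterminable. The entry names below are constructed; on a real PC you would feed it the folder names under Program Files\Java and the display names from the Uninstall registry key.

```python
"""Sort Java installation names into stale / current-or-newer / unknown.

Added example, not from the original article. The entries in SAMPLE_ENTRIES
are constructed to look like Programs and Features and Program Files\\Java.
"""
import re

# "Java(TM) 6 Update 30", "Java(TM) SE Development Kit 6 Update 20", "Java 7 Update 2"
UPDATE_RE = re.compile(r"\b(\d+)\s+Update\s+(\d+)\b", re.IGNORECASE)

# "1.6.0_30-b12", "jre1.6.0_24", "jdk1.6.0_30"; update and build are optional
INTERNAL_RE = re.compile(r"1\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?", re.IGNORECASE)


def parse_java_version(text):
    """Return (major, update) for a Java version string, or None when the
    string carries no update number (e.g. the bare folder name 'jre6', whose
    real version can only be read from the registry or from java.exe)."""
    m = UPDATE_RE.search(text)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = INTERNAL_RE.search(text)
    if m and m.group(3) is not None:
        return int(m.group(1)), int(m.group(3))
    return None


def sort_java_installs(entries, current=(6, 30)):
    """Split entries into (stale, current_or_newer, unknown) relative to
    the release given as (major, update). Tuple comparison handles a newer
    major version (7, 2) > (6, 30) correctly."""
    stale, current_or_newer, unknown = [], [], []
    for entry in entries:
        version = parse_java_version(entry)
        if version is None:
            unknown.append(entry)
        elif version < current:
            stale.append(entry)
        else:
            current_or_newer.append(entry)
    return stale, current_or_newer, unknown


# Constructed sample: a PC updated several times without cleaning up.
SAMPLE_ENTRIES = [
    "Java(TM) 6 Update 30",
    "Java(TM) 6 Update 24",
    "Java(TM) SE Development Kit 6 Update 20",
    "jre1.6.0_29",
    "jre6",
    "1.6.0_30-b12",
    "jdk1.6.0_30",
    "Java 7 Update 2",
]

if __name__ == "__main__":
    stale, ok, unknown = sort_java_installs(SAMPLE_ENTRIES)
    print("remove:", stale)
    print("keep:  ", ok)
    print("check manually:", unknown)
```

Anything that lands in the "unknown" list deserves a manual look rather than a blind delete: the "jre6" folder is where the in-place updater for Java 6 lives, so it may hold the current release, an old one, or nothing useful.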

You can also check to see if you have Java installed on this page on Java.com. You can download the latest stable version of Java from java.com.

If your computers have Java installed (even an old insecure version), you can check to see if you have any insecure software installed, or are missing any Windows Updates, by using the Secunia Online Software Inspector. It uses Java to scan your computer for out-dated software and browser plug-ins, including Java itself, and provides download links to get the latest versions of those programs or plug-ins. I recommend scanning with Secunia once a week, just to be sure you are fully patched!


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is computer and website security. Wizcrafts Computer Services was established in 1996.
Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.