August 30, 2007

Microsoft Issues Out-Of-Cycle Time Zone Patch via Windows Updates

Yesterday, in an unusual move, Microsoft issued an out-of-cycle patch through its Automatic Windows Updates service. This update fixes issues caused by the US changes to Daylight Saving Time.

In a very long Microsoft support article titled "August 2007 cumulative time zone update for Microsoft Windows operating systems" (KB933360), the company explains the reason for this re-release of the DST patch originally issued in January 2007.

This update supersedes and replaces update KB931836, released in January 2007. This update also includes additional time zone changes that were signed into law after update KB931836 was created.

In a déjà vu moment the new information includes the following caveat:
Important: Before you apply the update that is described by this article, be aware of potential issues that may affect Microsoft Office Outlook.

See Microsoft article KB931667 for details about how to address the daylight saving time changes in 2007 by using the Time Zone Data Update Tool for Microsoft Office Outlook.

KB931667 applies to:
• Microsoft Office Outlook 2007
• Microsoft Office Outlook 2003
• Microsoft Outlook 2002 Standard Edition
• Microsoft Outlook 2000 Standard Edition

If you want a complete white paper describing these issues, just read the new knowledge base article. Otherwise, just download the patch manually, if you haven't already received it via Automatic Windows Updates.

Interesting note to Limited Users and Power Users
As a Windows XP Professional "Power User" I am not accustomed to seeing Windows Updates unless I have logged into an Administrator level account. But, last night, as I was turning off my computer I saw a notice that an important Windows Update was waiting to be installed and to "Click Turn Off to continue installing it." In a few moments my DST patch was installed and my 'puter shut itself off for the night. This is good news for it provides a means to deliver system level patches to users operating with reduced user privileges, for their own protection. It's actually the second time this year that I have received a Windows Update while signing off for the night.

For those who are curious about why I would run with less than administrator privileges, read my blog article titled "Limited User Privileges Protect Against Malware Infections."

When I booted into Windows this morning I logged into an administrator level account to see what patch I had received the night before. I opened Internet Explorer to Microsoft Updates and clicked on the left link; "Update History." There I learned that this was a new Daylight Saving Time patch. For the heck of it I clicked on Update Home, then on the "Express" (Updates) button. I was surprised again to see a brand new update available for Windows Media Player 11, which I installed. This is something that is normally pushed out over Automatic Windows Updates, to administrator level accounts. While you are grabbing the DST patch check to see if you are offered the Media Player 11 patch also.

There was also a definition update issued today for Microsoft Defender.


August 29, 2007

Blog spammers still wasting their time trying to spam this unspammable blog

Sometimes people who you'd think know what they're doing are just so completely clueless that it makes me laugh! I am referring to blog spammers: the guys in Russia, Ukraine, Estonia and other parts of the former Soviet Union who relentlessly pound away at their keyboards, sending comment and trackback spam messages to every MovableType blog they can locate. They must assume that most of these blogs accept these comments and blindly publish them, because they keep trying to post spam messages to MT blogs, linking back to their spamvertised websites hawking various drugs or pornography.

Well, I for one don't allow any comments or trackbacks on my blog. It says so in plain, bold English and Russian words, at the top-right of every blog page, and in all of my blog search results pages. Look under the Google Search box, at the top right of this page, and you'll plainly see where it says:

SORRY: NO COMMENTS, NO TRACKBACKS
КОММЕНТАРИИ и TRACKBACKS ВЫКЛЮЧЕНЫ и НЕ ИЗДАНЫ!

Now, if I wanted to spam this blog and I read that, I'd move along to an easier target and not waste my time on this one. Yet, when I read my server access logs I see that somebody keeps trying to post comments and trackbacks to specific articles in my archives (all of which get a server 403 response), then tries to search for them on the pages to which they were targeted. However, since I don't want any comments or trackbacks I have deleted the Perl files that handle them and disabled those functions in my global settings. Heck, I have even stripped out all the code referring to trackbacks from my page templates. Even I can't post a trackback on this blog!

Since these spam comments never reach my blog, when the idiots who try to post them search for them on the target pages, nothing is found matching those spam terms. Boris the Spammer needs to get a life or find less secure targets to pester. Instead, he plugs away fruitlessly on this blog, filling my access logs with all kinds of new IP addresses for me to add to my ever-growing Russian Blocklist.

Countless webmasters are using my Russia+Exploited Servers Blocklist. Most of the IP addresses in the Russian blocklist are gathered from my own raw access logs, from stupid blog spammers who evidently can't read the English or Russian notice that I don't allow comments or trackbacks.

If you have a blog or forum that is getting scammed by Nigerians, or spammed by Russians, one or more of my .htaccess blocklists may help you get rid of these leeches. Note that they only work on Apache web servers, unless your Windows server has an ISAPI rewrite module installed by the company leasing the server space to you. You can use my Webmaster Contact page to hire me as a consultant to help keep scammers and spammers off your website.
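As an added example (my own, not the blog author's scripts or blocklists), here is a small Python tool that does what the paragraphs above describe by hand: it reads Apache access-log lines, picks out requests to the MovableType comment and trackback handlers, counts them per client IP and emits Apache 2.2-style .htaccess deny rules, collapsing to a whole /24 when enough hosts in that block are offending. The handler names mt-comments.cgi and mt-tb.cgi, the /mt/ path and the log lines themselves are assumptions constructed for this example (documentation address ranges); the page does not give them.

```python
"""Mine Apache access logs for MovableType comment/trackback spam probes and
turn the offending client addresses into .htaccess deny rules.

Added example, not the blog author's tooling. Assumptions: logs are in Apache
"combined" format; the (deleted) MT handlers were mt-comments.cgi and mt-tb.cgi,
so any request to them now draws a 403 or 404 and can only be a spam probe.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# One Apache "combined" line: ip ident user [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# MovableType's comment and trackback scripts (assumed names; removed from the server).
SPAM_HANDLERS = {"mt-comments.cgi", "mt-tb.cgi"}

# Constructed sample log using documentation address ranges; not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [29/Aug/2007:03:14:07 -0500] "POST /mt/mt-tb.cgi/123 HTTP/1.1" 403 212 "-" "Mozilla/4.0"
192.0.2.10 - - [29/Aug/2007:03:14:09 -0500] "GET /archives/2007/08/storm_worm.php?q=viagra HTTP/1.1" 200 8811 "-" "Mozilla/4.0"
192.0.2.11 - - [29/Aug/2007:03:20:41 -0500] "POST /mt/mt-comments.cgi HTTP/1.0" 403 212 "-" "Mozilla/4.0"
192.0.2.11 - - [29/Aug/2007:03:20:43 -0500] "POST /mt/mt-comments.cgi HTTP/1.0" 403 212 "-" "Mozilla/4.0"
192.0.2.12 - - [29/Aug/2007:04:02:00 -0500] "POST /mt/mt-tb.cgi/77 HTTP/1.1" 404 212 "-" "Mozilla/4.0"
192.0.2.12 - - [29/Aug/2007:04:02:02 -0500] "POST /mt/mt-tb.cgi/78 HTTP/1.1" 404 212 "-" "Mozilla/4.0"
198.51.100.7 - - [29/Aug/2007:05:00:12 -0500] "POST /mt/mt-comments.cgi HTTP/1.1" 403 212 "-" "Mozilla/4.0"
198.51.100.7 - - [29/Aug/2007:05:00:13 -0500] "POST /mt/mt-comments.cgi HTTP/1.1" 403 212 "-" "Mozilla/4.0"
203.0.113.5 - - [29/Aug/2007:05:10:00 -0500] "GET /index.php HTTP/1.1" 200 15002 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
"""


def parse_line(line):
    """Return (ip, method, path, status) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("method"), m.group("path"), int(m.group("status"))


def is_spam_probe(path, status):
    """True when the request targets a removed MT handler (any path segment, since
    trackback URLs carry the entry id after the script name) and was refused."""
    segments = path.split("?", 1)[0].split("/")
    return status in (403, 404) and any(seg in SPAM_HANDLERS for seg in segments)


def spam_sources(lines, min_hits=2):
    """Count refused handler hits per IPv4 client; keep those with >= min_hits."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _method, path, status = parsed
        if not is_spam_probe(path, status):
            continue
        try:
            if ip_address(ip).version != 4:   # skip hostnames / IPv6 for the /24 logic below
                continue
        except ValueError:
            continue
        hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def htaccess_rules(sources, collapse_threshold=3):
    """Render Apache 2.2 mod_authz_host rules. With "Order Allow,Deny" a matching
    Deny wins over "Allow from all". When collapse_threshold or more offenders
    share a /24, the whole /24 is denied instead of listing each host."""
    per_net = Counter(str(ip_network(f"{ip}/24", strict=False)) for ip in sources)
    rules = ["Order Allow,Deny", "Allow from all"]
    rules += [f"Deny from {net}" for net, n in sorted(per_net.items()) if n >= collapse_threshold]
    for ip in sorted(sources, key=lambda a: ip_address(a).packed):
        if per_net[str(ip_network(f"{ip}/24", strict=False))] < collapse_threshold:
            rules.append(f"Deny from {ip}")
    return rules


if __name__ == "__main__":
    offenders = spam_sources(SAMPLE_LOG.splitlines())
    print("\n".join(htaccess_rules(offenders)))
```

Run it against the real log with spam_sources(open("/path/to/access_log")) and paste the output into .htaccess. On Apache 2.4 the equivalent is "Require not ip ..." inside a RequireAll block; the old Order/Allow/Deny directives need mod_access_compat there. Raise min_hits if a single stray 404 should not earn a ban.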


Spybot Search & Destroy Anti Spyware Definitions Updated on August 29, 2007

If you use the famed, freeware, anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released today, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of the name. These programs are dangerous to your computer and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

2007-08-29

Cookie
++ Burstmedia

Hijacker
+ 180Solutions.SearchAssistant
+ 2020Search
+ 7FaSSt
+ Hyperlinker
+ LocatorBar

Keylogger
+ Elite Keylogger
+ Perfect Keylogger

Malware
+ ABetterInternet
+ AzeSearch
+ Contra-Virus
++ DoctorSpyware
+ Nous-Tech.UCleaner
+ SpywareBot
+ Win32.Renos

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
+ VX2.h.ABetterInternet
+ SecondThought.STCLoader
++ EZ-Snoop.Server
++ SurfSpy
++ WarezP2P.cck

Trojan
+ Cimuz
++ SDBot.SideBySide
+ Smitfraud-C. (2)
+ Virtumonde (132)
++ Win32.Agent.bnx
+ Win32.ConHook.ah
++ Win32.Peed
++ Win32.Small.Of
+ Zlob.Downloader
++ Zlob.XXXPlugin

Total: 434858 fingerprints in 80919 rules for 3275 products.

Spybot Search & Destroy is now compatible with Windows Vista, but needs administrator rights to perform its security functions. A new version, 1.5, will soon be released that will carry the Works With Windows Vista Logo. Stay tuned for more information about version 1.5.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any, security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the context menu select Properties. In the "System Properties" dialog select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (this takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

As you can see from the long list of new detections this has grown into a major piece of work for the author and he could sure use some financial assistance to cover the huge amount of time it takes to update these definitions. There is a donation button on this page and I know he will appreciate your contributions!


August 23, 2007

Spybot Search & Destroy Anti Spyware Definitions Updated on August 22, 2007

Updates - now published every Wednesday

2007-08-22

Adware
+ CouponBar

Dialer
+ Casinopalazzo
+ Tele Team Work Aps

Hijacker
+ AdsContex.URLChanger

Keylogger
+ Ardamax

Malware
+ ISearchTech
+ Mirar
+ Win32.Agent.pz

Security
+ Microsoft.Windows.RedirectedHosts

Trojan
+ 1und1Bill.Fake
+ Ardamax.Rose
+ DR.Small.n
+ Fraud.ProtectionBar
+ Haxdoor-H
+ Hupigon
+ Hupigon.BitLord
+ Smitfraud-C.
+ Spambot.bxz
+ Win32.Agent.arc
+ Win32.Agent.byh
+ Win32.Bifrose.aci
+ Win32.Bifrose.kt
+ Win32.Delf.vw
+ Win32.Hupigon.mc
+ Win32.IceSword
+ Win32.Magania.rs
+ Win32.VLAuto
+ Zlob.VideoActiveXAccess
+ Zlock.uc

Total: 433527 fingerprints in 80647 rules for 3250 products.


Email Threat - Trojan-Downloader "Storm Worm" - Its History, Payload and Variants

This is a follow-up to an article I wrote about the Storm Worm, in my blog a couple of days ago. That entry was meant to warn you about the new variations in the subjects and body text, designed to trick you into getting your computer infected. This article presents a brief history and analysis of the methods used to infect computers, as well as a description of the actual payload, of the so-called "Storm Worm" Trojan downloader.

History of the Storm Worm Trojan

Distributed through massive blasts of spam emails, the threat now known as the "Storm Worm" Trojan-Downloader was first noticed in the wild in November, 2006 and has gone through many external alterations since then, although the payload has remained basically the same. Various anti virus companies have labeled the variants with such names as: Win32/Nuwar, Trojan.Peacomm, Trojan-Downloader.Win32.Small.DAM, Trojan.Downloader-647, Trojan.DL.Tibs.Gen!Pac13, Win32.Zhelatin, and of course: "Storm Worm."

The Trojan now called the "Storm Worm" got its name after a huge spam run on Friday, January 19, 2007, which used the subject line "230 dead as storm batters Europe" to trick people into clicking on links to supposedly read news articles and emergency bulletins about the terrible storms that ravaged Europe during that week. By the following Monday the Storm Worm accounted for 8% of all spam, on a global basis. It received even more notoriety when it was used by infected zombie computers, all members of a BotNet using the eDonkey/Overnet P2P protocol, to launch DDoS attacks against several well known anti spam websites, from January through June, 2007. In fact, some of those attacks are still ongoing against Spamhaus and CastleCops.

How the Storm Worm is able to carry out such large scale attacks is directly related to its success in getting a huge installed base of zombie computers, with different security sources giving varying numbers of infected machines ranging from 2 to 20 million. Either number is too many. There are enough members of the Storm Worm Botnets to bring down an entire country! This has been done entirely by using social engineering tricks to deceive people into clicking on links in spam emails, which lead the victim to other infected computers, where they become infected and join the largest peer-to-peer Botnet ever assembled in the history of Botnets. Each new member of this network receives copies of the Storm Worm Trojan Downloader, a copy of the Nginx web server, an email address collection program, a spam sending program (SMTP Server), a DDoS tool, and connection scripts related to the P2P node in which it has been enlisted. All of these machines are remote controlled by criminal masterminds, known as "BotMasters." The owners of this Botnet are suspected of residing in various parts of the Former Soviet Union and are the most prolific spammers in the world.

Method of Infection

As I said in the previous paragraph, the Storm Worm spreads by tricking people into clicking on links to a web page hosted on an already infected computer, where they are then infected and zombified into the Botnet. There, they await remote control orders to do the bidding of the BotMaster. So how are these computers infected with the Worm/Trojan itself?

When a person using any version of Windows arrives at the fraudulent web page being hosted on a Storm Worm infected computer, one of two things can occur, depending on whether or not the visitor's browser has JavaScript enabled (most do, by default).


  1. If JavaScript is disabled they will see a plain text message claiming that the website they want is undergoing some tests, or that an additional plug in or applet is needed to view the content they were enticed with, followed by a text link to click to manually get or see the needed file, or applet. Now, what should I do? It says to click here, but I don't know if I should or not... Oh well, I'll just try it real fast to see what it does and back out if it doesn't look right -> "Click" ... They just infected themselves with the Storm Worm! Idiots!

  2. If JavaScript is enabled a script will instantly redirect them to a foreign server which is acting as a Worm host for their Botnet node. Once there their browser will be subjected to at least three attempts to exploit different known vulnerabilities in unpatched Windows computers. Chances are very good that one of these attempts will be successful, unless the computer is very well protected and completely up to date with all available Windows Patches and Internet Explorer 7 with all patches installed. Older versions of Firefox may also be at risk (prior to 2.0.0.6), if JavaScript is enabled, because the script initiates a file download. If the victim arrives using an older, unsupported version of Windows (9x, ME, 2000 before SP4, or XP with SP1), or is running an invalid pirated copy of Windows XP, they will NOT be up to date with critical patches and WILL probably be infected immediately (except for Limited User or Power User accounts).

Now that we know how Windows computers get infected, what are some of the current social tricks being used to fool people into (A) opening the message, (B) reading it and (C) clicking on the obviously strange numeric link?

Subjects recently used in the Storm Worm e-mail messages include:
Postcard scams:
You've received a (postcard, ecard, greeting card) from a (Friend, Worshipper, Mate, Class-Mate, Family Member, etc).

Newest scam subjects as of mid-August, 2007:
Cat Lovers, Dated Confirmation, Internal Support, Internal Verification, Login Info, Login Information, Login Verification, Member Confirm, Member Details, Member Registration, Membership Details, Membership Support, New Member Confirmation, New User Confirmation, New User Details, New User Letter, New User Support, Poker World, Registration Confirmation, Registration Details, Secure Registration, Tech Department, Thank You For Joining, User Info, User Verification, Your Member Info, Welcome New Member

And the senders aliases have been:

Bartenders guide, Bartenders Guide, Coolpics, Dog lovers, Entertaining pics, Entertaining pros, Fun World, Free ringtones, Free web tools, Game Connect, Internet Dating, Job search pros, Joke-a-day, Mobile Fun, MP3 world, Net gambler, Net-jokes, Online hook-up, Poker world, Resume Hunters, Ringtone heaven, Web, Web cooking, Web connects, Webtunes, Wine Lovers

To learn more about the payload delivered when a PC is infected with the Storm Worm, read my extended comments...

The Payload

Once infected with the Storm Worm a rootkit will be installed that uses a hidden driver file named "Wincom32.sys" that will be injected into the Windows System file "Services.exe" and set to run at startup as a Windows "Service." The Trojan may then hide the presence of the "device" service and its associated file. A file named "peers.ini" will be deposited into the Windows or Winnt (Win2000) directory, while another named "Wincom32.ini" will appear in the %System% directory (C:\Windows\System or C:\Windows\System32 or C:\Winnt\System32). In order to ensure two way communications with the Bot Network peers several UDP ports will be opened, including creating Windows XP Firewall exceptions, if required. However, they will require user approval where a third-party firewall like ZoneAlarm is used.

It may also reboot the computer without prompt when the threat is first executed, to start the "service" running and get your computer registered and operating on the P2P BotNet to which it is assigned. After joining its assigned Botnet node the newly enlisted PC will receive several payload files to use in various types of illegal activity. These include:

game0.exe - Backdoor/downloader
game1.exe - SMTP relay
game2.exe - Email address stealer
game3.exe - Email virus spreader
game4.exe - DDoS attack tool
game5.exe - Updated copy of Storm Worm dropper

From that point onward, unless you are able to remove the rootkit and its component files, or have the threat removed professionally, your computer is not yours anymore. It now belongs to Comrades Boris Badenough and Natasha Darlinck, who are chuckling to themselves in Russian, singing "All your compooter are belong to us!"

Every now and then you may notice the hard drive whirring away and your modem activity lights going mad, but don't worry, it is just busy sending out about 1500 spam messages in 5 minute bursts. Nobody will notice. That is until somebody like me receives one of these scams and reports it to SpamCop, who in turn will trace the sending IP address and time it was sent, and send a spam report to your ISP, who in turn will lookup to whom that IP was assigned at that moment, and they will probably suspend your Internet connection until you get your computer disinfected and protected against future repeat performances.


August 21, 2007

Beware of new variations of Storm Worm Trojan email threats

On July 1, 2007, I wrote a blog article titled "Warning; Trojan in Email Link: You've received a greeting postcard from a family member!" For well over a month my various email accounts were inundated with a constant daily flow of these Postcard scams. There is now an entirely new variation of these threats, in circulation World wide. For those who for some reason don't know what this is about (what rock have you been hiding under?), read the next paragraph. If you understand the basic nature of this threat you can skip to my extended comments.

Since sometime in June this year a Trojan Horse threat, called the "Storm Worm Trojan," has been circulating across the Internet, infecting millions of Windows PCs along its path. At first the subject and message body text referred to ecards, or (greeting) postcards supposedly sent to you from a "Friend," or "Worshipper," or "Class-Mate," or "Mate." They all provided a link (with a numeric IP address in the URL), to visit a website where you could view your card, which would remain viable for "the next 30 days." If you've been on the Internet for a long enough time you are probably aware that URLs are not usually numeric, but are in the form of named websites. Seeing a link that is numeric usually sets off alarm bells! A person would either have to be a total newbie to the Internet, not accustomed to looking at the destination of links in their email client's status bar, or be using browser-based email that does not reveal the destination of links found in emails. Maybe the person receiving that email is a young child who isn't aware of the danger of such links and was excited to think they had received a greeting card.

Anybody who was tricked into clicking on the link was transported to a web page hosted on a compromised zombie computer on a home or business broadband network, located at the numeric IP found in the link they clicked on. This computer is already infected with the Storm Worm and has had a micro Web Server installed on it and is hosting a single web page. That web page contains JavaScript redirection codes and a plain text link to a copy of the Worm that has been placed on that computer. People going to that hostile web page with JavaScript disabled will see the link and the text will urge them to click on it to see their (ecard/message). If the victim arrived using a browser with JavaScript enabled, as most are, a hidden script on that page would send their browser to yet another website, where an image of a fake greeting card, or text about it is displayed. What the victim didn't know is that while they were looking at the fake ecard a hidden download was occurring that was automatically infecting their computer with the Storm Worm Trojan. This turned their computer into both a host of a similar redirection web page and as a sender of spam emails containing a link to their hostile web page, but sent through another compromised computer somewhere else in the World.

Judging by the millions of infected computers hosting these hostile web pages and sending spam links out, there are a lot of folks who have not been practicing "safe hex" (computing). They have not been keeping their Windows computers thoroughly updated and patched, and are not running up-to-date security software (both definitions and program updates). Read the tips in my extended comments about securing your PCs against this and other modern threats to your security.

The new variation of the Storm Worm email messages.

From August 13 onward the subjects and body text have been changing to the point that they no longer mention ecards or postcards at all. Now, the subjects might contain "Tech Department," or "New Membership Confirmation," or "Membership Support," or many random enticing phrases. The new message bodies jive with the subject, as did their predecessors, although the amount of text seems to be reduced. In fact, I have reported a few of these to SpamCop that only contained the word: "click." There is one thing that every single one of these Storm Worm scam messages have in common, to this point; they all contain a hyperlink that starts with http then has a numeric IP instead of a website name, as the destination. At first the URLs contained a question mark and query string, when they were pretending to go to postcards or ecards, but that pretense has now been discarded. The current flavor of the hostile URL looks like this deactivated, imaginary example: ht*p://192.168.103.20/ (192.168.x.x is a private, non-routable range, which is why it is safe to show here). If that were a real URL and you copied it and pasted it into a Whois Lookup at DomainTools or DnsStuff, you would find that it belonged to a customer of a major broadband Internet Service Provider. I have seen IP addresses belonging to RoadRunner, ATT/SBC/Prodigy DSL customers, Charter and Comcast cable Internet home and business computers and many computers around the World. Just about any computer running Windows, using any ISP, could become a Zombie victim, unless every possible Windows Update has been applied and every possible security measure has been put in place. These folks don't know that their PCs are members of a Zombie BotNet, owned by the criminals behind the Storm Worm, and that they are sending out spam emails themselves and that they are actually hosting a hostile web page containing the code that leads to the infection sources.
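As an added example (my own, not code from the blog or from any anti-spam product), here is a Python checker that applies the one constant the paragraph above identifies: a link whose host is a numeric IP rather than a domain name. It parses a raw message, pulls every http(s) link from the text parts, reports the ones pointing at an IP literal, and also matches the subject against a few of the lure subjects quoted in the August 23 post above. The message it runs on is constructed; the IP in it is the page's own imaginary 192.168.103.20, which is a private, non-routable address (real lures point at broadband customer addresses). It goes one step beyond the page by also decoding a host written as a single decimal number, which browsers accept as an IP address.

```python
"""Flag e-mails carrying Storm-Worm-style lure links: an http(s) URL whose host is
a bare IP address instead of a domain name, optionally paired with one of the lure
subjects listed in the post.

Added example, not the blog author's code. The message is constructed; the IP
192.168.103.20 is the page's own deactivated, imaginary example (a private range).
Beyond what the page shows: a host written as one decimal number (http://3232261908/)
is decoded too, since browsers accept that form as an IP address.
"""
import re
from email import message_from_string
from ipaddress import ip_address
from urllib.parse import urlsplit

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)

# A few of the August 2007 subject lines quoted in the post (compared case-insensitively).
LURE_SUBJECTS = {s.lower() for s in (
    "Tech Department", "New Member Confirmation", "Membership Support",
    "Login Information", "User Verification", "Thank You For Joining",
)}

# Constructed sample message, not a real capture.
SAMPLE_MESSAGE = """\
From: Tech Department <support@example.com>
To: victim@example.net
Subject: Tech Department
Content-Type: text/plain; charset=us-ascii

Your account was created. Click here to confirm: http://192.168.103.20/
Or view it at http://3232261908/?id=4412 within the next 30 days.
Need help? See https://www.example.com/support.
"""


def literal_ip_host(url):
    """Return the IP address a URL's host names, if the host is a bare IP in
    dotted or single-decimal form; None for domain names or unparseable hosts."""
    host = urlsplit(url).hostname
    if not host:
        return None
    try:
        return ip_address(int(host)) if host.isdigit() else ip_address(host)
    except ValueError:
        return None


def lure_links(text):
    """Every link in text whose host is an IP literal: (url, ip, 'private'|'public')."""
    found = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")          # trailing prose punctuation is not part of the link
        ip = literal_ip_host(url)
        if ip is not None:
            found.append((url, str(ip), "private" if ip.is_private else "public"))
    return found


def body_text(msg):
    """Concatenate the text parts of a parsed message (transfer-decoding applied)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def assess(raw_message):
    """Classify a raw RFC 822 message: ('storm-lure'|'suspicious'|'clean', reasons)."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    reasons = []
    if subject.lower() in LURE_SUBJECTS:
        reasons.append(f"subject matches a known lure: {subject!r}")
    links = lure_links(body_text(msg))
    reasons += [f"link to IP literal {ip} ({kind}): {url}" for url, ip, kind in links]
    verdict = "storm-lure" if links else ("suspicious" if reasons else "clean")
    return verdict, reasons


if __name__ == "__main__":
    verdict, reasons = assess(SAMPLE_MESSAGE)
    print(verdict)
    for r in reasons:
        print(" -", r)
```

A subject match alone only rates "suspicious" because the lure subjects are ordinary phrases; the IP-literal link is the strong signal, and on a real mail gateway you would feed each reported address to the ISP abuse contact the way the post describes reporting to SpamCop.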

What you can do to protect your PC from the Storm Worm.

The first step in protecting your Windows personal or business computers from Internet Worms and Trojan Horse threats is to obtain every available Critical update and patch issued through Windows or Microsoft Updates. Many of you already have turned on Automatic Windows Updates, thus you receive them sometime on or just after they are pushed out, by Microsoft, on Patch Tuesdays (the second Tuesday of every month). Of course, this assumes that you all are good Netizens and are running legitimate, activated and validated copies of Windows 2000 w/SP4, or Windows XP w/SP2, or Windows Vista, or Windows Server 2003. If you are not using legitimate Windows software you may not receive all available updates, or possibly any at all. You are part of the problem and should do the right thing and purchase a valid license, install and validate it, then get all the updates and patches available for your computer.

Second, equip your network with a NAT router between the broadband modem and all of your computers. This hides your computer from direct attack via TCP/IP port attacks by separating your public IP (assigned by your ISP) from your personal computer(s). See my article about Networking for more information.

Third, stop sharing pirated files with strangers via file sharing services! Many of the personal computers of other file sharers are infected!

Fourth, be sure you are using legitimate, up to date, active security software to watch for, scan for, and if found, remove Viruses, Trojans, Rootkits, Keyloggers, Spyware, Adware, Backdoors, etc. There are links all over my blog for various free and commercial anti virus and anti spyware products.

Fifth, install a software firewall to monitor and challenge incoming and outgoing connection attempts to the Internet. Approve your acceptable programs, like your browsers and auto updaters, ftp programs, email clients, and the like, but watch for unexpected popup warnings about strange program files trying to connect to numeric IPs that cannot be explained by your immediate behavior. If you see a firewall warning that some program that is totally unknown to you is trying to establish an outgoing connection on port xxx, and you didn't just install or update anything you are aware of, it just might be a piece of malware trying to "phone home."

Sixth, if you are using Windows 2000 or XP you should not be running as an "Administrator" for your daily browsing account. Virtually every current malware threat requires full Administrator privileges to install itself into the operating system. Instead, go to Control Panel > "User Accounts (and Passwords)" and create a new password protected account that has Computer Administrator privileges, log off your original account, then log into the new one. From there, open Control Panel > User Accounts, locate your original account and click Change Account Type. Change your regular account from "(Computer) Administrator" to either "Users" or "Limited User" (Win2000 or XP Home), or "Power Users" for Win 2000 or XP Professional. Log off the Administrator account and log back into your regular account, which will now have reduced, safe, user privileges. I have written these articles about how to use lower user privileges to protect your computer:
* Limited User Privileges Protect Against Malware Infections
* Limited User Privileges Protect PCs From Adware, Rootkits, Spyware and Viruses
* Windows 2000 and XP User Account Privileges Explained

August 15, 2007

Spybot Search & Destroy Anti Spyware Definitions Updated on August 15, 2007

If you use the famed, freeware, anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released today, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of the name. These programs are dangerous to your computer and/or your personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

2007-08-(08 & 15) (two weeks of updates listed today)

Dialer
++ CrazyGirls

Keylogger
+ Ardamax (2)
+ Perfect Keylogger

Malware
+ Contra-Virus
++ Goldun.IESwap
+ InetLoader
+ LordOfTibia
+ Smitfraud-C.
+ Smitfraud-C.FakeAlert
++ SpyShredder
+ SysProtect
+ Virtumonde
+ VirusProtectPro
+ Win32.Banker
+ Win32.Poison.l

PUPS (Potentially Unwanted Programs)
++ Ask.MyGlobalSearch

Security
+ Microsoft.Windows.AppFirewallBypass

Trojan
++ Crypt.RegScan (23)
+ CoolWWWSearch.PinAccessCode
+ Fraud.ProtectionBar
+ Keygen.elk
+ MagicAntiSpy
+ MSNRaptor
+ Nod32Crack
+ Nous-Tech.SecurityCenter
+ Search2Find
+ ServU.H
++ Srv.RegScan.quk
++ Talex.FTP.RegScan
+ Tibiabot.crk
+ Tibiabot.pk
+ Toolster.MSCheck
+ Virtumonde
+ Virtumonde.WinPop
+ Win32.Agent.bgy
+ Win32.Agent.bid
+ Win32.Agent.brk
+ Win32.Agent.pb
+ Win32.Bancos.aam
+ Win32.Bifrose.aci
+ Win32.ConHook.ah
+ Win32.Delf.eq
+ Win32.Iroffer.b
+ Win32.SdBot.alz
+ Win32.SdBot.bkx
+ Win32.SdBot.FirewallControls
+ Win32.ZenoSearch
+ Zlob.ImageActiveXAccess
+ Zlob.ImageActiveXObject (2)
+ Zlob.VideoAXObject
+ Virtumonde (2)
+ Zlock.uc

Total: 432577 fingerprints in 80325 rules for 3235 products.

Spybot Search & Destroy is now compatible with Windows Vista, but needs administrator rights to perform its security functions. A new version, 1.5, will soon be released that will carry the Works With Windows Vista Logo. Stay tuned for more information about version 1.5.

As you can see from the long list of new detections this has grown into a major piece of work for the author and he could sure use some financial assistance to cover the huge amount of time it takes to update these definitions. There is a donation button on this page and I know he will appreciate your contributions!

See links to and more information about using Spybot Search and Destroy in my extended comments...

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your hidden System Restore folder, from which they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any, security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. In the "System Properties" box select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (this takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

August 9, 2007

MailWasher Filter Solutions for ECard Trojan Scams

By now most of you have seen hundreds of "Postcard" email scams in your inboxes and are getting tired of hitting the delete button (hopefully you are deleting them!). These messages have subjects containing phrases implying that a Friend, or Class-Mate or "Worshipper" (etc) has sent you a postcard, or ecard, or greeting postcard, etc. They all contain false details about an alleged e-card that is waiting for you if you click on the link supplied, usually with a numeric IP, followed by a forward slash, a question mark, then a bunch of random characters, leading to a compromised PC hosting a web page containing hostile JavaScript to redirect you to a website that has the Storm Worm infector. Anybody who is foolish enough to click on that link, in a Windows PC, or Windows powered hand-held device, will probably be infected with the Storm Worm, or a variant thereof, and their PC will become a spam relay in a BotNet.
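The one thing the postcard lures described here and the later "click"-only Storm Worm messages (see the August 30 post above) share is a link whose destination is a numeric IP instead of a hostname. Here is an added example, not code from the original post, of a Python mail-triage check that tests exactly that; the sample messages and their addresses are constructed (TEST-NET documentation ranges), so nothing in it is live.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# An http(s) link whose host is a bare dotted-quad IPv4 address rather than a
# hostname. The negative lookahead keeps "10.1.2.3.example.com" from being
# treated as a numeric host.
NUMERIC_IP_LINK = re.compile(
    r"https?://"
    r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})(?![\w.-])"
    r"(?::\d{1,5})?"                      # optional port
    r"(?P<path>/[^\s'\"<>]*)?",           # optional path, may carry a query string
    re.IGNORECASE,
)


def find_numeric_ip_links(body: str) -> List[Dict[str, object]]:
    """Return every link in `body` whose host is a literal IPv4 address.

    Each hit records whether the path carries a '?' query string (the early
    postcard/ecard style) or is bare (the later style), and whether the
    address is routable on the public Internet. A non-routable address means
    the sample is a deactivated example, not a live zombie.
    """
    hits: List[Dict[str, object]] = []
    for m in NUMERIC_IP_LINK.finditer(body):
        try:
            addr = ipaddress.IPv4Address(m.group("host"))
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.2.3 looks like a dotted quad but is not an address
        path = m.group("path") or "/"
        hits.append({
            "url": m.group(0),
            "host": str(addr),
            "has_query": "?" in path,
            "routable": addr.is_global,
        })
    return hits


def triage(messages: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Label each (subject, body) pair 'suspect' when the body links to a bare IP.

    The subject is carried through so an analyst sees the lure text next to the
    link; it plays no part in the verdict, because the lure phrases change from
    week to week while the link style does not.
    """
    results = []
    for subject, body in messages:
        hits = find_numeric_ip_links(body)
        results.append({
            "subject": subject,
            "verdict": "suspect" if hits else "clean",
            "links": [h["url"] for h in hits],
        })
    return results


# Constructed sample messages modelled on the lures described in the post.
# Addresses come from the TEST-NET documentation ranges, so none is live.
SAMPLE_MESSAGES = [
    ("Your friend sent you an ecard",
     "You have received a postcard. Pick it up at http://192.0.2.37/?a1b2c3d4e5"),
    ("New Membership Confirmation", "click http://198.51.100.9/"),
    ("Tech Department", "click"),                       # lure with no link at all
    ("Your order has shipped", "Track it at http://www.example.com/track?id=9"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_MESSAGES):
        print(f'{r["verdict"]:7} {r["subject"]!r} {r["links"]}')
```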

If you use MailWasher Pro to screen your incoming email I have an automatic solution for detecting and deleting these, and most other spam messages in the wild; my custom MailWasher filter rules targeting current types of spam. MailWasher Pro uses a text file called filters.txt to list custom conditions for identifying and acting against spam that matches the statements in these user configurable rules. A default installation produces a very basic filters.txt file, which is waiting for you to add your own custom rules to it.

If you don't know how to create your own MailWasher filters, visit my MailWasher Pro Filters page, where you will find my own list of custom filters for use with the MailWasher Pro email program. The filters will load into an iframe in the middle of the page (No, this is not an exploit, just an HTML inline frame with visible contents). There is a large set and a smaller set of filters. I use the smaller set which is targeted at the most recent varieties of spam in the wild. The large set includes the new rules plus anti-spam rules going back about 5 years.

To use my filters in your MailWasher application you should first copy the contents of the set you prefer to use (click inside iframe, press Control + A, press Control + C), or right-click on one of the file links on the web page and save it as "filters.txt" on your desktop. With MailWasher open click on Help > "About" which will open a box with the version and copyright details. At the bottom of this box there is a link to your personal profile data folder for MailWasher Pro. Click on the link at the bottom of the About box to open the MailWasherPro Application Data folder in a window, then close MailWasher. You must close MailWasher before editing filters.txt, otherwise your changes will be overwritten by the program. The only time you can work on filters with MailWasher open is if you use the Filters utility from within the program, to create or edit rules.

There will be a file named filters.txt in your MailWasher Pro application data folder. You will either overwrite its contents or add to them, depending on whether you have created any of your own filter rules. If you haven't created your own filters and you downloaded one of my filters files and saved it as "filters.txt", just drag it from your desktop into the MailWasher Pro data folder and drop it there, allowing it to overwrite the existing copy.

If you chose to copy the contents in the iframe for pasting into the program's filters.txt, open filters.txt in NotePad, in the "MailWasherPro" Application Data folder. If you are going to add my filters to your existing rules choose a line where you want them to start (the beginning is a great place), click on the beginning of that line and press Control + V, to paste them in at that point. If you are going to overwrite the existing filters entirely click inside it and press Control + A (Select All), to highlight all of the contents, then press Control + V to paste my filter rules into the document, overwriting the contents, then save the changes (Alt > F > S). Make sure you don't have any blank lines between rules and that each rule begins on a new line. Turn off Word Wrap. Instructions are typed in the top comments of my rules.

After you have pasted in the new rules, close filters.txt, then open MailWasher Pro. My filters should now be loaded into the program and will delete most current incoming spam, either automatically, or manually. Use Control + F7 to display or hide the filter sidebar, in the program interface. Watch for spam messages that are hidden by some rules, which you must delete manually, by clicking on Process Mail (F6), on top of MailWasher Pro. Make it a practice to click on the Process Mail button every hour, whether there is anything marked for deletion or not. This frees up RAM and removes temporary data files created while the program is running. It will also delete hidden spam messages.

I update my rules very frequently, sometimes more than once on the same date. I post the last updated date in the comments of the filters, in the top of the files. Comments begin with //. Be sure you bookmark my MWP filters page and check it often for new or altered filters. There is a link under the iframe to sign up for alerts from ChangeDetection.com whenever it detects a new date stamp on the page.

Wizcrafts Custom MailWasher Pro Filters are discussed on the Firetrust MailWasher forum, where I post notices about filter updates and where other MailWasher users provide input about them.

August 5, 2007

Spybot Search & Destroy Anti Spyware Definitions Updated on August 1, 2007

If you have Spybot Search & Destroy installed on your PC and you forgot to run a check for updates recently, new definitions have been released this week. It's time to update your Spybot Search & Destroy anti-spyware definitions, then immunize, then scan for and remove any detected malware. I see from this week's definitions that it was an unusually busy week for new variants and sub-classes of the Zlob Trojans, with a whopping 64 new or updated detections added to the definitions, just for this class of malware! In fact, Trojans dominate the 2007-08-01 malware definitions, making it all the more important that you keep Spybot up to date and scan for threats often.

For those who don't know, Spybot Search & Destroy is one of the best known freeware anti-spyware/malware tools available. I use it and recommend it to PC users everywhere (it is available in many languages). The program works on all versions of Windows and is updated weekly to detect and remove new or altered threats (There are a lot of malware programs that are altered every week or two by the authors, to try to slip past your security defenses, in case you haven't updated your security program definitions recently).

If you see a program listed in these detections by name you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions or updated detections, and are dangerous to your computer and/or your personal security or privacy. Update your Spybot Search and Destroy definitions, then scan for and fix any malware that is detected.

After updating your Spybot S&D definitions, if they include new Immunization definitions you need to click on the Immunize button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

2007-08-01

Adware
++ CouponBar

Keylogger
+ Ardamax
+ SpyArsenal.Family Keylogger

Malware
+ SpyCrush
+ SpyHeal
++ VirusLocker
+ VirusProtectPro
+ Winfixer

PUPS (Potentially Unwanted Programs)
+ DriveCleaner 2006
+ FunWebProducts
+ Hotbar
+ I-Won
+ MalwareWipe
+ MyWay.MyWebSearch
+ NewDotNet
+ SideStep

Security
+ Microsoft.Windows.AppFirewallBypass
+ Microsoft.Windows.RedirectedHosts

Spyware
+ Comet Cursors
+ Cydoor
+ eZula HotText
+ StarWare
+ Zango
++ Zango.WindUpdates

Trojan
++ ClipRex.DVDCodec
+ CoolWWWSearch.SearchToolbar (2)
+ CurePCSolution
+ Hupigon (2)
++ Ourxin.A
++ Peflog.RP
+ QQ-Pass
+ QQRob
++ Vanbot
+ Virtumonde (2)
++ Win32.Agent.BN
++ Win32.Agent.hjo
++ Win32.Agent.Zz
+ Win32.Banload
+ Win32.Bifrose.LA
++ Win32.Delf.dtm
+ Win32.Delf.zq
++ Win32.FakeClient
++ Win32.Hupigon.pv
++ Win32.Joel
+ Win32.OnLineGames
++ Win32.Silent.ce
++ Win32.Small.ay
++ Win32.SpyBuddy.c
+ Zlob.AdultAccess
+ Zlob.BrainCodec
+ Zlob.DigiPassword
+ Zlob.DirectVideo
++ Zlob.DNSChanger.Rtk
+ Zlob.EliteCodec
+ Zlob.FreeVideo.DVDCodec
+ Zlob.GoldCodec
+ Zlob.HomepageMonitor
+ Zlob.HQCodec
+ Zlob.HQvideo
+ Zlob.iCodecPack
+ Zlob.ImageActiveXAccess
+ Zlob.ImageActiveXObject
+ Zlob.ImageAXObject
+ Zlob.iMediaCodec
+ Zlob.IVideoCodec
+ Zlob.JPEG-Encoder
+ Zlob.KeyCodec
+ Zlob.KeyGenerator
+ Zlob.Mediacodec
+ Zlob.MMediaCodec
+ Zlob.MovieBox
+ Zlob.MovieCommander
+ Zlob.MPVideoCodec
+ Zlob.MyPassGenerator
+ Zlob.NewMediaCodec
+ Zlob.PerfectCodec
+ Zlob.PornMagPass
+ Zlob.PornPassManager
+ Zlob.PowerCodec
+ Zlob.PPlayer
+ Zlob.PrivateVideo
+ Zlob.QualityCodec
++ Zlob.SecurityTools
+ Zlob.SilverCodec
+ Zlob.SiteEntry
+ Zlob.SiteTicket
+ Zlob.SoftCodec
+ Zlob.strCodec
+ Zlob.SuperCodec
+ Zlob.TrueCodec
+ Zlob.VAXCodec
+ Zlob.Vcodec
+ Zlob.VidCodec
+ Zlob.VideoAccess
+ Zlob.VideoAccessActiveXObject
+ Zlob.VideoActiveXAccess
+ Zlob.VideoActiveXObject
+ Zlob.VideoAXObject
+ Zlob.VideoBox
+ Zlob.VideoCodec2007
+ Zlob.VideoCompressionCodec
+ Zlob.VideoKeyCodec
+ Zlob.VideoPlugin
+ Zlob.WinMediaCodec
+ Zlob.XpassGenerator
+ Zlob.XPasswordManager
++ Zlob.XXXAccess
+ Zlob.ZCodec
+ Zlob.ZipCodec

Total: 433225 fingerprints in 80825 rules for 3223 products.

Spybot Search & Destroy is now compatible with Windows Vista, but needs administrator rights to perform its security functions. A new version, 1.5, will soon be released that will carry the Works With Windows Vista Logo. Stay tuned for more information about version 1.5.

As you can see from the long list of new detections this has grown into a major piece of work for the author and he could sure use some financial assistance to cover the huge amount of time it takes to update these definitions. There is a donation button on this page and I know he will appreciate your contributions!

See links to and more information about using Spybot Search and Destroy in my extended comments...

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your hidden System Restore folder, from which they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any, security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. In the "System Properties" box select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (this takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

August 4, 2007

Stupid Blog Trackback Spammers Don't Understand Server 403 Responses

The title of this article tells it all: "Stupid Blog Spammers Don't Understand Server 403 Responses!" Many months ago I discovered that although comments and trackbacks were not being posted to my blog, due to automatic moderation and classification of them as spam, nonetheless they kept on a-comin'. The comments spammers gave up a couple of months ago when they searched my blog only to learn that their bullshit comments had not been posted and never would be (I told them so on the search results page). However, the idiots who are trying to post trackback spam messages don't bother to search the blogs they are posting to, nor do they apparently read the responses sent by the script they are aimed at. If they did all they would see from my blog is a steady stream of server 403 responses; "Access Denied!" I don't even have the comments or trackbacks Perl modules installed anymore, so even I can't post comments or trackbacks to my own blog! I removed them when it became obvious that only spammers were commenting or tracking back.

If you run a MovableType blog and don't care to allow comments or trackbacks, yet you are seeing numerous attempts to spam your blog (in the list of junk comments and trackbacks), you can do what I did and disable them altogether, then delete or rename the files used to post these comments. To disable them in MovableType, log into your MT installation, then click on the left sidebar item "Settings" then click on the "New Entry Defaults" tab, then under "Default settings for new entries" uncheck both "Accept Comments" and "Accept Trackbacks," then scroll down to the bottom of the page and click on the "Save Changes" button. This will remove the Comments and Trackbacks links under all of your posts. You may still have to manually remove existing comments and trackbacks from old topics, or delete the old topics entirely if they have a lot of useless commenting in them.

Despite the fact that you have disabled accepting comments the spammers may still try to go straight to your Perl scripts that handle comments and trackbacks, bypassing the choices you made to exclude them. To prevent this you can either remove or rename these two files that are in the standard MT installation, under the CGI folder/MT (typically cgi-bin/MT/):
mt-comments.cgi
mt-tb.cgi

Without those files nobody is going to post a spam comment to your blog, and you can never accidentally re-enable comments or trackbacks unless you upgrade, or replace those files.

As I said in the beginning these spammers are not reading the results of their attempted trackback messages (success or failure), thus they are probably using automated scripts to send them out blindly from a spam list supplied to them by somebody even dumber than they are, without any concern about success or failure of their efforts. If you run your blog on an Apache hosted web server and want to deny access to these assholes read the technical details in my extended comments.

Here is evidence from today's raw access log showing that a trackback spammer, using rotating hijacked proxy IP addresses, repeatedly tries and fails to POST to my blog, gets a 403 response, and keeps coming back, having never read the failure report in his software (dumb software from Russia).

69.89.25.184 - - [04/Aug/2007:01:21:35 -0600] "POST /cgi-bin/mt/mt-tb.cgi/46 HTTP/1.0" 403 457 "-" "TrackBack/1.02"
66.79.163.173 - - [04/Aug/2007:01:27:40 -0600] "POST /cgi-bin/mt/mt-tb.cgi/49 HTTP/1.0" 403 264 "-" "TrackBack/1.02"
195.12.48.41 - - [04/Aug/2007:04:27:20 -0600] "POST /cgi-bin/mt/mt-tb.cgi/51 HTTP/1.0" 403 273 "-" "TrackBack/1.02"
85.234.144.215 - - [04/Aug/2007:04:29:19 -0600] "POST /cgi-bin/mt/mt-tb.cgi/2 HTTP/1.0" 403 363 "-" "TrackBack/1.02"
64.151.124.5 - - [04/Aug/2007:04:31:59 -0600] "POST /cgi-bin/mt/mt-tb.cgi/30 HTTP/1.0" 403 449 "-" "TrackBack/1.02"
69.50.210.8 - - [04/Aug/2007:04:41:28 -0600] "POST /cgi-bin/mt/mt-tb.cgi/47 HTTP/1.0" 403 404 "-" "TrackBack/1.02"
217.160.230.182 - - [04/Aug/2007:05:33:54 -0600] "POST /cgi-bin/mt/mt-tb.cgi/33 HTTP/1.0" 403 391 "-" "TrackBack/1.02"
64.202.165.132 - - [04/Aug/2007:05:34:21 -0600] "POST /cgi-bin/mt/mt-tb.cgi/35 HTTP/1.0" 403 326 "-" "TrackBack/1.02"
67.159.45.54 - - [04/Aug/2007:06:35:06 -0600] "POST /cgi-bin/mt/mt-tb.cgi/9 HTTP/1.0" 403 492 "-" "TrackBack/1.02"
70.87.244.242 - - [04/Aug/2007:07:18:00 -0600] "POST /cgi-bin/mt/mt-tb.cgi/38 HTTP/1.0" 403 286 "-" "TrackBack/1.02"
67.159.45.54 - - [04/Aug/2007:07:44:08 -0600] "POST /cgi-bin/mt/mt-tb.cgi/21 HTTP/1.0" 403 377 "-" "TrackBack/1.02"
64.202.165.201 - - [04/Aug/2007:10:02:30 -0600] "POST /cgi-bin/mt/mt-tb.cgi/19 HTTP/1.0" 403 271 "-" "TrackBack/1.02"
207.58.179.71 - - [04/Aug/2007:13:11:56 -0600] "POST /cgi-bin/mt/mt-tb.cgi/48 HTTP/1.0" 403 317 "-" "TrackBack/1.02"
70.87.34.146 - - [04/Aug/2007:13:49:46 -0600] "POST /cgi-bin/mt/mt-tb.cgi/_1016 HTTP/1.0" 403 189 "-" "Snoopy v1.2.3"
70.87.34.146 - - [04/Aug/2007:14:03:06 -0600] "POST /cgi-bin/mt/mt-tb.cgi/_1060 HTTP/1.0" 403 189 "-" "Snoopy v1.2.3"
70.87.34.146 - - [04/Aug/2007:14:46:10 -0600] "POST /cgi-bin/mt/mt-tb.cgi/_1461 HTTP/1.0" 403 207 "-" "Snoopy v1.2.3"

Despite the fact that these hits all come from IP addresses in different countries, I have previously tracked most of them down to spammers in Russia and The Ukraine. I won't tell you how I did that; just trust me on this.
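As an added example, not code from the original post, the following Python script reads lines in the format of the raw access log above, keeps the POSTs to the MovableType comment and trackback scripts that were answered 403, and tallies them by client IP and User-Agent, flagging the addresses that came back after a refusal. The sample lines are constructed in the same format; their client addresses are TEST-NET documentation ranges, not the addresses from the excerpt.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Apache "combined" log format, the layout of the raw access log excerpt.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The MovableType scripts that spammers POST to directly, even after the blog
# has stopped accepting comments and trackbacks.
TARGET_SCRIPTS = ("/mt-tb.cgi", "/mt-comments.cgi")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["status"] = int(m.group("status"))
    return rec


def is_refused_spam_post(rec: Dict[str, object]) -> bool:
    """A POST aimed at a comment/trackback script that the server answered 403."""
    return (rec["method"] == "POST"
            and rec["status"] == 403
            and any(s in str(rec["path"]) for s in TARGET_SCRIPTS))


def summarize(lines: Iterable[str]) -> Tuple[Counter, Counter, List[str]]:
    """Aggregate refused spam POSTs by client IP and by User-Agent.

    Returns (per_ip, per_agent, repeaters). `repeaters` are the IPs that came
    back for another try after already receiving a 403: the blind-script
    behaviour the post describes, and the first candidates for a deny list.
    """
    per_ip: Counter = Counter()
    per_agent: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_refused_spam_post(rec):
            continue
        per_ip[str(rec["ip"])] += 1
        per_agent[str(rec["agent"])] += 1
    repeaters = sorted(ip for ip, n in per_ip.items() if n > 1)
    return per_ip, per_agent, repeaters


# Constructed sample lines in the format of the excerpt above. Client addresses
# are TEST-NET documentation ranges; one legitimate GET is mixed in as a control.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Aug/2007:01:21:35 -0600] "POST /cgi-bin/mt/mt-tb.cgi/46 HTTP/1.0" 403 457 "-" "TrackBack/1.02"',
    '192.0.2.11 - - [04/Aug/2007:04:27:20 -0600] "POST /cgi-bin/mt/mt-tb.cgi/51 HTTP/1.0" 403 273 "-" "TrackBack/1.02"',
    '198.51.100.7 - - [04/Aug/2007:13:49:46 -0600] "POST /cgi-bin/mt/mt-tb.cgi/_1016 HTTP/1.0" 403 189 "-" "Snoopy v1.2.3"',
    '198.51.100.7 - - [04/Aug/2007:14:03:06 -0600] "POST /cgi-bin/mt/mt-tb.cgi/_1060 HTTP/1.0" 403 189 "-" "Snoopy v1.2.3"',
    '203.0.113.5 - - [04/Aug/2007:14:10:00 -0600] "GET /blog/index.html HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [04/Aug/2007:14:12:00 -0600] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.1" 403 264 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    ips, agents, repeat = summarize(SAMPLE_LOG)
    print("refused spam POSTs per IP:", dict(ips))
    print("per User-Agent:", dict(agents))
    print("came back after a 403:", repeat)
```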

If you are wondering how I managed to send every one of these attempts a server 403 Forbidden response, the answer lies in the Apache web server module Mod_Rewrite. In my previous article I wrote about my .htaccess blocklists, where I showed how to block unwanted traffic based on IP addresses. Those blocklists use the Apache Mod_Access module inside a file called ".htaccess." This method is very effective as long as the spammers are using computers or servers from within the countries, or IP ranges that are on those blocklists, especially the Russia and Exploited Server Blocklist. So how do I block the ones that use proxy servers in non-blocked locations like the ISPs in the USA?

In order to block people or scripts that use rotating hijacked computers, or open proxy servers to spam your blog you need to add another weapon to your arsenal. That weapon is the Apache module "Mod_Rewrite." I will write about using Mod_Rewrite in my next article in this series about blocking spammers and scammers and exploitation attempts using .htaccess. In the meantime, if you haven't read the previous article about using .htaccess blocklists, read it now. It will bring you up to speed so you can grok what is coming in the next installment.

Gotta go for now. Look for more details in the next day or two.

August 3, 2007

Block spammers, scammers and hackers with our .htaccess blocklists

There are millions of websites that host blogs and/or forums and many of them are targeted by scammers, spammers and hackers. Webmasters everywhere are searching for solutions to these problem-causing individuals and scripts. Some of you already know that I can help you block this unwanted traffic from your websites, but a great many more may just be discovering this fact. If your website, or blog, or forum is hosted on an Apache web server, and your hosting allows personal .htaccess overrides, read on.

For those who don't know what .htaccess is, it is an access control file used on Apache servers, on a per-website basis, to define who may or may not access all or parts of a website, and to rewrite requests for certain files, folders, or URLs to other files, folders, or URLs. You will notice that the file name has no prefix; just a period followed by htaccess. This makes it a normally hidden system file on the Apache hosted web server. Hidden Apache files can be revealed by using the FTP list option -al, or a website control panel function on the file manager page that displays hidden files for downloading or editing (show hidden files, etc). Your website may or may not already have a .htaccess file. If you upload with an FTP tool, use the "remote file mask" -AL (or -al) and refresh the remote view to see if .htaccess exists in your home, or public_html or / directory (more info in the extended comments). Otherwise, look at your website's file manager, or ftp tools in your Cpanel, or other website control panel. There should be some option to reveal hidden files beginning with a period.

If you do not use an FTP Client to upload files, but are using a web-based control panel, it is entirely up to your web host as to whether or not you can view, alter, or upload .htaccess files.

Important Notice! Be careful when creating, editing, or pasting codes into a .htaccess file, because if you type an invalid term, directive, or character, or add an unescaped space in a regular expression, you may cause a Server 500 error to occur, locking everybody out of the website, except via FTP access (with login credentials).

The blocklists that I am about to tell you about use the Apache module mod_access, which is almost always available in Linux based shared, VPS, semi-dedicated, or dedicated hosting. Unfortunately, if your website is hosted on a Windows Server you are out of luck, unless your host has installed, or is willing to install, the ISAPI_Rewrite module for you.

Assuming that your website is hosted on a Linux box running an Apache web server, and you are allowed to use a personal .htaccess file with mod_access - IP "deny from" directives, the following web pages may be of great help to you in blocking access from unwanted countries, ISPs or hostile servers that are trying to spam or exploit your server (or website).

First on the list is my first work in the field of blocking scammers from forums and auction sites: my Nigerian Blocklist. I have been and still am compiling this list of IP addresses assigned to Nigeria and most of its neighboring countries in Africa, from which Nigerian scammers and other African fraudsters have operated against forums and auction sites around the (non-African) World. It is extremely effective at denying access to anybody trying to access your website from within Nigeria or other African countries, including via satellite Internet services. If you have a blog, auction site, or forum that is plagued by Nigerian scammers, try embedding my .htaccess directives into your .htaccess file, or create one by copying and pasting the contents of the one on my Nigerian Blocklist web page into a new plain text file (Notepad) and save it as .htaccess. If your computer's operating system won't allow you to save it without a file prefix, choose htaccess.txt, then upload it to your server and rename it there to .htaccess . You will see an instant drop in the number of Nigerian scammers on your website.

The second blocklist deals with unwanted traffic coming from ISPs and servers within China, Korea and surrounding countries: my Chinese Blocklist. All of the methods listed above apply to this mod_access "deny from" list. It can be copied and pasted into your .htaccess file just as the Nigerian list details show, or it can be merged with that list inside a single set of <Files *> directives. Note that if you do business with anybody in China, Korea or neighboring countries, they will not be able to access your website unless you "poke a hole" in the list to allow their IP address(es) in.

Lastly, I present for your viewing pleasure the Russia and Exploited Servers Blocklist. This list is growing faster than the other two because I am constantly being hit by Russian-based blog and log spammers and server exploit attempts, from both shared and dedicated servers around the world. This blocklist contains a large number of IP addresses and CIDRs (which are, basically, IP ranges) from Russia, Ukraine and other former Soviet Bloc countries, Turkey, Algeria, and from a huge number of exploited web servers, co-location server farms, and hosting companies around the world. Servers should not be trying to contact other servers unless they have a relationship with each other. These servers want to hack or spam your server or websites and should be blocked.
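As an added example (my own code, not one of the blocklists described above and not part of Apache), the following Python script parses a constructed .htaccess fragment written in the same mod_access style the three lists use (`Order`, `deny from`, `allow from` inside a `<Files *>` container), expands full, partial and CIDR addresses into networks, and reports whether a given client address would get through. It also serves the warning at the top of this section: `lockout_check` run against your own address before uploading, and the `ValueError` raised for a token the script cannot interpret, catch a self-lockout or a malformed line offline instead of on the live server. All addresses are RFC 5737 documentation ranges chosen as placeholders. One caveat: these semantics are those of Apache 2.2's mod_access; Apache 2.4 replaced it with mod_authz_host (`Require ip` / `Require not ip`) and only loads the old directives through mod_access_compat.

```python
"""Evaluate a mod_access style .htaccess blocklist offline (added example).

Mimics the Apache 2.2 mod_access semantics of "Order", "Deny from" and
"Allow from" so a blocklist can be checked before it is uploaded. Apache 2.4
moved this to mod_authz_host ("Require ip" / "Require not ip"); the old
directives still load there via mod_access_compat.
"""
import ipaddress
import re

# Constructed sample fragment (not one of the blog's real blocklists).
# Addresses are RFC 5737 documentation ranges chosen as placeholders.
SAMPLE_HTACCESS = """\
<Files *>
Order Deny,Allow
deny from 192.0.2.0/24
deny from 198.51.100.0/25
deny from 203.0.113
deny from 203.0.113.7
# "poke a hole": one trusted customer inside a denied range
allow from 192.0.2.44
</Files>
"""

_ORDER_RE = re.compile(r"^order\s+(allow|deny)\s*,\s*(allow|deny)$", re.IGNORECASE)
_RULE_RE = re.compile(r"^(allow|deny)\s+from\s+(.+)$", re.IGNORECASE)


def to_network(token):
    """Expand one 'from' argument into an ip_network.

    Accepts "all", CIDR (a.b.c.d/nn), network/netmask, a full IPv4 address,
    or a partial address of 1-3 leading octets (mod_access treats "203.0.113"
    as 203.0.113.0/24). Hostnames are rejected so a typo surfaces here instead
    of as a 500 error on the live server.
    """
    token = token.lower()
    if token == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in token:
        return ipaddress.ip_network(token, strict=False)
    octets = token.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"unsupported 'from' argument (hostnames not handled here): {token!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")


def parse_rules(text):
    """Return (order, rules): order is a tuple such as ("deny", "allow"),
    rules is a list of (verb, network) in file order."""
    order = ("deny", "allow")  # Apache's default when no Order is given
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _ORDER_RE.match(line)
        if m:
            order = (m.group(1).lower(), m.group(2).lower())
            continue
        m = _RULE_RE.match(line)
        if m:
            for token in m.group(2).split():
                rules.append((m.group(1).lower(), to_network(token)))
        # <Files *>, </Files> and other directives are ignored here
    return order, rules


def is_allowed(ip, order, rules):
    """Apply mod_access semantics for one client address."""
    addr = ipaddress.ip_address(ip)
    matched = {"deny": False, "allow": False}
    for verb, net in rules:
        if addr.version == net.version and addr in net:
            matched[verb] = True
    if order[0] == "deny":
        # Order Deny,Allow: default is allow, and an Allow overrides a Deny
        return matched["allow"] or not matched["deny"]
    # Order Allow,Deny: default is deny, and a Deny overrides an Allow
    return matched["allow"] and not matched["deny"]


def lockout_check(text, own_ips):
    """Return the addresses in own_ips that the list would block.
    Run this with your own address(es) before uploading the file."""
    order, rules = parse_rules(text)
    return [ip for ip in own_ips if not is_allowed(ip, order, rules)]


if __name__ == "__main__":
    order, rules = parse_rules(SAMPLE_HTACCESS)
    for ip in ("192.0.2.10", "192.0.2.44", "198.51.100.200", "203.0.113.99"):
        print(ip, "allowed" if is_allowed(ip, order, rules) else "DENIED")
    print("would lock out:", lockout_check(SAMPLE_HTACCESS, ["192.0.2.44", "192.0.2.45"]))
```

Paste the real blocklist text into `SAMPLE_HTACCESS` (or read it from a file) and put your own public address in the `lockout_check` call; an empty result means the list will not shut you out, and a `ValueError` points at the exact token that mod_access would not understand.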

All of these blocklists are still being added to or modified as new information is discovered about the sources of scams, spamming or hacking attempts from exploited servers. Each page has a button (under the bold last-modified date, before the directives) for you to use to sign up for alerts from the ChangeDetection bot, which will email a notice to you once a day, only on days that I have modified the blocklist you are monitoring. This is a free service that I use myself. Next to that button you will see a PayPal Donate button that I have placed there, where people who benefit from my voluntary work can show some financial appreciation. Any amount will be gladly accepted, with a $10 minimum please.

There are links to contact me, for assistance or to provide input, in the footer area of all of the blocklists.

Unhiding the normally hidden Apache web server .htaccess file

The .htaccess file name begins with a period, which makes it appear to Windows users to have no name before the extension. To a Unix-based web server, however, any file whose name begins with a period is treated as a hidden file. If you manage your website by using an FTP client (program) to upload files, it may require you to enter a special code, or check a box, that allows hidden server files to be displayed. For example, WS_FTP (a very popular FTP client) has a place to add the code -al (that is a lowercase L) in the startup configuration of sites that are added to the Site list. This code tells the server to display hidden files like .htaccess. If you are using WS_FTP, open the Site Manager, create a website connection or select an existing one (left-click once), click the Edit button to open the Site Options, then click on the Startup link in Site Options. Find the input field named "Remote file mask", type -al in it, then click OK to save the change. Now, when you log onto the website, you will be able to view, edit, upload or download normally hidden files like .htaccess.


About the author
Wiz FeinbergWiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by Movable Type
