Wiz's Computer and Website Security Blog

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 70% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced this week were numeric links to Storm Trojan infected computers (5) and spam for casinos (3) and "pump and dump stocks" (1).

My current statistics show that spam is now 72% of all my incoming email, for the week of October 22 through 28, 2007. This is a 1% decrease from last week, which topped out at 73%. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for October 22 through 28, 2007.

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters; due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Posted by Wiz at 1:07 PM | Permalink

back to top ^

If you use the famed, freeware, anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released today, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parenthesis or a double ++ in front of it's name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4 and 1.5. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Additions made on 10-24, 2007

Hijacker
+ Munga_Bunga

Keylogger
+ Ardamax
+ ComputerMonitorKeylogger
++ Powered Keylogger
++ QuickKeylogger
++ Win32.PoisonIvy.j
++ Win32.Iroffer.af

Malware
+ Smitfraud-C.
+ Nous-Tech.UCleaner
+ Vario.AntiVirus (27)
++ WebSpyShield
+ Win32.Renos

PUPS (Potentially Unwanted Programs)
++ ErrorDoctor
+ Zango

Trojan
++ NNC.MGRS (15)
+ SDWin32.Websearch24 (6)
+ Search2Find
+ Smitfraud-C.MSVPS
+ Virtumonde
++ Win32.Banker.aipy.rtk
++ Win32.Delf.ais
++ Win32.Hupigon.Bx
++ Win32.Hupigon.I
++ Win32.Hupigon.qcj
+ Win32.Small.kj
++ Win32.Small.ls (18)
++ Zlob.Downloader.sdt
+ Zlob.Downloader.oid
++ Zlob.Downloader.vdt

Total: 468694 fingerprints in 94024 rules for 3370 products.

Spybot Search & Destroy version 1.5x is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

As you can see from the long list of new detections this has grown into a major piece of work for the author and he could sure use some financial assistance to cover the huge amount of time it takes to update these definitions. There is a donation button on this page and I know he will appreciate your contributions!

Posted by Wiz at 1:41 PM | Permalink

back to top ^

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 70% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably missing, or greatly reduced this week, were numeric links to Storm Trojan infected computers (1) and spam for casinos and counterfeit watches (1).

My current statistics show that spam is now 73% of all my incoming email, for the week of October 15 through 21, 2007. This is an 9% increase from two weeks ago, which topped out at 64%. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for October 15 through 21, 2007.

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters; due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Posted by Wiz at 3:21 PM | Permalink

back to top ^

Mozilla Foundation has just released a security update to their flagship browser; Firefox. The new version is 2.0.0.8, which was released on October 18, 2007. This is primarily a security update, which fixes the following documented security issues:

Fixed in Firefox 2.0.0.8
MFSA 2007-36: URIs with invalid %-encoding mishandled by Windows
MFSA 2007-35: XPCNativeWrapper pollution using Script object
MFSA 2007-34: Possible file stealing through sftp protocol
MFSA 2007-33: XUL pages can hide the window titlebar
MFSA 2007-32: File input focus stealing vulnerability
MFSA 2007-31: Browser digest authentication request splitting
MFSA 2007-30: onUnload Tailgating
MFSA 2007-29: Crashes with evidence of memory corruption (rv:1.8.1.8)

You can download the current version here: http://www.mozilla.com/en-US/firefox/.

The release notes about installation and known issues are found here

Posted by Wiz at 2:49 PM | Permalink

back to top ^

If you use the famed, freeware, anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released today, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parenthesis or a double ++ in front of it's name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4 and 1.5. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Additions from 09-26 through 10-17, 2007

Adware
++ Rabio.SearchEnhancer
+ Infomeca
+ Winzix

Hijacker
+ TNS-Search

Keylogger
++ 123Keylogger
+ Ardamax
+ PCSpyKeylogger
+ RevealerKeylogger
+ SpyAgent

Malware
+ Adware-Remover
+ AntiSpyWare2007
++ AntiVirGear
+ FlashDollars.AntiVirusProtection
+ FlashDollars.RegistryRepair
+ FlashDollars.SpywareRemover
++ LocusSoftware.BestsellerAntivirus
+ LocusSoftware.PCPrivacyTool
+ LocusSoftware.SecurePCCleaner
++ Nous-Tech.UCleaner
+ Performance Optimizer
++ Smitfraud-C.
+ SurfSideKick
+ Swizzor
+ UtileProtection
+ Vario.Antivirus
+ Win32.CDN
++ Win32.OnLineGames.NCU
+++ Win32.Renos
+ Worldsecurityonline.FakeAlert

PUPS (Potentially Unwanted Programs)
+ DriveCleaner 2006
+ Yazzle

Security
+ Microsoft.WindowsSecurityCenter.RegistryTools

Trojan
+ 1und1_Haxdoor
++ Bifrose.gen
+ Bifrose.LA
+ Cassava
+ DivoCodec
+ Fraud.ProtectionBar
+ GoAstro.rtk
+ Haxdoor.DVB03a
+ Haxdoor-H
+ Hookdump
++ Hupigon
+ LiveSVC.Wintrim
+ Kalmarte
+ MailSkinner.rtk
+ MessengerSkinner.rtk
+ Nous-Tech.UDefender
+ PurityScan
+ Smitfraud-C.
+ Virtumonde
+ Win32.Agent.afgm
+ Win32.Agent.aqf
++ Win32.Agent.bcn
+ Win32.Bifrose.aci
++ Win32.Agent.ci
+ Win32.Agent.cnp
++ Win32.Agent.xi
+ Win32.BHO.df
++ Win32.Delf.acv
+ Win32.Delf.ayr
++ Win32.Delf.ck
+ Win32.EST.avg
+ Win32.LoadAdv.h
+ Win32.Murlo.ff
++ Win32.Murlo.ff.rtk
+ Win32.OnLineGames
+ Win32.OnLineGames.bkz
+ Win32.Pakes
+ Win32.Poison.k
+ Win32.PSW.Game
+ Win32.SdBot.aea
+ Win32.Small.azl
+ Win32.StartPage.arf
++ Win32.VB.ke
+ Win32.Virtualizer
+ Winsoftware.WinAntiVirusPro2007
++ Zlob.Downloader.odn
+++ Zlob.Downloader.oid
+++ Zlob.Downloader.omd
++ Zlob.Downloader.ned
++ Zlob.Downloader.vcd
+ Zlob.ImageActiveXAccess
+++ Zlob.VideoActiveXAccess
+ Zlob.XXXPlugin

Total: 455437 fingerprints in 89232 rules for 3346 products.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

As you can see from the long list of new detections this has grown into a major piece of work for the author and he could sure use some financial assistance to cover the huge amount of time it takes to update these definitions. There is a donation button on this page and I know he will appreciate your contributions!

Posted by Wiz at 12:12 AM | Permalink

back to top ^

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 70% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably missing, or greatly reduced this week, were numeric links to Storm Trojan infected computers and spam for casinos and counterfeit watches.

My current statistics show that spam is now 64% of all my incoming email, for the week of October 1 through 7, 2007. This is an 18% decrease from the week before, which topped out at 82%. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide "Spam-demic" (Wow, I think I just coined a new word!).

MailWasher Pro spam category breakdown for October 1 through 7, 2007.

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters; due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Posted by Wiz at 2:51 PM | Permalink

back to top ^

If you use the famed, freeware, anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released today, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parenthesis or a double ++ in front of it's name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

2007-10-04

Keylogger
+ Ardamax

Malware
+ Adware-Remover
+ FlashDollars.RegistryRepair
+ FlashDollars.SpywareRemover
+ LocusSoftware.PCPrivacyTool
+ LocusSoftware.SecurePCCleaner
+ Smitfraud-C.
+ Vario.Antivirus
+ Win32.CDN
+ Win32.Renos
+ Worldsecurityonline.FakeAlert

Security
+ Microsoft.WindowsSecurityCenter.RegistryTools

Trojan
+ GoAstro.rtk
+ Haxdoor.DVB03a
+ LiveSVC.Wintrim
+ Kalmarte
+ Win32.Bifrose.aci
+ Win32.Delf.ayr
+ Win32.OnLineGames.bkz
+ Win32.OnLineGames
+ Win32.Pakes
+ Win32.PSW.Game
+ Win32.SdBot.aea
+ Win32.VB.ke
+ Winsoftware.WinAntiVirusPro2007
+ Zlob.VideoActiveXAccess

Total: 452122 fingerprints in 88448 rules for 3316 products.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

If you haven't already upgraded to the new version, Spybot S&D version 1.5 is now available on the downloads page.

As you can see from the long list of new detections this has grown into a major piece of work for the author and he could sure use some financial assistance to cover the huge amount of time it takes to update these definitions. There is a donation button on this page and I know he will appreciate your contributions!

Posted by Wiz at 11:35 PM | Permalink

back to top ^