December 30, 2007

My Spam analysis for Dec 24 - 30, 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 60% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced, again, this week, were spam for financing (0), lottery scams (0), phishing scams (1), and pump and dump stocks (0). Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results.

My current statistics show that spam is now 64% of all my incoming email, for the week of December 24 through 30, 2007. This is up 9% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for December 24 through 30, 2007.
Blacklisted (by pattern matching): 28.31%
Elite Herbal Spam: 4.11%
RX Spam: 8.68%
Male enhancement spam: 25.58%
Weight loss pills: 2.28%
Postcard Trojan scams: 3.65%
HGH filter: 2.38%
Known Spam Subjects: 1.72%
Viagra and Viagra.com: 7.31%
Other filters: 14.61%
DNS Blacklists: 1.37%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, beginning this week, I have begun blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters; due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

December 29, 2007

Say goodbye to the Netscape Browser

AOL announces the end of development and support for Netscape web browsers.

In 1999, AOL acquired the floundering Netscape Communications Corporation, which included their flagship Netscape browser. AOL has announced, on the Netscape Blog, on December 28, 2007, that all development and technical support for its Netscape line of browsers will end on February 1, 2008. This support includes security patches and stability updates. After February 1, there will be no more active product support for Navigator 9, or any previous Netscape Navigator browser. This includes Netscape v1-v4.x, Netscape v6, Netscape v7 Suite, Netscape Browser v8, and Netscape Navigator/Messenger 9.

The folks running the Netscape division of AOL recommend that people who have been using their branded version of Netscape switch to Firefox and I second that opinion. Netscape, in its current incarnation, is based on the same rendering engine as Mozilla Foundation's Firefox browser. Mozilla is the parent of Firefox. You can download Firefox here. It is updated frequently and is actively being developed and supported.

Their recommendation for the nostalgic out there is to download Mozilla Firefox, and add on the Netscape theme and Netscape extensions which are available here:

https://addons.mozilla.org/en-US/firefox/user/56836

Despite the demise of the Netscape browser, the Netscape.com portal will remain online and active.

For those who have never used Firefox before and have been using Internet Explorer, one phase of installation will offer to import you IE Favorites and Cookies, which I recommend. With Firefox your IE "Favorites" will now be named "Bookmarks." Firefox uses tabs to open new web pages, instead of new windows, unless you prefer it the old way (it's an option). Firefox's preferences are called "Options" and are found at the bottom of the "Tools" menu item. Firefox has a default setting to automatically check for browser updates, but you can manually do so via "Help" > "Check for Updates."

A brief history of Netscape browsers

The history of the Netscape brand of web browsers encompasses 17 years, from its beginnings in 1994, through its announced demise on February 1, 2008. The first beta versions of the browser were released in 1994 and known as Mosaic and then Mosaic Netscape until a legal challenge led to the name change to Netscape Navigator. The company's name also changed from Mosaic Communications Corporation to Netscape Communications Corporation.

By the time that Netscape Navigator reached version 3, in August of 1996, it had accumulated over an 80% share of the Internet browser market. It was even offered as an optional browser plug-in by AOL, during 1996 (I remember downloading and using it in those days). Back then, AOL came with a really simple browser, coded entirely by AOL staff, so the optional Netscape Navigator browser was like a space artifact to advanced AOL users.

Netscape Navigator versions 1 through 3 supported many new features such as new plug-ins, background colors for tables, the archive attribute and the applet element. They had an email button which could be used with Navigator's built-in POP3 e-mail client: "Netscape Mail." The "Gold" version 3 browser also sported a built-in WYSIWYG HTML editor, which allowed one to create entire web sites using just the browser and editor.

In June of 1997 Netscape released Navigator 4.0, which featured some CSS1 support and the most current JavaScript engine, along with many HTML and rendering improvements. This version also introduced the world to absolutely positioned, hidden and visible Layers. Netscape 4 series browsers were available either as stand-alone "Navigator" browsers, or as part of a suite of applications, named Netscape Communicator.

Development of the independently owned Netscape browser peaked in late 1998, at version 4.08. In November of 1998 Netscape was sold to AOL. Under AOL's funding the Netscape browser received many improvements, that included a total rewrite of its rendering engine, beginning in January 1998. A series of untimely development delays caused Netscape 5 to be skipped entirely. It was only due to extreme pressure, from the folks who wrote the paychecks, that version 6.0 was released, on November 14, 2000. Unfortunately for Netscape, this release was badly flawed and was rejected by the very people it was meant to win over. This two year delay, and flaky release, caused immeasurable damage to Netscape's browser market share, which was lost to Internet Explorer.

In 2003, AOL closed down its Netscape division and laid off or re-assigned all of Netscape's employees. Mozilla.org continued, however, as the independent Mozilla Foundation, taking on many of Netscape's ex-employees. AOL continued to develop Netscape in-house, but, due to there being no staff committed to it, improvements were minimal (version 7.2 in August 2004). Between 2005 and 2007, Netscape's releases became known as Netscape Browser. AOL chose to base Netscape Browser on the relatively successful Mozilla Firefox, a re-written version of Mozilla produced by the Mozilla Foundation.

Mozilla has been constantly improving the Firefox line of browsers, as shown by their gaining a decent portion of the browser market. With AOL's announcement that the Netscape branded browsers will come to an end, on February 1, 2008, they and I recommend that people seeking a secure, standards compliant browser should switch to Mozilla's Firefox, which is updated frequently and well respected. You can download the latest Firefox release here.

December 28, 2007

Is your computer infected with the Storm Trojan?

First, some background information about the Storm Trojan.

Since July 1, 2007, I have written several blog articles warning people to be on the lookout for email scams that contain links that cause Windows computers to become infected with the Storm Trojan. This malware threat has already infected more PCs than any other in the history of personal computing. In August of 2007 estimates put the total number of infected computers at anywhere from 1 million to over 5 million! All of the infected computers acquired the Storm Trojan through social engineering trickery of their human owners.

Early varieties of the Storm Trojan, which began circulating widely in January, 2007, used catchy news headlines (some true, some false), such as news of hundreds of people killed by storms raging across Europe. Early payloads were carried in hostile attachments, offering more information or the full story, but were rigged with the Storm Trojan malware. Later, in mid-2007, the authors began shifting away from using attachments and started providing links to the already infected computers, which were now used to host web pages that carried exploit codes and copies of the Trojan itself. The owners of these computers had no idea that their machines were being used for this purpose, and other purposes even more sinister.

It was in June 2007 that I began to notice suspicious numeric links in email spam messages, that characterized the new breed of the Storm Trojan. There were several phases where different techniques were employed, all designed to appeal to human curiosity and which snared more and more unsuspecting victims into the ever-growing Storm Botnet. There were e-cards, postcards, verification messages, free music, free games, funny cats, dancing skeletons, Naughty Christmas cards and now, New Years greetings postcards. All of these scams contain a link which the person reading the email must click on. If you are running a windows computer that has not been fully patched against all known vulnerabilities in the wild, and you clicked on one of those links, chances are good that your computer has become a "zombie" member of the Storm Botnet.

Most of the time, the owners of these compromised machines don't know what is happening behind the scenes, as all of this activity is hidden from the user interface. The only give-away that something is amiss would be occasional unexplainable computer and Internet slowdowns, along with periods of high activity on their (external or broadband) modem "activity" lights, as thousands of spam emails, or DDoS attacks are launched from their computer. So, aside from flickering modem lights, how can you tell if your Windows computer has been infected with the Storm Trojan?

Since the Storm Trojan has been around for about a year now, it is safe to say that all anti virus and anti spyware programs have definitions to detect and eliminate this threat. If you have an anti virus and/or spyware program, make sure your scanning engine is fully current, and the definitions are up to date, then reboot into Safe Mode and scan all files. Safe Mode scanning is recommended, because, although the Storm Trojan installs its "service" as a hidden "rootkit," it still has supporting processes and files that can be stopped and deleted from Safe Mode. After the support files and registry entries are terminated the rootkit infector will be vulnerable. With any luck your security program will find and remove the files and services associated with this Trojan.

If you don't have an anti virus or anti spyware program on your Windows computer you are probably already infected with all manner of malware. There is a manual method that you can use to determine if your computer has/might have the Storm Trojan. A rootkit keeps its own main operational files from being viewed in Windows Explorer, or in Command Windows, by intercepting attempts to find those file names, or slight variations of their names and sending a null result to the screen. These are known as "super hidden" files. So, if your computer does have a rootkit infector and you were to look for their presence using a Windows Search, or a "Dir" command in a DOS Command window, the rootkit file(s) would not reveal themselves to you. Interestingly, if you were to create a new text file on your Windows desktop, with the same prefix as the rootkit's files, that file would instantly disappear from view, or would not appear in a DOS Window directory listing.

While the Windows desktop file test may or may not work as described, a Command Window can be used to reveal the presence of the Storm Trojan's rootkit.

Since Windows Explorer refuses to display super hidden rootkit files and services, a good old DOS window and some special commands might do the trick, by hiding a specially named file that you just created. Here's what you need to do to check for the presence of the Storm Trojan rootkit component.


  1. Go to Start > Run and type in: CMD and press Enter

  2. A "Command" Window will open, with a blinking cursor, waiting for text input from you.

  3. Case doesn't matter with these commands.

  4. In the Command Window type this: copy con spooldr.txt

  5. Press Enter. The blinking cursor should move down to a blank line.

  6. Type a few words to create some filesize, then press F6. You should see a ^Z, after the last character that you typed.

  7. Now, press Enter. You should see "1 file(s) copied" and the cursor will blink again on a new command line.

  8. At the blinking cursor, type: DIR spooldr.txt and press Enter.

  9. If you see a report showing 1 file(s) and a filesize in bytes and the file name, you have passed the first test.

  10. Repeat steps 4-8, substituting these filenames each time: noskrnl.txt, wincom.txt, clean.txt, bldy.txt

  11. If all of these files are listed in the DIR results, you're probably ok (the file names are now being changed frequently), but, if the DIR command shows 0 files found for any of these files, you are infected with the Storm Trojan and its rootkit.

  12. If all of these files show in a DIR listing, you should delete them by typing: DEL filename.txt (substituting the actual filenames) and press Enter and the named file will be deleted.
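The same create-list-delete check, automated, as an added example that is not part of the original post. The probe names are the ones listed in the steps above (the post warns they change often); the control name is constructed so that an unlistable probe directory is reported as inconclusive rather than as an infection. On Windows it runs the same DIR command as the manual steps; on other systems os.listdir() stands in for DIR so the logic can still be exercised.

```python
import os
import subprocess
import tempfile

# Probe names from the post. The author notes the rootkit's file names are now
# changed frequently, so "all visible" is not proof of a clean machine.
PROBE_NAMES = ["spooldr.txt", "noskrnl.txt", "wincom.txt", "clean.txt", "bldy.txt"]

# Constructed control name that no name-filtering rootkit should care about: if
# even this one is hidden, the probe directory itself is the problem.
CONTROL_NAME = "visible-control.txt"


def dir_shows(probe_dir, name):
    """Does a directory listing show the file?

    On Windows this runs the same DIR command as step 8; elsewhere os.listdir()
    (also a directory enumeration call) stands in for it.
    """
    if os.name == "nt":
        proc = subprocess.run(
            ["cmd", "/c", "dir", "/b", os.path.join(probe_dir, name)],
            capture_output=True, text=True,
        )
        return proc.returncode == 0 and name.lower() in proc.stdout.lower()
    return name in os.listdir(probe_dir)


def run_probe(names=PROBE_NAMES, probe_dir=None, lister=dir_shows):
    """Create each probe file with some content (steps 4-7), check whether a
    listing shows it (step 8), then delete it (step 12).

    Returns {name: visible} for the control name plus every probe name.
    """
    probe_dir = probe_dir or tempfile.mkdtemp(prefix="stormprobe-")
    visible = {}
    for name in [CONTROL_NAME] + list(names):
        path = os.path.join(probe_dir, name)
        with open(path, "w") as fh:
            fh.write("rootkit visibility probe\n")  # "a few words", as in step 6
        visible[name] = lister(probe_dir, name)
        try:
            os.remove(path)
        except OSError:
            pass  # a hidden file may also resist deletion; nothing more to do here
    return visible


def verdict(visible):
    """Map the probe results onto the outcomes the post describes."""
    if not visible.get(CONTROL_NAME, False):
        return "inconclusive"  # even the control file was hidden or unlistable
    hidden = sorted(n for n, shown in visible.items() if not shown)
    if hidden:
        return "suspicious: listing hid " + ", ".join(hidden)
    return "no name filtering observed"


if __name__ == "__main__":
    results = run_probe()
    for name, shown in results.items():
        print("%-22s %s" % (name, "visible" if shown else "HIDDEN"))
    print(verdict(results))
```

A "suspicious" verdict only says that a freshly created file with one of these names vanished from the listing; the cleanup should still be left to an up-to-date scanner, as the post says.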


I advise you to leave disinfection of rootkit threats to professional grade security applications, like Norton, McAfee, Kaspersky, or TrendMicro Anti Virus programs, or Webroot Spy Sweeper, or PCTools Spyware Doctor. There are links to some of these programs on this blog. Some of them offer a free trial download, and others offer a free online scan. If you can't afford one of these commercial programs you can download (install and update!) AVG Free Anti-Virus, or SpyBot Search and Destroy, which is also free, from the links in the right sidebar >>>

If I come up with some effective manual removal instructions, that can be used by the average computer owner, I will post them in a follow-up blog article.

Spybot Search & Destroy Malware Definitions Updated on December 26, 2007

With New Years Eve fast approaching it is no surprise that malware authors are ramping up their efforts to infect as many computers as possible, either to draft them into zombie Botnets, or to cause unwanted popup advertisements, or to install hidden keyloggers, to steal your logins to online banks and other personal information. If you operate a Windows based computer you are the primary target of these criminals and you must protect your computer from these spyware threats. Many people use commercial anti-malware applications, which are updated daily against new threats, while others rely upon the freely available Spybot Search & Destroy - to handle their security against spyware, keyloggers, adware and Trojans. As free anti-spyware programs go it is one of the best, although it is only updated once a week.

If you use the famed, freeware, anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of its name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4 and 1.5. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

Additions made on 12/26/2007 (and false positive removals)

Keyloggers
+ Ardamax

Malware
+ Nous-Tech.UCleaner
+ Win32.Adrenaline.a
+ Win32.Agent.pz

LocusSoftware.PCPrivacyTool - Removed as false positive

PUPS (Possibly Unpopular Software)
+ Win32.Delf.afm

Security
+ Microsoft.Windows.RedirectedHosts (DNS poisoning threats)

Trojan
+ Hupigon
+ MalwareAlarm
+ Smitfraud-C.MSVPS
+ Win32.Agent.bfj
+ Win32.Agent.bxh
+ Win32.Agent.msgr
+ Win32.AutoRun.aiv
+ Win32.BHO.acw
+ Win32.MicroJoiner
+ Win32.Nakuru.a
+ Win32.Rbot.bdu

Total: 523607 fingerprints in 113030 rules for 3545 products.

Spybot Search & Destroy version 1.5x is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History


A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

As you can see from the long list of new detections this has grown into a major piece of work for the author and he could sure use some financial assistance to cover the huge amount of time it takes to update these definitions. There is a donation button on this page and I know he will appreciate your contributions!

December 26, 2007

Beware of "New Year" email "Postcard" threats

This is a heads up to you all to beware of a new round of Storm Trojan email threats, now making the rounds. They contain a New Year subject and one line of body text and a link on the second line that contains the word postcard, or a variation thereof. Do not click on this link. Delete the message. The destination is a Storm Worm Trojan infected computer, running an Nginx small web server, with but one page. The page contains code to instantly redirect you to an automatic download location, where you will receive your very own copy of the Storm Trojan. If you visit the first page with JavaScript disabled, you will be presented with an enticement to manually install the Trojan; to view your "postcard." Not! The three spammed email messages I analyzed this morning all contained variations of the following two lines of deactivated text:

As the new year...
h**p://uhavepostcard.***/

That URL was spammed out on Christmas day, three days ago. The current Storm Trojan spam messages now have links to happycards2008.com, or newyearcards2008.com, or familypostcards2008.com, which are different URLs than in the attacks that began on Christmas Day and more changes are expected over this weekend.

The emails I have analyzed so far today led to infected computers, with web pages containing a clickable link to a locally hosted file named "happy-2008.exe," or "happynewyear.exe," which is the Storm Trojan itself. The infected host computers are zombie members of the Storm Botnet and are all over the World. The redirects in them lead to exploited servers, similarly all over the World. These servers have been compromised over the year in anticipation of serving up payloads on demand. They are zombie servers in that no unusual activity would be noticed from them until people start arriving from redirects on infected PCs. Unless people report these infected servers they will remain online long enough to do a lot of damage. One way to report them is to become a reporting member of SpamCop.

If, like me, you use an anti spam front end for your email client, such as MailWasher Pro, and it allows you to create regular expression spam filters, try adding these rules to detect the Storm Postcard threats:

UPDATED 12/30/2007 to add new target domain names and shorter RegExpr.
The subject contains any of these words: "(e-) card, or greeting, or postcard, or New Year, or New 2008 Year"
AND, The body contains any of the same words; AND
The body contains a hyperlink containing this regular expression:

http://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/|(.+postcards?|newyearwithlove|.+cards2008)\.com)

Here is that entire updated rule, in MailWasher Pro format, for use in the MailWasher filters.txt file (This code should be on one long line):

[enabled],"Postcard Trojan Scam","Postcard Scam",16711680,AND,Delete,Automatic,Subject,containsRE,"\b(e-?)?(card|greeting|postcard|new\ year|Happy\ 2008!|New\ Hope\ and\ New\ Beginnings|new\s.*year)",Body,containsRE,"\b((e-?)?(post|greeting\s)?card)|new\ year\b",Body,containsRE,"\bhttp://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/|(.+postcards?|newyearwithlove|.+cards2008)\.com)"
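To see what the three conditions of that rule actually catch, here is an added example (not the post's or MailWasher's own code) that parses the rule line above and runs it over a few constructed messages. The field layout (enabled flag, name, description, colour, AND/OR, action, mode, then field/operator/pattern triples) is my reading of the single line shown here, and case-insensitive matching is an assumption the post does not state.

```python
import csv
import re

# The "Postcard Trojan Scam" rule line exactly as given in the post (one long line).
RULE_LINE = (
    r'[enabled],"Postcard Trojan Scam","Postcard Scam",16711680,AND,Delete,Automatic,'
    r'Subject,containsRE,"\b(e-?)?(card|greeting|postcard|new\ year|Happy\ 2008!|'
    r'New\ Hope\ and\ New\ Beginnings|new\s.*year)",'
    r'Body,containsRE,"\b((e-?)?(post|greeting\s)?card)|new\ year\b",'
    r'Body,containsRE,"\bhttp://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/|'
    r'(.+postcards?|newyearwithlove|.+cards2008)\.com)"'
)


def parse_rule(line):
    """Split one filters.txt line into its parts.

    Assumed layout (read off the one rule shown in the post, not a documented
    format): [enabled], name, description, colour, logic (AND/OR), action, mode,
    then repeating (field, operator, pattern) triples. The patterns contain
    commas, so a CSV reader is used to honour the quoting.
    """
    fields = next(csv.reader([line]))
    if len(fields) < 10 or (len(fields) - 7) % 3 != 0:
        raise ValueError("unexpected number of fields: %d" % len(fields))
    conditions = []
    for i in range(7, len(fields), 3):
        field, op, pattern = fields[i:i + 3]
        if op != "containsRE":
            raise ValueError("unsupported operator: " + op)
        # Assumption: MailWasher matches case-insensitively.
        conditions.append((field, re.compile(pattern, re.IGNORECASE)))
    return {
        "enabled": fields[0] == "[enabled]",
        "name": fields[1],
        "logic": fields[4],
        "action": fields[5],
        "conditions": conditions,
    }


def rule_matches(rule, subject, body):
    """True if the message satisfies the rule (AND: every condition, OR: any)."""
    hits = []
    for field, regex in rule["conditions"]:
        text = subject if field.lower() == "subject" else body
        hits.append(regex.search(text) is not None)
    return all(hits) if rule["logic"].upper() == "AND" else any(hits)


# Constructed sample messages modelled on the quoted lines; none are real mail.
SAMPLE_MESSAGES = [
    ("storm-domain", "Happy New Year!",
     "As the new year...\nhttp://newyearcards2008.com/"),
    ("storm-numeric", "You've received a postcard",
     "Your friend sent you a greeting card.\nhttp://192.0.2.10/"),
    # Subject and body words match, but the link does not, so AND rejects it.
    ("legit", "New Year party on Saturday",
     "Bring a card game and some snacks.\nhttp://example.com/party"),
]


def classify_samples(rule=None):
    """Run every sample through the rule; returns {label: matched}."""
    rule = rule or parse_rule(RULE_LINE)
    return {label: rule_matches(rule, s, b) for label, s, b in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for label, hit in classify_samples().items():
        print("%-13s %s" % (label, "DELETE (rule matched)" if hit else "pass"))
```

The third sample shows why the link condition is the one that matters: holiday words alone appear in plenty of legitimate mail, and only the numeric-IP or postcard-domain link tips the rule into deleting.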

I am posting updates as I detect changes to the target domain name or subject/body text. Remember, the authors of the Storm Trojan are constantly altering the text and payload URLs, to fool spam filters and people. If you are not screening your incoming POP email you leave your computer at risk, should one of these threats fool you into clicking on a link to an infected computer, or server. I have a full page describing the email screening program - MailWasher Pro, with links where you can download it for a free trial. It is very inexpensive to license, for the life of the product. You don't have to pay for version updates like you do with most security programs these days. The only recurring charge associated with MailWasher Pro is voluntary membership in their managed spam reporting group, called FirstAlert.

MailWasher Pro is free to try for 30 days, and still costs only $37.00 to register, which includes a one year, renewable subscription to the FirstAlert! spam reporting system, plus, FREE Mailwasher program updates for life.

December 23, 2007

My Spam analysis for Dec 17 - 23, 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 70% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced, again, this week, were numeric links to Storm Trojan infected computers (0) and spam for finances (0), lottery scams (0), phishing scams (0), and pump and dump stocks (0). Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results.

My current statistics show that spam is now 55% of all my incoming email, for the week of December 17 through 23, 2007. This is down 15% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for December 17 through 23, 2007.
Blacklisted (by pattern matching): 22.22%
Elite Herbal Spam: 16.11%
Pharmaceutical spam: 2.78%
RX Spam: 9.44%
Pirated software spam: 5.56%
Counterfeit Watches spam: 0.10%
Male enhancement spam: 7.78%
Weight loss pills: 0.10%
Casino spam: 0.10%
5 line spam: 3.89%
Viagra and Viagra.com: 6.67%
Other filters: 24.69%
DNS Blacklists: 0.56%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, beginning this week, I have begun blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Try Firetrust Mailwasher® Pro

December 19, 2007

Adobe Flash Player-Plug-in Security Update

In a release dated December 3, 2007, which I did not become aware of until today, December 19, 2007, Adobe Systems posted an updated version of the Shockwave Flash ActiveX object for Internet Explorer, and the Flash Player plug-in for Firefox and Opera browsers. The new version is currently listed as 9.0.115.0.

Since this is a security upgrade, to block exploits already in the wild, you should update your Flash player or plug-in, both to maintain your PC's security and for compatibility with Flash videos on YouTube and other websites.

One way to update is simply to visit the Flash download page and download it to your computer, then perform an in-place upgrade. Thankfully, this new installer also uninstalls all old versions of Flash, which previous installers did not do. After downloading the Flash setup file, close all of your browsers (Internet Explorer, Firefox and Opera), run the installer until it completes, then open your browser(s).

The second method to update Flash uses this path (assuming that Windows is installed on the C drive and resides inside the "Windows" directory):

C:\WINDOWS\Downloaded Program Files\Shockwave Flash Object. The version number may be displayed on the right, or not, depending on your "view" settings. If not, right-click on that file and select "Update." If nothing happens you probably already have the current version, but, to be sure, right-click on the file and select Properties. The version number will be available from the Properties box. If your version is out of date, accept the download warnings and allow the signed Flash Installer to download and install the new version. Afterward, hit F5 to refresh the folder view and you should see the newer version number for the Flash file (or right-click and view its "Properties" to see the version).

Failure to update to the current version of Flash player/plug-in may limit your ability to view Flash videos and leave you at risk of exploitation, should you try to view a malware infected Flash presentation.

You can also obtain information about any insecure versions of Flash or other common applications, by running the Secunia Software Inspector, from your browser. See my blog entry from earlier today, for more details about this tool.


Spybot Search & Destroy Malware Definitions Updated on December 19, 2007

With Christmas fast approaching it is no surprise that malware authors are ramping up their efforts to infect as many computers as possible, either to draft them into zombie Botnets, or to cause unwanted popup advertisements, or to install hidden keyloggers, to steal your logins to online banks and other personal information. If you operate a Windows based computer you are the primary target of these criminals and you must protect your computer from these spyware threats. Many people use commercial anti-malware applications, which are updated daily against new threats, while others rely upon the freely available Spybot Search & Destroy - to handle their security against spyware, keyloggers, adware and Trojans. As free anti-spyware programs go it is one of the best, although it is only updated once a week.

If you use the famed, freeware, anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of its name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4 and 1.5. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

Additions made on 12/19/2007

Keyloggers
+ Ardamax
+ SpyBossPro

ALERT!
Protexis.MOD is a False Positive detection, which will be corrected next Wednesday, when the new definitions are released. The program is a key-logger - for a typing tutor application! ;-)
If Spybot deleted this program, you can restore it now, if you actually use the typing tutor. Click on the Recovery button (First Aid box w/green cross) and find Protexis.MOD and follow the instructions to recover the file(s).

Malware
+ ErrorClean

+ LocusSoftware.PCPrivacyTool
Watch out for false positives on this detection!
Use Google to verify, or disprove, any threats identified as PCPrivacyTool. Spybot falsely flagged my sqlite3.dll file as infected, which it was not.

+ NoAdware
+ RegistryFix
+ SpywareSolver
+ Vario.AntiVirus
+ Win32.Banker.cuk
+ Win32.VB.ays
+ Win32.Benvie
+ Win32.Agent.ph
+ Win32.BHO.je
+ WinClear


PUPS (Possibly Unpopular Software)
+ Yazzle

Security
+ Microsoft.Windows.RedirectedHosts (DNS poisoning threats)

Spyware
+ Protexis.RecOnServer

Trojan
+ AdSpy.TTC
+ Hupigon
+ MalwareAlarm (2)
+ PWS.LDPinchIE (Password Stealing Trojan)
+ Smitfraud-C.generic
+ Smitfraud-C.MSVPS
+ Virtumonde.Dll (1508)
+ Win32.Agent.ahj
+ Win32.AutoRun.aiv
+ Win32.SCKeyLog.au
+ Win32.Shark.bw (618)
+ Win32.Small.azl
+ Win32.VB.ang
+ Zlob.Downloader.jot
+ Zlob.Downloader.rid (2)
+ Zlob.Downloader.vdt

Total: 528810 fingerprints in 112826 rules for 3544 products.

Spybot Search & Destroy version 1.5x is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

As you can see from the long list of new detections this has grown into a major piece of work for the author and he could sure use some financial assistance to cover the huge amount of time it takes to update these definitions. There is a donation button on this page and I know he will appreciate your contributions!


Secunia Software Inspector detections updated on December 19, 2007

Secunia has updated the detections for their online Software Inspector tool. If you are not using this free service to check your computer for insecure versions of typically exploited software you are blowing an excellent opportunity to learn the state of your computer's security. Here is what this tool does:

Feature Overview - The Secunia Software Inspector:
* Detects insecure versions of applications installed
* Verifies that all Microsoft patches are applied
* Assists you in updating your system and applications
* Runs through your browser. No installation or download is required.

How it Works:
The Secunia Software Inspector relies on Secunia File Signatures to recognize applications on your system. The detected applications are then matched against the Secunia Advisory Intelligence to determine whether an application is up-to-date or not. The results are then used to advise you on how to update to more secure releases of the insecure applications, including any missing security updates from Microsoft.

The Secunia Software Inspector covers the most common and popular end user applications:
* Internet browsers
* Internet browser plug-ins
* Instant messaging clients
* Email clients
* Media players
* Operating systems

Note that the Secunia Software Inspector works by inspecting version information on your system and therefore it does not take into account if you have applied a workaround to address a particular vulnerability.

To use the Secunia Software Inspector, go to the Software Inspector web page and click on the "Start Now" button. The tool uses the latest Java Virtual Machine to perform its tasks, so if you don't have Java support in your browser, you will be prompted to install it (from java.com, a division of Sun Corporation). With Java installed in your browser, when you click on the "Start Now" button the page will change and the button will be replaced with one that just says "Start." Click on this button and wait for about 45 seconds for the scans to complete. The time required depends on the speed of your Internet connection. Mine takes 40 seconds, on a 3 mbps down / 512 kbps up - DSL line.

The results of the scan will be displayed in the browser, under the start button area. If you see all green checkmarks, everything is up to date. If some programs are out of date, or if insecure copies are lying around your hard drive, there will be red Xs that you can click on - to read the details. Insecure versions of Flash or Java can still be exploited and should be deleted.

After I ran the Software Inspector today I learned that my Adobe Flash player and Opera browser had been updated, since I last ran the tool, a week ago. Both of these are security updates to fix critical vulnerabilities. The new version of Flash is 9,0,115,0 and the new version of Opera is 9.25, after upgrading them today.
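As an added example (not Secunia's or Adobe's code), here is a small version-inspection routine of the kind the tool's description implies: it parses version strings in both the dotted and the comma-separated form that Flash reports (both appear above), compares them against the minimum secure versions named in these posts (Flash 9.0.115.0, Opera 9.25), and flags the rest. The installed inventory it is run on is constructed.

```python
import re
from typing import Dict, Tuple

# Constructed illustration, not code from Secunia or Adobe. The minimum secure
# versions are the two named in the posts; the inventory handed to
# inspect_inventory() is made up for the example.
MINIMUM_SECURE: Dict[str, str] = {
    "Adobe Flash Player": "9.0.115.0",
    "Opera": "9.25",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.0.115.0', '9,0,115,0' or '9.25' into a tuple of integers.

    Flash reports its version with commas in some places and dots in others,
    so either separator is accepted; anything else is rejected rather than
    silently treated as version 0 (which would read as "insecure").
    """
    match = re.fullmatch(r"\s*(\d+(?:[.,]\d+)*)\s*", text)
    if not match:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in re.split(r"[.,]", match.group(1)))


def compare_versions(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Return -1, 0 or 1, padding the shorter tuple with zeros so 9.25 == 9.25.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def inspect_inventory(installed: Dict[str, str]) -> Dict[str, str]:
    """Classify each installed application as secure, insecure or unknown.

    This is pure version inspection, like the Software Inspector: it cannot
    tell whether a workaround was applied to an old version, only whether the
    version string meets the minimum.
    """
    report: Dict[str, str] = {}
    for app, version in installed.items():
        minimum = MINIMUM_SECURE.get(app)
        if minimum is None:
            report[app] = "unknown"          # nothing to compare against
        elif compare_versions(parse_version(version), parse_version(minimum)) >= 0:
            report[app] = "secure"
        else:
            report[app] = "insecure"
    return report


if __name__ == "__main__":
    # Constructed inventory: Flash in its comma form, an out-of-date Opera,
    # and one application the table knows nothing about.
    sample = {"Adobe Flash Player": "9,0,115,0", "Opera": "9.24", "Some Player": "1.0"}
    for app, state in inspect_inventory(sample).items():
        print(f"{app:20} {state}")
```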

If you have installed any of the software they scan for in a non-standard location - place a check in the checkbox that offers to scan non-default locations, before you begin the scan.

Note to software firewall users:
If you use ZoneAlarm, or another software firewall, which blocks access to changed executables that access the Internet, be sure to allow the upgraded (changed) Opera browser to continue to access the Internet and tell the firewall to remember your decision. This applies to any program that you upgrade, if it accesses the Internet and your firewall challenges changed files that try to connect to the 'Net.


December 16, 2007

My Spam analysis for Dec 10 - 16, 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 70% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced, again, this week, were numeric links to Storm Trojan infected computers (0) and spam for finances (0), lottery scams (0), phishing scams (0), and pump and dump stocks (0). Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results.

My current statistics show that spam is now 70% of all my incoming email, for the week of December 10 through 16, 2007. This is up 5% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for December 10 through 16, 2007.
MailWasher Pro by Firetrust
Blacklisted: 16.67%
Elite Herbal Spam: 14.68%
Pharmaceutical spam: 12.30%
RX Spam: 10.32%
Pirated software spam: 6.75%
Counterfeit Watches spam: 6.35%
Male enhancement spam: 4.76%
Weight loss pills: 4.76%
Casino spam: 3.17%
5 line spam: 2.38%
Other filters: 17.46%
DNS Blacklists: 0.4%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, beginning this week, I have begun blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Try Firetrust Mailwasher® Pro

December 13, 2007

Spybot Search & Destroy Malware Definitions Updated on December 12, 2007

With Christmas fast approaching it is no surprise that malware authors are ramping up their efforts to infect as many computers as possible, either to draft them into zombie Botnets, or to cause unwanted popup advertisements, or to install hidden keyloggers, to steal your logins to online banks and other personal information. If you operate a Windows based computer you are the primary target of these criminals and you must protect your computer from these spyware threats. Many people use commercial anti-malware applications, which are updated daily against new threats, while others rely upon the freely available Spybot Search & Destroy - to handle their security against spyware, keyloggers, adware and Trojans. As free anti-spyware programs go it is one of the best, although it is only updated once a week.

If you use the famed, freeware, anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of its name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4 and 1.5. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

Additions made on 12/12/2007 (19 new or updated Trojans!)

Keylogger
+ Ardamax (2)
+ Perfect Keylogger (2)

Malware
+ NoAdware
+ SpywareBot
+ Vario.AntiVirus
+ Win32.PcClient.agu
+ Win32.Renos

Security
+ Microsoft.Windows.AppFirewallBypass

Trojan
+ AstaKiller
+ IRC.Zapchast
+ Smitfraud-C.MSVPS
+ Stration.Warezov
+ Virtumonde.Crack
+ Win32.Agent.BU
+ Win32.Agent.mf
+ Win32.Agent.nn
+ Win32.MancSync
+ Win32.OnLineGames.na
+ Win32.Pakes.bqn
+ Win32.Porntool.a
+ Win32.QQPass.nt
+ Win32.Shark.af
+ Win32.Virut.ak
+ Zlob.Downloader
+ Zlob.Downloader.oid
+ Zlob.Downloader.rid
+ Zlob.Downloader.vdt

Total: 521800 fingerprints in 112377 rules for 3520 products.

Spybot Search & Destroy version 1.5x is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

As you can see from the long list of new detections this has grown into a major piece of work for the author and he could sure use some financial assistance to cover the huge amount of time it takes to update these definitions. There is a donation button on this page and I know he will appreciate your contributions!


Secunia Software Inspector detections updated - Are you using it yet?

Secunia has updated the detections for their online Software Inspector tool. If you are not using this free service to check your computer for insecure versions of typically exploited software you are blowing an excellent opportunity to learn the state of your computer's security. Here is what this tool does:

Feature Overview - The Secunia Software Inspector:
* Detects insecure versions of applications installed
* Verifies that all Microsoft patches are applied
* Assists you in updating your system and applications
* Runs through your browser. No installation or download is required.

How it Works:
The Secunia Software Inspector relies on Secunia File Signatures to recognize applications on your system. The detected applications are then matched against the Secunia Advisory Intelligence to determine whether an application is up-to-date or not. The results are then used to advise you on how to update to more secure releases of the insecure applications, including any missing security updates from Microsoft.

The Secunia Software Inspector covers the most common and popular end user applications:
* Internet browsers
* Internet browser plug-ins
* Instant messaging clients
* Email clients
* Media players
* Operating systems

Note that the Secunia Software Inspector works by inspecting version information on your system and therefore it does not take into account if you have applied a workaround to address a particular vulnerability.

To use the Secunia Software Inspector, go to the Software Inspector web page and click on the "Start Now" button. The tool uses the latest Java Virtual Machine to perform its tasks, so if you don't have Java support in your browser, you will be prompted to install it (from java.com, a division of Sun Corporation). With Java installed in your browser, when you click on the "Start Now" button the page will change and the button will be replaced with one that just says "Start." Click on this button and wait for about 45 seconds for the scans to complete. The time required depends on the speed of your Internet connection. Mine takes 45 seconds, on a 3 mbps down / 512 kbps up - DSL line.

The results of the scan will be displayed in the browser, under the start button area. If you see all green checkmarks, everything is up to date. If some programs are out of date, or if insecure copies are lying around your hard drive, there will be red Xs that you can click on - to read the details. Insecure versions of Flash or Java can still be exploited and should be deleted.

If you have installed any of the software they scan for in a non-standard location - place a check in the checkbox that offers to scan non-default locations, before you begin the scan.


December 12, 2007

Wildcard additions for your MailWasher Pro blacklist

MailWasher Pro is a commercial, anti-spam, email screening program for your POP3 desktop email client. The program uses a combination of techniques to intercept and remove spam, viruses, exploits and scams, from the email server, before they are downloaded to your regular email client. One of these detection techniques is user created blacklists. If you are already using MailWasher Pro to screen your incoming POP3 email, I have some additions for your blacklist, that may help reduce the amount of unclassified spam you have to sort through.

Many of you have been reading my weekly blog spam analysis reports, which are obtained from my MailWasher Pro Statistics. The statistics are categorized into the various types of spam that my custom filters match and delete. For the last few months I have been using custom filters to catch and categorize spam, exclusively, as opposed to creating a blacklist of spammers. This usually makes sense, because spam is always sent with a forged "From" address, often comprised of random characters, making it impractical to blacklist these fake and (usually) non-repetitive addresses (some are repeated).

However, during the last few months I have been able to find a filterable pattern in some of the spam messages, in their "From" field. I have created two new rules which you can add to your MailWasher Pro "Blacklist" to match and delete a large number of the current spam messages, in the wild at this time. Using these rules in addition to the learning filter and databases of known spam, and possibly my custom filters, will reduce the amount of spam you see to a dribble, instead of a waterfall.

MailWasher Pro by Firetrust

With MailWasher Pro open, click on the "Spam Tools" button, then on "My Blacklist." Next, click the +ADD button and click the "radio" option for "Wildcard expression." Enter this expression:

dw+m@+.+

Click OK to save it. Now, create another new rule, with this expression:

lin+met@+.de

Click OK to save it. Look in the "Action" section of the Blacklist options and choose the action you are comfortable with. I would recommend selecting "Mark the mail for deletion" and 'On "Process Mail" (Recommended).' Before you leave this area, click on the "List Options" button, in the upper right. There are check-boxes and options for how long the blacklist will keep watching for these email addresses, before deleting them. Since it is rare to see the same forged email addresses persist over very long periods of time, you can set the times to expire unused addresses as follows:

Unused individual addresses: 7 to 10 days
Unused wildcard addresses: 90 to 180 days

Expiring useless addresses and wildcards will keep the blacklist to a smaller file size, which means it will load faster and be able to match incoming messages more quickly. When you have made your expiration selections click OK, to close the List Options, then OK, to close "My Blacklist" and the "Spam Tools."

Be sure you set your MailWasher Pro options (Tools > Options > Summary) to "Enable Message Logging" and to "Allow deleted email to be restored from the Summary Screen." Be sure you read your (MailWasher Pro Recycle Bin) statistics every day, as often as possible. If you see a legitimate email that was deleted by the blacklist, or any other filter, you can restore all, or at least part of it, from the Recycle Bin Statistics page. The number of lines restored is determined by the option on the General tab, for "Spam Throttle - Download first (selected number) lines." I use 300 lines, which is not the fastest scanning, but is more accurate at catching spam that uses HTML tricks. If you want faster scanning, try reducing the number of lines to 200. This will get the scanning done faster, but if a legitimate HTML email was deleted only a percentage of it can be restored. If it was a newsletter you may only recover a small percentage, whereas a personal email may be fully recovered with only 200 lines saved. 300 lines seems to recover a fair amount of HTML content, but not everything, in newsletters.

How much spam those two wildcard filters will block is hard to say for certain, but it sure will make a dent in the level of messages that make it through your defenses. These particular filters match a technique used by certain spammers to identify their products as distinct from those of other spammers. They are sent from infected computers that are members of a spam Botnet. After a while the spammers using these identifying techniques may discard them for new ones, and I will post new details for blacklist rules, when that happens.

NOTE: Always whitelist your contacts by adding them to your MailWasher Pro "Friends" list! The Friends list overrides the spam filters, unless you specify that the opposite should occur.
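To make the decision order concrete, here is an added example (not MailWasher Pro's own code, nor the author's) that applies the two wildcard rules above, lets a Friends list override them, and expires unused entries on the suggested windows. It assumes that '+' in a MailWasher wildcard expression matches one or more arbitrary characters and that every other character is literal; all sample addresses are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed illustration, not code from Firetrust or from the post's author.
# Assumption: in a MailWasher Pro "Wildcard expression" the '+' character stands
# for a run of one or more arbitrary characters and every other character is
# literal. The two expressions are the ones given in the post.
BLACKLIST_WILDCARDS = ["dw+m@+.+", "lin+met@+.de"]

# Expiry windows for unused entries, at the upper end of the post's suggestions.
INDIVIDUAL_EXPIRY = timedelta(days=10)    # post: 7 to 10 days
WILDCARD_EXPIRY = timedelta(days=180)     # post: 90 to 180 days


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a '+'-wildcard expression into an anchored, case-insensitive regex.

    Literal fragments are escaped, so the '.' in '.de' is a real dot, and the
    result is anchored so the whole address must fit the pattern.
    """
    fragments = [re.escape(part) for part in pattern.split("+")]
    return re.compile("^" + ".+".join(fragments) + "$", re.IGNORECASE)


@dataclass
class BlacklistEntry:
    pattern: str
    kind: str                  # "wildcard" or "address"
    last_hit: datetime         # when this entry last matched a message
    regex: re.Pattern = field(init=False)

    def __post_init__(self) -> None:
        # A plain address is a wildcard with no '+', so one matcher serves both.
        self.regex = wildcard_to_regex(self.pattern)

    def expiry(self) -> timedelta:
        return WILDCARD_EXPIRY if self.kind == "wildcard" else INDIVIDUAL_EXPIRY


class Screener:
    """Friends list first, then the blacklist, in the order the post describes."""

    def __init__(self, friends: Iterable[str], wildcards: Iterable[str],
                 addresses: Iterable[str], created: datetime) -> None:
        self.friends = {f.lower() for f in friends}
        self.entries = [BlacklistEntry(w, "wildcard", created) for w in wildcards]
        self.entries += [BlacklistEntry(a, "address", created) for a in addresses]

    def classify(self, sender: str, now: datetime) -> Tuple[str, Optional[str]]:
        """Return ("keep", "friend"), ("delete", pattern) or ("unclassified", None)."""
        addr = sender.strip().lower()
        if addr in self.friends:           # the Friends list overrides every rule
            return ("keep", "friend")
        for entry in self.entries:
            if entry.regex.match(addr):
                entry.last_hit = now       # a rule that still fires does not expire
                return ("delete", entry.pattern)
        return ("unclassified", None)

    def expire(self, now: datetime) -> List[str]:
        """Drop entries unused for longer than their window; return what was dropped."""
        kept, stale = [], []
        for entry in self.entries:
            (stale if now - entry.last_hit > entry.expiry() else kept).append(entry)
        self.entries = kept
        return [entry.pattern for entry in stale]


def demo() -> Tuple[Dict[str, Tuple[str, Optional[str]]], List[str]]:
    """Run constructed sample senders through the screener, then age the list."""
    start = datetime(2007, 12, 12)
    screener = Screener(friends=["dwilliam@corp.example"],
                        wildcards=BLACKLIST_WILDCARDS,
                        addresses=["spammer@bad.example"], created=start)
    samples = [
        "dwqzm@mail-host.example",   # fits dw+m@+.+
        "linkmet@foo.de",            # fits lin+met@+.de
        "linkmet@foo.com",           # wrong TLD, falls through to other filters
        "DWilliam@corp.example",     # would fit dw+m@+.+ but is on the Friends list
        "dwilliam@other.example",    # legitimate-looking address caught by dw+m@+.+
        "spammer@bad.example",       # individual address entry
    ]
    results = {s: screener.classify(s, start) for s in samples}
    # 200 days on: only the rule that fired recently survives the expiry sweep.
    later = start + timedelta(days=200)
    screener.classify("dwabcm@x.example", later - timedelta(days=1))
    return results, screener.expire(later)
```

The fifth sample shows why the post insists on checking the Recycle Bin daily and whitelisting contacts: a broad wildcard such as dw+m@+.+ also fits ordinary addresses, and only the Friends list saves them.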

For information about the custom filters mentioned earlier, read my web page about MailWasher Pro Filters. To read about the program itself, and download a trial copy, go to my MailWasher Pro web page.


December 10, 2007

Grisoft (AVG) Acquires Exploit Prevention Labs

December 5, 2007:

There is big news for AVG anti-virus users. Grisoft, the makers of AVG, have just announced the acquisition of Exploit Prevention Labs, the makers of LinkScanner Pro. The deal is expected to be finalized by December 31st 2007. According to the announcement, the code for LinkScanner Pro is going to be included in all versions of AVG anti-virus.

For those who are not familiar with LinkScanner Pro, it is a security program for PCs that monitors the code on websites you visit and looks for and removes dangerous exploit code as the site is downloading to your browser. It is exceptionally good at stopping iframe and redirection exploits that lead to so many infections. According to what I read, LinkScanner Pro was able to remove these dangerous exploit codes from the pages you wanted to view, delivering only the safe content. This type of exploit has recently been used against MySpace users and some major sports information web sites, not to mention the thousands of personal and business web sites that have had redirection code injected into their home pages.

The news that this functionality is about to be rolled into AVG is fabulous. I don't know the time table for the inclusion of LinkScanner into AVG, but the news release mentions that the "Lite" version will be added to AVG Free, while the stronger version will go into the paid version of AVG Pro, and the AVG anti spyware program (formerly Ewido).

Short-term product integration plans include adding LinkScanner technology to AVG Anti-Virus Free and offering LinkScanner Online, a free on-demand URL scanning service, directly from the AVG web site. AVG also expects to maintain LinkScanner Pro, Exploit Prevention Labs’ flagship product, as a standalone offering.

Related to this announcement is the hiring of Roger Thompson, the co-founder and CTO of Exploit Prevention Labs, to become the Chief Research Officer at Grisoft, while other staff and facilities will also be absorbed into the Grisoft operation. Seems like a big win for Roger and his staff. AVG users will also be winners when this product gets included in the various AVG programs in use around the world.

In the short term, there will be no change to update deliveries or support procedures, and the websites at www.linkscanner.com and www.explabs.com will remain operational. Over time, these procedures and websites will merge with AVG’s procedures and websites.


December 9, 2007

My Spam analysis for Dec 3 - 9, 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 70% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced, again, this week, were numeric links to Storm Trojan infected computers (1) and spam for casinos (3), finances (0), lottery scams (0), phishing scams (1), and pump and dump stocks (0). Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results.

My current statistics show that spam is now 65% of all my incoming email, for the week of December 3 through 9, 2007. This is down 4% from last week (Yippee!) and the second consecutive week of decline. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for December 3 through 9, 2007:
Elite Herbal Spam: 24.91%
Male enhancement spam: 18.05%
Pharmaceutical spam: 12.63%
RX Spam: 6.86%
Counterfeit Watches spam: 2.89%
Pirated software spam: 8.66%
Weight loss pills: 2.53%
Unclassified One word subjects: 3.61%
Known Spam Subjects: 3.61%
Viagra and Viagra.com: 0.1%
Other filters: 16.15%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.
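To show how a list of uniquely named filter rules turns into a weekly category breakdown like the one above, and how a sender blacklist with wildcard entries can be expired when entries stop matching (the point of the List Options expiration settings described earlier), here is an added Python example. It is not code from this blog or from MailWasher Pro: the sample headers, the rule regexes, the Friends list, the blacklist patterns and the 60-day expiry window are all constructed for the demonstration, and the category names are borrowed from the breakdown above only as labels; the percentages it prints come from the constructed sample, not from the blog's statistics.

```python
import fnmatch
import re
from collections import Counter
from datetime import date, timedelta

# Constructed sample headers (subject, sender) standing in for one week of
# incoming POP mail. None of these are real messages from the blog post.
SAMPLE_HEADERS = [
    ("Elite Herbal - the natural way to impress her", "promo@example.net"),
    ("Elite Herbal supplements 70% off", "deals@example.org"),
    ("Increase your size in weeks", "news@example.com"),
    ("Canadian Pharmacy: cheap meds, no prescription", "pharma@example.biz"),
    ("Your RX order is ready", "orders@example.biz"),
    ("Rolex replica watches for the holidays", "watch@example.info"),
    ("OEM software at low prices", "soft@example.info"),
    ("Re: lunch on Friday?", "alice@example.com"),
    ("Project status report", "bob@example.com"),
    ("hello", "zombie1@example.test"),
]

# End of the sample reporting week and a constructed sender blacklist.
# Each entry records the date it last matched a message, so entries that
# nobody has hit in a long time can be expired to keep the list small.
WEEK_END = date(2007, 12, 9)
SAMPLE_BLACKLIST = {
    "*@example.test": date(2007, 11, 1),      # wildcard entry, still active
    "spammer@old.example": date(2007, 9, 1),  # assumed stale entry
}

# Contacts that must never be filtered (the "Friends" list).
FRIENDS = {"alice@example.com", "bob@example.com"}

# Named subject rules; the name is what appears in the weekly breakdown.
# First match wins, like a filter list evaluated top to bottom.
RULES = [
    ("Elite Herbal Spam", re.compile(r"elite\s*herbal", re.I)),
    ("Male enhancement spam", re.compile(r"\b(increase your size|enhancement)\b", re.I)),
    ("Pharmaceutical spam", re.compile(r"\b(pharmacy|meds)\b", re.I)),
    ("RX Spam", re.compile(r"\brx\b", re.I)),
    ("Counterfeit Watches spam", re.compile(r"\b(rolex|replica watch)", re.I)),
    ("Pirated software spam", re.compile(r"\boem software\b", re.I)),
]


def classify(subject, sender, blacklist, today):
    """Return the category name for a spam message, or None for legitimate mail.

    Precedence: the Friends list overrides everything, then the sender
    blacklist (fnmatch wildcards), then the named subject rules. A blacklist
    hit refreshes that entry's last-match date.
    """
    sender = sender.lower()
    if sender in FRIENDS:
        return None
    for pattern in blacklist:
        if fnmatch.fnmatch(sender, pattern):
            blacklist[pattern] = today
            return "Blacklist: " + pattern
    for name, regex in RULES:
        if regex.search(subject):
            return name
    return None


def weekly_breakdown(headers, blacklist, today):
    """Classify a batch of headers; returns (Counter of categories, message total)."""
    counts = Counter()
    for subject, sender in headers:
        category = classify(subject, sender, blacklist, today)
        if category is not None:
            counts[category] += 1
    return counts, len(headers)


def spam_share(counts, total_messages):
    """Spam as a percentage of all incoming mail, to one decimal place."""
    return round(100.0 * sum(counts.values()) / total_messages, 1)


def percentages(counts):
    """Each category's share of the spam total (the pie-chart slices)."""
    spam_total = sum(counts.values())
    return {name: round(100.0 * n / spam_total, 2) for name, n in counts.items()}


def expire_blacklist(blacklist, today, max_age_days):
    """Remove entries that have not matched within max_age_days; returns them."""
    cutoff = today - timedelta(days=max_age_days)
    stale = [p for p, last_hit in blacklist.items() if last_hit < cutoff]
    for pattern in stale:
        del blacklist[pattern]
    return stale


if __name__ == "__main__":
    counts, total = weekly_breakdown(SAMPLE_HEADERS, SAMPLE_BLACKLIST, WEEK_END)
    print("spam share: %.1f%% of %d messages" % (spam_share(counts, total), total))
    for name, pct in sorted(percentages(counts).items(), key=lambda kv: -kv[1]):
        print("%-30s %6.2f%%" % (name, pct))
    print("expired:", expire_blacklist(SAMPLE_BLACKLIST, WEEK_END, 60))
```

The order of the checks is the security-relevant part: the Friends list is consulted before any blacklist or subject rule, which is why a wildcard blacklist entry cannot swallow a known contact, and the blacklist is consulted before the subject rules so a hit there is counted under its own name rather than under a catch-all category.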

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.


December 7, 2007

Spybot Search & Destroy Malware Definitions Updated on December 5, 2007

If you use the famed, freeware, anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of its name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4 and 1.5. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

Additions made on 12/05/2007 (25 new or updated Trojans!)

Adware
+ Zango

Keylogger
+ Ardamax (5)
+ ProData.DoctorKeylogger

Malware
+ OnlineGuard
+ SpywareLocker
+ StartGuard
+ UltraSoft.Xlib
+ VirusProtect
+ Win32.Agent.cmn
+ Win32.Renos

PUPS (Possibly Unpopular Software)
+ FusionBomber

Security
+ Microsoft.Windows.AppFirewallBypass
+ Microsoft.Windows.RedirectedHosts

Trojan
+ DeepThroat
+ MalwareAlarm
+ Nous-Tech.UDefender
+ Search2Find
+ Smitfraud-C.MSVPS
+ Vario.Antivirus
+ Virtumonde
+ Virtumonde.Crack
+ Virtumonde.dl
+ Virtumonde.Dll
+ Virtumonde.SecCenter
+ Win32.Agent.bid
+ Win32.Bandok.av
+ Win32.Banload.evb
+ Win32.Delf.arg
+ Win32.Delf.xo
+ Win32.EST.avg
+ Win32.Kapucen.b
+ Win32.Nuclear.ax
+ Win32.Optix.Pro
+ Win32.PePatch.dk
+ Win32.Tiny.abk (2)
+ Win32.Zlob.bbo.rtk
+ Zlob.Downloader.vdt
+ Zlock.uc

Total: 515624 fingerprints in 110352 rules for 3497 products.

Spybot Search & Destroy version 1.5x is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. In the "System Properties" dialog select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (this takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

As you can see from the long list of new detections this has grown into a major piece of work for the author and he could sure use some financial assistance to cover the huge amount of time it takes to update these definitions. There is a donation button on this page and I know he will appreciate your contributions!


December 2, 2007

My Spam analysis for Nov 26 - Dec 2, 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 78% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced this week were numeric links to Storm Trojan infected computers and spam for casinos, finances, lottery scams, phishing scams, and pump and dump stocks. Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results.

My current statistics show that spam is now 69% of all my incoming email, for the week of November 26 through December 2, 2007. This is down 7% from last week (Yippee!). Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for November 26 through December 2, 2007:
Pharmaceutical spam: 13.50%
Male enhancement spam: 19.28%
Elite Herbal Spam: 18.18%
RX Spam: 7.99%
Counterfeit Watches spam: 2.75%
Pirated software spam: 7.16%
Canadian Pharmacy spam: Merged into Pharmaceutical filters
Unclassified One word subjects: Too small to measure
Known Spam Subjects: 3.86%
Viagra and Viagra.com: 2.76%
Other filters: 24.52%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.


December 1, 2007

Spybot Search & Destroy Malware Definitions Updated on November 28, 2007

If you use the famed, freeware, anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of its name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4 and 1.5. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

Additions made on 11/28/2007

Hijacker
+ IESearchToolbarHelper.vbs

Keylogger
+ Perfect Keylogger

Malware
+ Awola.Anti-Spyware
+ BPS Spyware Cops
+ BPS Spyware Remover
+ BPS SpywareStriker
+ BPS.SpywareZapper
+ IEDefender
+ SecureMyPC
+ SpyLax
+ SpyStriker
+ SpyViper
+ SpywareAnnihilatorPro
+ TrustCleaner
+ Vcodec.eMedia
+ WiperWizard

PUPS (Possibly Unpopular Software)
+ Maxion.MaxnetShield

Security
+ Microsoft.Windows.RedirectedHosts

Trojan
+ Bancos.Qhost.tu
+ DropAgent.rtk
+ FakeMSUpdate.ede
+ Smitfraud-C.MSVPS
+ Virtumonde.ddc
+ Zlob.Downloader
+ Zlob.Downloader.iec
+ Zlob.Downloader.oid
+ Zlob.Downloader.vcd
+ Zlob.Downloader.vdt
+ Zlob.VideoActiveXObject

Total: 512562 fingerprints in 109474 rules for 3428 products.

Spybot Search & Destroy version 1.5x is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. In the "System Properties" dialog select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (this takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

As you can see from the long list of new detections this has grown into a major piece of work for the author and he could sure use some financial assistance to cover the huge amount of time it takes to update these definitions. There is a donation button on this page and I know he will appreciate your contributions!


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.

Follow @Wizcrafts on Twitter, where I post short updates on security issues, spam trends and things that just eat at my craw.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.