January 30, 2008

Spybot Search & Destroy Malware Definitions Updated on January 30, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed by name in the detections below, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of the name. These programs are dangerous to your computer and/or your personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on Jan 30, 2008: (and false positive removals)

Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax

Malware
+ AdwareAlert
+ Win32.Renos

Trojans (3 new Zlob variants)
+ Smitfraud-C.MSVPS
+ Win32.Agent.hjo
++ Win32.Delf.uv
+ Win32.Delf.zq
++ Win32.SDBot.BHLK
++ Win32.Small.BB
+ Zlob.Downloader.dcc
+ Zlob.Downloader.vdt
+ Zlob.Downloader.xot

Total: 524620 fingerprints in 113219 rules for 3578 products.

Spybot Search & Destroy version 1.5x is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your hidden System Restore folder, from where they are automatically restored when the computer reboots. To completely remove these threats, and others, you should disable System Restore, reboot, clean all threats, then turn System Restore back on and set a new Restore Point on the clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any, security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. In the "System Properties" dialog select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (this takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file (or files) due to a faulty detection update (a.k.a. a false positive), you can restore it from the program itself. Just click on the "Recovery" button, which looks like a first aid kit with a red cross on it, then locate the item(s) you wish to restore. Click on the select box(es) to the left of the detection name(s) to place a check mark in them, then click on "Recover selected items." The files and/or registry entries will be put back where they were deleted from. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering whether it "plays nice" with other anti-spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers', computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.


January 28, 2008

Russian & Exploited Servers Blocklist is now two blocklists

Prelude:
For the last couple of years I have been compiling and publishing lists of IP addresses belonging to ISPs and commercially hosted web servers in various parts of the world, from which unwanted spam, scams and server hacking attempts emanate. These lists are compiled in a format that is recognized by Apache web servers: "deny from <IP address>" directives (rules) placed inside a <Files *> container. They include both individual IP addresses and ranges of IPs belonging to web hosts, server farms and ISPs, each range written in CIDR notation. When a group of these blocked IP addresses and CIDR ranges is compiled into a file it becomes a "blocklist," sometimes mislabeled as a "blacklist."

My blocklists can be used in at least two different Apache server configuration files: "httpd.conf" (requires server root access, as on dedicated servers) and ".htaccess" (used on shared hosting accounts). My blocklists are all used in private .htaccess files that go into the web root (e.g. public_html), or into individual folders, on an Apache hosted web site. If your web host allows .htaccess overrides on individual websites you can use any of my blocklists. Instructions are found on each page, in comments like this:

# Here is a sample comment as used in a .htaccess file.
# The # sign causes Apache to ignore the rest of this line
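As an added illustration (my own example code, not part of the original post or of the blocklist files themselves), here is a small Python parser for the "deny from" format described above. It reads a constructed .htaccess fragment, turns each denied address, partial address or CIDR range into an ipaddress network, and checks whether a given client IP would be refused. The addresses used are documentation and private ranges chosen for the example, not entries from any real blocklist.

```python
import ipaddress

# Constructed .htaccess fragment in the format the post describes: an Apache
# <Files *> container holding "deny from" rules, with comment lines that
# Apache ignores. The addresses are documentation/private ranges chosen for
# this example, not entries from any real blocklist.
SAMPLE_HTACCESS = """\
# Sample blocklist fragment (constructed for this example)
# The # sign causes Apache to ignore the rest of this line
<Files *>
order allow,deny
allow from all
# a CIDR range (documentation block)
deny from 192.0.2.0/24
# a single IP address
deny from 198.51.100.77
# a partial address, which Apache reads as the whole 10.1.0.0/16 block
deny from 10.1
# another CIDR range
deny from 203.0.113.128/25
</Files>
"""


def to_network(token):
    """Convert one 'deny from' argument into an ip_network.

    Handles full CIDR notation, a single address (treated as a /32 host)
    and Apache's partial dotted form ("10.1" means 10.1.0.0/16).
    """
    token = token.rstrip(".")
    if "/" in token or ":" in token:
        return ipaddress.ip_network(token, strict=False)
    octets = token.split(".")
    if len(octets) == 4:
        return ipaddress.ip_network(token)        # single host, /32
    if not 1 <= len(octets) <= 3:
        raise ValueError(f"unrecognised address form: {token!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)


def parse_deny_rules(text):
    """Return the list of networks named by 'deny from' lines in text.

    Lines beginning with '#' are comments; everything that is not a
    'deny from' directive (the <Files> container, order/allow lines) is
    skipped. A directive may carry several addresses, as Apache permits.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "deny" and parts[1].lower() == "from":
            rules.extend(to_network(tok) for tok in parts[2:])
    return rules


def is_denied(client_ip, rules):
    """True if client_ip falls inside any denied network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in rules)


def summarize(rules):
    """Count single-host entries versus ranges and the addresses covered."""
    singles = sum(1 for net in rules if net.num_addresses == 1)
    return {
        "singles": singles,
        "ranges": len(rules) - singles,
        "addresses": sum(net.num_addresses for net in rules),
    }


if __name__ == "__main__":
    deny = parse_deny_rules(SAMPLE_HTACCESS)
    print(summarize(deny))
    for probe in ("192.0.2.200", "10.1.200.3", "203.0.113.5", "198.51.100.78"):
        print(probe, "denied" if is_denied(probe, deny) else "allowed")
```

The summarize() call is handy before publishing a list: a single partial address such as "10.1" silently covers 65,536 hosts, which is the kind of over-blocking you want to spot in review rather than learn about from locked-out visitors.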

The Changes:
I can see from reading my Change Detection reports that a lot of webmasters are using my .htaccess blocklists. Those of you who are using my Russia and Exploited Servers Blocklist need to be aware that it has just been split into two new files. One deals just with ISPs and servers located in the former Soviet Union and Turkey, while the other deals with exploited servers owned by various web hosts, co-location server farms and data centers in various countries (especially here in the good old USA!). The descriptions of these two blocklists are as follows...

The New Files:
The new Russian Blocklist is now located at www.wizcrafts.net/russian-blocklist.html and it contains IP addresses and CIDR ranges traced to Russia, the Ukraine, Bulgaria, Romania, Estonia, Latvia and Turkey. I included Turkey in this blocklist because I get tons of spam coming through various ISPs in that country (e.g. Turk Telecom), plus numerous server redirection exploit attempts. Basically, the Russian Blocklist is comprised of ISPs, with some web hosting companies thrown in, which are located in Russia or these other Eastern Bloc countries. Most of the traffic I see from these folks is blog, access log and email spam, with the occasional server exploit attempt against my website. New IP addresses and CIDR ranges are added to this blocklist as I analyze spam sources, or trace log/blog spam attempts (all unsuccessful due to my security measures and filters) to countries covered by this file.

The new Exploited Servers Blocklist is located at www.wizcrafts.net/exploited-servers-blocklist.html and contains long "deny from" lists of various types of web hosting and dedicated server companies that are running, have run, or might try to run hostile code against my web site, or spam my access logs, or bypass my security measures, or try to steal my traffic via proxy services. All of these things are hostile actions and are conducted by criminals and criminal organizations. This blocklist is growing rapidly as I see and trace exploit attempts against my server.

Conclusion:
If you have been using my previous file - russia+exploited-server-blocklist.html - please change your bookmarks to point to one or both of the new files that have replaced it. Here is a list of my current .htaccess blocklists, as of this posting:

Exploited Servers Blocklist | Russian Blocklist | Nigerian Blocklist | Chinese-Korean Blocklist


January 27, 2008

My Spam analysis for the 4th week of January, 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti-spam tool MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, which includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again (no surprise here). All of them have links to websites hosted in China, where the counterfeit drugs are produced, or Korea. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit, or contaminated medicine?

The Storm Botnet is actively spamming emails proclaiming love messages, getting an early start on the upcoming Valentine's Day greetings season. They all contain a short "love" message and (numeric) links to Storm Trojan infected computers. People who are tricked into clicking on those links will in all likelihood have their PCs drafted into the Storm Botnet. If past history tells us anything it is that the links will not always be numeric, for Storm Trojan spam messages. Just beware of any short email from unknown (or even known) senders, containing a brief (usually one line) message, with just a link that is either numeric, or has a word related to "love" or "Valentine" in the link.

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special filter rule that, when matched, assigns the status "BlackList" to those spam messages. Because my blacklist rule is processed first, a lot of spam is caught there and never reaches the other category filters. This saves the processing power that my custom filters would otherwise have to spend on those messages.

My current statistics show that spam is now 60% of all my incoming email, for the week of January 21 through 27, 2008. This is up 13% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for January 21, through 27, 2008.
MailWasher Pro by Firetrust
Blacklisted (by pattern matching): 37.5%
Male enhancement spam: 12.92%
Viagra and Viagra.com: 8.33%
Pharmaceutical spam: 3.33%
Other filters: 20.83%
RX Spam: 4.58%
Pirated software spam: 2.92%
Storm Trojan links: 0% (3)
Counterfeit Watches spam: 3.33%
Diploma spam: 2.92%
HTML Tricks: 2.50%
DNS Blacklists: 0.83%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, beginning this week, I have begun blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working.
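To make the rule-ordering point concrete, here is an added Python example of my own; it is not MailWasher Pro code and does not use its filter syntax, and the rule names, patterns, sender addresses and messages are all constructed for the illustration. An ordered table of named rules is applied to each message and the first match wins, with the sender-pattern BlackList rule placed first so that messages it catches never reach the costlier content rules. The breakdown function then produces the kind of per-category percentages shown in the table above.

```python
import re
from collections import Counter

# Constructed sample messages (sender, subject, body); every address and
# link here is made up for this example and matches no real host.
SAMPLE_MESSAGES = [
    ("news-8831@example.net", "Re: your order", "Cheap meds, Viagra and more"),
    ("promo-1022@example.net", "Enlargement guaranteed", "male enhancement pills"),
    ("friend@example.org", "love", "http://192.0.2.44/"),
    ("alice@example.com", "Lunch on Thursday?", "Are you free at noon?"),
    ("watches@example.biz", "Replica Rolex", "counterfeit watches cheap"),
    ("promo-7741@example.net", "Hello", "Weight loss capsules"),
]

# Ordered rule table: (category name, compiled pattern, field it inspects).
# Order matters: the BlackList rule on forged sender patterns comes first,
# so anything it catches is never examined by the content rules below it.
RULES = [
    ("BlackList", re.compile(r"^(news|promo)-\d+@", re.I), "sender"),
    # a one-line body that is nothing but a numeric-IP link
    ("Storm Trojan links", re.compile(r"^https?://\d{1,3}(\.\d{1,3}){3}/?\s*$", re.I), "body"),
    ("Viagra", re.compile(r"\bviagra\b", re.I), "body"),
    ("Male enhancement", re.compile(r"\benhancement\b", re.I), "body"),
    ("Counterfeit watches", re.compile(r"\b(replica|counterfeit)\b.*\b(watch|rolex)", re.I), "body"),
]


def classify(sender, subject, body):
    """Return the category of the first matching rule, or None if clean."""
    fields = {"sender": sender, "subject": subject, "body": body}
    for category, pattern, field in RULES:
        if pattern.search(fields[field]):
            return category
    return None


def breakdown(messages):
    """Tally categories and express each as a percentage of the spam caught."""
    counts = Counter(classify(*msg) or "Clean" for msg in messages)
    spam = sum(n for cat, n in counts.items() if cat != "Clean")
    categories = {}
    if spam:                      # avoid dividing by zero on a clean mailbox
        categories = {cat: round(100.0 * n / spam, 2)
                      for cat, n in counts.items() if cat != "Clean"}
    return {
        "total": len(messages),
        "spam": spam,
        "spam_share": round(100.0 * spam / len(messages), 2) if messages else 0.0,
        "categories": categories,
    }


if __name__ == "__main__":
    report = breakdown(SAMPLE_MESSAGES)
    print(f"spam share: {report['spam_share']}% of {report['total']} messages")
    for category, pct in sorted(report["categories"].items(), key=lambda kv: -kv[1]):
        print(f"{category}: {pct}%")
```

Note that the second sample message would also match the "Male enhancement" content rule, but because its forged sender pattern is caught by the BlackList rule first it is counted there instead, which is exactly why the blacklisted category grows at the expense of the individual classifications as the sender patterns improve.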

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 3% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Try Firetrust Mailwasher® Pro

January 23, 2008

Spybot Search & Destroy Malware Definitions Updated on January 23, 2008

If you use the famed freeware anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed by name in the detections below, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of the name. These programs are dangerous to your computer and/or your personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

Additions made on Jan 23, 2008 (and false positive removals)


Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax
+ NiceSpy.Keylogger
+ NiceSpy.XPKeylogger

Malware
+ Fraud.XPAntivirus
+ Safestrip
+ VirusProtect
+ Win32.Renos


Spyware
+ WebWatcher

Trojans (4 new Zlob variants)
+ Hupigon
+ Smitfraud-C.MSVPS
+ Win32.Agent.bkd
+ Win32.Alphabet.ap (670)
+ Win32.Autorun (10)
+ Win32.Bagle.hi (2)
+ Win32.Small.hk
+ Win32.VB.ke
+ Zlob.Downloader.dcc
+ Zlob.Downloader.oid
+ Zlob.Downloader.vdt
+ Zlob.Downloader.xot

Total: 522840 fingerprints in 112714 rules for 3569 products.

Spybot Search & Destroy version 1.5x is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your hidden System Restore folder, from where they are automatically restored when the computer reboots. To completely remove these threats, and others, you should disable System Restore, reboot, clean all threats, then turn System Restore back on and set a new Restore Point on the clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any, security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. In the "System Properties" dialog select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (this takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file (or files) due to a faulty detection update (a.k.a. a false positive), you can restore it from the program itself. Just click on the "Recovery" button, which looks like a first aid kit with a red cross on it, then locate the item(s) you wish to restore. Click on the select box(es) to the left of the detection name(s) to place a check mark in them, then click on "Recover selected items." The files and/or registry entries will be put back where they were deleted from. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering whether it "plays nice" with other anti-spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers', computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.


January 20, 2008

My Spam analysis for the 3rd week of January, 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti-spam tool MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, which includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again (no surprise here). All of them have links to websites hosted in China, where the counterfeit drugs are produced, or Korea. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit, or contaminated medicine?

The Storm Botnet is actively spamming emails proclaiming love messages, getting an early start on the upcoming Valentine's Day greetings season. They all contain a short "love" message and (numeric) links to Storm Trojan infected computers. People who are tricked into clicking on those links will in all likelihood have their PCs drafted into the Storm Botnet. If past history tells us anything it is that the links will not always be numeric, for Storm Trojan spam messages. Just beware of any short email from unknown (or even known) senders, containing a brief (usually one line) message, with just a link that is either numeric, or has a word related to "love" or "Valentine" in the link.

Noticeably reduced, again, this week, were spam for diplomas (0), refinancing (0), lottery scams (0), phishing scams (0), and pump and dump stocks (0). Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results.

My current statistics show that spam is now 47% of all my incoming email, for the week of January 14 through 20, 2008. This is down 4% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for January 14, through 20, 2008.
MailWasher Pro by Firetrust
Blacklisted (by pattern matching): 20.71%
Male enhancement spam: 33.73%
Viagra and Viagra.com: 1.78%
Pharmaceutical spam: 13.01%
Other filters: 14.20%
RX Spam: 2.37%
Storm Trojan links: 3.55%
5 line spam: 4.73%
Counterfeit Watches spam: 2.96%
DNS Blacklists: 2.37%
Bayesian learning filter: 0.59%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, beginning this week, I have begun blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 3% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Try Firetrust Mailwasher® Pro

January 18, 2008

Spybot Search & Destroy Malware Definitions Updated on January 16, 2008

If you use the famed freeware anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed by name in the detections below, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of the name. These programs are dangerous to your computer and/or your personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4 and 1.5. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

Additions made on Jan 16, 2008 (and false positive removals)

Malware
+ LocusSoftware.PCPrivacyTool
++ MalwareCrush
+ Vario.AntiVirus


Spyware
++ Dozorce.Spy
+ eZula HotText **See my note in the extended comments


Trojans (Including banking password-stealing trojans)
+ Ardamax
++ Backdoor.Nok-Nok
+ Smitfraud-C.MSVPS
+ Virtumonde
++ Win32.Agent.oc
++ Win32.Agent.p
+ Win32.Agent.qt
+ Win32.Banker.anv
++ Win32.Banker.BCN
++ Win32.Banker.ekn
++ Win32.Banker.gen
++ Win32.IRCBot.chz
+ Win32.VB
+ Zlob.Downloader.vdt
++ Zlob.Downloader.wot
+ Zlob.VideoActiveXObject

Total: 520902 fingerprints in 112350 rules for 3580 products.

** About eZula HotText. This is an old adware/spyware infection, also called TopText, which is installed on your computer without your direct knowledge. It parses the web pages you are reading for keywords that have been purchased by its advertising partners. It then draws dark yellow lines under those words and turns them into clickable hyperlinks. If you click on the underlined words, ads will open in pop-up or pop-over windows, with items for sale matching the underlined keywords. This adware resides on your computer as an infection, having been bundled with some other program you, or your kids, installed (typically a file sharing program). HotText is different from the prolific IntelliTxt underlined ad words used by Vibrant Media, which display small detail boxes on web pages when you mouse over them. Those are not infections at all, just JavaScript-driven advertising, using the same keyword matching techniques pioneered by eZula. If you use a browser add-on that disables JavaScript, allowing overrides as needed, the HotText and IntelliTxt ad links will disappear. NoScript is a Firefox add-on that does just that. Unfortunately, there is no equivalent add-on yet for Internet Explorer.

Spybot Search & Destroy version 1.5x is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your hidden System Restore folder, from where they are automatically restored when the computer reboots. To completely remove these threats, and others, you should disable System Restore, reboot, clean all threats, then turn System Restore back on and set a new Restore Point on the clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any, security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. In the "System Properties" dialog select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (this takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file (or files) due to a faulty detection update (a.k.a. a false positive), you can restore it from the program itself. Just click on the "Recovery" button, which looks like a first aid kit with a red cross on it, then locate the item(s) you wish to restore. Click on the select box(es) to the left of the detection name(s) to place a check mark in them, then click on "Recover selected items." The files and/or registry entries will be put back where they were deleted from. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

As you can see from the long list of new detections this has grown into a major piece of work for the author and he could sure use some financial assistance to cover the huge amount of time it takes to update these definitions. There is a donation button on this page and I know he will appreciate your contributions!


January 16, 2008

10 steps Windows PC owners can take to secure their computers

In Today's World the Internet is no longer a safe place for Windows PC users (not that it ever was). Criminals are exploiting vulnerabilities in web sites, web servers, email, browsers, and unsecured, or under-secured Windows OS computers.

Some of the current exploits making the rounds are using JavaScript functions to install malware onto vulnerable Windows based PCs. Some of these exploits are being secretly installed into the operating system of web servers, thus causing the exploit code to appear on every web site hosted on that server (a horrible situation). The individual web site customers are at the mercy of their hosting company to detect and repair the rootkit infection that adds the exploit codes to every home page on that server. Web hosts are usually informed about such exploits in the wild, that target their operating systems and they usually apply the necessary patches and re-compile the Apache Kernel, or Windows Server OS, as soon as possible.

Another related attack vector comes from individual web sites, if they are using insecure scripts, for which various hackers are searching. Hackers send bots to probe every website they can find, following links in search results, and on websites they have already visited. The bots are programmed to attempt to run various types of exploits against that website. The exploit attempts I see most often involve trying to exploit PHP scripts, or web pages, to perform http redirects to hostile scripts, hosted on other servers. A website owner who is not fully up to speed about security issues may install a vulnerable script, or copy insecure code from an open source project, only to have his website used as a redirector to hostile codes.

Finally, there are JavaScript exploits being used on the web pages hosted unknowingly, on Windows computers that have been taken over by the Storm Trojan. When people are enticed to visit those web pages the JavaScript routines will attempt to download and run hostile code against them, which if successful will add their computer to this ever-growing BotNet. See my recent blog post about the Storm Botnet, or search my blog for the phrase "Storm Trojan."

Here are 10 steps that PC users can take to protect their computers from all JavaScript exploits.


  1. Apply all available Windows/Microsoft Updates, including Office product patches. This is a MUST DO.

  2. If you have not updated your copy of Internet Explorer to version 7, do so now, then use Windows Updates to apply all released patches for it. IE 7 has built-in security features that simply cannot be applied to previous versions of that browser.

  3. Set your Internet Explorer security level to medium high, or high. This will cause prompts to appear when scripts are asking for permission to run, which will be on almost every website you visit. This will drive you crazy, but at least give you a fighting chance.

  4. Turn on the anti-phishing filter in IE 7.

  5. To avoid the craziness that goes with securing Internet "Exploder," download and install the latest version of the Firefox browser, make it your default browser for browsing the Internet. Firefox does not run ActiveX controls at all and does not allow stealth downloads or installs. Every add-on or download must be manually approved. Set the options in Firefox to automatically check for updates to both the browser and any add-ons you've installed.

  6. Install the No-Script add-on for Firefox, which blocks all known JavaScript and iFrame exploits, if you configure it properly. No-Script blocks JavaScript functions on websites, by default, but allows you to override it selectively, for sites you trust.

  7. If you are uncommitted regarding an Internet Security product, try Trend Micro PC-cillin Internet Security 2008. It has resident shields that will intercept hostile scripts embedded in web pages, before they are downloaded to your browser. It also removes viruses, rootkits and spyware.

  8. If you are currently operating as the Computer Administrator you should consider reducing your exposure to malware by changing to a Limited User account. This is not a trivial matter, but offers tremendous protection against accidental infections. I have also posted an article on my blog explaining how running with reduced privileges can protect you online.

  9. If you are on broadband Internet make sure that you have a NAT (Network Address Translation) router between the modem and your computer. NAT routers hide your computers from incoming TCP/IP and UDP probes by malicious scripts and infected computers. Some modems have built-in NAT router sections, but some don't. A straight connection from a broadband modem to a PC can make it vulnerable to scripted attacks aimed at your TCP ports. A software firewall is a must for PC owners. Windows XP contains a built-in one way (incoming) firewall, while Vista has a two way firewall (in and out).

  10. Scan for acquired malware threats often, using up-to-date applications and definitions.

By applying these 10 steps you will have secured your PC as much as possible, while still allowing it to function on the Internet. The advice about running with reduced user privileges has been officially applied by Microsoft, to their Windows Vista operating system. Vista users normally operate with reduced privileges, unless administrator overrides are required to install, or uninstall a program or driver. It is still up to the user to determine if this is safe or not.

In the end, it is always up to the computer owner to decide what level of security they can tolerate, and what programs or add-ons they will allow to be installed onto their computers. If the user is duped by a cleverly worded spam email message, into clicking on a hostile link, no security warnings known to man will prevent them from installing what might turn out to be a Trojan horse application. It happens every day! Be vigilant and practice safe Hex!


January 15, 2008

Beware of spammed emails with subjects like 'In Your Arms'

With Valentine's Day a full month away, the Storm BotNet is becoming active again, after a very brief nap. In what appears to be an early head start on a run of infected Valentine's Day greetings, tonight I received a message with the subject "In Your Arms," with but one line of body text, consisting of this:

I Love You Because http://68.52.93.---/

where the dashes represent numbers I removed, that are the IP address of a Comcast Cable Internet customer, who is unknowingly hosting the Storm Trojan on his or her computer. The spam was sent by another Storm Trojan infected computer, in Brazil. Both of these computers are in far-removed countries, yet they are zombie members of the same Storm BotNet, with a membership estimated to be in the hundreds of thousands, if not millions.

If you get a spam message similar to this one delete it immediately. Do not become curious George and click on the link. The World already has too many Storm Trojan infected computers. Instead of finding a message of love, behind the big heart graphic on the host machine, you will find that you have been deceived by criminals, in the Baltic regions, who do not love you at all, and do not have your best interests in their hearts. You will have downloaded a file named "with_love.exe" (or a variation thereof), which is the Storm Trojan itself. Storm Trojan computers are used for illegal activities, like spamming, scamming, hosting Trojan files and phishing/identity theft web pages and for launching denial of service attacks. That is the love that awaits victims of these scams.

All of the victims clicked on links sent from other infected computers which were programmed to send spam messages, with those links (mostly numeric, but not always). All of the infections occurred when, after clicking on the spammed links, they arrived at the web page with the Trojan file, where they were either infected by a JavaScript activated stealth download, or by clicking on a visible download link. And, in case you were wondering how anybody could be so stupid, they clicked on the visible links like they were going out of style! Why? Because they were already duped into thinking that a greeting card, or love letter awaited them and if they had to click again to actually see it, what harm could that be? Unless those computers were being run with limited user privileges, they were instantly infected, and became members of the ever-growing legions of the Storm BotNet. Within hours or days their computers were also sending out thousands of similar spam email messages and were being used to host the same web page, with the same infection routines.

Are you already infected with the Storm Trojan? There are several ways to find out. One is to read my blog article about detecting a Storm Trojan infection, which I wrote on December 28, 2007.

If you have anti-virus and anti-spyware programs on your PC, update them to the latest versions and definitions, then reboot into Windows Safe Mode, login as the Administrator, then run scans with everything you've got. Be sure you disable System Restore if any major malware items are found, then disinfect, or you will become re-infected when you reboot.

If you don't have any security protection installed, or what you do have is outdated, you can run a free, reliable online spyware and virus scan with the Kaspersky Online Scanner. Kaspersky Labs produce some of the best anti-virus and anti-spyware programs in the world. They aren't free, but they are reasonable, for the large amount of daily updates registered owners receive and the accuracy of their detections. Using their free online scanner requires that you first download the complete detection database (takes a while), before choosing a system area to scan. Subsequent visits to the service only require small updates to the database, which happen much faster.

I was scanning with the Kaspersky Online Scanner in Internet Explorer, as I typed this in Firefox, and it didn't put any additional load on my system. The scan was quite thorough. The scanning sequence I chose and recommend is this: 1st test; memory. 2nd test; critical system areas, and 3rd test, email databases. If you want to scan selected files or folders there are links to choose the ones you want. There is also a link to scan your entire computer, which will probably take a long time, so only use this if you aren't in any hurry for the results (overnight?).


January 13, 2008

My Spam analysis for the 2nd week of January, 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 80% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced, again, this week, were spam for diplomas (3), refinancing (0), lottery scams (0), phishing scams (0), and pump and dump stocks (0). Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results.

My current statistics show that spam is now 51% of all my incoming email, for the week of January 7, through 13, 2008. This is down 9% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for January 7, through 13, 2008.
MailWasher Pro by Firetrust
Blacklisted (by pattern matching): 32.21%
Male enhancement spam: 28.86%
Viagra and Viagra.com: 8.07%
Pharmaceutical spam: 8.06%
Other filters: 12.07%
Pirated software spam: 2.68%
Postcard Trojan scams: 0%
5 line spam: 4.03%
Pills spam: 2.01%
Diploma spam: 2.01%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, beginning this week, I have begun blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters; due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.
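The rule-based filtering these spam reports describe (uniquely named rules so each detection can be counted per category, a pattern-matched blacklist of forged senders that is checked first, and a per-category percentage breakdown), together with the numeric-IP greeting-card lure from the January 15 Storm Trojan post, as an added Python example. This is not code from this blog or from MailWasher Pro; the message contents, rule names and patterns are all constructed for illustration.

```python
import re
from collections import Counter

# Each rule has a unique name so detections can be counted per category.
# Rules are tested in order; the first match wins. The sender blacklist
# comes first so it absorbs messages that would also match a content rule,
# which is how the "Blacklisted" category above rises past the others.
# All patterns are constructed for this example.
RULES = [
    # forged sender pattern: a run of letters followed by digits before the @
    ("Blacklisted sender pattern", "from",
     re.compile(r"^[a-z]{6,12}\d{2,4}@", re.I)),
    # greeting-card lure whose link host is a bare IPv4 address, not a name
    ("Numeric-IP link lure", "body",
     re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/", re.I)),
    ("Male enhancement spam", "subject",
     re.compile(r"\b(?:enlargement|enhancement|manhood)\b", re.I)),
    ("Viagra spam", "any", re.compile(r"viagra|cialis", re.I)),
    ("Pharmaceutical spam", "any",
     re.compile(r"\b(?:pharmacy|prescription|rx)\b", re.I)),
    ("Pirated software spam", "subject",
     re.compile(r"\b(?:oem|software)\b.*\$", re.I)),
    ("Diploma spam", "subject", re.compile(r"\b(?:diploma|degree)\b", re.I)),
]


def classify(msg):
    """Return the name of the first matching rule, or None if no rule matches (ham)."""
    for name, where, pattern in RULES:
        text = "\n".join(msg.values()) if where == "any" else msg.get(where, "")
        if pattern.search(text):
            return name
    return None


def breakdown(messages):
    """Return (spam as % of all mail, {rule name: % of spam}), rounded to
    two places the way a statistics pie chart would present them."""
    hits = Counter(h for h in map(classify, messages) if h is not None)
    spam = sum(hits.values())
    spam_pct = round(100.0 * spam / len(messages), 2) if messages else 0.0
    shares = {name: round(100.0 * n / spam, 2) for name, n in hits.items()}
    return spam_pct, shares


# Constructed sample mailbox: two legitimate messages and four spam messages.
SAMPLE = [
    {"from": "alice@example.org", "subject": "Lunch on Friday?",
     "body": "Are we still on for 12:30?"},
    {"from": "jkwmxpl42@example.net", "subject": "Your order",
     "body": "Click to confirm your shipment."},
    {"from": "unknown@example.com", "subject": "In Your Arms",
     "body": "I Love You Because http://192.0.2.10/"},
    {"from": "shop@example.com", "subject": "Cheap VIAGRA online",
     "body": "Lowest prices this week."},
    {"from": "news@example.com", "subject": "Get your diploma today",
     "body": "No classes required."},
    {"from": "bob@example.org", "subject": "Re: report", "body": "Attached."},
]

if __name__ == "__main__":
    spam_pct, shares = breakdown(SAMPLE)
    print(f"Spam: {spam_pct}% of all mail")
    for name, share in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"{name}: {share}%")
```

Percentages are of spam, not of all mail, which is how the category list above reads; the overall spam share is reported separately, like the 51% figure in the post.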

Try Firetrust Mailwasher® Pro

Hackers exploit vulnerability in 2Wire modems to steal Mexican bank accounts

In a recent security alert, found on several high profile security websites, it has been revealed that hackers, in parts unknown, are exploiting vulnerabilities in certain models of the 2Wire brand of DSL modems, to steal bank accounts - in Mexico. These modems are also in use in the US, so don't get smug about this happening in Mexico only. That is probably a test run by the hackers, before hitting the US based modems.

The modus operandi of this attack begins with a spammed email that is rigged with hidden codes that are embedded in an image tag, plus a link to view a hostile video, where another piece of malware will try to install itself (TROJ_QHOST.FX). People who don't have the targeted modem won't be affected directly by these codes - this time. On the other hand, people who do have these modems and have not created a personal password for the modem's administrator login, will have these hidden codes passed directly to it. The codes will poison the DNS entry for banamex.com, which is the largest bank in Mexico. This DNS poisoning will automatically redirect all requests for banamex.com to a look-alike phishing website, where, when people login to their account, that login information will be added to the database owned by the criminals behind this exploit. These people will have their accounts emptied, unless they realize that they've been duped before the hackers get to their money (not likely).

Because this attack involves poisoning the DNS entries for the bank's website, in the modem itself, even typing banamex.com — which is the legitimate, fully-qualified domain name for this bank — leads to the fraudulent site instead. This is the same type of exploit that occurs when spyware poisons a computer's HOSTS file, to redirect specific requests to a hostile address. This exploit occurs invisibly for users of the affected modems who have not changed the default administrator password, which is null (none set). If they have created a personal password this exploit will fail. About 2 million of the affected modems have been shipped to customers in Mexico, all without an administrator password set. It is up to the recipients to create an administrator password.

This is a known, unpatched exploit, that was first reported on August 17, 2007. It is known as an "xslt Cross-site request forgery" (CSRF) vulnerability, which affects 2wire modem/router models 1701HG, 1800HW, and 2071, with 3.17.5, 3.7.1, and 5.29.51 software. It allows remote attackers to create DNS mappings as administrators, and conduct DNS poisoning attacks, via the NAME and ADDR parameters. That demonstrates the importance of changing the default modem password to one that is not easily guessed. If you have one of these modems and have not already created a strong administrator password, do so as soon as possible!


Background
-------------
This is the most popular router in Mexico and the default installation from the ISP has no system password.

Vulnerability
----------------
It is possible to send a request to the router that will modify its configuration.

It does not validate POST, or Referer or Anything, unless the administrator password has been set by the customer

Exploit
----------------
The client PC sends a request to the router with the configuration changes and they are set instantly.

[examples]

Set a password (NewPassword):
http://192.168.1.254/xslt?PAGE=A05_POST&THISPAGE=A05&NEXTPAGE=A05_POST&ENABLE_PASS=on&PASSWORD=NewPassword&PASSWORD_CONF=NewPassword

Add names to the DNS ( 172.16.32.64 www.example.com):
http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=www.example.com&ADDR=172.16.32.64

Disable Wireless Authentication
http://192.168.1.254/xslt?PAGE=C05_POST&THISPAGE=C05&NEXTPAGE=C05_POST&NAME=encrypt_enabled&VALUE=0

Set Dynamic DNS
http://192.168.1.254/xslt?PAGE=J05_POST&THISPAGE=J05&NEXTPAGE=J05_POST&IP_DYNAMIC=TRUE

Also, disable the Firewall, reset the device, etc.

Solution
----------------
To undo the redirect to this phishing website you must reset your 2wire modem to its factory default state. Warning: This will wipe out all saved rules and your login credentials! Have your DSL user name and password ready to input into the modem, after you reset it, or you will not be able to get back onto the Internet.

If your modem has a small hole, with a reset button on the back, or bottom, insert a paper clip or ballpoint pen into the hole, push it against the recessed button and hold it in for about 2 minutes, with the power on. After two minutes let go of the button, wait about ten seconds, then, unplug the power to the modem for another two minutes. Plug it back in and let it stabilize. You will have to input your login credentials to get logged onto the DSL service. To do so, open your browser and go to this address: http://gateway.2wire.net/ . You can also access the modem/router, if it has no other routers between it and your computer, by typing in: http://192.168.1.254, where you can input your login credentials.

If your modem does not have a reset button you can reset it electronically, by using this method. Open your web browser and type this address into the address/location bar: http://gateway.2wire.net/management or http://192.168.1.254/mdc . On that page you can perform administrator password creation and reset the modem to its default state (under Troubleshooting, click on: RESET TO FACTORY SETTINGS).

After you reset the modem to factory settings and input your login credentials, log back onto the management page and click on "Run Setup Wizard," where you can create a strong administrator password and disable unnecessary features, like remote administration, to prevent this type of exploit from repeating itself.
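How a device's configuration endpoint can be protected against the kind of request forgery the advisory describes, as an added Python example that is not code from 2Wire, from the advisory or from this blog. It models the DNS-mapping change made through the NAME and ADDR parameters as a toy handler in two forms: the unprotected behaviour described above (any request, from any page, is applied when no administrator password is set) and a hardened handler that requires a POST, an authenticated session, a per-session anti-CSRF token and an Origin or Referer header naming the device's own address, so that even a browser already logged into the device cannot be made to apply a change from another site's page. The Request and Router classes, the session and token scheme and the sample addresses are constructed for illustration; only 192.168.1.254, NAME and ADDR are taken from the advisory.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# The device's own LAN address (from the advisory). The hardened handler only
# accepts configuration changes that originate from pages it served itself.
DEVICE_HOST = "192.168.1.254"


@dataclass
class Request:
    """Minimal HTTP request model, constructed for this example."""
    method: str
    path: str
    params: dict                      # query string or form body, already parsed
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class Router:
    """Toy configuration endpoint holding the DNS name table that the
    advisory shows being written through NAME and ADDR."""

    def __init__(self, admin_password=None):
        self.admin_password = admin_password  # None models the factory default
        self.dns_map = {}                     # hostname -> address override
        self.sessions = {}                    # session id -> anti-CSRF token

    def apply_unprotected(self, req):
        """Behaviour the advisory describes: with no password set, a request
        from anywhere is applied regardless of method, Referer or token."""
        if self.admin_password is not None:
            return "password required"
        self.dns_map[req.params["NAME"]] = req.params["ADDR"]
        return "applied"

    def login(self, password):
        """Create a session and its token for a correct administrator password."""
        if self.admin_password is None:
            return None
        if not hmac.compare_digest(password.encode(), self.admin_password.encode()):
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = secrets.token_urlsafe(16)
        return sid

    def csrf_token(self, sid):
        """Token the device embeds in its own configuration form for this session."""
        return self.sessions.get(sid)

    def apply_hardened(self, req):
        """Hardened handler: a logged-in session cannot be ridden by a request
        launched from another site's page."""
        if req.method != "POST":                      # state changes never via GET
            return "rejected: method"
        sid = req.cookies.get("sid")
        if sid not in self.sessions:                  # must be authenticated
            return "rejected: not authenticated"
        token = req.params.get("csrf", "")
        if not hmac.compare_digest(token.encode(), self.sessions[sid].encode()):
            return "rejected: bad token"              # form token must match the session
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if urlsplit(origin).hostname != DEVICE_HOST:  # must come from the device's own pages
            return "rejected: cross-site origin"
        self.dns_map[req.params["NAME"]] = req.params["ADDR"]
        return "applied"
```

The four checks are layered deliberately: the method check stops image tags and plain links from carrying a change, the session check is what setting a password gives you, and the token and origin checks are what a password alone does not give you, since a browser attaches the session cookie to a forged request just as readily as to a legitimate one.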

Sources:
----------------
http://www.securityfocus.com/archive/1/archive/1/476595/100/0/threaded

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4387

http://xforce.iss.net/xforce/xfdb/36044

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4389

http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/


January 11, 2008

End of support for Ad-Aware SE. Upgrade to 2007

Lavasoft, the makers of Ad-Aware, have announced the end of life and support for the free version of Ad-Aware SE Personal. All users of this version are urged to upgrade to Ad-Aware 2007 Free Edition. Otherwise, if you are still using Ad-Aware SE and check for updates, you will see this message: "No updated components available."

From Lavasoft's Ad-Aware SE Forum:
Ad-Aware SE will be expiring Dec 31, 2007. If you haven't updated your version to Ad-Aware 2007 please do that now.

Lavasoft has made many improvements over SE, in the new version of Ad-Aware, which will allow it to better deal with the newer threats that are emerging from the dark side of the Force. The criminals behind the malware programs are not standing still, so security programs must be improved to deal with new threat techniques.

Main features of Ad-Aware 2007 Free Edition:


  • Free manual updates (you must initiate the check for updates)

  • On-demand manual scans detect and remove Trojans, worms, spyware, and other malicious programs

  • Full-Feature Quarantine

  • Repairs damage left by malware

  • Prevents Browser Hijacking

  • Internet surfing tracks erased with TrackSweep, on multiple browsers, including Internet Explorer, Firefox, and Opera, with one click.

  • Incremental updates for faster downloads

  • Efficient computer resource footprint

  • Free software updates throughout license/version duration

  • Free support from a worldwide security volunteer network, at the Lavasoft Support Forums.

  • Advanced Code Sequence Identification (CSI) Technology - Ensure your privacy protection with precise detection of embedded malware including Trojans, worms, spyware, and other forms of deceptive malware.

  • Advanced Engine Structure - Benefit from superior program flexibility and more accurate scanning methods with all-new program architecture.

  • Creates System Restore Point - Easily revert to your clean system to recover from a spyware attack.

  • New Straightforward User Interface

  • Operating Systems supported:
    Windows Vista (32-bit), Windows XP (Home and Pro), Windows Server 2003, Windows 2000 (Pro and Server)

  • Web Browsers supported:
    Internet Explorer (version 5.5 or higher), Firefox (version 1.5 or higher), Opera (version 9 or higher)


For a limited time, Lavasoft is providing manual downloads of definition updates for Ad-Aware SE, at this URL: http://www.lavasoft.com/support/securitycenter/blog/?cat=2 - where you can download the updates as a zip file, from http://download.lavasoft.com/public/defs.zip and install them as follows:

Close Ad-Aware SE, if it is open. Unzip the file which you have downloaded (defs.zip) to extract defs.ref and copy defs.ref to the directory where you have Ad-Aware SE installed, which is typically in "C:\Program Files\Lavasoft\Ad-Aware SE Personal" - overwriting the existing defs.ref.

If you use Winzip you can right click on the downloaded zip file and drag it into the Lavasoft Ad-Aware SE Personal folder, then left click on 'Extract to here'. Or, open the downloaded file with Winzip, click the "Extract" button, then navigate the folder tree to your Ad-Aware installation location and overwrite the existing "defs.ref" file. The date of the new defs will be shown in the Winzip window.

Open Ad-Aware and check to see if the new definition date and number is listed.


January 10, 2008

Spybot Search & Destroy Malware Definitions Updated on January 9, 2008

If you use the famed, freeware, anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parenthesis or a double ++ in front of its name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4 and 1.5. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

Additions made on Jan 2 and 9, 2008 (and false positive removals)


Keyloggers
+ Ardamax

Malware
+ AntiSpywareBOT
++ Clickspring.OuterInfo
+ Nous-Tech.UCleaner
+ Win32.BHO.je
+ WinXDefender

Trojan
+ Fotomoto
+ MalwareAlarm
+ Search2Find
+ Smitfraud-C.MSVPS
++ Virtumonde
+ Win32.Agent.gs
+ Win32.Agent.gvu
+ Win32.Banker.anv
+ Win32.Delf.bvz
+ Win32.Delf.xo
++ Win32.Qhost.abh
+ Win32.ProAgent.21
++ Win32.Small.ih
++ Win32.Sohanad.as
+ Win32.Tiny.abk
+ Zlob.Downloader
+ Zlob.Downloader.oid
+ Zlob.Downloader.ol
+ Zlock.uc

Total: 523901 fingerprints in 113066 rules for 3559 products.

Spybot Search & Destroy version 1.5x is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file (or files) due to a faulty detection update (a.k.a. False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

As you can see from the long list of new detections this has grown into a major piece of work for the author and he could sure use some financial assistance to cover the huge amount of time it takes to update these definitions. There is a donation button on this page and I know he will appreciate your contributions!


January 6, 2008

My Spam analysis for the 1st week of January, 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 90% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced, again, this week, were spam for financing (0), lottery scams (0), phishing scams (0), and pump and dump stocks (0). Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results.

My current statistics show that spam is now 60% of all my incoming email, for the week of December 31, 2007, through January 6, 2008. This is down 4% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the world, all with forged sender names, confirming that this is a world-wide Spam-demic.

MailWasher Pro spam category breakdown for December 31, 2007, through January 6, 2008.
Male enhancement spam: 40.83%
Blacklisted (by pattern matching): 26.04%
Viagra and Viagra.com: 9.47%
Other filters: 5.92%
RX Spam: 3.55%
Pirated software spam: 3.55%
Elite Herbal Spam: 2.37%
Postcard Trojan scams: 2.37%
5 line spam: 1.78%
HGH filter: 1.78%
Quit Smoking patches: 1.18%
DNS Blacklists: 1.18%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, beginning this week, I have begun blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.
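To make the mechanism described above concrete, here is an added example (not MailWasher Pro's filter syntax and not the author's own rules) of named first-match rules, a pattern-matching blacklist for forged senders, and a DNS-blacklist fallback combined to produce the kind of category breakdown shown in the statistics window; the rule patterns, relay addresses and the week of sample mail are all constructed.

```python
import re
from collections import Counter

# Named rules, first match wins; each name is a pie-chart category (patterns are constructed).
RULES = [
    ("Male enhancement spam", re.compile(r"enlarge|enhancement|inches", re.I)),
    ("Viagra and Viagra.com", re.compile(r"v[i1]agra", re.I)),
    ("RX Spam", re.compile(r"\b(rx|prescription|pharmacy)\b", re.I)),
    ("Postcard Trojan scams", re.compile(r"you('ve| have) received a postcard", re.I)),
]
# Forged-sender pattern (constructed): letters followed by 3+ digits before the @.
BLACKLIST_SENDER = re.compile(r"^[a-z]+\d{3,}@", re.I)
# Stand-in for a DNS blacklist lookup: relay IPs treated as listed (constructed).
DNSBL_HITS = {"203.0.113.7"}

def classify(msg):
    """Return the spam category for one message, or None if it passes."""
    if BLACKLIST_SENDER.search(msg["from"]):
        return "Blacklisted (by pattern matching)"
    text = msg["subject"] + "\n" + msg["body"]
    for name, pattern in RULES:
        if pattern.search(text):
            return name
    if msg["relay_ip"] in DNSBL_HITS:
        return "DNS Blacklists"  # only the fallback caught it: a gap in the rules
    return None

def breakdown(messages):
    """Per-category percent of spam (the pie chart) and spam share of all mail."""
    cats = Counter(c for c in map(classify, messages) if c)
    total_spam = sum(cats.values())
    pie = {k: round(100 * v / total_spam, 2) for k, v in cats.items()}
    return pie, round(100 * total_spam / len(messages), 2)

# Constructed week of mail: six spam messages, two legitimate ones.
SAMPLE = [
    {"from": "sales@example.net", "subject": "Add 3 inches fast", "body": "Limited offer", "relay_ip": "198.51.100.1"},
    {"from": "promo@example.org", "subject": "Natural male enhancement", "body": "Order now", "relay_ip": "198.51.100.2"},
    {"from": "offers@example.com", "subject": "Cheap V1agra online", "body": "Order today", "relay_ip": "198.51.100.3"},
    {"from": "jsmith4821@example.net", "subject": "Hello", "body": "Look at this", "relay_ip": "198.51.100.4"},
    {"from": "pharm@example.net", "subject": "Your prescription is ready", "body": "No doctor needed", "relay_ip": "198.51.100.5"},
    {"from": "news@example.org", "subject": "Hi", "body": "Click here", "relay_ip": "203.0.113.7"},
    {"from": "alice@example.com", "subject": "Lunch tomorrow?", "body": "Noon at the usual place", "relay_ip": "192.0.2.10"},
    {"from": "bob@example.com", "subject": "Re: project status", "body": "Draft attached", "relay_ip": "192.0.2.11"},
]

if __name__ == "__main__":
    for category, pct in sorted(breakdown(SAMPLE)[0].items(), key=lambda kv: -kv[1]):
        print(f"{category}: {pct}%")
```

The share of the "DNS Blacklists" slice is the coverage gap the paragraph above measures: spam that no named rule recognised and only the fallback caught.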

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.