
March 30, 2008

My Spam analysis for March 24 - 30, 2008

This article is about current email spam categories and percentages, based on rule sets I created for, and that are reported by, the anti-spam tool MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that male enhancement pills and other pharmaceuticals were finally displaced from the top spot in my spam categories, with Nigerian 419 and lottery scams, counterfeit brands of watches, clothing and footwear, fake diplomas and debt consolidation loans leading the pack. Most of the spam emails have links to websites hosted in China or Korea. Most of the fake and counterfeit watches, clothing, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so-called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PCs that are unknowingly members of various spam botnets.

< rant >
The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the world who will purchase enough drugs from links in spam emails to make it financially worthwhile for spammers to pay to rent botnets to send this crap. Considering the fact that most of these pharmaceuticals are fake, or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent online pharmacies?
< /rant >

As part of my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter that, when matched, assigns the status "BlackList" to those spam messages. This keeps a lot of spam from ever reaching my other categories, since my blacklist rule is processed first, which saves the processing power that my custom filters would normally require. Furthermore, I have now applied some of my blacklist terms to the email server on my website, automatically eliminating a huge portion of certain types of forged sender spam.

My current statistics show that spam is now 55% of all my incoming email, for the week of March 24 through 30, 2008. Without my custom MailWasher Pro filters identifying and automatically deleting most of this crap, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters for you all). The machines sending this deluge of spam are all members of botnets, with spam relays and remote command and control software surreptitiously installed, mostly by Trojans people are tricked into clicking on. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the world, all with forged sender names, confirming that this is a world-wide Spam-demic.

MailWasher Pro spam category breakdown for March 24 through 30, 2008.
Blacklisted (by pattern matching): 26.07%
Male enhancement spam: 5.83%
Other Pharmaceutical spam (includes Viagra and Cialis): 3.89%
Other filters: (See my MWP Filters page) 18.29%
Counterfeit Watches and Shoes: 7.39%
Loans and bankruptcy spam: 5.06%
Diploma spam: 5.06%
HTML Tricks: 4.28%
Nigerian 419 and Lottery Scams: 2.72%
Known Spam, by Subject, Body, or Sender: 15.56%
Google Redirect Exploits (to hostile downloads): 4.67%
DNS Blacklists: 0.40%
Bayesian learning filter: 0.78%

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).


I mentioned in this article that I use MailWasher Pro to screen and filter out spam before it is downloaded to Outlook Express (or your equivalent POP3 email client), and that it allows the use of special pattern matching of senders' addresses to blacklist them. I thought I would share the five main pattern matching blacklist filters with you. You can use them in MailWasher, if you have it, or on your web site's cPanel, in the account-wide email filters section, if you know how to use that feature. Here are the four "biggies" that typically block 26+% of all spam.

I set my blacklist to automatically delete, so I never see a message that is matched by these filters. If you choose to do the same you had better add all of your legitimate contacts to your Friends List, just in case. I also apply the same filter rules to my email server, on my website, thus eliminating a sizable percentage of spam without making MailWasher do the work. Those rules are listed below the equivalent MailWasher filters.

My MailWasher Pro custom BlackList wildcard patterns for current forged senders of spam:

MailWasher BlackList code: _+@+.+
Regular Expression for mail server filter use: _.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: _
Discard message

MailWasher BlackList code: -+@+.+
Regular Expression for mail server filter use: -.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: -
Discard message

MailWasher BlackList code: dw+m@+.+
Regular Expression for mail server filter use: dw.+m@.+
Discard message

MailWasher BlackList code: lin+met@+.de
Regular Expression for mail server filter use: lin.+met@.+\.de
Discard message

MailWasher BlackList code: tequil*a+@+.com
Regular Expression for mail server filter use: tequil.*a.+@.+\.com
Discard message

MailWasher Blacklist code: +@bestdebtrepair.net
Regular Expression for mail server filter use: .+@bestdebtrepair\.net
Discard message

NEW MailWasher Blacklist code (3/27/08): +@freenet.de
Regular Expression for mail server filter use: .+@freenet\.de
Discard message
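The listing above shows MailWasher BlackList codes beside their regular-expression equivalents, which is enough to reconstruct the mapping ("+" is one or more of any character, "*" is zero or more, everything else is literal). Here is an added example, not part of the original post, that performs that conversion in Python, checks a constructed Friends List before the blacklist (as the post advises when the blacklist auto-deletes), and runs the seven codes over constructed sample addresses; the helper names and sample addresses are my own.

```python
import re
from collections import Counter

# MailWasher BlackList wildcard syntax as used on the page: "+" matches one
# or more of any character, "*" matches zero or more, anything else is
# literal (so "." becomes "\."). This is a hypothetical helper written for
# this example, not a MailWasher function.
def mailwasher_wildcard_to_regex(code: str) -> str:
    parts = []
    for ch in code:
        if ch == "+":
            parts.append(".+")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"

# The seven BlackList codes listed on the page, in the page's order.
# Note that the page's server regexes for the first three drop the trailing
# "\..+"; that form is a superset of what the code below produces.
BLACKLIST_CODES = [
    "_+@+.+", "-+@+.+", "dw+m@+.+", "lin+met@+.de",
    "tequil*a+@+.com", "+@bestdebtrepair.net", "+@freenet.de",
]
COMPILED = [(c, re.compile(mailwasher_wildcard_to_regex(c), re.IGNORECASE))
            for c in BLACKLIST_CODES]

# Constructed Friends List (not real contacts). It is consulted first, which
# is the safeguard the post recommends when the blacklist is set to delete:
# "lin_emmet@example.de" would otherwise be eaten by "lin+met@+.de".
FRIENDS = {"lin_emmet@example.de", "_ops-alerts@example.org"}

def check_sender(address, friends=FRIENDS, rules=COMPILED):
    """Return ("friend", None), ("blacklist", code) or ("pass", None)."""
    addr = address.strip().lower()
    if addr in friends:
        return ("friend", None)
    for code, rx in rules:
        if rx.match(addr):
            return ("blacklist", code)
    return ("pass", None)

# Constructed sample From addresses (not real senders).
SAMPLE_SENDERS = [
    "_promo123@example.net", "-deals@example.org", "dwightm@example.com",
    "linzemet@mail.de", "tequila42@example.com", "offers@bestdebtrepair.net",
    "Hans@Freenet.DE", "lin_emmet@example.de", "alice@example.com",
]

def summarize(addresses):
    """Count how many addresses land in each outcome."""
    return dict(Counter(check_sender(a)[0] for a in addresses))

if __name__ == "__main__":
    for a in SAMPLE_SENDERS:
        print(f"{a:30} -> {check_sender(a)}")
    print(summarize(SAMPLE_SENDERS))
```

Broad prefixes such as "_+@+.+" and "-+@+.+" will also match legitimate automated senders, which is why the friends check runs first.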

Here is my custom filter rule that matches senders with a forged domain name on both sides of the @ sign:

[enabled],XdomainY@domain.tld,BlackList,0,AND,Delete,Automatic,EntireHeader,containsRE,"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1"

Learn more about MailWasher Pro, or Get MailWasher Pro here


March 28, 2008

Nigerian Scammers operating out of Madrid, Spain, plus using Botnets

Lately, I have been getting lots of Nigerian 419 Lottery scams, with the originating IP located in Spain, especially the ISPs - Ono.com and Telefonica.es. However, when I report these scams to SpamCop, a lot of the sending (not originating) IP addresses end up belonging to residential customers of broadband services in the US, Europe and South America. This tells me that the Nigerian crime gangs have buddied up with the owners of a botnet and are using it to relay some of their scam messages. Furthermore, some, but not all, of the scam emails also contain clickable links that lead to instant downloads of Trojan Horse downloaders, Keyloggers and Backdoors. This stinks of the Storm-Worm-Zhelatin Gang, located in St. Petersburg, Russia, although it could be a different botnet being rented out to Nigerians.

The main point of this article is not about botnets. Rather, it is to point out that many Nigerian 419 fraudsters are moving out of Africa, and Amsterdam (where they got arrested, convicted and deported), and settling in Spain. Not wanting to have their scam/spam messages traced directly to them, they have taken to the airwaves, literally. They are "piggybacking" on their neighbors' unsecured wireless routers, in apartment complexes or houses, using IP addresses assigned to other legitimate customers, to send scam runs. The victims are completely unaware that anything illegal is happening, until the Police come knocking on their door. Fortunately, the Nigerians who are piggybacking on the broadband accounts are in the same buildings. This has allowed the Spanish Police to locate and arrest some of them, as happened on February 18, 2008. Here is a quote from the Sophos article about those arrests:


Ten Nigerians arrested in Spain for email lottery scam
February 18, 2008

The ten people, all Nigerian nationals, are suspected of making more than 19,000 Euros ($28,000) in three months by demanding payments from innocent internet users who believed they had won a lottery.

Police report that the emails sent by the suspects were sent from the Teatinos area of Malaga in Spain, by piggybacking on a neighbour's wi-fi internet connection without permission. Seven arrests were made in Malaga, and three more in Huelva province.

Malaga is no stranger to Nigerian-run email scams. In 2005, 310 people were arrested in Malaga in what was said to be the biggest ever bust of a lottery scam gang. The arrests followed an investigation by the FBI and Spanish police into a scam run by Nigerian gangs.

If you run a forum or website that is plagued by Nigerian scammers you can block them from accessing it by employing a "blocklist." I publish and maintain a Nigerian Blocklist in two common formats:


  1. .htaccess - for most Apache-based, shared hosting websites, where the webmaster only has control over his/her own website. The .htaccess rules will only block browsing of your site and form submissions, but not email scams.

  2. iptables - for those administrator-webmasters, who have Root access to dedicated, or VPS - Linux based servers. Iptables rules can be imported into your APF firewall, to block all access to undesirables, including email access.


Rather than create an entirely new blocklist for the Nigerians residing in Spain, I am adding the IP addresses and CIDRs of Spanish ISPs to my Nigerian Blocklists.

End users, who receive email via a POP client (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora), and are tired of sorting through dozens or hundreds of daily email scams and other spam, can use the program I use to filter out spam and scams. That program is MailWasher Pro, which you can read about here.

In the meantime, do not fall for any lottery scams, or other free money pitches coming from Nigerian criminals. To see the details about what they have been up to recently, read my blog article about the sudden surge in Nigerian lottery scams.


March 26, 2008

Spybot Search and Destroy Malware Definitions Updated on March 26, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed by name in the detections below, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses following a malware name indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on March 26, 2008:

Keyloggers (Keyloggers steal your logins and passwords)
+ SpyKeylogger
+ SpyMyPC
+ StaticX

Malware Includes fake anti-virus and anti-spyware programs
+ AlfaCleaner
+ AntiSpywareSoldier
+ AzeSearch
+ Cleanator
+ FakeAlert.cc
+ Fraud.XPAntivirus
+ MalwareWipe
+ Performance Optimizer
+ Smitfraud-C.gp
+ SpyCrush
+ SpyDawn
+ SpyHeal
+ SpyShredder
+ SpywareIsolator
+ TrustCleaner
+ Vcodec.Intcodec
+ Virtumonde.dll (incl: 5955 variants)
+ VirusBurst
+ Win32.BHO.je
+ Win32.Renos
+ WinXDefender

Trojans Featuring 12 updated detections of Zlob* Trojans
+ Smitfraud-C.
+ Smitfraud-C.MSVPS
+ Win32.Dropper.Agent.byv
+ Win32.EESbinder
+ Zlob.DirectVideo
+ Zlob.Downloader.se
+ Zlob.Downloader.sg
+ Zlob.GoldCodec
+ Zlob.HQVideoCodec
+ Zlob.ImageActiveXObject
+ Zlob.KeyGenerator
+ Zlob.MMediaCodec
+ Zlob.QualityCodec
+ Zlob.SiteTicket
+ Zlob.VideoAccess
+ Zlob.VideoKeyCodec

Total: 565762 fingerprints in 126261 rules for 3758 products!

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX video codec, or other (Java) application, needed to view a presentation or pornographic movie. Once installed on the target computer, the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5.x, using the company links below.

NOTE
I just experienced something unusual and I suspect a lot more Spybot S&D users may have this happen also. I normally operate as a Power User, in Windows XP Professional. I switch to my administrator level account to upgrade programs like Spybot S&D and apply system-wide immunization, which cannot be as easily done from a Limited User account. After installing the available updates for March 26, 2008, I ran Spybot and let it remove some cookies it found. After that, having defragged and run Windows Update from the Admin account, I logged off that account and into what I thought was my regular account. When I got there most of my desktop icons were missing, the custom settings were gone and things were not right in Whoville. I quickly thought about what might cause this and instinctively I restarted the computer. After logging in at the Welcome screen all of my icons and settings were restored. Whew! If this happens to you, it is caused by the new anti-rootkit plug-ins, as I have since learned. After you update the Spybot S&D program in an Admin account, reboot before logging in to a lesser privileged account. This way you won't lose any personalized settings. I hope they fix this soon!

I just found this information posted by a member of Team Spybot, on the official Forum, regarding multiple account computers having profile corruption issues:

That's a problem when you run the update while Spybot-S&D is open. To avoid this completely, just run the updater from the start menu while Spybot-S&D is closed. But as I wrote, a restart will allow login again. 1.5.3 will have it fixed as well.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History


A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. In the "System Properties" dialog select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (this takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering whether it "plays nice" with other anti-spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers', computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as individuals who benefit from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S&D website. Think seriously about using it. Send what you can.


Sudden surge in Nigerian 419 Scam emails

For the last two days I have been getting lots of spam messages sent by Nigerian criminals, who are running a new 419 Advance Fee Fraud campaign. The current crop of 419 scams are mostly composed using all capital letters in the subject (but not always), and when you read the message body, it appears to come from a Barrister, or Solicitor, or a lottery, or a Will Executor. Huge rewards supposedly await the Mugu's (Fools) who respond and are willing to pay some processing fees to get this money transferred into their soon to be emptied bank accounts.

This request for fees to be paid in advance of the transfer of the imaginary funds is referred to as a 419 scam. That is the number of the statute in the Nigerian Criminal Code that covers financial advance fee fraud.

Here is a list of the subjects from the email scams I have received in the past 60 hours (Updated 3/28/08):

ASSISTANCE
ATM PAYMENT
Attention, Attention,, Attention
Attn:Beneficiary
CONTACT EFEX COURIER COMPANY ASAP
CONTACT FEDEX COURIER COMPANY FOR YOUR DELIVERY
CONTACT FEDEX COURIER COMPANY FOR YOUR PARCEL
CONTACT REV. DR. KENNETH OKOM DIRECTOR OF ATM CARD BANK
CONTACT YOUR ATM MASETR CARD
CONTACT YOUR ATM PAYMENT CENTER
Contact your claims agent
Dear Friend
From Barrister James.
FROM: PETER SUMEN. (NPA)
GOOD NEWS
IMPORTANT NOTICE
THIS IS FOR YOUR ATTENTION.
WILL EXECUTION
YOUR CONTRACT PAYMENT
Your Payment
GOOD NEWS CONTACT HALLMARK DELIVERY COMPANY FOR THE DELIVERY OF YOUR CONSIGNMENT ASAP.

Many of the message bodies begin with "Dear Friend,". Every one of these spam messages was an attempted 419 scam. If you get any email with these subjects you can probably safely delete it without reading the crap inside. If your email system allows for special filter rules, create one to delete or flag as spam all messages whose subject is in ALL CAPS. SpamAssassin already has this rule built into it. I personally use MailWasher Pro to screen all of my incoming POP email before I download it to Outlook Express. MailWasher Pro uses a variety of methods to recognize spam and scams, including user-created custom filters. I happen to write and maintain a group of filters for MailWasher Pro. They are available on my MailWasher Filters Page.

If you already have MailWasher and need a filter rule to detect messages containing all capital letters, here it is (the rule should be on one long continuous line):

[enabled],"Subject All Caps/Missing (S)","Subject All Caps/Missing (S)",33023,OR,Delete,Subject,doesn'tContainRE,(?-i)[a-z],Subject,doesn'tContainRE,.

Here is my MailWasher filter for known 419 scams (one long line):

[enabled],"Nigerian 419 Scams","419 Scam",16711680,OR,Blacklist,Delete,Body,containsRE,"^(?-i)Dear\ (Sir/Madam|Friend),(\n)?$",Body,contains,"URGENT AND CONFIDENTIAL",Body,contains,"BANK OF NIGERIA",Subject,is,"URGENT AND CONFIDENTIAL",Body,containsRE,"unclaimed\ (benefits|funds)",Subject,contains,"CONFIDENTIAL MUTUAL BUSINESS PROPOSAL",Body,contains,"contacting you based on Trust",From,contains,"Department of National Lotteries",Subject,contains,"UNITEDN NATION",Subject,containsRE,"TREAT\ (AS|VERY)\ (CONFIDENTIAL|URGENT)"

Just copy and paste that rule into your MailWasher filters.txt file, which is found in (Windows XP) your logged in identity > Documents and Settings > Application Data > MailwasherPro folder. Make sure MailWasher is closed before you add this rule, save the file, then open MWP again. The rule should be visible when you click on View > Filter Sidebar (Ctrl+F7). You can download MailWasher Pro here.
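To show what the two filter rules above actually test, here is an added Python example (my own code, not a MailWasher component) that transcribes the "Subject All Caps/Missing" rule and the individual tests of the "Nigerian 419 Scams" rule and runs them over a few constructed messages. MailWasher matching is assumed to be case-insensitive except where the rule says (?-i); the message dictionaries and sample text are constructed for this example.

```python
import re

# Rule 1, "Subject All Caps/Missing": the subject is flagged when it contains
# no lowercase letter (doesn'tContainRE "(?-i)[a-z]") OR contains no
# character at all (doesn'tContainRE "."), i.e. the subject is empty.
def subject_all_caps_or_missing(subject: str) -> bool:
    return (re.search(r"[a-z]", subject) is None
            or re.search(r".", subject) is None)

# Rule 2, the tests of the "Nigerian 419 Scams" rule, in the rule's order.
# A plain string is a case-insensitive "contains"; a compiled pattern is a
# "containsRE" (or "is", written as an anchored pattern). Only the "Dear
# Friend" test is case-sensitive, because of the rule's (?-i). The string
# "UNITEDN NATION" is kept exactly as it appears in the rule.
CI = re.IGNORECASE | re.MULTILINE
SCAM_TESTS = [
    ("body", re.compile(r"^Dear (Sir/Madam|Friend),\n?$", re.MULTILINE)),
    ("body", "URGENT AND CONFIDENTIAL"),
    ("body", "BANK OF NIGERIA"),
    ("subject", re.compile(r"^URGENT AND CONFIDENTIAL$", re.IGNORECASE)),
    ("body", re.compile(r"unclaimed (benefits|funds)", CI)),
    ("subject", "CONFIDENTIAL MUTUAL BUSINESS PROPOSAL"),
    ("body", "contacting you based on Trust"),
    ("from", "Department of National Lotteries"),
    ("subject", "UNITEDN NATION"),
    ("subject", re.compile(r"TREAT (AS|VERY) (CONFIDENTIAL|URGENT)", CI)),
]

def scam_hits(msg: dict) -> list:
    """Return a description of every 419 test the message satisfies."""
    hits = []
    for field, needle in SCAM_TESTS:
        text = msg.get(field, "")
        if isinstance(needle, str):
            matched = needle.lower() in text.lower()
            label = needle
        else:
            matched = needle.search(text) is not None
            label = needle.pattern
        if matched:
            hits.append(f"{field}: {label}")
    return hits

def classify(msg: dict) -> list:
    """Combine both rules; an empty list means neither rule fired."""
    reasons = []
    if subject_all_caps_or_missing(msg.get("subject", "")):
        reasons.append("subject all caps or missing")
    reasons.extend(scam_hits(msg))
    return reasons

# Constructed sample messages (not real mail).
SAMPLES = {
    "atm": {"from": "claims@example.net", "subject": "ATM PAYMENT",
            "body": "Dear Friend,\nThis is to inform you of your unclaimed funds."},
    "attn": {"from": "barrister@example.org", "subject": "Attn:Beneficiary",
             "body": "I am contacting you based on Trust and confidence."},
    "empty": {"from": "noreply@example.com", "subject": "", "body": "hello"},
    "legit": {"from": "alice@example.com", "subject": "Re: lunch on Friday",
              "body": "Dear Bob,\nSee you at noon."},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, "->", classify(msg) or "clean")
```

The all-caps test also fires on short legitimate subjects such as "FYI", which is why the example reports reasons rather than deleting anything.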

Do not ever fall for the pitches from these Con men in Nigeria. They are very good at relieving North Americans and Brits of their excess money, using greed as the bait.

If you have a website, with a forum, hosted on an Apache web server, and your members are getting harassed by Nigerian scammers, you should consider applying my .htaccess Nigerian Blocklist, to your web or forum root folder. This will block them from viewing posts, or signing up for accounts, using a browser, but won't block email or ftp access. On the other hand, if you have administrator access to the operating system itself, applying my Nigerian iptables blocklist to your Linux APF firewall will block not only http browsing, but also, email from Nigerian criminals, signups and ftp access. They won't be able to access your server whatsoever, if you apply the firewall rules.

.htaccess blocklist (recommended for most non-admin webmasters):
My .htaccess Nigerian Blocklist is found here

Linux APF firewall - iptables blocklist, for admins with root access:
My iptables Nigerian Blocklist is located here

I also publish blocklists in both .htaccess and iptables formats, to block Chinese and Korean traffic, Russian and Turkish spammers and exploited servers.


March 25, 2008

Mozilla Releases Firefox Browser 2.0.0.13 Security Update


Tonight, while I was browsing with Firefox, it was suddenly upgraded from version 2.0.0.12 to 2.0.0.13. This is because I set the option for Firefox to automatically check for and apply updates. Being the curious type I looked up the release notes, to find out why this new sub-version was pushed out, so quietly tonight. Here is the skinny.

What's New in Firefox 2.0.0.13

Release Date: March 25, 2008
Security Update: The following security issues were fixed.

  1. MFSA 2008-19: XUL popup spoofing variant (cross-tab popups) - High
  2. MFSA 2008-18: Java socket connection to any local port via LiveConnect - High
  3. MFSA 2008-17: Privacy issue with SSL Client Authentication - Low
  4. MFSA 2008-16: HTTP Referrer spoofing with malformed URLs - Moderate
  5. MFSA 2008-15: Crashes with evidence of memory corruption (rv:1.8.1.13) - Critical
  6. MFSA 2008-14: JavaScript privilege escalation and arbitrary code execution - Critical

This is half the number of vulnerabilities that were patched in the previous upgrade, from 2.0.0.11 to 2.0.0.12, which was released on February 7, 2008. If you use the Firefox browser you should check for updates as soon as you go online with a computer it is installed on. It may beat you to the draw though! Otherwise, open Firefox and click on the menu item "Help" > "Check for Updates." If you need the update it will be displayed prominently, with a button to Download and Install now. It'll only take a minute or so on broadband, after which a box will pop up telling you that Firefox was upgraded and must be restarted. Click OK to restart, even if you have multiple tabs open. They will reopen when Firefox restarts. You may have to log in to password protected sites. After the update and restart, if you use any Add-ons or Extensions, run a check for updates to those items. It may take a few days for the authors to catch up and issue new releases to remain compatible with the latest updates. Most of the time everything I have added on still works after numerous upgrades.

If this is all news to you and you have not tried the Firefox browser, here is a link to the official Firefox download page, for all languages. If you, like me, are in the US (or Canada), and use the US English version on a Windows based computer, here is your Firefox download link, for the 5.7 Mb file. Save it to your hard drive and run setup. During the setup process Firefox will offer to import your Internet Explorer Favorites and Cookies. Allow it to import these items and finish the installation. Once Firefox opens you will have Bookmarks instead of Favorites, but all of your previously saved Favorites will be available by clicking on Bookmarks > "From Internet Explorer." Mouse over this folder and all your Favorites will fly out in a list. Clicking on any bookmark will open it in the browser. Since you told it to import your cookies, your preferences will carry over as well, although you may have to re-type your logins to some websites manually. If this is necessary, tell Firefox to remember your login for that website and it will be safely stored for you.

Firefox is a tabbed browser and can open links you click on in a new tab, instead of a new window. You have the option of giving the new tab focus, or staying put where you were when you clicked on the link. Furthermore, Firefox does not run any ActiveX controls, thus making it infinitely safer to browse with than Internet "Exploder." Give Firefox a try today.


March 24, 2008

Russian connection to user agent "WordPress/2.1.1" in website access logs

I read the access logs for my website every day and sometimes I see something that jumps out and grabs my attention, as not right. This month, that something is a bunch of attempts to grab various pages on my blog, in an unusual manner, with a very unusual user agent: WordPress/2.1.1

At first I thought that somebody was just trying to pick up my MovableType RSS feed, but that is not what they are after. So, I did a little research on "WordPress/2.1.1" and learned that it represents a hacker-compromised version of the popular WordPress PHP blogging software, which was updated months ago, to version 2.1.2, by Wordpress.org. I suppose that there may be some Wordpress users who haven't heard that this version was hacked with a backdoor, and haven't bothered to check for updates, but the log entries I am seeing are not from a Wordpress blog. I decided to do a little investigating, which is something I am good at. So, I followed the IP addresses to see from whence they came.

What I have learned so far, regarding the visitors who have configured their browser with the user agent "WordPress/2.1.1", is that (A) they come at me with no "Referer" field entry, (B) they always try to GET a blog article itself, followed immediately by a request for the HEAD, and (C) they change IP addresses after getting my 403 (Forbidden) message and try again. This cloaking of IP addresses has no effect, since I am also blocking them by their User Agent string.

Let's take a look at the access log entries for this user agent (stretch out or maximize your browser):

67.228.198.50 - - [02/Mar/2008:00:58:01 -0700] "GET /blogs/2008/02/my_spam_analysis_for_february_18_24_2008.html HTTP/1.1" 403 350 "-" "WordPress/2.1.1"
67.228.198.50 - - [02/Mar/2008:01:04:52 -0700] "HEAD /blogs/2008/02/my_spam_analysis_for_february_11_17_2008.html HTTP/1.1" 403 238 "-" "WordPress/2.1.1"

69.50.177.18 - - [13/Mar/2008:12:06:49 -0600] "GET /blogs/2008/03/2wire_modem_dns_poisoning_attack_returns_to.html HTTP/1.1" 403 351 "-" "WordPress/2.1.1"
69.50.177.18 - - [13/Mar/2008:12:07:14 -0600] "HEAD /blogs/2008/03/2wire_modem_dns_poisoning_attack_returns_to.html HTTP/1.1" 403 238 "-" "WordPress/2.1.1"

83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

89.108.85.75 - - [23/Mar/2008:16:52:38 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
89.108.85.75 - - [23/Mar/2008:16:53:08 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

91.192.116.2 - - [23/Mar/2008:18:56:59 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
91.192.116.2 - - [23/Mar/2008:18:57:14 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

216.255.185.178 - - [24/Mar/2008:10:15:07 -0600] "GET /blogs/2008/03/followup_article_about_windows_vista_sp1_rel.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
216.255.185.178 - - [24/Mar/2008:10:15:22 -0600] "HEAD /blogs/2008/03/followup_article_about_windows_vista_sp1_rel.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

These are definitely not typical access log entries and nothing a normal search engine or human visitor would do. WordPress is a blog application that gets installed onto web servers. It is not a browser. A user agent string identifies a browser, a search engine, or a robot. Despite the diversity of IP addresses, these visits are not unrelated. Read my extended comments to see where these IP addresses are allocated and my conclusions about their source and probable intent.

We are following the strange access log entries of a visit from somebody, or some bot, using the distinct user agent string: WordPress/2.1.1. It has hit my server over most of the month of March (so far), always using a GET followed by a HEAD request, for the same blog files. Let's trace those IP addresses to their home bases.

67.228.198.50 belongs to SoftLayer, a web host full of compromised servers and websites, that is on my Exploited Servers Blocklist.

69.50.177.18 belongs to Concord Intercage / Atrivo.com, with a CIDR of 69.50.160.0/19.

NetRange: 69.50.160.0 - 69.50.191.255
CIDR: 69.50.160.0/19
NetName: INTERCAGE-NETWORK-GROUP
NetHandle: NET-69-50-160-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: MAIL.ATRIVO.COM
NameServer: PAVEL.ATRIVO.COM

What do we know about Atrivo and Intercage? LOTS!

A quick lookup of the IP in question, 69.50.177.18, at Spamhaus.org, reveals this interesting tidbit, under Ref: SBL53320:


69.50.160.0/19 is listed on the Spamhaus Block List (SBL)

Hosting: inhoster.com spammer/cybercrime hosting front

See:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL36702

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL36453
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

What is the connection between Intercage, Atrivo and Inhoster? Inhoster is registered via estdomains, which is hosted on Intercage/Atrivo, all of which are owned by the same person.

83.222.14.129 belongs to MASTERHOST-COLOCATION, which is located at Lyalin lane 3, bld 3, 105062, Moscow, Russia. The CIDR for Masterhost is 83.222.0.0/19.

89.108.85.75 is assigned to Agava Company, based in B. Novodmitrovskaya str., 36/4, 127015 Moscow, Russia. Their CIDR is 89.108.64.0/19.

91.192.116.2 is hosted in the United Kingdom, on servers owned by TodayHost Ltd. IP addresses within their CIDR, 91.192.116.0/22, have been harassing my website for a couple of months now. All of their efforts are blocked thus far.

216.255.185.178 is owned by none other than Intercage! This particular net block has a CIDR of 216.255.176.0/20.

These unusual visits from multiple IPs are traced back to Russian concerns. Inhoster is involved here, as probably is the RBN. Whatever they are up to, it is no good. My guess is that this is either an attempt to read the source code of my blog, looking for a way to send automated comment spam, or to test my security fences. The single British host is no surprise to me either. I have already learned that the RBN is now farming out servers from certain UK concerns, but using them for their own, malicious purposes.

My recommendations for other webmasters.
Apply my Exploited Servers Blocklist and my Russian Blocklist to your Apache Server .htaccess file, as soon as possible. If you have root access to your Linux based server, use my iptables blocklists instead, in your Linux APF firewall.

A sample of the blocklist for .htaccess, for just these aforementioned IP CIDRs, is:

<Files *>
order deny,allow
deny from 67.228.0.0/16 69.50.160.0/19 83.222.0.0/19 89.108.64.0/19 91.192.116.0/22 216.255.176.0/20
</Files>

Additionally, block access to anybody with the exact user agent "WordPress/2.1.1" in your .htaccess, with the following rule:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^WordPress/2\.1\.1$
RewriteRule .* - [F]
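The pattern described in this post (empty Referer, a GET followed by a HEAD for the same page from the same IP, always with the user agent "WordPress/2.1.1") can be picked out of an access log automatically. The script below is an added example written for this page, not code from the original post or from the Apache/MovableType setup it describes. It parses Apache combined-format lines, reports each GET-then-HEAD probe, and mirrors the anchored rewrite condition above to show what that rule does and does not match. The sample log lines, the shortened paths and the ten-minute pairing window are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, the layout of the entries quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SUSPECT_UA = "WordPress/2.1.1"
PAIR_WINDOW_SECONDS = 600   # assumed: a HEAD within ten minutes of the GET is the same probe

# Constructed sample lines, modelled on the entries in the post (paths shortened),
# plus one ordinary browser request that must not be flagged.
SAMPLE_LOG = """\
67.228.198.50 - - [02/Mar/2008:00:58:01 -0700] "GET /blogs/2008/02/a.html HTTP/1.1" 403 350 "-" "WordPress/2.1.1"
67.228.198.50 - - [02/Mar/2008:01:04:52 -0700] "HEAD /blogs/2008/02/a.html HTTP/1.1" 403 238 "-" "WordPress/2.1.1"
83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "GET /blogs/2008/03/b.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "HEAD /blogs/2008/03/b.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"
192.0.2.10 - - [23/Mar/2008:17:00:00 -0600] "GET /blogs/2008/03/b.html HTTP/1.1" 200 8123 "http://example.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_probes(log_text, ua=SUSPECT_UA, window=PAIR_WINDOW_SECONDS):
    """List (ip, path) for every GET-then-HEAD pair sent with the suspect
    user agent and no Referer, the behaviour described in the post."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ua"] == ua and rec["referer"] == "-":
            by_ip[rec["ip"]].append(rec)
    probes = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for get, head in zip(recs, recs[1:]):
            if ((get["method"], head["method"]) == ("GET", "HEAD")
                    and get["path"] == head["path"]
                    and (head["ts"] - get["ts"]).total_seconds() <= window):
                probes.append((ip, get["path"]))
    return probes


# The rewrite condition in the post is anchored at both ends, so it matches only
# the exact string. This helper applies the same expression.
UA_BLOCK_RE = re.compile(r"^WordPress/2\.1\.1$")


def blocked_by_ua_rule(user_agent):
    """True if the .htaccess rule above would return 403 for this user agent."""
    return UA_BLOCK_RE.match(user_agent) is not None


if __name__ == "__main__":
    for ip, path in find_probes(SAMPLE_LOG):
        print(f"probe from {ip}: GET then HEAD for {path}")
    for ua in ("WordPress/2.1.1", "WordPress/2.1.1 (x)", "Mozilla/5.0"):
        print(f"{ua!r} blocked by UA rule: {blocked_by_ua_rule(ua)}")
```

Run as a script it prints the two probes in the sample and the rule check for three user agents. The `$` anchor is worth noticing: a user agent of "WordPress/2.1.1 (x)" passes the rewrite rule untouched, so if variants start showing up in the logs, widen the pattern rather than assume the rule caught them.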


March 23, 2008

My Spam analysis for March 17 - 23 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that male enhancement pills and other fake pharmaceuticals dominated all spam categories, but, with counterfeit brands of watches, clothing and footwear, along with fake diplomas, making a big comeback. Most of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Much of the fake and counterfeit drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets.

< rant >
The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the World, who will purchase enough drugs from links in spam emails to make it financially worth while for spammers to pay to rent botnets to send this crap. Considering the fact that most of these pharmaceuticals are fake, or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent, online pharmacies?
< /rant >

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter, that when matched, assigns the status "BlackList" to those spam messages. This excludes lots of spam emails being categorized, since my blacklist rule is processed first. This saves processing power that is normally required by my custom filters. Furthermore, I have now applied some of my blacklist terms to the email server, on my website, automatically eliminating a huge portion of certain types of forged sender spam.

My current statistics show that spam is now 50% of all my incoming email, for the week of March 17 through 23, 2008. This is 6% down from last week, much of which is attributable to me applying pattern matching spam filters to my mail server. However, 50% spam is still getting through and without my custom MailWasher Pro filters identifying and automatically deleting most of this crap, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters for you all). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by Trojans people are tricked into clicking on. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for March 17 through 23, 2008.
Blacklisted (by pattern matching): 15.49%
Male enhancement spam: 15.96%
Other filters: (See my MWP Filters page) 26.29%
Counterfeit Watches and Shoes: 18.78%
Casino spam: 3.29%
Diploma spam: 6.10%
HTML Tricks: 6.10%
Spam sent to and from same email account: 2.82%
Known Spam Subjects: 4.23%
DNS Blacklists: 0.47%
Bayesian learning filter: 0.47%

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Try Firetrust Mailwasher® Pro

I mentioned in this article that I use MailWasher Pro to screen and filter out spam, before it is downloaded to Outlook Express (or your equivalent POP3 email client), and that it allows the use of special pattern matching of senders' addresses to blacklist them. I thought I would share the five main pattern matching blacklist filters with you. You can use them in MailWasher, if you have it, or on your web site's cPanel, in the account-wide email filters section, if you know how to use that feature. Here are the four "biggies" that typically block 26+% of all spam.

I set my blacklist to automatically delete, so I never see a message that is matched by these filters. If you choose to do the same you had better add all of your legitimate contacts to your Friends List, just in case. I also apply the same filter rules to my email server, on my website, thus eliminating a sizable percentage of spam without making MailWasher do the work. Those rules are listed below the equivalent MailWasher filters.

My MailWasher Pro custom BlackList wildcard patterns for current forged senders of spam:

MailWasher BlackList code: _+@+.+
Regular Expression for mail server filter use: _.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: _
Discard message

MailWasher BlackList code: -+@+.+
Regular Expression for mail server filter use: -.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: -
Discard message

MailWasher BlackList code: dw+m@+.+
Regular Expression for mail server filter use: dw.+m@.+
Discard message

MailWasher BlackList code: lin+met@+.de
Regular Expression for mail server filter use: lin.+met@.+\.de
Discard message

MailWasher BlackList code: tequil*a+@+.com
Regular Expression for mail server filter use: tequil.*a.+@.+\.com
Discard message

NEW MailWasher Blacklist Rule: +@bestdebtrepair.net
Regular Expression for mail server filter use: .+@bestdebtrepair\.net
Discard message

Here is my custom filter rule that matches senders with a forged domain name on both sides of the @ sign:

[enabled],XdomainY@domain.tld,BlackList,0,AND,Delete,Automatic,EntireHeader,containsRE,"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1"
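To see how these rules behave before pointing them at a live mailbox, here is an added example written for this page (it is not MailWasher's or cPanel's own code, and the author did not supply it). It applies the regular-expression forms of the sender blacklist rules above, and the "forged domain on both sides of the @" header rule, to a few constructed messages. One assumption is stated in the code: the header rule is run over the whole header block with `^` matching at line starts and `.` matching newlines; the regex flavour a given mail server filter uses may differ. The example.* host names and the addresses in the samples are constructed.

```python
import email
import re
from email.utils import parseaddr

# Regular-expression forms of the sender blacklist rules listed above.
SENDER_BLACKLIST = [
    r"_.+@.+",
    r"-.+@.+",
    r"dw.+m@.+",
    r"lin.+met@.+\.de",
    r"tequil.*a.+@.+\.com",
    r".+@bestdebtrepair\.net",
]
SENDER_PATTERNS = [re.compile(p, re.IGNORECASE) for p in SENDER_BLACKLIST]

# The "forged domain on both sides of the @" rule from the post, taken as written.
# Assumption: it is applied to the whole header block with ^ matching at line
# starts and . matching newlines (MULTILINE | DOTALL). A cPanel/Exim or
# MailWasher filter may apply different flags.
DOUBLE_DOMAIN_RE = re.compile(
    r"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1",
    re.MULTILINE | re.DOTALL,
)

# Constructed sample messages; only the headers matter to these rules.
SAMPLE_MESSAGES = {
    "forged_underscore": (
        "Received: from mail.example.net by mx.example.com\n"
        "From: _promo7@example.net\n"
        "Subject: cheap meds\n\nbody\n"
    ),
    "debt_repair": (
        "Received: from mail.example.net by mx.example.com\n"
        "From: offers@bestdebtrepair.net\n"
        "Subject: fix your credit\n\nbody\n"
    ),
    "double_domain": (
        "Received: from mail.example.org (envelope-from <bounce@example.org>) by mx.example.com\n"
        "From: Sales <abexampleqz@example.org>\n"
        "Subject: hi\n\nbody\n"
    ),
    "legit": (
        "Received: from mail.example.org (envelope-from <alice@example.org>) by mx.example.com\n"
        "From: Alice <john_doe@example.org>\n"
        "Subject: hello\n\nbody\n"
    ),
}


def sender_address(raw_message):
    """Address part of the From: header, e.g. 'alice@example.org'."""
    msg = email.message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1]


def classify(raw_message):
    """Name of the first blacklist rule that fires, or None if the message passes."""
    addr = sender_address(raw_message)
    # fullmatch: the MailWasher wildcard rules cover the whole sender field, so
    # "_.+@.+" means "begins with an underscore", not "contains one somewhere".
    for pattern in SENDER_PATTERNS:
        if pattern.fullmatch(addr):
            return "sender:" + pattern.pattern
    headers = raw_message.split("\n\n", 1)[0]
    if DOUBLE_DOMAIN_RE.search(headers):
        return "double-domain"
    return None


if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        print(f"{name}: {classify(raw) or 'pass'}")
```

The "legit" sample is there on purpose: john_doe@example.org contains an underscore, and an unanchored search with `_.+@.+` would discard it, while a whole-field match only discards addresses that begin with the underscore. When moving these expressions to a server-side filter, check whether that filter anchors the match or searches within the field, and add `^` and `$` if it searches, or a legitimate contact's mail will quietly disappear.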

Learn more about MailWasher Pro, or Get MailWasher Pro here


New backdoor threat in spam email using recording artist names

If I got this, you will too. Be on the lookout for a spam email with the name of a major female recording artist in a subject and a message body claiming it has a link to a video or mp3 file. Clicking on said link will result in the download and possible execution of a file named mgp.exe, which has been identified by AVG as Backdoor IRCBOT.DNZ. Activating this threat will give control of your PC to hackers who will control it using IRC channels and commands. After that, there is no telling what other malware or spam-ware will be installed onto your computer.

The file I tested (mgp.exe) is 61.5 kb in size and was delivered from a compromised Italian website, AlterVista.org, whose IP address range is from 75.126.135.128 - 75.126.135.143, which is hosted on servers leased from Softlayer, Inc.

Those of you who use my exploited servers blocklist are already aware that Softlayer's IP range is in the list of servers being exploited for spam and hosting malware. The IP range is expressed as what is known as a CIDR and in the case of Softlayer the CIDR to block is 75.126.0.0/16 - which covers all IP addresses from 75.126.0.0 through 75.126.255.255. The CIDR assigned to the infected Italian website is 75.126.135.128/28. This message has already been reported to SpamCop, by numerous reporting recipients. They will notify the companies involved in hosting this malware threat, but, the timing of this spam threat is no coincidence. This threat was released on the Easter long holiday weekend, when support personnel may be out or short-handed until Tuesday, in the hopes of maximizing the usability of the ruse.

If you have control over incoming email on your web server, you may wish to apply a filter to block traffic from these CIDRs, unless you have business with websites hosted there. Otherwise, create a filter to block email where the Subject contains "Stunning video" and "Carmen Electra" - and the body contains "Only 1 day trial" and "download it now."

The full text of the spam threat I examined is as follows...

Subject: Stunning video without cowards Carmen Electra

Message Body:

Milla Jovovich Interesting video with a naked celebrity.

The video is Kick-up!

Only 1 day trial - get this Full mp3 now!

{link removed} Download it now!
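The two defensive measures suggested above (a content rule on the subject and body phrases, and a block on mail from the named CIDRs) are shown together in the following added example, written for this page and not taken from the original post or from any mail filtering product. It parses a message, applies the phrase rule, pulls the connecting host's bracketed IP literal out of the Received: headers and checks it against the two CIDRs in the post, and expands a CIDR into its first and last address to show what the /16 and /28 cover. The sample messages, the sending IP placed inside the /28, and the example.* host names are constructed.

```python
import email
import ipaddress
import re

# Networks named in the post: the compromised site's /28 and SoftLayer's /16.
BLOCKED_CIDRS = ("75.126.135.128/28", "75.126.0.0/16")
BLOCKED_NETWORKS = [ipaddress.ip_network(c) for c in BLOCKED_CIDRS]

# Content rule from the post: both subject phrases AND both body phrases.
SUBJECT_PHRASES = ("stunning video", "carmen electra")
BODY_PHRASES = ("only 1 day trial", "download it now")

# A bracketed IPv4 literal, the form in which an MTA records the connecting host.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed samples. The first is modelled on the spam quoted above, with a
# placeholder sending host inside the post's /28; the second is a harmless
# message that shares some of the phrases and must not be discarded.
SAMPLE_SPAM = """\
Received: from [75.126.135.130] (helo=mail.example.invalid) by mx.example.com
From: promo@example.invalid
Subject: Stunning video without cowards Carmen Electra

Milla Jovovich Interesting video with a naked celebrity.
The video is Kick-up!
Only 1 day trial - get this Full mp3 now!
[link removed] Download it now!
"""

SAMPLE_OK = """\
Received: from [192.0.2.7] by mx.example.com
From: friend@example.org
Subject: Stunning video of the kids

Download it now if you like; the player is only 1 day trial though.
"""


def cidr_bounds(cidr):
    """First and last address covered by a CIDR, as dotted-quad strings."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)


def in_blocked_range(ip):
    """True if the dotted-quad string falls inside any blocked network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def received_ips(msg):
    """All valid bracketed IPv4 literals found in the Received: headers."""
    ips = []
    for header in msg.get_all("Received", []):
        for m in RECEIVED_IP_RE.finditer(header):
            try:
                ips.append(str(ipaddress.ip_address(m.group(1))))
            except ValueError:
                continue   # e.g. 999.1.1.1 looks like an address but is not one
    return ips


def matches_content_rule(msg):
    """Subject must contain both subject phrases and body both body phrases."""
    subject = (msg.get("Subject") or "").lower()
    body = str(msg.get_payload()).lower()
    return (all(p in subject for p in SUBJECT_PHRASES)
            and all(p in body for p in BODY_PHRASES))


def classify(raw_message):
    """Reasons to discard the message; an empty list means it passes."""
    msg = email.message_from_string(raw_message)
    reasons = []
    if matches_content_rule(msg):
        reasons.append("content")
    reasons.extend("cidr:" + ip for ip in received_ips(msg) if in_blocked_range(ip))
    return reasons


if __name__ == "__main__":
    for cidr in BLOCKED_CIDRS:
        print(cidr, "covers", *cidr_bounds(cidr))
    print("spam sample:", classify(SAMPLE_SPAM) or "pass")
    print("ok sample:", classify(SAMPLE_OK) or "pass")
```

Only the bracketed IP literal is checked, because that is what the receiving MTA observed; the host name in the helo= part is supplied by the sender and is deliberately ignored. The harmless second sample shares three of the four phrases, which is why the post's rule requires all of them rather than any one.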

Read about what you should do if you have already clicked on such a link, in my extended comments...

If you have already clicked on the link you should scan your computer immediately, with the most up to date anti-virus definitions for your anti virus program. Also, empty your browser's cache, or Temporary Internet Files to delete the copy that is hiding in that location. If your anti virus program is expired, it is useless and you may as well uninstall it and replace it with something up to date and functional. You will either need to purchase a subscription to a commercial anti malware program or download a free one, like AVG or Avast. Free programs are alright for casual use, but don't give you anywhere near the protection and frequency of updates that a paid version offers. I have links to some well respected anti virus programs at the end of this section.

Most anti virus vendors already have released definitions to identify this Backdoor Trojan and will delete it if you haven't already activated the executable. If the virus is already installed they will remove it, but you may need to reboot and scan again. If you have already shut down your computer since becoming infected with this backdoor threat, you may also have to disable System Restore, to totally eliminate it. This is because these types of malware programs hook themselves into system files and locations, which are automatically backed up in System Restore Points. You may remove the threat and think it is gone, but, next time you reboot - System Restore will reinstall it! Sucks, don't it? Anyway, after turning off System Restore and disinfecting your computer thoroughly, you can turn it back on and set a new, clean restore point.

To disable or enable System Restore, right click on "My Computer" and choose "Properties." On the Properties sheet there is a tab labeled System Restore, which you should click on to open. In the System Restore property sheet there is a checkbox labeled "Turn off System Restore." Click in the box to select the option, click Apply, then acknowledge the pop-up challenge box, warning you that all restore points will be lost. Click Ok, to close the properties sheets, then scan again, reboot, scan another time, then repeat the steps to get to the System Restore sheet and uncheck the selection and Apply it. This will turn on System Restore again. Next, click on (All) Programs > Accessories > System Tools > System Restore and when the Restore Wizard opens, have it create a new Restore Point.

Next time you get a spam email inviting you to click on a link to view a video, or hear an mp3, don't do it and you won't have to go through this misery!

Links to legitimate anti virus programs and discount links

Spyware Doctor

March 21, 2008

Followup article about Windows Vista SP-1 release problems

On March 20, 2008, I published an article on my blog about the release of Windows Vista Service Pack 1 and problems it was causing for some customers. Today, I learned some specifics about one of the pieces of hardware which is especially problematic for SP1 upgraders. That hardware is the Intel 945G Express series chipset that is found in thousands of computers that are being distributed and have been for the last year or so. I was building computers with Intel motherboards containing the 945G chipsets last summer. Most of these computers were loaded with XP Professional, but many were getting Vista Business installed. They all worked fine with the initial release of Vista, but that has come to a sudden halt, with the release of Vista SP1, for those machines.

The 945G Express chipset driver versions between numbers 7.14.10.1322 and 7.14.10.1403 won't work with Vista SP1, according to Microsoft. These chipsets are found in Asus and Intel OEM motherboards, and major name brands, like Gateway, Lenovo, Hewlett-Packard and others. The 945G Express chipset includes Intel's GMA 950 graphics core, which also won't work with Vista SP1 if those drivers are used. Intel has released updated drivers for the 945G Express chipsets, to the manufacturers of the motherboards and computer builders using them. You should visit the support website for your computer builder, or motherboard, to update all of your hardware to the latest drivers before even attempting to install SP1. Note, that in the case of certain drivers, Microsoft itself may release updated versions that are compatible with Vista SP1, via Automatic Windows Updates, or manual Microsoft Updates. If all else fails and your motherboard is made by Intel, go to their website, input your motherboard part number and look for the latest Vista drivers. The Intel 945G chipset information page is here.

Admittedly, this is a bunch of techno-babble to most people, but, if you attempted to upgrade to Vista SP1 and your motherboard hardware has all yellow exclamation marks next to each chipset, in Device Manager, you will want to understand what is causing it and where to start looking for solutions.


March 20, 2008

Windows Vista SP-1 released - some driver problems reported

On Tuesday, March 18, 2008, Microsoft released the first service pack, SP-1, for general distribution, via Windows Updates. Microsoft describes the improvements contained in this service pack, as follows:

"In addition to all previously released updates, SP1 contains changes focused on addressing specific reliability and performance issues, supporting new types of hardware, and adding support for several emerging standards. SP1 also continues to make it easier for IT administrators to deploy and manage Windows Vista. Service Packs are not intended to be a vehicle for releasing significant new features or functionality; however some existing components do gain slightly enhanced functionality in SP1 to support industry standards and new requirements."

For most users the update to Vista SP-1 has been going smoothly, but there are others who are not so fortunate. Those folks are experiencing driver failures after rebooting from the upgrade process. Let's look into what is going wrong and what can be done to either prevent, or correct this problem.

Microsoft has been testing SP-1 for quite a while now and already knows about which hardware device drivers will experience trouble after the upgrade. For this reason Microsoft has been releasing its own driver updates for some of the most widely deployed chipsets which are at risk of failing during the upgrade to SP-1. Among those chipsets and drivers is the widely used Realtek AC97 audio device. Also listed as needing updated drivers are the following: SigmaTel, Creative Audigy and Conexant HD Audio. An Intel display driver also needs to be updated. I recommend visiting the Microsoft Support page describing these affected devices. On that page you are urged to visit the manufacturer's websites to search for updated drivers. This is always your best first option regarding device drivers. However, in the case of the Realtek drivers, Microsoft has written and made available its own upgraded driver and is making it available via Microsoft Updates.

When you run Microsoft Updates it will first check your installed hardware to see if any devices are on the list of affected hardware. If so, you will be offered an optional hardware update to fix that driver, in preparation for the installation of SP-1. Note, that these devices may be functioning perfectly under the initial release of Windows Vista. However, until you update the affected drivers you will not be offered the update to service pack 1. This is to protect your computer from device failures upon installing SP-1 and rebooting. Some of you may be tempted to go to the Microsoft download site and install the service pack manually. If you haven't taken care of the driver compatibility issues you will experience problems, such as are described on this Microsoft Support page. The following is a quote from the Microsoft Vista SP-1 Support page titled "Things to know before you download."

"Some Windows Vista users may encounter an issue with a small set of hardware devices that may not function properly after updating a Windows Vista PC to Windows Vista SP1. This is an issue with the way the device drivers were re-installed during the Windows Vista SP1 update process, not with the drivers themselves—these drivers worked on Windows Vista RTM and they work on Windows Vista SP1. This problem is typically corrected by simply uninstalling and reinstalling the driver. We are working with the manufacturers of these devices to get the known problematic drivers and their install programs updated, and also on other solutions we can use to ensure a smooth customer experience when updating to Windows Vista SP1 using Windows Update. For new PCs provisioned with Windows Vista SP1, this is not an issue."

There are bound to be improvements in the interaction of various applications and Windows Vista, as a result of the changes made in Vista Service Pack 1. One improvement I just learned about involves Acronis True Image, which was reportedly failing to lock certain disk volumes for making backups and was causing NTFS 137 errors, in the "default transaction resource manager." Microsoft worked with the Acronis team and discovered that there was a bug in the Vista code, causing this error. That bug has been fixed in Service Pack 1. I have a web page with information about the current version of Acronis True Image and download links to buy it at a special discounted price.


March 19, 2008

Spybot Search and Destroy Malware Definitions Updated on March 19, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUPS group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on March 19, 2008:

Adware
++ Alertline
++ BaiduBar
++ Doublepoint
++ Windots

Dialer
+ Aconti

Keyloggers (Keyloggers steal your logins and passwords)
++ SpyBuddy
+ SWAgent

Malware (includes fake anti-virus and anti-spyware programs)
+ AntiVirGear
+ FakeAlert
++ FakeAlert.mhg
++ MalWarrior
+ Smitfraud-C.gp
+ SpyLocked
++ SpywareLocked
++ SpywareRemover
+ Vario.RogueAntiSpy
+ Vcodec.eMedia
+ Virtumonde.dll (24)
++ Virtumonde.mhg (2911)
+ Win32.BHO.je
+ Win32.Renos
++ WinPerformance

PUPS (Possibly Unpopular Software)
+ Accoona

Spyware
+ AdBreak

Trojans (featuring 20 new or updated detections of Zlob* Trojans!)
++ Banker
+ CnsMin
+ Smitfraud-C.MSVPS
++ Win32.Gamec.cq
++ Win32.Zhelatin.vg
+ Zlob.DNSChanger.rtk (12)
+ Zlob.Downloader
++ Zlob.Downloader.bs
+ Zlob.Downloader.iec
+ Zlob.Downloader.oid
+ Zlob.Downloader.rid
+ Zlob.Downloader.se
+ Zlob.Downloader.sot
+ Zlob.Downloader.vdt
+ Zlob.Downloader.xot
+ Zlob.MovieBox
+ Zlob.MovieCommander
+ Zlob.PPlayer
+ Zlob.SecurityTools
+ Zlob.VideoAccessActiveXObject
+ Zlob.VideoActiveXAccess
+ Zlob.VideoAXObject
+ Zlob.VideoBox
+ Zlob.XXXAccess
+ Zlock.uc

Total: 554199 fingerprints in 123295 rules for 3731 products.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5.x, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. In the "System Properties" box select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as individuals who benefit from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.


March 16, 2008

My Spam analysis for March 10 - 16, 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that fraudulent pharmaceuticals, mostly Viagra and male enhancement pills, dominated all spam categories, but with counterfeit brands of watches, clothing and footwear, along with fake diplomas, making a big comeback. Most of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Much of the fake and counterfeit drugs and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so-called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PCs, that are unknowingly members of various spam Botnets.

< rant >
The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the World, who will purchase enough drugs from links in spam emails to make it financially worth while for spammers to pay to rent botnets to send this crap. Considering the fact that most of these pharmaceuticals are fake, or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent, online pharmacies?
< /rant >

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter, that when matched, assigns the status "BlackList" to those spam messages. This keeps a lot of spam emails from being categorized by my other filters, since my blacklist rule is processed first. This saves the processing power that is normally required by my custom filters. Furthermore, I have now applied some of my blacklist terms to the email server, on my website, automatically eliminating a major portion of certain types of forged sender spam.

My current statistics show that spam is now 56% of all my incoming email, for the week of March 10 through 16, 2008. This is the same amount as last week. Without my custom MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm or related Trojans. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for March 10 through 16, 2008.
Blacklisted (by pattern matching): 17.21%
Male enhancement spam: 15.58%
Other Pharmaceutical spam (includes Viagra and Cialis): 4.51%
Other filters: 17.21%
Pirated software spam: 6.56%
Counterfeit Watches and Shoes: 19.26%
Casino spam: 0.09%
Diploma spam: 4.10%
HTML Tricks: 5.74%
Spam sent to and from same email account: 3.28%
Known Spam Subjects: 4.10%
DNS Blacklists: 1.23%
Bayesian learning filter: 1.23%

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Try Firetrust Mailwasher® Pro

I mentioned in this article that I use MailWasher Pro to screen and filter out spam, before it is downloaded to Outlook Express (or your equivalent POP3 email client), and that it allows the use of special pattern matching of senders' addresses to blacklist them. I thought I would share the five main pattern matching blacklist filters with you. You can use them in MailWasher, if you have it, or on your web site's cPanel, in the account-wide email filters section, if you know how to use that feature. Here are the four "biggies" that typically block 26+% of all spam.

I set my blacklist to automatically delete, so I never see a message that is matched by these filters. If you choose to do the same you had better add all of your legitimate contacts to your Friends List, just in case. I also apply the same filter rules to my email server, on my website, thus eliminating a sizable percentage of spam without making MailWasher do the work. Those rules are listed below the equivalent MailWasher filters.

My MailWasher Pro custom BlackList wildcard patterns for current forged senders of spam:

MailWasher BlackList code: _+@+.+
Regular Expression for mail server filter use: _.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: _
Discard message

MailWasher BlackList code: -+@+.+
Regular Expression for mail server filter use: -.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: -
Discard message

MailWasher BlackList code: dw+m@+.+
Regular Expression for mail server filter use: dw.+m@.+
Discard message

MailWasher BlackList code: lin+met@+.de
Regular Expression for mail server filter use: lin.+met@.+\.de
Discard message

MailWasher BlackList code: tequil*a+@+.com
Regular Expression for mail server filter use: tequil.*a.+@.+\.com
Discard message

NEW MailWasher Blacklist Rule: +@bestdebtrepair.net
Regular Expression for mail server filter use: .+@bestdebtrepair\.net
Discard message

Here is my custom filter rule that matches senders with a forged domain name on both sides of the @ sign:

[enabled],XdomainY@domain.tld,BlackList,0,AND,Delete,Automatic,EntireHeader,containsRE,"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1"
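As an added example (my own, not MailWasher's code or the post author's), the following Python emulates both kinds of rule above: it translates the MailWasher wildcard codes into anchored regexes (escaping the literal dots, so it is slightly stricter than the hand-written server regexes quoted above) and applies the regex from the XdomainY@domain.tld filter line to constructed sample headers. It assumes that MailWasher's EntireHeader/containsRE evaluates the pattern over the whole header block with ^ matching at line starts, emulated here with MULTILINE and DOTALL; all addresses and domains in it are constructed.

```python
import re

# Added example, not MailWasher's code nor the blog author's: emulate the two
# kinds of sender blacklist rule described in the post.
# MailWasher wildcard syntax as used on the page: "*" = any run of characters
# (zero or more), "+" = one or more characters; everything else is literal.
# Dots are escaped, so this is slightly stricter than the hand-written server
# regexes quoted in the post.
def wildcard_to_regex(pattern: str) -> str:
    parts = {"*": ".*", "+": ".+"}
    return "^" + "".join(parts.get(c, re.escape(c)) for c in pattern) + "$"

# The six MailWasher BlackList codes quoted in the post.
BLACKLIST_CODES = ["_+@+.+", "-+@+.+", "dw+m@+.+", "lin+met@+.de",
                   "tequil*a+@+.com", "+@bestdebtrepair.net"]
BLACKLIST_RE = [re.compile(wildcard_to_regex(p), re.IGNORECASE)
                for p in BLACKLIST_CODES]

def blacklisted(sender: str) -> bool:
    """True if a bare sender address matches any of the wildcard rules."""
    return any(rx.match(sender) for rx in BLACKLIST_RE)

# The post's custom filter line for "XdomainY@domain.tld" senders. The regex is
# the tenth, quoted field and itself contains a comma ("\w{2,4}"), so split on
# the first nine commas only.
FILTER_LINE = (r'[enabled],XdomainY@domain.tld,BlackList,0,AND,Delete,Automatic,'
               r'EntireHeader,containsRE,'
               r'"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1"')

def regex_from_filter_line(line: str) -> str:
    return line.split(",", 9)[9].strip('"')

# Assumption: "EntireHeader" + "containsRE" runs the pattern over the whole
# header block with "^" matching at line starts (emulated: MULTILINE | DOTALL).
FORGED_DOMAIN_RE = re.compile(regex_from_filter_line(FILTER_LINE),
                              re.MULTILINE | re.DOTALL)

def forged_domain_sender(headers: str) -> bool:
    """True if the From local part embeds the domain seen in the Received line."""
    return FORGED_DOMAIN_RE.search(headers) is not None

# Constructed sample headers (not real messages).
SPAM_HEADERS = (
    "Received: from zombie.example.net ([198.51.100.7]) by mx.example.org "
    "with ESMTP; envelope-from <bounce@foodomain.com>\n"
    'From: "Sales" <qzfoodomainxk@foodomain.com>\n'
    "Subject: Your order\n")
CLEAN_HEADERS = (
    "Received: from mail.example.org ([192.0.2.10]) by mx.example.org "
    "with ESMTP; envelope-from <alice@example.org>\n"
    'From: "Alice" <alice@example.org>\n'
    "Subject: Lunch?\n")

if __name__ == "__main__":
    for addr in ["_promo77@deals.example", "linxmet@host.de",
                 "tequila99@shop.com", "alice@example.org"]:
        print(f"{addr:28} blacklisted={blacklisted(addr)}")
    print("forged-domain spam :", forged_domain_sender(SPAM_HEADERS))
    print("forged-domain clean:", forged_domain_sender(CLEAN_HEADERS))
```

Both rules fire on any sender that fits the shape, so a legitimate correspondent whose local part happens to embed their own domain name would be discarded too; that is the reason for adding real contacts to the Friends List before switching the blacklist to automatic delete.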

Learn more about MailWasher Pro, or Get MailWasher Pro here


March 13, 2008

Spybot Search & Destroy Malware Definitions Updated on March 12, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of its name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on March 12, 2008:

Adware
+ Wintouch

Dialer
+ Win32.Dialer.aeh

Keyloggers (Keyloggers steal your logins and passwords)
+ XPAdvancedKeylogger

Malware (Includes fake anti-virus and anti-spyware programs)
+ AntiSpyWare2007
+ NousTech.SysCleaner
+ NousTech.SystemDefender
+ RegClean
+ SpywareBOT.SpywareStop
+ Win32.BHO.je
+ Win32.VB.ck
+ WinSpyKiller

Trojans (6 new classes of Zlob* Trojans and 141 variants!)
+ FakeAlert (273)
+ Smitfraud-C.MSVPS (28)
+ Win32.Agent.ahj
+ Win32.Agent.jmh
+ Zlob.DNSChanger.Rtk (13)
+ Zlob.Downloader.mld
+ Zlob.Downloader.se (115)
+ Zlob.Downloader.sg (5)
+ Zlob.Downloader.sot (8)
+ Zlob.Downloader.vdt

Total: 554374 fingerprints in 122623 rules for 3701 products.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5.x, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History


March 11, 2008

AVG Free to cease support of Windows 98, ME and NT, in Aug 2008

If you operate a Windows 98, ME, or NT computer online, with AVG Anti-Virus Free Edition protection, this statement on the AVG Free Supported Platforms page will be of utmost importance to you.

"* Some older operating systems such as Microsoft Windows ME, Microsoft Windows NT and Microsoft Windows 98 will only be supported until August 2008 as a minimum."

While this policy statement does not specify an actual date in August 2008 for the end of support, and the last three words are vague, the intent is quite obvious. At some date in, or shortly after, August 2008, they will probably issue a new version of AVG Free, which will not install on Windows 98, ME, or NT computers.

People with these affected operating systems may think that by simply not upgrading, they will be able to continue to use the existing version. It is true that their version of AVG will still function, but when Grisoft stops releasing automatic updates for the previous versions, these folks are going to be unprotected against new and altered threats. In today's world that is tantamount to no protection at all.

AVG Anti-Virus Free Edition is currently updated automatically, once a day,