« February 2008 | Blog Home | April 2008 »

March 30, 2008

My Spam analysis for March 24 - 30, 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that male enhancement pills and other pharmaceuticals were finally displaced from the top spot in my spam categories, with Nigerian 419 and lottery scams, counterfeit brands of watches, clothing and footware, fake diplomas and debt consolidation loans, leading the pack. Most of the spam emails have links to websites hosted in China or Korea. Most of the fake and counterfeit watches, clothing, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets.

< rant >
The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the World, who will purchase enough drugs from links in spam emails to make it financially worth while for spammers to pay to rent botnets to send this crap. Considering the fact that most of these pharmaceuticals are fake, or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent, online pharmacies?
< /rant >

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter, that when matched, assigns the status "BlackList" to those spam messages. This excludes lots of spam emails being categorized, since my blacklist rule is processed first. This saves processing power that is normally required by my custom filters. Furthermore, I have now applied some of my blacklist terms to the email server, on my website, automatically eliminating a huge portion of certain types of forged sender spam.

My current statistics show that spam is now 55% of all my incoming email, for the week of March 24 through 30, 2008. Without my custom MailWasher Pro filters identifying and automatically deleting most of this crap, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters for you all). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by Trojans people are tricked into clicking on. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for March 24 through 30, 2008.
Blacklisted (by pattern matching): 26.07%
Male enhancement spam: 5.83%
Other Pharmaceutical spam (includes Viagra and Cialis): 3.89%
Other filters: (See my MWP Filters page) 18.29%
Counterfeit Watches and Shoes: 7.39%
Loans and bankruptcy spam: 5.06%
Diploma spam: 5.06%
HTML Tricks: 4.28%
Nigerian 419 and Lottery Scams: 2.72%
Known Spam, by Subject, Body, or Sender: 15.56%
Google Redirect Exploits (to hostile downloads): 4.67%
DNS Blacklists: 0.40%
Bayesian learning filter: 0.78%

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Try Firetrust Mailwasher® Pro

I mentioned in this article that I use MailWasher Pro to screen and filter out spam, before it is downloaded to Outlook Express (or your equivalent POP3 email client), and that it allows the use of special pattern matching of senders' addresses to blacklist them. I thought I would share the five main pattern matching blacklist filters with you. You can use them in MailWasher, if you have it, or on your web site's cPanel, in the account-wide email filters section, if you know how to use that feature. Here are the four 'biggies" that typically block 26+% of all spam.

I set my blacklist to automatically delete, so I never see a message that is matched by these filters. If you choose to do the same you had better add all of your legitimate contacts to your Friends List, just in case. I also apply the same filter rules to my email server, on my website, thus eliminating a sizable percentage of spam without making MailWasher do the work. Those rules are listed below the equivalent MailWasher filters.

My MailWasher Pro custom BlackList wildcard patterns for current forged senders of spam:

MailWasher BlackList code: _+@+.+
Regular Expression for mail server filter use: _.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: _
Discard message

MailWasher BlackList code: -+@+.+
Regular Expression for mail server filter use: -.+@.+
Plain text filter for mail server: FROM: BEGINS WITH:
Discard message

MailWasher BlackList code: dw+m@+.+
Regular Expression for mail server filter use: dw.+m@.+
Discard message

MailWasher BlackList code: lin+met@+.de
Regular Expression for mail server filter use: lin.+met@.+\.de
Discard message

MailWasher BlackList code: tequil*a+@+.com
Regular Expression for mail server filter use: tequil.*a.+@.+\.com
Discard message

MailWasher Blacklist code: +@bestdebtrepair[email protected]
Regular Expression for mail server filter use: .+@bestdebtrepair\.net
Discard message

NEW MailWasher Blacklist code (3/27/08): [email protected]
Regular Expression for mail server filter use: .+@freenet\.de
Discard message

Here is my custom filter rule that matches senders with a forged domain name on both sides of the @ sign:

[enabled],[email protected],BlackList,0,AND,Delete,Automatic,EntireHeader,containsRE,"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1"

Learn more about MailWasher Pro, or Get MailWasher Pro here

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

March 28, 2008

Nigerian Scammers operating out of Madrid Spain plus, using Botnets

Lately, I have been getting lots of Nigerian 419 Lottery scams, with the originating IP located in Spain, especially the ISPs - Ono.com and Telefonica.es. However, when I report these scams to SpamCop, a lot of the sending (not originating) IP addresses end up belonging to residential customers of broadband services in the US, Europe and South America. This tells me that the Nigerian crime gangs have buddied up with the owners of a botnet and are using it to relay some of their scam messages. Furthermore, some, but not all, of the scam emails also contain clickable links that lead to instant downloads of Trojan Horse downloaders, Keyloggers and Backdoors. This stinks of the Storm-Worm-Zhelatin Gang, located in St. Petersburg, Russia, although it could be a different botnet being rented out to Nigerians.

The main point of this article is not about botnets. Rather, it is to point out that many Nigerian 419 fraudsters are moving out of Africa, and Amsterdam (where they got arrested, convicted and deported), and settling in Spain. Not wanting to have their scam/spam messages traced directly to them, they have taken to the airwaves, literally. They are "piggybacking" on their neighbors' unsecured wireless routers, in apartment complexes or houses, using IP addresses assigned to other legitimate customers, to send scam runs. The victims are completely unaware that anything illegal is happening, until the Police come knocking on their door. Fortunately, the Nigerians who are piggybacking on the broadband accounts are in the same buildings. This has allowed the Spanish Police to locate and arrest some of them, as happened on February 18, 2008. Here is a quote from the Sophos article about those arrests:


Ten Nigerians arrested in Spain for email lottery scam
February 18, 2008

The ten people, all Nigerian nationals, are suspected of making more than 19,000 Euros ($28,000) in three months by demanding payments from innocent internet users who believed they had won a lottery.

Police report that the emails sent by the suspects were sent from the Teatinos area of Malaga in Spain, by piggybacking on a neighbour's wi-fi internet connection without permission. Seven arrests were made in Malaga, and three more in Huelva province.

Malaga is no stranger to Nigerian-run email scams. In 2005, 310 people were arrested in Malaga in what was said to be the biggest ever bust of a lottery scam gang. The arrests followed an investigation by the FBI and Spanish police into a scam run by Nigerian gangs.

If you run a forum or website that is plagued by Nigerian scammers you can block them from accessing it by employing a "blocklist." I publish and maintain a Nigerian Blocklist in two common formats:


  1. .htaccess - for most Apache-based, shared hosting websites, where the webmaster only has control over his/her own website. The .htaccess rules will only block browsing you site and form submissions, but not email scams.

  2. iptables - for those administrator-webmasters, who have Root access to dedicated, or VPS - Linux based servers. Iptables rules can be imported into your APF firewall, to block all access to undesirables, including email access.


Rather than create an entire new blocklist for the Nigerians residing in Spain, I am adding the IP addresses and CIDRs of Spanish IPSs to my Nigerian Blocklists.

End users, who receive email via a POP client (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora), and are tired of sorting through dozens or hundreds of daily email scams and other spam, can use the program I use to filter out spam and scams. That program is MailWasher Pro, which you can read about here.

In the meantime, do not fall for any lottery scams, or other free money pitches coming from Nigerian criminals. To see the details about what they have been up to recently, read my blog article about the sudden surge in Nigerian lottery scams.

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

March 26, 2008

Spybot Search and Destroy Malware Definitions Updated on March 26, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on March 26, 2008:

Keyloggers (Keyloggers steal your logins and passwords)
+ SpyKeylogger
+ SpyMyPC
+ StaticX

Malware Includes fake anti-virus and anti-spyware programs
+ AlfaCleaner
+ AntiSpywareSoldier
+ AzeSearch
+ Cleanator
+ FakeAlert.cc
+ Fraud.XPAntivirus
+ MalwareWipe
+ Performance Optimizer
+ Smitfraud-C.gp
+ SpyCrush
+ SpyDawn
+ SpyHeal
+ SpyShredder
+ SpywareIsolator
+ TrustCleaner
+ Vcodec.Intcodec
+ Virtumonde.dll (incl: 5955 variants)
+ VirusBurst
+ Win32.BHO.je
+ Win32.Renos
+ WinXDefender

Trojans Featuring 12 updated detections of Zlob* Trojans
+ Smitfraud-C.
+ Smitfraud-C.MSVPS
+ Win32.Dropper.Agent.byv
+ Win32.EESbinder
+ Zlob.DirectVideo
+ Zlob.Downloader.se
+ Zlob.Downloader.sg
+ Zlob.GoldCodec
+ Zlob.HQVideoCodec
+ Zlob.ImageActiveXObject
+ Zlob.KeyGenerator
+ Zlob.MMediaCodec
+ Zlob.QualityCodec
+ Zlob.SiteTicket
+ Zlob.VideoAccess
+ Zlob.VideoKeyCodec

Total: 565762 fingerprints in 126261 rules for 3758 products!

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans are constantly modified by it's maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5.x, using the company links below.

NOTE
I just experienced something unusual and I suspect a lot more Spybot S&D users may have this happen also. I normally operate as a Power User, in Windows XP Professional. I switch to my administrator level account to upgrade programs like Spybot S&D and apply system-wide immunization, which cannot be as easily done from a Limited User account. After installing the available updates for March 26, 2008, I ran Spybot and let it remove some cookies it found. After that, having defragged and run Windows Update from the Admin account, I logged off that account and into what I thought was my regular account. When I got there most of my desktop icons were missing, the custom settings were gone and things were not right in Whoville. I quickly thought about what might cause this and instinctively I restarted the computer. After logging in at the Welcome screen all of my icons and settings were restored. Whew! If this happens to you, it is caused by the new anti-rootkit plug-ins, as I have since learned. After you update the Spybot S&D program in an Admin account, reboot before logging in to a lesser privileged account. This way you won't lose any personalized settings. I hope they fix this soon!

I just found this information posted by a member of Team Spybot, on the official Forum, regarding multiple account computers having profile corruption issues:

That's a problem when you run the update while Spybot-S&D is open. To avoid this completely, just run the updater from the start menu while Spybot-S&D is closed. But as I wrote, a restart will allow login again. 1.5.3 will have it fixed as well.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as an individuals who benefits from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

Sudden surge in Nigerian 419 Scam emails

For the last two days I have been getting lots of spam messages sent by Nigerian criminals, who are running a new 419 Advance Fee Fraud campaign. The current crop of 419 scams are mostly composed using all capital letters in the subject (but not always), and when you read the message body, it appears to come from a Barrister, or Solicitor, or a lottery, or a Will Executor. Huge rewards supposedly await the Mugu's (Fools) who respond and are willing to pay some processing fees to get this money transferred into their soon to be emptied bank accounts.

This request for fees to be paid in advance of the transfer of the imaginary funds is referred to as a 419 scam. That is the number of the statute in the Nigerian Criminal Code that covers financial advance fee fraud.

Here is a list of the subjects from the email scams I have received in the past 60 hours (Updated 3/28/08):

ASSISTANCE
ATM PAYMENT
Attention, Attention,, Attention
Attn:Beneficiary
CONTACT EFEX COURIER COMPANY ASAP
CONTACT FEDEX COURIER COMPANY FOR YOUR DELIVERY
CONTACT FEDEX COURIER COMPANY FOR YOUR PARCEL
CONTACT REV. DR. KENNETH OKOM DIRECTOR OF ATM CARD BANK
CONTACT YOUR ATM MASETR CARD
CONTACT YOUR ATM PAYMENT CENTER
Contact your claims agent
Dear Friend
From Barrister James.
FROM: PETER SUMEN. (NPA)
GOOD NEWS
IMPORTANT NOTICE
THIS IS FOR YOUR ATTENTION.
WILL EXECUTION
YOUR CONTRACT PAYMENT
Your Payment
GOOD NEWS CONTACT HALLMARK DELIVERY COMPANY FOR THE DELIVERY OF YOUR CONSIGNMENT ASAP.

Many of the message bodies begin with "Dear Friend,". Every one of these spam messages was an attempted 419 scam. If you get any email with these subjects you can probably be safe deleting it without reading the crap inside. If your email system allows for special filter rules, create one to delete or flag as spam all messages containing ALL CAPS. Spam Assassin already has this rule built into it. I personally use MailWasher Pro to screen all of my incoming POP email, before I download it to Outlook Express. MailWasher Pro uses a variety of methods to recognize spam and scams, including user created custom filters. I happen to write and maintain a group of filters for MailWasher Pro. They are available on my MailWasher Filters Page.

If you already have MailWasher and need a filter rule to detect messages containing all capital letters, here it is (the rule should be on one long continuous line):

[enabled],"Subject All Caps/Missing (S)","Subject All Caps/Missing (S)",33023,OR,Delete,Subject,doesn'tContainRE,(?-i)[a-z],Subject,doesn'tContainRE,.

Here is my MailWasher filter for known 419 scams (one long line):

[enabled],"Nigerian 419 Scams","419 Scam",16711680,OR,Blacklist,Delete,Body,containsRE,"^(?-i)Dear\ (Sir/Madam|Friend),(
)?$",Body,contains,"URGENT AND CONFIDENTIAL",Body,contains,"BANK OF NIGERIA",Subject,is,"URGENT AND CONFIDENTIAL",Body,containsRE,"unclaimed\ (benefits|funds)",Subject,contains,"CONFIDENTIAL MUTUAL BUSINESS PROPOSAL",Body,contains,"contacting you based on Trust",From,contains,"Department of National Lotteries",Subject,contains,"UNITEDN NATION",Subject,containsRE,"TREAT\ (AS|VERY)\ (CONFIDENTIAL|URGENT)"

Just copy and paste that rule into your MailWasher filters.txt file, which is found in (Windows XP) your logged in identity > Documents and Settings > Application Data > MailwasherPro folder. Make sure MailWasher is closed before you add this rule, save the file, then open MWP again. The rule should be visible when you click on View > Filter Sidebar (Ctrl+F7). You can download MailWasher Pro here.

Do not ever fall for the pitches from these Con men in Nigeria. They are very good at relieving North Americans and Brits of their excess money, using greed as the bait.

If you have a website, with a forum, hosted on an Apache web server, and your members are getting harassed by Nigerian scammers, you should consider applying my .htaccess Nigerian Blocklist, to your web or forum root folder. This will block them from viewing posts, or signing up for accounts, using a browser, but won't block email or ftp access. On the other hand, if you have administrator access to the operating system itself, applying my Nigerian iptables blocklist to your Linux APF firewall will block not only http browsing, but also, email from Nigerian criminals, signups and ftp access. They won't be able to access your server whatsoever, if you apply the firewall rules.

.htaccess blocklist (recommended for most non-admin webmasters):
My .htaccess Nigerian Blocklist is found here

Linux APF firewall - iptables blocklist, for admins with root access:
My iptables Nigerian Blocklist is located here

I also publish blocklists in both .htaccess and iptables formats, to block Chinese and Korean traffic, Russian and Turkish spammers and exploited servers.

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

March 25, 2008

Mozilla Releases Firefox Browser 2.0.0.13 Security Update

March 25, 2008

Tonight, while I was browsing with Firefox, it was suddenly upgraded from version 2.0.0.12 to 2.0.0.13. This is because I set the option for Firefox to automatically check for and apply updates. Being the curious type I looked up the release notes, to find out why this new sub-version was pushed out, so quietly tonight. Here is the skinny.

What's New in Firefox 2.0.0.13

Release Date: March 25, 2008
Security Update: The following security issues were fixed.

  1. MFSA 2008-19: XUL popup spoofing variant (cross-tab popups) - High
  2. MFSA 2008-18: Java socket connection to any local port via LiveConnect - High
  3. MFSA 2008-17: Privacy issue with SSL Client Authentication - Low
  4. MFSA 2008-16: HTTP Referrer spoofing with malformed URLs - Moderate
  5. MFSA 2008-15: Crashes with evidence of memory corruption (rv:1.8.1.13) - Critical
  6. MFSA 2008-14: JavaScript privilege escalation and arbitrary code execution - Critical

This is half the vulnerabilities that were patched in the previous upgrade, from 2.0.0.11 to 2.0.0.12, which was released on February 7, 2008. If you use Firefox Browsers you should check for updates as soon as you go online with a computer it is installed on. It may beat you to the draw though! Otherwise, open Firefox and click on the Menu Item: "Help" > "Check for Updates." If you need the update it will be displayed prominently, with a button to Download and Install now. It'll only take a minute or so, on Broadband, after which a box will pop-up telling you that Firefox was upgraded and must be restarted. Click Ok to restart, even if you have multiple tabs open. They will reopen when Firefox restarts. You may have to login to password protected sites. After the update and restart, if you use and Add-Ons, or Extensions, run a check for updates to those items. It may take a few days for the authors to catch up and issue new releases to remain compatible with the latest updates. Most of the time everything I have added on still works after numerous upgrades.

If this is all news to you and you have not tried the FIrefox browser, here is a link to the official Firefox download page, for all languages. If you, like me, are in the US (or Canada), and use the US English version, on a Windows based computer, here is your Firefox download link, for the 5.7 Mb file. Save it to your hard drive and run setup. During the setup process Firefox will offer to import your Internet Explorer Favorites and Cookies. Allow it to import these items and finish the installation. Once Firefox opens you will have Bookmarks instead of Favorites, but, all of your previously saved Favorites will be available by clicking on Bookmarks > "From Internet Explorer." Mouse over this folder and all your Favorites will flyout in a list. Clicking on any bookmark will open it in the browser. Since you told it to import your cookies your preferences will carry over as well, although you may have to re-type your logins to some websites, manually. If this is necessary, tell Firefox to remember your login for that website and it will be safely stored for you.

Firefox is a tabbed browser and can open links you click on in a new tab, instead of a new Window. You have the option of giving the new tab focus, or staying put where you were when you clicked on the link. Furthermore, Firefox does not run any ActiveX controls, thus making it infinitely more safe to browse with then Internet "Exploder." Give Firefox a try today.

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

March 24, 2008

Russian connection to user agent "WordPress/2.1.1" in website access logs

I read the access logs for my website every day and sometimes I see something that jumps out and grabs my attention, as not right. This month, that something is a bunch of attempts to grab various pages on my blog, in an unusual manner, with a very unusual user agent: WordPress/2.1.1

At first I thought that somebody is just trying to pick up my MovableType RSS feed, but that is not what they are after. So, I did a little research on "WordPress/2.1.1" and learned that it represents a hacker compromised version of the popular WordPress PHP blogging software, which was updated months ago, to version 2.1.2, by Wordpress.org. I suppose that there may be some Wordpress users who haven't heard that this version was hacked with a backdoor, and haven't bothered to check for updates, but the log entries I am seeing are not from a Wordpress blog. I decided to do a little investigating, which is something I am good at. So, I followed the IP addresses to see from whence they came.

What I have learned so far, regarding the visitors who have configured their browser with the user agent "WordPress/2.1.1" is that, (A) - they come at me with no "Referer" field entry, (B) - they always try to GET a blog article itself, followed immediately with a request for the HEAD, and (C) - they change IP addresses after getting my 403 (Forbidden) message and try again. This cloaking of IP addresses has no effect, since I am also blocking them by their User Agent string.

Let's take a look at the access log entries for this user agent (stretch out or maximize your browser):

67.228.198.50 - - [02/Mar/2008:00:58:01 -0700] "GET /blogs/2008/02/my_spam_analysis_for_february_18_24_2008.html HTTP/1.1" 403 350 "-" "WordPress/2.1.1"
67.228.198.50 - - [02/Mar/2008:01:04:52 -0700] "HEAD /blogs/2008/02/my_spam_analysis_for_february_11_17_2008.html HTTP/1.1" 403 238 "-" "WordPress/2.1.1"

69.50.177.18 - - [13/Mar/2008:12:06:49 -0600] "GET /blogs/2008/03/2wire_modem_dns_poisoning_attack_returns_to.html HTTP/1.1" 403 351 "-" "WordPress/2.1.1"
69.50.177.18 - - [13/Mar/2008:12:07:14 -0600] "HEAD /blogs/2008/03/2wire_modem_dns_poisoning_attack_returns_to.html HTTP/1.1" 403 238 "-" "WordPress/2.1.1"

83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

89.108.85.75 - - [23/Mar/2008:16:52:38 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
89.108.85.75 - - [23/Mar/2008:16:53:08 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

91.192.116.2 - - [23/Mar/2008:18:56:59 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
91.192.116.2 - - [23/Mar/2008:18:57:14 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

216.255.185.178 - - [24/Mar/2008:10:15:07 -0600] "GET /blogs/2008/03/followup_article_about_windows_vista_sp1_rel.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1
216.255.185.178 - - [24/Mar/2008:10:15:22 -0600] "HEAD /blogs/2008/03/followup_article_about_windows_vista_sp1_rel.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1

These are definitely not typical access log entries and nothing a normal search engine or human visitor would do. Wordpress is a software blog application that gets installed onto web servers. It is not a browser. User agents are words that identify a browser, or a search engine, or robot. Despite the diversity of IP addresses, these visits are not unrelated. Read my extended comments to see where these IP addresses are allocated and my conclusions about their source and probable intent.

We are following the strange access log entries of a visit from somebody, or some bot, using the distinct user agent string: Wordpress/2.1.1. It hit my server over most of the month of March (so far), always using a GET followed by a HEAD request, for the same blog files. Let's trace those IP addresses to their home bases.

67.228.198.50 belongs to SoftLayer, a web host full of compromised servers and websites, that is on my Exploited Servers Blocklist.

69.50.177.18 belongs to Concord Intercage / Atrivo.com, with a CIDR of 69.50.160.0/19.

NetRange: 69.50.160.0 - 69.50.191.255
CIDR: 69.50.160.0/19
NetName: INTERCAGE-NETWORK-GROUP
NetHandle: NET-69-50-160-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: MAIL.ATRIVO.COM
NameServer: PAVEL.ATRIVO.COM

What do we know about Atrivo and Intercage? LOTS!

A quick lookup of the IP in question, 69.50.177.18, at Spamhaus.org, reveals this interesting tidbit, under Ref: SBL53320:


69.50.160.0/19 is listed on the Spamhaus Block List (SBL)

Hosting: inhoster.com spammer/cybercrime hosting front

See:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL36702

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL36453
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

What is the connection between Intercage, Atrivo and Inhoster? Inhoster is registered via estdomains, which is hosted on Intercage/Atrivo, all of which are owned by the same person.

83.222.14.129 belongs to MASTERHOST-COLOCATION, which is located at Lyalin lane 3, bld 3, 105062, Moscow, Russia. The CIDR for Masterhost is 83.222.0.0/19.

89.108.85.75 is assigned to Agava Company, based in B. Novodmitrovskaya str., 36/4, 127015 Moscow, Russia. Their CIDR is 89.108.64.0/19.

91.192.116.2 is hosted in the United Kingdom, on servers owned by TodayHost Ltd. IP addresses within their CIDR; 91.192.116.0/22, have been harassing my website for a couple of months now. All of their efforts are blocked thusfar.

216.255.185.178 is owned by none other than Intercage! This particular net block has a CIDR of 216.255.176.0/20.

These unusual visits from multiple IPs, are traced back to Russian concerns. Inhoster is involved here, as probably is the RBN. Whatever they are up to, it is no good. My guess is that this is either an attempt to read the source code of my blog, looking for a way to send automated comment spam, or to test my security fences. The single British host is no surprise to me either. I have already learned that the RBN is now farming out servers from certain UK concerns, but using them for their own, malicious purposes.

My recommendations for other webmasters.
Apply my Exploited Servers Blocklist and my Russian Blocklist to your Apache Server .htaccess file, as soon as possible. If you have root access to your Linux based server, use my iptables blocklists instead, in your Linux APF firewall.

A sample of the blocklist for .htaccess, for just these aforementioned IP CIDRs, is:

<Files *>
order deny,allow
deny from 67.228.0.0/16 69.50.160.0/19 83.222.0.0/19 89.108.64.0/19 91.192.116.0/22 216.255.176.0/20
</Files>

Additionally. block access to anybody with the exact user agent "WordPress/2.1.1" - in your .htaccess, with the following rule:

RewriteCond %{HTTP_USER_AGENT} ^WordPress/2\.1\.1$
RewriteRule .* - [F]

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

March 23, 2008

My Spam analysis for March 17 - 23 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that male enhancement pills and other fake pharmaceuticals dominated all spam categories, but, with counterfeit brands of watches, clothing and footware, along with fake diplomas, making a big comeback. Most of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Much of the fake and counterfeit drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets.

< rant >
The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the World, who will purchase enough drugs from links in spam emails to make it financially worth while for spammers to pay to rent botnets to send this crap. Considering the fact that most of these pharmaceuticals are fake, or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent, online pharmacies?
< /rant >

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter, that when matched, assigns the status "BlackList" to those spam messages. This excludes lots of spam emails being categorized, since my blacklist rule is processed first. This saves processing power that is normally required by my custom filters. Furthermore, I have now applied some of my blacklist terms to the email server, on my website, automatically eliminating a huge portion of certain types of forged sender spam.

My current statistics show that spam is now 50% of all my incoming email, for the week of March 17 through 23, 2008. This is 6% down from last week, much of which is attributable to me applying pattern matching spam filters to my mail server. However, 50% spam is still getting through and without my custom MailWasher Pro filters identifying and automatically deleting most of this crap, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters for you all). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by Trojans people are tricked into clicking on. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for March 17 through 23, 2008.
Blacklisted (by pattern matching): 15.49%
Male enhancement spam: 15.96%
Other filters: (See my MWP Filters page) 26.29%
Counterfeit Watches and Shoes: 18.78%
Casino spam: 3.29%
Diploma spam: 6.10%
HTML Tricks: 6.10%
Spam sent to and from same email account: 2.82%
Known Spam Subjects: 4.23%
DNS Blacklists: 0.47%
Bayesian learning filter: 0.47%

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Try Firetrust Mailwasher® Pro

I mentioned in this article that I use MailWasher Pro to screen and filter out spam, before it is downloaded to Outlook Express (or your equivalent POP3 email client), and that it allows the use of special pattern matching of senders' addresses to blacklist them. I thought I would share the five main pattern matching blacklist filters with you. You can use them in MailWasher, if you have it, or on your web site's cPanel, in the account-wide email filters section, if you know how to use that feature. Here are the four 'biggies" that typically block 26+% of all spam.

I set my blacklist to automatically delete, so I never see a message that is matched by these filters. If you choose to do the same you had better add all of your legitimate contacts to your Friends List, just in case. I also apply the same filter rules to my email server, on my website, thus eliminating a sizable percentage of spam without making MailWasher do the work. Those rules are listed below the equivalent MailWasher filters.

My MailWasher Pro custom BlackList wildcard patterns for current forged senders of spam:

MailWasher BlackList code: _+@+.+
Regular Expression for mail server filter use: _.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: _
Discard message

MailWasher BlackList code: -+@+.+
Regular Expression for mail server filter use: -.+@.+
Plain text filter for mail server: FROM: BEGINS WITH:
Discard message

MailWasher BlackList code: dw+m@+.+
Regular Expression for mail server filter use: dw.+m@.+
Discard message

MailWasher BlackList code: lin+met@+.de
Regular Expression for mail server filter use: lin.+met@.+\.de
Discard message

MailWasher BlackList code: tequil*a+@+.com
Regular Expression for mail server filter use: tequil.*a.+@.+\.com
Discard message

NEW MailWasher Blacklist Rule: [email protected]
Regular Expression for mail server filter use: .+@bestdebtrepair\.net
Discard message

Here is my custom filter rule that matches senders with a forged domain name on both sides of the @ sign:

[enabled],[email protected],BlackList,0,AND,Delete,Automatic,EntireHeader,containsRE,"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1"

Learn more about MailWasher Pro, or Get MailWasher Pro here

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

New backdoor threat in spam email using recording artist names

If I got this, you will too. Be on the lookout for a spam email with the name of a major female recording artist in a subject and a message body claiming it has a link to a video or mp3 file. Clicking on said link will result in the download and possible execution of a file named mgp.exe, which has been identified by AVG as Backdoor IRCBOT.DNZ. Activating this threat will give control of your PC to hackers who will control it using IRC channels and commands. After that, there is no telling what other malware or spam-ware will be installed onto your computer.

The file I tested (mgp.exe) is 61.5 kb in size and was delivered from a compromised Italian website, AlterVista.org, whose IP address range is from 75.126.135.128 - 75.126.135.143, which is hosted on servers leased from Softlayer, Inc.

Those of you who use my exploited servers blocklist are already aware that Softlayer's IP range is in the list of servers being exploited for spam and hosting malware. The IP range is expressed as what is known as a CIDR and in the case of Softlayer the CIDR to block is 75.126.0.0/16 - which covers all IP addresses from 75.126.0.0 through 75.126.255.255. The CIDR assigned to the infected Italian website is 75.126.135.128/28. This message has already been reported to SpamCop, by numerous reporting recipients. They will notify the companies involved in hosting this malware threat, but, the timing of this spam threat is no coincidence. This threat was released on the Easter long holiday weekend, when support personnel may be out or short-handed until Tuesday, in the hopes of maximizing the usability of the ruse.

If you have control over incoming email on your web server, you may wish to apply a filter to block traffic from these CIDRs, unless you have business with websites hosted there. Otherwise, create a filter to block email where the Subject contains "Stunning video" and "Carmen Electra" - and the body contains "Only 1 day trial" and "download it now."

The full text of the spam threat I examined is as follows...

Subject: Stunning video without cowards Carmen Electra Message Body:

Milla Jovovich Interesting video with a naked celebrity.

The video is Kick-up!

Only 1 day trial - get this Full mp3 now!

{link removed} Download it now!

Read about what you should do if you have already clicked on such a link, in my extended comments...

If you have already clicked on the link you should scan your computer immediately, with the most up to date anti-virus definitions for your anti virus program. Also, empty your browser's cache, or Temporary Internet Files to delete the copy that is hiding in that location. If your anti virus program is expired, it is useless and you may as well uninstall it and replace it with something up to date and functional. You will either need to purchase a subscription to a commercial anti malware program or download a free one, like AVG or Avast. Free programs are alright for casual use, but don't give you anywhere near the protection and frequency of updates that a paid version offers. I have links to some well respected anti virus programs at the end of this section.

Most anti virus vendors already have released definitions to identify this Backdoor Trojan and will delete it if you haven't already activated the executable. If the virus is already installed they will remove it, but you may need to reboot and scan again. If you have already shut down your computer since becoming infected with this backdoor threat, you may also have to disable System Restore, to totally eliminate it. This is because these types of malware programs hook themselves into system files and locations, which are automatically backed up in System Restore Points. You may remove the threat and think it is gone, but, next time you reboot - System Restore will reinstall it! Sucks, don't it? Anyway, after turning off System Restore and disinfecting your computer thoroughly, you can turn it back on and set a new, clean restore point.

To disable or enable System Restore, right click on "My Computer" and choose "Properties." On the Properties sheet there is a tab labeled System Restore, which you should click on to open. In the System Restore property sheet there is a checkbox labeled "Turn off System Restore." Click in the box to select the option, click Apply, then acknowledge the pop-up challenge box, warning you that all restore points will be lost. Click Ok, to close the porperties sheets, then scan again, reboot, scan another time, then repeat the steps to goet to the System Restore sheet and uncheck the selection and Apply it. This will turn on System Restore again. Next, click on (All) Programs > Accessories > System Tools > System Restore and when the Restore Wizard opens, have it create a new Restore Point.

Next time you get a spam email inviting you to click on a link to view a video, or hear an mp3, don't do it and you won't have to go through this misery!

Links to legitimate anti virus programs and discount links

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

March 21, 2008

Followup article about Windows Vista SP-1 release problems

On March 20, 2008, I published an article on my blog about the release of Windows Vista Service Pack 1 and problems it was causing for some customers. Today, I learned some specifics about one of the pieces of hardware which is especially problematic for SP1 upgraders. That hardware is the Intel 945G Express series chipset that is found in thousands of computers that are being distributed and have been for the last year or so. I was building computers with Intel motherboards containing the 945G chipsets last summer. Most of these computers were loaded with XP Professional, but many were getting Vista Business installed. They all worked fine with the initial release of Vista, but that has come to a sudden halt, with the release of Vista SP1, for those machines.

The 945G Express chipset driver versions between numbers 7.14.10.1322 and 7.14.10.1403 won't work with Vista SP1, according to Microsoft. These chipsets are found in Asus and Intel OEM motherboards, and major name brands, like Gateway, Lenovo, Hewlett-Packard and others. The 945G Express chipset includes Intel's GMA 950 graphics core, which also won't work with Vista SP1 if those drivers are used. Intel has released updated drivers for the 945G Express chipsets, to the manufacturers of the motherboards and computer builders using them. You should visit the support website for your computer builder, or motherboard, to update all of your hardware to the latest drivers before even attempting to install SP1. Note, that in the case of certain drivers, Microsoft itself may release updated versions that are compatible with Vista SP1, via Automatic Windows Updates, or manual Microsoft Updates. If all else fails and your motherboard is made by Intel, go to their website, input your motherboard part number and look for the latest Vista drivers. The Intel 945G chipset information page is here.

Admittedly, this is a bunch of techno-babble to most people, but, if you attempted to upgrade to Vista SP1 and your motherboard hardware has all yellow exclamation marks next to each chipset, in Device Manager, you will want to understand what is causing it and where to start looking for solutions.

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

March 20, 2008

Windows Vista SP-1 released - some driver problems reported

On Tuesday, March 18, 2008, Microsoft released the first service pack, SP-1, for general dispersion, via Windows Updates. Microsoft describes the improvements contained in this service pack, as follows:

"In addition to all previously released updates, SP1 contains changes focused on addressing specific reliability and performance issues, supporting new types of hardware, and adding support for several emerging standards. SP1 also continues to make it easier for IT administrators to deploy and manage Windows Vista. Service Packs are not intended to be a vehicle for releasing significant new features or functionality; however some existing components do gain slightly enhanced functionality in SP1 to support industry standards and new requirements."

For most users the update to Vista SP-1 has been going smoothly, but there are others who are not so fortunate. Those folks are experiencing driver failures after rebooting from the upgrade process. Let's look into what is going wrong and what can be done to either prevent, or correct this problem.

Microsoft has been testing SP-1 for quite a while now and already knows about which hardware device drivers will experience trouble after the upgrade. For this reason Microsoft has been releasing its own driver updates for some of the most widely deployed chipsets which are at risk of failing during the upgrade to SP-1. Among those chipsets and drivers is the widely used Realtek AC97 audio device. Also listed as needing updated drivers are the following: SigmaTel, Creative Audigy and Conexant HD Audio. An Intel display driver also needs to be updated. I recommend visiting the Microsoft Support page describing these affected devices. On that page you are urged to visit the manufacturer's websites to search for updated drivers. This is always your best first option regarding device drivers. However, in the case of the Realtek drivers, Microsoft has written and made available its own upgraded driver and is making it available via Microsoft Updates.

When you run Microsoft Updates it will first check your installed hardware to see if any devices are on the list of affected hardware. If so, you will be offered an optional hardware update to fix that driver, in preparation for the installation of SP-1. Note, that these devices may be functionally perfectly under the initial release of Windows Vista. However, until you update the affected drivers you will not be offered the update to service pack 1. This is to protect your computer from device failures upon installing SP-1 and rebooting. Some of you may be tempted to go to the Microsoft download site and install the service pack manually. If you haven't taken care of the driver compatibility issues you will experience problems, such as are described on this Microsoft Support page. The following is a quote from the Microsoft Vista SP-1 Support page titled "Things to know before you download."

"Some Windows Vista users may encounter an issue with a small set of hardware devices that may not function properly after updating a Windows Vista PC to Windows Vista SP1. This is an issue with the way the device drivers were re-installed during the Windows Vista SP1 update process, not with the drivers themselves—these drivers worked on Windows Vista RTM and they work on Windows Vista SP1. This problem is typically corrected by simply uninstalling and reinstalling the driver. We are working with the manufacturers of these devices to get the known problematic drivers and their install programs updated, and also on other solutions we can use to ensure a smooth customer experience when updating to Windows Vista SP1 using Windows Update. For new PCs provisioned with Windows Vista SP1, this is not an issue."

There are bound to be improvements in the interaction of various applications and Windows Vista, as a result of the changes made in Vista Service Pack 1. One improvement I just learned about involves Acronis True Image, which was reportedly failing to lock certain disk volumes for making backups and were causing NTFS 137 errors, in the "default transaction resource manager." Microsoft worked with the Acronis team and discovered that there was a bug in the Vista code, causing this error. That bug has been fixed in Service Pack 1. I have a web page with information about the current version of Acronis True Image and download links to buy it at a special discounted price.

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

March 19, 2008

Spybot Search and Destroy Malware Definitions Updated on March 19, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on March 19, 2008:

Adware ++ Alertline ++ BaiduBar ++ Doublepoint ++ Windots

Dialer
+ Aconti

Keyloggers (Keyloggers steal your logins and passwords)
++ SpyBuddy
+ SWAgent

Malware Includes fake anti-virus and anti-spyware programs
+ AntiVirGear
+ FakeAlert
++ FakeAlert.mhg
++ MalWarrior
+ Smitfraud-C.gp
+ SpyLocked
++ SpywareLocked
++ SpywareRemover
+ Vario.RogueAntiSpy
+ Vcodec.eMedia
+ Virtumonde.dll (24)
++ Virtumonde.mhg (2911)
+ Win32.BHO.je
+ Win32.Renos
++ WinPerformance
PUPS Possibly Unpopular Software
+ Accoona

Spyware
+ AdBreak

Trojans Featuring 20 new or updated detections of Zlob* Trojans!
++ Banker
+ CnsMin
+ Smitfraud-C.MSVPS
++ Win32.Gamec.cq
++ Win32.Zhelatin.vg
+ Zlob.DNSChanger.rtk (12)
+ Zlob.Downloader
++ Zlob.Downloader.bs
+ Zlob.Downloader.iec
+ Zlob.Downloader.oid
+ Zlob.Downloader.rid
+ Zlob.Downloader.se
+ Zlob.Downloader.sot
+ Zlob.Downloader.vdt
+ Zlob.Downloader.xot
+ Zlob.MovieBox
+ Zlob.MovieCommander
+ Zlob.PPlayer
+ Zlob.SecurityTools
+ Zlob.VideoAccessActiveXObject
+ Zlob.VideoActiveXAccess
+ Zlob.VideoAXObject
+ Zlob.VideoBox
+ Zlob.XXXAccess
+ Zlock.uc

Total: 554199 fingerprints in 123295 rules for 3731 products.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans are constantly modified by it's maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5.x, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as an individuals who benefits from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

March 16, 2008

My Spam analysis for March 10 - 16, 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that fraudulent pharmaceuticals, mostly Viagra and male enhancement pills, dominated all spam categories, but, with counterfeit brands of watches, clothing and footware, along with fake diplomas, making a big comeback. Most of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Much of the fake and counterfeit drugs and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets.

< rant >
The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the World, who will purchase enough drugs from links in spam emails to make it financially worth while for spammers to pay to rent botnets to send this crap. Considering the fact that most of these pharmaceuticals are fake, or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent, online pharmacies?
< /rant >

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter, that when matched, assigns the status "BlackList" to those spam messages. This excludes lots of spam emails being categorized, since my blacklist rule is processed first. This saves processing power that is normally required by my custom filters. Furthermore, I have now applied some of my blacklist terms to the email server, on my website, automatically eliminating a major portion of certain types of forged sender spam.

My current statistics show that spam is now 56% of all my incoming email, for the week of March 10 through 16, 2008. This is the same amount as last week. Without my custom MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm or related Trojans. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for March 10 through 16, 2008.
Blacklisted (by pattern matching): 17.21%
Male enhancement spam: 15.58%
Other Pharmaceutical spam (includes Viagra and Cialis): 4.51%
Other filters: 17.21%
Pirated software spam: 6.56%
Counterfeit Watches and Shoes: 19.26%
Casino spam: 0.09%
Diploma spam: 4.10%
HTML Tricks: 5.74%
Spam sent to and from same email account: 3.28%
Known Spam Subjects: 4.10%
DNS Blacklists: 1.23%
Bayesian learning filter: 1.23%

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Try Firetrust Mailwasher® Pro

I mentioned in this article that I use MailWasher Pro to screen and filter out spam, before it is downloaded to Outlook Express (or your equivalent POP3 email client), and that it allows the use of special pattern matching of senders' addresses to blacklist them. I thought I would share the five main pattern matching blacklist filters with you. You can use them in MailWasher, if you have it, or on your web site's cPanel, in the account-wide email filters section, if you know how to use that feature. Here are the four 'biggies" that typically block 26+% of all spam.

I set my blacklist to automatically delete, so I never see a message that is matched by these filters. If you choose to do the same you had better add all of your legitimate contacts to your Friends List, just in case. I also apply the same filter rules to my email server, on my website, thus eliminating a sizable percentage of spam without making MailWasher do the work. Those rules are listed below the equivalent MailWasher filters.

My MailWasher Pro custom BlackList wildcard patterns for current forged senders of spam:

MailWasher BlackList code: _+@+.+
Regular Expression for mail server filter use: _.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: _
Discard message

MailWasher BlackList code: -+@+.+
Regular Expression for mail server filter use: -.+@.+
Plain text filter for mail server: FROM: BEGINS WITH:
Discard message

MailWasher BlackList code: dw+m@+.+
Regular Expression for mail server filter use: dw.+m@.+
Discard message

MailWasher BlackList code: lin+met@+.de
Regular Expression for mail server filter use: lin.+met@.+\.de
Discard message

MailWasher BlackList code: tequil*a+@+.com
Regular Expression for mail server filter use: tequil.*a.+@.+\.com
Discard message

NEW MailWasher Blacklist Rule: [email protected]
Regular Expression for mail server filter use: .+@bestdebtrepair\.net
Discard message

Here is my custom filter rule that matches senders with a forged domain name on both sides of the @ sign:

[enabled],[email protected],BlackList,0,AND,Delete,Automatic,EntireHeader,containsRE,"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1"

Learn more about MailWasher Pro, or Get MailWasher Pro here

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

March 13, 2008

Spybot Search & Destroy Malware Definitions Updated on March 12, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parenthesis or a double ++ in front of it's name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on March 12, 2008:

Adware + Wintouch

Dialer
+ Win32.Dialer.aeh


Keyloggers (Keyloggers steal your logins and passwords)
+ XPAdvancedKeylogger

Malware Includes fake anti-virus and anti-spyware programs
+ AntiSpyWare2007
+ NousTech.SysCleaner
+ NousTech.SystemDefender
+ RegClean
+ SpywareBOT.SpywareStop
+ Win32.BHO.je
+ Win32.VB.ck
+ WinSpyKiller


Trojans 6 new classes of Zlob* Trojans and 141 variants!
+ FakeAlert (273)
+ Smitfraud-C.MSVPS (28)
+ Win32.Agent.ahj
+ Win32.Agent.jmh
+ Zlob.DNSChanger.Rtk (13)
+ Zlob.Downloader.mld
+ Zlob.Downloader.se (115)
+ Zlob.Downloader.sg (5)
+ Zlob.Downloader.sot (8)
+ Zlob.Downloader.vdt

Total: 554374 fingerprints in 122623 rules for 3701 products.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans are constantly modified by it's maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5.x, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as an individuals who benefits from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

March 11, 2008

AVG Free to cease support of Windows 98, ME and NT, in Aug 2008

If you operate a Windows 98, ME, or NT computer online, with AVG Anti-Virus Free Edition protection, this statement on the AVG Free Supported Platforms page will be of utmost importance to you.

"* Some older operating systems such as Microsoft Windows ME, Microsoft Windows NT and Microsoft Windows 98 will only be supported until August 2008 as a minimum."

While this policy statement does not specify an actual date in August 2008, for the end of support and the last three words are vague, the intent is quite obvious. At some date in, or shortly after August, 2008, they will probably issue a new version of AVG Free, which will not install on Windows 98, ME, or NT computers.

People with these affected operating systems may think that by simply not upgrading, they will be able to continue to use the existing version. It is true that their version of AVG will still function, but when Grisoft stops releasing automatic updates for the previous versions, these folks are going to be unprotected against new and altered threats. In today's world that is tantamount to no protection at all.

AVG Anti-Virus Free Edition is currently updated automatically, once a day, but users are free to check for updates manually, as often as they wish. Thoise who do will usually find that definition files are updated several times every day. I have even created a means of checking automatically, every hour, on the hour, using Windows Task Scheduler. The details for the current version are shown below. Note, that you should check the path and destination directory names for your installation and alter them accordingly, before using this task.

Start in: "C:\Program Files\Grisoft\AVG7"
Run: "C:\Program Files\Grisoft\AVG7\avginet.exe" /SCHED=
Schedule Task: Daily
Start time: (when you want to start checking for updates)
Schedule Task daily: Every 1 day(s)
ADVANCED settings
Check: Repeat task
Every: 1 Hour(s)
Until: 24 hours
Click OK, then click Apply, then OK again, to save and exit the task scheduler.

These parameters will run the automatic online updater every hour, on the hour. If updates are not available it will appear and disappear in a second or two. If there are updates available at that time they will be downloaded automatically and installed, after which a little box will pop-up, telling you the update was successfully applied. You can click OK to dismiss this notice, or wait 30 seconds for it to go away on its own.

If you are one of those people who are in the soon to be abandoned group, of Windows 98, ME, or NT users, you may want to start searching for an alternative anti-virus product. Avast Home Edition is a free anti virus product that still supports Windows 98, although some new features will not work on that OS. Future versions will have even less functionality under Windows 98 and ME. If you are still running a Windows 98 or ME computer on the Internet, you really should think hard about updating to a newer operating system.

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

March 10, 2008

Windows XP Licensed sales to end on June 30, 2008

What will happen to sales of Windows XP, on June 30, 2008?

On June 30, 2008, all retail outlets, computer manufacturers and custom OEM computer builders will be unable to obtain any more boxed or shrink-wrapped OEM copies of Windows XP CDs. However, they may sell their remaining stock, as long as the disks already have valid product keys on a fresh hologram sticker. All other OEM XP disks will be unlicensable after the cutoff date, because Microsoft will not issue any more product keys. Those disks can only be used to reinstall already licensed XP operating systems.

If you are thinking about building or buying a new computer with Windows XP, you should do it soon. Microsoft will end OEM and shrink-wrapped sales of Windows XP on June 30, 2008, forcing users to shift to Vista. This will not only affect individuals and small local computer shops, but big companies like Dell, who currently offer business computers with XP Professional, instead of Vista Business. Come June 30 they will no longer have this option.

If you want to avoid being forced to move up to Vista, order your XP Pro licensed computers now. Set up terms if you have to, but don't wait for the licenses to expire and hope to find a copy after June 30, 2008.

Also until the end of business on June 30, 2008 (at 23:59 PST), individuals can buy XP licenses online, directly from Microsoft. Those sales pertain to people who already have a valid XP installation CD and need extra licenses for it, to load the software onto a second or third home or office PC. Once purchased from Microsoft, these additional computers can have XP loaded onto them and be legally validated.

Note, that some Microsoft Licensed System Builders may still be able to obtain Windows XP Professional licenses, for orders of 25 or more PCs, but only if those PCs come with a Windows Vista Business, or Vista Ultimate license as well. Essentially, the customer will be allowed to "downgrade" by using the Vista license for the XP installation. As for enterprise volume licenses, those will also include "downgrade rights," so while Microsoft will stop selling XP licenses, a Vista Business or Ultimate volume license can still be used to activate XP installs, provided you supply your own XP installation CDs.

Hardware and driver considerations

As more manufacturers join the Vista only bandwagon, support and drivers for XP will dry up, just like has already happened for Windows 98 devices. In fact, Vista motherboards are now shipping that do not support most of the plug-in cards that worked perfectly under Windows XP. New audio and video cards, or chipsets, that ship with Vista computers may not even have XP drivers available from the manufacturers. However, as of March 2008, Tiger Direct still has a good inventory of XP compatible motherboards, plug-in cards and peripherals, as well as plenty of XP Home, Media Center and Professional OEM CDs, with legitimate hologram product keys. Use the search box below to find computer cases, power supplies, components, motherboards, CPUs, RAM and most available Windows Operating Systems, at Tiger Direct.

If you are using XP Professional, in a business environment and are willing to allow Vista computers into your network, purchase Vista Business Edition, not a consumer version (or you're asking for trouble). However, if you need DVD multi-media support, you will have to add that on with a third party (commercial or freeware) application, as DVD multi-media support doesn't come with Vista Business or Enterprise (M-M does come with Vista Ultimate). These applications are also available through Tiger Direct.

Search at TigerDirect.com:
TigerDirect

XP Service Pack Facts

The last version of Windows XP to go to manufacturing was Service Pack 2. Interestingly, XP Service Pack 3 is about to be released. This will undoubtedly be the final service pack for Windows XP. According to Microsoft, "Windows® XP Service Pack 3 (SP3) includes all previously released updates for the operating system. This update also includes a small number of new functionalities, which do not significantly change customers’ experience with the operating system."

In a related issue, to resolve the shortage of new OEM XP licenses, authorized OEM builders who create computers from XP disk images must obtain a special upgrade to level SP-2c, then integrate it, and create a new image from it. Failure to do so will make it impossible for their customers to activate Windows! This is because only this special sub-version - SP-2c - will allow the use of the newly created validation codes.

System builders who use imaging must create new Windows XP Professional images with Service Pack 2c when shipping Service Pack 2c product keys; otherwise end users will not be able to complete installation.
When will Microsoft will stop supporting Windows XP computers?

For technical support and Windows Updates, Microsoft will end mainstream support for XP on April 14, 2009, for most editions, and it will end extended support on April 8, 2014 for most editions. This will leave most consumers without critical patches and updates, after that date, because extended support is not available for consumer licenses.

Both mainstream and extended support systems include free security updates (Windows Updates). Hot fixes or other issues are free only during the mainstream support period; non-consumer users wanting hot fixes must buy a hot-fix update plan from Microsoft before July 14, 2009.

XP Home Edition is a consumer product, therefore, it will cease being actively supported on April 14, 2009. After that time there will be no further improvements, patches or updates released via Windows Update Service. The version last released to manufacturing was XP with SP-2. The CD's now available for purchase also contain SP-2, which is several years old and don't have most of the available updates. Even if you purchase an XP CD on the last day, and install it later, it will still not have most of the already released updates. You would have to go online and download them while you can.

There is a good explanation of how Microsoft defines mainstream and extended support on their Lifecycle FAQ's page. This is of huge importance to owners of consumer lines of Windows OS's. Here, in a nutshell, here is the definition of what is included in mainstream support.

Mainstream support means that Microsoft supplies the following:
Paid support (per-incident, per hour, and others)
Security update support
Non-security hotfix support
No-charge incident support
Warranty claims
Design changes and feature requests
Product-specific information that is available by using the online Microsoft Knowledge Base
Product-specific information that is available by using the Support site at Microsoft Help and Support to find answers to technical questions

XP Home users cannot get "extended" support, because Microsoft clearly states this, on their LifeCycle FAQ's page:

* Extended Support is not offered for Consumer, Hardware, or Multimedia products.

Once XP Professional and Media Edition reach extended support all Microsoft will provide is:
Paid support (per-incident, per hour, and others); Security update support; Product-specific information that is available by using the online Microsoft Knowledge Base, or by using the Support site at Microsoft Help and Support to find answers to technical questions.

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

March 9, 2008

My Spam analysis for March 3 - 9, 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that fraudulent pharmaceuticals, mostly Viagra and male enhancement pills, dominated all spam categories, but, with counterfeit brands of watches, clothing and footware making a big comeback. Most of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Much of the fake and counterfeit drugs and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets.

< rant >
The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the World, who will purchase enough drugs from links in spam emails to make it financially worth while for spammers to pay to rent botnets to send this crap. Considering the fact that most of these pharmaceuticals are fake, or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent, online pharmacies?
< /rant >

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter, that when matched, assigns the status "BlackList" to those spam messages. This excludes lots of spam emails being categorized, since my blacklist rule is processed first. This saves processing power that is normally required by my custom filters. Furthermore, I have now applied some of my blacklist terms to the email server, on my website, automatically eliminating a major portion of certain types of forged sender spam.

My current statistics show that spam is now 56% of all my incoming email, for the week of March 3 through 9, 2008. This is up 3% from last week. Without my custom MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm or related Trojans. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for March 3 through 9, 2008.
Blacklisted (by pattern matching): 19.65%
Male enhancement spam: 19.65%
Viagra and Viagra.com: 3.49%
Other Pharmaceutical spam: 12.66%
Other filters: 12.23%
Counterfeit Watches and Shoes: 13.97%
Casino spam: 0% (1)
Diploma spam: 0% (4)
HTML Tricks: 10.04%
Spam sent to and from same email account: 3.06%
Known Spam Subjects: 4.80%

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Try Firetrust Mailwasher® Pro

I mentioned in this article that I use MailWasher Pro to screen and filter out spam, before it is downloaded to Outlook Express (or your equivalent POP3 email client), and that it allows the use of special pattern matching of senders' addresses to blacklist them. I thought I would share the five main pattern matching blacklist filters with you. You can use them in MailWasher, if you have it, or on your web site's cPanel, in the account-wide email filters section, if you know how to use that feature. Here are the four 'biggies" that typically block 26+% of all spam.

I set my blacklist to automatically delete, so I never see a message that is matched by these filters. If you choose to do the same you had better add all of your legitimate contacts to your Friends List, just in case. I also apply the same filter rules to my email server, on my website, thus eliminating a sizable percentage of spam without making MailWasher do the work. Those rules are listed below the equivalent MailWasher filters.

My MailWasher Pro custom BlackList wildcard patterns for current forged senders of spam:

MailWasher BlackList code: _+@+.+
Regular Expression for mail server filter use: _.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: _
Discard message

MailWasher BlackList code: -+@+.+
Regular Expression for mail server filter use: -.+@.+
Plain text filter for mail server: FROM: BEGINS WITH:
Discard message

MailWasher BlackList code: dw+m@+.+
Regular Expression for mail server filter use: dw.+m@.+
Discard message

MailWasher BlackList code: lin+met@+.de
Regular Expression for mail server filter use: lin.+met@.+\.de
Discard message

MailWasher BlackList code: tequil*a+@+.com
Regular Expression for mail server filter use: tequil.*a.+@.+\.com
Discard message

NEW MailWasher Blacklist Rule: [email protected]
Regular Expression for mail server filter use: .+@bestdebtrepair\.net
Discard message

Here is my custom filter rule that matches senders with a forged domain name on both sides of the @ sign:

[enabled],[email protected],BlackList,0,AND,Delete,Automatic,EntireHeader,containsRE,"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1"

Learn more about MailWasher Pro, or Get MailWasher Pro here

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

March 6, 2008

Beware of a new round of Storm Trojan e-card scams

The infamous Storm Trojan Botnet has reawakened again, after a brief sleep. It last made it's appearance towards the end of January, stayed active until Valentines' Day, then disappeared. Since July of 2007 the Storm Botnet is most well known for sending out spam messages containing links to view e-cards, or postcards. All of the resulting web pages are hosted on other storm infected botnetted computers and all of the links lead to your PC being infected with the same Trojan.

One of the things that made Storm Trojan links stand out last year was that most of them were numeric IP addresses, rather than domain names, in their links. These links resemble this example: ht*p://123.123.123.123/(some garbage characters may follow). During the last quarter of 2007 the Botnet began using actual registered domain names to reach the target host computers, which are managed on what is known as a Fast-Flux DNS network. Most of these domain names were registered within a few days of the spam run and are usually allowed to die shortly thereafter.

The Storm has become active again and is once again spamming out email messages about e-cards and postcards, most containing the good old numeric IP links. All of the targets are infected PCs and if you are duped into clicking on a link to such a target, exploits await you, including an automatic download of the Trojan. Should this fail, you will be enticed to click on a link, or an image to begin your download, supposedly to view your e-card/postcard. At this point, if you are running a Windows based computer, with Administrator level privileges, your PC is about to become a zombie member of the Storm Botnet.

Norton AntibotWhen, not if, you receive one of these e-card/postcard notices delete it immediately. If the sender looks like a name you know, check the email address to see if it matches that name. If in doubt, contact that person to see if they knowingly sent you an e-card, from that particular e-card company. Chances are they won't know anything about it. You see, the names and addresses used in the From fields are all harvested from infected computer contact lists and address books. All spam email messages since late 2006 have totally forged From and Reply to email addresses. The people whose names and addresses are being used have no idea this is happening and cannot stop it. If you have sent an email to somebody whose computer gets infected with an email harvesting trojan or Worm, your email address will not only receive spam, but will be used in forged From and Reply To fields of spam messages. There is nothing you can do about this. Even my accounts have been harvested from computers of customers and friends and I see spam coming to me, supposedly From me!

Unwanted E-Card/Postcard = DELETE! Leave the curious George stuff to professionals like me and the anti-exploitation labs.

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

2Wire Modem DNS Poisoning Attack Returns to Mexico

On January 13, 2008, I published an article warning owners of certain 2Wire branded DSL modems about a DNS poisoning attack that was ongoing against Mexican banking customers. That attack took advantage of the unfortunate fact that many DSL Internet customers receiving 2Wire modems have not created a unique administrator password to protect their modems from scripted attacks. In the January attacks, spam email messages were sent specifically to Mexican DSL customers, pretending to contain a link to a video that would be of interest to those recipients. Unbeknownst to the recipients, merely opening these messages triggered the running of a script that targeted 2Wire modems with codes that changed the destination URL of the Banamex online bank.

In my January article about this DNS poisoning attack I strongly recommended that all owners of these, and other broadband modems should immediately setup a unique password for the Administrator login to those modems. I also urged them to disable Remote Administration. I should add disabling UPnP to the list of options that will help secure these modems. Apparently, not enough users read and heeded my advice, because I have just learned that a second round of spam attacks has been launched against the very same people, using the same bank in Mexico!

The new round of attacks that is currently underway is again arriving via spammed email messages. This time, though, the email messages are disguised to trick users into thinking that they have received an e-card from Gusanito.com, a popular Mexican eCard Web site. Once a user clicks on the link where the supposed postcard can be viewed, he or she is then directed to a spoofed Gusanito page. That web page loads a couple of Flash controls, including a malicious one that modifies the 2wire modem localhost table. This routine effectively redirects users to a fraudulent site whenever they attempt to access pages related to Banamex.com. Because the spoofed pages so closely resemble the real bank's website, most users wouldn't realize that they were being scammed, until they tried to pay a bill with, or withdraw, money, which they no longer had in their bank accounts.

This DNS poisoning/Phishing technique has a name: "Drive-by Pharming." It is now proving to be a successful attack vector and will certainly be deployed against other 2Wire Modem users in other Countries. I again strongly urge broadband modem users to secure their modems by creating a good, personal Administrator password, plus disabling unnecessary, exploitable services, like remote administration and UPnP. Read my previous article about the exploiting of 2Wire modems and apply the pointers in it to reset and secure your modems.

Get Trend Micro PC-cillin Internet Security protection against web threats This new threat was reported by Trend Micro, on their security alert blog. For its part, Trend Micro will detect the malicious .SWF file as SWF_ADHIJACK.D. All related malicious URLs have also been blocked by Trend Micro Web Threat Protection.

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

Spybot Search & Destroy Malware Definitions Updated on March 5, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parenthesis or a double ++ in front of it's name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on March 5, 2008: and false positive removals

Hijacker
+ CoolWWWSearch.Leftovers

Malware
+ Clickspring.Outerinfo
++ Fake.SpywareRemover
++ Marketflip.FakeSearchAndDestroy
++ RegistryClear
+ RegSweep
+ Smitfraud-C.
++ SpySnipe
+ SpywareBOT
+ Vario.AntiVirus
+ VirusHeat
+ Win32.BHO.je
+ Win32.Renos

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans
++ DL.Small.ddp
+ NousTech.UDefender
++ ShudderLtd.AntiVirusPro
+ Smitfraud-C.MSVPS
++ Spambot.kf
+ Virtumonde
++ Win32.Agent.icb
++ Win32.BHO.abo
+ Zlob.Downloader.se
++ Zlob.Downloader.sot
+ Zlob.Downloader.vdt

Total: 545636 fingerprints in 119654 rules for 3673 products.

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5.x, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

March 4, 2008

Watch out for a new fraudulent anti-virus ploy named MonaDonaRona

Most experienced Windows PC owners know by now that their computers are the primary targets of every type of malware exploit that can be conceived by man or machine. Prudent PC owners take extra precautions and ensure that their computers are protected and scanned regularly, with up-to-date anti virus and anti spyware programs. The also tend to use more secure browser settings, or switch to Firefox for their Internet browsing, instead of Internet Explorer. Yet, millions of PCs are infected every day, with all manner of spyware and viruses, with many of them belonging to fairly new computer users (Newbies). Why is this?

A lot of the reason for the constant increase in infected computers is due to inexperienced, or unaware Windows PC owners operating without proper and active security protection onboard. I have disinfected lots of computers that had either no virus protection at all, or had expired anti virus applications on them. An expired product is as useless as if it wasn't there, and gives a false sense of security to untrained PC users. Most of these products ship with new computers and offer a free 3 or 6 month trial period, after which they become inert, unless a subscription is paid for to keep them updated with new threat definitions.

This background information leads into the subject about which I am posting today. It has to do with a brand new malware threat that is in the Wild, calling itself: "MonaDonaRona." This is a malware "Trojan" that is acquired by downloading and installing a fake software program called RegistryCleaner 2008, although there may also be other means of delivering the infection. Once MonaDonaRona is installed on the victim's PC it pops up an ominous alert, identifying itself by name, and proudly proclaiming its intention to cause harm to your computer, currently using this text:

“Welcome to MonaRonaDona. I am a Virus & I am here to wreck your PC. If you observe strange behavior with your PC, like program Windows disappearing, etc., it’s me who’s doing this.”

This pop-up alert and strong language is meant to panic unsuspecting victims into paying to have it removed by a fraudulent anti virus program, which is a companion to this threat. People who are duped by this two handed ploy will have the MonaRonaDona alerts turned off by the companion malware application, which they had to pay for to use. This is also known as extortion-ware. The MonRonaDona component is only there as bait for the fake anti virus program, which the perpetrators of this fraud want to sell, for about $40 US. The fake anti virus product may be called "Unigray," or other names. It is apparently not linked to directly at this point in time, but the victim is expected to search for anti virus programs that specifically target it.

False information about the fake anti virus program has already been spammed to Google and other search engines, through phoney blogs and spam blog postings, poisoning the results pages. If the victim searches for help removing MonaRonaDona, they will most likely see the fake products listed at the top of the results. This is a new method of delivering fraud-ware, by gaming search results and panicking users into searching for the spammed, fake removal tool.

The fake removal program will tell MonaRonaDona to shut itself down, making the victim believe that the anti virus program actually removed it legitimately. But, this is merely a ploy. Most free anti virus and anti spyware programs will detect and remove this threat within a few hours of its discovery, if you check for updates every day, several times a day.

Early credit for this discovery goes to Eugene Kaspersky and his famous, commercial Kaspersky Anti Virus products. They are often first to intercept malware that comes from certain regions of Russia where much of the World's malware is written and launched.

If you don't have any up-to-date anti virus protection on your Windows PC, give Kaspersky a try, or TrendMicro, or Norton Anti-Virus products. If you can't afford to buy commercial anti virus protection there are various free programs available. I would unhesitatingly recommend AVG Free, although Avast! is also very good.

In addition to maintaining up-to-date, active anti virus software on your Windows PCs, you should also turn on automatic Windows Updates and apply them as they are released, rebooting as required. Windows Updates are pushed out to patch vulnerabilities in various components of the operating system, Internet Explorer browsers and certain supported accessory applications, from Microsoft. If you haven't been able to obtain all available Windows Updates because your copy of Windows does not have a valid license, your computer is going to be part of the problem and may be more easily taken over by malware than a properly licensed and updated computer.

I posted an article on my blog in May of 2006, about converting an unlicensed copy of Windows into a validly activated version. You should read it if you don't already know what to do.

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

March 3, 2008

My Spam analysis for February 25 - March 2, 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that fraudulent pharmaceuticals, mostly Viagra and male enhancement pills, dominated all spam categories. Most of the spam emails for pharmaceuticals have links to websites hosted in China, where fake and counterfeit drugs are produced. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets. The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the World, who will purchase enough drugs from links in spam emails to make it financially worth while for spammers to pay to rent botnets to send this crap. Considering the fact that most of these pharmaceuticals are fake, or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent, online pharmacies?

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter, that when matched, assigns the status "BlackList" to those spam messages. This excludes lots of spam emails being categorized, since my blacklist rule is processed first. This saves processing power that is normally required by my custom filters.

My current statistics show that spam is now 53% of all my incoming email, for the week of February 25 through March 2, 2008. This is the same as last week. Without my custom MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm or related Trojans. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."

MailWasher Pro spam category breakdown for February 25 through March 2, 2008.
MailWasher Pro by Firetrust
Blacklisted (by pattern matching): 26.64%
Male enhancement spam: 13.53%
Viagra and Viagra.com: 2.42%
Other Pharmaceutical spam: 11.10%
Other filters: 21.26%
Counterfeit Watches and Shoes: 18.36%
Casino spam: 0% (3 emails)
Diploma spam: 3.86%
HTML Tricks: 4.83%
Spam sent to and from same email account: 0% (4 emails)
Known Spam Subjects: 0% (10 emails)

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Try Firetrust Mailwasher® Pro

I mentioned in this article that I use MailWasher Pro to screen and filter out spam, before it is downloaded to Outlook Express (or your equivalent POP3 email client), and that it allows the use of special pattern matching of senders' addresses to blacklist them. I thought I would share the five main pattern matching blacklist filters with you. You can use them in MailWasher, if you have it, or on your web site's cPanel, in the account-wide email filters section, if you know how to use that feature. Here are the four 'biggies" that typically block 26+% of all spam.

I set my blacklist to automatically delete, so I never see a message that is matched by these filters. If you choose to do the same you had better add all of your legitimate contacts to your Friends List, just in case.

My MailWasher Pro custom BlackList wildcard patterns for current forged senders of spam:

MailWasher BlackList code: _+@+.+
Regular Expression for mail server filter use: _.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: _
Discard message

MailWasher BlackList code: -+@+.+
Regular Expression for mail server filter use: -.+@.+
Plain text filter for mail server: FROM: BEGINS WITH:
Discard message

MailWasher BlackList code: dw+m@+.+
Regular Expression for mail server filter use: dw.+m@.+
Discard message

MailWasher BlackList code: lin+met@+.de
Regular Expression for mail server filter use: lin.+met@.+\.de
Discard message

MailWasher BlackList code: tequil*a+@+.com
Regular Expression for mail server filter use: tequil.*a.+@.+\.com
Discard message

Here is my custom filter rule that matches senders with a forged domain name on both sides of the @ sign:

[enabled],[email protected],BlackList,0,AND,Delete,Automatic,EntireHeader,containsRE,"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1"

Learn more about MailWasher Pro, or Get MailWasher Pro here

Bookmark and Share

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

back to top ^

About the author
Wiz FeinbergWiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.


Malwarebytes' Anti-Malware is the most frequently recommended malware removal tool in malware removal forums, like Bleeping Computers. It is extremely effective for removing fake/rogue security alerts, Bots, Spyware and the most prevalent and current malware threats in the wild. Learn about Malwarebytes Anti-Malware.


MailWasher Pro is an effective spam filter that protects your desktop email client. Using a combination of blacklists and built-in and user configurable filters, MailWasher Pro recognizes and deletes spam before you download it. MailWasher Pro reveals the actual URL of any links in a message, which protects you from most Phishing scams. Try it free for 30 days. Pay $39.95 US once, for a lifetime license, with free upgrades.

Use OpenDNS

Get Reliable Web Hosting

Get your websites hosted on Bluehost, for as low as $6.95/month. Unlimited everything! Reliable servers, US based phone support, and 1-click software installs.

We are hosted on Bluehost and couldn't be happier!


Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by
Movable Type 4.38