Wiz's Computer and Website Security Blog

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category; "Other."

I want to make mention that the largest type of spam/scam I saw this week is from the Storm Botnet, in the form of ludicrous news headlines in the subject and body and a single link to website where your computer is bombarded with multiple exploits. Should your computer be too well protected to fall for the automatic exploits there is one left trick that is netting as many victims as the auto-exploits do. The web page presents you with a fake PornTube or YouTube player containing a notice that you must click to download a missing video codec to play the movie. Of course, the only thing downloaded when one clicks on the image is a copy of the Storm Trojan installer file and your computer instantly becomes a Zombie member of the Storm Botnet.

MailWasher Pro spam category breakdown for July 14 - 20, 2008. Spam amounted to 44% of incoming email this week.

Other filters: (See my MWP Filters page)	22.35%
Male enhancement spam (subject and body):	12.29%
Blacklisted Domains/Senders:	11.17%
"Opera Mail" Spam from Russia (Storm Trojan):	10.06%
"Apple Mail" Spam (Storm Trojan):	8.38%
Exploit link to Trojan download:	8.38%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals):	8.38%
Digits or Consonants forged sender:	6.70%
Loans/Bankruptcy/Insurance Scams:	6.15%
DNS Blacklists:	3.91%
Blocked Countries:	2.23%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

Posted by Wiz at 2:00 PM | Permalink

back to top ^

I usually write articles about computer or website security on my blog and a lot of people seem to benefit from my articles. Security is on almost everybody's mind these days, whether it relates to your computer, website, job, car, or home. Today I would like to address the problem that I see a lot in the local news; home burglaries where the thieves gain entry by kicking in a door. One of the frequently stolen items in these crimes is a computer, so in a way this is about securing your computer - physically. It is also a plug for a local Flint, Michigan business owned by people I know personally, who are trying to make a difference.

The days of simply closing your front door and retiring for the evening have given way to deadbolt locks and chains. But today, even deadbolts and chains don't seem to offer enough security against determined home invasion burglars. A determined thief won't waste time trying to pick the lock; he'll just kick the door open, breaking through the lock jam in the wood, ripping it out by the screws, taking you by surprise in the middle of the night! If you live in a place where this kind of crime happens you need a better method of protecting your doors and your family. Enter the Taylor Brothers "NIGHTLOCK" Door Lock.

The NIGHTLOCK Door Lock is a floor mounted solution to kick-ins and forced door jams. It is made out of solid aluminum, with an anodized brass finish and matching solid brass screws and can be mounted into any type of floor, including cement floors - using the plastic anchors supplied with the kit. The NIGHTLOCK is mounted directly behind the door, on the side where it opens, which is the point of least resistance when somebody forces the door open. The NIGHTLOCK stopper bracket easily slides into the 7/16" high floor-mounted base plate and sticks up about 2 inches above the bottom of the door. This takes away the freedom of motion that burglars count on when they kick in or force the door open. Unless they are able to break it off the hinges, on the other side, they ain't getting in through that door! I have tried forcing an unlocked door open with NIGHTLOCK behind it and almost threw out my shoulder! It really works (ouch!).

There is a short video presentation demonstrating how the NIGHTLOCK protects you from door kick-ins on the NIGHTLOCK website home page. They are made in Flint, Michigan, by the Taylor Brothers, cost $29.95, plus UPS or Priority Post shipping (+ sales tax for Michigan residents). They are always in stock and are shipped fast. If you live within driving distance of Flint, Michigan, you can see them on display and buy them in person at Taylor Steel Co, on Coldwater Rd, just west of Dort Highway. Tell them Wiz sent you!

Posted by Wiz at 2:53 PM | Permalink

back to top ^

On July 16, 2008, Mozilla released Firefox 3.01, patching three critical vulnerabilities, and 2.0.0.16, patching two critical security vulnerabilities, as reported by Secunia and other locations. Here is an outline of what has been patched in FF 3.01:

• Fixed these security issues:
  
  
  
  1. MFSA 2008-36 Crash with malformed GIF file on Mac OS X
  
  
  2. MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not running
  
  
  3. MFSA 2008-34 Remote code execution by overflowing CSS reference counter
  
  
  
  


• Fixed several stability issues.


• Fixed an issue where the phishing and malware database did not update on first launch.


• Under certain circumstances, Firefox 3.0 did not properly save the SSL certificate exceptions list.
  
• Updated the internal Public Suffix list (List of known domain suffixes).


• In certain cases, installing Firefox 2 in the same directory in which Firefox 3 has been installed resulted in Firefox 2 being unstable. This issue was fixed as part of Firefox 2.0.0.16.


• Fixed an issue where, when printing a selected region of content from the middle of a page, some of the output was missing (bug 433373).


• Fixed a Linux issues where, for users on a PPP connection (dialup or DSL) Firefox always started in "Offline" mode (bug 424626).

If you haven't already received your notice to upgrade, from the browser itself, go to the Firefox download page and get it manually. Just install over your previous installation, overwriting your existing installation of Firefox. You won’t lose any of your bookmarks or browsing history, but some of your extensions and other add-ons might not work until updates for them are made available (or you learn how to hack the install.rdf files like I do).

As always, after you update your browser you may have to allow it to connect to the Internet, if you have ZoneAlarm FIrewall, or a similar firewall that monitors for program md5 signature changes.

Firefox can be installed onto any of these operating systems:

Windows Operating Systems
* Windows 2000
* Windows XP
* Windows Server 2003
* Windows Vista

Mac
Mac OS X 10.4 and later

Linux
Firefox will not run at all without the following Linux libraries or packages:

* GTK+ 2.10 or higher
* GLib 2.12 or higher
* Pango 1.14 or higher
* X.Org 1.0 or higher

If you are still using Firefox version 2.x I recommend that you upgrade to 3.x as soon as possible. Although Firefox 2 has been patched regularly and is now up to version 2.0.0.16 (as of July 15, 2008), that is set to come to an end sometime in December, 2008. After that time there will be no more security or stability updates for that series.

A lot of people are probably holding out because their beloved extensions or add-ons haven't been updated to be compatible with the series 3 Firefox browsers. Did you guys and gals know that in many cases you can hack the install files, or sometimes just from a downloaded extension onto an open Firefox browser window and it will begin the installation routine?

Hacking the installation files requires an unzipping program like Winzip, WinRar, 7zip, Unzip, etc. A downloaded add-on always has the file extension .xpi which is a compressed archive that can be opened in any of the above mentioned unzipping programs. I use Winzip to do this. Here is my routine.

• Right-click on the desired add-on or extension and select Save As.


• Download the file to my downloads folder for Firefox stuff.


• When the extensions are all downloaded I open them, one at a time, by right-clicking and selecting "Open With:" > "Winzip."


• Winzip opens with a list of files and folder locations, of the archive.


• Find the file named "install.rdf" and right-click on it and select "View with Notepad." If that option isn't listed yet, use the right-click option "View with internal viewer" and place a dot in "Viewer," making sure that "Notepad" is showing in the input field, then click VIEW.


• Search the text in the rdf file until you find a section labeled "(numbers/letters)"


• Look at the numbers right after that tag and make sure they say, or change them to say: 3.0.*


• Click File > Save then close Notepad. Winzip popos up a box asking if you want to "update the archive with this file?" ... answer "Yes."

As long as the add-on or extension doesn't use a procedure or call accessory files that are forbidden in the newer versions of Firefox - it should install and work just like it did in the 2.x series browsers. Just be prepared for the occasional rejection of totally incompatible extensions.

Ok, class is out. Time for recess! Wiz Out!

Posted by Wiz at 8:02 PM | Permalink

back to top ^

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

News Flash!
Spybot Search and Destroy 1.6 was released on July 8, 2008. Upgrade now! Read more about it in my extended comments.

Additions made on July 16, 2008:

Adware
+ BaiduBar

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners)
+ Fraud.XPAntivirus
+ IEDefender
+ Win32.BHO.je
+ Win32.Renos

Spyware
++ PassView

Trojans
+ Bifrose.LA
+ Smitfraud-C.MSVPS
++ Nurech
+ Virtumonde
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.51
+ Win32.Agent.aaw
++ Win32.Agent.agh
+ Win32.Autoit.p
++ Win32.AutoRun.lx
++ Win32.Bifrose.da
++ Win32.Delf.Crypt.c
++ Win32.Delf.qc
++ Win32.VB.f
+ Win32.Rbot
+ Zlob.Downloader.pit
+ Zlob.Downloader.wet
+ Zlob.MovieBox

Total: 700725 fingerprints in 178431 rules for 4069 products.

False positive detections reported or fixed this week:

In Spybot v1.6.0 a few users, including me, have reported what appears to be multiple false positive reports of Smitfraud-C and Worldsecurityonline.FakeAlert, with the July 9 2008 definition updates, but only after right-clicking and scanning a particular drive, folder, or file. The false positives are only displayed in the "Heuristic" scan analysis; not in standard scans from the program interface, or in the Malware (top) section of the right-click-scan window. Some of these false positives are being fixed this week, while others may take longer to isolate and fix.

The heuristics scan will be more reliable with the upcoming update, but changes still have to be made.
So if in doubt about a heuristics result (after the update today), you can also submit the file to detections@spybot.info for analysis.

There is a confirmed false positive detection of "Performance Optimizer" in a legitimate product named MySecurityCenter PC Performance Optimizer and possibly other "optimizers." The actual fake product being searched for is named "Sellmosofts Performance Optimizer." This has been narrowed to fix the problem with today's updates.

If you are still using Spybot S&D 1.3, or 1.4, please read this!

I have read several false positive reports regarding CoolWWWSearch.hjg and HellzLittleSpy from people still using the old versions 1.3 and 1.4 of Spybot Search and Destroy. I must stress that you cannot trust these versions to be 100% accurate when updated with current definitions. In fact, the opposite appears to be true; they are producing false positive detections with recent updates.

These are false positive which occur because Spybot 1.3 is outdated and does not understand the more complex rules made for 1.5.2 and newer.

Apply the main update that shows up within the internal updater to upgrade to (1.6.x).

If your computer gets stuck in a logon/logoff loop, after updating and scanning with these older versions of Spybot, visit this forum page for a solution, from Team Spybot.

If you are using any version older than 1.5.2, please upgrade to the current version of Spybot S&D, which is now 1.6.0.

If you get an alert about that detection for a file you think is legitimate you should submit it to Team Spybot for analysis.

Spybot Search & Destroy version 1.6.0, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. It scans for threats much faster than 1.5.2 does. If you are still using version 1.3 or 1.4, I strongly recommend that you update to 1.6.x, using the company links below. These older versions are giving more frequent false positives than ever before.

Some users are having problems with Spybot S&D updates when running as less privileged users (Limited or Power Users). First off, less privileged users can no longer apply most immunization rules from within their accounts, unless they use the "Run as" command to run the program as an administrator. Your solution is to first run the Spybot Updater, from your Start menu > Programs > "Spybot - Search & Destroy" > "Update Spybot-S&D." The updater is now a separate application. To avoid possible account corruption from the rootkit detections, run the Spybot Updater before you open the actual Spybot S&D program. Download all available updates from the best server location (I prefer the Safer Networking servers). Exit the updater after all definitions have been installed and green checkmarks are displayed for all updates.

After the updater has exited you can right-click on the shortcut to Spybot S&D and "Run As" an administrator, with your administrator account password (only if you login as a Limited or Power User). When the program opens you should immediately use the Immunize button to apply the level of protection you desire to the selectable applications. These typically include major browsers, domains, cookies, and the Windows HOSTS file. If you are an advertiser or publisher in an affiliate network be sure you exclude cookies for your affiliate programs that are in the detections list, or you'll have problems logging into your affiliate accounts. I have to exclude Commission Junction and Linkshare detections in both cookies, domains and HOSTS immunizations. Apparently, the authors of Spybot are down on advertising cookies and domains. Oh well (sigh).

Another problem being reported is when you run some versions of Spybot S&D it stops with a warning about problems including the file C:\Program Files\Spybot-Search_Destroy\Includes\TrojansC.sbi. The current errors with the Trojans.sbi and TrojansC.sbi files are caused by new detection rules that are incompatible with versions of Spybot prior to 1.5.2. These new detection rules use the new Anti-Rootkit plugins #1, #2 and #3 that only have been offered as updates to Spybot 1.5.2. If you upgrade to Spybot 1.5.2 you will not only eliminate the error messages but in also will be performing rootkit searches while doing a Spybot "Check for problems".

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as an individuals who benefits from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.

Posted by Wiz at 3:05 AM | Permalink

back to top ^

Note: Updated on July 20, 2008, with new information

There is a surge going on right now in the amount of spammed email messages being blasted out by Botnets, with ludicrous news headlines in the Subjects. The subjects try to tempt you to read the message, then click on the enclosed link to read the details about the subject, or some other alleged news story. The headlines are sucker bait, with a nasty payload at the other end of the links contained in the message bodies.

Different from any news flashes to which you may actually subscribe, these arrived unsolicited in your inbox, from unknown, forged sender names and addresses and from domains you have to relationship with. Many are sent using forged .de (German) domains in the From address, in addition to .it, .ru and others.

If you hold your mouse pointer over the links in these messages you will see a lot of domains extensions for various countries around the World. Some I have seen just today include .de, .it, .fr and .ru. The domain name is followed by a forward slash (/) and a file name. The initial spam run file name was "main.html" (e.g. example.com/main.html). Other Trojan link file names have already appeared, such as "start.html" and "news.html." If you were to go to those domains in the links, using "wannabrowser," with "follow redirects" unchecked, you would see that many of the first responding domains are hosted on hacked Microsoft IIS servers. They all contain meta redirect tags that forward normal browsers to another domain, usually a zombie PC in the Storm Botnet, or a web site hosted in China or Russia. Once you arrive there your browser gets assaulted by numerous hostile JavaScript codes and iframe exploits. Should all those fail to automatically exploit your computer they supply self-infection links!

And what method do they employ to get you to click on these links to infect your own computer? The bait is a fake, look-alike "Porntube" video player that requires a special video "codec" to play the free sample movie. They even provide fake reviews under the fake player placeholder, from make-believe happy viewers before you! These guys are professionals and very good at the Con Game they are playing.

The payload file name may vary, but so far I have seen "video.exe," "watch.exe" and "view.exe" as the name of the payload file it delivers. That file is actually the "Storm Trojan" and it is infecting unprotected computers, or gullible computer owners, all around the World.

If you know, or suspect that you have become a victim of the Storm, or any other Trojan, you should obtain legitimate anti-malware software and scan for and remove all threats, after updating the program with the latest definitions. I use Spybot Search and Destroy, which is updated weekly and is totally free, but which you must remember to update manually and scan manually. It is one of my routine tasks that I do on Wednesdays, when the Spybot S&D definition updates are released.

Most people don't want to mess with security programs that they have to micro manage every time they want to use them. For you folks a commercial application makes more sense. While I know of many security products and have ads for them I am leaning towards Trend Micro Internet Security now. Their existing program used to be called PC-cillin and is well respected in the anti virus field. But, they are venturing where no man has gone before: to the Cloud!

I'll tell you more about this new development soon. For now, if you need a really solid anti-virus | anti-spyware | anti phishing | and anti-spam solution, you will not go wrong with Trend Micro Internet Security 2008. As a favor to my readers, enter coupon code TrendIS08 during your purchase and I'll save you 10% off the going rate!

Till next time, practice safe hex !

Posted by Wiz at 3:16 PM | Permalink

back to top ^

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category; "Other."

MailWasher Pro spam category breakdown for July 7 - 13, 2008. Spam amounted to 53% of incoming email this week.

Other filters: (See my MWP Filters page)	21.69%
Blacklisted Domains/Senders:	21.08%
Male enhancement spam (subject and body):	13.85%
Hidden ISO Subject:	10.24%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals):	9.63%
Loans/Bankruptcy/Insurance Scams:	7.23%
"Opera Mail" Spam from Russia (Enlargement herbals):	5.42%
"Apple Mail" Spam (Male Enhancement, ED, etc):	4.22%
Digits or Consonants forged sender:	3.01%
DNS Blacklists:	2.41%
Bayesian learning filter:	1.20%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

Posted by Wiz at 12:44 PM | Permalink

back to top ^

Checkpoint, the owners of the famous ZoneAlarm Personal Firewall, has released a patched version of their firewall, to fix a problem caused when Windows 2000 and XP computers received the July 8, 2008 Windows Updates patch MS08-037. You can read about what happened to me and millions of other ZoneAlarm users on this blog article, which I wrote on July 8, after I used System Restore to get back online. It took several hours of troubleshooting to discover that the ZoneAlarm firewall was the cause of my loss of Internet access. As it turned out all one had to do to get reconnected was to lower a security slider from high to medium! Doh!

Before I go into the details about why this happened I want to give you a direct link to the ZoneAlarm download page, where you can download the appropriate upgrade to the program you are using, which caused a loss of Internet access after applying MS08-037.

The official statement from the ZoneAlarm folks, on July 8, was that you should uninstall the Microsoft patch to get back online! "Bullshit! What's that you say?" They began to change their tone yesterday and issued a patched version of five ZoneAlarm security products that are known to cause this loss of connectivity after installing MS08-037 on Windows 2000 and XP computers (see page linked to above).

So what actually caused ZoneAlarm for Windows 2000 and XP to freak out and deny Internet access to all their firewall users, on July 8? Was it a fundamental design flaw? Was it Microsoft's patch being flawed? None of those was the cause. It was because ZoneAlarm uses "undocumented hooks" into the Windows 2000 and XP "kernel" to enforce security against malware infections. Windows Vista closed this undocumented feature and forces security vendors to use other methods to perform their jobs, thus Vista users were not knocked offline on Tuesday.

So, what really happened is that ZoneAlarm did its job too well, because the "kernel" components that manage Internet connections got altered by the Windows Update "DNS Spoofing" patch, and the nature of that update was so profound that the ZoneAlarm firewall blocked all Internet access believing that the OS had been invaded by malware.

If you have already reduced your ZoneAlarm security slider to Medium, or have uninstalled the Microsoft patch to get back online, I recommend that you download the new ZoneAlarm program that was updated to address the problem, but set a System Restore Point first (XP only). That way if the updated ZoneAlarm program is still buggy you can roll back to the previous version and leave the slider at medium, until they produce a stable upgrade. If you uninstalled the MS08-037 patch you should reinstall it, via Windows Updates.

This is all in flux right now. I will post a follow-up to this once the dust settles.

Posted by Wiz at 11:36 AM | Permalink

back to top ^

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

News Flash!
Spybot Search and Destroy 1.6 was just released on July 8, 2008. Upgrade now!

Additions made on July 9, 2008:

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax
+ PerfectKeylogger

Malware (Includes fake anti-virus and anti-spyware programs, like VirusHeat and Vario and fake registry cleaners)
+ AllInOneKeylogger
+ AntiSpyCheck
+ Fake.SecurityAlert
+ FakeAlert.cc
++ Fraud.XpCleaner
+ Win32.BHO.je (6)
++ Win32.AOLPass.i

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans
+ CoolWWWSearch.hjg (5)
++ Fagianom
+ Smitfraud-C.MSVPS
+ Virtumonde
+ Virtumonde.dll
+ Virtumonde.sdn
+ Win32.Agent.pn
++ Win32.Autoit.p
++ Win32.AutoRun.dli (63)
++ Win32.Buzus.jqw
++ Win32.Delf.Crypt.c
++ Win32.Delf.es
++ Win32.Emogen-K
++ Win32.Podnuha.ee
++ Win32.Small.UBV
++ Win32.VB.cj
++ Win32.Webdir.b
+ Win32.Zhelatin.ah (Storm Trojan)
+ Zlob.Downloader.lor
+ Zlob.Downloader.pit
++ Zlob.Downloader.wet

Total: 691992 fingerprints in 176938 rules for 4055 products.

False positive detections reported or fixed this week:

In Spybot v1.6.0 a few users have reported what appears to be multiple false positive reports of Smitfraud-C, with today's definition updates (7/9/08) but only after right-clicking and scanning a particular drive, folder, or file.

No fp's reported concerning version 1.5.2. Plenty concerning versions 1.3 and 1.4.

If you are still using Spybot S&D 1.3, or 1.4, please read this!

I have read several false positive reports regarding CoolWWWSearch.hjg and HellzLittleSpy from people still using the old versions 1.3 and 1.4 of Spybot Search and Destroy. I must stress that you cannot trust these versions to be 100% accurate when updated with current definitions. In fact, the opposite appears to be true; they are producing false positive detections with recent updates.

These are false positive which occur because Spybot 1.3 is outdated and does not understand the more complex rules made for 1.5.2 and newer.

Apply the main update that shows up within the internal updater to upgrade to (1.6.x).

If your computer gets stuck in a logon/logoff loop, after updating and scanning with these older versions of Spybot, visit this forum page for a solution, from Team Spybot.

If you are using any version older than 1.5.2, please upgrade to the current version of Spybot S&D, which is now 1.6.0.

If you get an alert about that detection for a file you think is legitimate you should submit it to Team Spybot for analysis.

Spybot Search & Destroy version 1.6.0, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. It scans for threats much faster than 1.5.2 does. If you are still using version 1.3 or 1.4, I strongly recommend that you update to 1.6.x, using the company links below. These older versions are giving more frequent false positives than ever before.

Some users are having problems with Spybot S&D updates when running as less privileged users (Limited or Power Users). First off, less privileged users can no longer apply most immunization rules from within their accounts, unless they use the "Run as" command to run the program as an administrator. Your solution is to first run the Spybot Updater, from your Start menu > Programs > "Spybot - Search & Destroy" > "Update Spybot-S&D." The updater is now a separate application. To avoid possible account corruption from the rootkit detections, run the Spybot Updater before you open the actual Spybot S&D program. Download all available updates from the best server location (I prefer the Safer Networking servers). Exit the updater after all definitions have been installed and green checkmarks are displayed for all updates.

After the updater has exited you can right-click on the shortcut to Spybot S&D and "Run As" an administrator, with your administrator account password (only if you login as a Limited or Power User). When the program opens you should immediately use the Immunize button to apply the level of protection you desire to the selectable applications. These typically include major browsers, domains, cookies, and the Windows HOSTS file. If you are an advertiser or publisher in an affiliate network be sure you exclude cookies for your affiliate programs that are in the detections list, or you'll have problems logging into your affiliate accounts. I have to exclude Commission Junction and Linkshare detections in both cookies, domains and HOSTS immunizations. Apparently, the authors of Spybot are down on advertising cookies and domains. Oh well (sigh).

Another problem being reported is when you run some versions of Spybot S&D it stops with a warning about problems including the file C:\Program Files\Spybot-Search_Destroy\Includes\TrojansC.sbi. The current errors with the Trojans.sbi and TrojansC.sbi files are caused by new detection rules that are incompatible with versions of Spybot prior to 1.5.2. These new detection rules use the new Anti-Rootkit plugins #1, #2 and #3 that only have been offered as updates to Spybot 1.5.2. If you upgrade to Spybot 1.5.2 you will not only eliminate the error messages but in also will be performing rootkit searches while doing a Spybot "Check for problems".

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as an individuals who benefits from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.

Posted by Wiz at 12:37 PM | Permalink

back to top ^

Today, July 8, 2008, is Patch Tuesday for supported Microsoft operating systems, so I dutifully visited Microsoft Updates manually and installed the DNS patch referred to in this bulletin: Microsoft Security Bulletin MS08-037 – Important: Vulnerabilities in DNS Could Allow Spoofing (953230). This is rated as an "important" patch by Microsoft. Applying this patch is supposed to protect one's PC from DNS spoofing attacks.

However, the patch appears to be overzealous in its implementation. After restarting Windows I was unable to access the Internet whatsoever! I had to use System Restore to rollback to just before I installed this patch, then I was able to get back online and write this article.

I recommend that my readers use caution before installing this patch today. First, be sure you have System Restore turned on. Even then you could wait until tomorrow in case Microsoft discovers the problem and patches the patch!

I don't know if this loss of connectivity was caused by the patch itself, or by a bad interaction with one of my security applications. Therefore, I am going to list my operating system and security program details, in case any of you have a similar setup. This might save you from having to run System Restore, or reinstalling Windows if you have System Restore turned off.

My setup:
OS: Windows XP Professional with Service Pack 3
All previous Windows Updates were installed; I am fully up to date.
No viruses, no spyware, no hostile LSPs are present after multiple scans.
I operate as a Power User, not an Administrator, except to run Windows Updates, install drivers, or uninstall applications requiring administrator privileges.

My security is provided by the following applications:
Avira AntiVir Free current version and up to date (no problems)
Trend Micro Web Protection Add-on v 1.2 (90 day trial - works perfectly)
>> ZoneAlarm Personal Firewall Causes this problem! (See extended comments)
Spybot Search and Destroy 1.5.2, without Tea Timer (no resident module)

Everything returned to normal as soon as I restored my PC to just before I installed Windows Update MS08-037, a.k.a: Kb953230. Knowledge Base article Kb953230 is found here and has a list of known problems that users are experiencing after installing this flawed update. They need to go back to the drawing board with this patch. I recommend that you read the aforementioned article before installing the patch on your computer.

I'll add information as a follow-up, once I learn the exact cause of my loss of Internet connectivity, as relates to patch #MS08-037.

The cause and solution for my loss of Internet connectivity after applying MS patch MS08-037 has been found and is detailed in my extended comments.

Wiz

Cause of my loss of Internet access after applying Microsoft patch MS08-037

The ZoneAlarm Personal Firewall (v7.0.470.000) is the cause!

It appears that ZoneAlarm's Firewall has a built in detection that catalogs certain system files that have to do with Internet connectivity and if they change it denies them access to the 'net. Normally one would get a pop-up program alert about a change in the file signature, but I got no such alert from this change in the TCP stack. Therefore, I had no chance to allow the change, as one normally can do when a file gets updated. But, I experimented with various program settings and found one that fixed the problem in an instant.

To restore your Internet access after losing it, by applying patch MS08-037, open the ZoneAlarm control center by double-clicking on the "Z" in the System Tray. When the control center opens click on the word "Firewall" on the left, then on the "Main" tab on the right, and lower the "Internet Zone Security" slider from High to Medium. That will instantly fix the connectivity problem, but removes your stealth status, leaving you more at risk than before from TCP attacks. This is more of a problem for people who are directly connected to a broadband or dial-up modem, rather than to a router (or combo modem/router). Computers behind a NAT router (wired or wireless) are already hidden from most hostile TCP probes from the 'Net.

After you reset the "Internet Zone Security" in the ZoneAlarm Personal Firewall to Medium, go ahead and re-install the DNS spoofing patch MS08-037 (Hotfix #951478, via Windows Updates. Be sure you reboot. Unless another security program is watching for and blocking program signature changes, you should be connected again upon entering the Wonderful World of Windows (WWW).

Hopefully, ZoneAlarm will realize that their firewall is causing problems with Windows PCs that are patched against the DSN spoofing attacks and will quickly issue an updated version to cope with this situation.

Posted by Wiz at 2:12 PM | Permalink

back to top ^

"Stupid Russian Blog Spammers Still Wasting Their Time" makes for a catchy, surreal title, but it's true. The same country that produced the brilliant criminal masterminds behind the Storm and Grisbi Worms has also produced some of the stupidest blog spammers to ever set finger to keyboard!

Let me explain what I am referring to regarding stupid blog spammers. First of all, look up in the upper right corner of this blog, just under the Google search field. Here's what it says in capital letters: "SORRY: NO COMMENTS, NO TRACKBACKS!" That should be self explanatory to almost anybody who can read English words, including people intent on spamming a blog such as this one, using English words. You know the crap I'm talking about; links to buy unlicensed or illegal drugs or herbal solutions, to cure "ED" or enlarge one's "natural size." When I first started this blog I did allow trackbacks and comments and that is what I was getting submitted, all in English and all traced to Russian and Ukrainian IP addresses.

As soon as I realized that only blog spammers were trying to comment on my blog I decided to disable the codes and modules that allowed comments and trackbacks. Still, these idiots in Russia and the Ukraine continued trying to POST comments and trackbacks to the now disabled modules that used to handle those functions. This led me to write three articles about these incidents, during the spring and summer of 2007. Their names and links to them are as follows:

1. Stupid Blog Trackback Spammers Don't Understand Server 403 Responses


2. Russian and Ukrainian Blog Spammers are STUPID!


3. Blog spammers still wasting their time tying to spam this unspammable blog

I wrote those articles about a year ago, yet, I still see daily access log entries being blocked with server 403 responses, belonging to Russian IP addresses trying to POST spam comments or Trackbacks to this blog. It is obvious that these spammers are using scripts, but, being stupid spammers they don't bother to verify if those scripts are being allowed to complete their submissions, or check my blog to see if their comments were even posted. I'll bet somebody is paying these idiots to send blog spam for them and they are ripping off the guys with the money. If my blog is any indication of their lack of any level of intelligence, then I am guessing that they are having a similar lack of success trying to spam your blogs. Still, some of their attempts may work on unsecured servers.

Anyway, insults to the enemy aside (it feels good though!), I never see the comments they are typing, just an access log entry containing a 403 Forbidden, or 302 redirect back to their own websites (lol). My Apache-based, shared-hosting web server is protected with a custom ".htaccess" file that contains my entire, now-famous, "Russian Blocklist!" Many webmasters are using this blocklist to keep Russian and Turkish spammers and hackers from accessing their web sites.

If your web site and blog is hosted on a shared Apache/Linux based web server and you want to block access to IP addresses in the former Soviet Union and Turkey, just download my Russian .Htaccess Blocklist and either use it as your new .htaccess file, or merge the "deny from" list into your existing .htaccess. Full instructions are included on my .htaccess blocklists landing page and on each blocklist page. The landing page has links to all of my existing .htaccess IP blocklists (Chinese, Nigerian, Russian and Exploited Servers), as well as my iptables Linux firewall blocklist equivalents.

An actual access log entry and codes you can use to block web site access to these people, are in my extended content.

Here, for the immediate protection of your blogs, is the IP address of this latest Russian blog spammer, whom I am redirecting back to his own Russian server (he-he), which laughably is a password protected login page requiring his credentials to access it (results in a 401 Authorization Required error):

82.146.58.235 - - [06/Jul/2008:23:15:03 -0600] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.1" 302 763 "-" "-"

.htaccess block rule:
order deny,allow
<Files *>
deny from 82.146.58.235
# other deny from IPs
</Files>

Better yet, let's block his entire ISP; "ISPsystem-RU at CORBINA," using their CIDR:

order deny,allow
<Files *>
deny from 82.146.56.0/21
# other deny from IPs
</Files>

These rules deny HTTP or https access to all files and folders on an Apache hosted web site, to all IP addresses encompassed by multiple individual IPs, or CIDRs.

Here is my .htaccess mod_rewrite rule to redirect blog spammers back to their own IP address:

RewriteCond %{THE_REQUEST} ^POST\ /blogs/.+
RewriteRule (.*) http://%{REMOTE_ADDR} [L]

To block access to ALL services, including ftp, ssh and email, you must have administrator access to the Linux operating system. If you have root access you can apply my iptables blocklists to the APF.

Posted by Wiz at 6:28 PM | Permalink

back to top ^

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category; "Other."

MailWasher Pro spam category breakdown for June 30 - July 6, 2008. Spam amounted to 51% of incoming email this week.

Other filters: (See my MWP Filters page)	23.08%
"Opera Mail" Spam from Russia (Enlargement herbals):	17.31%
Blacklisted Domains/Senders:	16.03%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals):	14.10%
Male enhancement spam (subject and body):	10.26%
"Apple Mail" Spam (Male Enhancement, etc):	6.41%
Counterfeit Watches:	3.85%
HTML Tricks:	3.85%
Pirated Software:	3.85%
DNS Blacklists:	0.64%
Bayesian learning filter:	0.64%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft