Wiz's Computer and Website Security Blog

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category; "Other."

I want to make mention that the largest type of spam/scam I saw this week is from the Storm Botnet, in the form of ludicrous news headlines in the subject and body and a single link to website where your computer is bombarded with multiple exploits. Should your computer be too well protected to fall for the automatic exploits there is one left trick that is netting as many victims as the auto-exploits do. The web page presents you with a fake PornTube or YouTube player containing a notice that you must click to download a missing video codec to play the movie. Of course, the only thing downloaded when one clicks on the image is a copy of the Storm Trojan installer file and your computer instantly becomes a Zombie member of the Storm Botnet.

MailWasher Pro spam category breakdown for July 14 - 20, 2008. Spam amounted to 44% of incoming email this week.

Other filters: (See my MWP Filters page)	22.35%
Male enhancement spam (subject and body):	12.29%
Blacklisted Domains/Senders:	11.17%
"Opera Mail" Spam from Russia (Storm Trojan):	10.06%
"Apple Mail" Spam (Storm Trojan):	8.38%
Exploit link to Trojan download:	8.38%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals):	8.38%
Digits or Consonants forged sender:	6.70%
Loans/Bankruptcy/Insurance Scams:	6.15%
DNS Blacklists:	3.91%
Blocked Countries:	2.23%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

Posted by Wiz at 2:00 PM | Permalink

back to top ^

I usually write articles about computer or website security on my blog and a lot of people seem to benefit from my articles. Security is on almost everybody's mind these days, whether it relates to your computer, website, job, car, or home. Today I would like to address the problem that I see a lot in the local news; home burglaries where the thieves gain entry by kicking in a door. One of the frequently stolen items in these crimes is a computer, so in a way this is about securing your computer - physically. It is also a plug for a local Flint, Michigan business owned by people I know personally, who are trying to make a difference.

The days of simply closing your front door and retiring for the evening have given way to deadbolt locks and chains. But today, even deadbolts and chains don't seem to offer enough security against determined home invasion burglars. A determined thief won't waste time trying to pick the lock; he'll just kick the door open, breaking through the lock jam in the wood, ripping it out by the screws, taking you by surprise in the middle of the night! If you live in a place where this kind of crime happens you need a better method of protecting your doors and your family. Enter the Taylor Brothers "NIGHTLOCK" Door Lock.

The NIGHTLOCK Door Lock is a floor mounted solution to kick-ins and forced door jams. It is made out of solid aluminum, with an anodized brass finish and matching solid brass screws and can be mounted into any type of floor, including cement floors - using the plastic anchors supplied with the kit. The NIGHTLOCK is mounted directly behind the door, on the side where it opens, which is the point of least resistance when somebody forces the door open. The NIGHTLOCK stopper bracket easily slides into the 7/16" high floor-mounted base plate and sticks up about 2 inches above the bottom of the door. This takes away the freedom of motion that burglars count on when they kick in or force the door open. Unless they are able to break it off the hinges, on the other side, they ain't getting in through that door! I have tried forcing an unlocked door open with NIGHTLOCK behind it and almost threw out my shoulder! It really works (ouch!).

There is a short video presentation demonstrating how the NIGHTLOCK protects you from door kick-ins on the NIGHTLOCK website home page. They are made in Flint, Michigan, by the Taylor Brothers, cost $29.95, plus UPS or Priority Post shipping (+ sales tax for Michigan residents). They are always in stock and are shipped fast. If you live within driving distance of Flint, Michigan, you can see them on display and buy them in person at Taylor Steel Co, on Coldwater Rd, just west of Dort Highway. Tell them Wiz sent you!

Posted by Wiz at 2:53 PM | Permalink

back to top ^

On July 16, 2008, Mozilla released Firefox 3.01, patching three critical vulnerabilities, and 2.0.0.16, patching two critical security vulnerabilities, as reported by Secunia and other locations. Here is an outline of what has been patched in FF 3.01:

• Fixed these security issues:
  
  
  
  1. MFSA 2008-36 Crash with malformed GIF file on Mac OS X
  
  
  2. MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not running
  
  
  3. MFSA 2008-34 Remote code execution by overflowing CSS reference counter
  
  
  
  


• Fixed several stability issues.


• Fixed an issue where the phishing and malware database did not update on first launch.


• Under certain circumstances, Firefox 3.0 did not properly save the SSL certificate exceptions list.
  
• Updated the internal Public Suffix list (List of known domain suffixes).


• In certain cases, installing Firefox 2 in the same directory in which Firefox 3 has been installed resulted in Firefox 2 being unstable. This issue was fixed as part of Firefox 2.0.0.16.


• Fixed an issue where, when printing a selected region of content from the middle of a page, some of the output was missing (bug 433373).


• Fixed a Linux issues where, for users on a PPP connection (dialup or DSL) Firefox always started in "Offline" mode (bug 424626).

If you haven't already received your notice to upgrade, from the browser itself, go to the Firefox download page and get it manually. Just install over your previous installation, overwriting your existing installation of Firefox. You won’t lose any of your bookmarks or browsing history, but some of your extensions and other add-ons might not work until updates for them are made available (or you learn how to hack the install.rdf files like I do).

As always, after you update your browser you may have to allow it to connect to the Internet, if you have ZoneAlarm FIrewall, or a similar firewall that monitors for program md5 signature changes.

Firefox can be installed onto any of these operating systems:

Windows Operating Systems
* Windows 2000
* Windows XP
* Windows Server 2003
* Windows Vista

Mac
Mac OS X 10.4 and later

Linux
Firefox will not run at all without the following Linux libraries or packages:

* GTK+ 2.10 or higher
* GLib 2.12 or higher
* Pango 1.14 or higher
* X.Org 1.0 or higher

If you are still using Firefox version 2.x I recommend that you upgrade to 3.x as soon as possible. Although Firefox 2 has been patched regularly and is now up to version 2.0.0.16 (as of July 15, 2008), that is set to come to an end sometime in December, 2008. After that time there will be no more security or stability updates for that series.

A lot of people are probably holding out because their beloved extensions or add-ons haven't been updated to be compatible with the series 3 Firefox browsers. Did you guys and gals know that in many cases you can hack the install files, or sometimes just from a downloaded extension onto an open Firefox browser window and it will begin the installation routine?

Hacking the installation files requires an unzipping program like Winzip, WinRar, 7zip, Unzip, etc. A downloaded add-on always has the file extension .xpi which is a compressed archive that can be opened in any of the above mentioned unzipping programs. I use Winzip to do this. Here is my routine.

• Right-click on the desired add-on or extension and select Save As.


• Download the file to my downloads folder for Firefox stuff.


• When the extensions are all downloaded I open them, one at a time, by right-clicking and selecting "Open With:" > "Winzip."


• Winzip opens with a list of files and folder locations, of the archive.


• Find the file named "install.rdf" and right-click on it and select "View with Notepad." If that option isn't listed yet, use the right-click option "View with internal viewer" and place a dot in "Viewer," making sure that "Notepad" is showing in the input field, then click VIEW.


• Search the text in the rdf file until you find a section labeled "(numbers/letters)"


• Look at the numbers right after that tag and make sure they say, or change them to say: 3.0.*


• Click File > Save then close Notepad. Winzip popos up a box asking if you want to "update the archive with this file?" ... answer "Yes."

As long as the add-on or extension doesn't use a procedure or call accessory files that are forbidden in the newer versions of Firefox - it should install and work just like it did in the 2.x series browsers. Just be prepared for the occasional rejection of totally incompatible extensions.

Ok, class is out. Time for recess! Wiz Out!

Posted by Wiz at 8:02 PM | Permalink

back to top ^

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

News Flash!
Spybot Search and Destroy 1.6 was released on July 8, 2008. Upgrade now! Read more about it in my extended comments.

Additions made on July 16, 2008:

Adware
+ BaiduBar

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners)
+ Fraud.XPAntivirus
+ IEDefender
+ Win32.BHO.je
+ Win32.Renos

Spyware
++ PassView

Trojans
+ Bifrose.LA
+ Smitfraud-C.MSVPS
++ Nurech
+ Virtumonde
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.51
+ Win32.Agent.aaw
++ Win32.Agent.agh
+ Win32.Autoit.p
++ Win32.AutoRun.lx
++ Win32.Bifrose.da
++ Win32.Delf.Crypt.c
++ Win32.Delf.qc
++ Win32.VB.f
+ Win32.Rbot
+ Zlob.Downloader.pit
+ Zlob.Downloader.wet
+ Zlob.MovieBox

Total: 700725 fingerprints in 178431 rules for 4069 products.

False positive detections reported or fixed this week:

In Spybot v1.6.0 a few users, including me, have reported what appears to be multiple false positive reports of Smitfraud-C and Worldsecurityonline.FakeAlert, with the July 9 2008 definition updates, but only after right-clicking and scanning a particular drive, folder, or file. The false positives are only displayed in the "Heuristic" scan analysis; not in standard scans from the program interface, or in the Malware (top) section of the right-click-scan window. Some of these false positives are being fixed this week, while others may take longer to isolate and fix.

The heuristics scan will be more reliable with the upcoming update, but changes still have to be made.
So if in doubt about a heuristics result (after the update today), you can also submit the file to [email protected] for analysis.

There is a confirmed false positive detection of "Performance Optimizer" in a legitimate product named MySecurityCenter PC Performance Optimizer and possibly other "optimizers." The actual fake product being searched for is named "Sellmosofts Performance Optimizer." This has been narrowed to fix the problem with today's updates.

If you are still using Spybot S&D 1.3, or 1.4, please read this!

I have read several false positive reports regarding CoolWWWSearch.hjg and HellzLittleSpy from people still using the old versions 1.3 and 1.4 of Spybot Search and Destroy. I must stress that you cannot trust these versions to be 100% accurate when updated with current definitions. In fact, the opposite appears to be true; they are producing false positive detections with recent updates.

These are false positive which occur because Spybot 1.3 is outdated and does not understand the more complex rules made for 1.5.2 and newer.

Apply the main update that shows up within the internal updater to upgrade to (1.6.x).

If your computer gets stuck in a logon/logoff loop, after updating and scanning with these older versions of Spybot, visit this forum page for a solution, from Team Spybot.

If you are using any version older than 1.5.2, please upgrade to the current version of Spybot S&D, which is now 1.6.0.

If you get an alert about that detection for a file you think is legitimate you should submit it to Team Spybot for analysis.

Spybot Search & Destroy version 1.6.0, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. It scans for threats much faster than 1.5.2 does. If you are still using version 1.3 or 1.4, I strongly recommend that you update to 1.6.x, using the company links below. These older versions are giving more frequent false positives than ever before.

Some users are having problems with Spybot S&D updates when running as less privileged users (Limited or Power Users). First off, less privileged users can no longer apply most immunization rules from within their accounts, unless they use the "Run as" command to run the program as an administrator. Your solution is to first run the Spybot Updater, from your Start menu > Programs > "Spybot - Search & Destroy" > "Update Spybot-S&D." The updater is now a separate application. To avoid possible account corruption from the rootkit detections, run the Spybot Updater before you open the actual Spybot S&D program. Download all available updates from the best server location (I prefer the Safer Networking servers). Exit the updater after all definitions have been installed and green checkmarks are displayed for all updates.

After the updater has exited you can right-click on the shortcut to Spybot S&D and "Run As" an administrator, with your administrator account password (only if you login as a Limited or Power User). When the program opens you should immediately use the Immunize button to apply the level of protection you desire to the selectable applications. These typically include major browsers, domains, cookies, and the Windows HOSTS file. If you are an advertiser or publisher in an affiliate network be sure you exclude cookies for your affiliate programs that are in the detections list, or you'll have problems logging into your affiliate accounts. I have to exclude Commission Junction and Linkshare detections in both cookies, domains and HOSTS immunizations. Apparently, the authors of Spybot are down on advertising cookies and domains. Oh well (sigh).

Another problem being reported is when you run some versions of Spybot S&D it stops with a warning about problems including the file C:\Program Files\Spybot-Search_Destroy\Includes\TrojansC.sbi. The current errors with the Trojans.sbi and TrojansC.sbi files are caused by new detection rules that are incompatible with versions of Spybot prior to 1.5.2. These new detection rules use the new Anti-Rootkit plugins #1, #2 and #3 that only have been offered as updates to Spybot 1.5.2. If you upgrade to Spybot 1.5.2 you will not only eliminate the error messages but in also will be performing rootkit searches while doing a Spybot "Check for problems".

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as an individuals who benefits from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.

Posted by Wiz at 3:05 AM | Permalink

back to top ^

Note: Updated on July 20, 2008, with new information

There is a surge going on right now in the amount of spammed email messages being blasted out by Botnets, with ludicrous news headlines in the Subjects. The subjects try to tempt you to read the message, then click on the enclosed link to read the details about the subject, or some other alleged news story. The headlines are sucker bait, with a nasty payload at the other end of the links contained in the message bodies.

Different from any news flashes to which you may actually subscribe, these arrived unsolicited in your inbox, from unknown, forged sender names and addresses and from domains you have to relationship with. Many are sent using forged .de (German) domains in the From address, in addition to .it, .ru and others.

If you hold your mouse pointer over the links in these messages you will see a lot of domains extensions for various countries around the World. Some I have seen just today include .de, .it, .fr and .ru. The domain name is followed by a forward slash (/) and a file name. The initial spam run file name was "main.html" (e.g. example.com/main.html). Other Trojan link file names have already appeared, such as "start.html" and "news.html." If you were to go to those domains in the links, using "wannabrowser," with "follow redirects" unchecked, you would see that many of the first responding domains are hosted on hacked Microsoft IIS servers. They all contain meta redirect tags that forward normal browsers to another domain, usually a zombie PC in the Storm Botnet, or a web site hosted in China or Russia. Once you arrive there your browser gets assaulted by numerous hostile JavaScript codes and iframe exploits. Should all those fail to automatically exploit your computer they supply self-infection links!

And what method do they employ to get you to click on these links to infect your own computer? The bait is a fake, look-alike "Porntube" video player that requires a special video "codec" to play the free sample movie. They even provide fake reviews under the fake player placeholder, from make-believe happy viewers before you! These guys are professionals and very good at the Con Game they are playing.

The payload file name may vary, but so far I have seen "video.exe," "watch.exe" and "view.exe" as the name of the payload file it delivers. That file is actually the "Storm Trojan" and it is infecting unprotected computers, or gullible computer owners, all around the World.

If you know, or suspect that you have become a victim of the Storm, or any other Trojan, you should obtain legitimate anti-malware software and scan for and remove all threats, after updating the program with the latest definitions. I use Spybot Search and Destroy, which is updated weekly and is totally free, but which you must remember to update manually and scan manually. It is one of my routine tasks that I do on Wednesdays, when the Spybot S&D definition updates are released.

Most people don't want to mess with security programs that they have to micro manage every time they want to use them. For you folks a commercial application makes more sense. While I know of many security products and have ads for them I am leaning towards Trend Micro Internet Security now. Their existing program used to be called PC-cillin and is well respected in the anti virus field. But, they are venturing where no man has gone before: to the Cloud!

I'll tell you more about this new development soon. For now, if you need a really solid anti-virus | anti-spyware | anti phishing | and anti-spam solution, you will not go wrong with Trend Micro Internet Security 2008. As a favor to my readers, enter coupon code TrendIS08 during your purchase and I'll save you 10% off the going rate!

Till next time, practice safe hex !

Posted by Wiz at 3:16 PM | Permalink

back to top ^

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category; "Other."

MailWasher Pro spam category breakdown for July 7 - 13, 2008. Spam amounted to 53% of incoming email this week.

Other filters: (See my MWP Filters page)	21.69%
Blacklisted Domains/Senders:	21.08%
Male enhancement spam (subject and body):	13.85%
Hidden ISO Subject:	10.24%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals):	9.63%
Loans/Bankruptcy/Insurance Scams:	7.23%
"Opera Mail" Spam from Russia (Enlargement herbals):	5.42%
"Apple Mail" Spam (Male Enhancement, ED, etc):	4.22%
Digits or Consonants forged sender:	3.01%
DNS Blacklists:	2.41%
Bayesian learning filter:	1.20%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

Posted by Wiz at 12:44 PM | Permalink

back to top ^

Checkpoint, the owners of the famous ZoneAlarm Personal Firewall, has released a patched version of their firewall, to fix a problem caused when Windows 2000 and XP computers received the July 8, 2008 Windows Updates patch MS08-037. You can read about what happened to me and millions of other ZoneAlarm users on this blog article, which I wrote on July 8, after I used System Restore to get back online. It took several hours of troubleshooting to discover that the ZoneAlarm firewall was the cause of my loss of Internet access. As it turned out all one had to do to get reconnected was to lower a security slider from high to medium! Doh!

Before I go into the details about why this happened I want to give you a direct link to the ZoneAlarm download page, where you can download the appropriate upgrade to the program you are using, which caused a loss of Internet access after applying MS08-037.

The official statement from the ZoneAlarm folks, on July 8, was that you should uninstall the Microsoft patch to get back online! "Bullshit! What's that you say?" They began to change their tone yesterday and issued a patched version of five ZoneAlarm security products that are known to cause this loss of connectivity after installing MS08-037 on Windows 2000 and XP computers (see page linked to above).

So what actually caused ZoneAlarm for Windows 2000 and XP to freak out and deny Internet access to all their firewall users, on July 8? Was it a fundamental design flaw? Was it Microsoft's patch being flawed? None of those was the cause. It was because ZoneAlarm uses "undocumented hooks" into the Windows 2000 and XP "kernel" to enforce security against malware infections. Windows Vista closed this undocumented feature and forces security vendors to use other methods to perform their jobs, thus Vista users were not knocked offline on Tuesday.

So, what really happened is that ZoneAlarm did its job too well, because the "kernel" components that manage Internet connections got altered by the Windows Update "DNS Spoofing" patch, and the nature of that update was so profound that the ZoneAlarm firewall blocked all Internet access believing that the OS had been invaded by malware.

If you have already reduced your ZoneAlarm security slider to Medium, or have uninstalled the Microsoft patch to get back online, I recommend that you download the new ZoneAlarm program that was updated to address the problem, but set a System Restore Point first (XP only). That way if the updated ZoneAlarm program is still buggy you can roll back to the previous version and leave the slider at medium, until they produce a stable upgrade. If you uninstalled the MS08-037 patch you should reinstall it, via Windows Updates.

This is all in flux right now. I will post a follow-up to this once the dust settles.

Posted by Wiz at 11:36 AM | Permalink

back to top ^

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

News Flash!
Spybot Search and Destroy 1.6 was just released on July 8, 2008. Upgrade now!

Additions made on July 9, 2008:

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax
+ PerfectKeylogger

Malware (Includes fake anti-virus and anti-spyware programs, like VirusHeat and Vario and fake registry cleaners)
+ AllInOneKeylogger
+ AntiSpyCheck
+ Fake.SecurityAlert
+ FakeAlert.cc
++ Fraud.XpCleaner
+ Win32.BHO.je (6)
++ Win32.AOLPass.i

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans
+ CoolWWWSearch.hjg (5)
++ Fagianom
+ Smitfraud-C.MSVPS
+ Virtumonde
+ Virtumonde.dll
+ Virtumonde.sdn
+ Win32.Agent.pn
++ Win32.Autoit.p
++ Win32.AutoRun.dli (63)
++ Win32.Buzus.jqw
++ Win32.Delf.Crypt.c
++ Win32.Delf.es
++ Win32.Emogen-K
++ Win32.Podnuha.ee
++ Win32.Small.UBV
++ Win32.VB.cj
++ Win32.Webdir.b
+ Win32.Zhelatin.ah (Storm Trojan)
+ Zlob.Downloader.lor
+ Zlob.Downloader.pit
++ Zlob.Downloader.wet

Total: 691992 fingerprints in 176938 rules for 4055 products.

False positive detections reported or fixed this week:

In Spybot v1.6.0 a few users have reported what appears to be multiple false positive reports of Smitfraud-C, with today's definition updates (7/9/08) but only after right-clicking and scanning a particular drive, folder, or file.

No fp's reported concerning version 1.5.2. Plenty concerning versions 1.3 and 1.4.

If you are still using Spybot S&D 1.3, or 1.4, please read this!

I have read several false positive reports regarding CoolWWWSearch.hjg and HellzLittleSpy from people still using the old versions 1.3 and 1.4 of Spybot Search and Destroy. I must stress that you cannot trust these versions to be 100% accurate when updated with current definitions. In fact, the opposite appears to be true; they are producing false positive detections with recent updates.

These are false positive which occur because Spybot 1.3 is outdated and does not understand the more complex rules made for 1.5.2 and newer.

Apply the main update that shows up within the internal updater to upgrade to (1.6.x).

If your computer gets stuck in a logon/logoff loop, after updating and scanning with these older versions of Spybot, visit this forum page for a solution, from Team Spybot.

If you are using any version older than 1.5.2, please upgrade to the current version of Spybot S&D, which is now 1.6.0.

If you get an alert about that detection for a file you think is legitimate you should submit it to Team Spybot for analysis.

Spybot Search & Destroy version 1.6.0, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. It scans for threats much faster than 1.5.2 does. If you are still using version 1.3 or 1.4, I strongly recommend that you update to 1.6.x, using the company links below. These older versions are giving more frequent false positives than ever before.

Some users are having problems with Spybot S&D updates when running as less privileged users (Limited or Power Users). First off, less privileged users can no longer apply most immunization rules from within their accounts, unless they use the "Run as" command to run the program as an administrator. Your solution is to first run the Spybot Updater, from your Start menu > Programs > "Spybot - Search & Destroy" > "Update Spybot-S&D." The updater is now a separate application. To avoid possible account corruption from the rootkit detections, run the Spybot Updater before you open the actual Spybot S&D program. Download all available updates from the best server location (I prefer the Safer Networking servers). Exit the updater after all definitions have been installed and green checkmarks are displayed for all updates.

After the updater has exited you can right-click on the shortcut to Spybot S&D and "Run As" an administrator, with your administrator account password (only if you login as a Limited or Power User). When the program opens you should immediately use the Immunize button to apply the level of protection you desire to the selectable applications. These typically include major browsers, domains, cookies, and the Windows HOSTS file. If you are an advertiser or publisher in an affiliate network be sure you exclude cookies for your affiliate programs that are in the detections list, or you'll have problems logging into your affiliate accounts. I have to exclude Commission Junction and Linkshare detections in both cookies, domains and HOSTS immunizations. Apparently, the authors of Spybot are down on advertising cookies and domains. Oh well (sigh).

Another problem being reported is when you run some versions of Spybot S&D it stops with a warning about problems including the file C:\Program Files\Spybot-Search_Destroy\Includes\TrojansC.sbi. The current errors with the Trojans.sbi and TrojansC.sbi files are caused by new detection rules that are incompatible with versions of Spybot prior to 1.5.2. These new detection rules use the new Anti-Rootkit plugins #1, #2 and #3 that only have been offered as updates to Spybot 1.5.2. If you upgrade to Spybot 1.5.2 you will not only eliminate the error messages but in also will be performing rootkit searches while doing a Spybot "Check for problems".

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as an individuals who benefits from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.

Posted by Wiz at 12:37 PM | Permalink

back to top ^

Today, July 8, 2008, is Patch Tuesday for supported Microsoft operating systems, so I dutifully visited Microsoft Updates manually and installed the DNS patch referred to in this bulletin: Microsoft Security Bulletin MS08-037 – Important: Vulnerabilities in DNS Could Allow Spoofing (953230). This is rated as an "important" patch by Microsoft. Applying this patch is supposed to protect one's PC from DNS spoofing attacks.

However, the patch appears to be overzealous in its implementation. After restarting Windows I was unable to access the Internet whatsoever! I had to use System Restore to rollback to just before I installed this patch, then I was able to get back online and write this article.

I recommend that my readers use caution before installing this patch today. First, be sure you have System Restore turned on. Even then you could wait until tomorrow in case Microsoft discovers the problem and patches the patch!

I don't know if this loss of connectivity was caused by the patch itself, or by a bad interaction with one of my security applications. Therefore, I am going to list my operating system and security program details, in case any of you have a similar setup. This might save you from having to run System Restore, or reinstalling Windows if you have System Restore turned off.

My setup:
OS: Windows XP Professional with Service Pack 3
All previous Windows Updates were installed; I am fully up to date.
No viruses, no spyware, no hostile LSPs are present after multiple scans.
I operate as a Power User, not an Administrator, except to run Windows Updates, install drivers, or uninstall applications requiring administrator privileges.

My security is provided by the following applications:
Avira AntiVir Free current version and up to date (no problems)
Trend Micro Web Protection Add-on v 1.2 (90 day trial - works perfectly)
>> ZoneAlarm Personal Firewall Causes this problem! (See extended comments)
Spybot Search and Destroy 1.5.2, without Tea Timer (no resident module)

Everything returned to normal as soon as I restored my PC to just before I installed Windows Update MS08-037, a.k.a: Kb953230. Knowledge Base article Kb953230 is found here and has a list of known problems that users are experiencing after installing this flawed update. They need to go back to the drawing board with this patch. I recommend that you read the aforementioned article before installing the patch on your computer.

I'll add information as a follow-up, once I learn the exact cause of my loss of Internet connectivity, as relates to patch #MS08-037.

The cause and solution for my loss of Internet connectivity after applying MS patch MS08-037 has been found and is detailed in my extended comments.

Wiz

Cause of my loss of Internet access after applying Microsoft patch MS08-037

The ZoneAlarm Personal Firewall (v7.0.470.000) is the cause!

It appears that ZoneAlarm's Firewall has a built in detection that catalogs certain system files that have to do with Internet connectivity and if they change it denies them access to the 'net. Normally one would get a pop-up program alert about a change in the file signature, but I got no such alert from this change in the TCP stack. Therefore, I had no chance to allow the change, as one normally can do when a file gets updated. But, I experimented with various program settings and found one that fixed the problem in an instant.

To restore your Internet access after losing it, by applying patch MS08-037, open the ZoneAlarm control center by double-clicking on the "Z" in the System Tray. When the control center opens click on the word "Firewall" on the left, then on the "Main" tab on the right, and lower the "Internet Zone Security" slider from High to Medium. That will instantly fix the connectivity problem, but removes your stealth status, leaving you more at risk than before from TCP attacks. This is more of a problem for people who are directly connected to a broadband or dial-up modem, rather than to a router (or combo modem/router). Computers behind a NAT router (wired or wireless) are already hidden from most hostile TCP probes from the 'Net.

After you reset the "Internet Zone Security" in the ZoneAlarm Personal Firewall to Medium, go ahead and re-install the DNS spoofing patch MS08-037 (Hotfix #951478, via Windows Updates. Be sure you reboot. Unless another security program is watching for and blocking program signature changes, you should be connected again upon entering the Wonderful World of Windows (WWW).

Hopefully, ZoneAlarm will realize that their firewall is causing problems with Windows PCs that are patched against the DSN spoofing attacks and will quickly issue an updated version to cope with this situation.

Posted by Wiz at 2:12 PM | Permalink

back to top ^

"Stupid Russian Blog Spammers Still Wasting Their Time" makes for a catchy, surreal title, but it's true. The same country that produced the brilliant criminal masterminds behind the Storm and Grisbi Worms has also produced some of the stupidest blog spammers to ever set finger to keyboard!

Let me explain what I am referring to regarding stupid blog spammers. First of all, look up in the upper right corner of this blog, just under the Google search field. Here's what it says in capital letters: "SORRY: NO COMMENTS, NO TRACKBACKS!" That should be self explanatory to almost anybody who can read English words, including people intent on spamming a blog such as this one, using English words. You know the crap I'm talking about; links to buy unlicensed or illegal drugs or herbal solutions, to cure "ED" or enlarge one's "natural size." When I first started this blog I did allow trackbacks and comments and that is what I was getting submitted, all in English and all traced to Russian and Ukrainian IP addresses.

As soon as I realized that only blog spammers were trying to comment on my blog I decided to disable the codes and modules that allowed comments and trackbacks. Still, these idiots in Russia and the Ukraine continued trying to POST comments and trackbacks to the now disabled modules that used to handle those functions. This led me to write three articles about these incidents, during the spring and summer of 2007. Their names and links to them are as follows:

1. Stupid Blog Trackback Spammers Don't Understand Server 403 Responses


2. Russian and Ukrainian Blog Spammers are STUPID!


3. Blog spammers still wasting their time tying to spam this unspammable blog

I wrote those articles about a year ago, yet, I still see daily access log entries being blocked with server 403 responses, belonging to Russian IP addresses trying to POST spam comments or Trackbacks to this blog. It is obvious that these spammers are using scripts, but, being stupid spammers they don't bother to verify if those scripts are being allowed to complete their submissions, or check my blog to see if their comments were even posted. I'll bet somebody is paying these idiots to send blog spam for them and they are ripping off the guys with the money. If my blog is any indication of their lack of any level of intelligence, then I am guessing that they are having a similar lack of success trying to spam your blogs. Still, some of their attempts may work on unsecured servers.

Anyway, insults to the enemy aside (it feels good though!), I never see the comments they are typing, just an access log entry containing a 403 Forbidden, or 302 redirect back to their own websites (lol). My Apache-based, shared-hosting web server is protected with a custom ".htaccess" file that contains my entire, now-famous, "Russian Blocklist!" Many webmasters are using this blocklist to keep Russian and Turkish spammers and hackers from accessing their web sites.

If your web site and blog is hosted on a shared Apache/Linux based web server and you want to block access to IP addresses in the former Soviet Union and Turkey, just download my Russian .Htaccess Blocklist and either use it as your new .htaccess file, or merge the "deny from" list into your existing .htaccess. Full instructions are included on my .htaccess blocklists landing page and on each blocklist page. The landing page has links to all of my existing .htaccess IP blocklists (Chinese, Nigerian, Russian and Exploited Servers), as well as my iptables Linux firewall blocklist equivalents.

An actual access log entry and codes you can use to block web site access to these people, are in my extended content.

Here, for the immediate protection of your blogs, is the IP address of this latest Russian blog spammer, whom I am redirecting back to his own Russian server (he-he), which laughably is a password protected login page requiring his credentials to access it (results in a 401 Authorization Required error):

82.146.58.235 - - [06/Jul/2008:23:15:03 -0600] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.1" 302 763 "-" "-"

.htaccess block rule:
order deny,allow
<Files *>
deny from 82.146.58.235
# other deny from IPs
</Files>

Better yet, let's block his entire ISP; "ISPsystem-RU at CORBINA," using their CIDR:

order deny,allow
<Files *>
deny from 82.146.56.0/21
# other deny from IPs
</Files>

These rules deny HTTP or https access to all files and folders on an Apache hosted web site, to all IP addresses encompassed by multiple individual IPs, or CIDRs.

Here is my .htaccess mod_rewrite rule to redirect blog spammers back to their own IP address:

RewriteCond %{THE_REQUEST} ^POST\ /blogs/.+
RewriteRule (.*) http://%{REMOTE_ADDR} [L]

To block access to ALL services, including ftp, ssh and email, you must have administrator access to the Linux operating system. If you have root access you can apply my iptables blocklists to the APF.

Posted by Wiz at 6:28 PM | Permalink

back to top ^

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category; "Other."

MailWasher Pro spam category breakdown for June 30 - July 6, 2008. Spam amounted to 51% of incoming email this week.

Other filters: (See my MWP Filters page)	23.08%
"Opera Mail" Spam from Russia (Enlargement herbals):	17.31%
Blacklisted Domains/Senders:	16.03%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals):	14.10%
Male enhancement spam (subject and body):	10.26%
"Apple Mail" Spam (Male Enhancement, etc):	6.41%
Counterfeit Watches:	3.85%
HTML Tricks:	3.85%
Pirated Software:	3.85%
DNS Blacklists:	0.64%
Bayesian learning filter:	0.64%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

Posted by Wiz at 2:00 PM | Permalink

back to top ^

On July 24, 2006, I wrote a technical article on my Blog titled: "Using Windows Task Scheduler to Check for/install AVG-Free Anti Virus Updates." It described a simple method end users can apply to cause the AVG Free 7.5 Updater file to run every hour, instead of just once a day.

Now it is the summer of 2008 and AVG Free is at version 8.0, with version 7.5 set for discontinuation on December 31, 2008. The AVG Free updater still only checks once per day, but the command that worked in the previous version also works in version 8.0, with some path and file name adjustments. (AVG paid versions do allow multiple daily updates and scans).

If you use AVG Free 8.x and want to have it check for updates on an hourly basis (or some other personal schedule), the information that follows will guide you through the process. I am writing this using Windows XP Professional, so these details may be different if you use Windows Vista.

You can find information about the new Task Scheduler for Windows Vista here (Microsoft MSDN), or at LifeHacker.com (lots of screen shots - JavaScript required).

First, open the Task Scheduler by clicking on Start > (All) Programs > Accessories > System Tools - and clicking on Scheduled Tasks. Double-click on the icon labeled "Add Scheduled Task." The Scheduled Task Wizard will open. Click Next. A list of installed programs will appear with a scroll bar on the right. Scroll down to see if AVG Free 8.0 (or such) is listed and highlight it if it is, then click Next. If AVG Free 8.0 (or 8.x) is not listed use the Browse button to locate it. The path to the updater executable should be: C:\Program Files\AVG\AVG8\avgupd.exe, with a default installation. If you have customized your installation your path or folder name may vary, but the file name is constant.

Once you locate the AVG updater executable, "avgupd.exe," highlight it and click Next. Type a name for this task in the top input field. I used "AVG 8 Updater." Select the "radio" option "Daily" and click Next. Select a start time and day, making sure you also select "Every Day," or "Weekdays," depending on your requirements (home or office).Click Next. Enter a User Name and Password, if you have one assigned to your logged in identity, then click Next. If you want to fine tune your options for the updater task check the box beside "Open advanced properties for this task when i click finish."

The Advanced Properties page is where you enable or disable the task, change the schedule, manage the power settings, and decide if you want to wake your computer to run the task.

Here are the settings I used in my AVG Free 8.0 Updater scheduled task:

Task tab
Task: AVG 8 Updater
Start in: "C:\Program Files\AVG\AVG8"
Run: "C:\Program Files\AVG\AVG8\avgupd.exe" /SCHED=

Schedule tab
Schedule Task: Daily - (set a start time) - (AM/PM)
Schedule Task Daily: Every 1 day
Advanced button on Schedule Task
Check mark in "Repeat Task"
Every: 1 hours
Duration: 24 hours

Settings tab
Scheduled Task Completed: Stop the task if it runs for: 1 hour
Power Management: Check box for "Wake the computer to run this task" (NOT recommended for hourly tasks)

Make any other setting changes you want, then click Apply, then OK.

Also, under the Security tab, make sure that your logged in identity is allowed to run the task, if you are not an Administrator. If you run Windows 2000 or XP Professional you can make your daily browsing account a Power User and add yourself to the Backup Operators Group. This allows you to schedule and run backups and other tasks.

You can learn about protecting your Windows PC by running as a reduced privileges user, on my Blog article: Limited User Privileges Protect PCs From Adware, Rootkits, Spyware and Viruses, or on my FAQs page titled: Windows 2000 and XP User Account Privileges Explained.

Posted by Wiz at 2:06 PM | Permalink

back to top ^

Mozilla Foundation has announced that sometime in December 2008 all updates and support for Firefox 2.x browsers will come to an end. After that only version 3.x will receive updates. The following notice is posted on the downloads page for Firefox 2.x browsers.

Firefox 2.0.0.x will be maintained with security and stability updates until mid-December, 2008. All users are strongly encouraged to upgrade to Firefox 3.

This gives the authors of the various add-ons, extensions, plug-ins and themes 6 months notice to update their applications to be compatible with Firefox series 3 browsers.

Those of you who are staying with Firefox 2.0.0.x because you use add-ons that have not been updated for version 3.x will have to consider these options over the next few months.

1. Search for replacement add-ons that are compatible with Firefox 3.x and similar enough to our old ones to be suitable.
2. Try to force the new browser to use our old add-ons, using browser configuration hacks. This can have disastrous effects on browser stability if an add-on is truly incapable of working with the new security model or rendering engine. A few of these hacks are listed in my extended content, below.
3. Upgrade to Firefox 3, let it disable incompatible add-ons, then set it to check for updates to add-ons every time it searches for browser updates. This can be set in the browser Options, under Advanced > Update. This will slow the opening of the browser until the search has completed. Also, if an update is available you will have to interact with the notification box to install it, or skip it.
4. You can also check manually for updates to your add-ons (enabled or disabled) by going to the menu item Tools > Add-ons, then clicking "Find Updates." You will have the option of installing any updates, then restarting Firefox. The updates will not "take" until you restart (all instances of) the browser. If you had multiple tabs open when you click Restart they will all re-open when the browser restarts.

All of the add-ons and extensions for Firefox are written and maintained by volunteer authors and are available from the official Mozilla.org add-ons website. All add-ons list the author's website on record at the time the add-on was first submitted for approval. Sometimes these websites will have a newer version available than the Firefox website. So, if your add-ons are not yet updated to work in Firefox 3.x, visit the author's website to see if one is available there. Just be sure you use the author links found at https://addons.mozilla.org/en-US/firefox/ for your existing or new add-ons.

Unfortunately, some of the add-ons have been abandoned by their authors and are no longer being updated. While you may be able to hack their configuration codes to force them to install, be prepared for possible instability issues in Firefox, caused by incompatible add-ons forced into service.

Here are a couple of browser configuration hacks I have found that will force an out-dated add-on or extension to install into newer versions of Firefox than it was written for.

One method is to tell the browser to not test for add-on compatibility or search for updates. To do this you must alter two values in the browser's configuration utility; "about:config."

1. With Firefox 3 open, type this into the Address Bar: about:config


2. A notice will pop-up, warning you about the consequences of messing with the browser's configuration. If you really really want to do this, accept the notice (OK) and proceed at your own peril.


3. Go to the following settings in about:config, and change both to false by double-clicking them:


4. extensions.checkCompatibility


5. extensions.checkUpdateSecurity

Another method is to edit the install.rdf files in the downloaded add-on xpi files. First you must save your desired add-ons to your hard drive, rather than opening them in Firefox. To do this visit the official Mozilla Add-ons website. Type in the name, or partial name, of your existing or desired add-ons, then search through the results list until you find the add-on you want. There is an "Add to Firefox" button on the right side of each item in the add-ons list. Right-click on the button and select "Save Link As." Choose your preferred download folder, or your desktop and save each add-on to it. They will all end in the file type .xpi. Do not left-click on the button unless the add-on has already been updated to work in Firefox 3.x. This action would try to install the add-on, which will fail.

Once you have downloaded the add-on .xpi files you will need to open them for editing. They are really zipped files that can be expanded using Winzip, WinRar, Stuffit, 7zip, or a similar decompressor-expander application. If you don't possess an unzipping program you can perform a Google search to find one either for free, or at a price you can afford to pay.

Expand (unzip) the .xpi files, one at a time, locating the file named install.rdf. Open these files in Notepad, or your computer's default plain text editor. Find or search for a line that contains the word "maxVersion" and change the highest number to 3.0, or higher (to allow for incremental updates to Firefox). Most install.rdf files have a range of versions supported, as in 1.0 - 2.0. You would then change the 2.0 to 3.0 or 3.1, then click on File > Save. Close the edited file and allow it to merge back into the zipped file archive. I use Winzip successfully to edit .xpi files and recommend it to you. It just merges the edited file back into the archive, without changing any paths.

If your unzipping program does not offer to merge the altered file into the archive you will have to unzip all of the files to a new folder and allow it to re-create the sub-folders listed in the archive. Edit the install.rdf, then create a new archive of the whole ball of wax, keeping the folder structure, with a file name ending in .xpi. This can get complicated because there are files inside folder locations saved in the .xpi archives and they must be included in the updated archive.

Now, double click on each updated xpi file, one at a time, and if asked which application to use to open them, choose Firefox and allow Windows to remember your decision. Firefox will see the updated version of 3.x and should proceed to install your old add-ons. restart the browser to finish the installation.

There is no guarantee these add-ons will still function properly in Firefox 3.x, but it is worth a try. I would recommend doing this one at a time. Restart Firefox with the forced add-on and test it for function and stability. If the add-on works as it should and the browser doesn't act strangely, or crash, move on to the next one, and so on.

I have hacked several add-ons over the course of the life of Firefox and only a few have failed to work after being forced into service. But, a lot has changed under the hood of Firefox 3.x, so if a forced add-on works you are fortunate. If not, try to find a similar functioning add-on that is compatible with the new browser engine.

Posted by Wiz at 3:59 PM | Permalink

back to top ^

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on July 2, 2008:


Keyloggers (Keyloggers steal your typed logins and passwords)
+ Goldeneye

Malware (Includes fake anti-virus and anti-spyware programs, like VirusHeat and Vario and fake registry cleaners)
+ Fraud.Antivirus2008
++ MalwareProtector2008
+ Marketflip.FakeSearchAndDestroy
+ Win32.Agent.pz
+ Win32.BHO.je
++ Win32.VB.eu

PUPS (Possibly Unpopular Software or Unwanted Programs)
++ DAEMONToolsPro.Crack

Trojans (Includes 4 new or updated Zlob* Trojan detections)
+ CoolWWWSearch.hjg (5)
+ Smitfraud-C.MSVPS
+ Virtumonde.dll
++ Virtumonde.cls
++ Virtumonde.prx
++ Virtumonde.sdn (37)
+ Win32.Agent.arr
++ Win32.Agent.sfg
++ Win32.Autoit.p
++ Win32.Flux.fm
++ Win32.Lotto
++ Win32.OnLineGames.es
++ Win32.Xema.bn
++ Zlob.Downloade.wet
+ Zlob.Downloader
+ Zlob.Downloader.pit
+ Zlob.Downloader.vdt

Total: 677387 fingerprints in 174120 rules for 4032 products !

False positive detections fixed this week:

Spybot blocked pcsleek.com in the HOSTS file and detected pcsleek free error scanner as malware, which it is not. This was fixed in the July 2, 2008 updates.

I have read several false positive reports from people still using the old version 1.3 of Spybot Search and Destroy. I must stress that you cannot trust this version to be 100% accurate when updated with current definitions. The engine in it is too old to understand the changes that have been made by both malware and the means of detecting it. If you are using any version older than 1.5.2, please upgrade to the current version of Spybot S&D.

If you get an alert about that detection for a file you think is legitimate you should submit it to Team Spybot for analysis.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans are constantly modified by it's maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4, I recommend that you update to 1.5.x, using the company links below.

There is a new version of Spybot S&D in the final phase of public beta testing, version 1.6. I understand that it scans for threats much faster than 1.5.2 does. You are welcome to download it and try it out if you wish (please report bugs to the developers). It is a prelude to the upcoming version 2.0 incarnation of Spybot Search and Destroy.

Some users are having problems with Spybot S&D updates when running as less privileged users (Limited or Power Users). First off, less privileged users can no longer apply most immunization rules from within their accounts, unless they use the "Run as" command to run the program as an administrator. Your solution is to first run the Spybot Updater, from your Start menu > Programs > "Spybot - Search & Destroy" > "Update Spybot-S&D." The updater is now a separate application. To avoid possible account corruption from the rootkit detections, run the Spybot Updater before you open the actual Spybot S&D program. Download all available updates from the best server location (I prefer the Safer Networking servers). Exit the updater after all definitions have been installed and green checkmarks are displayed for all updates.

After the updater has exited you can right-click on the shortcut to Spybot S&D and "Run As" an administrator, with your administrator account password (only if you login as a Limited or Power User). When the program opens you should immediately use the Immunize button to apply the level of protection you desire to the selectable applications. These typically include major browsers, domains, cookies, and the Windows HOSTS file. If you are an advertiser or publisher in an affiliate network be sure you exclude cookies for your affiliate programs that are in the detections list, or you'll have problems logging into your affiliate accounts. I have to exclude Commission Junction and Linkshare detections in both cookies, domains and HOSTS immunizations. Apparently, the authors of Spybot are down on advertising cookies and domains. Oh well (sigh).

Another problem being reported is when you run some versions of Spybot S&D it stops with a warning about problems including the file C:\Program Files\Spybot-Search_Destroy\Includes\TrojansC.sbi. The current errors with the Trojans.sbi and TrojansC.sbi files are caused by new detection rules that are incompatible with versions of Spybot prior to 1.5.2. These new detection rules use the new Anti-Rootkit plugins #1, #2 and #3 that only have been offered as updates to Spybot 1.5.2. If you upgrade to Spybot 1.5.2 you will not only eliminate the error messages but in also will be performing rootkit searches while doing a Spybot "Check for problems".

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as an individuals who benefits from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.

Posted by Wiz at 11:05 PM | Permalink

back to top ^

On July 1, 2008, Mozilla Foundation pushed out automatic and manual updates to its version 2 series Firefox browsers, bring the latest version number up to 2.0.0.15. The new version contain a dozen fixes ranging from low to critical. Five fixes are critical, four are high, two are moderate and one is low importance. Below is a list of the vulnerabilities fixed in Firefox 2.0.0.15.

Fixed in Firefox 2.0.0.15

MFSA 2008-33: Crash and remote code execution in block reflow
MFSA 2008-32: Remote site run as local file via Windows URL shortcut
MFSA 2008-31: Peer-trusted certs can use alt names to spoof
MFSA 2008-30: File location URL in directory listings not escaped properly
MFSA 2008-29: Faulty .properties file results in uninitialized memory being used
MFSA 2008-28: Arbitrary socket connections with Java LiveConnect on Mac OS X
MFSA 2008-27: Arbitrary file upload via originalTarget and DOM Range
MFSA 2008-25: Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
MFSA 2008-24: Chrome script loading from fastload file
MFSA 2008-23: Signed JAR tampering
MFSA 2008-22: XSS through JavaScript same-origin violation
MFSA 2008-21: Crashes with evidence of memory corruption (rv:1.8.1.15)

The release and installation notes, plus download links, are found here. If you already use Firefox version 2.x and have set the option to automatically check for and download updates, your update should await you now, or next time you open Firefox while connected to the Internet. If you prefer to do a manual update you can do it from your Firefox browser. Go to the menu item "Help" > "Check for Updates."

If you are still using Firefox 2.x you should obtain the update as soon as possible, to stay protected against the 12 attack vectors fixed in version 2.0.0.15. Better yet, you can upgrade all the way to the newest series, Firefox 3.x browser, here. Note, that if you use add-on extensions, many are still waiting to be updated by their authors, to be compatible with series 3 Firefox browsers, first released on June 17, 2008.

Posted by Wiz at 1:09 AM | Permalink

back to top ^