December 31, 2008

R.I.P. CastleCops

After about 6 years of existence, the long-time security website Castlecops.com has shut down operations, effective December 23, 2008. This comes about 6 months after the owner of the website left it in the hands of his deputies to pursue a security-based career at Microsoft. I was a member of CastleCops for a long, long time, handling anti-spam solutions in the MailWasher forum. I am sorry to see this valuable resource go away.

My thinking is that somebody will step up and offer a similar place for security minded people to gather and do their good work. It will cost a lot of money for redundant, failover hosting, and the servers will have to be robust, with huge pipes to the Internet. When CastleCops closed up shop they were still in the midst of an ongoing fund raiser to buy new servers. The existing equipment was simply overloaded to the point that the site would take minutes to change pages to various forums and search results. The databases were unbelievably huge.

If and when this hopeful re-emergence occurs you can rest assured that I and thousands of other former CastleCops volunteers will gather at the new site, to resume the good work of fighting phishing, scamming, spamming and malware threats. Until then, I continue to maintain my MailWasher Pro spam filter discussions on the new Firetrust MailWasher Forum. I post new MailWasher spam filter updates on my website and in the aforementioned Firetrust forum.

In the meantime you can learn about my preferred anti-spam solution, MailWasher Pro, or learn how to protect your websites from scammers, spammers and hackers using my .htaccess blocklists, or my iptables blocklists.

Still guarding the Castle against scammers and spammers, I remain your humble Wiz.


Spybot Search and Destroy Definitions Updated on 12/30/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or your personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Work is progressing rapidly on the upcoming version 2.0, of Spybot Search and Destroy. Stay tuned for more details as they are announced. Version updates are discussed in my extended comments.

Additions made on December 30, 2008:

Adware
++ IThink.SideSearch

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
++ Avrlabs
++ Fraud.Antivirus360
++ Fraud.WinDefender2009
+ IEDefender
+ SpywareBot.SpywareStop
+ Smitfraud-C.
+ Win32.TDSS.rtk
++ WinWebSecurity
+ WinSpywareProtect
++ WMVideoPlugin

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
++ Fraud.AntiVirusTrigger
++ ISearchTechnology.WinButler
+ Virtumonde
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.IEMon
+ Win32.Delf.oko
++ Win32.Agent.pi
++ Win32.Agent.sp
++ Win32.Agent.adb
++ Win32.Agent.fkl
++ Win32.Bankobao.b
+ Win32.Rungbu.a

Total: 1306995 fingerprints in 369046 rules for 4518 products.

In case you have noticed a slowdown in scan times over the past few months, it's because the number of detection patterns used to detect malware has doubled since the release of Spybot S&D v1.6, in July this year, to 369,046 detection patterns in this week's update.

False positive detections reported or fixed this week:

There is a confirmed false positive heuristic detection of "Darkonia" in zlib1.dll. This file is part of the external libraries required for Notepad++'s XML Tools. It has been fixed in the latest updates.

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.

Extended Comments

Malware Removal Guides

The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums.

If you are still using Spybot S&D 1.3 or 1.4, update support is about to end and your computer will be at greater risk because of outdated definitions. Furthermore, older versions of Spybot are known to report many false positives when fed the advanced heuristic rules now found in the newer definition files.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0. Also, the number of malware definitions has more than doubled between July and December, 2008.

Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites including Google. It attaches itself to the operating system using phony Browser Helper Objects (BHOs) and .dll files attached to the Winlogon process and Windows Explorer.

With the release of Spybot-S&D 1.6, Team Spybot has spent a lot of energy and man-hours implementing some new technologies to improve Virtumonde detections, increasing their detection range to more than 369,000 detection patterns to identify more than one million malware "fingerprints."

Work is progressing at a steady pace on Spybot S&D version 2.0, thanks to an army of volunteer beta testers. The upcoming version will be modularized, with separate executables carrying out the detection and immunization tasks now performed by the main program file. This is expected to shorten scan times, which have been growing with the rapid increase in the number of detections being developed by Team Spybot.

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6, which is available through the update function integrated into the application as well as from the Spybot S&D download page. When version 2.0 is finally released you should follow the to-be-posted instructions and upgrade to that version.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

Some people are confused by detections of Wild Tangent on their computers. Wild Tangent is detected as a PUP, meaning Potentially Unwanted Program, because it does send home some identifiable information about you and your computer. It ships with various games and screen savers and is a means of funding those programs. If you knowingly installed Wild Tangent and aren't worried about it, and don't wish to have Spybot repeatedly display it in scan results, do the following: Right click the WildTangent Product in the Scan result and select to "Ignore the product from further searches."

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.


December 28, 2008

My Spam analysis for December 22 - 28, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

The overall volume of spam hitting my filters has dropped to very low levels not seen in years. This is due to the problems that Russian cyber criminals are having finding hosts for the servers used to issue command and control signals to their Botnets. This is a fluid situation, with spammers finding temporary hosts who come under pressure from security companies then terminate their connectivity. This has been going on since November 11, 2008. Currently, most spam is being sent via the resurrected Mega-D Botnet, which is famous for male enhancement spam.

The most prominent types of spam categorized this week were for imitations of brand name watches, followed by various pharmaceuticals, including diluted Asian Viagra from fake Internet pharmacies, and some fake diploma spam. Many of these types of spam were caught by my Sender's Blacklist rules, like lin+met@+.de or kef+diz@+, thus, the Blacklist category usually rates fairly high in the results.

MailWasher Pro spam category breakdown for December 22 - 28, 2008. Spam amounted to 17% of my incoming email this week, with just 35 spam messages analyzed.


Counterfeit Watches: 24.24%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 21.21%
Viagra spam: 12.12%
Fake Diplomas: 9.09%
Known Spam Subjects (by my filters): 6.06%
Other filters: (See my MWP Filters page) 6.06%
HTML Tricks: 6.06%
Blacklisted Domains/Senders: (by pattern matching wildcard rules like: lin+met@+.de) 6.06%
Hidden ISO Subject: 3.03%
Known Spam Domains: (mostly pharmaceutical spam) 3.03%
Male enhancement spam (subject or body): 3.03%
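The wildcard Blacklist rules quoted above (lin+met@+.de, kef+diz@+) and the kind of percentage breakdown shown in the list can be reproduced outside MailWasher. The following is an added Python example, not code from MailWasher Pro or from the blog's published filter sets. It assumes, from the shape of those two rules, that + matches any run of characters (including none), that everything else in a rule is literal, that a rule must cover the whole bare From address or Subject, and that the first matching rule claims a message. The rule set and the six sample messages are constructed for the example.

```python
"""Sender/subject wildcard rules in the style of MailWasher Pro custom filters, plus the
per-category spam breakdown that a Statistics page reports.

Added example, not MailWasher's own filter engine. Assumptions, inferred from the page's
rules lin+met@+.de and kef+diz@+: '+' stands for any run of characters (including none),
everything else is literal, matching is case-insensitive and must cover the whole field,
and the first matching rule wins. The 'from' field is the bare address, not 'Name <addr>'.
"""
import re
from collections import Counter


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a '+' wildcard pattern into an anchored, case-insensitive regex.

    Anchoring is deliberate: without ^ and $ the rule lin+met@+.de would also fire on
    lindamet@mail.de.example.com and on any longer address containing that fragment.
    """
    pieces = (re.escape(p) for p in pattern.split("+"))
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


# (category, field the rule inspects, wildcard pattern); list order is rule precedence.
RULES = [
    ("Blacklisted Domains/Senders", "from", "lin+met@+.de"),
    ("Blacklisted Domains/Senders", "from", "kef+diz@+"),
    ("Counterfeit Watches", "subject", "+replica+watch+"),
    ("Viagra spam", "subject", "+viagra+"),
    ("Fake Diplomas", "subject", "+diploma+"),
]
COMPILED = [(cat, field, wildcard_to_regex(pat)) for cat, field, pat in RULES]


def classify(message: dict, rules=COMPILED):
    """Return the category of the first rule whose pattern matches its field, or None if
    no rule fires (the message is treated as legitimate)."""
    for category, field, regex in rules:
        if regex.match(message.get(field, "")):
            return category
    return None


def breakdown(messages, rules=COMPILED):
    """Return (spam as a percentage of all mail, {category: percentage of the spam}),
    both rounded to two decimals the way the Statistics page shows them."""
    hits = Counter(c for c in (classify(m, rules) for m in messages) if c)
    spam_total = sum(hits.values())
    spam_share = round(100 * spam_total / len(messages), 2) if messages else 0.0
    shares = (
        {cat: round(100 * n / spam_total, 2) for cat, n in hits.most_common()}
        if spam_total else {}
    )
    return spam_share, shares


# Constructed sample inbox for the example; none of these are real captured messages.
SAMPLE = [
    {"from": "lindamet@mail.de", "subject": "Hello"},
    {"from": "kefordiz@spamhost.ru", "subject": "Re: your order"},
    {"from": "shop@watches-cheap.example", "subject": "Replica watches - Rolex, Breitling"},
    {"from": "rx@pills.example", "subject": "Cheap VIAGRA no prescription"},
    {"from": "edu@degrees.example", "subject": "Your diploma in 2 weeks"},
    {"from": "colleague@example.com", "subject": "Meeting notes"},
]

if __name__ == "__main__":
    share, cats = breakdown(SAMPLE)
    print(f"Spam amounted to {share}% of incoming email")
    for cat, pct in cats.items():
        print(f"{cat}: {pct}%")
```

The part worth copying is the anchoring: a blacklist rule evaluated as a bare substring match would also catch legitimate senders whose address merely contains the fragment, and it would let a spammer's subdomain trick (mail.de.example.com) through as a "German" sender. Rule order matters too; a message from a blacklisted sender that also mentions Viagra is counted once, under the Blacklist category, which is why that category runs high in the weekly numbers.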

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted in in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam, as one might expect from unsubscribing, all it does is confirm that your email address is active, and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. (Blind Carbon Copy) instead of C.C. B.C.C. addresses are removed from the message before it is handed to the recipients, so nobody who receives it can see the rest of the list; the To field typically just shows "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.
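To make the B.C.C. point concrete, here is an added Python example (not code from the post or from any mail client) that builds a message with hidden recipients, lists the envelope recipients a mail server would actually deliver to, and shows that the Bcc header is removed from the copy that goes out on the wire. It assumes the sender puts their own address in the To field; the recipient addresses are constructed for the example.

```python
"""Bcc versus Cc: what the mail server delivers to, and what every recipient can read.

Added example using only the Python standard library. Assumption: the sender addresses the
message to their own address in To (many clients instead display 'Undisclosed Recipients'
when To is left empty). All addresses below are constructed for the example.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses


def build_message(sender: str, bcc: list[str], subject: str, body: str) -> EmailMessage:
    """Compose a message whose real recipients are all hidden in Bcc."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def envelope_recipients(msg: EmailMessage) -> list[str]:
    """Addresses the MTA must deliver to: the union of To, Cc and Bcc.

    This list goes into the SMTP envelope (RCPT TO), which is what smtplib.send_message
    builds from the same headers; it is never visible in the delivered message.
    """
    values = []
    for header in ("To", "Cc", "Bcc"):
        values.extend(str(v) for v in msg.get_all(header, []))
    return sorted({addr for _, addr in getaddresses(values) if addr})


def wire_message(msg: EmailMessage) -> str:
    """The headers and body actually transmitted.

    Bcc (and Resent-Bcc) must be stripped before sending. If a client forgets, every
    recipient receives the full hidden list, which recreates exactly the exposure that a
    long Cc list creates when one recipient's machine is running an address harvester.
    """
    copy = message_from_bytes(msg.as_bytes(), policy=policy.default)
    del copy["Bcc"]
    del copy["Resent-Bcc"]
    return copy.as_string()


if __name__ == "__main__":
    m = build_message("wiz@example.com", ["alice@example.org", "bob@example.net"],
                      "Chain letter", "Please forward.")
    print("Envelope recipients:", envelope_recipients(m))
    print("--- headers on the wire ---")
    print(wire_message(m))
```

The distinction the example draws is the one that matters for harvesting: delivery is driven by the envelope, which each recipient's server sees only for its own user, while the headers travel to everyone. Cc puts the whole list in the headers; Bcc keeps it in the envelope only.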


December 24, 2008

Spybot Search and Destroy Definitions Updated on 12/23/2008


Additions made on December 23, 2008:

Adware
++ Win32.Toolbar.World2

Hijackers
+ PrimeSoft.SafeSearch

Keyloggers (Keyloggers steal your typed logins and passwords)
+ PerfectKeylogger (2)
++ Redneck

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
+ BPS.Gen
++ BPSAntiSpywareGuard
++ BPSMalwareGuard
++ ExtraAntivir
+ FakeAlert.cc
+ FakeBill.CourtCologne
+ Fraud.AntivirusTrigger
++ Fraud.PerfectDefender
+ Fraud.VirusTrigger
++ NanoAntivirus
+ SaferSurfing
+ Smitfraud-C.
++ Win32.Agent.hc
+ Win32.Renos

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
++ Fake.HTML.BHO
+ Fraud.AntiVirusTrigger
++ GFailure.Girlfriend135
+ Virtumonde
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.arnx
+ Win32.Brontok.q
++ Win32.Delf.cof
++ Win32.Hider.i
+ Win32.Rays
+ Win32.TDSS.rtk
++ Win32.Tibia.dd
+ Zlob.Downloader
+ Zlob.Downloader.ol
+ Zlob.Downloader.vot
+ Zlob.Downloader.wot
+ Zlob.MovieCommander

Total: 1298391 fingerprints in 366315 rules for 4505 products.

In case you have noticed a slowdown in scan times over the past few months, it's because the number of detection patterns used to detect malware has doubled since the release of Spybot S&D v1.6, in July this year, to 366,315 detection patterns in this week's update.

False positive detections reported or fixed this week:

None reported this week!

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.


December 21, 2008

My Spam analysis for December 15 - 21, 2008


The most prominent types of spam categorized this week were for imitations of brand name watches, followed by pirated software, then for fake Viagra from the fake Canadian Pharmacy. Many of these types of spam were caught by my Sender's Blacklist rules, like lin+met@+.de, thus, the Blacklist category is tied for the top position.

MailWasher Pro spam category breakdown for December 15 - 21, 2008. Spam amounted to 18% of my incoming email this week, with just 49 spam messages analyzed.

Blacklisted Domains/Senders (pattern-matching wildcard rules like lin+met@+.de): 14.29%
Counterfeit Watches: 14.29%
Hidden ISO Subject: 10.20%
Viagra spam: 10.20%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc.): 10.20%
Known Spam Domains (mostly pharmaceutical spam): 8.16%
Other filters (see my MWP Filters page): 8.16%
Subject All Capitals or No Subject (Nigerian 419 and Lottery scams): 8.16%
Numeric IP to Trojan download: 4.08%
Blocked Countries, RIPE, LACNIC, APNIC: 4.08%
Money Transfer Scams: 4.08%
HTML Tricks: 2.04%
DNS Blacklists: 2.04%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.


December 17, 2008

Spybot Search and Destroy Definitions Updated on 12/17/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Work is progressing rapidly on the upcoming version 2.0, of Spybot Search and Destroy. Stay tuned for more details as they are announced. Version updates are discussed in my extended comments.

Additions made on December 17, 2008:

Hijackers
+ ISearchToolbar

Keyloggers (Keyloggers steal your typed logins and passwords)
+ ActMon-Pro
+ Ardamax

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AntiSpywareMaster
+ Fraud.PCProtectionCenter2008
+ FakeAlert.CC
+ Fraud.AntiVirusLab2009
+ Win32.PoisonIvy.j

Security
+ Microsoft.Windows.AppFirewallBypass
+ Microsoft.Windows.RedirectedHosts

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
++ PartnerBHO
++ RKdrv.rtk
+ Smitfraud-C.gp
+ Virtumonde
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.amwr
+ Win32.Agent.bxh
+ Win32.Agent.pz
+ Win32.Agent.sd
++ Win32.Banload.ihm
++ Win32.CeeInject.Ik
++ Win32.Ciadoor.cj
++ Win32.Delf.oko
++ Win32.Poison.cpb
+ Win32.RAdmin
+ Zlob.Downloader
+ Zlob.Downloader.apl

Worm
++ VBS.LoveLetter.aq2 (2)

Total: 1212991 fingerprints in 347101 rules for 4491 products.

In case you have noticed a slowdown in scan times over the past few months, it's because the number of detection patterns used to detect malware has doubled since the release of Spybot S&D v1.6 in July this year, to 347101 detection patterns in this week's update!

False positive detections reported or fixed this week:

There was a false positive report "WMDrive.sys" with Smitfraud-C, in c:\windows\system32\drivers\WMDrive.sys (189,952 bytes). This was fixed in today's F/P update.

There was a false positive detection of Smitfraud.C confirmed in a Zoom Modem file named "country.exe." This was fixed in today's F/P update.

There is a confirmed False Positive "Heuristic" detection of "Accoona" in several unwise.exe uninstaller files. It was fixed with today's F/P update.

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.

Extended Comments

Malware Removal Guides

The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums.

If you are still using Spybot S&D 1.3 or 1.4, update support is about to end and your computer will be at greater risk because of having outdated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, due to the advanced heuristic rules now found in the newer definition files.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0. Also, the number of malware definitions has more than doubled between July and December, 2008.

Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites including Google. It attaches itself to the operating system using phony Browser Helper Objects (BHOs) and .dll files attached to the Winlogon process and Windows Explorer.

With the release of Spybot-S&D 1.6, Team Spybot has spent a lot of energy and man-hours implementing some new technologies to improve Virtumonde detections, increasing their detection range to more than 347,000 detection patterns to identify more than one million malware "fingerprints."

Work is progressing at a steady pace on Spybot S&D version 2.0, thanks to an army of volunteer beta testers. The upcoming version will be modularized, with separate executables carrying out different detection and immunization tasks now performed by the main program file. This is expected to speed up scanning times, which are growing longer with the rapid increase in the number of detections being developed by Team Spybot.

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6, which is available through the update function integrated into the application as well as from the Spybot S&D download page. When version 2.0 is finally released you should follow the to-be-posted instructions and upgrade to that version.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

Some people are confused by detections of Wild Tangent on their computers. Wild Tangent is detected as a PUP, meaning Potentially Unwanted Program, because it does send home some identifiable information about you and your computer. It ships with various games and screen savers and is a means of funding those programs. If you knowingly installed Wild Tangent and aren't worried about it, and don't wish to have Spybot repeatedly display it in scan results, do the following: Right click the WildTangent Product in the Scan result and select to "Ignore the product from further searches."

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.


December 16, 2008

Microsoft to issue out-of-band patch for Internet Explorer

This article is in regard to Microsoft Security Advisory 961051: Vulnerability in Internet Explorer Could Allow Remote Code Execution, which was published on December 10, 2008 and last updated on December 15, 2008.

In the above Security Advisory Microsoft revealed that a critical vulnerability was reported in all versions of Internet Explorer, from version 5 through 8 Beta. There are already exploits in the wild compromising computers around the world, and the attacks seem to have begun in China. In fact, these exploits began occurring the same day the last Windows Updates were pushed out, making this a zero-day exploit. The exploit code is being hosted mostly on compromised Windows IIS web servers, where it was planted by exploiting SQL injection vulnerabilities that system administrators have not patched. From what I've been reading there are a lot of Windows-based servers that are not keeping up with critical patches!

The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.
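The bug class described above (an object freed while the array that refers to it keeps its old length, so a later walk reaches the dead object) is easier to see in a small C program. The following is an added example constructed for this page; it is a toy, not Internet Explorer's data-binding code, and the names Table, Node, release_unsafe and release_safe are invented for it.

```c
#include <stdlib.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed illustration of the bug class in the advisory: a table of
 * bound objects whose length is not updated when an object is released.
 * This is a toy, not Internet Explorer's data-binding code. */
typedef struct { int id; } Node;
typedef struct { Node **items; size_t len; } Table;

/* Allocate a table holding n nodes with ids 1..n. */
Table *table_new(size_t n)
{
    Table *t = malloc(sizeof *t);
    if (!t) abort();
    t->items = calloc(n, sizeof *t->items);
    if (!t->items) abort();
    t->len = n;
    for (size_t i = 0; i < n; i++) {
        t->items[i] = malloc(sizeof *t->items[i]);
        if (!t->items[i]) abort();
        t->items[i]->id = (int)i + 1;
    }
    return t;
}

/* The defect: the node is freed, but the table keeps the dangling
 * pointer and the old length, so any later walk reaches freed memory. */
void release_unsafe(Table *t, size_t i)
{
    free(t->items[i]);
    /* t->items[i] and t->len are deliberately left untouched */
}

/* Hardened release: unlink the slot first (swap-remove), shrink the
 * length, null the vacated tail slot, and only then free the node. */
void release_safe(Table *t, size_t i)
{
    Node *dead = t->items[i];
    t->items[i] = t->items[t->len - 1];
    t->items[t->len - 1] = NULL;
    t->len--;
    free(dead);
}

/* Consumer that walks every bound node, as a data-binding refresh would.
 * After release_unsafe this dereferences freed memory (a use-after-free);
 * after release_safe it only ever sees live nodes. */
long sum_ids(const Table *t)
{
    long s = 0;
    for (size_t i = 0; i < t->len; i++)
        s += t->items[i]->id;
    return s;
}

/* Invariant check: every slot below len holds a pointer and every slot
 * from len up to the original capacity has been cleared. */
bool table_consistent(const Table *t, size_t capacity)
{
    for (size_t i = 0; i < capacity; i++)
        if ((i < t->len) != (t->items[i] != NULL))
            return false;
    return true;
}

void table_free(Table *t)
{
    for (size_t i = 0; i < t->len; i++)
        free(t->items[i]);
    free(t->items);
    free(t);
}

/* End-to-end check of the safe path: true when lengths, slots and the
 * walk all agree after two releases from a four-entry table. */
bool release_safe_selfcheck(void)
{
    Table *t = table_new(4);              /* ids 1,2,3,4 */
    bool ok = sum_ids(t) == 10;
    release_safe(t, 1);                   /* drops id 2; id 4 moves into slot 1 */
    ok = ok && t->len == 3 && sum_ids(t) == 8 && table_consistent(t, 4);
    release_safe(t, 2);                   /* drops id 3, now the last live slot */
    ok = ok && t->len == 2 && sum_ids(t) == 5 && table_consistent(t, 4);
    table_free(t);
    return ok;
}
```

To watch the unsafe path fail, build with `cc -fsanitize=address` and call sum_ids after release_unsafe: the sanitizer reports the read of freed memory, which is exactly the "access the deleted object's memory space" condition the advisory describes.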

Users who operate from less privileged accounts will be less impacted than those operating as computer administrators. Also, using "Protected Mode" in Internet Explorer 7 and Internet Explorer 8 Beta 2 in Windows Vista limits the impact of the vulnerability.

Microsoft and other security sources have recommended several temporary workarounds to mitigate this vulnerability, including disabling automatic processing of ActiveX Controls in the Internet and Intranet zones. If you have ever changed the settings for ActiveX to "Prompt" you know that the browser will literally drive you nuts with pop-ups asking for permission to run an ActiveX Control. In these cases it is best to just disable ActiveX completely and wait for a patch to be released, then re-enable it. In any case, if you have applied any of the temporary workarounds listed in kb961051, you should undo them after applying the upcoming patch.

In response to the urgency of this vulnerability, Microsoft is releasing an "out-of-band" patch on December 17, 2008. This is the second unscheduled patch released this calendar year and both are in regard to zero-day exploits in the wild. If your computer is set to download and install Windows Updates automatically this will happen sometime on December 17. If you perform your Windows Updates manually, begin checking for "Express" updates during the afternoon (USA) of December 17, 2008. The official release time for the USA and Canada is 1 PM Eastern Standard Time, which is 6:00 PM or 18:00 hours GMT.

This patch may require you to restart your computer, and will definitely require you to restart Internet Explorer.

Computers that are protected with Trend Micro Internet Security or Security Pro are already protected against this "web threat." This is because those products include constantly updated protection from hostile codes in compromised (or purposely hostile) web pages.


December 14, 2008

My Spam analysis for December 8 - 14, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by category. Each built-in and user-created filter has a name, and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics with its percentage next to it. The percentages for the various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

The overall volume of spam hitting my filters has dropped to very low levels not seen in years. This is due to the problems that Russian cyber criminals are having finding hosts for the servers used to issue command and control signals to their Botnets. This is a fluid situation, with spammers finding temporary hosts who come under pressure from security companies then terminate their connectivity. This has been going on since November 11, 2008. Currently, most spam is being sent via the resurrected Mega-D Botnet, which is famous for male enhancement spam.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list every week or two. The most common types of spam this week are for fake diplomas, counterfeit watches and various pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex-oriented drugs. Spam for the fake "Canadian Pharmacy" remained strong as usual, but was surpassed again by spam caught by my "Hidden ISO Subject" filter. Most of the Hidden ISO spam is for imitation Viagra or ineffective male enhancement pills and patches. The hidden ISO or ASCII code in the Subject and From fields comes from a template used by a single spammer. You can be certain this person lives in the former Soviet Union.

"Canadian Pharmacy" and it's offshoot "Canadian Health and Care Mall" is a scam website, hosted unknowingly on hijacked (Botnetted) personal computers, or on bulletproof Chinese hosting servers owned by criminals in Russia. The prescription drugs and herbal remedies promoted by the fake Canadian Pharmacy come from a lab in India, named after a flower. Those prescription drugs are illegal to import into the US or Canada and may be seized by postal inspectors upon arrival.

The male enhancement spams are mostly leading to Botnetted computers hosting a web page touting VPXL, Power Gain Plus, Mega-Dick, or other bogus herbal enlargement formulas, all of which are scams. These male enhancement pills and patches are totally ineffective at permanently lengthening the male organ and may even be dangerous to your health.

MailWasher Pro spam category breakdown for December 8 - 14, 2008. Spam amounted to 16% of my incoming email this week, with just 42 spam messages analyzed.

Blacklisted Domains/Senders (pattern-matching wildcard rules like lin+met@+.de): 39.02%
Hidden ISO Subject: 17.07%
Viagra spam: 14.63%
Known X-Mailer Spam: 4.88%
Image Spam (for fake Internet pharmacies): 4.88%
Other filters (see my MWP Filters page): 4.88%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc.): 2.44%
Male enhancement spam (subject or body): 2.44%
Fake Diplomas: 2.44%
Counterfeit Watches: 2.44%
DNS Blacklists: 2.44%
Blocked Countries, RIPE, LACNIC, APNIC: 2.44%
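The sender-blacklist wildcard rule lin+met@+.de, which tops the Blacklisted Domains/Senders category in both the December 8 - 14 and the December 15 - 21 breakdowns, is a simple pattern language, and a matcher for it fits in a few lines. The C example below is added here; it is not MailWasher Pro code and not one of the published filter sets. It assumes, since the page does not spell out the syntax, that '+' stands for any run of zero or more characters and that matching is case-insensitive; the two rules other than lin+met@+.de are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>

/* Match one sender-blacklist rule against an address.
 * Assumption (the page does not document MailWasher's syntax): '+' matches
 * any run of zero or more characters, everything else is literal, and the
 * comparison is case-insensitive. Backtracking is exponential in the worst
 * case, which is harmless for inputs the length of an email address. */
bool rule_match(const char *pat, const char *addr)
{
    for (;;) {
        if (*pat == '+') {
            while (*pat == '+')                 /* collapse "++" into one wildcard */
                pat++;
            if (*pat == '\0')                   /* trailing '+' swallows the rest */
                return true;
            for (const char *a = addr; ; a++) { /* try every split point */
                if (rule_match(pat, a))
                    return true;
                if (*a == '\0')
                    return false;
            }
        }
        if (*pat == '\0')
            return *addr == '\0';
        if (*addr == '\0')
            return false;
        if (tolower((unsigned char)*pat) != tolower((unsigned char)*addr))
            return false;
        pat++;
        addr++;
    }
}

/* A small blacklist. The first rule is the one quoted in the text; the
 * other two are constructed examples, not rules from the published filters. */
static const char *const BLACKLIST[] = {
    "lin+met@+.de",
    "+@+.example",          /* constructed: any sender under a .example domain */
    "billing@scam.test"     /* constructed: one literal address */
};
static const size_t BLACKLIST_LEN = sizeof BLACKLIST / sizeof BLACKLIST[0];

/* Return the index of the first rule that matches the sender, or -1 when
 * no rule matches (the message would fall through to the other filters). */
int blacklist_lookup(const char *addr)
{
    for (size_t i = 0; i < BLACKLIST_LEN; i++)
        if (rule_match(BLACKLIST[i], addr))
            return (int)i;
    return -1;
}
```

Note that with this reading of '+', lin+met@+.de also matches linmet@foo.de (an empty run), so a rule meant to catch only addresses with something between "lin" and "met" would need a literal character in that position.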

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.


December 13, 2008

About computer Bots and how to detect and remove them

Computer "Bot"
Abbreviation for "robot." In this case a software robotic program.

A computer Bot is a remotely controlled malware program that is installed onto a computer without the knowledge or consent of the computer's owner. This type of program may have complete control over the operation of that computer and its Internet functions, but usually does not reveal its presence to the computer's owner or users, or try to interfere with the normal operation of that computer.

All Bots work in stealth mode, so as to prolong their useful lifetime on each computer they infect. Because Bots operate behind the scenes, sometimes as rootkits, special anti-malware tools are often needed to detect and remove them. Some Bots may even uninstall themselves if the computer or its Internet connection doesn't meet the minimum requirements set by the person running them.

When a Bot is installed onto a computer that computer will not only be remotely controlled, but will become an unwitting member of a network of similar Bots, known as a "Botnet." Bots are accumulated into Botnets by "Bot Herders" who rent the use of their remote controlled networks to spammers, scammers, phishers, political anarchists, hackers and even terrorists. A Botnet in action is under the remote command and control of a criminal known as a "Bot Master."

When a computer is first infected by a Bot it will perform certain pre-programmed routines, including "phoning home" to register itself on the Botnet it belongs to and to supply details about the computer onto which it is installed. Some of these details are about the operating system and amount of memory installed, the infected user's identity on the computer, the password for the Administrator account, what, if any security programs are installed, the type of Internet connection used and the IP address of both the computer and the modem (if different). It will then receive files to be consulted and used as it operates. It may also be given some means of protecting its own executables and auxiliary support files, to ensure its continued existence if it is detected by the owner.

Unless you are an expert in securing your computer and operate with reduced user privileges, you should be asking yourself: "am I botted?" Don't leave this question unanswered! Find out now! There are a variety of new, specialized security tools available that will detect and remove modern Bot infections. Some really good Bot detection tools are listed in my extended comments.

Once infected with a Bot, a computer will go through cycles of activity, followed by periods of inactivity, at the discretion of the Bot Master. Because Bots do not perform their hostile functions until they are so-commanded, they are also referred to as "Zombies." In this regard they act much like the "sleeper agents" written about in espionage novels about the Cold War. When awakened by remote command, the Bots, like sleeper agents, will do the evil they are programmed to do, then fall silent to await further instructions.

Botnets are controlled by several means, including IRC channels, peer-to-peer networked controller computers, and commercially hosted "Command and Control Servers."

Computers are infected with Bots through a variety of techniques, including hostile links in spam emails and instant messages, hostile JavaScript code embedded into web pages (with or without the knowledge of the website owners), trickery (Trojans - self infection) and social networking site exploits. Some of the tricks used to cause people to infect their own computers with Trojan Bots are phony e-cards and Postcards (a favorite of the Storm Botnet), links to view videos where you are informed that you are missing a required or updated Flash player or Codec, and fake security scans that trick you into installing fraudulent security programs to remove the non-existent infections revealed in the fake scan or alert.

There are several major Botnets currently in existence and operating. They have strange names like Srizbi, Rustock, Cutwail, Storm, Kraken, and Mega-D. Some of these Bots are programmed to detect other Bots and fight them off, while others will co-exist with rival Bots. Computers recruited into various Botnets are used to send spam emails, host malware executables and Trojans, host web pages used to commit identity theft (phishing), or promoting counterfeit goods or fake pharmacies, and sometimes to attack other computers, governments and organizations.

Find out if you are Botted

There are millions of computers infected with Bots, World-wide. I urge all of my gentle readers to scan their computers for evidence of Bot infections and have them removed as soon as possible. There are several specialized security tools available that keep up with the constantly changing "Bot-scape." Some go after nothing else and will co-exist with other security software, while others are part of security suites that should not be mixed with other such products. If you already have anti virus and anti spyware protection that you wish to keep, but would like to add a regularly updated application that specifically detects and removes Bots from your computer, Malwarebytes offers a stand-alone program named Malwarebytes Anti-Exploit. Anti-Exploit costs $24.95 for one year. It shields browsers and software programs from attacks that exploit vulnerabilities in their code.

Get Smart protection for your home network, covering up to 3 PCs for one low annual price. Trend Micro Titanium Internet Security protects your PCs from viruses, spyware, rootkits, hackers, spam and Bots, with very little load on your computer's resources. Buy Titanium Now!

If you can't afford to pay for security protection for your computer, there is a free downloadable application offered by Trend Micro, called RUBotted. It runs on Windows XP and newer computers, in your System Tray area (by the clock). RUBotted is a simple program whose only job is to look for evidence of a possible Bot infection running on the PC on which it is installed. It will flash and alert you if such an infection is detected, or suspected. You will be given the option of visiting the free Trend Micro "HouseCall" malware scanner service, which can not only detect, but also remove most malware it finds. If it can't remove the malware you will be given the option to download a trial version of Trend Micro Internet Security, which will get the job done!

Last, but not least, Microsoft provides a Malicious Software Removal Tool (MSRT), which is updated once a month and released on Patch Tuesdays. This tool is capable of detecting and removing any Bot it is programmed to detect. While it is good at doing its job (Microsoft claims to have destroyed the Storm Botnet with the MSRT), it is limited by having only monthly updates. This tool runs automatically once a month when you download and install your Windows Updates. Use the link above to read about and download the MSRT manually, from Microsoft. Validation is not required at this time, to download and run the MSRT.


December 10, 2008

Spybot Search and Destroy Definitions Updated on 12/10/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Work is progressing rapidly on the upcoming version 2.0, of Spybot Search and Destroy. Stay tuned for more details as they are announced. Version updates are discussed in my extended comments.

Additions made on December 10, 2008:

Adware
+ Win32.TrafficSol.c

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
+ AlphaWipe2008
+ AntiSpywareMaster
++ Fraud.AntiMalwareGuard
++ Fraud.AntiVirusSentry
++ Fraud.PersonalDefender
++ Fraud.SpyProtector
++ Fraud.SpywareGuard2008
++ Fraud.VirusTrigger (4)
++ Fraud.WinDefender (5)
+ IEDefender
+ Smitfraud-C.
+ Smitfraud-C.MSVPS
++ TracksFree
++ Win32.Adload.db
+ Win32.VB.ck
+ Zlob.Downloader

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
++ AdAtoms.MyCentria
+ MyWay.MySearch

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
++ MegaUploadToolbar

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
++ Dropper.Agent.apfv
+ Refpron
+ Virtumonde
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.amwr
+ Win32.Agent.ark
++ Win32.Agent.clk
+ Win32.Agent.xv
+ Win32.Autoit
++ Win32.AutoRun.dfs
++ Win32.AutoRun.va
+ Win32.Bagle.A
+ Win32.Bagle.E
+ Win32.Bagle.F
+ Win32.Bagle.G
+ Win32.Bagle.H
+ Win32.Brontok (2)
+ Win32.Delf.rtk
++ Win32.GrayBird.aj
++ Win32.Hidden.RTK
+ Win32.TDSS.rtk
+ Zlob.Downloader.sit

Total: 1208743 fingerprints in 345764 rules for 4472 products.

In case you have noticed a slowdown in the scan times over the past few months, it's because the number of detection patterns used to detect malware has doubled since the release of Spybot S&D v1.6, in July this year, to 345,764 detection patterns in this week's update!

False positive detections reported or fixed this week:

There was a confirmed false positive heuristic only detection of "Win32.ActiveKeyLogger" in a common, legitimate uninstaller file named, "Unwise.exe." Normal scans show the file is clean. This was fixed in today's updates.

A false positive detection of Beast in files with the .bst extension was fixed today.

A False positive detection of Sumom.a was fixed today. The file containing it was the AltNet adware component of Kazaa.

There is a confirmed False Positive "Heuristic" detection of "Accoona" in several unwise.exe uninstaller files. It will be fixed with later updates.

A False Positive has been confirmed in the following: Win32.Agent.bzs: C:\WINDOWS\system32\userinit.exe. It has been fixed in today's F/P update.

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.

Extended Comments

Malware Removal Guides

The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums.

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having outdated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, due to the advanced heuristic rules now found in the newer definition files.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0. Also, the number of malware definitions has doubled between July and December, 2008.

Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites including Google. It attaches itself to the operating system using phony Browser Helper Objects (BHOs) and .dll files attached to the Winlogon process and Windows Explorer.

With the release of Spybot-S&D 1.6, Team Spybot has spent a lot of energy and man-hours implementing some new technologies to improve Virtumonde detections, increasing their detection range to more than 343,000 detection patterns to identify more than one million malware "fingerprints."

Work is progressing at a steady pace on Spybot S&D version 2.0, thanks to an army of volunteer beta testers. The upcoming version will be modularized, with separate executables carrying out different detection and immunization tasks now performed by the main program file. This is expected to speed up the scanning times, which is becoming more strenuous with the rapid increase in the number of detections being developed by Team Spybot.

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6, which is available through the update function integrated into the application as well as from the Spybot S&D download page. When version 2.0 is finally released you should follow the to-be-posted instructions and upgrade to that version.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you log in after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

Some people are confused by detections of Wild Tangent on their computers. Wild Tangent is detected as a PUP, meaning Potentially Unwanted Program, because it does send home some identifiable information about you and your computer. It ships with various games and screen savers and is a means of funding those programs. If you knowingly installed Wild Tangent and aren't worried about it, and don't wish to have Spybot repeatedly display it in scan results, do the following: Right click the WildTangent Product in the Scan result and select to "Ignore the product from further searches."

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.

December 7, 2008

My Spam analysis for December 1 - 7, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

The overall volume of spam hitting my filters has dropped to very low levels not seen in years. This is due to the problems that Russian cyber criminals are having finding hosts for the servers used to issue command and control signals to their Botnets. This is a fluid situation, with spammers finding temporary hosts who come under pressure from security companies then terminate their connectivity. This has been going on since November 11, 2008.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common types of spam this week are for fake watches and various pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. Spam for the fake "Canadian Pharmacy" remained strong as usual, but was surpassed again by spam caught by my "Hidden ISO Subject" filter. Most of the Hidden ISO spam is for Indian Viagra or ineffective male enhancement pills and patches. This hidden ISO or ASCII command in the Subject and From fields is from a template used by a particular Bot Master for his Botnet. You can be certain this person lives in the former Soviet Union.

"Canadian Pharmacy" and its offshoot "Canadian Health and Care Mall" are scam websites, hosted unknowingly on hijacked (Botnetted) personal computers, or on bulletproof Chinese hosting servers owned by criminals in Russia. The prescription drugs and herbal remedies promoted by the fake Canadian Pharmacy come from a lab in India, named after a flower. Those prescription drugs are illegal to import into the US or Canada and may be seized by postal inspectors upon arrival.

The male enhancement spams are mostly leading to Botnetted computers hosting a web page touting VPXL, Power Gain Plus, or other herbal enlargement formulas, all of which are scams. Male enhancement pills are totally ineffective and may even be dangerous to your health.

MailWasher Pro spam category breakdown for December 1 - 7, 2008. Spam amounted to 10% of my incoming email this week, with just 27 spam messages analyzed.


Blacklisted Domains/Senders: (by pattern matching wildcard rules like: lin+met@+.de) 26.92%
Hidden ISO Subject: 15.38%
Fake Diplomas: 11.54%
Image Spam: (for fake Internet pharmacies) 11.54%
Male enhancement spam (subject or body): 7.69%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 7.69%
Counterfeit Watches: 7.69%
Joe Job Bounces: 7.69%
Subject All Capitals: (Nigerian 419 and Lottery scams) 7.69%
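As an added illustration (not the author's MailWasher filters, whose exact rule format I do not have), here is a small Python categoriser that applies rules of the kinds named in this breakdown to a constructed mailbox and tallies a Statistics-style percentage table. It assumes that `+` in a rule such as lin+met@+.de stands for any run of characters, and that the "hidden ISO" trick is an RFC 2047 encoded-word in the Subject or From line.

```python
"""Toy re-creation of the filter categories a MailWasher Pro Statistics page
reports. Added example, not MailWasher code; the '+' wildcard meaning and the
sample messages are constructed assumptions."""
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed sender blacklist in the wildcard style quoted above
# (assumption: '+' matches any run of characters).
BLACKLIST_RULES = ["lin+met@+.de", "+@replica-+.ru"]


def wildcard_to_regex(rule):
    """Turn 'lin+met@+.de' into an anchored, case-insensitive ^lin.*met@.*\\.de$."""
    pieces = [re.escape(piece) for piece in rule.split("+")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def is_blacklisted(address, rules=BLACKLIST_RULES):
    return any(wildcard_to_regex(rule).match(address) for rule in rules)


# RFC 2047 "encoded word": the hidden charset declaration in Subject/From that
# the author's "Hidden ISO Subject" filter keys on (assumption about its form).
ENCODED_WORD = re.compile(r"=\?[\w-]+\?[BQ]\?[^?\s]*\?=", re.IGNORECASE)


def has_hidden_iso(header_value):
    return bool(header_value) and bool(ENCODED_WORD.search(header_value))


def subject_all_caps(subject, min_letters=8):
    """Flag subjects written entirely in capitals (419 and lottery scam style)."""
    letters = [c for c in subject if c.isalpha()]
    return len(letters) >= min_letters and all(c.isupper() for c in letters)


def classify(raw_message):
    """First rule that fires names the category, so the shares add up to 100%."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")          # raw header, encoded words intact
    sender_header = msg.get("From", "")
    sender = parseaddr(sender_header)[1]
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()
    if is_blacklisted(sender):
        return "Blacklisted Domains/Senders"
    if has_hidden_iso(subject) or has_hidden_iso(sender_header):
        return "Hidden ISO Subject"
    if subject_all_caps(subject):
        return "Subject All Capitals"
    if "canadian pharmacy" in body or "canadian health and care mall" in body:
        return 'Fake "Canadian Pharmacy" spam'
    if "replica" in body and "watch" in body:
        return "Counterfeit Watches"
    return "Clean"


def breakdown(raw_messages):
    """Return (spam share of all mail, {category: share of spam}) in percent,
    rounded to two decimals like the Statistics page does."""
    categories = Counter(classify(m) for m in raw_messages)
    spam_total = sum(n for cat, n in categories.items() if cat != "Clean")
    spam_share = round(100.0 * spam_total / len(raw_messages), 2) if raw_messages else 0.0
    per_category = {cat: round(100.0 * n / spam_total, 2)
                    for cat, n in categories.items() if cat != "Clean"}
    return spam_share, per_category


# Constructed sample mailbox: four spam messages and one legitimate one.
SAMPLE_MAILBOX = [
    "From: linmet@mailhost.de\nSubject: cheap meds\n\nbuy now\n",
    "From: Sales <sales@shop.example>\nSubject: =?ISO-8859-1?B?VmlhZ3Jh?=\n\nhi\n",
    "From: claims@lotto.example\nSubject: YOU HAVE WON THE UK LOTTERY\n\ncontact us\n",
    "From: friend@example.org\nSubject: Re: your order\n\nCanadian Pharmacy #1 online\n",
    "From: alice@example.org\nSubject: Lunch tomorrow?\n\nSee you at noon.\n",
]

if __name__ == "__main__":
    share, table = breakdown(SAMPLE_MAILBOX)
    print(f"Spam amounted to {share}% of incoming email")
    for cat, pct in sorted(table.items(), key=lambda kv: -kv[1]):
        print(f"{cat}: {pct}%")
```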

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.
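To make the CC versus BCC point concrete, this added Python example (not from the original post) builds the same forward both ways and lists the addresses that anyone holding the delivered message can read from its headers; the sender and friends' addresses are constructed.

```python
"""Added example: the same forward written with Cc and with Bcc, and what each
exposes in the delivered headers. Addresses are constructed samples."""
import re
from email import message_from_string
from email.message import Message

ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _base_message(sender, subject, body):
    msg = Message()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_payload(body)
    return msg


def forward_with_cc(sender, recipients, subject, body):
    """The careless forward: every recipient is written into the Cc header."""
    msg = _base_message(sender, subject, body)
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    return msg.as_string(), list(recipients)


def forward_with_bcc(sender, recipients, subject, body):
    """The safe forward: the header carries an empty group ('Undisclosed
    Recipients') and the real list lives only in the SMTP envelope, which is
    returned separately and never written into the message."""
    msg = _base_message(sender, subject, body)
    msg["To"] = "Undisclosed Recipients:;"
    return msg.as_string(), list(recipients)


def recipient_addresses_in(message_text):
    """Addresses readable from To/Cc/Bcc by anyone (or anything) holding the mail."""
    msg = message_from_string(message_text)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return sorted({addr for header in headers for addr in ADDRESS.findall(header)})


# Constructed sample data.
SENDER = "me@example.org"
FRIENDS = ["alice@example.org", "bob@example.net", "carol@example.com"]

if __name__ == "__main__":
    cc_text, _ = forward_with_cc(SENDER, FRIENDS, "Fwd: funny", "chain letter")
    bcc_text, envelope = forward_with_bcc(SENDER, FRIENDS, "Fwd: funny", "chain letter")
    print("Cc forward exposes:", recipient_addresses_in(cc_text))
    print("Bcc forward exposes:", recipient_addresses_in(bcc_text))
    print("Bcc envelope recipients (server only):", envelope)
```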

December 3, 2008

Spybot Search and Destroy Definitions Updated on 12/3/2008

Spybot Updates - published every Wednesday

Additions made on December 3, 2008:


Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
+ FakeAlert.cc
+ Fraud.VirusResponseLab2009
+ Fraud.AntiVirusLab2009
+ Fraud.XPAntivirus
+ Fraud.Antivirus2008
+ IEDefender
+ Smitfraud-C.
++ SpywareGuard2008
+ WinSpywareProtect

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
++ Keenfinder
+ MyWay.MySearch
++ StaffCop

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
++ GSearchTB.QuickAccessToolbar

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ BackOrifice2k
++ NVideoSupport
+ Pigeon
+ Smitfraud-C.MSVPS
++ Tsearch.msn
+ Virtumonde
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.amwr
+ Win32.Agent.ll
++ Win32.Agent.bzs (2)
++ Win32.Agent.cid
++ Win32.Agent.cso
+ Win32.Agent.sd
++ Win32.AutoRun.abt (2)
+ Win32.Bandok
+ Win32.Brontok
++ Win32.Brontok.ab
++ Win32.Drefir.a
+ Win32.Exchanger.ch
++ Win32.Hidden.RTK
++ Win32.KeySave
+ Win32.TDSS.rtk
+ Win32.Webdir.b
++ Wot32

Total: 1199581 fingerprints in 343003 rules for 4445 products.

In case you have noticed a slowdown in the scan times over the past few months, it's because the number of detection patterns used to detect malware has doubled since the release of Spybot S&D v1.6, in July this year, to 343,003 detection patterns in this week's update!

False positive detections reported or fixed this week:

There was a confirmed false positive heuristic only detection of "Win32.ActiveKeyLogger" in a common, legitimate uninstaller file named, "Unwise.exe." Normal scans show the file is clean. This will be fixed in later updates, possibly tomorrow, or next week. In the meantime, if you run a heuristic scan of a folder and Spybot flags unwise.exe, it may be a false positive, so don't quarantine the file. Do scan the directory or file with your anti-virus scanner, or an online virus scanner. If you allow files with this name to be deleted and they were not in fact hostile, you will be unable to uninstall that program later on.

Several other possible false positives are currently under review. Sometimes a F/P update is released out of cycle, so check back over the next few days for additional definition updates for Spybot S&D.

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.

December 1, 2008

Srizbi Spam Botnet goes offline again!

On November 26, 2008, I wrote an article concerning the "Srizbi" Botnet coming back to life, following the shutdown of its Command-and-Control servers (C&C) at McColo, Inc. This happened because the Russian criminals running the Srizbi Botnet, thought to number over 450,000 PCs, were able to lease servers from a web hosting firm in Estonia, to which they uploaded the C&C software. Once these servers came online the zombie computers making up the Botnet army were able to contact the servers and receive new instructions and spam templates. This resulted in a 10% increase in the volume of spam I saw last week, over the previous week (following the C&C servers at McColo being shut down).

Well, starting on Sunday night, November 30, 2008, I noticed another sudden decline in the amount of spam that was detected, classified and deleted by my spam filtering program, MailWasher Pro. This decline continues today, Monday, December 1, 2008. There is virtually no significant amount of spam arriving in any of my accounts. Being curious, I did a little investigating and learned that the people running the Estonian ISP Starline Web Services, which temporarily hosted the Command-and-Control servers for the Srizbi botnet, have cut off those servers. This followed complaints from Estonia's Computer Emergency Response Team (CERT) and threats of total disconnection by the companies who supply the Internet IP connections to that ISP, and others in Estonia.

Note that the ISP that was temporarily hosting the Srizbi C&C machines gets its IP addresses and Internet connectivity from a hosting company named Compic, which is known to CERT as a company that has been friendly to criminals who host malware on their websites. Many complaints have been filed with Compic concerning illegal activities by their customers, conducted on their servers and those of their downstream resellers. Reference.

Most of my readers are more concerned about repelling spam, than tracing it. I have written many articles offering filtering solutions involving MailWasher Pro, as well as website email filters that can be applied by people whose websites are hosted on cPanel control panels and Linux/Apache based servers. Just look in my recent posts links, in the right sidebar, or search this blog for the keywords "spam filters." But I seem to have overlooked one area of this spam-demic that deserves mentioning now. That area is your own computers and what unknown spam applications and scripts may be running on them.

The question every computer owner should be asking themselves, or their IT personnel, is: "Am I Botted?" What I mean by this is that every computer owner needs to scan for the presence of Bot infections on their PCs. Any operating system can become invaded by a Bot infection, either as an invisible rootkit or a visible process. Each OS will have tools available to its administrators to test for the presence of hostile applications (e.g. Snort). However, the rest of this article and the recommendations in it are meant for Windows based computer owners.

If you are using a Windows based computer you are the primary target for Botnet infectors! Hello! Accept this fact and learn to deal with it in a proactive way. Assume that "they" are out to get you, because it is a fact that a large percentage of Windows computers contain unpatched vulnerabilities that are relatively easily exploited. These vulnerabilities may have already had patches released by Microsoft, or the writers of third party software that is exploitable, but you may not have applied all of the available patches and updates. Therefore, the first thing any Windows computer owner should do is to visit Windows Updates, via Internet Explorer's menu item: Tools > Windows Update, or using the Start Menu Windows Update link. Click the Express button and let Microsoft search for all applicable security updates for your PC, then install every single one of them. Reboot as instructed, then go back to Windows Update and repeat the process, until there are no more critical or important updates listed.

All versions of Windows Vista contain a two way firewall that should block unauthorized incoming connection attempts and alert you to unauthorized outgoing connection attempts. Windows XP starting with Service Pack 2 turns on the built-in Windows Firewall, but it only protects against incoming connection attempts. Make sure that your Windows Firewall is not disabled, unless you are using a third party security application that has a two way firewall. Running a PC without a working firewall is like leaving the doors to your house open during an ongoing home invasion crime spree. A thinking person would install security door locks during such times of criminal activity. If you don't have the Windows Firewall running make sure a third party firewall is fully operational!

With a firewall in place you are protected against hostile attacks coming in "over the wires," as TCP and UDP vulnerability probes that try to connect to open "ports" on your computer. A good firewall blocks unwanted connection attempts.

Your next concern should be to make sure you are protecting your computer against downloaded malware threats. This is taken care of by anti spyware and anti virus programs that contain "resident" protection components. There are a lot of well known anti virus and anti spyware programs available from this website (see my ads) and others, or even at your local department stores selling computer software. However, having tested, or received input from others who tested, the various Internet security "suites", I can unhesitatingly recommend Trend Micro Internet Security to you. Formerly known as PC-cillin, this security suite detects, removes and protects against viruses, spyware, keyloggers, rootkits, Trojans, Bots and hostile codes on compromised web pages. The 2009 version has moved the latest detection definitions and databases to secure servers owned by Trend Micro. They call this "in-the-cloud security." This reduces the load it places on your computer by keeping a smaller definitions database on your PC and then reaching out to the Cloud servers to see if a file or web page is in their constantly updated list of known infections or hostile pages.

Trend Micro Internet Security is a commercial application, as well it should be. The company employs lots of real people in several countries, with families to feed, and they work day and night to detect and analyze new threats to your security and rush out definition updates to the Cloud. But, you can try the program for free for a month! Hopefully, it works as well for you as it does for me and most of my friends.

If you can't afford to pay for security protection for your computer, there is a free downloadable application offered by Trend Micro, called RUBotted. It runs on Windows 2000 and newer computers, in your System Tray area (by the clock). RUBotted is a simple program whose only job is to look for evidence of a possible Bot infection running on the PC on which it is installed. It will flash and alert you if such an infection is detected, or suspected. You will be given the option of visiting the free Trend Micro "HouseCall" malware scanner service, which can not only detect, but also remove most malware it finds. If it can't remove the malware you will be given the option to download a trial version of Trend Micro Internet Security, which will get the job done!
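The three checks above (no Critical or Important updates pending, Windows Firewall on or a third-party firewall registered, anti-malware protection present) can be answered from the machine itself. The script below is an added, read-only self-check written for this page, not something from the original post or from Trend Micro; it assumes Windows Vista or later, PowerShell 3.0 or later, English netsh output, and a client edition of Windows (the Security Center namespace is absent on Windows Server).

```powershell
# Added self-check (not from the original post). Assumes Vista or later,
# PowerShell 3.0 or later, and a client edition of Windows.

function Get-PendingSecurityUpdates {
    # Query the same catalogue Windows Update uses for updates that are not yet
    # installed, keeping only those Microsoft rates Critical or Important.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software'")
    foreach ($update in $result.Updates) {
        if (@('Critical', 'Important') -contains $update.MsrcSeverity) {
            [pscustomobject]@{ Severity = $update.MsrcSeverity; Title = $update.Title }
        }
    }
}

function Get-WindowsFirewallState {
    # netsh prints a "State  ON|OFF" line under each profile heading (English text assumed).
    $current = $null
    foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^\s*(\w+) Profile Settings:') { $current = $Matches[1] }
        elseif ($line -match '^\s*State\s+(ON|OFF)') {
            [pscustomobject]@{ Profile = $current; Enabled = ($Matches[1] -eq 'ON') }
        }
    }
}

function Get-SecurityCenterProducts {
    # Third-party firewall and anti-malware products register themselves here.
    foreach ($class in 'FirewallProduct', 'AntiVirusProduct', 'AntiSpywareProduct') {
        Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Kind = $class; Product = $_.displayName } }
    }
}

# Report: the article's three questions, answered from the local machine.
$pending = @(Get-PendingSecurityUpdates)
if ($pending.Count -gt 0) {
    "Critical/Important updates still pending: $($pending.Count)"
    $pending | Format-Table -AutoSize
} else {
    "No Critical or Important updates are pending."
}
foreach ($fw in Get-WindowsFirewallState) {
    if ($fw.Enabled) { "$($fw.Profile) profile: Windows Firewall is ON" }
    else { "$($fw.Profile) profile: Windows Firewall is OFF; confirm a third-party firewall is active" }
}
Get-SecurityCenterProducts | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; an empty Security Center table together with an OFF profile is exactly the unprotected state the post warns about.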

By applying suitable computer security applications you can prevent your computers from inadvertently becoming members of the Srizbi Botnet, or any other Botnet. The computers in these Botnets are senders of most of the World's spam. They also host most of the landing pages for fake pharmacies (like the fake Canadian Pharmacy), or host hostile executable downloads, or exploit codes, used to force other visitors to join the same Botnet. By keeping your computers free of Bot infections you are contributing to the fight against spam and scammers.


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.