Wiz's Computer and Website Security Blog

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6.2 was just released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has an redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti malware engine in Spybot 1.6+ to effectively remove them.

Work is progressing rapidly on the upcoming version 2.0, of Spybot Search and Destroy. Stay tuned for more details as they are announced. Version updates are discussed in my extended comments.

Additions made on January 28, 2009:

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
++ Fraud.ISafeAntivirus
++ Fraud.MyFasterPC
+ Fraud.SpyProtector
+ Fraud.SpywareGuard2008
+ Rogue.IEAntivirus
++ Rogue.WinAntivir2008
+ SpywareQuake
++ Win32.Agent.zbr
+ Win32.Banker
+ WinWebSecurity

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
++ HotTV

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde
+ Virtumonde.Dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.cyt
+ Win32.Agent.fbx
++ Win32.Agent.wls
++ Win32.Iksmas.ai
++ Win32.Lager.bi
++ Win32.SdBot.ays
+ Zlob.DNSChanger
+ Zlob.Downloader
+ Zlob.Downloader.jot
++ Zlob.Downloader.rut
+ Zlob.Downloader.tfr
++ Zlob.RouterChanger

Total: 1307319 fingerprints in 373362 rules for 4544 products.

The domain "Spywareinfo.com" was recently added to the HOSTS file updates (for redirection to 127.0.0.1), because the domain name expired and was purchased by spammers or malware distributers, in December 2008. It is now advertising a fake Spybot Search & Destroy, fake security scans and various malware downloads. The new Spywareinfo malware removal forum is located at: http://www.spywareinfoforum.com/

In case you have noticed a slowdown in the scan times over the past few months, it's because the number of detection patterns used to detect malware has doubled since the release of Spybot S&D v1.6, in July 2008. Older versions of Spybot are no longer being updated and cannot deal with many of the new malware definitions and removal routines.

False positive detections reported or fixed this week:

There were no new false positives confirmed or fixed this week.

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.

Extended Comments

Malware Removal Guides

The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums.

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having out-dated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, due to the advanced heuristic rules now found in the newer definition files.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.2, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0. Also, the number of malware definitions has more than doubled between July and December, 2008.

Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites including Google. It attaches itself to the operating system using phony Browser Helper Objects (BHOs) and .dll files attached to the Winlogon process and Windows Explorer.

Work is progressing at a steady pace on Spybot S&D version 2.0, thanks to an army of volunteer beta testers. The upcoming version will be modularized, with separate executables carrying out different detection and immunization tasks now performed by the main program file. This is expected to speed up the scanning times, which is becoming more strenuous with the rapid increase in the number of detections being developed by Team Spybot.

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6.2, which is available through the update function integrated into the application as well as from the Spybot S&D download page. When version 2.0 is finally released you should follow the to-be-posted instructions and upgrade to that version.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

Some people are confused by detections of Wild Tangent on their computers. Wild Tangent is detected as a PUP, meaning Potentially Unwanted Program, because it does send home some identifiable information about you and your computer. It ships with various games and screen savers and is a means of funding those programs. If you knowingly installed Wild Tangent and aren't worried about it, and don't wish to have Spybot repeatedly display it in scan results, do the following: Right click the WildTangent Product in the Scan result and select to "Ignore the product from further searches."

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.

Posted by Wiz at 10:51 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Wow! Spam is down for another week, thanks to the efforts of some of our colleagues in the security field. Starting with the takedown of the colocation facility McColo, on November 11, 2008, levels of incoming messages MailWasher identified as spam have dropped dramatically. That company provided hosting space and maintenance for privately owned servers that were used by spammers to command and control spam-sending Botnets. Those spammers are rebuilding or replacing their Botnets as I type this, so let's not become complacent. In fact, I suspect that a huge new Botnet is currently being assembled, via the Conficker/Downadup Worm. More about this emerging threat will be in a forthcoming article.

Once again, with the main command and control servers being partially or fully offline, I urge all Windows computer owners and sys admins to install security applications that are capable of detecting SpamBot activity. Please do yourself a favor and protect your PCs against Bots with Trend Micro's free program called RUBotted.

Some of the top rated Internet security products now contain Bot detections and prevention components. These in include Symantec and Trend Micro Internet Security Suites. I wrote a blog article about detecting and removing Bots in December, 2008. You can also visit Microsoft's download center and grab a current copy of the Malicious Software Removal Tool and let it scan your computer for malware and Bots. It will remove any threats listed in the tool's database, which now include the widespread Conflicker/Downadup Worm. Microsoft has been at war with Botnets since September 2007 (when they took down much of the Storm Botnet) and has made a huge dent in their numbers. This tool is totally free and is updated once a month. It is regularly released on Patch Tuesdays.

Note, that I have re-enabled my pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. These two blacklist rules alone caught 52% of this week's spam!

MailWasher Pro spam category breakdown for Jan 19 - 25, 2009. Spam amounted to 22% of my incoming email this week.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.

Posted by Wiz at 2:13 PM | Permalink

back to top ^

If you are still browsing the Internet (and reading this) with Firefox 2.x, you need to know that support for it has ceased. Mozilla.org is no longer releasing any security updates to this line, which ended at version 2.0.0.20, in December 2008. With that final security update an existing security feature was disabled. Mozilla has turned off the anti-phishing filter built into Firefox browsers, from 2.0 up. This was done at the request of Google, who maintain the databases used by the phishing filter. However, the anti phishing filter is alive and well in the new series 3 Firefox browsers. For your continued security I recommend that you upgrade to Firefox 3.x as soon as possible.

If you have an older version of Firefox 2.x and the anti phishing filter is still enabled on it, I have bad news for you. On Monday, January 19, 2009, Google turned off the phishing website blacklist for Firefox 2.x browsers. Even though your browser may show the anti phishing filter as active its database is no longer being updated. This gives a false sense of security where none exists. Phishing websites typically have a useful life of between 3 days to two weeks, before they are reported and taken down by hosting providers or ISPs. If your anti phishing filter is not receiving regular updates you will be completely out-dated in a week or two. The websites in your blacklist will probably be inactive (as phishing sites), but newly discovered sites won't be added to your database.

You have some tough choice to make if you want to have Firefox browser protection against phishing attacks via compromised websites. If you choose to not upgrade to Firefox 3.x you should disable the setting "Tell me if the site I'm visiting is a suspected forgery" in the Security preferences section of Firefox 2.0's Options dialog box.

Here are your anti-phishing security options.

• Upgrade to Firefox 3.x which Google is supporting with new anti phishing updates (Recommended)


• Install the Netcraft Toolbar for Firefox


• Install the McAfee SiteAdvisor Toolbar for Firefox


• Install the Trend Micro Web Protection Add on (beta)


• Trend Micro Internet Security (PC-cillin)

Posted by Wiz at 2:55 PM | Permalink

back to top ^

Takeaway:
This article about (disabling) AutoPlay was supposed to be a sub-section in another article that I am composing about the Conficker/Downadup Worm, but in light of fresh information it has been promoted into its own article. If you already understand how AutoRun works skip down to the "Solution" section, in my extended comments.

AutoPlay is a long time feature included in all Windows operating systems from Windows 95 onward. It allows both data, video and music CDs and DVDs to start automatically when a pre-recorded disk is inserted into the player tray and the tray door is closed, which is a convenience for most users. With Windows XP onward when you insert a blank recordable disk into a media recorder a box will popup asking what you want to do. This is familiar stuff by now.

When you plug in a USB thumbdrive, camera memory module, external USB drive, Firewire disk, or map a network drive, one of two things usually happens. Normally, a box pops up asking what action you wish to take, with a default action highlighted. Most people usually choose to open these drives in a folder view and often select the option to remember that decision and not ask again. If they have selected that option the next time they plug in such a drive or module the device will automatically open as expected, without prompting.

When an external drive or device is plugged into your Windows PC and AutoPlay is on (which it usually is), a normally hidden file named Autorun.inf, in the root of that drive, can cause a program on the device to execute immediately. This is how setup programs run automatically when you insert a program installation disk. These Autorun.inf files are usually very small files, contain just a few lines of code, pointing to the setup executable, and are viewable in Notepad.

However, malware authors have begun exploiting this feature to spread their viruses and hostile programs to computers via removable drives and memory sticks, using the hidden AutoRun.inf to automatically run the Conficker/Downadup Worm's installation routine. This happens the moment that the device is plugged into an unpatched PC. This is one of the ways this Worm spreads in multi-computer environments. If an employee acquires the Conficker Worm while out of the office and then saves work documents to a thumbdrive, then plugs that drive into his or her work computer, the Worm can infect that computer, then attempt to infect the entire LAN!

To protect networks and standalone computers from becoming infected via removable drives that are infected various sources have recommended disabling the AutoPlay feature. Microsoft has entire pages devoted to this trick. Also, I have read details about fine tuning your AutoPlay restrictions so they only apply to removable drives, not CDs and DVDs. This all sounded like a good preventative measure until today, when I read Technical Cyber Security Alert TA09-020A, on the US-CERT website. That bulletin makes it clear that simply disabling AutoPlay via Group Policy or the recommended Registry hacks would NOT prevent infections via removable devices. This is because these hacks and workarounds do not address the problem that Autorun.inf is still parsed for instructions, which are then executed automatically, even if AutoPlay is turned completely OFF!

From the CERT bulletin:

The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file.

By placing an Autorun.inf file on a device, an attacker may be able to automatically execute arbitrary code when the device is connected to a Windows system. Code execution may also take place when the user attempts to browse to the software location with Windows Explorer.

Read my extended comments for solutions to this vulnerability.

Solution

Disable AutoRun in Microsoft Windows
Produced 2009 by US-CERT, a government organization.

To effectively disable AutoRun in Microsoft Windows, import the following registry value:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

To import this value, perform the following steps:

1. Copy the text
2. Paste the text into Windows Notepad
3. Save the file as autorun.reg
4. Navigate to the file location
5. Double-click the file to import it into the Windows registry

Microsoft Windows can also cache the AutoRun information from mounted devices in the MountPoints2 registry key. We recommend restarting Windows after making the registry change so that any cached mount points are reinitialized in a way that ignores the Autorun.inf file. Alternatively, the following registry key may be deleted:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Once these changes have been made, all of the AutoRun code execution scenarios described above will be mitigated because Windows will no longer parse Autorun.inf files to determine which actions to take. Further details are available in the CERT/CC Vulnerability Analysis blog. Thanks to Nick Brown and Emin Atac for providing the workaround.

Upon being notified about this continued vulnerability Microsoft has released a new article describing how to correctly disable AutoRun so it actually does what one wants it to do; not run automatically when a dive is inserted, or opened for viewing. There are patch available from Microsoft that must downloaded and install it manually. Methinks that they might be considering pushing them out in another out-of-cycle Windows Update (just speculating).

Note, that once you disable the parsing of Autorun.inf you will totally lose AutoPlay functionality on all drive types, including mapped drives. Audio and video media will no longer play automatically and programs will not begin their setup unless you open the drive to a folder view and locate the setup file. You can do this fairly easily by opening the drive to FolderView, unhide Hidden files to reveal Autorun.inf, then open that file in Notepad. The Action line will show you where the setup file is located and you can drill down to it manually, then (scan first for malware) run it.

I hope this helps you protect your computers and networks from unintended infections via thumbdrives or other removable media. I will post an article about the Conficker/Downadup Worm later.

Note: if you have a computer that is already infected you should take it offline. Buy a new thumbdrive that has the means of being rendered as Read Only (via a switch), or grab a CD-R disk and take it to an uninfected computer that has has MS09-067 patch installed (released out-of-cycle on October 23, 2008). Visit the Microsoft Malicious Software Removal Tool page and download the most current version to the thumbdrive or recordable CD. Also, try to download updates or setup packages for your installed anti-malware products, which may have been disabled by the Worm. If you save these things to a thumbdrive be sure to render it READ ONLY afterward. Failure to do so will result in the drive becoming infected with the Worm as soon as it is plugged into the infected PC.

Posted by Wiz at 11:29 AM | Permalink

back to top ^

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has an redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti malware engine in Spybot 1.6 to effectively remove them.

Work is progressing rapidly on the upcoming version 2.0, of Spybot Search and Destroy. Stay tuned for more details as they are announced. Version updates are discussed in my extended comments.

Additions made on January 21, 2009:

Adware
+ Win32.TrafficSol.c

Keyloggers
+ SCKeylogger
++ Win32.Keylogger.s

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
++ AntiSpamBastion
++ AstrumAntivirusPro
++ Fraud.eAntiSpy
+ Fraud.XPAntivirus
+ Win32.AOLPass.i

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ EuroGrand.Casino.PT

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.agent.jr
++ Win32.Banbra.hp
+ Win32.Iksmas.ai
+ Win32.Small.ay
++ Win32.Tibia.ci
++ Win32.VB.df
++ Win32.Xorer.dr
+ Zlob.DNSChanger
+ Zlob.Downloader
+ Zlob.Downloader.vet
+ Zlob.Downloader.wot
+ Zlob.VideoActiveXObject
+ Zlob.VideoCodec2007
+ Zlob.VideoKeyCodec

Total: 1278173 fingerprints in 365193 rules for 4531 products.

My entry for last week's definitions update went to the bitbucket due to the failure of my server, which had to be restored from a backup from a previous date. So, here are the Spybot S&D updates from January 14, 2009:

Malware
+ AdDestination + Fraud.AntiVirusTrigger + Fraud.PCHealth ++ Fraud.UltraAntivirus2009 ++ InternetAntivirusPro + RapidAntivirus ++ SpywareCease + Vcodec

Trojan
+ Virtumonde + Virtumonde.sci + Virtumonde.sdn ++ Win32.Banker.xe + Zlob.Downloader.miu

The domain "Spywareinfo.com" was recently added to the HOSTS file updates (for redirection to 127.0.0.1), because the domain name expired and was purchased by spammers or malware distributers, in December 2008. It is now advertising a fake Spybot Search & Destroy, fake security scans and various malware downloads. The new Spywareinfo malware removal forum is located at: http://www.spywareinfoforum.com/

In case you have noticed a slowdown in the scan times over the past few months, it's because the number of detection patterns used to detect malware has doubled since the release of Spybot S&D v1.6, in July 2008. Older versions of Spybot are no longer being updated and cannot deal with many of the new malware definitions and removal routines.

False positive detections reported or fixed this week:

There was a confirmed false positive heuristic detection of virtumonde.sdn in c:\windows\system32\ackpbsc.dll. This was first fixed on Jan 14, 2009, then again on January 21, 2009. The file is legitimate and is used by the built in camera on some HP laptop computers.

A confirmed false positive in Avira Premium Security Suite Firewall detected as Win32.Delf.qmw was fixed on Jan 14, 2009.

Finally, two confirmed false positives detected on the E-Sword CD were fixed with today's updates.

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.

Extended Comments

Malware Removal Guides

The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums.

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having out-dated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, due to the advanced heuristic rules now found in the newer definition files.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0. Also, the number of malware definitions has more than doubled between July and December, 2008.

Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites including Google. It attaches itself to the operating system using phony Browser Helper Objects (BHOs) and .dll files attached to the Winlogon process and Windows Explorer.

Work is progressing at a steady pace on Spybot S&D version 2.0, thanks to an army of volunteer beta testers. The upcoming version will be modularized, with separate executables carrying out different detection and immunization tasks now performed by the main program file. This is expected to speed up the scanning times, which is becoming more strenuous with the rapid increase in the number of detections being developed by Team Spybot.

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6, which is available through the update function integrated into the application as well as from the Spybot S&D download page. When version 2.0 is finally released you should follow the to-be-posted instructions and upgrade to that version.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

Some people are confused by detections of Wild Tangent on their computers. Wild Tangent is detected as a PUP, meaning Potentially Unwanted Program, because it does send home some identifiable information about you and your computer. It ships with various games and screen savers and is a means of funding those programs. If you knowingly installed Wild Tangent and aren't worried about it, and don't wish to have Spybot repeatedly display it in scan results, do the following: Right click the WildTangent Product in the Scan result and select to "Ignore the product from further searches."

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.

Posted by Wiz at 9:50 AM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Wow! Spam is down for another week, thanks to the efforts of some of our colleagues in the security field. Starting with the takedown of the colocation facility McColo, on November 11, 2008, levels of incoming messages MailWasher identified as spam have dropped dramatically. That company provided hosting space and maintenance for privately owned servers that were used by spammers to command and control spam-sending Botnets. Those spammers are rebuilding or replacing their Botnets as I type this, so let's not become complacent. In fact, I suspect that a huge new Botnet is currently being assembled, via the Conficker/Downadup Worm. More about this emerging threat will be in a forthcoming article.

Once again, with the main command and control servers being partially or fully offline, I urge all Windows computer owners and sys admins to install security applications that are capable of detecting SpamBot activity. Please do yourself a favor and protect your PCs against Bots with Trend Micro's free program called RUBotted.

Some of the top rated Internet security products now contain Bot detections and prevention components. These in include Symantec and Trend Micro Internet Security Suites. I wrote a blog article about detecting and removing Bots in December, 2008. You can also visit Microsoft's download center and grab a current copy of the Malicious Software Removal Tool and let it scan your computer for malware and Bots. It will remove any threats listed in the tool's database, which now include the widespread Conflicker/Downadup Worm. Microsoft has been at war with Botnets since September 2007 (when they took down much of the Storm Botnet) and has made a huge dent in their numbers. This tool is totally free and is updated once a month. It is regularly released on Patch Tuesdays.

Note, that I have re-enabled my pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. These two blacklist rules caught 26% of this week's spam!

MailWasher Pro spam category breakdown for Jan 12 - 18, 2009. Spam amounted to 24% of my incoming email this week.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.

Posted by Wiz at 3:13 PM | Permalink

back to top ^

Spam Spam Spam Spam Spam Spam Spam! That repetition of the word Spam comes from a comedy routine by Monty Python's Flying Circus, in 1970. They were referring to the canned cooked ham products that have been marketed by Hormel Foods since 1937. While canned Spam is still very much alive and well, so is another kind of so-called spam; unsolicited commercial email (UCE). This is the crap that contaminates email inboxes with all manner of junk promotions for fake pharmacies, counterfeit watches, pirated software, junk stocks, fake Viagra, bogus male enhancement products, fake diplomas, phishing scams, bogus loans and Nigerian 419 financial and lottery fraud scams. We call junk email spam, based on the Monty Python skit that abused the word by repeating it over and over again, to the point that it becomes obnoxious.

There are quite a few different types of email spam and my Spam Analysis articles categorize them according to what junk they are promoting. To do this I use a commercial email-screening program named MailWasher Pro. MailWasher Pro uses a combination of user configurable filters, blacklists, and a Bayesian learning filter to identify what the users of the program consider to be unwanted spam email. Once messages are identified as spam they are deleted manually or automatically, based on the users' preferences (I prefer automatic deletion). Normally, MailWasher identifies three categories of email: Friends, Known Spam (via a subscription service called FirstAlert!) and Blacklist. However, because the program allows users to create their own filter rules, it can label and categorize many different types of spam messages. I have created many custom MailWasher Pro filters to categorize and delete spam and I use the "Statistics" reports each weekend to share my findings with the rest of the World. You can learn more about MailWasher Pro here.

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Note, that the small percentage of reported spam is a recent development that began on November 11, 2008, with the takedown of the McColo server colocation hosting company. This company was allegedly turning a blind eye to illegal activities being conducted by spammers using servers hosted at the McColo facilities. Many of those servers were used by criminals to command and control the Botnets they owned. The compromised computers in those Botnets are used as zombie agents to send spam, scam and phishing emails, to launch DDoS attacks and to host hostile websites, all without the knowledge of the owners of those PCs.

MailWasher Pro spam category breakdown for Jan 5 - 11, 2009. Spam amounted to 12% of my incoming email this week.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.

Posted by Wiz at 1:31 PM | Permalink

back to top ^

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has an redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti malware engine in Spybot 1.6 to effectively remove them.

Work is progressing rapidly on the upcoming version 2.0, of Spybot Search and Destroy. Stay tuned for more details as they are announced. Version updates are discussed in my extended comments.

Additions made on January 7, 2009:

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Fraud.SpywareGuard2008
+ Smitfraud-C.
+ Win32.Bomka.r

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ MyWay.MyWebSearch

Spyware
+ WebCompass.Searchbar

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ IRC.crt
+ Virtumonde
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Delf.qmw
+ Zlob.Downloader

Total: 1320313 fingerprints in 372884 rules for 4518 products.

In case you have noticed a slowdown in the scan times over the past few months, it's because the number of detection patterns used to detect malware has doubled since the release of Spybot S&D v1.6, in July 2008. Older versions of Spybot are no longer being updated and cannot deal with many of the new malware definitions and removal routines.

False positive detections reported or fixed this week:

There is a confirmed false positive heuristic detection of "Win32.Sober" in the "conhost.exe" in beta versions of Windows 7. It will be fixed soon.

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.

Extended Comments

Malware Removal Guides

The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums.

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having out-dated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, due to the advanced heuristic rules now found in the newer definition files.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0. Also, the number of malware definitions has more than doubled between July and December, 2008.

Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites including Google. It attaches itself to the operating system using phony Browser Helper Objects (BHOs) and .dll files attached to the Winlogon process and Windows Explorer.

With the release of Spybot-S&D 1.6, Team Spybot has spent a lot of energy and man-hours implementing some new technologies to improve Virtumonde detections, increasing their detection range to more than 372,000 detection patterns to identify more than one million malware "fingerprints."

Work is progressing at a steady pace on Spybot S&D version 2.0, thanks to an army of volunteer beta testers. The upcoming version will be modularized, with separate executables carrying out different detection and immunization tasks now performed by the main program file. This is expected to speed up the scanning times, which is becoming more strenuous with the rapid increase in the number of detections being developed by Team Spybot.

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6, which is available through the update function integrated into the application as well as from the Spybot S&D download page. When version 2.0 is finally released you should follow the to-be-posted instructions and upgrade to that version.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

Some people are confused by detections of Wild Tangent on their computers. Wild Tangent is detected as a PUP, meaning Potentially Unwanted Program, because it does send home some identifiable information about you and your computer. It ships with various games and screen savers and is a means of funding those programs. If you knowingly installed Wild Tangent and aren't worried about it, and don't wish to have Spybot repeatedly display it in scan results, do the following: Right click the WildTangent Product in the Scan result and select to "Ignore the product from further searches."

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.

Posted by Wiz at 10:38 AM | Permalink

back to top ^

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

If you are reading this you have a computer, or smart phone. If you have a computer or smart phone you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

The overall volume of spam hitting my filters has dropped to very low levels not seen in years. This is due to the problems that Russian cyber criminals are having finding hosts for the servers used to issue command and control signals to their Botnets. This is a fluid situation, with spammers finding temporary hosts who come under pressure from security companies then terminate their connectivity. This has been going on since November 11, 2008. Currently, most spam is being sent via the resurrected Mega-D Botnet, which is famous for male enhancement spam.

Regarding the slowdown in Botnet sent spam, I keep a daily log and Monday, December 29 was the heaviest spam day, seconded by Friday, January 2. Obviously, the Russian Bot Masters are having a difficult time controlling or maintaining their zombie spambots and command and control servers.

The most prominent types of spam categorized this week were for imitations of brand name watches, followed by various pharmaceuticals, including Viagra from fake Internet pharmacies, bogus male enhancement crap, pirated software and some fake diploma spam. Many of these types of spam were caught by my Sender's Blacklist rules, like lin+met@+.de or kef+diz@+, thus, the Blacklist category usually rates fairly high in the results (when I active it).

MailWasher Pro spam category breakdown for December 29, 2008 - January 4, 2009. Spam amounted to 19% of my incoming email this week, with just 30 spam messages analyzed.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.

Posted by Wiz at 4:38 PM | Permalink

back to top ^