May 31, 2009

My Spam analysis for May 25 - 31, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

The volume of spam coming to my various honeypots and user accounts has been steadily increasing over the past month. This is due to the activity of various wounded spam Botnets coming back to life (after the takedown of McColo), or new ones like the Russian Cutwail Botnet, being pressed into service. The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake Canadian Pharmacy, which sells illicit and counterfeit pharmaceuticals, Nigerian 419 scams, fake watches and Viagra, "stud" tips and male enhancement scams (same websites). I also saw an increase in Australian banking phishing scams this week.

See my extended comments for this week's breakdown of spam by category, for May 25 - 31, 2009, and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for May 25 - 31, 2009. Spam amounted to 16% of my incoming email this week. This represents a 4% increase from last week.
"Other filters": (See my MWP Filters page) 34.09%
Blacklisted Domains/Senders (e.g: kef+diz@+): 11.36%
Known Spam Domains: 6.82%
Known X-Mailer Spam: 6.82%
Phishing Scams: 6.82%
Male Enhancement Patches, etc: 6.82%
Hidden ISO or ASCII Subject: 4.55%
Nigerian 419 Scams: 4.55%
Casino Spam: 4.55%
Viagra or Cialis Spam: 4.55%
Diploma Scams: 4.55%
Known Spam in From or Body: 4.55%
The latest additions to my custom MailWasher Pro filters include updates to the Bank Phishing, Known Spam Domains, Known Spam [F or B], Viagra [B], Casino and Nigerian 419 Scam filters, plus the addition of a "Stud Tips" filter. The Stud Tips website also promotes various fake male enhancement solutions, much like the fake Canadian Pharmacy sites.
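To show how a breakdown like the one above comes out of an ordered set of filter rules, here is a small Python script. It is an added illustration, not MailWasher Pro's code: the category names come from these weekly posts, but the filter rules, the blacklist entries, the sample messages, and the reading of "+" as a wildcard in a blacklist entry such as "kef+diz@+" are all assumptions made for the example.

```python
"""Toy re-creation of the weekly MailWasher-style category breakdown.

Added example, not MailWasher Pro's own code. The category names are taken
from the weekly breakdowns in these posts; the filter rules are constructed
stand-ins for the custom filters, and every message below is made up.
Assumption: in a blacklist entry such as "kef+diz@+" the "+" is a wildcard
for any run of characters, so it is translated to the regex ".*".
"""
import re
from collections import Counter
from typing import Optional

# Constructed blacklist entries written in the same "+"-wildcard style.
BLACKLIST = ["kef+diz@+", "+@example-spamdomain.test"]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Turn a '+' wildcard pattern into an anchored, case-insensitive regex."""
    body = ".*".join(re.escape(part) for part in pattern.split("+"))
    return re.compile(rf"^{body}$", re.IGNORECASE)


BLACKLIST_RE = [wildcard_to_regex(p) for p in BLACKLIST]


def has_hidden_subject(subject: str) -> bool:
    """'Hidden ISO or ASCII Subject': an RFC 2047 encoded word or raw non-ASCII text."""
    return subject.startswith("=?") or any(ord(ch) > 127 for ch in subject)


def has_numeric_ip_link(body: str) -> bool:
    """'Numeric IP Link': a URL whose host is a bare IPv4 address."""
    return re.search(r"https?://\d{1,3}(?:\.\d{1,3}){3}", body) is not None


# Ordered filter list: the first rule that fires names the category, which is
# why the posts talk about moving filters up or down the list.
FILTERS = [
    ("Blacklisted Domains/Senders",
     lambda m: any(rx.match(m["from"]) for rx in BLACKLIST_RE)),
    ("Phishing Scams",
     lambda m: re.search(r"verify your account|account (?:has been )?suspended",
                         m["body"], re.I) is not None),
    ("Numeric IP Link", lambda m: has_numeric_ip_link(m["body"])),
    ("Hidden ISO or ASCII Subject", lambda m: has_hidden_subject(m["subject"])),
    ("Fake Canadian Pharmacy spam",
     lambda m: re.search(r"canadian pharmacy", m["subject"] + " " + m["body"], re.I) is not None),
    ("Zip, RAR, or GZ Hostile Attachment",
     lambda m: any(a.lower().endswith((".zip", ".rar", ".gz")) for a in m["attachments"])),
]


def classify(message: dict) -> Optional[str]:
    """Return the first matching category, or None for mail that passes every filter."""
    for name, test in FILTERS:
        if test(message):
            return name
    return None


def breakdown(messages: list) -> tuple:
    """Return (spam share of all mail in %, {category: share of spam in %}),
    rounded to two decimals the way the pie chart reports them."""
    counts = Counter()
    for m in messages:
        category = classify(m)
        if category is not None:
            counts[category] += 1
    spam_total = sum(counts.values())
    spam_pct = round(100.0 * spam_total / len(messages), 2) if messages else 0.0
    shares = {k: round(100.0 * v / spam_total, 2) for k, v in counts.items()} if spam_total else {}
    return spam_pct, shares


# Constructed sample mail: seven spam messages and three legitimate ones.
MESSAGES = [
    {"from": "kefauzdiz@spammer.test", "subject": "Hello", "body": "Buy now", "attachments": []},
    {"from": "kef_diz@other.test", "subject": "Hi again", "body": "Buy now", "attachments": []},
    {"from": "alerts@bank.test", "subject": "Notice", "body": "Please verify your account today.", "attachments": []},
    {"from": "promo@shop.test", "subject": "Special offer", "body": "Visit http://203.0.113.7/offer", "attachments": []},
    {"from": "news@list.test", "subject": "=?ISO-8859-1?B?U3BhbQ==?=", "body": "see inside", "attachments": []},
    {"from": "rx@meds.test", "subject": "Canadian Pharmacy summer sale", "body": "cheap pills", "attachments": []},
    {"from": "billing@corp.test", "subject": "Invoice", "body": "see attached", "attachments": ["invoice.zip"]},
    {"from": "alice@friends.test", "subject": "Lunch tomorrow?", "body": "Noon works for me.", "attachments": []},
    {"from": "bob@work.test", "subject": "Meeting notes", "body": "Attached as PDF.", "attachments": ["notes.pdf"]},
    {"from": "ci@build.test", "subject": "Build passed", "body": "All green at https://build.test/job/42", "attachments": []},
]


if __name__ == "__main__":
    pct, shares = breakdown(MESSAGES)
    print(f"Spam amounted to {pct}% of incoming mail")
    for name, share in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"{name}: {share}%")
```

The order of the list matters, which is the reason the posts mention moving filters up or down: a message is counted once, under the first rule that matches it, so a cheap and precise rule placed high up keeps the more general rules from claiming its mail.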

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.


May 27, 2009

Spybot Search and Destroy Definitions Updated on May 27, 2009

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on May 27, 2009, as listed below. Some fake security programs and rootkits were added to the latest definitions.

Updating Spybot Search and Destroy

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my extended comments, along with the description of the latest definition updates and false positive fixes.

Immunizing and scanning with Spybot S&D

With the program updated, it is time to open the main program interface, using either the Start Menu link or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, Hosts, or Domains as you see fit, then click on the Immunize button (the one with the green cross) above the right panel. Sometimes Spybot immunizes against cookies and domains that you may actually want to visit. If you suddenly find you cannot log in, or cookies are missing, you can undo the most recent Immunizations, then uncheck the desired items and re-immunize. Websites added to your Windows HOSTS file during immunization will be blocked completely, so if your preferred websites are blocked by Spybot S&D you may need to edit that file in Notepad (saving it as HOSTS, without any extension) or uncheck it from immunization.
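If a site you rely on is among the names Spybot wrote into HOSTS, the script below lists the blocked names and comments out the lines for the ones you trust rather than deleting them. It is an added Python example, not part of Spybot S&D; the HOSTS content in it is constructed, and on a real PC you would read and write %SystemRoot%\System32\drivers\etc\hosts as an Administrator and keep the file name HOSTS with no extension.

```python
"""Find and disable Spybot-style HOSTS immunization entries for sites you trust.

Added example; it is not part of Spybot S&D. The HOSTS content below is
constructed. On a real machine the file lives under
%SystemRoot%\\System32\\drivers\\etc, must be edited as Administrator and
has to be saved as HOSTS with no extension. Immunization lines map a
hostname to a blackhole address (127.0.0.1 or 0.0.0.0), which blocks the
site completely; this helper comments those lines out for the names you
trust instead of deleting them, so the change is easy to reverse.
"""

BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0"}

# Constructed sample HOSTS file in the layout Spybot S&D uses (marker comments
# around its block of entries). The .test names are made up. CRLF endings
# because Windows wrote the file.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    "127.0.0.1       localhost\r\n"
    "# Start of entries inserted by Spybot - Search & Destroy\r\n"
    "127.0.0.1 ads.example-tracker.test\r\n"
    "127.0.0.1 www.example-shop.test\r\n"
    "0.0.0.0 malware.example.test\r\n"
    "# End of entries inserted by Spybot - Search & Destroy\r\n"
)


def _fields(line):
    """Whitespace-separated fields of a HOSTS line, with any comment removed."""
    return line.split("#", 1)[0].split()


def blocked_hosts(hosts_text):
    """Map every blackholed hostname (other than localhost) to the address it points at."""
    blocked = {}
    for line in hosts_text.splitlines():
        fields = _fields(line)
        if len(fields) >= 2 and fields[0] in BLACKHOLE_ADDRS:
            for name in fields[1:]:
                if name.lower() != "localhost":
                    blocked[name.lower()] = fields[0]
    return blocked


def unblock(hosts_text, trusted):
    """Comment out blackhole lines naming any host in `trusted` (case-insensitive).

    Returns (new_text, list_of_unblocked_names). Line endings are preserved,
    so a CRLF file written by Windows stays a CRLF file.
    """
    wanted = {t.lower() for t in trusted}
    out, unblocked = [], []
    for line in hosts_text.splitlines(keepends=True):
        fields = _fields(line)
        hits = [n.lower() for n in fields[1:] if n.lower() in wanted] if fields else []
        if hits and fields[0] in BLACKHOLE_ADDRS:
            out.append("# " + line)  # disabled, but still on record
            unblocked.extend(hits)
        else:
            out.append(line)
    return "".join(out), unblocked


if __name__ == "__main__":
    print("blocked:", blocked_hosts(SAMPLE_HOSTS))
    new_text, names = unblock(SAMPLE_HOSTS, ["www.example-shop.test"])
    print("unblocked:", names)
    print(new_text)
```

Commenting the line out instead of deleting it keeps a record of what Spybot blocked, and the next immunization run will simply add the entry again if you have not also unchecked it in the Immunize list.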

After immunizing against unwanted items you should click on the Search & Destroy icon on the left, then click "Check for problems" on the right side. It will take several minutes, or longer, to scan all your files for known threats and, using heuristics, possible threats, unless you disable heuristics in the program's Advanced Mode > Settings. When the scan completes, anything listed in the definition databases will be listed in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, then right-click on the item name and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

If you want to learn more about using the program, the complete Spybot S&D FAQs are found here.

Additions to malware definitions made on May 27, 2009:

Adware
+ Netpumper
+ WhenU.Search.BrowserToolbar

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ SpywareCease (fake anti spyware scanner)

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
++ MSMcr.cn
++ PanWeiIPR.cn
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.bleh
++ Win32.AutoRun.aho
+ Win32.Poison.pg
+ Win32.Rootkit.gen
++ Win32.Small.fpc
+ Win32.TDSS.clt
+ Win32.TDSS.gen
+ Win32.TDSS.rtk

Total: 1420974 fingerprints in 485874 rules for 4676 products.

False positive detections reported or fixed this week:

PerfectUninstaller was detected as a PUP (potentially unwanted program). It was supposed to have been removed from detection with the 2009-05-20 update, after the vendor reverted the changes PerfectUninstaller made to the visibility of hidden files; it was finally removed from detection with the May 27 detection update.

Additional Information about Spybot S&D and links

Spybot Search and Destroy has always been and continues to be free (although they do accept donations from grateful users!). If you clicked on a download link that claimed to be for Spybot S&D and found that you were required to pay to use the program, you have been tricked. Get out of there right now and go to the real Spybot S&D website, then download the authentic version. If you installed a fake version you may be infected, so update the real one and scan for malware.

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti-malware engine in Spybot 1.6+ to effectively remove them. If you are using any version older than 1.6.2 you are strongly advised to uninstall it and install the newest version. It is advisable to undo all immunizations before uninstalling Spybot S&D, then redo them after updating signatures for the new version.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.

Finally, if you have opted to use the Spybot "Tea Timer" realtime monitor, you need to know that it has been subject to a lot of false positives recently. Most have occurred since the Tea Timer module was updated to version 1.6.6 a few months ago. Check with the Spybot S&D False Positives Forum before allowing Tea Timer to permanently delete any files. Further, just in case, tell it to save the deleted files so you can restore them after obtaining definition updates. If you cannot wait for updates to be released, tell Tea Timer to ignore the problem files, if they are known to be falsely flagged.


May 24, 2009

My Spam analysis for May 18 - 24, 2009

I am still seeing a greatly reduced amount of spam, possibly due to me being white-listed by spammers, trying to avoid my honeypots, or because of troubles spammers might be having controlling their Botnets. Nonetheless, the types of spam I am getting are most likely the same types you are getting, just in a different quantity. The classifications can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake Canadian Pharmacy, which sells illicit and counterfeit pharmaceuticals, spam for unsubstantiated Acai Berry weight loss remedies and the usual male and female enhancement scams. I also saw an increase in bank Phishing scams this week.

See my extended comments for this week's breakdown of spam by category, for May 18 - 24, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for May 18 - 24, 2009. Spam amounted to 12% of my incoming email this week. This represents a 2% increase from last week.
Fake Canadian Pharmacy spam: 31.82%
Counterfeit Watches: 13.64%
Exploit Link: 9.09%
Numeric IP Link: 9.09%
Other filters: (See my MWP Filters page) 9.09%
Male Enhancement Patches, etc: 4.55%
Phishing Scams: 4.55%
Pills: 4.55%
Breast Enlargement Scams: 4.55%
Hidden ISO or ASCII Subject: 4.55%
Nigerian 419 Scams: 4.55%
The latest additions to my custom MailWasher Pro filters include updates to the Canadian Pharmacy, Male Enhancement [Body], Bank Phishing and Known Spam Domains filters, plus the addition of a filter for the "Ow.ly URL Shortener" that is being used by spammers. I also moved some filters down the list to let more efficient ones identify the current types of spam.


May 22, 2009

Vulnerabilities roundup for May 18 - 22, 2009

Takeaway

This week has been a headache for the major web software vendors, especially Red Hat Linux and other distributions. Windows users are being targeted by highly critical vulnerabilities in Winamp and Quicktime. Mac users are affected by a flaw in Calendar Objects for Java. So far, between May 18 and 22 there have been at least 85 vulnerability advisories reported by the security investigators at Secunia, 17 of which are rated as "highly critical." I counted at least 7 SQL flaws that can be or are being exploited to inject hostile redirection codes into websites.

Windows Vulnerabilities

On 5/18/09, Secunia reported an unpatched flaw in Winamp 5.x that can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused by the use of vulnerable libsndfile code. Successful exploitation may allow execution of arbitrary code. The vulnerability is confirmed in version 5.552, but other versions may also be affected. Since this vulnerability is currently unpatched, the best advice is to not open untrusted files in Winamp.

A highly critical vulnerability was reported in Apple QuickTime 7.x, on 5/22/09, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error in the processing of "0x77" tags within PICT images, which can be exploited to cause a heap-based buffer overflow when the user opens a specially crafted PICT image or visits a malicious web site. This flaw is new and unpatched, so you are advised to not browse untrusted web sites, or open PICT files from untrusted sources.

Read about the vulnerabilities affecting other operating systems and software in my extended comments.

Microsoft Internet Information Services (IIS) WebDAV Request Vulnerability

US-CERT is aware of public reports of a vulnerability affecting Microsoft Internet Information Services 6 (IIS6). Reports indicate that this vulnerability is due to improper handling of unicode tokens. Exploitation of this vulnerability may allow a remote attacker to bypass authentication methods, allowing an attacker to upload files to a WebDAV folder or obtain sensitive information. If you run Microsoft IIS servers, implementing the following workarounds will help mitigate the risks until a patch or update is available from Microsoft.

  • NTFS file ACLs will generally prevent the anonymous internet user from writing to an unauthorized area.

  • Disable WebDAV if it is not needed.

  • Administrators who are unable to disable WebDAV may be able to mitigate some risk by configuring their IDS to refuse external HTTP requests containing "Translate: f" headers.

Please note that disabling WebDAV may affect the functionality of other applications such as SharePoint. Microsoft has released Security Advisory 971492 to provide information about this vulnerability and its workarounds.
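Here is what the third workaround looks like as a check run over raw request headers, written as an added Python example rather than anything from the advisory or an IDS vendor. The request samples, the source addresses and the internal address ranges are constructed assumptions.

```python
"""Flag HTTP requests matching the IIS 6 WebDAV workaround above.

Added example; it is not part of the US-CERT advisory or of any IDS product.
The request heads and source addresses below are constructed, and the
"internal" address ranges are an assumption standing in for whatever your
own network uses. The check is the one the advisory suggests: refuse
external requests that carry a "Translate: f" header and, if WebDAV cannot
be disabled, keep an eye on external WebDAV traffic as well.
"""
import ipaddress

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Assumed internal ranges (RFC 1918 space plus loopback); replace with your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_request_head(raw):
    """Split an HTTP request head into (METHOD, target, {lower-cased header name: value})."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers


def has_translate_f(headers):
    """True when a Translate header is present with the value 'f' (name and value case-insensitive)."""
    return headers.get("translate", "").lower() == "f"


def is_external(src_ip):
    """True when the client address is outside the assumed internal ranges."""
    ip = ipaddress.ip_address(src_ip)
    return not any(ip in net for net in INTERNAL_NETS)


def assess(raw, src_ip):
    """'block' for an external request carrying Translate: f, 'review' for other
    external WebDAV requests, 'pass' for everything else. Internal clients are
    passed because Microsoft's own WebDAV clients send Translate: f in normal use."""
    method, _target, headers = parse_request_head(raw)
    if not is_external(src_ip):
        return "pass"
    if has_translate_f(headers):
        return "block"
    if method in WEBDAV_METHODS:
        return "review"
    return "pass"


# Constructed samples: 203.0.113.0/24 is the RFC 5737 documentation range,
# used here to stand for an outside address.
SAMPLES = [
    ("203.0.113.9", "GET /webdav/report.doc HTTP/1.1\r\nHost: files.example.test\r\nTranslate: f\r\n\r\n"),
    ("203.0.113.9", "PROPFIND /webdav/ HTTP/1.1\r\nHost: files.example.test\r\nDepth: 1\r\n\r\n"),
    ("10.0.0.5", "GET /webdav/report.doc HTTP/1.1\r\nHost: files.example.test\r\ntranslate: F\r\n\r\n"),
    ("203.0.113.9", "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
]


def scan(samples):
    """Return one verdict per (source address, raw request) pair."""
    return [assess(raw, src) for src, raw in samples]


if __name__ == "__main__":
    for (src, raw), verdict in zip(SAMPLES, scan(SAMPLES)):
        print(f"{src:15} {raw.splitlines()[0]:40} -> {verdict}")
```

The advisory scopes the refusal to external requests for a reason: Microsoft's own WebDAV clients send Translate: f as part of normal operation, so dropping the header for internal clients as well would break the same kind of traffic the SharePoint note above warns about. Header names are matched case-insensitively because HTTP treats them that way, which is also why a rule that only looks for the exact spelling "Translate: f" is easy to slip past.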

Vulnerabilities affecting other OSes

Mac OS X users are being targeted again, this time by a highly critical vulnerability in Calendar Objects for Java, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by an error in the de-serialisation of Calendar objects in Java for Mac OS X. This can be exploited to escape the Java sandbox and execute arbitrary code, e.g. when a user visits a web page containing a specially crafted Java applet. The vulnerability is confirmed in Mac OS X 10.5.7; other versions may also be affected. Until this is patched, Mac OS X users should disable Java applets in their browsers and disable 'Open "safe" files after downloading' in Safari.

Linux Vulnerabilities

I counted 28 new or updated vulnerabilities reported in various distributions of Linux, including 12 in Red Hat products alone. Ubuntu and Debian are also affected and are in need of security package updates. If you use Linux workstations (desktops) or servers you need to begin checking for updates this weekend. Ubuntu has already released a patch for the newly reported vulnerabilities, which affect all releases up to 9.04.

Applications were not left out of this week's vulnerabilities. I see at least 7 SQL Injection flaws in various web applications, including Coppermine Photo Gallery, DM File Manager and Drupal E-mail Verification.

Coppermine Photo Gallery Vulnerabilities

Coppermine has released an update, v1.4.23, to fix this flaw, so it is important that all users who run version cpg1.4.22 or older update to this latest version as soon as possible.

Drupal Vulnerabilities

The Drupal vulnerabilities are reported in versions prior to 5.x-2.1 and 6.x-1.2. They can be exploited by malicious people to conduct script insertion attacks and by malicious users to bypass certain security restrictions. If you administer a server that runs this software you should check with the Drupal Email Verification page to get an update.

DM FileManager "username" SQL Injection Vulnerability

A vulnerability has been reported in DM FileManager, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "username" parameter in login.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation requires that "magic_quotes_gpc" is disabled.

The vulnerability is reported in version 3.9.2. Other versions may also be affected.
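Below is the pattern the advisory describes, with the fix beside it, as an added Python example rather than DM FileManager's own code (the real application is PHP); the table and the account in it are constructed. Bound parameters remove the dependence on the magic_quotes_gpc quoting the advisory mentions, because the submitted values are never parsed as SQL at all.

```python
"""The "username" SQL injection pattern beside its fix.

Added example, not DM FileManager's code (the real application is PHP); the
table and the user row are constructed. The point is the one the advisory
makes: text from the login form is pasted into the query string, so a crafted
username changes the query's logic. The fixed version binds the values as
parameters, which does not depend on any quoting setting such as PHP's
magic_quotes_gpc. Passwords are stored in clear text only to keep the
example short; a real application stores a salted hash.
"""
import sqlite3


def make_db():
    """In-memory users table with one constructed account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """Builds the query by string formatting: the flaw class described above."""
    sql = (f"SELECT COUNT(*) FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return con.execute(sql).fetchone()[0] > 0


def login_fixed(con, username, password):
    """Parameterised query: the driver passes the values as data, never as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    """Return (vulnerable result, fixed result) for the same crafted username."""
    con = make_db()
    # Constructed probe: closes the quoted string and comments out the rest of the query.
    crafted = "' OR 1=1 --"
    return (login_vulnerable(con, crafted, "anything"),
            login_fixed(con, crafted, "anything"))


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print(f"string-built query let the crafted username in: {vulnerable}")
    print(f"parameterised query let the crafted username in: {fixed}")
```

With the string-built query the database sees a different statement than the programmer wrote; with the bound parameters it sees the same statement every time and the crafted text is just a username that happens not to exist.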

Spam Campaigns

Attacks against people using Google Searches and website owners continued this week, this time featuring the Cutwail Botnet. It is responsible for a substantial spam campaign promoting Acai Berry remedies and other useless drugs and herbal solutions. Some links lead to the fake Canadian Pharmacy websites that are unknowingly hosted on botnetted personal computers. Other links redirect hapless visitors to hostile web pages where exploits will be launched against their browsers and third party software. Unpatched versions of Adobe Reader and Flash are being targeted by these drive-by attacks.

Gumblar Malware Exploit Circulating

The so-called Gumblar exploit attacks have been on-going since March and are picking up steam this week. Gumblar has been described as "a Botnet of compromised websites" by security company ScanSafe. One of Gumblar's functions is to poison Google search results so that as many people as possible can be tricked into visiting Gumblar coded web pages.

According to this CERT Advisory, the first stage of this exploit attempts to compromise legitimate websites by injecting malicious code into them, usually via unsecured PHP scripts or SQL database exploits. Reports indicate that these website infections occur primarily through stolen FTP credentials, but sites may also be compromised through poor configuration settings or vulnerable web applications. The second stage of this exploit occurs when users visit a website compromised by Gumblar. Users who visit these compromised websites and have not applied updates for known PDF and Flash Player vulnerabilities may become infected with malware. This malware may be used by attackers to monitor network traffic and obtain sensitive information, including FTP and login credentials, that can be used to conduct further exploits. Additionally, this malware may also redirect Google search results for the infected user.

Browsing Security Best Practices

Obviously, if you are browsing the Internet and following links and you have not been keeping your browser add-ons and plug-ins updated, you are in extreme danger of being exploited by any number of hostile codes that are running all over the Internet. I urge you to use the Secunia Online Software Inspector, or their Personal Software Inspector, to stay current with Windows and third party patches and updates. When the Software Inspectors report that you have insecure applications on your computer you need to uninstall them and upgrade to the latest, secure versions. Links are provided in the reports so you can go directly to the vendor's download pages for patches.

That's all for today folks. Be sure you visit the vendors' websites listed in these vulnerabilities to watch for and obtain updates or patches as they are released.


May 20, 2009

Spybot Search and Destroy Definitions Updated on May 20, 2009

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on May 20, 2009, as listed below. A slew of fake security programs and rootkits were added to the latest definitions.


Additions to malware definitions made on May 20, 2009:

Adware
++ Digifast

Keyloggers
+ Ardamax

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
++ Fraud.WinPCAntivirus
+ InternetAntivirusPro
++ Win32.OnLineGames.bklm

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Bifrost.LA
+ Fake.Javacore
+ Webshow
++ Win32.Agent.afq
+ Win32.Agent.amwr
++ Win32.Agent.cfuc
++ Win32.Agent.jjv
++ Win32.Agent.NKV
++ Win32.Agent.ukv
++ Win32.BHO.sx
+ Win32.TDSS.pe
+ Win32.TDSS.rtk
+ Win32.Virut.q
++ Win32.Webprefix
+ Zlob.Downloader
+ Zlob.Downloader.miu

Total: 1411185 fingerprints in 482185 rules for 4667 products.

False positive detections reported or fixed this week:

A false positive detection of "Virtumonde.sdn" in iwlandrvxpver.dll was confirmed and fixed with today's updates.

A false positive detection in Malwarebytes mbamgui.exe, detected as Smitfraud-C, was fixed today.

Some false positive bad-site detections in Mozilla Firefox bookmarks, to legitimate trusted websites, were finally fixed, after two weeks of discussions.

One user reported that right after updating his definitions last week (May 13) a total of 48 Windows\System32 files were flagged as Trojans. After sending them in for analysis it was determined that these were false positives and all have been added to the program's white list. Note that sometimes malware will replace legitimate system files with infected copies, so scanning with other programs (anti-virus) is recommended.

Additional Information about Spybot S&D and links

Spybot Search and Destroy has always been and continues to be free (although they do accept donations from grateful users!). If you clicked on a download link that claimed to be for Spybot S&D and found that you were required to pay to use the program, you have been tricked. Get out of there right now and go to the real Spybot S&D website, then download the authentic version. If you installed a fake version you may be infected, so update the real one and scan for malware.

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has an redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti malware engine in Spybot 1.6+ to effectively remove them. If you are using any version older than 1.6.2 you are strongly advised to uninstall it and install the newest version. It is advisable to undo all immunizations before uninstalling Spybot S&D, then redo them after updating signatures for the new version.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.

Finally, if you have opted to use the Spybot "Tea Timer" realtime monitor, you need to know that it has been subject to a lot of false positives recently. Most have occurred since the Tea Timer module was recently updated to version 1.6.6, a few months ago. Check with the Spybot S&D False Positives Forum before allowing Tea Timer to permanently delete any files. Further, just in case, tell it to save the deleted files so you can restore them after obtaining definition updates. If you cannot wait for updates to be released tell Tea Timer to ignore the problem files, if they are known to be falsely flagged.


May 17, 2009

My Spam analysis for May 11 - 17, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

I am still seeing a greatly reduced amount of spam, possibly due to me being white-listed by spammers, trying to avoid my honeypots, or because of troubles spammers might be having controlling their Botnets. Nonetheless, the types of spam I am getting are most likely the same types you are getting, just in a different quantity. The classifications can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the offshore knockoff pharmaceuticals, like Viagra, bogus weight loss remedies and male enhancement scams. Other classifications, like Blocked Countries, usually include counterfeit drug promotions, sometimes in embedded images, or in vertical text and html tricks.

See my extended comments for this week's breakdown of spam by category, for May 11 - 17, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for May 11 - 17, 2009. Spam amounted to 10% of my incoming email this week. This represents a 5% decrease from last week.
Viagra spam: 21.43%
Blacklisted Domains/Senders (e.g: kef+diz@+): 21.43%
Blocked Countries, RIPE, LACNIC, APNIC: 14.29%
Other filters: (See my MWP Filters page) 7.14%
Male Enhancement Patches, etc: 7.14%
Zip, RAR, or GZ Hostile Attachment: 7.14%
Weight Loss Scams: 7.14%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 7.14%
Known spam user agents: 7.14%

The latest additions to my custom MailWasher Pro filters include the Image Spam 11, Male Enhancement [Body], Bank Phishing, Known Spam Domains, Known Spam Subjects #3, Nigerian 419 Scams and Weight Loss Drugs filters.

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.


May 15, 2009

Securing FormMail scripts against spambots

Takeaway

This is a technical article about securing a Perl "FormMail" script against spammers who attempt to hijack these scripts for use as spam relays. For those not in the know, FormMail, written in the "Perl" scripting language, is one of the original mailer scripts freely available for general use on websites. It is used by millions of webmasters to send email from a web page form. However, unbeknown to many webmasters, older versions of FormMail are totally insecure and can be exploited as spam relays.

History of FormMail

The original version of FormMail was written in 1995 by Matt Wright and was made available for free on his website: Matt's Script Archive. Unfortunately, the early versions of his FormMail script were very insecure and easily turned into spam relays. This fact was seized upon in 2002 by spammers who used bots to scour websites in search of these exploitable scripts, by name or variations thereof. In response, on April 19, 2002, Matt rewrote his FormMail script to secure it better and released it as version 1.91. This was to become the final version of Matt's FormMail. It remains mostly insecure to this day, yet is in use by website owners around the World who haven't learned about the exploits targeting FormMail.

Several years ago I wrote an in-depth web article describing the vulnerabilities in Matt's FormMail, partially titled: FormMail Security Vulnerabilities and Solutions, in which I also recommended a drop-in secure replacement script known as NMS FormMail, which was developed by a group calling themselves the London Perl Mongers. My article is still a valuable resource and will bring most webmasters up to speed on what they need to do to protect their websites from FormMail exploiters. Following my recommendations will certainly help to secure any FormMail scripts you may be using. It will also protect your email account(s) from being harvested by creating alias numbers for them, in NMS FormMail, instead of using plain text addresses to submit to. But, there's more you can do that wasn't covered in my original article.

Securing FormMail - 101

One of my recommendations was renaming your FormMail script to something other than its default spelling: formmail.pl. While this makes it a little harder to locate the script for hostile bots it is useless at protecting it against human spammers. All they need to do is to read the source code of your contact, or feedback pages to get the name of the script that processes your forms and mails comments to you. Then they can go after that script by its new name to try to exploit it for use as a spam relay. If it really is an insecure version of Matt's FormMail it will be used as a spam relay! If you are running your website on an Apache web server, as most of us are, there are special codes, called Mod_Rewrite Directives, that can be applied to a particular server file named .htaccess to completely hide the name of the renamed script, protecting it from being used as a spam relay. If you are allowed to add these directives you can make your FormMail script invisible to spammers.

Read the rest of the details in my extended comments.

About .htaccess

All Apache based web servers use a special access control file named .htaccess. This file's name begins with a period, which marks it as a hidden file; Apache reads it as a per-directory server control file. The contents of a .htaccess file have to conform to exact specifications to (1) work as intended, and (2), avoid causing a Server 500 lockout error. Yep, it's that touchy! In my extended comments I will demonstrate how you can apply particular "directives" to your .htaccess file to hide your renamed FormMail scripts from the prying eyes of form spammers and their bots.

Note, that the instructions for hiding the actual script will not prevent spammers from filling out your forms with spam comments and submitting them to you. They will prevent your FormMail script from being used as a spam sending relay without your knowledge. You will need to contact your web hosting company to find out if you have permission to create a custom .htaccess file, or to modify an existing copy using "Mod_Rewrite" directives. Most good web hosts allow custom .htaccess files and Mod_Rewrite directives. If your web host doesn't allow you to use custom .htaccess directives you may want to consider finding another hosting company for your websites, like my current host, Bluehost.

How to hide your FormMail Perl script from spammers

Assuming you have a properly configured and secure version (NMS) of FormMail, that will actually send you an email when a form is properly submitted, here is the process to use to conceal it from spammers wishing to use it as a spam relay. These codes must be used in your public web root .htaccess file, which is only available on an Apache web server hosted website. Windows Server hosted websites cannot use this system unless the web host has, or is willing to install a commercial rewrite conversion script that translates .htaccess directives into a form recognized by Windows IIS servers.

The nitty gritty details of concealing FormMail scripts

First, rename the script to something that doesn't contain either the word "form" or "mail" - like p9pwdfj.pl (or .cgi) (don't use my example names!). Just pick a name or set of characters that has nothing in common with "form," "mail," or any combination or alteration of either word. Spammers have dispatched automated scripts (bots) to search publicly accessible websites for Perl and PHP scripts containing the words form, mail, email, mailer, etc. If they find such a script it will be probed to see if it can be exploited as a spam relay, using your website's SMTP mail server as the spam engine. That will probably get your hosting account suspended if they are successful.

Second, create an alias name for the action when a contact form is submitted. This would be on your HTML or PHP contact, or feedback web pages. Normally, this action line would resemble this stripped down renamed example:

<form action="cgi-bin/changed-script-name.pl" method="POST">

To protect your changed FormMail script name from being scraped from this form, change the action to an alias name, like this example:

<form action="cgi-bin/sub" method="POST">

We can now use a special .htaccess "Mod_Rewrite" directive to translate this aliased action to point to the renamed FormMail script. Learn more about Apache v2.2 .htaccess directives here (read about other releases here).

Download your .htaccess file from your website and open for editing in Notepad, or your preferred plain text ASCII editor. You can download it either via your FTP program, or your web control panel's file manager. You may have to unhide the normally hidden .htaccess file to see it on the remote server side. You can do this in most FTP programs by issuing a "Remote File Mask" command of -al, or by checking a box to show hidden server files using your web site's control panel file manager.

With the .htaccess file downloaded to your hard drive, open it in a plain ASCII text editor (e.g: Windows Notepad, TextEdit in Mac OS X, Fookes NoteTab Pro, or CoffeeCup Direct FTP, etc). The entire contents are plain "ASCII" text. If you do not already have a .htaccess file you can create a new one for this purpose. Open a new text file in your plain text editor and save the following directives, carefully observing the spaces where they exist (copy and paste for safety's sake, then edit), substituting the action alias and the name you have given to your cloaked FormMail file:


Options +FollowSymLinks
RewriteEngine On
RewriteOptions inherit
RewriteBase /

RewriteRule ^cgi-bin/sub$ cgi-bin/changed-script-name.pl [L]
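As an added example that is not part of the original article, here is a fuller web-root .htaccess that combines the alias rule above with two further guards: only POST requests reach the alias, and a request that names the real script directly is refused. The alias "cgi-bin/sub", the script name "p9pwdfj.pl" and the use of Apache's REDIRECT_STATUS variable to tell an internal rewrite from a direct request are assumptions for illustration; substitute your own names.

```apache
# Added example, not from the original article. Placeholders:
#   cgi-bin/sub        - the public alias used in the form's action attribute
#   cgi-bin/p9pwdfj.pl - the renamed FormMail (NMS) script
Options +FollowSymLinks
RewriteEngine On
RewriteBase /

# A genuine form submission is a POST. Any other method hitting the alias
# (a bot fetching it with GET to see what it is) is refused with 403.
RewriteCond %{REQUEST_METHOD} !^POST$
RewriteRule ^cgi-bin/sub$ - [F,L]

# Map the public alias to the real script with an internal rewrite.
# The browser and any page scraper only ever see "cgi-bin/sub";
# [L] stops processing of further rules for this pass.
RewriteRule ^cgi-bin/sub$ cgi-bin/p9pwdfj.pl [L]

# Refuse requests that name the real script directly. Apache sets
# REDIRECT_STATUS only when the request arrived through the internal
# rewrite above, so a request with it empty did not come via the alias
# and gets 403 Forbidden. The period in the pattern is escaped so it is
# matched literally, as the article notes for reserved characters.
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^cgi-bin/p9pwdfj\.pl$ - [F,L]
```

After uploading, confirm that a normal submission from your contact page still produces the email, and that opening the real script name in a browser now returns a 403 rather than the script's own output.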

Testing and dealing with Server 500 errors

Save the modified .htaccess as (using Save As) htaccess.txt. Now rename the original file to .htaccess1 and then rename the modified file to .htaccess and upload it to your Apache server website's public_html or web root folder. Immediately, try to open a page on your website in a browser. If you see a "Server 500" error you must upload the original file to the server, rename the bad one to .htaccess2, rename the original/good one, if any existed, to .htaccess, then look for typos in your modified file. Look for text comments you may have typed or copied that are not preceded with a # symbol (a comment directive), or spaces where none should be, or unescaped spaces in directives. Spaces in .htaccess Mod_Rewrite directives must be escaped with a backslash before the space. Other reserved characters, like parentheses and periods, must also be escaped if they are to be interpreted literally, not as code. Read the Apache Documentation for details about allowed directives in .htaccess files.

If you have copied and pasted then edited my example and still get a server 500 error, contact your web host's support department to see if they disallow one of these .htaccess directives.

If your web host requires Perl scripts to end in .cgi, change the renamed extension from .pl to .cgi, then change the directive in .htaccess to match it. If your renamed FormMail starts giving you access denied errors, you may need to assign the proper permissions to it on the server. The required server permissions are "755" - which translates into Owner = Read, Write and Execute; Group = Read and Execute; Everyone else = Read and Execute.

Wrap-up

Matt's old FormMail scripts are all vulnerable to hacking exploits. By using NMS FormMail, not Matt's FormMail, by renaming the script, then using a .htaccess Mod_Rewrite alias for the action, you will prevent automated spam bots from turning your FormMail script into an open spam relay.


May 13, 2009

Spybot Search and Destroy Definitions Updated on May 13, 2009

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on May 13, 2009, as listed below. A slew of fake security programs and rootkits were added to the latest definitions.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

Download links and more instructions about using Spybot Search and Destroy are in my extended comments, along with the description of the latest definition updates and false positive fixes.

Extended Comments

When all updates have succeeded, click on "Exit." With the program updated it is time to open the main program interface, using either the Start Menu link, or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, or Hosts, or Domains, as you see fit, then click on Immunize button over the right panel, that has a green cross. Sometimes, Spybot immunizes against cookies and domains that you may actually want to visit. If you suddenly find you cannot login, or cookies are missing, you can undo the most recent Immunizations, then uncheck the desired items and re-immunize. Websites added to your Windows HOSTS file during immunization will be blocked completely, so you may need to edit that file in Notepad, saving as HOSTS, without any extension, or uncheck it from immunization if your preferred websites are blocked by Spybot S&D.

After immunizing against unwanted items you should click on the Search & Destroy icon, on the left, then click "Check for problems," on the right side. It will take several minutes, or longer to scan all your files for known threats, and possible threats, using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes anything listed in the definition databases will be listed in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, click on the item name and the right click and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti-malware engine in Spybot 1.6+ to effectively remove them.

Also, the TeaTimer module was recently updated to version 1.6.6. If you use the Spybot Tea Timer you may want to install this update (as an administrator) (Or maybe not! See notes below concerning false positives in TeaTimer.).

Additions made on May 13, 2009:

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ DrAntispy
++ Fraud.AntiMalwarePro
+ Fraud.AntivirusPlus
+ Fraud.Downloader.gen
++ Fraud.PCCenter
++ Fraud.PersonalAntivirus
+ Fraud.SystemSecurity
+ MalwareAlarm
++ Win32.Staem.m
++ Win32.XiaJian.bk
+ WinWebSecurity

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ Live-Player

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Adload.R
+ Win32.Agent.bt
+ Win32.Agent.fbx
++ Win32.Downloader.dequ
++ Win32.ESpy.k
+ Win32.Poison.pg
+ Win32.Seneka.rtk
+ Win32.TDSS.bae
+ Win32.TDSS.or
+ Win32.TDSS.qa
+ Win32.TDSS.rtk
++ Win32.VB.mqu

Total: 1409583 fingerprints in 481881 rules for 4661 products.

False positive detections reported or fixed this week:

A false positive detection of Troj Printspool leading to the failure to print has been corrected with today's updates.

A TeaTimer update has been issued to stop deleting UPX-packed executables, created by programmers.

A user reported that TeaTimer doesn't like the Comodo Firewall's latest security update. "TeaTimer terminated \Program Files\Comodo\COMODO Internet Security\cmdagent.exe." This is a confirmed false positive that may have been fixed today.

Finally, a user who updated his nVidia video drivers was astounded to be told by Spybot that their registry entries are considered to match Smitfraud-c! This is being analyzed to determine if it is another false positive. If so it will be fixed in another update.

I recommend NOT installing the TeaTimer module at this time, unless you are an advanced user! There are just too many false positives since the updated version was released. If you are unsure about the validity of a TeaTimer pop-up alert regarding a process having been terminated, do not select the option to delete the file. Also beware of Spybot heuristic scan malware reports and always save any deleted files in case it is a false positive and they need to be restored. If you can't recover deleted registry entries and programs stop working, try running System Restore to just before the last Spybot updates.

You should send feedback about TeaTimer false positives to Team Spybot, after registering with the Safer-Networking forum.

If you have purchased McAfee, Symantec, or Trend Micro security suites (which are very good products) and they ask you to uninstall Spybot, or do so without your option to refuse, simply reinstall Spybot afterward. But, I recommend not activating the TeaTimer module in Spybot S&D, as this will cause a struggle over which program monitors the system for realtime changes.

Various reports from the Internet and from Safer-Networking's own testing seem to indicate that there is a problem between Internet Explorer 8 and the immunization feature of Spybot - Search & Destroy, causing a slow startup of IE 8. It is caused by the large number of websites added to the browser's Restricted Sites Zone. This is being worked on by Team Spybot.

Team Spybot has changed the name of the Spybot S&D setup file. The installer file that is downloaded to the desktop during a main update (to allow you to see the file and store it elsewhere if you want) is now named setup-spybotsd162.exe instead of spybotsd162.exe to avoid confusion with the regular Spybot... start link. The new naming convention should continue with future releases.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the new detections, by its name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

Older versions of Spybot are no longer being updated or supported. If you are using any version older than 1.6.2 please upgrade to the current version of Spybot S&D, which is now 1.6.2, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0. Also, the number of malware definitions has more than doubled between July and December, 2008.


Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.


May 10, 2009

My Spam analysis for May 3 - 10, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

I am still seeing a greatly reduced amount of spam, possibly due to me being white-listed by spammers, trying to avoid my honeypots, or because of troubles spammers might be having controlling their Botnets. Nonetheless, the types of spam I am getting are most likely the same types you are getting, just in a different quantity. The classifications can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the offshore knockoff pharmaceuticals, bogus weight loss remedies, male enhancement scams and Nigerian 419 advance fee fraud scams and phishing scams. Other classifications, like Blocked Countries, usually include counterfeit drug promotions, sometimes in embedded images, or in vertical text and html tricks.

MailWasher Pro spam category breakdown for May 3 - 10, 2009. Spam amounted to 15% of my incoming email this week. This represents a 6% increase from last week.


Other filters: (See my MWP Filters page) 25.00%
Male Enhancement Patches, etc: 10.71%
Blacklisted Domains/Senders: 10.71%
Nigerian 419 Scams: 7.14%
Blocked Countries, RIPE, LACNIC, APNIC: 7.14%
Hidden ISO or ASCII Subject spam: 7.14%
Viagra spam: 7.14%
Casino Spam: 7.14%
Phishing Scams (for banks): 7.14%
Weight Loss Scams: 3.57%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 3.57%
Pills spam: 3.57%

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

To protect your computer from malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

All spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by career criminals, many of whom live in Eastern Europe, in the former Soviet Union. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions).

If you are foolish enough to purchase spamvertised pharmaceuticals you may be placing your health in danger. The pharmacies producing these drugs are in China and other Asian countries, including India. Their pills are not approved for use in the US or Canada, where they are targeted. All claims to the contrary are false. Canadian Pharmacy is fake. It does not exist in Canada, nor is it licensed there! It is a scam website, hosted on zombie computers in Botnets. The drugs they push are Asian made counterfeits and could cause you harm.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.


May 9, 2009

Spybot Search and Destroy Definitions Updated on May 6, 2009

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on May 6, 2009, as listed below.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

When all updates have succeeded, click on "Exit." With the program updated it is time to open the main program interface, using either the Start Menu link, or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, or Hosts, or Domains, as you see fit, then click on Immunize button over the right panel, that has a green cross. Sometimes, Spybot immunizes against cookies and domains that you may actually want to visit. If you suddenly find you cannot login, or cookies are missing, you can undo the most recent Immunizations, then uncheck the desired items and re-immunize. Websites added to your Windows HOSTS file during immunization will be blocked completely, so you may need to edit that file in Notepad, saving as HOSTS, without any extension, or uncheck it from immunization if your preferred websites are blocked by Spybot S&D.

Download links and more instructions about using Spybot Search and Destroy are in my extended comments, along with the description of the latest definition updates and false positive fixes.

Extended Comments

After immunizing against unwanted items you should click on the Search & Destroy icon on the left, then click "Check for problems" on the right side. It will take several minutes, or longer, to scan all your files for known threats and, using heuristics, for possible threats, unless you disable heuristics in the program's Advanced Mode > Settings. When the scan completes, anything matching the definition databases will be listed in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, then right-click on the item name and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti-malware engine in Spybot 1.6+ to be removed effectively.

Also, the TeaTimer module was recently updated to version 1.6.6. If you use the Spybot TeaTimer you may want to install this update (as an administrator). Or maybe not! See the notes below concerning false positives in TeaTimer.

Additions made on May 6, 2009:

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
++ Fraud.AntiVirus360Remover
++ Fraud.AVAntiSpyware
++ Fraud.SpybotSearch
++ Fraud.UltraAntivir2009
++ Fraud.WinCleaner
+ Win32.BHO.je
++ Win32.Inject.mby
++ Win32.Virut.ce
+ WinWebSecurity

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
++ PerfectUninstaller

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Vanbot
+ Win32.Agent.boym
+ Win32.Agent.bt
++ Win32.Agent.ext
+ Win32.Seneka.rtk
+ Win32.TDSS.cl
+ Win32.TDSS.gen
+ Win32.TDSS.qa
+ Win32.TDSS.rtk
+ Win32.VB.aqt

Total: 1409006 fingerprints in 481516 rules for 4641 products.

False positive detections reported or fixed this week:

One user has reported that all of his Firefox bookmarks were flagged with gold stars as being a "problem." I'd say there is a problem, but not with the bookmarks. These are false positives!

Spybot's TeaTimer is still misbehaving. A user reported that it doesn't like the Comodo Firewall's latest security update. TeaTimer terminated \Program Files\Comodo\COMODO Internet Security\cmdagent.exe. This is a confirmed false positive.

Many users are reporting false positives of "EBlaster" in the Spybot heuristic scanner for .mht files, various image files, zip files and some saved web pages. These false positives were fixed with this week's updates.

Another False positive: Fraud.Antivirus 2008 was detected in a registry entry for a video editing color correction plugin named AavcolorLabPP. It was fixed with this week's updates.

A false positive was confirmed and fixed for Top Producer Online msjavx86.exe.

A false positive detection of Fraud.VirusDoctor in C:\Program Files\SecondLife\SLVoice.exe was fixed this week.

There was a confirmed False Positive in Sun Java of "Perfect Keylogger" and it has been fixed.

I recommend NOT installing the TeaTimer module at this time, unless you are an advanced user! There are just too many false positives since the updated version was released. If you are unsure about the validity of a TeaTimer pop-up alert regarding a process having been terminated, do not select the option to delete the file. Also beware of Spybot heuristic scan malware reports and always save any deleted files in case it is a false positive and they need to be restored. If you can't recover deleted registry entries and programs stop working, try running System Restore to just before the last Spybot updates.

You should send feedback about TeaTimer false positives to Team Spybot, after registering with the Safer-Networking forum.

If you have purchased McAfee, Symantec, or Trend Micro security suites (which are very good products) and they ask you to uninstall Spybot, or do so without your option to refuse, simply reinstall Spybot afterward. But, I recommend not activating the TeaTimer module in Spybot S&D, as this will cause a struggle over which program monitors the system for realtime changes.

Various reports from the Internet and from Safer-Networking's own testing seem to indicate that there is a problem between Internet Explorer 8 and the immunization feature of Spybot - Search & Destroy, causing a slow startup of IE 8. It is caused by the large number of websites added to the browser's Restricted Sites Zone. This is being worked on by Team Spybot.

Team Spybot has changed the name of the Spybot S&D setup file. The installer file that is downloaded to the desktop during a main update (to allow you to see the file and store it elsewhere if you want) is now named setup-spybotsd162.exe instead of spybotsd162.exe to avoid confusion with the regular Spybot... start link. The new naming convention should continue with future releases.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the update, immunize and scan instructions at the top of this article to detect and remove any malware that is on your PC. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the new detections, by its name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses following a malware name indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

Older versions of Spybot are no longer being updated or supported. If you are using any version older than 1.6.2 please upgrade to the current version of Spybot S&D, which is now 1.6.2, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0. Also, the number of malware definitions more than doubled between July and December 2008.


Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.



May 3, 2009

My Spam analysis for April 27 - May 2, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

I am seeing a greatly reduced amount of spam, possibly due to me being white-listed by spammers, trying to avoid my honeypots, or because of troubles spammers might be having controlling their Botnets. Nonetheless, the types of spam I am getting are most likely the same types you are getting, just in a different quantity. The classifications can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake watches, male enhancement junk and Nigerian 419 advance fee fraud scams. Other classifications, like Blocked Countries, usually include counterfeit drug promotions, sometimes in embedded images, or in vertical text and html tricks.

MailWasher Pro spam category breakdown for April 27 - May 2, 2009. Spam amounted to 9% of my incoming email this week. This represents a 2% decrease from last week.


Nigerian 419 Scams: 15.00%
Counterfeit Watches: 15.00%
Blocked Countries, RIPE, LACNIC, APNIC: 10.00%
Known Spam Domains (.cn, .ru, .br, etc): 10.00%
Hidden ISO or ASCII Subject spam: 10.00%
Viagra spam: 10.00%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 5.00%
Casino Spam: 5.00%
Base64 encoded spam: 5.00%
One word Subject (spam in body): 5.00%
Blacklisted Domains/Senders: 5.00%
Other filters: (See my MWP Filters page) 5.00%

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

To protect your computer from malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

Virtually all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by career criminals, many of whom live in Eastern Europe, in the former Soviet Union. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions).

If you are foolish enough to purchase spamvertised pharmaceuticals you may be placing your health in danger. The pharmacies producing these drugs are in China and other Asian countries, including India. Their pills are not approved for use in the US or Canada, where they are targeted. All claims to the contrary are false. Canadian Pharmacy is fake. It does not exist in Canada, nor is it licensed there! It is a scam website, hosted on zombie computers in Botnets. The drugs they push are Asian made counterfeits and could cause you harm.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.



May 1, 2009

Block Ukrainian Malware Server on Eurohost

Yesterday, April 30, 2009, when investigating a problem with an associate's websites, I traced a cross site scripting iframe exploit, pointing to a malware middleman website at tojandglow.com, which redirects victims to a hostile server hosted in the Ukraine by Eurohost LLC. This Ukrainian server is currently dispensing malicious software that includes 9 Trojans, 7 scripting exploits and 1 virus.

The hostile iframe code was injected into the home pages of two related websites by exploiting vulnerabilities in a PHP script used by the webmaster of those websites. The server dispensing the exploits is located at 91.212.65.138, which coincides with the Eurohost home page. The CIDR assigned to Eurohost is 91.212.65.0/24 and you should block access to it in your firewall IP blocking rules, or in your Windows HOSTS file. Examples of how to do both are found below.

Any website that is running php or cgi scripts is in danger of becoming an inadvertent carrier of the redirection iframe that leads your innocent visitors to servers that are rigged to exploit a variety of exploitable vulnerabilities in their browsers, or browser add-ons, plug-ins, or helper objects. Some of the most frequently exploited applications are Internet Explorer (any version prior to 8.0), Adobe Flash, Adobe Reader and Apple Quicktime. Other exploited programs include Apple Safari, Google Chrome and occasionally, Mozilla Firefox. On rare occasions the Opera browser and the Java plug-in are vulnerable to targeted attacks. Firefox and Opera browsers are usually updated very quickly after a vulnerability is reported to their maintainers. Plug-ins usually take longer to update because they have to interact with so many other items and applications.

Webmasters and server administrators, you are responsible for keeping up to date with patches released by software authors, for any applications or scripts that you choose to run on your websites. Information to help you protect your websites and servers from getting exploited by hostile injection probes is in my extended comments.

Individuals browsing the Internet are the real targets of all of these injection attacks. This includes everybody reading this article. You and I have to constantly remain vigilant about threats to our computers' security. New exploits are found every month and are often released in the wild before software authors can respond with patched versions. Those are called zero day exploits. There are several ways to protect your computers from these exploits, including, but not limited to keeping up to date with all Windows, Mac or Linux updates and patches, and patches for commonly exploited third party browser add-ons, like Flash players, PDF Readers, Quicktime and Java plug-ins. Your next line of defense is a combination of security programs encompassing a 2-way firewall, anti-virus and anti-spyware and web threat protection that blocks hostile web pages. Or, you can install one top-notch security suite, like Trend Micro Internet Security and have all these protections and more in just one regularly updated package. There are links to reputable security products in the right sidebar on all of my blog pages.

Windows users have an additional means of protecting their PCs from visiting hostile websites. There is a special file, normally found in C:\Windows\System32\drivers\etc\, with the unusual file name: HOSTS. Although it has no file extension it can be opened and edited using the built-in Windows Notepad. Each line of the HOSTS file pairs an IP address with a hostname (not a full URL), separated by a tab or multiple spaces, and Windows consults it before asking DNS. That also means HOSTS can only override names: an IP address or a CIDR range placed in the hostname column does nothing, so the Ukrainian server's address must be blocked in your personal firewall's IP rules instead. To keep your computer from being redirected to the hostile tojandglow website, open your HOSTS file and edit it using these steps.


  1. Using Start > (My) Computer, double-click on the C drive icon, then navigate to your Windows\System32\drivers\etc\ folder.

  2. Inside the "etc" folder you should see a file named "Hosts" You may have to unhide system files before this file can be seen. See my extended comments for details on how to do this.

  3. Right-click on the file named HOSTS and choose (left click) Properties

  4. Find the attributes section starting with "READ-ONLY" and uncheck it if it was checked

  5. Click Apply and OK to close the Properties window.

  6. Right-click on HOSTS while holding down the Shift key and select "Open With"

  7. Scroll through the programs list until you find "Notepad" and double-click on it

  8. If Notepad isn't listed you will have to use the browse button to navigate to the Windows folder, where Notepad.exe is located.

  9. With HOSTS open for editing go to the last line in the file and hit ENTER

  10. Add these lines, with a tab after each 127.0.0.1 (the second line covers the www. alias, because HOSTS matches exact hostnames only):

    • 127.0.0.1       tojandglow.com

    • 127.0.0.1       www.tojandglow.com

  Do not add lines such as "127.0.0.1 91.212.65.138" or "127.0.0.1 91.212.65.0/24". HOSTS maps names to addresses and silently ignores an address or range in the name column, so those lines would give you no protection at all. Block the 91.212.65.0/24 range in your firewall's IP rules instead.


  11. Click File > Save and in the File Type selection, choose All Files and save it as HOSTS, without an extension.

  12. Windows may decide to add a .txt extension anyway. If it does, allow this, then right-click on the saved file and delete the .txt extension. Answer the challenge about changing file extensions.


Reboot your computer to make this protection take effect. From that point on any script that tries to redirect you to any of the hostnames listed in the HOSTS file will instead be looped right back to your own computer, commonly referred to as 127.0.0.1, the loopback or "localhost" address. The injected iframe would display a "page cannot be found" error if it was visible (it isn't; it's only 1x1 pixel!). Do the same any time a new hostile hostname is published; newly published IP addresses and ranges go into your firewall rules.

BTW: If you see any 127.0.0.1 entries referring to microsoft.com in your HOSTS file, remove them! Malware put them there to prevent you from getting Windows Updates or Microsoft security downloads. Ditto for any recognizable security vendors' websites.
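The two checks just described, that an entry actually does something (a hostname, not an address or range, in the name column) and that no vendor site has been hijacked to 127.0.0.1 or elsewhere, can be automated. The script below is an added example written for this page, not code from the original article; the HOSTS content it parses is constructed, and the list of protected vendor domains is an assumption you should extend for the security products you actually run.

```python
import ipaddress

# Constructed sample HOSTS file (not from the original page). It mixes the
# Windows default line, a valid block for the redirector domain, two inert
# entries (an IP and a CIDR in the hostname column, which HOSTS cannot block)
# and two hijack entries of the kind the article says malware plants.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       tojandglow.com
127.0.0.1       91.212.65.138
127.0.0.1       91.212.65.0/24
127.0.0.1       www.microsoft.com        # planted by malware
1.2.3.4         liveupdate.symantec.com
"""

# Vendor domains malware redirects to keep a PC from getting patches or
# signature updates. Illustrative list (an assumption); extend as needed.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "symantec.com",
                      "mcafee.com", "trendmicro.com", "safer-networking.org")

# Names that legitimately map to loopback in a stock HOSTS file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def _is_ip_or_cidr(token):
    """True if the 'hostname' column is really an IP or CIDR; HOSTS ignores those."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def _is_protected(name):
    """True if the name is, or is under, one of the protected vendor domains."""
    name = name.lower()
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Classify every HOSTS entry as 'ok' (an effective block or the loopback
    name), 'inert' (does nothing) or 'hijack' (a vendor domain redirected).
    Returns a list of (line_number, category, name) tuples."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()     # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                       # an address with no name column
            findings.append((lineno, "inert", parts[0]))
            continue
        for name in parts[1:]:                   # one address may list several names
            if _is_ip_or_cidr(name):
                findings.append((lineno, "inert", name))
            elif _is_protected(name):
                findings.append((lineno, "hijack", name))
            else:
                findings.append((lineno, "ok", name))
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = {"ok": 0, "inert": 0, "hijack": 0}
    for _, category, _ in findings:
        counts[category] += 1
    return counts


if __name__ == "__main__":
    # On a real Windows box read C:\Windows\System32\drivers\etc\hosts instead.
    results = audit_hosts(SAMPLE_HOSTS)
    for lineno, category, name in results:
        print(f"line {lineno:2d}  {category:6s}  {name}")
    print(summarize(results))
```

Any "hijack" line should be deleted outright, and any "inert" line tells you the block you thought you had is not there and belongs in the firewall instead.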

Webmaster information to protect against hostile IP traffic

Most shared hosting websites are offered a large selection of free scripts that enhance the usability and functionality of their websites. These include photo galleries, guestbooks, contact forms, administration interfaces, control panels, web email applications, voting scripts, blogs and CMS scripts. Many of these scripts are written in the PHP scripting language and have been thoroughly gone over by hackers looking for any line of insecure code that could be exploited. An unbelievable number of open source and commercial php scripts contain unvalidated input fields and variables which hackers can exploit. To be safe you need to locate the author's websites and see if more recent versions of these scripts are available, then upgrade any that have been updated. The new versions will probably contain fixes for scripting oversights the original programs contained and which hackers are looking to exploit.

CGI and Perl scripts are also targeted by hackers and spammers who search for out-dated, exploitable versions of such popular applications as FormMail. A few years ago hackers began probing my websites for a program known as Matt's FormMail. Fortunately, I was already aware of the vulnerabilities in it and that hackers were probing websites for that program. The proactive steps I took and which new webmasters may also wish to take include first replacing Matt's FormMail with the more secure NMS FormMail (read my web page about FormMail Security). Next, you should rename the FormMail script to something not containing either the words Form or Mail. Don't forget to change the name of the script on your contact form pages to match the renamed file. This is all detailed on my FormMail Security web page. See my extended comments for an even better solution to hiding form scripts from hacker probes.

Webmasters, if you are in doubt about how to proceed, call or email your hosting company, ask for technical support and inquire about which scripts have been updated and which need to be, to remain secure from hackers. If your website is hosted on an Apache web server and you understand how to use .htaccess file directives, and your host allows clients to apply custom .htaccess commands, you can download and install my .htaccess blocklists to prevent persons or automated probes coming from hostile countries, or exploited servers, from accessing any part of your website. Webmasters and server administrators who possess root access can apply my iptables blocklists to deny access to all server modules, including the mail and ftp servers.

Specifically, as relates to this article, you should block access to any traffic coming from the Ukrainian CIDR 91.212.65.0/24. To do this in your .htaccess file, add these lines of code to it (this is the Apache 2.2 mod_authz_host syntax; Apache 2.4 and later replace it with "Require not ip 91.212.65.0/24" inside a <RequireAll> block that also contains "Require all granted"):

<Files *>
order deny,allow
deny from 91.212.65.0/24
</Files>

If you are a Linux server system administrator, add the CIDR 91.212.65.0/24 to your iptables deny firewall rules. See my iptables blocklists landing page for instructions and tips.
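Before and after adding the rules above it helps to know whether the blocked range has actually been hitting your site. The script below, an added example written for this page and not code from the original article or its blocklists, scans Apache combined-format log lines for clients inside any blocked CIDR and emits the .htaccess (Apache 2.2) and iptables rules for the same list, so the two stay in sync. The log lines are constructed, not real traffic.

```python
import ipaddress
import re

# The range the article asks you to block. Add more networks as they are published.
BLOCKED_NETWORKS = [ipaddress.ip_network("91.212.65.0/24")]

# Constructed Apache "combined" log lines (not real traffic); two come from
# the blocked range, two from documentation-only addresses.
SAMPLE_LOG = """\
91.212.65.138 - - [30/Apr/2009:10:15:02 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [30/Apr/2009:10:15:09 -0400] "GET /gallery/ HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
91.212.65.17 - - [30/Apr/2009:10:16:41 -0400] "POST /cgi-bin/formmail.pl HTTP/1.1" 404 229 "-" "-"
198.51.100.23 - - [30/Apr/2009:10:17:00 -0400] "GET /contact.html HTTP/1.1" 200 1802 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def is_blocked(ip_text):
    """True if the address falls inside any blocked CIDR."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False        # not an address (e.g. a name logged with HostnameLookups on)
    return any(ip in net for net in BLOCKED_NETWORKS)


def scan_log(text):
    """Return (ip, request, status) for every log line from a blocked range."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_blocked(m["ip"]):
            hits.append((m["ip"], m["req"], int(m["status"])))
    return hits


def htaccess_rules(networks):
    """Apache 2.2 order/deny block, the form used in the article."""
    body = "\n".join(f"deny from {net}" for net in networks)
    return f"<Files *>\norder deny,allow\n{body}\n</Files>\n"


def iptables_rules(networks):
    """iptables commands that drop the ranges before any service sees them.
    -I inserts at the top of INPUT so an earlier ACCEPT cannot let them through."""
    return "\n".join(f"iptables -I INPUT -s {net} -j DROP" for net in networks) + "\n"


if __name__ == "__main__":
    # On a real server read /var/log/apache2/access_log (path varies) instead.
    for ip, req, status in scan_log(SAMPLE_LOG):
        print(f"blocked range: {ip:15s} {status} {req}")
    print(htaccess_rules(BLOCKED_NETWORKS))
    print(iptables_rules(BLOCKED_NETWORKS))
```

The iptables form protects every service on the box (mail, FTP, SSH), while the .htaccess form only protects what Apache serves; on a shared host you usually only get the second.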

Unhiding hidden Windows files and folders and extensions

By default, most versions of Windows from 2000 onward have the folder view set to hide what are called system files and the extensions of known file types. This makes it difficult to edit your Hosts file, which is located in the normally hidden Windows\System32\drivers\etc folder. It also hides files in your logged-in identity's Application Data folders, and the extensions of known file types. Malware executables frequently fool Windows users by inserting a normally harmless extension in front of the real executable extension, knowing that many of those users never change their default view to unhide known file type extensions. Thus, a file displayed as "filename.mp3" may actually be named "filename.mp3.exe" and may be a malicious Trojan. If you haven't changed the default view options you would never see the .exe on the end and could launch the installation of a Trojan by double-clicking on what you thought was an image, audio, or video file.

Here is how to unhide the files that Windows thinks you don't need to be bothered with (sigh).


  1. In Windows 2000 (including the Server editions), XP, or Server 2003, open My Computer, either from a desktop icon, or from Start > (My) Computer

  2. Click on the menu item TOOLS, then FOLDER OPTIONS.

  3. Skip to step 6

  4. In Windows Vista, Windows 7, or Windows Server 2008, click on (My) Computer, from the Start button link

  5. Click on the "Organize" button, then choose "Folder and Search Options."

  6. In all platforms, click on "View" tab of Folder Options

  7. In the Folder Options > View window, there are four (4) settings you may need to change:

    1. Display the contents of System Folders (check this)

    2. Do not show Hidden files and folders (uncheck this)

    3. Hide extensions for known file types (uncheck this)

    4. Hide protected operating system files (uncheck this)



  8. Click Apply

  9. Click OK until you have exited the options windows, leaving just the (My) Computer window open.


Now you can navigate to the system folder where your "hosts" (or other hidden) file lives and actually see it.
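The double-extension trick described above is easy to check for in bulk, for instance over a download folder or an e-mail attachment list. The script below is an added example written for this page, not code from the original article; the file names are constructed, and the lists of executable and decoy extensions are assumptions (Windows treats more types as executable than are listed here).

```python
# Extensions Windows runs as code when double-clicked (illustrative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "msi", "hta", "cpl", "lnk"}

# Extensions a user expects to be harmless media or documents (illustrative).
DECOY_EXTS = {"mp3", "wav", "jpg", "jpeg", "gif", "png", "avi", "mpg", "wmv",
              "pdf", "doc", "xls", "txt", "zip"}

# Constructed file names, not from any real incident.
SAMPLE_NAMES = [
    "vacation.jpg",
    "song.mp3.exe",
    "movie.avi.scr",
    "report.pdf",
    "setup.exe",
    "notes.txt                                   .bat",   # padding hides the .bat
    "archive.tar.gz",
]


def displayed_name(filename):
    """What Explorer shows when 'Hide extensions for known file types' is on:
    the final extension is dropped (simplified; Explorer only hides extensions
    it has a registered type for)."""
    base, dot, _ext = filename.rpartition(".")
    return base if dot else filename


def is_deceptive(filename):
    """True when the real (last) extension is executable but the name Explorer
    displays ends in a decoy extension. Whitespace before the real extension
    is stripped because attackers pad names so the .exe scrolls out of view."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return False
    real, shown = parts[-1].strip(), parts[-2].strip()
    return real in EXECUTABLE_EXTS and shown in DECOY_EXTS


def find_deceptive(filenames):
    """Return the names that would fool a default Explorer view."""
    return [f for f in filenames if is_deceptive(f)]


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        flag = "SUSPICIOUS" if is_deceptive(name) else "ok"
        print(f"{flag:10s} shown as {displayed_name(name)!r:30s} real name {name!r}")
```

A plain "setup.exe" is not flagged: the check targets the mismatch between what is displayed and what runs, not executables as such.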




About the author
Wiz FeinbergWiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.

Follow @Wizcrafts on Twitter, where I post short updates on security issues, spam trends and things that just eat at my craw.








Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by Movable Type
