June 28, 2009

My Spam analysis for June 22 - 28, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

The volume of spam coming to my various honeypots and user accounts has increased slightly this week. This indicates to me that some of the Botnets that lost their Control and Command servers following the forced shutdown of colocation host Pricewert have found other server hosts that allow illegal activities. Thus, sleeping zombie bots are awakening and spamming again.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for various fake pharmacies, which sell illicit and counterfeit pharmaceuticals like Viagra, weight loss scams and phishing scams.

See my extended comments for this week's breakdown of spam by category, for June 22 - 28, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for June 22 - 28, 2009. Spam amounted to 13% of my incoming email this week. This represents a 5% increase from last week.
Pills: 21.43%
Known Spam Domains: 17.86%
Male Enhancement Patches, etc: 14.29%
Phishing Scams (bank or credit card): 10.71%
Weight Loss Scams (e.g. Acai Berry): 10.71%
Canadian Pharmacy spam: 7.14%
Misc. Pharmaceutical spam: 3.57%
Counterfeit Watches: 3.57%
Viagra or Cialis Spam: 3.57%
Known Spam Subjects #3: 3.57%
"Other filters": (See my MWP Filters page) 3.57%


The latest weekly additions to my custom MailWasher Pro filters include updates to the Known Spam (in Body or From) and splitting it into two separate filters, Known Spam Domains, Known Spam Subjects #3, Male Enhancement [S], Viagra.com, Fake MSN Newsletters (Canadian Pharmacy), Canadian Pharmacy, Phishing and Weight Loss spam filters. Most of the known spam domains, Known Spam Subjects and Known Spam From/Body emails lead to bogus male enhancement solutions, like the fake Canadian Pharmacy sites, now hosted on Chinese domains and servers.

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g., Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.
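To illustrate how ordered filter rules turn raw messages into a category breakdown like the one above, here is an added Python example; it is not MailWasher Pro's code or the filters used on this blog. The category names are taken from the breakdown, while the domains, patterns, sample messages and the reading of "Hidden ISO or ASCII Subject" as an RFC 2047-encoded plain-ASCII subject are assumptions made for the example.

```python
import base64
import re
from collections import Counter
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed rule data. Category names come from the post's breakdown;
# the domains and patterns are illustrative, not the author's real filters.
KNOWN_SPAM_DOMAINS = {"pills.example", "rx-shop.example"}
SUBJECT_RULES = [
    ("Viagra or Cialis Spam", re.compile(r"\b(viagra|cialis)\b", re.I)),
    ("Counterfeit Watches", re.compile(r"\breplica\b.*\bwatch", re.I)),
]
BODY_RULES = [
    ("Phishing Scams (bank or credit card)",
     re.compile(r"verify your (account|card)", re.I)),
]


def decoded_subject(msg):
    """Return (decoded subject, True if it was RFC 2047-encoded plain ASCII)."""
    raw = msg.get("Subject", "")
    try:
        text = str(make_header(decode_header(raw)))
    except Exception:  # malformed encoding or unknown charset: match raw text
        return raw, False
    # Assumption: encoding a subject that is pure ASCII serves only to hide it.
    hidden = "=?" in raw and text != raw and text.isascii()
    return text, hidden


def body_text(msg):
    """Concatenate the text parts, undoing any transfer encoding."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def classify(raw_message):
    """Return the first matching category, or None for mail that passes."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if any(domain == d or domain.endswith("." + d) for d in KNOWN_SPAM_DOMAINS):
        return "Known Spam Domains"
    subject, hidden = decoded_subject(msg)  # match on decoded text, not raw
    for category, pattern in SUBJECT_RULES:
        if pattern.search(subject):
            return category
    body = body_text(msg)
    for category, pattern in BODY_RULES:
        if pattern.search(body):
            return category
    return "Hidden ISO or ASCII Subject" if hidden else None


def breakdown(raw_messages):
    """Return (spam share of all mail in %, {category: % of spam})."""
    cats = [classify(r) for r in raw_messages]
    spam = Counter(c for c in cats if c)
    total = sum(spam.values())
    share = round(100 * total / len(cats), 2) if cats else 0.0
    return share, {c: round(100 * n / total, 2) for c, n in spam.most_common()}


def _msg(sender, subject, body):
    return f"From: {sender}\nSubject: {subject}\n\n{body}\n"


def _b64_subject(text):
    return "=?UTF-8?B?" + base64.b64encode(text.encode()).decode() + "?="


# Constructed sample mailbox: four spam messages and one legitimate one.
SAMPLES = [
    _msg("Promo <promo@mail.pills.example>", "Hello", "Visit our store"),
    _msg("a@isp.example", _b64_subject("Cheap Cialis today"), "Click here"),
    _msg("security@bank.example", "Account notice",
         "Please verify your account now"),
    _msg("x@isp.example", _b64_subject("Hello friend"), "How are you"),
    _msg("colleague@work.example", "Meeting notes", "Agenda attached"),
]

if __name__ == "__main__":
    share, cats = breakdown(SAMPLES)
    print(f"Spam share: {share}%")
    for name, pct in cats.items():
        print(f"{name}: {pct}%")
```

The second sample shows why subjects are decoded before matching: the raw header contains only base64 text, so a keyword rule applied to it would miss the message.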

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

June 26, 2009

Weekly roundup of vulnerabilities and exploits in the wild

Here is a summary of this week's vulnerabilities and exploits in the wild, as reported by Secunia, Websense and other security firms. Actually, this has been a quieter week than most.

Websense has been following a website code injection event they named the "Nine Ball Mass Injection," which is a follow-up to the "Beladen" and "Gumblar" mass injection attacks last month. This is a situation where cyber criminals exploit vulnerable web application scripts that have not been secured by the webmasters who operate those websites. Too many webmasters use free scripts that are rarely, if ever, updated to patch announced vulnerabilities. Hackers send out automatic scripts (a.k.a. robots, spiders) that try to upload hostile files to any website they come across. Once they find an unpatched point of entry they are able to alter the codes on any web pages (usually the home page) they want. In the past, hackers would deface home pages with gibberish or slogans for their causes. Now, it is criminals who sneak in dangerous hidden codes that redirect innocent visitors to hostile websites, which attempt to download malware to the victims' computers. Most are successful, because most people do not, or cannot, keep up with patches released by every vendor of the add-ons and plug-ins used by their browsers.

Most of the malware being downloaded by the Nine Ball and similar exploits is fake security applications that pretend to scan your computer, announce so many threats found, then demand payment to remove those threats. These are tandem malware programs, with part one being the fake alerts and part two being the fake remover. After you pay to unlock the remover, it only removes the alerts its sister placed there in the first place. You will have submitted your credit or debit card information to cyber criminals in the Former Soviet Union and can expect to have your accounts drained shortly.
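For webmasters, the page alteration described above can be caught by comparing each published page against a known-good copy. The following Python sketch is an added example, not code from Websense or from this blog; the host names, the sample pages and the choice of zero-size or style-hidden iframes as the "hidden code" signal are assumptions made for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def is_hidden(attrs):
    """True for an element sized to 0/1 pixel or hidden through inline CSS."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = any((attrs.get(k) or "").strip() in ("0", "1")
               for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


class RemoteRefs(HTMLParser):
    """Collect hosts loaded by <script src> / <iframe src> and hidden iframes."""

    def __init__(self):
        super().__init__()
        self.hosts = set()
        self.hidden_iframes = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        attr = dict(attrs)
        src = attr.get("src") or ""
        host = urlparse(src).hostname  # None for relative (same-site) URLs
        if host:
            self.hosts.add(host.lower())
        if tag == "iframe" and is_hidden(attr):
            self.hidden_iframes.append(src)


def refs(html):
    parser = RemoteRefs()
    parser.feed(html)
    parser.close()
    return parser


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit(baseline_html, current_html):
    """Compare the live page with the known-good copy kept off the server."""
    base, cur = refs(baseline_html), refs(current_html)
    return {
        "changed": sha256(baseline_html) != sha256(current_html),
        "new_hosts": sorted(cur.hosts - base.hosts),
        "hidden_iframes": cur.hidden_iframes,
    }


# Constructed sample pages: the second is the first with one element appended.
BASELINE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://stats.example/counter.js"></script>
</head><body><h1>Welcome</h1></body></html>"""

TAMPERED = BASELINE.replace(
    "</body>",
    '<iframe src="http://redirect.invalid/in.php" width="0" height="0" '
    'style="visibility: hidden"></iframe></body>',
)

if __name__ == "__main__":
    print(audit(BASELINE, TAMPERED))
```

Keep the baseline copy somewhere the web server account cannot write to; a hash mismatch alone only says the page changed, while the new-host and hidden-iframe findings show what to look at first.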

The rest of this week's vulnerabilities and exploits are in my extended comments.

More of this week's vulnerabilities and exploits

Adobe has just released a new, patched version of its Shockwave Player; version 11.5.0.600. There have been exploits announced that are targeting all versions of Shockwave going back several years, when Macromedia owned the rights to it. It took a little while for Adobe to come up with the patch, but it is now available on the Adobe Shockwave page, as a free download. It is advised that you first uninstall any previous versions of Shockwave, reboot, then install the new version. If you have a not too old version of Shockwave installed you can probably remove it via Control Panel > Add/Remove Programs > Adobe Shockwave > Uninstall. Uninstall Shockwave, reboot, then download and install the latest version, directly from the Adobe.com Shockwave download page listed above. Do not download Shockwave from any other website than Adobe.

Criminals constantly try to fool their victims into downloading "required" or "updated" versions of Flash or Shockwave from hostile web pages. In fact, those files are Trojans that will wreak havoc on your PC. Fake Codecs, fake Flash and Shockwave and Adobe Reader updates happen all the time and lead to everything from fake security scanners/removers/applications, to Botnet executables being installed. Botnets are constantly being expanded by luring victims into self infecting their computers with fake security applications or fake browser add-on updates.

Speaking of fake anti-virus applications, there is a new spam run sent by a very large Botnet that is feasting on the unfortunate deaths this week of Farrah Fawcett and Michael Jackson (here is a Websense video report about the Michael Jackson spam links). These spam messages contain links that claim to lead to a video performance, or other special news site about the deceased, where instead of, or in addition to seeing the content you expect, you may be infected behind the scenes simply by visiting that website. That is, if you have any vulnerable third party applications running in your browser. Remember this. Criminals are always targeting unpatched versions of the following commonly installed browser helpers:

Adobe Acrobat
Adobe Flash
Adobe Reader
Adobe Shockwave
Sun Java
Apple QuickTime

The most exploitable browser in history is Microsoft's Internet Explorer. The latest version, 8.0, is definitely more secure than previous versions, but only when used in a Windows Vista or newer computer. Under Vista Internet Explorer can be placed into "Protected Mode." This separates any activity in the browser from accessing or replacing operating system files. Downloads cannot happen without your knowledge using protected mode, but, you can still be fooled into allowing them yourself (Trojans). So, if you are not running Windows Vista, or Windows 7, or newer, and have Internet Explorer 8, and are operating as an administrator, you could still be exploited without your knowledge, simply by getting redirected to a hostile website.

Apple's Safari browser is highly exploitable, as is the new Google Chrome. Mozilla's Firefox, while being constantly targeted by hackers, is very fast when it comes to releasing patched versions. I have seen them push out two patched versions in two or three days. I use Firefox (current version) exclusively to browse the Internet. Safari and Chrome updates often come months apart. Internet "Exploder" is typically updated once a month, at best.

Users who operate their PCs as Administrators are always at higher risk than folks who operate as Limited, Standard, or Power Users. To better understand this please read my February 2009 blog article about how running with reduced user privileges stops 92% of malware attacks from succeeding.

Not relying on email spam alone, criminals have been busy hacking into Twitter accounts with keyloggers, then placing phony "Tweets" containing links that lead directly to malware distribution servers, or that do so through multiple redirects that are encoded into each stop. The most recent report has links in Twitter accounts leading to the Koobface Trojan, which usually spreads on Facebook.

You should always keep your computers protected from malware threats with a current version of your preferred anti-virus and anti-spyware program, or suite. If you use Trend Micro Internet Security, or Internet Security Pro, you are already protected against web based threats, email spam with hostile links, Bots, or dangerous downloads. Additionally, I strongly recommend that you routinely visit the Secunia Online Software Inspector and run it to see what, if any unpatched applications are found on your PCs. Read the results and follow its directions to obtain patched versions of any exploitable software it finds. This includes Windows Updates.

That's all for now. I'll be back next week with the latest threats and vulnerabilities that you need to be concerned with.

June 25, 2009

Spybot Search and Destroy Definitions Updated on June 24, 2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on June 24, 2009, as listed below. Lots of new and altered fake security programs were added to the detections, plus several new Virtumonde Trojans and new or modified spam bots.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The descriptions of the latest definition updates and false positive fixes are in my extended comments below.

Additions to malware definitions made on June 24, 2009:

Hijackers
++ Win32.AdAgent.q

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
++ Fraud.AdwareProfessional
+ Fraud.AntivirusPlus
+ Fraud.AVAntiSpyware
+ Fraud.MSAntispyware2009
+ Fraud.SystemGuard2009
+ Kalmarte
++ Win32.Agent.Bbzv
++ Win32.Agent.fkb
++ Win32.Agent.uek
+ Win32.FraudLoad.edt
+ Worldsecurityonline.FakeAlert


Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.atta
++ Win32.Agent.cfnb
+ Win32.BHO.sx
++ Win32.BHO.ulc
+ Win32.Delf.uv
+ Win32.FraudLoad
++ Win32.IRCBot.kow
++ Win32.LoadAdv.ABA
++ Win32.SharaQQ.30
+ Win32.TDSS.clt
++ Win32.Vbinder.k
+ Win32.VB.ksl
++ Win32.XShadow.b
+ Win32.ZBot

Total: 1435417 fingerprints in 491152 rules for 4706 products.

False positive detections reported or fixed this week:

Four (possible or confirmed) false positives were reported and are being/were discussed and investigated since last week. They are as follows...

A confirmed false positive detection of Virtumonde.sdn in files used in laptops, by the Lojack program was fixed in today's updates. Until the fix is applied you can exclude Lojack's repnet.dll and rpcnet.exe from the scan result by right clicking the items in the Spybot S&D scan result and selecting "exclude this detection from further searches."

A couple of users reported that hundreds of temporary Windows (Vista) Service Pack 2 files were being flagged as Virtumonde.sdn. The definitions released on June 24 fixed these false positives. Nonetheless, deleting those files caused no harm as they were temporary files left over after upgrading to the new service pack and are safe to delete after rebooting from the upgrade.

One user has reported a possible False Positive detection of Win32.SharaQQ.30 in C:\WINDOWS\system32\SVKP.sys. Anti virus scans showed no problem with that file. Team Spybot has not responded as of the time of this posting.

A possible false positive of Win32.IRCBot.kow is under investigation as of tonight.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.

June 21, 2009

My Spam analysis for June 15 - 21, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

The volume of spam coming to my various honeypots and user accounts has decreased again this week. This is probably attributable to the forced closure of Pricewert, a spam-friendly hosting company, where Botnet command and control (C&C) servers and malware hosting was carried out by its customers, with no action taken by the company to halt those activities. With the C&C controllers offline their Botnets cannot receive updates or new instructions and fall silent, like zombies. Spammers then find other means of delivering their crap to us.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake pharmacies, which sell illicit and counterfeit pharmaceuticals, Nigerian 419 scams, and dating scams. Also, the volume of phishing scams targeting customers of various banks and credit cards remained strong again this week.

See my extended comments for this week's breakdown of spam by category, for June 15 - 21, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for June 15 - 21, 2009. Spam amounted to 8% of my incoming email this week. This represents a 4% decrease from last week. This is attributable to the takedown of Pricewert hosting company, where several Botnet Command and Control servers were hosted.
Known Spam Domains: 29.41%
Dating Scams: 17.65%
Phishing Scams (bank or credit card): 11.76%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills, pheromones & herbals): 11.76%
Nigerian 419 Scams: 5.88%
Male Enhancement Patches, etc: 5.88%
Counterfeit Watches: 5.88%
Known Spam (From or Body): 5.88%
Stud scams: 5.88%

The latest additions to my custom MailWasher Pro filters include updates to the Known Spam (in Body or From), Known Spam X-Mailers, Dating scams and Male Enhancement spam filters. Most of the known spam domains, Known X-mailers and Known Spam From/Body emails lead to bogus male enhancement solutions, like the fake Canadian Pharmacy sites, now hosted on Chinese domains and servers.

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g., Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

June 17, 2009

Spybot Search and Destroy Definitions Updated on June 17, 2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on June 17, 2009, as listed below. Some new fake security programs, new Virtumonde Trojans and new or modified bots and rootkits were added to the latest definitions.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The descriptions of the latest definition updates and false positive fixes are in my extended comments below.

Additions to malware definitions made on June 17, 2009:

Keyloggers
+ InvisibleKeyLogger97

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
+ Fraud.AntivirusDoktor
+ Fraud.AntivirusPlus
+ Fraud.MalwareDefender2009
+ Fraud.MSAntispyware2009
+ Fraud.PCCenter
+ Fraud.PersonalAntivirus
+ Fraud.ProAntispyware2009
+ Fraud.Sysguard
+ Fraud.SystemGuard2009
+ MalwareProtector2008

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ DAEMONToolsPro.Crack

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.jjv
+ Win32.FraudLoad.ie
+ Win32.Hidrag.a
+ Win32.Rbot.gen
+ Win32.TDSS.pe
+ Win32.TDSS.rtk
+ Win32.VB.mqz
+ Win32.ZBot

Total: 1433053 fingerprints in 490325 rules for 4696 products.

False positive detections reported or fixed this week:

No false positives were reported since last week. This means that the Spybot S&D detections are becoming much more accurate! Just be sure you are always using the most recent version of the program.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.

June 14, 2009

My Spam analysis for June 8 - 14, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam, spam, spam, spam, spam, spam, spam (from the old Monty Python routine)! The volume of spam coming to my various honeypots and user accounts has held steady this week, still at a relatively low volume (some spammers do prune honeypot accounts from their lists). Some of this is also attributable to the forced closure of Pricewert, a spam-friendly hosting company, where Botnet command and control servers and malware hosting was carried out by its customers, with no action taken by the company to halt those activities.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake pharmacies, which sell illicit and counterfeit pharmaceuticals, Nigerian 419 scams, fake Cialis and Viagra. Also, the volume of phishing scams targeting customers of various Australian banks and credit card holders remained in the running this week.

See my extended comments for this week's breakdown of spam by category, for June 8 - 14, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for June 8 - 14, 2009. Spam amounted to 12% of my incoming email this week. This represents a 3% decrease from last week.
Known Spam Domains: 29.17%
Viagra or Cialis Spam: 16.67%
"Other filters": (See my MWP Filters page) 12.50%
Nigerian 419 Scams: 8.33%
Phishing Scams (bank or credit card): 8.33%
Male Enhancement Patches, etc: 4.17%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 4.17%
Counterfeit Software: 4.17%
Known Spam User Agents: 4.17%
PayPal Phishing Scams: 4.17%
Hidden ISO or ASCII Subject: 4.17%

The latest additions to my custom MailWasher Pro filters include updates to the Bank/credit card Phishing, Known Spam Domains, Cialis/Levitra, Pills, Image Spam and Nigerian Lottery Scam filters. Most of the miscellaneous and known spam domains emails led to bogus male enhancement solutions, like the fake Canadian Pharmacy sites, now hosted on Chinese domains and servers.

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g., Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

June 12, 2009

Windows, Firefox, Adobe Reader and Apple QuickTime updated

There have been significant program updates issued for Microsoft Windows, the Firefox browser, Adobe Acrobat and Reader and Apple's QuickTime browser plug-in. All updates were released this week to fix critical vulnerabilities that were reported and were being exploited by hackers and cyber-criminals. These criminal elements hijack legitimate websites and install hidden codes to redirect innocent visitors to hostile websites loaded with exploit attack codes.

Most of the successful attacks exploit vulnerabilities in browsers (usually Internet Exploder), or their installed add-ons and plug-ins, like Apple QuickTime, Adobe Flash and Reader (and other PDF readers) and Sun's Java plug-in. If any of these items are a vulnerable version you may have your computer hijacked by cyber-criminals who will make it a zombie member of their Botnet. This will turn your PC into a spam machine, or it could be used to attack websites or Governments, with whom the hackers have a difference of opinion.

In order to stay safe from the barrage of hack attacks targeting browsers and their plug-ins it is imperative that you keep Windows and its components and all third party add-ons up to date. One way is to always select the option to automatically check for, download and install updates to those programs. If there is no automatic update mechanism for a program you use you should check to see if it has been updated. This could be at the manufacturer's website, or by using the free Secunia Online Software Inspector (requires current version of Java).

The details of this week's updates are below, in my extended comments.

Microsoft had another big Windows Update release on Tuesday, June 9, 2009. 10 major software patches that fix 31 important security vulnerabilities in Windows, Office, and other Microsoft products were released on Patch Tuesday. Eighteen (18) of the vulnerabilities were classified by the company as "critical fixes." The number of patches available varied with whether you have MS Office installed and which versions you have. One of my PCs received 6 updates, plus the updated Malicious Software Removal Tool (MSRT). Most people running legitimate copies of Windows 2000 and newer should receive Automatic Windows Updates, as that is the default option. Others must download them manually, by using the link to Windows Update on your Start Menu, or from the link within Internet Explorer's "Tools" menu item (IE 6 and 7), or the "Safety" menu item in IE 8.

Also on June 9, Adobe released new versions of its Acrobat PDF encoder and PDF Reader software, fixing 13 new vulnerabilities being exploited by malware laden hostile websites. Adobe announced last month that they planned to release their updates on Microsoft Patch Tuesdays, to make it easier for people to remember to look for them on the same day. This is a good idea in my opinion. Sometimes updates require switching user accounts to an Administrator level account, to install program and security updates. Getting most of your important security patches at one time is a real time saver for system admins who manage multiple computers.

Mozilla has released Firefox 3.0.11, on June 12, 2009. This is both a stability and security update. Stability and corruption issues were reported with the internal database, SQLite, which have now been fixed by upgrading to a newer version. Additionally, nine (9) security vulnerabilities were patched, four (4) of which were rated as Critical. Firefox has an automatic updater built in, unless you disabled that option, so you should receive the new version sometime today (6/12/09).

If you turned off automatic checking for Firefox updates you need to update manually. You can do so from the browser by going to the menu item Help > "Check for Updates." You should be notified about version 3.0.11 being available and offered a button to download and install the update. You can also download the latest version from the Firefox product page for English, or from this page for all other supported languages.

Apple has updated its QuickTime browser plug-in for Internet Explorer and Firefox and other browsers that use it to display .mov and other format movies. The new version is 7.6.2. Many websites have audio and video content tailored for QuickTime, leading to a large installed user-base and hackers know this. Exploit codes are always in circulation for any version of QuickTime that is exploitable. If you haven't updated your QuickTime software in a while you probably are vulnerable to these hidden, drive-by exploits. If you have QuickTime installed there are a couple of ways to update it. The easiest is to go to Control Panel and find the icon with a large Q, for QuickTime. If you don't see the Q icon try switching to "Classic" view, where all icons are displayed alphabetically. Open it and click the Update tab. Select the option to check for updates automatically (in the future) then click on the "Update" button. When the update box opens click on "Update Now."

Also, keep a current version of anti-virus and anti-spyware programs on your PCs and keep them updated. Trend Micro's Internet Security suite is very highly recommended and will protect you from web threats by blocking access to infected pages. Also known as PC-cillin, it provides protection against spyware, fake security products, Trojans, Bots and viruses, whether they come from websites, email, or IMs. PC-cillin also has a 2 way firewall and phishing protection and is updated multiple times daily.


June 10, 2009

How to use Spybot Search & Destroy to fight malware

About Spybot Search & Destroy

Spybot Search & Destroy (S&D), a product of Safer Networking Ltd., is a free ("donation-ware") security program that is used by millions of people to fight off spyware, keyloggers, Trojans, Botnet executables, adware, hostile domains, unwanted cookies and other types of malware in the wild. Being freeware it lacks some functions that are commonly implemented in commercial security programs. It has only manual updates, which are usually released once a week, on Wednesdays (see my regular weekly articles about new updates), and limited scanning presets. Most functions must be carried out manually, but hey, it's free! Despite these limitations Spybot S&D is a well respected and effective anti-malware tool to add to your arsenal.

Spybot Search and Destroy can be downloaded for free from either www.spybot.info, or from www.safer-networking.org, or several official mirror sites. Don't fall for fake versions distributed by rogue anti spyware websites. Approved download mirror sites are listed on the Spybot S&D downloads page.

Once downloaded you should install the program onto your hard drive. There are installation options to watch for and the options you select will affect the normal operation of the program, when launched. One of the installation options is for the "TeaTimer" module. This is a realtime monitoring component that sits in your System Tray and launches itself into action whenever a change is about to be made to the system, the Registry, or your browser's home or search page. The program pops up little balloon alerts asking if you want to allow or deny the changes, or even notifying you that a suspicious program file was terminated automatically. These balloon popups can be annoying at times, although you can tell TeaTimer to remember your decisions. Unfortunately, there have been several serious false positives reported in the Spybot forums concerning the TeaTimer module deleting harmless files necessary for the operation of other programs or Windows itself. Lately, these false positives are becoming fewer and further between. It is your choice whether you want to use the TeaTimer module. I would keep Windows System Restore turned ON in case TeaTimer renders an important program, or part of Windows itself unusable (use the "Last known good configuration" startup option).

No matter which options you choose to install the program with, always select the option to update the program immediately. You can select or deselect all options later on, using the Advanced Mode. Once installed and updated it is time to Immunize, then scan for threats. These steps are described in my extended comments, along with download and forum links and more instructions about using Spybot Search and Destroy.

Updating Spybot Search and Destroy

Spybot S&D is updated once a week, on Wednesdays and you must download the updates manually. In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again.

The reason I recommend launching the Updater first and separately is that sometimes it downloads program updates to the main Spybot interface. The program needs to be closed and restarted for those changes to take effect.

The other method is to launch Spybot S&D from a desktop icon and use the "Search For Updates" button on the main interface. This launches the separate Updater box described above, where you can choose your download mirror and get the latest updates.

When all updates have completed successfully and have a green check mark next to them, click Exit to close the Updater. If you used the Update link from the program you can go on to the Immunize and Check for Problems steps. If you launched the Updater by itself, use your desktop link to launch the main program.

Immunizing and scanning with Spybot S&D

With the program updated it is time to open the main program interface, using either the Start Menu link, or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, or Hosts, or Domains, as you see fit, then click on the Immunize button over the right panel, which has a green cross. Sometimes, Spybot immunizes against cookies and domains that you may actually want to visit. If you suddenly find you cannot login, or cookies are missing, you can undo the most recent Immunizations, then uncheck the desired items and re-immunize. Websites added to your Windows HOSTS file during immunization will be blocked completely, so you may need to edit that file in Notepad, saving as HOSTS, without any extension, or uncheck it from immunization if your preferred websites are blocked by Spybot S&D.

There is a button labeled "Undo" in the Immunization screen. It is used to remove Immunization from the selected items. It is also possible to undo the "fixing" of items during a scan for problems by using the "Recovery" button, in the left sidebar of the program interface. The Undo functions sometimes come in handy when a mistake has been made by the program (false positive or wanted item). Some programs are labeled as PUPS (Potentially Unpopular Programs), during a scan, but they may be useful to you. Uncheck them before Fixing Problems. You can highlight any entry in the Problems Found list and right click on it, then choose to Ignore it, or even exclude it from further detections.

UPDATE:
When I first published this article there was an ongoing issue where immunizing Internet Explorer 8.0 would cause that browser to crash upon opening. The remedy, at that time, was to undo immunizations of Domains and other items in Internet Explorer, leaving it vulnerable to attack. Microsoft has finally released a fix for this issue. The update was released on June 9th, 2009, the day before I wrote this and I was unaware of this fact. If you experienced problems with IE8 and Spybot's immunization, please download update "KB969897" via Windows updates, or download a copy directly from Microsoft.

Update #2:
Part of the weekly updates to the Spybot S&D definitions are additions or subtractions to the Windows HOSTS file. This file is used to block potentially bad IPs and URLs by redirecting requests for them to the local machine IP address 127.0.0.1. This results in your browsers displaying an error page telling you that the page cannot be displayed. Spybot does not currently alert you when it is responsible for blocking a website via HOSTS entries. Therefore, many users are unaware that the program is blocking websites they may wish to visit. If you used to be able to go to some website and after updating Spybot's definitions you find that the page cannot be displayed, it may have been added to the HOSTS blocklist by Spybot updates. You can edit the file manually, in Notepad, or in a HOSTS editor program, or uncheck the option for HOSTS in the Immunization list and re-immunize. That will remove all entries from HOSTS that were added by Spybot S&D.
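One way to check whether a site that stopped loading is being blocked by a HOSTS entry, and to remove only that name while leaving the rest of the blocklist in place. This is an added example, not part of the original article or of Spybot S&D; the sample file contents and function names are constructed for illustration, and besides 127.0.0.1 it also treats ::1 and 0.0.0.0 as blocking addresses, which goes beyond what the article mentions.

```python
"""Find and remove HOSTS-file entries that redirect a hostname to the local machine."""
import ipaddress

# On Windows the file is normally %SystemRoot%\System32\drivers\etc\hosts.
# Names that legitimately resolve to the local machine are never reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample, not a real Spybot S&D blocklist.
SAMPLE_HOSTS = """\
# Constructed sample, not a real Spybot S&D blocklist
127.0.0.1       localhost
127.0.0.1       ads.example.com  # constructed entry
127.0.0.1       Shop.Example.net tracker.example.org
192.0.2.10      intranet.example.com
0.0.0.0         ads.example.com
"""


def _is_sink(address):
    """True for loopback (127.0.0.1, ::1) or unspecified (0.0.0.0) addresses."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _normalize(name):
    """Hostnames compare case-insensitively and ignore a trailing dot."""
    return name.rstrip(".").lower()


def parse_line(line):
    """Split one HOSTS line into (address, [hostnames]); (None, []) if it holds no entry."""
    entry = line.split("#", 1)[0].split()
    if len(entry) < 2:
        return None, []
    return entry[0], entry[1:]


def blocked_hosts(text):
    """Map each blocked hostname to the 1-based line numbers that block it."""
    found = {}
    for number, line in enumerate(text.splitlines(), start=1):
        address, names = parse_line(line)
        if address is None or not _is_sink(address):
            continue
        for name in names:
            key = _normalize(name)
            if key not in LOCAL_NAMES:
                found.setdefault(key, []).append(number)
    return found


def unblock(text, hostname):
    """Return HOSTS text with `hostname` removed from blocking entries only.

    Other names on the same line, comments and ordinary entries are kept.
    """
    target = _normalize(hostname)
    kept = []
    for line in text.splitlines():
        address, names = parse_line(line)
        if address is None or not _is_sink(address):
            kept.append(line)
            continue
        remaining = [n for n in names if _normalize(n) != target]
        if len(remaining) == len(names):
            kept.append(line)  # this line does not mention the target
        elif remaining:
            comment = line.partition("#")[2]
            rebuilt = address + "\t" + " ".join(remaining)
            kept.append(rebuilt + ("  #" + comment if comment else ""))
        # otherwise the target was the only name, so the whole line is dropped
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for name, lines in sorted(blocked_hosts(SAMPLE_HOSTS).items()):
        print(f"{name} is blocked on line(s) {lines}")
```

Run it against a copy of the HOSTS file, and write the result of `unblock` back only from an Administrator account after keeping a backup of the original.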

After immunizing against unwanted items you should click on the Search & Destroy icon, on the left, then click "Check for problems," on the right side. It will take several minutes, or longer, to scan all your files for known threats, and possible threats, using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes anything listed in the definition databases will be listed in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, click on the item name, then right click and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Sometimes Spybot S&D cannot delete "problems" that are active in memory, or which are protected by rootkits. In these instances the program will ask you if you would like to have the program run automatically when you restart Windows. If you select Yes, then restart, Spybot will launch as you log into your user account in Windows and will perform a complete scan before allowing the desktop icons to load. During this time you cannot use the computer.

You can also reboot into Safe Mode, by restarting and tapping the F8 key, until a startup options menu appears. Choose Safe Mode, or Safe Mode With Networking if you need to download updates from there. Log into your user account, or the Administrator account, then scan for problems. Many types of malware will not startup in Safe Mode and many a good fight is won there.

Additional Information about Spybot S&D and links

Spybot Search and Destroy has always been and continues to be free (although they do accept donations from grateful users!). If you clicked on a download link that claimed to be for Spybot S&D and found that you were required to pay to use the program, you have been tricked. Get out of there right now and go to the real Spybot S&D website, then download the authentic version. If you installed a fake version you may be infected, so update the real one and scan for malware.

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti malware engine in Spybot 1.6+ to effectively remove them. If you are using any version older than 1.6.2 you are strongly advised to uninstall it and install the newest version. It is advisable to undo all immunizations before uninstalling Spybot S&D, then redo them after updating signatures for the new version.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

About False Positives

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.

Finally, if you have opted to use the Spybot "Tea Timer" realtime monitor, you need to know that it has been subject to a lot of false positives recently. Most have occurred since the Tea Timer module was recently updated to version 1.6.6, a few months ago. Check with the Spybot S&D False Positives Forum before allowing Tea Timer to permanently delete any files. Further, just in case, tell it to save the deleted files so you can restore them after obtaining definition updates. If you cannot wait for updates to be released tell Tea Timer to ignore the problem files, if they are known to be falsely flagged.

If you want to learn more about using the program, the complete Spybot S&D FAQ's are found here.


Spybot Search and Destroy Definitions Updated on June 10, 2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on June 10, 2009, as listed below. Some fake security programs, new Virtumonde Trojans and new or modified rootkits were added to the latest definitions.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The descriptions of the latest definition updates and false positive fixes are in my extended comments below.

Additions to malware definitions made on June 10, 2009:

Hijackers
++ Win32.AutoRun.voa

Keyloggers
+ HellzLittleSpy

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Fraud.AntivirusPlus
+ Fraud.MSAntispyware2009
+ Fraud.WinPCDefender
+ Win32.Agent.pn
+ Win32.OnLineGames.bklm
+ WinWebSecurity

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Delf.ma
++ Win32.Delf.pii
++ Win32.FraudLoad.pd
+ Win32.Rootkit.gen
+ Win32.TDSS.rtk

Total: 1423725 fingerprints in 486472 rules for 4688 products.

False positive detections reported or fixed this week:

The www.bit-world.eu Bookmark in Firefox was recognized as the "BitWorld" malware link. However, in this case it is an innocent German online shopping website that was flagged by mistake. The false positive was fixed with today's updates.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.


June 7, 2009

My Spam analysis for June 1 - 7, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam, spam, spam, spam, spam, spam, spam (from the old Monty Python routine)! The volume of spam coming to my various honeypots and user accounts has held steady this week, still at a relatively low volume (some spammers do prune honeypot accounts from their lists). The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake pharmacies, which sell illicit and counterfeit pharmaceuticals, Nigerian 419 and lottery scams, Cialis and Viagra. Also, the volume of phishing scams targeting customers of various Australian banks and credit card holders remained steady this week.

See my extended comments for this week's breakdown of spam by category, for June 1 - 7, 2009 and the latest additions to my custom MailWasher Pro filters

MailWasher Pro spam category breakdown for June 1 - 7, 2009. Spam amounted to 15% of my incoming email this week. This represents a 1% decrease from last week.
Known Spam Domains: 28.95%
Lottery Scams: 10.53%
"Other filters": (See my MWP Filters page) 10.53%
Phishing Scams: 7.89%
Male Enhancement Patches, etc: 7.89%
Nigerian 419 Scams: 7.89%
Known X-Mailer Spam: 5.26%
Weight Loss Scams: 5.26%
HTML Tricks: 5.26%
Viagra or Cialis Spam: 2.63%
Pills: 2.63%
Blacklisted Domains/Senders (e.g: kef+diz@+): 2.63%
Bayesian Learning Filter: 2.63%

The latest additions to my custom MailWasher Pro filters include updates to the Bank/credit card Phishing, Known Spam Domains, Cialis/Levitra, Pills, Image Spam and Nigerian Lottery Scam filters. Most of the miscellaneous and known spam domains emails led to bogus male enhancement solutions, like the fake Canadian Pharmacy sites, now hosted on Chinese domains and servers.

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.


June 3, 2009

Spybot Search and Destroy Definitions Updated on June 3, 2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on June 3, 2009, as listed below. Some fake security programs, Botnet executables and rootkits were added to the latest definitions.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my extended comments, along with the description of the latest definition updates and false positive fixes.

Immunizing and scanning with Spybot S&D

With the program updated it is time to open the main program interface, using either the Start Menu link, or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, or Hosts, or Domains, as you see fit, then click on the Immunize button over the right panel, which has a green cross. Sometimes, Spybot immunizes against cookies and domains that you may actually want to visit. If you suddenly find you cannot login, or cookies are missing, you can undo the most recent Immunizations, then uncheck the desired items and re-immunize. Websites added to your Windows HOSTS file during immunization will be blocked completely, so you may need to edit that file in Notepad, saving as HOSTS, without any extension, or uncheck it from immunization if your preferred websites are blocked by Spybot S&D.

After immunizing against unwanted items you should click on the Search & Destroy icon, on the left, then click "Check for problems," on the right side. It will take several minutes, or longer, to scan all your files for known threats, and possible threats, using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes anything listed in the definition databases will be listed in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, click on the item name, then right click and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

If you want to learn more about using the program, the complete Spybot S&D FAQ's are found here.

Additions to malware definitions made on June 3, 2009:


Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Fraud.PCCenter
+ Fraud.WinPCDefender
++ Win32.DsBot.ua
++ Win32.Kolab.cpx

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Bifrost.LA
++ SysM.wsk
+ Vanbot
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.BHO.ext
++ Win32.Delf.ajg
++ Win32.FraudLoad.ie
++ Win32.fx.wta
++ Win32.Inpl.sr
+ Win32.Joleee.K
++ Win32.Kolab.cqe
++ Win32.Machbot
++ Win32.Renos.ik
+ Win32.Rootkit.gen
+ Win32.TDSS.rtk
++ Win32.TLoaderBHO
+ Win32.ZBot

Total: 1422161 fingerprints in 486171 rules for 4690 products.

False positive detections reported or fixed this week:

Over the course of the last month or so several users of Spybot S&D reported that scan results were showing all of their Firefox Bookmarks as threats, with check marks to delete them when Fix Problems is clicked. Some of these users allowed this to happen, only to find that their bookmarks were gone and that these turned out to be false positives (already fixed). If this happened to you there is a way you can recover your lost Firefox Bookmarks. Proceed as follows...

Check your Firefox profile folder by using the Run command (Windows Key + R) to navigate to: %AppData%\Mozilla\Firefox\Profiles\

Look for files named bookmarks.bak, or bookmarks.html.sbsd.bak, or a subfolder named bookmarkbackups. Depending on your version of Firefox these files or folder will exist and contain backups of your bookmarks. The bookmarkbackups folder actually keeps a series of daily backups of your bookmarks.

This Mozilla article may help you with importing them back into Firefox.

Additional Information about Spybot S&D and links

Spybot Search and Destroy has always been and continues to be free (although they do accept donations from grateful users!). If you clicked on a download link that claimed to be for Spybot S&D and found that you were required to pay to use the program, you have been tricked. Get out of there right now and go to the real Spybot S&D website, then download the authentic version. If you installed a fake version you may be infected, so update the real one and scan for malware.

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti-malware engine in Spybot 1.6+ to effectively remove them. If you are using any version older than 1.6.2, you are strongly advised to uninstall it and install the newest version. It is advisable to undo all immunizations before uninstalling Spybot S&D, then redo them after updating signatures for the new version.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

About False Positives

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum after signing up for an account. Read about how to report false positives before submitting your report and request for analysis.

Finally, if you have opted to use the Spybot "Tea Timer" realtime monitor, you need to know that it has been subject to a lot of false positives recently. Most have occurred since the Tea Timer module was updated to version 1.6.6, a few months ago. Check with the Spybot S&D False Positives Forum before allowing Tea Timer to permanently delete any files. Further, just in case, tell it to save the deleted files so you can restore them after obtaining definition updates. If you cannot wait for updates to be released, tell Tea Timer to ignore the problem files, if they are known to be falsely flagged.


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.



Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.