August 30, 2009

My Spam analysis for Aug 24 - 30, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have increased significantly after being unusually low for two weeks in a row. This probably means that the Bot Masters running spam Botnets have regained access to their command and control servers, which have reactivated sleeping zombie computers. Those zombie PCs are now sending out large volumes of spam, as commanded by their Bot Masters.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Known Spam Domains" category, was for male enhancement scams and fake Viagra. There was also a bunch of Nigerian lottery scams and counterfeit watches.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."
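
Because the From and Reply-To fields are forged, the only usable evidence of where a message really came from is the Received header written by your own mail server. The following is an added example, not part of the original post or of MailWasher Pro: it walks the Received chain of a constructed message and reports the IP address that handed the mail to a trusted server. The hostnames, the trusted host list and the trusted network are assumptions for the illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not real spam). Names and IPs come from reserved
# documentation ranges. The bottom Received line is one the sender made up.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mailstore.example.net with ESMTP id A1; Sun, 30 Aug 2009 10:00:02 -0700
Received: from dsl-pool-77.example.org (unknown [203.0.113.77])
\tby mx.example.net with SMTP id B2; Sun, 30 Aug 2009 10:00:01 -0700
Received: from mail.innocent.example (mail.innocent.example [198.51.100.5])
\tby dsl-pool-77.example.org with SMTP; Sun, 30 Aug 2009 09:59:00 -0700
From: "Jane Victim" <jane@innocent.example>
Reply-To: jane@innocent.example
To: me@example.net
Subject: constructed test message

body text
"""

# Assumption: the mail hosts and address range that we operate ourselves.
TRUSTED_HOSTS = {"mx.example.net", "mailstore.example.net"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/28")]

# "from <helo> (<rdns> [<ip>]) ... by <host>" as written by common MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9A-Fa-f:.]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)


def parse_received(value):
    """Return helo, ip and stamping host of one Received header, or None."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    return {
        "helo": m.group("helo").lower(),
        "ip": ip,
        "by": m.group("by").lower().rstrip(";"),
    }


def injection_point(received, trusted_hosts, trusted_nets):
    """Walk Received headers newest first and return the first hop where an
    outside address handed the message to one of our own servers."""
    for index, value in enumerate(received):
        hop = parse_received(value)
        # A header not stamped by our own server could have been written by
        # anyone, so nothing from here down is evidence.
        if hop is None or hop["by"] not in trusted_hosts:
            return None
        if any(hop["ip"] in net for net in trusted_nets):
            continue  # internal relay between our own hosts
        hop["index"] = index
        return hop
    return None


def analyse(raw, trusted_hosts=TRUSTED_HOSTS, trusted_nets=TRUSTED_NETS):
    """Compare the claimed sender with the address that really delivered."""
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    hop = injection_point(received, trusted_hosts, trusted_nets)
    if hop is None:
        return {"claimed_from": from_addr, "source_ip": None,
                "source_helo": None, "helo_matches_from": False,
                "ignored_received": len(received)}
    helo = hop["helo"]
    matches = bool(from_domain) and (
        helo == from_domain or helo.endswith("." + from_domain))
    return {
        "claimed_from": from_addr,
        "source_ip": str(hop["ip"]),
        "source_helo": helo,
        "helo_matches_from": matches,
        # Headers below the trust boundary, which the sender controls.
        "ignored_received": len(received) - hop["index"] - 1,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

The address worth acting on is `source_ip`; the `claimed_from` mailbox belongs to the Joe Job victim.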

See my extended comments for this week's breakdown of spam by category, for Aug 24 - 30, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Aug 24 - 30, 2009. Spam amounted to 15% of my incoming email this week. This represents a +10% change from last week.
MailWasher Pro by Firetrust
"Other Filters" category: 20.59%
Canadian Pharmacy Scams: 11.56%
Blacklisted Senders: 8.82%
Diploma Scams: 8.82%
Male Enhancement Scams: 8.82%
Google Reader Spam Links: 8.82%
Known Spam Domains (a great filter!): 5.88%
Pharmaceutical spam: 5.88%
Quit Smoking spam: 5.88%
"Approve Order" spam: 5.88%
Viagra spam: 2.94%
Blocked Country filter: 2.94%

The latest weekly updates to my custom MailWasher Pro filters were to the Known X-Mailer, Herbal, Male Enhancement [B], Phishing and Canadian Pharmacy filters. I also added a new "Google Reader Spam Link" filter and two Blacklist wildcard entries: tequil*a+@+.com and [email protected]. Everything else is working as it should. Without MailWasher Pro filtering out all the junk mail I would waste a lot more time deleting it from my email program's inbox. If you're not already using MailWasher Pro to filter out spam, read on...

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g., Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.


August 26, 2009

Spybot Search and Destroy Definitions Updated on August 26, 2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on August 26, 2009, as listed below. Twenty new fake security programs were added to the "Malware" detections, plus 15 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save it to a removable disk or drive, then install it into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, cannot access security websites for updates (because of Conficker or similar malware), or has other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

Descriptions of the latest definition updates and false positive fixes are in my extended comments below.

Additions to Spybot S&D malware definitions made on August 26, 2009:

All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection.

Adware
++ SuperJuan
+ Zango

Dialer
++ HotVideo
+ DoubleD

Malware (Includes rogue or fraudulent security programs, fake registry cleaners, and fake security alerts, plus other nasty programs)
+ Fraud.AdvancedVirusRemover
++ Fraud.MalwareDoctor
+ Fraud.PersonalDefender
+ Fraud.SpywareGuard2008
+ Fraud.Sysguard
++ Fraud.WindowsProtectionSuite
+ Mirar
++ MraSearch
+ Win32.FraudLoad.edt

PUPS (Possibly UnPopular Software or Potentially Unwanted Program - user discretion advised)
+ MyWay.MyWebSearch

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors, malicious download agents and Rootkits.)
+ Virtumonde.Dll
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.gpr
++ Win32.Agent.mut
++ Win32.Agent.sg
++ Win32.Buzus.busv
+ Win32.Fakealert.ttam
+ Win32.TDSS.clt
+ Win32.TDSS.gen
+ Win32.TDSS.reg
+ Win32.TDSS.rtk
+ Win32.ZBot
++ Win32.Zirit.lay

Total: 1452041 fingerprints in 505807 rules for 4833 products

False positive detections reported, discussed, or fixed this week:


No new false positives were reported this week. However, some folks using older versions of Spybot did report false positive detections of Virtumonde in zipfldr.dll, as reported below. Please read this paragraph before reporting a false positive, or trying to delete a perfectly good Windows system file.

Note: Spybot 1.5.x is now an OLD version and is unreliable in detections and removals!

If you keep getting a report of "Virtumonde" in C:\Windows\system32\zipfldr.dll and you are running a version of Spybot S&D older than version 1.6.2, it is a probable false positive. That is a Windows system file that is automatically restored if you delete it. Any version of Spybot older than 1.6.2.46 will give false positive detections of Virtumonde and other threats, as the engine is now outdated and unable to comprehend new malware definitions. The fix: Update to the current version of Spybot S&D!

Some people running Windows 98 and ME have reported false positives of Virtumonde. They were not aware that the use of Spybot S&D on Windows versions older than W-2000 is no longer supported and is subject to many false positives and failed removals.

TeaTimer update issues and remedies:

TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and selecting "exclude this detection from further searches."

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.


August 23, 2009

My Spam analysis for Aug 17 - 23, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Wow! Spam levels have dropped significantly two weeks in a row! I received less than half the amount of spam messages from the previous few weeks. This probably means that the Bot Masters running spam Botnets have temporarily lost access to their command and control servers, or that the spammers who rent the use of those Bots have run low on cash, or are under arrest, or are lying low to avoid prosecution. I suspect the first explanation.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Known Spam Domains" category, was for male enhancement scams and fake Viagra. There was also a bunch of Nigerian lottery scams and counterfeit watches.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Aug 17 - 23, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Aug 17 - 23, 2009. Spam amounted to 5% of my incoming email this week. This represents a -3% change from last week.
MailWasher Pro by Firetrust

Known Spam Domains (a great filter!): 30.00%
Nigerian 419 & Lottery Scams: 20.00%
Viagra: 10.00%
Counterfeit Watches: 10.00%
Quit Smoking: 10.00%
HTML Tricks: 10.00%
Blacklisted Senders: 10.00%

There were no updates to my custom MailWasher Pro filters this week. Every filter is working as it should. Without MailWasher Pro filtering out all the junk mail I would waste a lot more time deleting it from my email program's inbox. If you're not already using MailWasher Pro to filter out spam, read on...

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g., Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.


August 19, 2009

Spybot Search and Destroy Definitions Updated on August 19, 2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on August 19, 2009, as listed below. Twenty new fake security programs were added to the "Malware" detections, plus 15 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save it to a removable disk or drive, then install it into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, cannot access security websites for updates (because of Conficker or similar malware), or has other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

Descriptions of the latest definition updates and false positive fixes are in my extended comments below.

Additions to Spybot S&D malware definitions made on August 19, 2009:

All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection.

Adware
++ FAVORIT-NETWORK

Dialer
+ eGroup.InstantAccess

Malware (Includes rogue or fraudulent security programs, fake registry cleaners, and fake security alerts, plus other nasty programs)
+ ExtraAntivir
++ Fraud.AdvancedVirusRemover
++ Fraud.AdvansedSpywareDetect
++ Fraud.AntiSpyProtector2009
++ Fraud.AntivirusBest
++ Fraud.CoreGuardAntivirus2009
++ Fraud.FastAntivirus2009
++ Fraud.HomeAntivirus2009
++ Fraud.MalwareCatcher2009
++ Fraud.PCAntiMalware
++ Fraud.PCAntispyware2010
++ Fraud.PCPrivacyDefender
+ Fraud.ProtectionSystem
++ Fraud.Unvirex
+ Fraud.VirusDoctor
++ Fraud.VirusRemovalProfessional
++ Fraud.VirusShield2009
+ Fraud.WiniblueSoftware
++ Fraud.WiniShield
++ Fraud.WinOptimizer
+ Fraud.XPAntivirus
+ Smitfraud-C.
+ Win32.FraudLoad.edt
+ Win32.Koobface
++ Win32.Sober.P

PUPS (Possibly UnPopular Software or Potentially Unwanted Program - user discretion advised)
+ GameVance

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors, malicious download agents and Rootkits.)
++ Alcra
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.d
+ Win32.Agent.fbx
++ Win32.Agent.wu
++ Win32.Agent.xml
++ Win32.AutoRun.gg
++ Win32.Buzus.brxa
+ Win32.Downloader.dequ
+ Win32.Fakealert.ttam
+ Win32.TDSS.blk
+ Win32.TDSS.clt
+ Win32.TDSS.rtk
+ Win32.ZBot

Total: 1446195 fingerprints in 504061 rules for 4827 products.

False positive detections reported, discussed, or fixed this week:

There is a confirmed false positive detection of "Win32.Fakealert.ttam" in PhraseExpress software's executable: phraseexpress.exe. This has been, or will be, fixed once the known good file has been catalogued. In the meantime, if the only detection shown for Win32.Fakealert.ttam in PhraseExpress is a Registry Key, with no other actual files reported as infected with this same malware, it IS a false positive. If you use PhraseExpress and Spybot has deleted your registry key, you can recover it via the built-in Undo, after finding it in the list of fixed items. Or, reinstall the program and tell Spybot to ignore this detection.

If you keep getting a report of "Virtumonde" in C:\Windows\system32\zipfldr.dll and you are running a version of Spybot S&D older than version 1.6.2, it is a probable false positive. That is a Windows system file that is automatically restored if you delete it. Any version of Spybot older than 1.6.2.46 will give false positive detections of Virtumonde and other threats, as the engine is now outdated and unable to comprehend new malware definitions. The fix: Update to the current version of Spybot S&D!

Some people running Windows 98 and ME have reported false positives of Virtumonde. They were not aware that the use of Spybot S&D on Windows versions older than W-2000 is no longer supported and is subject to many false positives and failed removals.

TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and selecting "exclude this detection from further searches."

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.


August 16, 2009

My Spam analysis for Aug 10 - 16, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Wow! Spam levels have dropped significantly this week! I received about half the amount of spam messages from the previous few weeks. This could mean that the Bot Masters running spam Botnets have temporarily lost access to their command and control servers, or that the spammers who rent the use of those Bots have run low on cash, or are under arrest, or are lying low to avoid prosecution. I suspect the first explanation.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Known Spam Domains" category, was for male enhancement scams and fake Viagra. There was also a bunch of Nigerian 419 scams.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Aug 10 - 16, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Aug 10 - 16, 2009. Spam amounted to 8% of my incoming email this week. This represents a -9% change from last week.
MailWasher Pro by Firetrust

Nigerian 419 Scams: 30.00%
Known Spam Domains (a great filter!): 26.67%
Viagra: 20.00%
Extenze, or other male enhancement, in the "From" field: 10.00%
Counterfeit Watches: 6.67%
Known Spam X-Mailers: 6.67%

The latest weekly update to my custom MailWasher Pro filters was to the "Known Spam Domains" filter. Everything else is working as it should. Without MailWasher Pro filtering out all the junk mail I would waste a lot more time deleting it from my email program's inbox. If you're not already using MailWasher Pro to filter out spam, read on...

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g., Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.


August 12, 2009

Spybot Search and Destroy Definitions Updated on August 12, 2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on August 12, 2009, as listed below. One new fake security program was added to the "Malware" detections, plus several new Trojans, rootkits and modified spam bots were added to the "Trojan" list.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save it to a removable disk or drive, then install it into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of Conficker or similar malware), or has other networking problems. The downloaded definition includes file will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

Descriptions of the latest definition updates and false positive fixes are in my extended comments below.

Additions to malware definitions made on August 12, 2009:

All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection.

Malware (Includes rogue or fraudulent security programs, fake registry cleaners, and fake security alerts, plus other nasty programs)
+ Fraud.AntivirusPro

Spyware
+ EBlaster

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors, malicious download agents and Rootkits.)
+ BraveSentry
+ eGroup.InstantAccess
+ Win32.Agent.fbx
+ Win32.Banload.aghb
+ Win32.FraudLoad.edt
+ Win32.OnLineGames.ubha
+ Virtumonde.sdn
+ Virtumonde.sci
+ Win32.Seneka.rtk
+ Win32.TDSS.rtk
+ Win32.TDSS.reg
+ Win32.TDSS.gen
+ Win32.TDSS.blk
+ Win32.ZBot

Total: 1431193 fingerprints in 496900 rules for 4802 products.

False positive detections reported, discussed, or fixed this week:

There is a confirmed false positive detection of "Win32.Fakealert.ttam" in PhraseExpress software's executable: phraseexpress.exe. This has been, or will be, fixed once the known good file has been catalogued.

A confirmed false positive detection of "Virtumonde" in the file C:\Windows\System\DOSFNT01.dll has been fixed with today's updates.

A confirmed false positive detection of the "Virtumonde" Trojan in C:\WINDOWS\system32\WMDRMdev.dll has been fixed.

A false positive detection of "Eblaster" in vbcards.dll (in the system32 directory) was confirmed and fixed. That file has to do with the Freecell card game.

After you update definitions to fix false positives, a restart of either TeaTimer or the computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the item in the Spybot S&D scan result and selecting "exclude this detection from further searches".

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.


August 9, 2009

My Spam analysis for Aug 3 - 9, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

The volume of spam coming to my various honeypots and user accounts has declined very slightly, to 17%. Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. When this happens the overall volume of spam drops. Once they get those hostile servers back online, with other hosts, the zombies are awakened and we see lots more spam.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Other Filters" category, was for male enhancement scams and the fake Canadian Pharmacy and other fake pharmacies. Next was spam for pirated software and casinos.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."
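Because the From and Reply-To lines are written by the spam script, the only header worth acting on is the Received line stamped by your own mail server, which records the address of the machine that actually connected. The following is an added example, not part of the original post: the message, the host name mx.example.net and all addresses are constructed, and it assumes you know your receiving server's host name.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: forged From/Reply-To, one Received line stamped by our
# own server (top) and one line below it that the spam script made up.
RAW_MESSAGE = (
    "Received: from dsl-host.example.org (unknown [203.0.113.45])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 4F2A11C0\n"
    "\tfor <me@example.net>; Sun, 9 Aug 2009 10:15:02 -0400 (EDT)\n"
    "Received: from mail.bank.example (mail.bank.example [192.0.2.10])\n"
    "\tby smtp.bank.example with ESMTP; Sun, 9 Aug 2009 14:14:58 +0000\n"
    'From: "Innocent Victim" <victim@example.com>\n'
    "Reply-To: victim@example.com\n"
    "To: me@example.net\n"
    "Subject: Canadian Pharmacy\n"
    "Date: Sun, 9 Aug 2009 14:14:55 +0000\n"
    "\n"
    "Body text.\n"
)

BY_HOST = re.compile(r"(?:^|\s)by\s+([A-Za-z0-9.-]+)", re.I)
BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
# Hops between our own internal relays are not the spam source.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def analyse(raw, trusted_hosts):
    """Return the claimed sender and the IP that really handed us the message.

    Received lines are prepended, so the newest is first. We walk down only
    while the stamping host ("by ...") is one of ours; the first line stamped
    by anyone else, and everything below it, may be fabricated.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    trusted = {h.lower() for h in trusted_hosts}
    hops = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]

    source, trusted_count = None, 0
    for text in hops:
        by = BY_HOST.search(text)
        if not by or by.group(1).lower().rstrip(".") not in trusted:
            break
        trusted_count += 1
        peer = BRACKET_IP.search(text[:by.start()])
        if not peer:
            continue
        try:
            ip = ipaddress.ip_address(peer.group(1))
        except ValueError:
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            source = ip  # deepest trusted hop wins: the boundary of our network

    return {
        "claimed_from": parseaddr(str(msg["From"]))[1],
        "connecting_ip": str(source) if source else None,
        "untrusted_received": len(hops) - trusted_count,
    }


if __name__ == "__main__":
    print(analyse(RAW_MESSAGE, ["mx.example.net"]))
```
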

See my extended comments for this week's breakdown of spam by category, for Aug 3 - 9, 2009, and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Aug 3 - 9, 2009. Spam amounted to 17% of my incoming email this week. This represents a -1% change from last week. Monday, Tuesday and Thursday had the highest volume of spam in my accounts.

MailWasher Pro by Firetrust

"Other filters": (See my MWP Filters page) 23.91%
Yahoo Groups Spam Link: 17.39%
Male Enhancement Patches, etc: 15.22%
Canadian Pharmacy spam: 8.70%
Pharmaceutical spam: 8.70%
Pheromones Spam: 4.35%
Pills Spam: 4.35%
Casino spam: 4.35%
Known Spam Domains (a great filter!): 4.35%
Counterfeit Watches: 4.35%
Pirated Software: 4.35%

The latest weekly updates to my custom MailWasher Pro filters were the Known Spam Domains, Canadian Pharmacy, Male Enhancement [Body], Phishing and Diploma spam filters. Everything else is working as it should. Without MailWasher Pro filtering out all the junk mail I would waste a lot more time deleting it from my email client's inbox. If you're not already using MailWasher Pro to filter out spam, read on...

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g., Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.


August 7, 2009

Java updated - Hotmail to drop Outlook Express support

I have a couple of new items to alert my readers about today. First, Sun Corporation has just updated their Java Virtual Machine (JVM) to version 6, Update 15 (build 1.6.0_15-b03), fixing vulnerabilities announced by Microsoft in ATL components of Visual Studio. Apparently, Java itself used some of the vulnerable ATL modules, and Sun had to re-code the JVM to prevent it from being exploited in drive-by attacks against these components. Go to www.java.com to download and install the current version of Java from your browser. You can also manually choose an online or offline setup version for various operating systems, from this page.

As of today, updating the Java VM does not automatically uninstall older versions of Java. This is by an executive decision made by Sun Corp. They are afraid of breaking existing programs that depend on certain versions of Java. However, cyber-criminals are known to write codes pointing to the default installation paths of vulnerable versions of Java. If you leave an exploitable Java executable on your computer, then accidentally surf to, or get redirected to a hostile website, that version of Java can be used against you! If at all possible, if you aren't running a critical application that depends on an older version of Java, uninstall older versions after you update to a new version. You must close all browsers for the updates to take effect. If an application stops working properly after you update the Java VM, go to the manufacturer's website or look for a built-in check for updates link, to see if they have released a patched version to work with the new JVM.
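One way to find the older Java runtimes left behind after an update, as an added example (not code from the original post or from Sun). It assumes the installer's registry key HKLM\SOFTWARE\JavaSoft\Java Runtime Environment, whose subkeys are named by version and hold a JavaHome value; the sample entries and paths are constructed.

```python
import re
import sys

JRE_KEY = r"SOFTWARE\JavaSoft\Java Runtime Environment"
# Full version keys look like 1.6.0_15 or 1.6.0; short keys such as "1.6" are
# aliases for the current runtime of that family, not separate installations.
FULL_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")

# Constructed sample of (subkey name, JavaHome) pairs, used off Windows.
SAMPLE = [
    ("1.6", r"C:\Program Files\Java\jre6"),
    ("1.6.0_15", r"C:\Program Files\Java\jre6"),
    ("1.6.0_07", r"C:\Program Files\Java\jre1.6.0_07"),
    ("1.5.0_11", r"C:\Program Files\Java\jre1.5.0_11"),
]


def parse_version(name):
    """Turn '1.6.0_15' into (1, 6, 0, 15); return None for alias keys."""
    m = FULL_VERSION.match(name)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def stale_runtimes(installed):
    """Return (newest version name, [(name, JavaHome), ...] older than it).

    Numeric comparison matters: as plain strings '1.6.0_9' sorts after
    '1.6.0_15'. Entries equal to the newest version (for example its 32-bit
    and 64-bit copies) are not reported as stale.
    """
    versioned = [(parse_version(n), n, h) for n, h in installed]
    versioned = [e for e in versioned if e[0] is not None]
    if not versioned:
        return None, []
    newest = max(versioned)
    stale = sorted(e for e in versioned if e[0] < newest[0])
    return newest[1], [(n, h) for _, n, h in stale]


def read_installed_jres():
    """Read (version, JavaHome) pairs from both registry views (Windows only)."""
    import winreg
    found = []
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, JRE_KEY, 0,
                                  winreg.KEY_READ | view)
        except OSError:
            continue  # no Java registered in this view
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                name = winreg.EnumKey(root, i)
                try:
                    with winreg.OpenKey(root, name) as sub:
                        home, _ = winreg.QueryValueEx(sub, "JavaHome")
                except OSError:
                    continue
                if (name, home) not in found:
                    found.append((name, home))
    return found


if __name__ == "__main__":
    entries = read_installed_jres() if sys.platform == "win32" else SAMPLE
    newest, stale = stale_runtimes(entries)
    print("Newest runtime:", newest)
    for name, home in stale:
        print("Older runtime still installed:", name, "at", home)
```
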

The second matter affects Windows PC users who download Hotmail messages to their desktops, via Microsoft's Outlook, Outlook Express or Entourage programs. Microsoft has decided to make code changes to the way the Hotmail email servers work and these changes will cause Outlook and Outlook Express to stop sending and receiving Hotmail messages on September 1, 2009. Hotmail is now called "Windows Live Hotmail."

To continue to receive e-mail from your Hotmail account, you will have to select one of the alternative solutions below before September 1, 2009. After that day, new Hotmail e-mail can only be delivered to, or sent from your mail programs through the following alternative solutions. However you can continue to view and send your Hotmail messages via your web browsers.

If you use Microsoft Office Outlook to view Hotmail, you can download the free Office Outlook Connector to continue accessing your Windows Live Hotmail within Outlook 2003 or 2007. If you run an older version, read this information.

If you use Outlook Express (OE) to view Hotmail, you can choose to download the free Windows Live Mail (WLM), which resembles Outlook Express, but is much more powerful, less prone to crashes and contains a junk filter. You can import all of your saved .eml messages and accounts from OE into WLM (via Export/Import, or drag and drop between email clients). You can also import your personal folders from OE. The view is a little different, but you'll get used to it. You can find help on this page with exporting messages from Outlook Express into WLM.

If you are using Entourage to send and receive Hotmail, read these instructions to continue connecting to the new servers.

Why did this change happen? Because Microsoft Outlook, Outlook Express, and Entourage use a legacy communications method, known as the DAV protocol, to access Hotmail. Because the DAV protocol is not optimally suited for programs to access large inboxes such as Hotmail, which now provides users ever-growing storage, new alternatives have been built. Microsoft postponed their initial plans to retire the DAV protocol until more options were available. Now that these options (including the POP3 protocol) are available, they are ready to retire the DAV protocol, on September 1, 2009.


August 6, 2009

Spybot Search and Destroy Definitions Updated on August 5, 2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on August 5, 2009, as listed below. Many new and altered fake security programs were added to the "Malware" detections, plus several new Trojans, rootkits and modified spam bots were added to the "Trojan" list.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save it to a removable disk or drive, then install it into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of Conficker or similar malware), or has other networking problems. The downloaded definition includes file will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

Descriptions of the latest definition updates and false positive fixes are in my extended comments below.

Additions to malware definitions made on August 5, 2009:

All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection.

Dialer
+ eGroup.InstantAccess

Hijackers
+ W3adv

Malware (Includes rogue or fraudulent security programs, fake registry cleaners, and fake security alerts, plus other nasty programs)
+ BugDoctor
++ Fraud.AntiMalwareSuite
+ Fraud.AntivirusPlus
+ Fraud.AntivirusXP
++ Fraud.AVCare
++ Fraud.BadwareProtector
++ Fraud.BarracudaAntivirus
++ Fraud.HomeAntivirus2010
++ Fraud.PCSecurity2009
++ Fraud.ProtectionSystem
++ Fraud.SecurityMechanic
++ Fraud.SmartDefenderPro
++ Fraud.SmartProtector
+ Fraud.SystemGuard2009
+ Fraud.SystemSecurity
++ Fraud.USAntispy
+ Smitfraud-C.
++ Win32.Agent.sim
+ Win32.FraudLoad.edt
+ Winsoftware.WinAntiVirusPro2007 (Fraudulent anti virus - back from the dead!)

PUPS (Possibly UnPopular Software or Potentially Unwanted Program - user discretion advised)
+ GameVance
+ MyWay.MyWebSearch

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors, malicious download agents and Rootkits.)
+ KillAV
+ Win32.Agent.fbx
++ Win32.Agent.sc
++ Win32.Agent.wndm
++ Win32.Clicker.lc
++ Win32.Fakealert.ttam
+ Win32.Joleee.K
++ Win32.Monopod
+ Win32.Podnuha.rtk
++ Win32.RBot.sv
++ Win32.TDSS.blk
+ Win32.TDSS.gen
++ Win32.VBInject
+ Win32.ZBot

Worm
++ Win32.vb.aas

Total: 1418423 fingerprints in 491056 rules for 4802 products.

False positive detections reported, discussed, or fixed this week:

A user has reported a possible false positive detection of "Smitfraud-C" in a file named Enlocstr.exe, which may belong to SoundBlaster XFi software. We should know more by this weekend, after the uploaded file has been tested.

A false positive detection of "Eblaster" in vbcards.dll (in the system32 directory) was confirmed and fixed with the updates of 8/5/09. That file has to do with the Freecell card game.

Another frustrated visitor to the Spybot False Positives forum reported a possible false positive of EBlaster in C:\Windows\System32\dinput8.dll. Unfortunately, he deleted the file before learning how to email it to Team Spybot for analysis! While we may never know if his particular file was infected with eBlaster, others may get this same detection. I Googled on that file and found that Dinput.dll is a DirectX DLL, which handles DirectInput. This gives functionality for multimedia input devices such as joysticks and should NOT be disabled or deleted! If this detection occurs when you scan with Spybot, please restart your PC in Safe Mode, navigate to the location where that file resides, copy it, then paste it into a zip file and email it to detections(at)spybot.info.

After you update definitions to fix false positives, a restart of either TeaTimer or the computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the item in the Spybot S&D scan result and selecting "exclude this detection from further searches".

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.


August 2, 2009

My Spam analysis for July 27 - Aug 2, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

The volume of spam coming to my various honeypots and user accounts has declined slightly, to 18%. Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. When this happens the overall volume of spam drops. Once they get those hostile servers back online, with other hosts, the zombies are awakened and we see lots more spam.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for male enhancement scams and the fake Canadian Pharmacy, which sells illicit and counterfeit pharmaceuticals like Viagra, and is hosted on Botnetted PCs. Next was spam for weight loss ripoffs and casinos.

See my extended comments for this week's breakdown of spam by category, for July 27 - Aug 2, 2009, and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for July 27 - Aug 2, 2009. Spam amounted to 18% of my incoming email this week. This represents a -3% change from last week. Tuesday had the highest volume of spam in my accounts.
Known Spam Domains (a great filter!): 29.63%
Canadian Pharmacy spam: 25.93%
Male Enhancement Patches, etc: 7.41%
Weight Loss Scams (e.g. Acai Berry): 7.41%
Yahoo Groups Spam Link: 7.41%
Phishing Scams (bank or credit card): 3.70%
"Other filters": (See my MWP Filters page) 3.70%
Known X-Mailer Spam: 3.70%
Casino spam: 3.70%
Nigerian 419 Scams: 3.70%
Lottery Scams: 3.70%

The latest weekly updates to my custom MailWasher Pro filters were the Casino, Known X-Mailer, Known Spam Domains and Nigerian 419 spam filters. I also moved the Subject is RE: or FW: filter down. Everything else is working as it should. Without MailWasher Pro filtering out all the junk mail I would waste a lot more time deleting it from my email client's inbox. If you're not already using MailWasher Pro to filter out spam, read on...

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g., Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.


Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.