October 28, 2009

Spybot Search & Destroy updates for Oct 28, 2009

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on October 28, 2009, as listed below. 14 new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 10 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save it to a removable disk or drive, then install it into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of Conficker or similar malware), or due to other networking problems. The downloaded definition includes file will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments.

Additions to Spybot S&D malware definitions made on Oct 28, 2009:

All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection.

Hijacker
+ CoolWWWSearch.Svchost32

Malware
++ BPS.AdwareEraser
+ CoolWWWSearch.OleHelp
++ Fraud.ActiveSecurity
++ Fraud.PCScout
++ Fraud.SecurityTool
++ Fraud.SoftCop
++ Fraud.SoftSoldier
++ Fraud.SoftVeteran
++ Fraud.TREAntivirus
+ Lop
+ Win32.Agent.chh
++ Win32.Autorun.Protector
+ Win32.FraudLoad.edt
++ Win32.VB.svh

Security
+ Microsoft.Windows.RedirectedHosts

Trojans
+ Fake.FlashPlayer
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.FraudLoad.pd
++ Win32.OnLineGames.ufye
++ Win32.OnLineGames.ugek
++ Win32.OnLineGames.uncy
++ Win32.OnLineGames.urst
+ Win32.Rungbu.a
+ Win32.TDSS.reg
+ Win32.ZBot

Total: 1602285 fingerprints in 569618 rules for 4997 products.

False positive detections reported, discussed, or fixed this week:

There were two possible new false positives reported this week. However, if you are still using an older version of Spybot you are likely to see false positives of all kinds. When I say old version I mean any version that is not the most current release (see below). The Spybot engine now gets changed radically with each new update, to help it deal with stubborn new types and variations of modern spyware.

Two people reported that they received a TeaTimer (Resident) notification that cygrunsrv.exe and tail.exe, part of the Cygwin program, contained Fraud.SoftCop. The same detection was reported after they downloaded fresh setup files for Cygwin from the maker. This is new and not resolved as of this posting time.

There is a confirmed false positive detection in Setup Factory 6.0, of "TeamTaylor.ScreenSaver" detected in irunin.bmp and irunin.lng. This has been fixed with today's updates.

There is an unresolved possible false positive detection of a Trojan in C:\Windows\System32\winsys2.exe. The reporter stated that this file is the executable associated with his MSI graphics card tools utility. The file was sent to Team Spybot for analysis two weeks ago, but they have not posted their findings. If you also get this file reported as a Trojan you should report it in the thread about this file on the Spybot False Positives forum.

Note. Spybot 1.5.x is now an OLD version and is unreliable in detections and removals!

If you keep getting a report of "Virtumonde" in C:\Windows\System32\zipfldr.dll and you are running a version of Spybot S&D older than version 1.6.2, it is a probable false positive. That is a Windows system file that is automatically restored if you delete it. Any version of Spybot older than 1.6.2.46 will give false positive detections of Virtumonde and other threats, as the engine is now outdated and unable to comprehend new malware definitions. The fix: Update to the current version of Spybot S&D!

Some people running Windows 98 and ME have reported false positives of Virtumonde. They were not aware that the use of Spybot S&D on Windows versions older than W-2000 is no longer supported and is subject to many false positives and failed removals.

TeaTimer update issues and remedies:

TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the item in the Spybot S&D scan result and selecting "exclude this detection from further searches".

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.


October 25, 2009

My Spam analysis for Oct 20 - 25, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have increased 4% this week, after two weeks in a row that spam levels had declined here. This might mean that the Bot Masters running spam Botnets may be sorting out problems maintaining their command and control (C&C) servers, used to reactivate their sleeping zombie computers (Almost all spam is now sent from "zombie" computers in spam Botnets).

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for Nigerian 419 advance fee fraud scams, counterfeit Viagra and other brand name knock-offs. There was also a resurgence in spam using Yahoo! Groups web pages, mostly for the fake "Canadian Pharmacy," so Yahoo! needs to set up some keyword filters to detect and take down these illicit pages. Many of the "Known Spam Domain" spamvertised pharmaceutical websites were domains ending in ".cn" - which is the designation for websites hosted in China. Coincidentally, these spam messages were usually promoting the fake Canadian Pharmacy sites. Spammers try to confuse their victims with .cn domain links, because actual Canadian websites end in .ca, which many people don't realize.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Oct 20 - 25, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Oct 20 - 25, 2009. Spam amounted to 15% of my incoming email this week. This represents a +4% change from last week.
Nigerian 419 Scams: 25.00%
Known Spam Domains: 14.29%
Lottery Scams: 10.71%
Viagra: 10.71%
"Other Filters": 10.71%
Known X-Mailer Spam: 7.14%
HTML Tricks: 7.14%
Hidden ISO or ASCII Subject: 3.57%
Counterfeit Goods: 3.57%
Software (Pirated) Spam: 3.57%
Known Spam TO: 3.57%
The latest weekly updates to my custom MailWasher Pro filters were to the Nigerian 419 Scams, APNIC and Canadian Pharmacy (scam) filters. I also added two email addresses to the MailWasher Blacklist. They are: [email protected] and [email protected] (419 scammers). Everything else is working as it should. Without MailWasher Pro filtering out all the junk mail I would waste a lot more time deleting it from my email program's inbox. If you're not already using MailWasher Pro to filter out spam, read on...
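As an added example (not MailWasher Pro's code and not the author's actual filter rules), here is a small rule-based classifier in Python that models the spam categories used in the weekly breakdowns on this page (the .cn links behind fake "Canadian Pharmacy" spam, Yahoo! Groups links, encoded subjects, 419 and lottery wording, a known-bad X-Mailer) and computes the same kind of percentage breakdown. The sample messages, the rule priority, the keyword lists and the X-Mailer denylist are all constructed assumptions for illustration.

```python
import re
from collections import Counter
from email.header import decode_header

# Constructed sample corpus (not real mail). Each message is a dict of a few
# headers plus the body text; the traits mirror the categories in the post.
SAMPLE_MESSAGES = [
    {"Subject": "Re: meeting notes", "From": "colleague@example.org",
     "Body": "Attached are the notes from Tuesday."},
    {"Subject": "Cheap meds from Canadian Pharmacy", "From": "shop@example.net",
     "Body": "Order now at http://pills.example.cn/order"},
    {"Subject": "New files", "From": "friend@example.com",
     "Body": "See http://groups.yahoo.com/group/bargain-meds-2009/"},
    {"Subject": "=?ISO-8859-1?B?WW91ciBhY2NvdW50?=", "From": "x@example.com",
     "Body": "Please confirm your details."},
    {"Subject": "URGENT BUSINESS PROPOSAL", "From": "barrister@example.com",
     "Body": "I am the next of kin of a late client; transfer of 10.5 million USD awaits."},
    {"Subject": "CONGRATULATIONS", "From": "claims@example.com",
     "Body": "You have won the international lottery. Contact the claims agent."},
    {"Subject": "v1agra at low price", "From": "rx@example.net",
     "Body": "Best prices on v1agra and c1alis."},
    {"Subject": "hello", "From": "a@example.com", "X-Mailer": "Bulk Mailer Pro 2.1",
     "Body": "hi"},
]

# Constructed denylist of mailer strings seen only in bulk spam (assumption).
KNOWN_SPAM_XMAILERS = {"Bulk Mailer Pro 2.1"}

LINK_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def link_hosts(body):
    """Hostnames of every http(s) link in the body, lower-cased."""
    return [h.lower() for h in LINK_RE.findall(body)]


def hidden_encoded_subject(subject):
    """True when the Subject uses an RFC 2047 encoded-word whose decoded text is
    plain ASCII: the encoding was unnecessary, so it only hides the words from
    naive keyword filters (the 'Hidden ISO or ASCII Subject' category)."""
    if "=?" not in subject:
        return False
    for chunk, charset in decode_header(subject):
        if charset is None:          # plain, unencoded fragment
            continue
        text = chunk.decode(charset, errors="replace") if isinstance(chunk, bytes) else chunk
        if text.isascii():
            return True
    return False


def classify(msg):
    """Return one category for a message, or None for legitimate mail.
    Rules fire in priority order so each message lands in exactly one slice,
    as in a pie chart."""
    subject = msg.get("Subject", "")
    body = msg.get("Body", "")
    text = (subject + "\n" + body).lower()
    hosts = link_hosts(body)

    cn_link = any(h.endswith(".cn") for h in hosts)
    if cn_link and "pharmacy" in text:          # .cn link dressed up as 'Canadian'
        return "Canadian Pharmacy Scams"
    if cn_link:
        return "Known Spam Domains"
    if any(h == "groups.yahoo.com" for h in hosts):
        return "Yahoo Groups spam link"
    if hidden_encoded_subject(subject):
        return "Hidden ISO or ASCII Subject"
    if re.search(r"\bv[i1]agra\b", text):       # catches the common 1-for-i swap
        return "Viagra"
    if "next of kin" in text or re.search(r"\b\d[\d.,]* million\b", text):
        return "Nigerian 419 Scams"
    if "lottery" in text and "won" in text:
        return "Lottery Scams"
    if msg.get("X-Mailer", "") in KNOWN_SPAM_XMAILERS:
        return "Known X-Mailer Spam"
    return None


def breakdown(messages):
    """Share of spam per category (percent of spam, like the 'Junk Mail' chart)
    and the share of all incoming mail that was flagged (like the 'Summary')."""
    counts = Counter(c for c in map(classify, messages) if c)
    spam_total = sum(counts.values())
    shares = {cat: round(100.0 * n / spam_total, 2) for cat, n in counts.items()} if spam_total else {}
    flagged_pct = round(100.0 * spam_total / len(messages), 2) if messages else 0.0
    return shares, flagged_pct


if __name__ == "__main__":
    shares, flagged = breakdown(SAMPLE_MESSAGES)
    print(f"Spam amounted to {flagged}% of incoming mail")
    for cat, pct in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"{cat}: {pct:.2f}%")
```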

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.


October 21, 2009

Spybot Search & Destroy updates for Oct 21, 2009

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on October 21, 2009, as listed below. 19 new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 30 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.


Additions to Spybot S&D malware definitions made on Oct 21, 2009:

All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection.

Adware
++ MyDealAssistant

Keylogger
++ Win32.Agent.cfg

Malware (Includes rogue or fraudulent security programs, fake registry cleaners, and fake security alerts, plus other nasty programs)

+ AdRotator
++ BPS.AdwareInspector
++ Fake.FlashPlayer
+ FAVORIT-NETWORK
+ Fraud.AntivirusPro2010
++ Fraud.CyberSecurity
+ Fraud.PCSecurity2009
+ Fraud.SmartVirusEliminator
++ Fraud.TrustFighter
++ Fraud.TrustSoldier
++ Fraud.WindowsEnterpriseDefender
+ Fraud.WindowsPolicePro
++ Fraud.WindowsSmartSecurity2009
+ Fraud.XPAntivirus
+ Mirar
+ Smitfraud-C.
++ Win32.Birdieb.b
+ Win32.FraudLoad.edt
+ Win32.Renos

PUPS (Possibly UnPopular Software or Potentially Unwanted Program - user discretion advised)

++ PremiereAdvertisingPlatform

Security
+ Microsoft.Windows.RedirectedHosts

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors, malicious download agents and Rootkits.)

+ Fraud.Norton2009Reset
++ Opachki.ru
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.asa
++ Win32.Agent.bwy
++ Win32.Agent.cld
++ Win32.Agent.cnu
++ Win32.Agent.dfh
++ Win32.Agent.dlt
++ Win32.Agent.ggg
++ Win32.Agent.ls
++ Win32.Agent.msv
++ Win32.Agent.res
++ Win32.Agent.wsv
++ Win32.Agent.ww
+ Win32.Agent.xwr
++ Win32.Clicker.odb
+ Win32.Fakealert.ttam
++ Win32.OnLineGames.uhvp
++ Win32.OnLineGames.unam
++ Win32.OnLineGames.unuh
+ Win32.Podnuha.rtk
+ Win32.Qhost.aei
+ Win32.TDSS.gen
+ Win32.TDSS.pe
+ Win32.TDSS.rtk
+ Win32.TDSS.tit
+ Win32.VB.ck
+ Win32.ZBot

Total: 1588454 fingerprints in 564134 rules for 4989 products.

False positive detections reported, discussed, or fixed this week:

There was just one (possible) new false positive reported this week. However, if you are still using an older version of Spybot you are likely to see false positives of all kinds. When I say old version I mean any version that is not the most current release (see below). The Spybot engine now gets changed radically with each new update, to help it deal with stubborn new types and variations of modern spyware.

There is a possible false positive detection of a Trojan in C:\Windows\System32\winsys2.exe. The reporter stated that this file is the executable associated with his MSI graphics card tools utility. The file has been sent to Team Spybot for analysis and I will report on their findings next week. If you also get this file reported as a Trojan you should report it in the thread about this file on the Spybot False Positives forum.



October 18, 2009

My Spam analysis for Oct 12 - 18, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have decreased again this week, making two weeks in a row that spam levels have declined here. This might mean that the Bot Masters running spam Botnets may have problems maintaining their command and control (C&C) servers, used to reactivate their sleeping zombie computers (Almost all spam is now sent from "zombie" computers in spam Botnets). Or, maybe those zombie PCs have been disinfected or taken offline. Or, maybe they are putting most of their efforts into scams on social networking sites and server exploits.

However, Bot Herders and spammers don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for the fake Canadian Pharmacy and counterfeit watches and other "knock offs." There were also several Nigerian 419 advance fee fraud scams. Most spamvertised pharmaceutical websites were domains ending in ".cn" - which is the designation for websites hosted in China. Coincidentally, these spam messages were usually promoting the fake Canadian Pharmacy sites. Spammers try to confuse their victims with .cn domain links, because actual Canadian websites end in .ca, which many people don't realize.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Oct 12 - 18, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Oct 12 - 18, 2009. Spam amounted to 11% of my incoming email this week. This represents a -6% change from last week.
DNS Blacklisted Servers: 17.65%
Canadian Pharmacy Scams: 11.76%
Counterfeit Watches: 11.76%
Yahoo Groups spam link: 11.76%
Hidden ISO or ASCII Subject: 11.76%
Lottery Scams: 11.76%
Known Spam Domains: 5.88%
African Sender (Nigerian 419 Scams): 5.88%
Viagra: 5.88%
Counterfeit Goods: 5.88%

The latest weekly updates to my custom MailWasher Pro filters were to the Lottery Scams, African Senders and Counterfeit Goods filters. Everything else is working as it should. Without MailWasher Pro filtering out all the junk mail I would waste a lot more time deleting it from my email program's inbox. If you're not already using MailWasher Pro to filter out spam, read on...


October 15, 2009

Spybot Search & Destroy updates for Oct 7 & 14, 2009

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two weeks' updates were released on schedule on October 7 & 14, 2009, as listed below. 25 new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 19 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.


Additions to Spybot S&D malware definitions made on Oct 7 & 14, 2009:

All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection.

Adware
++ Adlaunch
+ DuDuAccelerator
++ RecipeFeeder
+ SmartShopper

Hijackers
++ AdwareClick

Malware (Includes rogue or fraudulent security programs, fake registry cleaners, and fake security alerts, plus other nasty programs)
++ AdwarePolice
++ BPS.AdwareDestroyer
+ BPSSpywareRemover
++ Fraud.AlphaAntivirus
+ Fraud.AntivirusPro2010
++ Fraud.ContraViro
++ Fraud.HomePersonalAntivirus
+ Fraud.SafetyCenter
++ Fraud.SecureFighter
++ Fraud.SecureWarrior
++ Fraud.SecureVeteran
++ Fraud.SecuritySoldier
+ Fraud.SmartProtector
++ Fraud.SystemErrorFixer
++ Fraud.TrustCop
++ Fraud.WindowsPCDefender
+ Fraud.WindowsProtectionSuite
+ Lop
+ Mirar
+ Smitfraud-C.
++ Win32.Agent.krp
++ Win32.Agent.mp
++ SuperEasySearch
+ Win32.FraudLoad.edt
+ Win32.Renos

PUPS (Possibly UnPopular Software or Potentially Unwanted Program - user discretion advised)
++ DoubleD.DesktopSmiley
+ FastBrowserSearchToolbar
+ Freeze
++ QiwangC.AdvancedDefrag

Spyware
+ AdRotator
+ Huntbar

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors, malicious download agents and Rootkits.)
++ Backdoor.Juan
+ Bifrost
+ PurityScan
+ Virtumonde
+ Virtumonde.atr
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.fbx
++ Win32.Agent.wiw
++ Win32.Clicker.sv
+ Win32.Fakealert.ttam
++ Win32.IRCBot.svc
++ Win32.OnLineGames.bkmn
++ Win32.OnLineGames.bkpd
++ Win32.OnLineGames.uiwo
+ Win32.TDSS.rtk
+ Win32.ZBot
++ Win32.ZBot.rtk
+ Zlob.Downloader.bs

Total: 1574169 fingerprints in 558662 rules for 4954 products.

False positive detections reported, discussed, or fixed this week:

There were no new false positives reported this week. However, if you are still using an older version of Spybot you are likely to see false positives of all kinds. When I say old version I mean any version that is not the most current release (see below). The Spybot engine now gets changed radically with each new update, to help it deal with stubborn new types and variations of modern spyware.

Note: Spybot 1.5.x is now an OLD version and is unreliable in detections and removals!

If you keep getting a report of "Virtumonde" in C:\Windows\system32\zipfldr.dll and you are running a version of Spybot S&D older than version 1.6.2, it is a probable false positive. That is a Windows system file that is automatically restored if you delete it. Any version of Spybot older than 1.6.2.46 will give false positive detections of Virtumonde and other threats, as the engine is now outdated and unable to comprehend new malware definitions. The fix: Update to the current version of Spybot S&D!

Some people running Windows 98 and ME have reported false positives of Virtumonde. They were not aware that the use of Spybot S&D on Windows versions older than Windows 2000 is no longer supported and is subject to many false positives and failed removals.

TeaTimer update issues and remedies:

TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks a file you can also allow the file to be executed (and remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the item in the Spybot S&D scan results and selecting "Exclude this detection from further searches."

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.


October 12, 2009

My Spam analysis for Oct 5 - 11, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have decreased a bit this week, after a significant increase last week. This might mean that the Bot Masters running spam Botnets are having problems maintaining their command and control (C&C) servers, used to reactivate their sleeping zombie computers. Or, maybe those zombie PCs have been disinfected or taken offline. Whatever the explanation, spam dropped this week.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Other Filters" and "Known Spam Domains" categories was for the fake Canadian Pharmacy, male enhancement scams and counterfeit Viagra. There was also some spam for counterfeit watches-handbags-software, and several Nigerian 419 advance fee fraud scams.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Oct 5 - 11, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Oct 5 - 11, 2009. Spam amounted to 17% of my incoming email this week. This represents a -5% change from last week.
MailWasher Pro by Firetrust
Nigerian 419 Scams: 15.79%
Canadian Pharmacy Scams: 15.79%
Known Spam Domains: 15.79%
Counterfeit Watches: 15.79%
"Other Filters" category: 5.26%
Blocked Country: 5.26%
PayPal Scam #1: 5.26%
RIPE filter: 5.26%
Known Spam X-Mailer: 5.26%
Known Spam User Agent: 5.26%
One Word Subject: 5.26%

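The category breakdown above comes from custom header and subject filters. As an added example (not MailWasher Pro's own code or its filter syntax), the following Python models that kind of rule-based classification: a handful of constructed rules named after the post's categories (Known Spam Domains, Known Spam X-Mailer, Known Spam User Agent, Known Spam TO, Nigerian 419 Scams, Canadian Pharmacy Scams, One Word Subject) are applied to a constructed sample mailbox, and the script reports the share of mail flagged as spam and each category's percentage, in the same shape as the weekly breakdown. Every domain, address and header value in it is a made-up placeholder, not a real spam indicator.

```python
"""Rule-based spam categorisation, modelled on the post's MailWasher Pro
category breakdown.

Added example: this is NOT MailWasher Pro's code or filter format. The
filter lists are constructed placeholders, as are the sample messages.
"""
from collections import Counter
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple
import re

# Constructed filter lists (placeholders, not real spam indicators).
KNOWN_SPAM_DOMAINS = {"example-pharm.test", "cheap-watches.test"}
KNOWN_SPAM_XMAILERS = {"bulkmailerx"}
KNOWN_SPAM_USER_AGENTS = {"spambot ua"}
KNOWN_SPAM_TO = {"harvested@example.test"}  # a harvested address spammers reuse
NIGERIAN_419_RE = re.compile(r"next of kin|transfer of funds", re.IGNORECASE)
CANADIAN_PHARMACY_RE = re.compile(r"canadian\s+pharmacy", re.IGNORECASE)


def classify(raw: str) -> Optional[str]:
    """Return the first matching category name, or None if the message passes.

    Header rules run before content rules. The From address is forged in
    most spam (the "Joe Job" problem), so the sender domain is used only
    as a blacklist key, never as proof of who actually sent the message.
    """
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{subject}\n{body}"

    if from_domain in KNOWN_SPAM_DOMAINS:
        return "Known Spam Domains"
    if (msg.get("X-Mailer") or "").strip().lower() in KNOWN_SPAM_XMAILERS:
        return "Known Spam X-Mailer"
    if (msg.get("User-Agent") or "").strip().lower() in KNOWN_SPAM_USER_AGENTS:
        return "Known Spam User Agent"
    if to_addr in KNOWN_SPAM_TO:
        return "Known Spam TO"
    if NIGERIAN_419_RE.search(text):
        return "Nigerian 419 Scams"
    if CANADIAN_PHARMACY_RE.search(text):
        return "Canadian Pharmacy Scams"
    if subject and len(subject.split()) == 1:
        return "One Word Subject"
    return None


def breakdown(raw_messages: List[str]) -> Tuple[float, Dict[str, float]]:
    """Percentage of all mail flagged as spam, and each category's share of that spam."""
    hits = Counter(c for c in map(classify, raw_messages) if c is not None)
    spam_total = sum(hits.values())
    spam_pct = round(100.0 * spam_total / len(raw_messages), 2) if raw_messages else 0.0
    shares = {cat: round(100.0 * n / spam_total, 2) for cat, n in hits.most_common()}
    return spam_pct, shares


def _mail(headers: Dict[str, str], body: str) -> str:
    """Build a minimal RFC 822 style message string from constructed parts."""
    return "".join(f"{k}: {v}\n" for k, v in headers.items()) + "\n" + body + "\n"


# Constructed sample mailbox: six spam messages (one per rule) and one legitimate message.
SAMPLE_MESSAGES = [
    _mail({"From": "Orders <orders@example-pharm.test>", "To": "me@mydomain.test",
           "Subject": "Your order is ready"}, "Click to confirm."),
    _mail({"From": "friend@mail.test", "To": "me@mydomain.test",
           "Subject": "Special offer inside", "X-Mailer": "BulkMailerX"}, "Act now."),
    _mail({"From": "barrister@lawfirm.test", "To": "me@mydomain.test",
           "Subject": "Urgent business proposal"},
          "As next of kin you are entitled to a transfer of funds."),
    _mail({"From": "promo@shop.test", "To": "me@mydomain.test",
           "Subject": "Canadian Pharmacy discount"}, "Lowest prices."),
    _mail({"From": "someone@mail.test", "To": "me@mydomain.test",
           "Subject": "Hello"}, "Check this out."),
    _mail({"From": "newsletter@list.test", "To": "harvested@example.test",
           "Subject": "Great deals"}, "Buy now."),
    _mail({"From": "colleague@work.test", "To": "me@mydomain.test",
           "Subject": "Meeting notes for Monday"}, "Attached are the notes."),
]

if __name__ == "__main__":
    pct, shares = breakdown(SAMPLE_MESSAGES)
    print(f"Spam amounted to {pct}% of incoming email")
    for cat, share in shares.items():
        print(f"{cat}: {share:.2f}%")
```

The order of the rules matters: a message is counted once, under the first rule it trips, which is why the header checks (cheap and hard to evade by rewording the body) come before the content regexes. Adjusting that order, or adding a rule, is the kind of weekly tuning the post describes.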
The latest weekly updates to my custom MailWasher Pro filters were to the Image Spam #11, Canadian Pharmacy and Nigerian 419 Scam filters. Everything else is working as it should. Without MailWasher Pro filtering out all the junk mail I would waste a lot more time deleting it from my email program's inbox. If you're not already using MailWasher Pro to filter out spam, read on...

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g. Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.


October 4, 2009

My Spam analysis for Sept 28 - Oct 4, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have increased again this week, after a significant decrease last week. This means that the Bot Masters running spam Botnets regained access to their command and control (C&C) servers, used to reactivate their sleeping zombie computers. Those zombie PCs are now sending out normal volumes of spam, as commanded by their Bot Masters. This will continue until the people hosting the C&C servers cut off the accounts, or get shut down by authorities.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially in the "Other Filters," "Known Spam Domains" and "Yahoo Groups Spam Link" categories, was for the fake Canadian Pharmacy, male enhancement scams and counterfeit Viagra. There was also some spam for counterfeit watches-handbags-software, phishing and weight loss scams.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Sept 28 - Oct 4, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Sept 28 - Oct 4, 2009. Spam amounted to 22% of my incoming email this week. This represents a +4% change from last week.
MailWasher Pro by Firetrust
"Other Filters" category: 20.00%
Canadian Pharmacy Scams: 17.14%
Herbal spam: 11.43%
Yahoo Groups spam links: 8.57%
Known Spam Domains: 8.57%
Male Enhancement scams: 5.71%
Phishing Scams: 5.71%
Viagra Spam: 5.71%
Pharmaceutical spam: 5.71%
Known Spam TO: 5.71%
Pirated Software: 2.86%
Blacklisted senders: 2.86%

The latest weekly updates to my custom MailWasher Pro filters were to the Known Spam [From], Pharmaceutical Spam [S], Counterfeit Goods and PayPal Scams #1 filters. I also added a new "Webmail" phishing filter. Everything else is working as it should. Without MailWasher Pro filtering out all the junk mail I would waste a lot more time deleting it from my email program's inbox. If you're not already using MailWasher Pro to filter out spam, read on...

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g. Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

About the author
Wiz FeinbergWiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.
Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.