Wiz's Computer and Website Security Blog

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 5% this week from last week's level. Furthermore, there has been a big drop in the number of male enhancement scam emails I have captured. This is almost entirely due to the hijacking and sinkholing of the Ozdok/Mega-D Botnet. That Botnet was taken down two weeks ago by the efforts of FireEye, a security firm that hijacked the Ozdok Bot command structure and redirected requests for updates from the zombies in the Botnet to a blackhole/sinkhole IP. They also notified all of the companies hosting the Command and Control servers used by the Botnet and those servers were all taken offline. This was all accomplished in a mere 24 hours, thanks to a lot of co-operation and investigative work. Unfortunately, those male enhancement spam emails are reappearing, so either Mega-D Botnet has been restored, or another Botnet is being used by the spammers promoting these fake, Chinese enhancement products.

Before the takedown, Mega-D was responsible for most of the World-wide plague of male enhancement spam messages, going back to at least 2007. Those are the messages promoting unreal enlargement results from various bogus pills and herbals.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for the fake Canadian Pharmacy and other unlicensed prescription drugs from China. Also, the Nigerian scammers were busy again last week, promoting their lottery scams, sent from various African countries.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Nov 23 - 29, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Nov 23 - 29, 2009. Spam amounted to 14% of my incoming email this week. This represents a +5% change from last week.

Other Filters (misc):	20.00%
HTML letter positioning tricks:	15.00%
Nigerian Lottery Scams:	10.00%
Canadian Pharmacy Scams:	10.00%
Male Enhancement Scams:	10.00%
Viagra:	5.00%
Unlicensed Prescription Drugs:	5.00%
Phishing Scams:	5.00%
Known Spam "From":	5.00%
Known Spam Domains in Body:	5.00%
Loans:	5.00%
Blacklisted Senders:	5.00%

The latest weekly updates to my custom MailWasher Pro filters were to the Phishing Scam and Canadian Pharmacy filters. Everything else is working as it should. Without MailWasher Pro filtering out all the junk mail I would waste a lot more time deleting it my email program's inbox. If you're not already using MailWasher Pro to filter out spam, read on...

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

Posted by Wiz at 3:53 PM | Permalink

back to top ^

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on November 25, 2009, as listed below. 16 new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 15 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. The new Trojans are mostly of the types Virtumonde, Botnet agents and OnlineGames.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments.

Additions to Spybot S&D malware definitions made on November 25, 2009:

If your computer is infected with any of the malware threats listed below, Spybot S& D should be able to remove them, after you update it. Always check to see if you have the latest version of Spybot S&D. You may need to schedule a second scan after a reboot, to remove threats that couldn't be deleted because they were active in memory. You may even need to restart in Safe Mode and scan from there.

All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection.

Adware
++ Cuckoo ++ Tencent.AdressBar

Malware
+ Fraud.AntivirusPlus
++ Fraud.ControlCenter
++ Fraud.LinkSafeness
+ Fraud.MSAntispyware2009
++ Fraud.PersonalProtector
+ Fraud.ProAntispyware2009
+ Fraud.Sysguard
+ Fraud.XPAntivirus
+ Smitfraud-C.
+ WareOut
+ Win32.Downloader.dequ
+ Win32.FraudLoad.edt
++ Win32.Podmena
++ Win32.Presto
++ Win32.VB.bpbu
++ Win32.VB.usr

PUPS (Potentially Unwanted Programs)
+ Live-Player

Trojans (These are the real bad guys: bots, rootkits, remote controllers, backdoors)
++ Backdoor.FakeUtility
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.hbt
++ Win32.Ambler
+ Win32.KillAV.hd
++ Win32.OnLineGames.mfbi
++ Win32.OnLineGames.mfcc
++ Win32.OnLineGames.unaj
++ Win32.OnLineGames.uozk
++ Win32.OnLineGames.urvu
++ Win32.Qibongi
++ Win32.Satasery
+ Win32.TDSS.rtk
+ Win32.ZBot

Total: 1756620 fingerprints in 681017 rules for 5073 products.

False positive detections reported, discussed, or fixed this week:

There were a slew of possible and confirmed false positives reported this week. However, if you are still using an older version of Spybot you are likely to see false positives of all kinds. When I say old version I mean any version that is not the most current release (see below). The Spybot engine now gets changed radically with each new update, to help it deal with stubborn new types and variations of modern spyware.

There was a confirmed false positive detection of "Rbot.skp" in various programs, like RegSeeker, Netmeter, Cygwin, Terminal.exe, RQ Money, Hurrican and San Andreas Multiplayer, reported by several people. This was fixed with today's updates. If you should still get this detection after running the Nov 25 updates, and after restarting Teatimer, please visit this False Positives forum, at: http://forums.spybot.info/forumdisplay.php?f=16 and file a request for help.

There was a confirmed false positive detection of "PerfectKeylogger" in Western Digital Drive Manager. This was fixed today.

There was a confirmed false positive detection of "Smitfraud-C" on a copy of taskmgr.exe that was created by installing BartPE. This will be fixed soon.

There was a confirmed false positive detection of some Trojan in WinSys2.exe - an MSI Graphics card Tool. It took one month to resolve this and fix it. The resolution is posted here.

There was a confirmed false positive detection of win32.agent.wsg in various files, during a Hueristic scan, has been fixed.

In the case of Teatimer false positives that are fixed by updates, Teatimer will have to be restarted after the update is applied. Or, just disable TeaTimer if you really don't need its "protection." One way to not need TeaTimer is to run your PC with reduced privileges, as a Power User or Standard User, rather than as an Administrator.

Note. Spybot 1.5 x is now an OLD version and is unreliable in detections and removals!

If you keep getting a report of "Virtumonde," in c:Windows/system32/zipfldr.dll and you are running a version of Spybot S&D older than version 1.6.2, it is a probable false positive. That is a Windows system file that is automatically restored if you delete it. Any version of Spybot older than 1.6.2.46 will give false positive detections of Virtumonde and other threats, as the engine is now outdated and unable to comprehend new malware definitions. The fix: Update to the current version of Spybot S&D!

Some people running Windows 98 and ME have reported false positives of Virtumonde. They were not aware that the use of Spybot S&D on Windows versions older than W-2000 is no longer supported and is subject to many false positives and failed removals.

TeaTimer update issues and remedies:

TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.

Posted by Wiz at 5:04 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 1% this week from last week's level. Furthermore, there has been a big drop in the number of male enhancement scam emails I have captured. This is almost entirely due to the hijacking and sinkholing of the Ozdok/Mega-D Botnet. That Botnet was taken down last week by the efforts of FireEye, a security firm that hijacked the Ozdok Bot command structure and redirected requests for updates from the zombies in the Botnet to a blackhole/sinkhole IP. They also notified all of the companies hosting the Command and Control servers used by the Botnet and those servers were all taken offline. This was all accomplished in a mere 24 hours, thanks to a lot of co-operation and investigative work.

Before the takedown, Mega-D was responsible for most of the World-wide plague of male enhancement spam messages, going back to at least 2007 (or late 2006). Those are the messages promoting unreal enlargement results from various bogus pills and herbals.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for fake Viagra and other unlicensed prescription drugs from China. Not surprisingly, the Nigerian scammers were busy again last week, promoting their advance fee fraud 419 scams. 100% of all email coming to me, with African IPs in the headers, are 419 scams. I have a MailWasher Pro filter to detect and block African Senders.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details)

See my extended comments for this week's breakdown of spam by category, for Nov 16 - 22, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Nov 16 - 23, 2009. Spam amounted to 9% of my incoming email this week. This represents a -1% change from last week.

Viagra:	17.65%
Unlicensed Prescription Drugs:	17.65%
Known Spam Subject:	11.76%
"RIPE" IP Space:	11.76%
Nigerian 419 Scams:	11.76%
Pharmaceutical Spam:	5.88%
Pills:	5.88%
Phishing Scams:	5.88%
APNIC sender:	5.88%
African Sender:	5.88%

The latest weekly updates to my custom MailWasher Pro filters were to the Phishing Scam filter, which I updated, then split into two filters: one for the Subject; one for message Body. Everything else is working as it should. Without MailWasher Pro filtering out all the junk mail I would waste a lot more time deleting it my email program's inbox. If you're not already using MailWasher Pro to filter out spam, read on...

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

Posted by Wiz at 4:31 PM | Permalink

back to top ^

For the past few days I have discovered that a script, or person operating a server farm, at Ubiquity Server Solutions, is attempting to post spam trackbacks to my blog. I don't even allow trackbacks on my blog, for this very reason, yet, this spamming idiot keeps blasting away with his script, ignoring a constant flow of Server 403 (Forbidden) responses. The page that the spammer is trying to POST to is no longer on the blog database, having been deleted in the spring of 2006! So, he is wasting his time and amusing me as I look at all the IP addresses I can add to my Exploited Servers Blocklist.

In fact, I have discovered that this blog trackback spammer is using a server farm assigned to Ubiquity Server Solutions, in Seattle, Washington, USA. Their full assigned CIDR is 64.120.4.0/22, covering IPs ranging from 64.120.4.0 through 64.120.7.255. However, to be fair to this clueless hosting service, the spammer is rotating through a group of servers with IP addresses only in the range of 64.120.5.0 - 64.120.5.255. To minimize possible collateral damage to innocent hosting customers, I am only blocking the narrow range encompassed by the CIDR 64.120.5.0/24.

UPDATE
November 20, 2009

Ubiquity Servers is now hitting MovableType blogs with trackback spam exploit attempts from a different CIDR: 174.34.144.0/23. I have updated the evidence and blocklist rules below to include this new CIDR.

The evidence:

174.34.145.115 - - [19/Nov/2009:12:59:57 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
174.34.145.117 - - [19/Nov/2009:15:16:17 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"

64.120.5.197 - - [18/Nov/2009:07:07:08 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.241 - - [18/Nov/2009:07:12:57 -0800] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.0" 302 378 "-" "tbr/0.1.0"
64.120.5.246 - - [18/Nov/2009:07:32:26 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.254 - - [18/Nov/2009:07:49:48 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.236 - - [18/Nov/2009:08:22:27 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.196 - - [18/Nov/2009:08:30:16 -0800] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.0" 302 378 "-" "tbr/0.1.0"
64.120.5.225 - - [18/Nov/2009:08:49:54 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"

Enough already! You will notice that the spammer is only attempting to POST to two items. One is identified as blog entry number 18, which dates back to May of 2006 and was deleted from my blog in early 2007. The other target of this hapless spammer is an article I wrote about "Stupid Blog Trackback Spammers"not understanding a 403 Forbidden response, when they try to post trackback comments to a blog that has all trackbacks and comments disabled! There are no trackbacks or comments allowed on my blog! Spammers cannot POST anything!

I find this amusing, but others who do allow trackbacks or comments may not be so amused by this a-hole, whom I previously may have traced to Romania. If your website is hosted on an Apache web server, you can serve him a steady diet of Server 403 Forbidden responses by blocking his IP CIDR and his user agent in your public web root .htaccess file, as demonstrated below.

---

<Files *>
order deny,allow
deny from 64.120.5.0/24
deny from 174.34.144.0/23
</Files>

Options +FollowSymLinks
RewriteEngine On
RewriteOptions inherit
RewriteBase /

RewriteCond %{HTTP_USER_AGENT} ^tbr/0\.1\.0$
RewriteRule .* - [F]

---

You should determine if legitimate visitors to your blogs are using the tbr/0.1.0 user agent. If so, don't block it. In all likelihood, only spammers use that tool with that version number.

Details about the .htaccess file are found in my extended comments.

In the first half of this article I described how a spammer was attempting to POST spam comments to my blog, using a tool made to create blog "trackbacks." These are comments that usually include a link to the website owned by the person placing the trackback. This system has been abused by spammers to place spam trackbacks to their websites that promote illegal drugs and pornography.

The end of the first half included codes to be used in an Apache web server file named .htaccess. Some of those codes, officially known as "directives," blocked access to a website (or server) by the IP address range, known as a CIDR. This makes use of the Apache Mod_Access module. The last part of the directives utilize the Mod_Rewrite module to block access to the user agent known as "tbr/"(version), which is used to POST trackbacks to blogs that allow them. This is software is usually used by spammers in an automated script.

Most of the personal websites in the World are hosted on a box running an Apache Web Server, running on a Unix or Linux operating system. Other websites run on Microsoft Windows IIS Servers, mainly because they may require proprietary Microsoft technologies (e.g. .NET, .ASP) to be supported. This article only deals with Apache web server access controls, which do not apply directly to Windows Servers (sorry).

One of the things I like about operating a website on an Apache web server is that I can control who gets access to any part of the website by means of a special server file named .htaccess. The file name has no prefix, just a period and a suffix. This type of file has a special meaning to Apache servers and is normally hidden from view in a file manager, or ftp client. Some new shared hosting websites come with a .htaccess file with some basic directives, others have none to start. Contact your web hosting company to find out if they allow users to create custom .htaccess directives, including "Mod_Access" and "AllowOverride All."

If your web host does allow users to create or modify their own .htaccess file, you need to know a few basic things about it. First of all, as I mentioned before, it is normally hidden, because it has a file name beginning with a period. If you use a file manger supplied by your hosting company, they probably have unhidden these files in the view options. However, if, like most webmasters, you use what is known as an "FTP client" to upload and download files to and from the server, you may need to input a special command in a "file mask" box, to unhide normally hidden files on the server.

Most, if not all ftp clients have a means of unhiding .htaccess and other hidden server control files. Some may have a checkbox option that you select and apply. Others, like WS_FTP have an input box named "Remote File Mask" - in which you can type the code: -AL and apply it. This code would be placed inside the configuration box for every Apache based website you intend to log onto, with that FTP client. The next time you log onto that website you should see any hidden control files, including any .htaccess that may already exist.

If there is a .htaccess file in the public web root directory, that is the one you will probably want to modify to block spammers, hackers and other unwanted traffic. Anything you block in the master .htaccess, in, for instance, your "public_html directory, will apply to all sub-directories on your website. If there is no .htaccess yet, you can create one from scratch, using Windows Notepad, or any other plain ASCII text editor that is installed on your computer. Note, that some text editors don't like files that have no prefix and may try to force the name to end in .txt. If this happens, allow it for the time being. After you have added all of the directives you want, save the file, then rename it to .htaccess, then upload it, then immediately check a page on your website to make sure you didn't cause a fatal error by using bad syntax.

Be extremely careful when editing .htaccess files. One mistyped or unrecognized, uncommented character will break your website, until you find and correct the error. Server 500 errors indicate a misconfigured directive in .htaccess, or some other critical file. All non-directives must be preceded with the # sign and be typed on one long line. If your editor has Word Wrap enabled, the lines may occupy more than one line of text, which is ok, as long as you do not use the Enter key to force a line break. Only hit Enter to create blank lines, or new lines of comments, or lines of directives.

Example of a comment in .htaccess:

# This is a comment in .htaccess. It occupies just one code line, even if it wraps due to word wrap.

Example of a Mod_Rewrite Directive in .htaccess

RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0$
RewriteRule .* - [F]

The above condition states that if the exact user agent is "Mozilla/5.0" - a known exploit tool, then return a Server 403 Forbidden to any request for any page or resource.

Blank lines are acceptable and are a good idea for keeping different lists and directives separated. Just make sure that anything other than a blank line starts with and completely includes a proper directive, or else a # sign, if it is a comment.

Actual .htaccess directives are not negotiable. You must learn the correct syntax for the version of Apache your server is using, if you are going to succeed with your custom .htaccess directives. You can search Google, Yahoo, Bing, or Ask.com for the keywords ".htaccess+directives" to learn about the various recognized directives, modules and correct syntax. The following Google search box is already setup to return results on .htaccess tutorials, but you can change it to .htaccess+directives if you prefer:

Another great place to learn the fine points about applying .htaccess directives to achieve specific goals, is the Webmaster World Apache Web Server Forum. You should read as many posts and replies as possible, searching for topics about the problems you want to solve, before asking for help. They teach by example (literally, using example.com) and corrections, but will not write code for you, from scratch. You must have a basic understanding before getting into advanced .htaccess concepts.

By using a combination of Mod_Access IP address/CIDR blocklists and Mod_Rewrite conditions and rules - to block known bad user agents, referrers, requests or exploit attacks, you will go the extra mile in protecting your server and or websites from unwanted traffic, scammers, spammers and hackers.

Posted by Wiz at 2:16 AM | Permalink

back to top ^

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on November 18, 2009, as listed below. 15 new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 18 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. The new Trojans were mostly of the types Virtumonde, Botnet agents and OnlineGames.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments.

Additions to Spybot S&D malware definitions made on November 18, 2009:

If your computer is infected with any of the malware threats listed below, Spybot S& D should be able to remove them, after you update it. Always check to see if you have the latest version of Spybot S&D. You may need to schedule a second scan after a reboot, to remove threats that couldn't be deleted because they were active in memory. You may even need to restart in Safe Mode and scan from there.

All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection.

Hijacker
+ FFHijacker.ttam

Malware
++ DoubleD.SystemSearchDispatcher
+ Fraud.AlphaAntivirus
++ Fraud.AntiAid
++ Fraud.AntiMalware
+ Fraud.AntivirusPlus
+ Fraud.SafetyCenter
+ Fraud.SmartProtector
++ Fraud.SystemFighter
+ Fraud.SystemSecurity
++ Fraud.SystemVeteran
++ Fraud.SystemWarrior
+ Fraud.VirusDoctor
+ Win32.Fakealert.ttam
+ Win32.FraudLoad
+ WinSpyKiller

PUPS (Potentially Unwanted Programs)
++ DoubleD
++ DoubleD.DesktopSmiley
++ DoubleD.GamingHarbor
++ DoubleD.InternetSavingOptimizer
++ DoubleD.JuicyAccess
++ DoubleD.MediaAccessStartup

Trojans (These are the real bad guys: bots, rootkits, remote controllers, backdoors)
+ Hupigon
++ Rbot.skp
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.fl
++ Win32.Agent.vml
++ Win32.Agent.wc
++ Win32.Agent.wlo
+ Win32.Agent.wu
+ Win32.Bifrost.la
++ Win32.OnLineGames.bkns
++ Win32.OnLineGames.bkph
+ Win32.OnLineGames.ubha
++ Win32.USXT
+ Win32.ZBot
+ Zlob.Downloader

Total: 1749198 fingerprints in 678567 rules for 5052 products.

False positive detections reported, discussed, or fixed this week:

There were 2 confirmed false positives reported this week. However, if you are still using an older version of Spybot you are likely to see false positives of all kinds. When I say old version I mean any version that is not the most current release (see below). The Spybot engine now gets changed radically with each new update, to help it deal with stubborn new types and variations of modern spyware.

There was a confirmed false positive detection of "win32.agent.wsg" reported by several people on the False Positives Forum. This detection only occurred in the "heuristics" scans. It was fixed with tthe Nov 18, 2009 updates.

Several people reported a possible false positive detection of PartnerBHO in several diverse files, some on brand new Windows 7 computers. It appears that the PartnerBHO is a partner program managed by Google. This is being treated as a false positive and was removed from detection with the update on Nov 18.

Note. Spybot 1.5 x is now an OLD version and is unreliable in detections and removals!

If you keep getting a report of "Virtumonde," in c:Windows/system32/zipfldr.dll and you are running a version of Spybot S&D older than version 1.6.2, it is a probable false positive. That is a Windows system file that is automatically restored if you delete it. Any version of Spybot older than 1.6.2.46 will give false positive detections of Virtumonde and other threats, as the engine is now outdated and unable to comprehend new malware definitions. The fix: Update to the current version of Spybot S&D!

Some people running Windows 98 and ME have reported false positives of Virtumonde. They were not aware that the use of Spybot S&D on Windows versions older than W-2000 is no longer supported and is subject to many false positives and failed removals.

TeaTimer update issues and remedies:

TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.

Posted by Wiz at 3:10 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 4% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for unlicensed prescription drugs from China, plus the usual male enhancement and fake pharmacy scams and counterfeit Viagra. Not ot be out-done, the Nigerian scammers were busy again last week, promoting their lottery scams. 100% of all email coming to me, with African IPs in the headers, are 419 scams.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Nov 9 - 15, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Nov 9 - 15, 2009. Spam amounted to 10% of my incoming email this week. This represents a +4% change from last week.

Unlicensed Prescription Drugs:	22.73%
Pharmaceutical Spam:	13.64%
Known Spam TO:	9.09%
"Other Filters":	9.09%
Viagra:	9.09%
Lottery Scams:	9.09%
Male Enhancement scams:	4.55%
Blacklisted Senders:	4.55%
Counterfeit Watches & other knock-offs:	4.55%
Hidden ISO or ASCII Subject:	4.55%
APNIC sender:	4.55%
LACNIC sender:	4.55%

The latest weekly updates to my custom MailWasher Pro filters were to the (new filter) Unlicensed Prescription Drugs, Pharmaceutical [Subject] and Lottery Scam filters. Everything else is working as it should. Without MailWasher Pro filtering out all the junk mail I would waste a lot more time deleting it my email program's inbox. If you're not already using MailWasher Pro to filter out spam, read on...

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

Posted by Wiz at 1:40 PM | Permalink

back to top ^

When it comes to hackers and cyber criminals using leased, co-located, or hijacked web servers to attack other web servers, one of the top culprits I see in my daily access logs is traceable to ThePlanet.com, based in Dallas, Texas. More server attacks originate from their IP addresses during any givien week than from anywhere else. This has been the case for at least three years in a row.

When I say "server attacks" I am referring to attempts to hack a web server, or website, by sending codes to it that are designed to exploit unpatched versions of software commonly used by website owners. Most attempts involve trying to upload or inject a hostile file to a PHP script that is known to be exploitable. These are known a PHP Injection Exploits. Of those targeted scripts, the one that I see almost every day, in my access logs, is the Coppermine Gallery script. Hardly a day goes by that some script kiddie, or hacker, or bot tries to upload or inject hostile files to my server via Coppermine exploits, as demonstrated in the following actual log entry:

We can use DNSStuff or DomainTools to run a WhoIs lookup on that IP address...

WHOIS - 70.85.136.34
Location: United States [City: Dallas, Texas]
OrgName: ThePlanet.com Internet Services, Inc.
NetRange: 70.84.0.0 - 70.87.255.255
CIDR: 70.84.0.0/14

Definition of CIDR
In the above results, the last item shown is the CIDR of the entity in question. CIDR stands for "Classless InterDomain Routing." It is designated by appending a forward slash and number to the end of a starting IP address, to designate an entire range of IPs assigned to that entity. In this case, 70.84.0.0/14 covers all IPs between 70.84.0.0 trough 70.87.255.255.

The CIDR covering ThePlanet.com is shown to be 70.84.0.0/14, but they have other assigned CIDRs that are used by hackers and spammers. All pertinent CIDRs that I have discovered to this date for ThePlanet.com are listed further down in this article, in "deny from" rules, which are referred to as a "blocklist." I have also thrown in IPs belonging to Everyone's Internet and Rackspace, both favorites of spammers and hackers. Any IP address that is covered by one of the CIDRs in the blocklist will get a server 403 Forbidden response, no matter what page they try to view on a website that employs these rules.

Furthermore, I have included a ".htaccess" "Mod_Rewrite" rule to block the exact user agent "Mozilla/5.0" - which is a known hacking tool. Read on and learn to how protect your Apache web server, or Apache hosted websites, from exploit attacks coming from ThePlanet and the like, or Mozilla/5.0 hack tools.

If you own a website and it is hosted on an Apache web server and you are allowed to modify a special control file named ".htaccess," you can add IP addresses and CIDRs to "deny from" blocklists and probably also perform Mod_Rewrite overrides as well. Use your main .htaccess file to deny access (403 Forbidden) to the CIDRs assigned to ThePlanet hosting services and to anybody using the hacker tool identified as "Mozilla/5.0." Use the following codes in a .htaccess in your public web root to block ThePlanet, et al.

If you already have a .htaccess in the web root, log onto the server with your FTP client, then unhide hidden server files by means of any options to do so, or input the code -al into the "Remote File Mask" input box. Download .htaccess to your computer and open it for editing in a plain text editor (e.g. Notepad), immediately save it as .htaccess1, or htaccess.txt as a backup, then copy and paste the directives below into it. Save the changes and upload it back to the server. Be sure to try to view your home page right after making changes to .htaccess and always save a backup copy of the unaltered file with a 1 appended to the name (e.g. .htaccess1 or htaccess.txt). In the event you make a typographic error you will get a "Server 500" error, which locks everyone out of viewing the website. If that occurs just upload the original saved .htaccess, delete the problem file on the server and rename the original back to .htaccess. Then go over your changes on the local copy and correct any typos, then try uploading it again.

Just remember this rule when editing .htaccess: If it isn't a known directive or command, precede it with the # sign. That makes it a comment and it is ignored by the server. Forget to do this and you will get a Server 500 lockout.

.htaccess additions to block ThePlanet , Everyone's Internet, Rackspace and Mozilla/5.0:

<Files *>
order deny,allow
# ThePlanet.com and Everyones Internet
deny from 64.5.32.0/19 64.246.0.0/18 66.98.128.0/17 67.15.0.0/16 67.18.0.0/15 69.93.0.0/16 70.84.0.0/14 74.52.0.0/14 75.125.0.0/16 174.132.0.0/15 207.44.128.0/17 209.62.0.0/17 216.127.64.0/19

# Let's toss in "Rackspace" - Hackers, spammers, scammers and phishers
deny from 67.192.0.0/16 69.20.0.0/17 72.3.128.0/17 72.32.0.0/16 74.205.0.0/17
</Files>

# Now, to kill requests from hackers using the user agent "Mozilla/5.0" - add these directives under the previous section:

Options +FollowSymLinks
RewriteEngine On
RewriteOptions inherit
RewriteBase /

RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0$
RewriteRule .* - [F]

# end of .htaccess additions

I will be writing other articles showing you how to block more of these PHP injection exploit attacks, at a later date. If you want to use pre-defined .htaccess blocklists, I have four of them online and available from my Htaccess Blocklists page. Copy and paste them into your .htaccess file as needed, testing as you go. Please consider donating via PayPal, to help me pay for my research time and hosting costs. Donation buttons are found on all of my blocklist pages.

Posted by Wiz at 2:33 AM | Permalink

back to top ^

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on November 11, 2009, as listed below. 16 new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 18 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. The new Trojans were mostly of the types Virtumonde, Botnet agents and OnlineGames.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments.

Additions to Spybot S&D malware definitions made on November 11, 2009:

If your computer is infected with any of the malware threats listed below, Spybot S& D should be able to remove them, after you update it. Always check to see if you have the latest version of Spybot S&D. You may need to schedule a second scan after a reboot, to remove threats that couldn't be deleted because they were active in memory. You may even need to restart in Safe Mode and scan from there.

All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection.

Adware
++ Hyperbar

Malware
+ Fraud.ActiveSecurity
++ Fraud.BlockKeeper
++ Fraud.BlockProtector
++ Fraud.BlockWatcher
++ Fraud.DesktopDefender2010
++ Fraud.ShieldSafeness
++ Fraud.SoftBarrier
+ Fraud.SoftCop
++ Fraud.SoftStrongHold
+ Fraud.VolcanoSecuritySuite
+ Win32.Agent.pn
++ Win32.Agent.rt
++ Win32.Agent.wsg
++ Win32.Infostealer
++ Win32.Tiny.b
+ Win32.VB.svh

Security
+ Microsoft.Windows.RedirectedHosts

Spyware
+ Marketscore.RelevantKnowledge

Trojans
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
+ Webshow
++ Win32.Agent.mdi
++ Win32.Agent.nzi
++ Win32.Agent.stb
++ Win32.Agent.wd
++ Win32.Agent.wln
++ Win32.Bionet
++ Win32.OnLineGames.mfbj
++ Win32.OnLineGames.mfce
++ Win32.OnLineGames.mffv
++ Win32.OnLineGames.uhbf
++ Win32.OnLineGames.unbp
++ Win32.OnLineGames.unnl
+ Win32.ZBot
+ Win32.ZBot.rtk

Total: 1702368 fingerprints in 659608 rules for 5027 products.

False positive detections reported, discussed, or fixed this week:

There were new 2 possible new false positive reported this week. However, if you are still using an older version of Spybot you are likely to see false positives of all kinds. When I say old version I mean any version that is not the most current release (see below). The Spybot engine now gets changed radically with each new update, to help it deal with stubborn new types and variations of modern spyware.

There was a confirmed and fixed false positive detection of "Virtumonde.sdn" - (SBI $0B8F80EC) Library, in C:\WINDOWS\system32\ialmcoin.dll. The file C:\WINDOWS\system32\ialmcoin.dll appears to be related to Intel motherboard or device drivers.

There was a confirmed false positive of "smss.exe" being reported as Adwarealert. Update your Spybot definitions and restart TeaTImer to fix this.

Teatimer will have to be restarted after the update is applied. Or, just disable TeaTimer if you really don't need its "protection." One way to not need TeaTimer is to run your PC with reduced privileges, as a Power User or Standard User, rather than as an Administrator.

Note. Spybot 1.5 x is now an OLD version and is unreliable in detections and removals!

If you keep getting a report of "Virtumonde," in c:Windows/system32/zipfldr.dll and you are running a version of Spybot S&D older than version 1.6.2, it is a probable false positive. That is a Windows system file that is automatically restored if you delete it. Any version of Spybot older than 1.6.2.46 will give false positive detections of Virtumonde and other threats, as the engine is now outdated and unable to comprehend new malware definitions. The fix: Update to the current version of Spybot S&D!

Some people running Windows 98 and ME have reported false positives of Virtumonde. They were not aware that the use of Spybot S&D on Windows versions older than W-2000 is no longer supported and is subject to many false positives and failed removals.

TeaTimer update issues and remedies:

TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.

Posted by Wiz at 3:46 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have decreased 6% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for knock-off (counterfeit) Chinese watches, male enhancement and fake pharmacy scams and counterfeit Viagra. Not ot be out-done, the Nigerian scammers were busy again last week, promoting their usual 419 and lottery scams. 100% of all email coming to me, with African IPs in the headers, are 419 scams.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Nov 2 - 8, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Nov 2 - 8, 2009. Spam amounted to 6% of my incoming email this week. This represents a -6% change from last week.

"Other Filters":	20.00%
Viagra:	13.33%
Lottery Scams:	6.67%
Counterfeit Watches & other knock-offs:	6.67%
Known Spam TO:	6.67%
Known Spam User Agent:	6.67%
Pharmaceutical Spam:	6.67%
Hidden ISO or ASCII Subject:	6.67%
No Subject:	6.67%
Blocked Country:	6.67%
African Sender:	6.67%
Blacklisted Senders:	6.67%

The latest weekly updates to my custom MailWasher Pro filters were to the Hidden ISO Subject, Known Spam From, Lottery Scam, Nigerian 419 Scam and African Sender (scam) filters. Everything else is working as it should. Without MailWasher Pro filtering out all the junk mail I would waste a lot more time deleting it my email program's inbox. If you're not already using MailWasher Pro to filter out spam, read on...

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

Posted by Wiz at 3:50 PM | Permalink

back to top ^

On November 5, 2009, Firefox was updated to version 3.5.5. I learned this today, when I opened my Firefox browser and it began installing an update. When the browser launched it had moved up from version 3.5.4 to 3.5.5. I looked at the release notes and saw that this sudden update is purely a stability release. Apparently, there were some problems caused by the last two updates, which were mostly security patches. Release Notes. Most Firefox users will receive an automatic update to the new version, the next time you start Firefox. If you don't get an automatic update, use the Help menu item link to "Check for Updates." If you have a previous series 3.0 version you will need to first update to the most current version of that series before being offered to upgrade to series 3.5.x.

For those of you who are curious about Firefox, but have not used it yet, here are some basic facts. Firefox is a freeware project maintained by a foundation named the Mozilla Foundation. Funded by a grant from AOL and other concerns, Mozilla develops open source browsers and email programs (a.k.a. "clients"). The "Firefox" web browser is the flagship product from Mozilla. It is one of the most secure and absolutely the most frequently updated web browser in common circulation. It is constantly being tested and improved in security and stability, as issues or bugs are discovered. Firefox currently enjoys a 24% market share of web browsers, World wide and counting.

One of the strongest features of Firefox is its total lack of support for the Microsoft technology called ActiveX. ActiveX is one of the primary means of exploitation of Internet Explorer browsers. Only Internet Explorer recognizes that scripting technology, which is used by various scanners that operate inside a browser. Many users of Internet Explorer are easily tricked into installing and running hostile ActiveX Controls. This cannot happen if you browse the Internet using Firefox.

A new security feature found in Firefox, starting with series 3.5.x, is that it will tell you if you have a vulnerable, out of date version of Adobe Flash installed as a plug-in. Flash is found everywhere and cyber criminals use that fact to try to trick people into installing Trojans disguised as updated Flash players, when they are lured to hostile websites. Firefox will let you know if Flash needs to be updated and gives you a direct link to adobe.com, the only official source of the Flash Player. Only accept Flash updates that come from adobe.com!

Firefox uses new tabs to open links to new web pages, rather than opening a new browser window. There is no limit to how many tabs you can have open, altho too many will slow down opening of new links. You can set the behavior of links that are coded to open a new window to open in a new tab, or a new window and decide whether or not that tab or window receives focus as it opens the page. When you close Firefox with multiple tabs open it will offer to Quit and Save your tabs, or just Quit. If, like me, you always have a lot of tabs open and you save them upon closing the browser, the next time you start Firefox it will begin restoring all of those connections. Sometimes it takes a while to load a lot of websites simultaneously! If you are using a really fast broadband Internet service it shouldn't take too awfully long to load a dozen pages at the same time.

Firefox uses third party themes and add-ons to add features and color schemes not built into the browser. The approved color themes and Add-ons, formerly known as Extensions, is huge and is found at "Add-ons For Firefox". Note, that these are developed by individuals and as browser security improves, some older add-ons will no longer work and will be disabled. Unless the authors update those add-ons you will need to search for current model replacements. Firefox has an option setting to automatically check for updates to your Themes and Add-ons.

Internet Explorer ("IE") users wanting to try out, or move to Firefox can rest assured that during installation, or anytime afterward, you can import your saved cookies and Favorites, from IE into Firefox. Your "Favorites" will be placed inside a folder labeled "Imported bookmarks." Favorites in Firefox are called "Bookmarks" and are accessed by opening the menubar item labeled "Bookmarks." You can go on to organize your new or imported Bookmarks as you wish, using the "Organize Bookmarks" link, under the Bookmarks Menubar item.

Firefox is compatible with Windows 2000, upward, including Windows 7 and Mac OS X 10.4 and later and various versions of Linux. System requirements are found here.

Firefox Download links:

Firefox (English) for Windows. Other languages and operating systems. Ubuntu and Debian Linux users must use your Update Manager to get new releases of Firefox. It is part of a package that the installer recognizes. Mac and Windows users who already use Firefox can update to the latest version via the menu item Help > Check for Updates.

No matter what browser you use you still need to keep your guard up against being tricked into installing malware disguised as something else. These "malware" programs are called Trojan Horses. No browser can prevent foolishness on the user's part. That is why you need a good, current, up to date security program, like Trend Micro Internet Security (TMIS) to protect your PC, in case you are about to download or install a malware threat. Also known as PC-cillin, TMIS blocks access to web pages that are known to contain harmful code. This cuts off the most common means of infecting computers.

Posted by Wiz at 1:14 PM | Permalink

back to top ^

On Monday, November 2, 2009, Microsoft began using Automatic Windows Updates to forcibly push out a re-release of a critical patch for its Internet Explorer browsers. Monday's hotfix, named KB976749, targeted MS09-054, originally released on October 13, 2009. That update patched four vulnerabilities, all "critical," in Internet Explorer. It was the third fix released for last month's Windows Updates! Whew!

Microsoft Knowledge base article KB976749 outlines the two issues, one that scrambles Web page elements, while the other spawns a "Type Mismatch" script error on sites that use VBScript, or a mix of VBScript and JavaScript. That article is titled: "An update is available for Internet Explorer that resolves issues that occur after you apply security update 974455 (MS09-054)."

The following warning appears on the aforementioned page:

Important Do not install this update if you have not installed security update 974455. If you install this update without first installing security update 974455, Internet Explorer may not work correctly. If this occurs, uninstall this update, install security update 974455, and then reinstall this update.

This update affects all versions of Internet Explorer, from 5.01 through 8.x. So, if you applied last month's Windows Updates (Oct 13, 2009) and allowed the IE patch to be installed, you will need to install this patched patch.

Many people will have already received this update automatically by the time I published this blog article. It requires a reboot to install the patch and you will be logged off and your PC will restart automatically, unless you intercept the pop-under notice giving you a 15 minute warning before shutdown (Maybe it was 20 minutes to start. When I first noticed it the timer said 15 minutes). Even Power Users and probably Limited Users are affected by the automatic installation and reboot process, if your PC is set to install Windows Updates automatically.

BTW: The "Restart later" button was grayed out for me, so I was forced to save all work in progress, close open applications to avoid data loss, then use "Restart Now" to let the inevitable update complete. The aggravating part of this process was that I don't browse at all with Internet Explorer! I only open it to obtain Windows Updates, after logging into a Administrator level account, or to check layouts of websites I design and maintain. I do all daily browsing on Mozilla's Firefox, using latest version. I operate as a Power User and was forced to allow the installation and forced reboot. Not much finesse on Microsoft's part.

Note, that if this patch causes you more problems that it solves, you can uninstall it via Control Panel > Add/Remove Programs, with the Show Updates option checked. After rebooting you will be rolled back to the previous state of "patchedness."

Note also that one can only avoid these forced installation/reboot routines by disabling Automatic Windows Updates. Anything less will allow critical patches to be downloaded and installed if you are browsing on a less privileged account type. People who (foolishly, in my opinion) insist on using Administrator level accounts will at least see the gold shield tray icon notification that an update is available. or has been downloaded. By the time a Power User sees the shield, the countdown timer has starting its countdown to a forced restart.

Posted by Wiz at 5:38 PM | Permalink

back to top ^

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on November 4, 2009, as listed below. 2 new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 14 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. The new Trojans were mostly of the types Virtumonde and OnlineGames.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments.

Additions to Spybot S&D malware definitions made on November 4, 2009:

All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection.

Malware
+ AntiSpywareShield
++ Fraud.VolcanoSecuritySuite

Trojans
+ Rossvoll.wsa
+ Virtumonde.atr
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.bgdt
++ Win32.OnLineGames.bkpe
++ Win32.OnLineGames.ugrh
++ Win32.OnLineGames.ultz
++ Win32.OnLineGames.unal
++ Win32.OnLineGames.unbx
++ Win32.OnLineGames.uncf
+ Win32.TDSS.gen

Total: 1702437 fingerprints in 656677 rules for 5015 products.

False positive detections reported, discussed, or fixed this week:

There were 6 possible new false positive reported this week. However, if you are still using an older version of Spybot you are likely to see false positives of all kinds. When I say old version I mean any version that is not the most current release (see below). The Spybot engine now gets changed radically with each new update, to help it deal with stubborn new types and variations of modern spyware.

Several people reported that they received a TeaTimer (Resident) notification that cygrunsrv.exe and tail.exe, part of the Cygwin program, contained Fraud.SoftCop. The same detection was reported after they downloaded fresh setup files for CygWin, from the maker. This has now been fixed with today's updates.

A second false positive detection of Fraud.SoftCop in ibmpmsvc.exe (the IBM ThinkPad pointer program) was fixed with today's updates. Additional false positive detections of Fraud.SoftCop were reported and fixed for the following files:

uedos32.exe (part of UltraEdit)
RSSowl (news reader)
Aptana
photoshopserver.exe (Photoshop CS4)

Teatimer will have to be restarted after the update is applied. Or, just disable TeaTimer if you really don't need its "protection." One way to not need TeaTimer is to run your PC with reduced privileges, as a Power User or Standard User, rather than as an Administrator.

There is a possible false positive Registry entry detection of the BHO "PartnerHBO" that is being analyzed right now. There is another report of BHO entries for "Virtumonde.sci" in the Registry, but no matching files were found on the hard drive. These reports may be for "Orphaned" malware that was removed, but the Registry entries for it were left in place.

A false positive detection of "SpyLocked" - designating the entire Program Files directory as needing to be deleted (because of the presence of an exe file without a prefix), was fixed today. A VBScript used by Acer to search for updates created the empty filename that triggered the false alert.

There is an unresolved possible false positive detection of a Trojan in C:\Windows\System32\winsys2.exe. The reporter stated that this file is the executable associated with his MSI graphics card tools utility. The file was sent to Team Spybot for analysis 3 weeks ago, but they have not posted their findings. If you also get this file reported as a Trojan you should report it in the thread about this file on the Spybot False Positives forum.

Note. Spybot 1.5 x is now an OLD version and is unreliable in detections and removals!

If you keep getting a report of "Virtumonde," in c:Windows/system32/zipfldr.dll and you are running a version of Spybot S&D older than version 1.6.2, it is a probable false positive. That is a Windows system file that is automatically restored if you delete it. Any version of Spybot older than 1.6.2.46 will give false positive detections of Virtumonde and other threats, as the engine is now outdated and unable to comprehend new malware definitions. The fix: Update to the current version of Spybot S&D!

Some people running Windows 98 and ME have reported false positives of Virtumonde. They were not aware that the use of Spybot S&D on Windows versions older than W-2000 is no longer supported and is subject to many false positives and failed removals.

TeaTimer update issues and remedies:

TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.

Posted by Wiz at 2:13 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have decreased 3% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for knock-off (counterfeit) Chinese watches clothes and handbags, closely followed by male enhancement and fake pharmacy scams. Not ot be out-done, the Nigerian scammers were busy again last week, promoting their usual 419 and lottery scams.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Oct 26 - Nov 1, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Oct 26 - Nov 1, 2009. Spam amounted to 12% of my incoming email this week. This represents a -3% change from last week.

Counterfeit Watches & other knock-offs:	15.00%
Known Spam Domains:	10.00%
"Other Filters":	10.00%
Known Spam User Agent:	10.00%
HTML Tricks:	10.00%
Pharmaceutical Spam:	10.00%
Male Enhancement scams:	5.00%
Lottery Scams:	5.00%
Numeric IP threats:	5.00%
SUBJECT ALL CAPS:	5.00%
Base64 encoded spam messages:	5.00%
Blacklisted Senders:	5.00%
DNS Blacklisted Servers:	5.00%

The latest weekly updates to my custom MailWasher Pro filters was to the Pharmaceutical Spam [Subject] filter. I also added another email address to the MailWasher Blacklist. It is: [email protected] (fake Nigerian lawyer - 419 scammer). Everything else is working as it should. Without MailWasher Pro filtering out all the junk mail I would waste a lot more time deleting it my email program's inbox. If you're not already using MailWasher Pro to filter out spam, read on...

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

Posted by Wiz at 3:45 PM | Permalink

back to top ^