Wiz's Computer and Website Security Blog

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on January 27, 2010, as listed below. 10 new or modified fake security programs (fraudulent anti virus/spyware), and other malware downloads, were added to the "Malware" detections, plus 14 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

Remarkably, the old threat from ABetterInternet.Aurora has re-entered the Malware and Trojans categories, with new definitions, as their adware is once again being distributed by low-life affiliates.

Additions made on 01/27/2010

Keyloggers
++ Win32.Fung.hi

Malware
+ ABetterInternet.Aurora
++ Fraud.ApcSecure
++ Fraud.ArmorDefender
++ Fraud.DesktopSecurity2010
++ Fraud.ProtectDefender
++ Fraud.ProtectSoldier
++ Fraud.WinSecurity360
+ Smitfraud-C.
+ Win32.FraudLoad
+ Win32.Podnuha.rtk

Trojans
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.cqf
+ Win32.Agent.deot
++ Win32.Agent.dnzl
++ Win32.Agent.msg
++ Win32.Allaple.a1
+ Win32.Allaple.a2
++ Win32.Aurora
+ Win32.CeeInject
+ Win32.FakeAlert.ttam
+ Win32.Turkojan
+ Win32.ZBot

Spybot S&D currently has 1919113 fingerprints in 734138 rules for 5193 products.

False Positives Reported This Past Week

1: Spybot's Teatimer module mistakenly identified today's Java update, to version 6 Update 18, as "Win32.Fraudload." I trust this will be sorted out sometime today or tomorrow. Check for a sudden update to the False Positives definitions until one appears, dated 1/27/2010 or later.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, to immunize against all threats does require Admin privileges. If you. like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

Posted by Wiz at 3:21 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have thankfully decreased 10% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including Russian dating spam, fake diplomas and counterfeit brand name watches, male enhancement scams, counterfeit Viagra and the fake Canadian Pharmacy. My updated blacklisted senders list proved extremely effective again this week, auto-deleting ~17% of all incoming spam.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Jan 18 - 24, 2010, and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Jan 18 - 24, 2010. Spam amounted to 47% of my incoming email this week. This represents a -10% change from last week.

The latest weekly updates to my custom MailWasher Pro filters were to the Phishing Scam [B], Phishing Scam [S or F], Dating Spam, Known Spam [From] and Known Spam Domains filters. Everything else is working as it should. If you're not already using MailWasher Pro to filter out spam you should consider doing so! Read the next three paragraphs for more details about it.

I made the following additions to the MailWasher Pro Blacklist: (Use with caution!)
+@+.de
+@+.hk
+@+.tw
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]

These expressions instantly delete any messages with a "From" email address ending with one of those domains. Coupled with previous recent additions of +@*.hinet.net, +@+.jp, +@+.kr and +@+.ru, these expressions resulted in over 17% of spam being captured by the MWP Blacklist. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Posted by Wiz at 1:59 PM | Permalink

back to top ^

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on January 20 2010, as listed below. 15 new or modified fake security programs (fraudulent anti virus/spyware), and other malware downloads, were added to the "Malware" detections, plus 20 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

Additions made on 01/20/2010

Adware
++ Abox
++ Win32.Webdir.c

Malware (contains many fake security programs)
+ AdDestination
++ BPS.PerformanceCenter
+ Fraud.AntiMalwarePro
+ Fraud.AntivirusPro2010
++ Fraud.DefendAPc
++ Fraud.GhostAntivirus
+ Fraud.MalwareDefense
++ Fraud.SysDefender
+ Fraud.Sysguard
+ Fraud.XPPoliceAntivirus
+ Smitfraud-C.
++ Win32.Agent.sw
++ Win32.FakeAlert.ttam
+ Win32.FraudLoad
+ Win32.FraudLoad.edt

Pups (Potentially Unwanted Programs)
+ MyFreezeToolbar

Security
+ Microsoft.Windows.RedirectedHosts

Trojan (These are rootkits, backdoors, Bots and password stealers)
+ Fraud.SystemSecurity
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.alo
++ Win32.Agent.deot
++ Win32.Agent.sys
++ Win32.Agent.Winsts
+ Win32.Agent.ws
++ Win32.Autorun.sd
++ Win32.BHO.ttam
++ Win32.CeeInject
++ Win32.OnLineGames.mfaq
++ Win32.Rbot.ws
++ Win32.Sddrop.A
+ Win32.TDSS.bae
+ Win32.TDSS.reg
+ Win32.TDSS.rtk
+ Win32.ZBot
+ Win32.ZBot.rtk

Worm
+ Blackmail

Spybot S&D currently has 1868768 fingerprints in 718157 rules for 5183 products.

False Positives Reported

1: TeaTimer identified a MalwareBytes update as Perfect Keylogger and killed the process. This was fixed with today's updates, but, you may have to reinstall Adobe Reader.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

Posted by Wiz at 5:47 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased a whopping 25% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including Russian dating spam, fake diplomas and counterfeit brand name watches, counterfeit Viagra and the fake Canadian Pharmacy. My updated blacklisted senders list proved extremely effective again this week, auto-deleting ~27% of all incoming spam.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Jan 11 - 17, 2010, and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Jan 11 - 17, 2010. Spam amounted to 57% of my incoming email this week. This represents a +25% change from last week.

The latest weekly updates to my custom MailWasher Pro filters were to the Known Spam [From], Pharmaceuticals [B], Pharmaceuticals [S], Nigerian 419 Scams, Known Spam Domains, Western Union Scam, Lottery Scam, Dating Spam, UPS Phishing Scam #2, Diploma Spam and pirated Software filters. Everything else is working as it should. If you're not already using MailWasher Pro to filter out spam you should consider doing so! Read the next three paragraphs for more details about it.

I made the following additions to the MailWasher Pro Blacklist:
+@+.jp
+@+.kr
+@+.ru
martynov@+

These expressions instantly delete any messages with a "From" email address ending with one of those domains, or the prefix "martynov." Coupled with last week's addition of +@+.cn and +@+.hinet, these additions resulted in over 27% of spam being captured by the MWP Blacklist. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Posted by Wiz at 4:33 PM | Permalink

back to top ^

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on January 13, 2010, as listed below. 19 new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 24 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. And, modem dialers made a reappearance after a long period of inactivity.

Additions made on 01/13/2010

Dialer
+ eGroup.InstantAccess

Malware (contains many fake security programs)
+ BookedSpace
++ FatimaCollage
++ Fraud.AntispywareShield
++ Fraud.AntiVirusPC2009
+ Fraud.AntivirusPlus
+ Fraud.AntivirusXP
++ Fraud.APcDefender
+ Fraud.ControlCenter
++ Fraud.GreatDefender
++ Fraud.GuardPro
++ Fraud.InSysSecure
+ Fraud.MalwareDefense
+ Fraud.MalwareDoctor
+ Fraud.PCAntispyware2010
++ Fraud.PCsProtector
++ Fraud.SecurityCenter
++ Fraud.SpyEraser
++ Fraud.SpySheriff
++ Fraud.SysProtector
++ Fraud.SystemCleanerPro
++ Fraud.TotalPCDefender

PUPS (Potentially Unwanted Programs)
+ DoubleD
++ Softomate.BullseyeToolBar

Security
+ Microsoft.Windows.RedirectedHosts

Spyware
+ AdRotator
+ eXact Advertising.BargainsBuddy

Trojan (These are rootkits, backdoors, Bots and password stealers)
+ FakeAlert.cc
+ Supsav.Smss32
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.rar
++ Win32.Agent.rer
+ Win32.Agent.wlo
+ Win32.Bifrost.la
+ Win32.FakeAlert.ttam
++ Win32.FakeAntivir
++ Win32.FraudPack
++ Win32.Livemessn
++ Win32.Multidr-AH
+ Win32.OnLineGames.down
++ Win32.OnLineGames.mfdd
++ Win32.OnLineGames.mfdp
++ Win32.OnLineGames.uveh
+ Win32.Podnuha.rtk
+ Win32.TDSS.bae
+ Win32.TDSS.reg
+ Win32.TDSS.rtk
++ Win32.VB.em
+ Win32.ZBot

Spybot S&D currently has 1842388 fingerprints, in 709074 rules, for 5162 products.

False Positives Reported

In addition to definitions being added there were some false positive detections that can break harmless programs. This week's false positive reports and fixes are as follows:

1: A Registry Key created by the Group Policy Editor is being detected a malware. The particular change triggering this false positive is enabling "Remove Search From the Start Menu". We await a fix...

2: TeaTimer identified a MalwareBytes update as Perfect Keylogger and killed the process. Standby for more details and a fix.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

Posted by Wiz at 12:26 AM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased a whopping 15% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, led by spam for Viagra, casinos, pirated software, counterfeit watches, the fake Canadian Pharmacy and other pharmaceuticals, and fake diplomas. Saturday, Jan 9, was the "spamiest" day this week. My blacklisted senders list proved effective again this week, catching ~13% of all incoming spam.

Not included in my statistics were several spam messages sent from hijacked PCs, faking a personal friend's account as the sender. The same message was sent to his entire group of contacts. The only body content was a link which led to an exploit web page, hosted on computers in a Botnet, all running an Nginx web server, from Russia. The exploit was based on a bogus Flash Player upgrade file, which is a Trojan Horse.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Jan 3 - 10, 2010, and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Jan 3 - 10, 2010. Spam amounted to 32% of my incoming email this week. This represents a +15% change from last week.

The latest weekly updates to my custom MailWasher Pro filters were to the Known Spam Subjects #3, Known Spam Domains, Watches, Casinos and Viagra.com filters. I found that I needed to move the Casino filter above the software filter, because the subject "software" is being used in casino spam (probably a Trojan download). Everything else is working as it should. If you're not already using MailWasher Pro to filter out spam you should consider doing so! Read the next three paragraphs for more details about it.

I made one new addition to the MailWasher Pro Blacklist: +@+.cn - which instantly deletes any messages claiming to come from a Chinese mail domain. This, along with the recent addition of the hinet domain filter (+@*.hinet.net) resulted in over 13% of spam being captured by the MWP Blacklist. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Posted by Wiz at 2:29 PM | Permalink

back to top ^

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on January 6, 2010, as listed below. 7 new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 12 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

The latest new or modified "Malware" category threats are all fake security programs and scans. The names used by Spybot S&D are as follows:
++ Fraud.APCProtect
++ Fraud.MalwareCrush
+ Fraud.PersonalSecurity
+ Fraud.SecurityTool
+ Fraud.Sysguard
++ Win32.Archivos
++ Win32.Piasolef

PUPS "PUPs" means Potentially Unwanted Programs
++ MyFreezeToolbar
++ MyWay.FrontierBa

Security
+ Microsoft.Windows.RedirectedHosts

Spyware
+ AdRotator

The latest "Trojans" that were added or updated are:
+ Goldun
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.wu
++ Win32.OnLineGames.bgnk
++ Win32.OnLineGames.bkvr
++ Win32.OnLineGames.mfda
++ Win32.OnLineGames.ukzl
++ Win32.OnLineGames.ulfx
+ Win32.ZBot
+ Win32.ZBot.rtk
+ Zlob.Downloader.miu

Spybot S&D currently has 1826889 fingerprints in 703957 rules for 5120 products.

False Positives Reported

In addition to definitions being added there were some adjustments that were made to fix false positive detections that can break harmless programs. This week's false positive reports and fixes are as follows:

1: "Heuristics" scans detecting various jpg and thumbs.db files as "Fraud.SecurityTool" is a false positive, it was fixed with the detection updates on Jan 6, 2010.

2: A false positive in XYplorer installer, detected as Fraud.SecurityTool, was fixed on 1/6/2010.

3: Spybot S&D, McAfee SiteAdvisor and hpHosts have started to flag http://hazeleger.net and www.hazeleger.net as bad redirected host file entries (in HOSTS immunizations). There may have been a few infected hosts on their services, which seem to have been cleaned up, and one wrongly flagged piece of software called Foxtool. There appears to be no reason to block hazeleger.net, or Foxtool, generally speaking.

4: A false positive detection in the RedCrab calculator, as "Fraud.SecurityTool," was fixed on Jan 6.

5: A false positive detection of 2 files that were flagged as "Fraud.SecurityTool," on a software install CD, in "Dictionary.xml" and "msxml6.msi" was fixed this week.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

Posted by Wiz at 5:27 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 3% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including spam for Viagra, pirated software, counterfeit watches, the fake Canadian Pharmacy and other fake pharmacies, phony loans, fake diplomas, plus some Nigerian 419 scams. Thursday, Dec 31 was the "spamiest" day this week. My blacklisted senders list proved effective again this week, catching 10% of the incoming spam.

Not included in my statistics were several spam messages sent from hijacked PCs, faking a personal friend's account as the sender. The same message was sent to his entire group of contacts. The only body content was a link which led to an exploit web page, hosted on computers in a Botnet, all running an Nginx web server, from Russia. The exploit was based on a bogus Flash Player upgrade file, which is a Trojan Horse.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Dec 28, 2009 - Jan 3, 2010, and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Dec 28, 2009 - Jan 3, 2010. Spam amounted to 17% of my incoming email this week. This represents a +3% change from last week.

The latest weekly updates to my custom MailWasher Pro filters were to the Male Enhancement [S] and Phishing Scams [S] filters. Everything else is working as it should. If you're not already using MailWasher Pro to filter out spam you should consider doing so! Read the next three paragraphs for more details about it.

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Posted by Wiz at 3:55 PM | Permalink

back to top ^