Wiz's Computer and Website Security Blog

Starting with Firefox 3.6.4, Mozilla added a new feature called Crash Protection. This feature watches over three (initially Flash, Silverlight and Quicktime) plug-ins and isolates their tabs, if or when a supported plug-in crashes. Since the browser itself survives the crash, It is possible to reload that tab and hopefully, load the affected plug-in correctly.

However, soon after Firefox 3.6.4 was released, numerous complaints began arriving at Bugzilla, claiming that the new crash protection was making it impossible for those affected to play "Farmville." Apparently, the timeout for detecting a crash was too short, and Farmville was taking too long to load its Flash presentations. The page would halt loading with this message: "The Adobe Flash plugin has crashed."

To rectify the problem Mozilla rushed out Firefox 3.6.6, with a higher timeout of 45 seconds. That should fix the timeout problem for hi-speed broadband customers, but those on low speed broadband (e.g. mobile broadband modems, smartphones, netbooks), less than stellar satellite Internet and dial-up Internet services will still be affected by these timeouts. So, here is a manual workaround that allows you to specify a new timeout value, or even disable the crash protection completely.

How to disable or increase plug-in hang protection in Firefox 3.6.4+

You can disable hang protection to prevent Firefox from killing a hanging plug-in process, regardless of how long it's taking. Crashes in the plug-in will still be caught and will not terminate the browser process.

1. In the Location bar, type about:config and press EnterReturn.
   * The about:config "This might void your warranty!" warning page may appear. Click I'll be careful, I promise!, to continue to the about:config page.
2. The about:config page should appear. In the Filter box, type, or copy and paste: dom.ipc.plugins.timeoutSecs
3. Double click the setting and change the number to -1 to disable hang protection.
4. To maintain crash protection, change the value to a higher timeout, in seconds.
   ** Example: "45" means Firefox waits 45 seconds before declaring that a plug-in has crashed and halts the loading of the page.

You can apply this technique anytime an important web page is hanging because a plug-in is taking too long to load and Firefox declares that it crashed. You can undo your changes by lowering the timeout for normal crash protection.

Posted by Wiz at 4:35 PM | Permalink

back to top ^

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule, as listed below. These detections include new or modified fake (rogue) security programs (fraudulent anti virus/spyware; scareware) (Malware), Trojan downloaders, password stealers, rootkits, DDoS attack bots and spam bots. It is imperative to keep your security tools updated and scan frequently for malware threats.

Additionally, as of June 2, 2010, Spybot S&D now includes detections for iPhone malware threats. These will be updated as needed (+ or -).

PUPS are Possibly Unwanted/Unpopular Programs. They appeal to many social networkers but may track your surfing habits and report on your computer configuration, without your explicit knowledge. These often include some smiley programs, screensavers and browser toolbars.

Spyware includes applications that track your surfing and report to a third party without your permission, and keyloggers that steal logon information to your bank, trading company, website and server control panels, Paypal, eBay, etc.

Trojans pretend to be a required missing Codec, Flash update, plug-in, or news report, or porn player, whereas they are really the worst malware that installs remote control (Bot) software and rootkits into your PC. Like the Trojan Horse of ancient Troy, once installed, Trojan Horse programs hand the keys to your PC castle to cybercriminals!

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Definition updates made on 06/30/2010

Malware
+ AntiSpyWare2007
+ Fraud.AntimalwareDoctor
++ Fraud.AVSecuritySuite
+ Fraud.DrGuard
+ Fraud.Sysguard
+ Win32.FraudLoad
+ Win32.FraudLoad.edt
+ Win32.FraudPack

Trojans
+ Virtumonde.dll
+ Virtumonde.sdn
+ Win32.Bifrost
++ Win32.OnLineGames.bkxl
++ Win32.OnLineGames.mfcv
++ Win32.OnLineGames.mffn
++ Win32.OnLineGames.mffr
++ Win32.OnLineGames.mfhn
++ Win32.OnLineGames.tolp
++ Win32.OnLineGames.tonv
++ Win32.OnLineGames.torh
++ Win32.OnLineGames.urjh
++ Win32.OnLineGames.urnw
++ Win32.OnLineGames.uvev
++ Win32.OnLineGames.uwgv
+ Win32.Runouce.ch2
+ Win32.ZBot

Total: 2933640 fingerprints in 1010577 rules for 5654 products.

False Positives Reported This Past Week

A couple of people have reported a false positive detection of Virtumonde.sdn in System32\lvcoinst.dll. That file belongs to a Logitech Quick Cam driver. It was corrected today.

Some issues that prevented people using Spybot S&D from reaching or logging into AdultFriendFinder were fixed today.

Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, to immunize against all threats does require Admin privileges. If you. like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

Malware fingerprints are frequently changed by their purveyors, to slip past definition based anti-malware tools. As malware detections and behavioral analysis modules increase in complexity, so does the possibility of false positives. For this reason it is often a good idea to quarantine suspected malware rather than deleting it, until the next weekly Spybot definitions have been released. Scan the quarantined items again and if they are still detected as malware, delete them after a week or two. You can also open a new thread on the Spybot False Positives Forum to see if your detection is real, or a false positive.

If you are running several brands of security software, make sure that only one active protection (realtime monitoring) feature runs at a time. In case you want to deactivate the TeaTimer, to avoid conflicts, you can do this in Spybot S&D advanced mode in Tools - Resident, as described above.

Posted by Wiz at 2:44 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 8% this week, to 62% of all my incoming email. This decline is partly caused by my rerouting all Russian spam to a blackhole on my server. Previously, I allowed MailWasher to classify and auto-delete all Russian sent and Russian language spam. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw another typical variety of categories of spam, led by fake Viagra, counterfeit diplomas, Russian spam, male enhancement and pirated software. Keep the Viagra, Russian sender, counterfeit diplomas, male enhancement and pirated software filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

If you are also getting a lot of unreadable Russian spam, my custom MailWasher "Russian Sender" filter and a Blacklist addition of +@+.ru should kill all of it, if set to Automatically Delete. You can kill this Russian junk off of your domain email system, if you are hosted on a cPanel website. Go to the Email Account Level Filtering and add the following conditions and rule: If ANY HEADER contains: "koi8-r" OR if the BODY contains: "charset=koi8-r" - Discard Message.

My blacklisted senders list was slightly effective this week, auto-deleting 5.71% of all incoming spam. Many of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for June 21 - 27, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

MailWasher Pro spam category breakdown for June 21 - 27, 2010. Spam amounted to 62% of my incoming email this week. This represents -8% change from last week.

Here are some facts from my MailWasher Statistics for the past week. Of the 516 incoming email messages that were classified as spam, 440 were classified by my custom filters, 27 were from my custom Blacklist and 6 from the DNS Servers Blacklist (mostly the SpamCop Blocklist (SBL)). I only saw 34 spam messages (but classified by filters set to manual deletion, for safety), all of which I reported through my SpamCop reporting account. The rest were automatically deleted by my custom filters and Blacklist. See the updates to my filters below the spam categories list.

There were 5 updates to my custom spam filters this week, and 3 updates were added to the blacklist. The latest updates to my custom MailWasher Pro filters were to these filters:

Phishing Scam [B]
Phishing Scam [S or F]
Software
Twitter Scam
New filter: Courier Scam #4

The following recent MailWasher Pro Email Blacklist entries were able to block ~6% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.br
+@+.cn
+@+.de
+@+.es
+@+.gr
+@+.hk
+@+.in
+@+.jp
+@+.kr
+@+.ru
+@+.tw
+@+.ua
+@+.vn
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
notification*@googlemail.com
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
*discount*@yahoo.com
*viagra*@+
[email protected]
lovepil*@yahoo.com
[email protected]
+@+.net.co
lovepil*@yahoo.com
oemsoftware*@+
softwareoem*@+
*[email protected] (New)
medical*@yahoo.com (New)
+@+.roma6ka.com (New)

Note: The blacklist expressions in large type are extremely effective! Note, that is you set a custom filter to Take Precedence over the Friends list, it also overrides the Blacklist, which is in the same file.

About MailWasher Pro

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

I am available for hire to write custom MailWasher Pro filters for you or your company. They require that you have a copy of MailWasher on each computer to be customized.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Posted by Wiz at 3:15 PM | Permalink

back to top ^

Vulnerability identifier: Adobe security advisory APSB10-15 - a.k.a. CVE-2010-1297

On June 29, 2010, Adobe is planning to release updates for Adobe Reader 9.3.2 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.2 for Windows and Macintosh, and Adobe Reader 8.2.2 and Acrobat 8.2.2 for Windows and Macintosh to resolve critical security issues in the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This has been known about since June 4 and is being exploited in the wild.

According to the advisory, "the June 29, 2010 updates represent an accelerated release of the next quarterly security update originally scheduled for July 13, 2010. With this accelerated schedule, Adobe will not release additional updates for Adobe Reader and Acrobat on July 13, 2010."

UPDATE: June 29, 2010

As scheduled, Adobe has released patched versions 9.3.3 and 8.2.3 of its pdf Acrobat and Reader. 17 vulnerabilities were fixed in this update, including one zero-day flaw that has been exploited in the wild. I applied this update to my XP SP 3 computer and it required a reboot to complete, and your computer may also require a restart, depending on the OS. Be prepared to save any work in progress and reboot after you receive this update, whether manually or automatically.

Adobe warned about that vulnerability, which also affected Flash Player, on June 4, 2010, and plugged the hole in Flash on June 10. If you haven't updated Flash for all of your browsers, do so now, at http://www.adobe.com/go/EN_US-H-GET-FLASH, or from http://get.adobe.com/flashplayer/.

If you are currently using the latest version of Adobe Reader or Acrobat, you should have automatic checking for updates and notification of availability turned on by default, unless you purposely turned this safety feature off. That means that when the check for updates is run after these updates are pushed out, you will be notified about their availability and can download the update. If you set your Updates preference to automatically download and install the updates, this will happen automatically, in the background. This could be the same day, or the next day, depending on what time your Adobe Reader checks for updates. You can also run a manual check for updates, via the Help menu > Check for Updates.

You can set or reset your preferences for Adobe Reader and Acrobat update checking, via Edit > Preferences > Updater. I recommend "Automatically Install Updates." Note, that you must use Administrator credentials to check for and apply updates to Adobe Reader and Acrobat. This can be done from a less privileged account by right clicking on the desktop or Start Menu icon for Adobe Reader/Acrobat and choosing "Run As" (Administrator).

If you are running Ubuntu or Debian Linux, you must update Adobe Reader via the Updates Manager, found under the Menu item: Administration. An Administrator password is required to check for and install updates.

Please apply the security update to all PCs running Adobe Reader and or Acrobat, as the vulnerability is critical and if exploited, may lead to complete takeover of unpatched PCs. From that point on, anything goes.

Posted by Wiz at 12:18 AM | Permalink

back to top ^

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule, as listed below. These detections include new or modified fake (rogue) security programs (fraudulent anti virus/spyware; scareware) (Malware), Trojan downloaders, password stealers, rootkits, DDoS attack bots and spam bots. It is imperative to keep your security tools updated and scan frequently for malware threats.

Additionally, as of June 2, 2010, Spybot S&D now includes detections for iPhone malware threats. These will be updated as needed (+ or -).

PUPS are Possibly Unwanted/Unpopular Programs. They appeal to many social networkers but may track your surfing habits and report on your computer configuration, without your explicit knowledge. These often include some smiley programs, screensavers and browser toolbars.

Spyware includes applications that track your surfing and report to a third party without your permission, and keyloggers that steal logon information to your bank, trading company, website and server control panels, Paypal, eBay, etc.

Trojans pretend to be a required missing Codec, Flash update, plug-in, or news report, or porn player, whereas they are really the worst malware that installs remote control (Bot) software and rootkits into your PC. Like the Trojan Horse of ancient Troy, once installed, Trojan Horse programs hand the keys to your PC castle to cybercriminals!

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Definition updates made on 06/22/2010

Malware
+ Fraud.AntimalwareDoctor
+ Fraud.Antivirus
+ Fraud.Antivirus7
++ Fraud.DefenseCenter
++ Fraud.EcoAntivirus
+ Fraud.RCommander
+ Fraud.Sysguard
++ Fraud.SysinternalsAntivirus
+ Win32.FraudLoad
+ Win32.FraudLoad.edt
+ Win32.Podnuha.rtk

PUPS
+ DoubleD.HottieStarToolbar

Security
+ Microsoft.Windows.RedirectedHosts

Spyware
+ AdRotator
++ iPhone.Spyware.PinchMedia.ActionMethod
++ iPhone.Spyware.PinchMedia.AjiReaderPDF
++ iPhone.Spyware.PinchMedia.GasCubbybyFRAMMPG&CarMaintenance
++ iPhone.Spyware.PinchMedia.NightstandWeatherClockFree
+ Win32.Spynet.a

Trojans
+ Fraud.UPSInvoice
++ Sasan
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.fbx
+ Win32.Agent.mwl
+ Win32.Agent.psr
+ Win32.Agent.sc
+ Win32.Agent.wur
+ Win32.BHO.ttam
+ Win32.FakeAlert.ttam
+ Win32.FraudPack
+ Win32.Muollo
+ Win32.OnLineGames.down
++ Win32.OnLineGames.mfey
++ Win32.OnLineGames.mffe
++ Win32.OnLineGames.mfgs
+ Win32.Runouce.ch2
++ Win32.Small.ttam
+ Win32.TDSS.rtk
+ Win32.ZBot
+ Win32.ZBot.rtk
+ Zlob.ImageActiveXAccess

Total: 2928345 checksums in 1009233 rules for 5651 products.

This week's false positive reports and program usage instructions are in the extended content.

False Positives Reported This Past Week

Two possible false positives were reported this past week.

1: A confirmed false positive detection of "Virtumonde.sdn" in c:\windows\jestertb.dll belonged to a flash tool that was made with flashjester.

2: One user reported a false positive detection of "2Search" during an Nvidia video driver update. He has submitted a copy of its nviewsetup.exe for confirmation.

Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, to immunize against all threats does require Admin privileges. If you. like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

If you are running several brands of security software, make sure that only one active protection (realtime monitoring) feature runs at a time. In case you want to deactivate the TeaTimer, to avoid conflicts, you can do this in Spybot S&D advanced mode in Tools - Resident, as described above.

Posted by Wiz at 11:15 AM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 4% this week, to 70% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw another typical variety of categories of spam, led by lots of unreadable Russian language spam, counterfeit Viagra, counterfeit college diplomas and counterfeit watches. Runners up were the bogus Canadian Pharmacy and Male Enhancement scams. Keep the Viagra, Canadian Pharmacy, Russian Sender, counterfeit Watches and Diploma filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

If you are also getting a lot of unreadable Russian spam, my custom MailWasher "Russian Sender" filter and a Blacklist addition of +@+.ru should kill all of it, if set to Automatically Delete.

My blacklisted senders list was effective this week, auto-deleting ~7% of all incoming spam. Many of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for June 14 - 20, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

MailWasher Pro spam category breakdown for June 14 - 20, 2010. Spam amounted to 70% of my incoming email this week. This represents +4% change from last week.

Here are some facts from my MailWasher Statistics for the past week. Of the 587 incoming email messages that were classified as spam, 533 were classified by my custom filters, 40 were from my custom Blacklist and 4 from the DNS Servers Blacklist (mostly the SpamCop Blocklist (SBL)). I only saw 29 spam messages (but classified by filters set to manual deletion, for safety), all of which I reported through my SpamCop reporting account. The rest were automatically deleted by my custom filters and Blacklist. See the updates to my filters below the spam categories list.

There were no updates to my custom spam filters this week, but 2 updates were added to the blacklist. The existing filters are working just fine!

The following recent MailWasher Pro Email Blacklist entries were able to block ~7% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.br
+@+.cn
+@+.de
+@+.es
+@+.gr
+@+.hk
+@+.in
+@+.jp
+@+.kr
+@+.ru
+@+.tw
+@+.ua
+@+.vn
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
notification*@googlemail.com
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
*discount*@yahoo.com
*viagra*@+
[email protected]
lovepil*@yahoo.com
[email protected]
+@+.net.co
lovepil*@yahoo.com
oemsoftware*@+ (New)
softwareoem*@+ (New)

Note: The blacklist expressions in large type are extremely effective!

About MailWasher Pro

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

I am available for hire to write custom MailWasher Pro filters for you or your company. They require that you have a copy of MailWasher on each computer to be customized.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Posted by Wiz at 12:51 PM | Permalink

back to top ^

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule, as listed below. These detections include new or modified fake security programs (fraudulent anti virus/spyware; scareware), Trojan downloaders, password stealers, rootkits, DDoS attack bots and spam bots. It is imperative to keep your security tools updated and scan frequently for malware threats.

Additionally, as of June 2, 2010, Spybot S&D now includes detections for iPhone malware threats. These will be updated as needed (+ or -).

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Definition updates made on 06/16/2010

Adware
+ Tencent.AdressBar

Malware
+ Fraud.AntimalwareDoctor
++ Fraud.Antivirus2009
++ Fraud.QIPGuard
+ Fraud.SecurityTool
+ Fraud.Sysguard
+ Fraud.VolcanoSecuritySuite
+ SpywareBOT (This ripoff pretends to be Spybot S&D)
++ Win32.DotTorrent
+ Win32.FraudLoad
+ Win32.FraudLoad.edt
++ Win32.FraudLoad.pc
+ Win32.FraudPack

Pups (PUPS means Potentially Unwanted Programs)
++ DoubleD.HottieStarToolbar
++ SweetIM

Spyware
+ AdRotator
+ AlexaToolbar
+ Fake.AdobeUpdater
+ ShopNav
+ Win32.Spynet.a

Trojans
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.bkr
++ Win32.Agent.chs
+ Win32.Agent.fbx
++ Win32.Agent.mwl
++ Win32.Agent.psr
++ Win32.Agent.ssp
++ Win32.Agent.tsr
++ Win32.Agent.wur
+ Win32.Ambler
+ Win32.Muollo
+ Win32.Runouce.ch2
+ Win32.TDSS.rtk
+ Win32.ZBot
+ Win32.ZBot.rtk

Total: 2887130 fingerprints in 994747 rules for 5636 products.

This week's false positive reports and program usage instructions are in the extended content.

False Positives Reported This Past Week

One possible false positive is being investigated this past week..

C:\WINDOWS\SoftwareDistribution\Download\Install\NDP1.1sp1-KB979906-X86.exe was
identified as SpyArsenal.HomeKeyLogger. This may be a legitimate Windows Update file. Team Spybot is still waiting for the file to be sent to them for analysis, by the person who reported it.

Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, to immunize against all threats does require Admin privileges. If you. like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

If you are running several brands of security software, make sure that only one active protection (realtime monitoring) feature runs at a time. In case you want to deactivate the TeaTimer, to avoid conflicts, you can do this in Spybot S&D advanced mode in Tools - Resident, as described above.

Posted by Wiz at 4:17 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 4% this week, to 66% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw another typical variety of categories of spam, led by lots of unreadable Russian language spam, counterfeit Viagra, fake diplomas and counterfeit watches. Runners up were the bogus Canadian Pharmacy and Male Enhancement scams. Keep the Viagra, Canadian Pharmacy, Russian Sender, counterfeit Watches and Diploma filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

If you are also getting a lot of unreadable Russian spam, my custom MailWasher "Russian Sender" filter and a Blacklist addition of +@+.ru should kill all of it, if set to Automatically Delete.

My blacklisted senders list was effective this week, auto-deleting ~7% of all incoming spam, which included a huge amount of the aforementioned Russian language spam (see my extended content for details). I saw a slight increase in the number of emails forging my own accounts as the senders, with 50 this week, which was ~10% of my total spam. Many of these spam messages also included the same account names in the Subject and all were selling fake Viagra. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for June 7 - 13, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

MailWasher Pro spam category breakdown for June 7 - 13, 2010. Spam amounted to 66% of my incoming email this week. This represents +4% change from last week.

Here are some facts from my MailWasher Statistics for the past week. Of the 470 incoming email messages that were classified as spam, 414 were classified by my custom filters, 31 were from my custom Blacklist and 1 from the DNS Servers Blacklist (mostly the SpamCop Blocklist (SBL)). I actually only saw 17 spam messages, all of which I reported through my SpamCop reporting account. The rest were automatically deleted by my custom filters and Blacklist. See the updates to my filters below the spam categories list.

This was a slow week for updates/tweaking to my custom spam filters. There was an upsurge in the number of Viagra.com spam and spam for fake diplomas, so I updated those filters. The latest updates to my custom MailWasher Pro filters were to these filters:

Diploma Spam
Viagra.com Spam

The following recent MailWasher Pro Email Blacklist entries were able to block ~7% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.br
+@+.cn
+@+.de
+@+.es
+@+.gr
+@+.hk
+@+.in
+@+.jp
+@+.kr
+@+.ru
+@+.tw
+@+.ua
+@+.vn
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
notification*@googlemail.com
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
*discount*@yahoo.com
*viagra*@+
[email protected]
lovepil*@yahoo.com
[email protected]
+@+.net.co
lovepil*@yahoo.com

Note: The blacklist expressions in large type are extremely effective!

About MailWasher Pro

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

I am available for hire to write custom MailWasher Pro filters for you or your company. They require that you have a copy of MailWasher on each computer to be customized.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Posted by Wiz at 4:17 PM | Permalink

back to top ^

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule, as listed below. These detections include new or modified fake security programs (fraudulent anti virus/spyware; scareware), Trojan downloaders, password stealers, rootkits, DDoS attack bots and spam bots. It is imperative to keep your security tools updated and scan frequently for malware threats.

Additionally, as of June 2, 2010, Spybot S&D now includes detections for iPhone malware threats. There were too many new additions today to bother listing them all.

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Definition updates made on 06/09/2010

Malware
++ Fraud.IPClear
++ Fraud.ProtectionCenter
++ Fraud.SecurityMasterAV
++ Fraud.SpywareCleaner2010
++ Fraud.VaccineCenter
++ Fraud.WinGuard
+ Win32.FraudLoad.edt

Pups (Potentially Unwanted Programs)
+ FastBrowserSearchToolbar
+ GameVance
+ Hotbar

Security
+ Microsoft.Windows.RedirectedHosts

SpywareSpyware
+ AdRotator
Dozens of various iPhone.Spyware.(AdMob/Flurry/PinchMedia/GoogleAnalytics) variations

Trojans
+ Supsav.Smss32
++ Vapsup
+ Virtumonde
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.cc
++ Win32.Agent.dif
+ Win32.Agent.fbx
++ Win32.Agent.ima
++ Win32.Agent.wex
+ Win32.Agent.ws
+ Win32.Bifrost
+ Win32.FakeAlert.ttam
++ Win32.IRCBot.rw
++ Win32.Muollo
++ Win32.Rbot.pc
+ Win32.Runouce.ch2
+ Win32.ZBot
+ Win32.ZBot.rtk
++ Xort.trj

Worms
+ Win32.Amburadul

Total: 2877962 fingerprints in 992400 rules for 5611 products

This week's false positive reports and program usage instructions are in the extended content.

False Positives Reported This Past Week

Two false positives were reported this past week..

A false positive detections of Virtumonde.sdn: in the Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs=...wmfhotfix.dll... was fixed with today's updates.

Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, to immunize against all threats does require Admin privileges. If you. like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

If you are running several brands of security software, make sure that only one active protection (realtime monitoring) feature runs at a time. In case you want to deactivate the TeaTimer, to avoid conflicts, you can do this in Spybot S&D advanced mode in Tools - Resident, as described above.

Posted by Wiz at 5:10 PM | Permalink

back to top ^

I don't know if a Botnet has been mis-programmed, or if some Russian spammers have mistaken my domain for a Russian speaking domain, but I am seeing huge amounts of unreadable Russian language spam over the past month. However, I doubt that I am the only totally English speaking person in the USA who is getting this unintelligible Cyrillic spam.

The why's are unimportant to me, or to you, if you are also getting foreign language spam. A few years ago I was getting Chinese language spam, which is totally weird to look at. Both the Russian and Chinese alphabets look like something out of Star Trek to me. Most people are annoyed when they get any spam at all. But, getting spam you can't even read is worse. Since I can't read the content I have no use in looking at this crap, so I have created spam filters to automatically delete it off my email servers, and I will share them with you.

I have certain systems in place to filter out spam before I download it, but you all might have altogether different measures in place. I will outline my countermeasures, then suggest others that you may be able to use.

My primary tool in the war to secure my inbox is an anti-spam program called MailWasher Pro (MWP). It is a desktop application that intercepts all incoming POP3 email, from all of the various email servers that I use to get and send email. In my extended comments I will reveal two powerful filters that I have created, which combined will automatically delete 100% of the Cyrillic coded spam sent to my various POP3 accounts.

My second tool is my desktop email client; Windows Live Mail (WLM). This is the most recent child of the no longer supported Outlook Express email client, from Microsoft. Outlook Express died when Windows Vista was released. At the same time, Windows Mail was included with Vista. With the advent of Windows 7, Windows Live Mail is the only email client available from Microsoft, as an optional download. Unlike Outlook Express, Windows Live Mail includes a junk filter module, which receives updates from time to time. You can also block incoming messages from your inbox by applying the new "International" filter, which reads the sender's From address or language encoding. If the domain listed in the From field, or the text coding matches one on the blocked countries list, it automatically goes to the Junk Mail folder, or is automatically deleted, according to your choices.

The previous anti spam countermeasures are for people using a POP3 or IMAP desktop email client to download, read, compose and send email. But, many people are still using browser based email systems, like Hotmail, Yahoo, AOL, Comcast, Charter, and other proprietary mail systems from free mail providers, or from their web hosting companies. You folks must search out and apply any junk mail rules available from your email service. I will show you how to apply junk filters to Yahoo and Hotmail, using your web browsers.

Most web hosting accounts now come with the option to enable Spam Assassin. You can turn on Spam Assassin and add the regular expression to block any "From" address containing the domain .ru

Solutions for blocking Russian language spam

MailWasher Pro users

If you use MailWasher Pro to filter out spam before it is downloaded to your desktop email client, the following rules can be applied to block 100% of Russian language spam.

Blacklist addition: +@+.ru
Set the Blacklist options to automatically delete blacklisted addresses, without notification.

Custom filter addition:
Create a new filter, titled: "Russian Sender" (use same Status description). Set the condition to "Any rule below is satisfied." Add these conditions, each on a separate code line:

• Entire Header, Contains: charset="koi8-r";
• Entire Header, Contains: Subject: =?koi8-r
• Entire Header, Contains: From: =?koi8-r
• Entire Header, Contains Regular Expression: HELO\s.+\.ru
• Entire Header, Contains Regular Expression: \(envelope-from\ <.+@.+\.ru>\)
• Entire Header, Contains Regular Expression: Message-ID:\s<.+@.+\.ru>
• Body, Contains: charset=3Dkoi8-r

1. Takes precedence over the friend's list
2. Delete the mail
3. Automatically without notification

1. Create a "new mail rule" (Tools > Message Rules > Mail)
2. Check the condition "Where the FROM line contains people"
3. Click on the blue underlined words in the edit description box below the conditions lists
4. Type .ru into the input field
5. Click "Add"
6. Give a name to the rule, like "Russian Sender" - in the bottom input field
7. Click OK to save the message rule

With WLM open click on the menu item "Tools" > "Safety Options" and set these options:

• Options Tab: Choose Low or High detection level (Low is safer)


• If, after a while, you find that there are no false positive classifications of Junk, check the option to "permanently delete junk rather than moving it to the Junk folder."


• International Tab: Click on the "Blocked Top-Level Domain List" button


• Select all undesirable country domain suffixes, especially .ru (Russia) and .ua (Ukraine)


• Click OK


• Click on the "Blocked Encoding List" button


• Check unwanted language encoding types, especially "Cyrillic"


• Click OK


• Click OK again to close the Safety Options

Sign into your Hotmail account. Click on the upper right side link labeled Options, then on the drop down link: More Options. Click on Filters and Reporting. Select the "Low" level of detection option (only Obvious junk e-mail is sent to the junk e-mail folder), then go to the next section, "Select when junk mail is deleted," and if you are confident in the Hotmail junk filter accuracy, select "Immediately." Select Report Junk to help others, then click Save, in the lower right.

Login to your Yahoo! Mail account and click on the upper right side link: "Options," then on "More Options," from the flyout list. Click on the "Spam" link in the left sidebar. Make sure you have a check mark to "Automatically send suspected spam to my Spam folder." Choose a time interval to "Empty Spam folder" (choose Once a week or Immediately).

Next, click on the sidebar link for "Filters." Click to "Add A Filter" and name it "Russian Sender." In the first input field select "Sender" with the action: "Contains" and the variable entry: .ru. Choose the folder where you want Russian senders to be routed. I selected Trash, but you may prefer the Spam folder. Now click on the upper left button labeled: "Save Changes."

Posted by Wiz at 11:31 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 3% this week, to 62% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw another typical variety of categories of spam, led by blacklisted domains, counterfeit Viagra, counterfeit watches, and lots of unreadable Russian language spam. Keep the Viagra, Russian Sender, counterfeit Watches filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

If you are also getting a lot of unreadable Russian spam, my custom MailWasher "Russian Sender" filter and a Blacklist addition of +@+.ru should kill all of it, if set to Automatically Delete.

My updated blacklisted senders list proved extremely effective this week, auto-deleting ~35% of all incoming spam, which included a huge amount of the aforementioned Russian language spam (see my extended content for details). I saw another decrease in the number of emails forging my own accounts as the senders, with 45 this week, which was ~9% of my total spam. Many of these spam messages also included the same account names in the Subject and all were selling fake Viagra. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for May 31 - June 6, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

MailWasher Pro spam category breakdown for May 31 - June 6, 2010. Spam amounted to 62% of my incoming email this week. This represents +3% change from last week.

Here are some facts from my MailWasher Statistics for the past week. Of the 461 incoming email messages that were classified as spam, 284 were classified by my custom filters, a whopping 157 were from my custom Blacklist and 2 from the DNS Servers Blacklist (mostly the SpamCop Blocklist (SBL)). I actually only saw 16 spam messages, all of which I reported through my SpamCop reporting account. The rest were automatically deleted by my custom filters and Blacklist. See the updates to my filters below the spam categories list.

This was a medium week for updates/tweaking to my custom spam filters. There was an upsurge in the number of Canadian Pharmacy spam, so I updated the filter. I also replaced filters2 and filters3 with my own current set. The latest updates to my custom MailWasher Pro filters were to these filters:

Counterfeit Goods
Male Enhancement [B]
Pharmaceuticals [S]
Phishing Scam [S or F]
Watches
Added "TakesPrecedence" to the Russian Sender filter

The following recent MailWasher Pro Email Blacklist entries were able to block ~30% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.br
+@+.cn
+@+.de
+@+.es
+@+.gr
+@+.hk
+@+.in
+@+.jp
+@+.kr
+@+.ru
+@+.tw
+@+.ua
+@+.vn
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
notification*@googlemail.com
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
*discount*@yahoo.com
*viagra*@+
[email protected] (still an Important filter!)
lovepil*@yahoo.com
[email protected]
+@+.net.co
lovepil*@yahoo.com (New)

Note: The blacklist expressions in large type are extremely effective!

About MailWasher Pro

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

I am available for hire to write custom MailWasher Pro filters for you or your company. They require that you have a copy of MailWasher on each computer to be customized.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Posted by Wiz at 3:54 PM | Permalink

back to top ^