Wiz's Computer and Website Security Blog

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule, as listed below. These detections include new or modified fake (rogue) security programs (fraudulent anti virus/spyware; scareware) (Malware), Trojan downloaders, password stealers, rootkits, DDoS attack bots and spam bots. It is imperative to keep your security tools updated and scan frequently for malware threats.

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

An anti-spyware program that is updated once a week cannot protect you from malware threats created or modified and released in the last 24 - 48 hours. If you want realtime protection against the most current spyware, keyloggers, rootkits, rogue anti-virus and security programs, Trojans and other forms of malware, with very frequent automatic updates, scheduled malware scans and the blocking of known-hostile IP addresses, you should try Malwarebytes Anti-Malware.

Definition updates made on 07/28/2010

Malware (Fake anti-virus, etc)
+ Fraud.AVSecuritySuite
+ Fraud.InternetSecurity2010
+ Fraud.Sysguard
+ Win32.Agent.chh
++ Win32.Bagle.upg
+ Win32.DotTorrent
+ Win32.FraudLoad
+ Win32.FraudLoad.edt
+ Win32.FraudPack

Trojan (Bots, Trojan downloaders, rootkits)
+ Bredolab.fb
+ Hupigon
++ Win32.Agent.bin
+ Win32.Agent.fbx
+ Win32.Autorun.mbzt
+ Win32.Bifrost
+ Win32.FraudLoad.pd
++ Win32.Nepoe
++ Win32.Poison.st
++ Win32.Wemon.sh
+ Win32.ZBot

Total: 4158967 fingerprints in 1278273 rules for 5686 products.

False Positives Reported This Past Week

There is one possible false positive reported this week and being investigated. It is a detection of PerfectKeylogger in the McAfee SiteAdvisor file: "mcsacore.exe"

Notes about the detection categories

If you see updates in the "PUPS" category, this means Possibly Unwanted/Unpopular Programs. They appeal to many social networkers but may track your surfing habits and report on your computer configuration, without your explicit knowledge. These often include some smiley programs, screensavers and browser toolbars.

"Spyware" includes applications that track your surfing and report to a third party without your permission.

"Keyloggers" record your keystrokes and steal logon credentials to your bank, trading company, website and server control panels, PayPal, eBay, etc.

"Malware" means Malicious Software and includes among other things - fake/rogue anti virus, anti spyware, system security and registry scanners and infection alerts. These often appear on hostile websites, or websites that have been hacked to redirect you to places where false alerts and scans are launched. The goal is to panic you into purchasing the program to remove the (fake) infections. This is really a soft form of extortion and is generally referred to as scareware and rogue security alerts.

Note, that people who pay for scareware to remove the fake alerts are giving their credit or debit card numbers and security codes to criminals. Most live in the former Soviet Union and are associated with the RBN.

"Trojans" pretend to be a required missing Codec, Flash update, plug-in, or news report, or porn player, whereas they are really the worst malware that installs remote control (Bot) software and rootkits into your PC. Like the Trojan Horse of ancient Troy, once installed, Trojan Horse programs hand the keys to your PC castle to cybercriminals!

Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, to immunize against all threats does require Admin privileges. If you. like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

Malware fingerprints are frequently changed by their purveyors, to slip past definition based anti-malware tools. As malware detections and behavioral analysis modules increase in complexity, so does the possibility of false positives. For this reason it is often a good idea to quarantine suspected malware rather than deleting it, until the next weekly Spybot definitions have been released. Scan the quarantined items again and if they are still detected as malware, delete them after a week or two. You can also open a new thread on the Spybot False Positives Forum to see if your detection is real, or a false positive.

If you are running several brands of security software, make sure that only one active protection (realtime monitoring) feature runs at a time. In case you want to deactivate the TeaTimer, to avoid conflicts, you can do this in Spybot S&D advanced mode in Tools - Resident, as described above.

Posted by Wiz at 11:46 PM | Permalink

back to top ^

This is a short post to let people who need replacement batteries for digital devices, that I have posted discount encoded links for them on my laptop parts page. The discounts apply to batteries for laptop computers, PDAs, cellphones, digital cameras and mp3 players, plus, AC adapters for laptops. If you are planning to replace old, or failed batteries, or a broken AC adapter, now is your chance to do it and save some moolah.

The coupon code savings range from 5% to 10% and are good until the end of business on September 30, 2010 (PST). This is also where I buy my own replacement laptop batteries and AC power adapters and I have no complaints yet.

Use my coupon code encoded links on my laptop parts page, to save on batteries and power adapters.

Posted by Wiz at 4:05 PM | Permalink

back to top ^

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule, as listed below. These detections include new or modified fake (rogue) security programs (fraudulent anti virus/spyware; scareware) (Malware), Trojan downloaders, password stealers, rootkits, DDoS attack bots and spam bots. It is imperative to keep your security tools updated and scan frequently for malware threats.

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

An anti-spyware program that is updated once a week cannot protect you from malware threats created or modified and released in the last 24 - 48 hours. If you want realtime protection against the most current spyware, keyloggers, rootkits, rogue anti-virus and security programs, Trojans and other forms of malware, with very frequent automatic updates, scheduled malware scans and the blocking of known-hostile IP addresses, you should try Malwarebytes Anti-Malware.

Definition updates made on 07/21/2010

Malware (Fake anti-virus, etc)
+ Fraud.AntivirusPro2010
+ Fraud.Sysguard
+ Fraud.SystemGuard2009
++ Win32.Chinky.gen
+ Win32.FraudLoad
+ Win32.FraudLoad.edt
+ Win32.FraudPack
+ Win32.VB.bpbu
++ Win32.Winb2s32

Trojan (Bots, Trojan downloaders, rootkits)
+ Bredolab.fb (Bad Bot!)
+ Virtumonde
+ Virtumonde.dll
+ Virtumonde.sdn
+ Win32.Agent.fbx
++ Win32.Autoit.gen
+ Win32.Autorun.mbzt
+ Win32.Bifrost
+ Win32.CeeInject
++ Win32.Chinky.a
Win32.Turkojan
+ Win32.ZBot
+ Win32.ZBot.rtk

Total: 3078831 fingerprints in 1055775 rules for 5677 products.

False Positives Reported This Past Week

No false positives were reported or discussed this past week.

Notes about the detection categories

As of June, 2010, Spybot S&D now includes detections for iPhone malware threats. These will be updated as needed (+ or -).

If you see updates in the "PUPS" category, this means Possibly Unwanted/Unpopular Programs. They appeal to many social networkers but may track your surfing habits and report on your computer configuration, without your explicit knowledge. These often include some smiley programs, screensavers and browser toolbars.

"Spyware" includes applications that track your surfing and report to a third party without your permission.

"Keyloggers" record your keystrokes and steal logon credentials to your bank, trading company, website and server control panels, PayPal, eBay, etc.

"Malware" means Malicious Software and includes among other things - fake/rogue anti virus, anti spyware, system security and registry scanners and infection alerts. These often appear on hostile websites, or websites that have been hacked to redirect you to places where false alerts and scans are launched. The goal is to panic you into purchasing the program to remove the (fake) infections. This is really a soft form of extortion and is generally referred to as scareware and rogue security alerts.

Note, that people who pay for scareware to remove the fake alerts are giving their credit or debit card numbers and security codes to criminals. Most live in the former Soviet Union and are associated with the RBN.

"Trojans" pretend to be a required missing Codec, Flash update, plug-in, or news report, or porn player, whereas they are really the worst malware that installs remote control (Bot) software and rootkits into your PC. Like the Trojan Horse of ancient Troy, once installed, Trojan Horse programs hand the keys to your PC castle to cybercriminals!

Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, to immunize against all threats does require Admin privileges. If you. like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

Malware fingerprints are frequently changed by their purveyors, to slip past definition based anti-malware tools. As malware detections and behavioral analysis modules increase in complexity, so does the possibility of false positives. For this reason it is often a good idea to quarantine suspected malware rather than deleting it, until the next weekly Spybot definitions have been released. Scan the quarantined items again and if they are still detected as malware, delete them after a week or two. You can also open a new thread on the Spybot False Positives Forum to see if your detection is real, or a false positive.

If you are running several brands of security software, make sure that only one active protection (realtime monitoring) feature runs at a time. In case you want to deactivate the TeaTimer, to avoid conflicts, you can do this in Spybot S&D advanced mode in Tools - Resident, as described above.

Posted by Wiz at 3:24 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have decreased 5% this week, to 49% of all my incoming email. New this week is a run of fake, but authentic looking scams forging Amazon.com order confirmations, complete with a fake, but properly formatted purchase order code in the subject. The message bodies should be a giveaway to anybody who reads them thoroughly, because the greeting lists your email address, instead of your legal name (real Amazon orders always include your real name). Plus, the dollar amounts shown don't match or add up. Further, when you hover your pointer over the links they all go to the same destination, which is NOT on Amazon.com! These links lead to a scripted exploit attack which results in unprotected PCs becoming members of a Botnet.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My blacklisted senders list was quite effective this week, auto-deleting 10.46% of all incoming spam. Many (53) of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for July 19 - 25, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

MailWasher Pro spam category breakdown for July 19 - 25, 2010. Spam amounted to 49% of my incoming email this week. This represents -5% change from last week.

Please note that these filters are written for MailWasher versions up to 6.5.4. There is a brand new version that was just released this month, which uses a totally different filter format. I am going to be rewriting my filters to work in the new 2010 version, but they are not yet available for public use.

Here are some facts from my MailWasher Statistics for the past week. Of the 325 incoming email messages that were classified as spam, 271 were classified by my custom filters, 32 were from my custom Blacklist, and 3 from the DNS Servers Blacklist (mostly the SpamCop Blocklist (SBL)). I only saw 31 spam messages (but classified by filters set to manual deletion, for safety), all of which I reported through my SpamCop reporting account. The rest were automatically deleted by my custom filters and Blacklist. See the updates to my filters below the spam categories list.

There were 8 updates to my custom spam filters this week, and 0 updates to the blacklist. The latest updates to my custom MailWasher Pro filters were to these filters:

Dating Spam,
Exploit Link (added ecard),
Known Spam Domains,
Known Spam [From],
Lottery Scam,
Numeric IP Link,
Porn Spam,
Russian Sender

The following recent MailWasher Pro Email Blacklist entries were able to block ~10% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.br
+@+.cn
+@+.de
+@+.es
+@+.gr
+@+.hk
+@+.in
+@+.jp
+@+.kr
+@+.ru
+@+.tw
+@+.ua
+@+.vn
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
notification*@googlemail.com
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
*discount*@yahoo.com
*viagra*@+
[email protected]
lovepil*@yahoo.com
[email protected]
+@+.net.co
lovepil*@yahoo.com
oemsoftware*@+
softwareoem*@+
*[email protected]
medical*@yahoo.com
+@+.roma6ka.com
[email protected]
[email protected] (New - used by Nigerian 419 scammers)
dr.max+@+.+ (New)

Note: The blacklist expressions in large type are extremely effective! Note, that is you set a custom filter to Take Precedence over the Friends list, it also overrides the Blacklist, which is in the same file.

About MailWasher Pro

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

I am available for hire to write custom MailWasher Pro filters for you or your company. They require that you have a copy of MailWasher on each computer to be customized.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Posted by Wiz at 2:41 PM | Permalink

back to top ^

Just three days after Mozilla released Firefox 3.6.7, they have pushed out a stability/security update, Firefox version 3.6.8. I just published an extensive article about Firefox 3.6.7, two days ago!

This back-to-back sudden release was rushed out to fix a stability/security problem in the handling of crashed plug-ins (Flash), in Firefox browser windows and tabs. The problem was apparently caused by one of the 126 bug fixes included in Firefox 3.6.7. Right now, there are more unresolved bugs showing up in Bugzilla, for v 3.6.7 and one for the just released 3.6.8.

If you have allowed the option for automatic Firefox updates, you will see a pop-up notice about the new version. Download it, then, when prompted, restart Firefox. If you prefer to get the update manually, go to Firefox's Help menu item > Check for Updates. Download and apply the update to 3.6.8. You can also download the latest version from the Firefox product page.

UPDATE! July 26, 2010

Geek Alert!
Mozilla developer Daniel Holbert reported that the fix to the plug-in parameter array crash that was fixed in Firefox 3.6.7 caused a crash showing signs of memory corruption. While the Firefox What's New page described the update as a stability patch, there was more to the story. In certain circumstances, properties in the plug-in instance's parameter array could be freed prematurely leaving a dangling pointer that the plug-in could execute, potentially calling into attacker-controlled memory.

Posted by Wiz at 6:33 PM | Permalink

back to top ^

On July 20, 2010, Mozilla released Firefox 3.6.7, which contains 14 security fixes, 8 of which are rated as critical. Two more are rated high risk, with the remainder rated as important. This is the first major security overhaul since version 3.6.4 was released, in June. The other interim releases were to fix stability problems, especially as related to the handling of crashed plug-ins.

In addition to the security updates, 123 out of 126 reported bugs were fixed with version 3.6.7. Many affect the stability of the browser, others deal with particular behind the scenes issues.

If you are already using a prior version of Firefox as your browser of choice (which you are I hope!), go to the Help menu item and move down to Check for updates and click it. You will be offered the latest version of your series of Firefox. If you're already using version 3.6.x, you will receive the update to 3.6.7. If you have allowed the browser to automatically check for, and download updates, you'll get a little pop-up box notifying you that you must restart Firefox to complete the upgrade to version X.

Restart the browser as directed, to complete the upgrade! Any open tabs will reopen when Firefox reloads.

If you are using a different series than 3.6.x, you'll need to upgrade to the final version of that series, restart the browser, then when you check for updates again you will be offered the latest series and newest version.

Or, just go to the main Firefox product page and download the latest version. If you are not English speaking and need Firefox in your own language, go to the all languages download page instead. Each language has links to download Firefox for Windows, Mac OS-X and Linux operating systems. Note though, if you use Debian or Ubuntu Linux, you must update using your "Update Manager" - found in the Administration menu. Using Update Manager requires an Administrator level password.

Internet Explorer users wanting to try or migrate to Firefox can rest assured that Firefox will offer to import your saved Cookies and Favorites, which will now become "Bookmarks."

Firefox now enjoys a sizable percentage of the World wide browser market and as such is a target for malware authors. To add another layer of protection against JavaScript and iframe attacks, I advise you to install the famous NoScript! Add-on. By default, NoScript! disables JavaScript and cross domain redirection exploits, along with clickjacking, tab-napping and a multitude of other browser exploits in the wild. You will need to manually approve websites you trust, to allow scripting. This may include multiple approvals for imported content from advertisers, form suppliers, news feeds, etc. Once approved, a website remains on the whitelist unless you revoke your approval (temp or perm).

Please upgrade your browser to the latest version, to remain safe against the latest threats targeting it.

Posted by Wiz at 11:43 AM | Permalink

back to top ^

As I write this I am looking at the fourth Amazon.com scam message I have received in the last 24 hours. These messages are professionally composed and very closely resemble an actual similar email that one receives after making a purchase at Amazon.com. However, there are some telltale differences, listed below, that give away the fake notices. All of the current scams have this subject:

Your Amazon.com Order (D2 numbers-7 numbers-7 numbers). This is exactly the same layout as a real confirmation for Amazon.com.

Before I tell you how to differentiate between a legitimate Amazon order confirmation and the fakes, I want to show you where you will end up if you are tricked into clicking on a link in a fake Amazon notice. In the sample of the fake notice before me, everything looks like an official order confirmation for an Amazon.com purchase, all the way down to the graphics and most, but not all of the text (see next paragraph). The main difference is that every single clickable link in the fake message leads to a domain that is not on amazon.com at all. All links lead to the same hostile location, via a 301 Apache web server redirect, created in an .htaccess file on a compromised VPS web server. The new location of this redirection is, in this instance: actcountry.ru:8080, which is hosted on a an nginx Russian web server, on an unconfigured dedicated server in France, belonging to OVH Hosting.

At this moment the payload is offline, but it could return at any time, or may appear on another server used in the domain redirection scripts. There is no doubt that the payload was not friendly to most browsers on Windows operating systems.

The rest of the details about identifying fake Amazon purchase confirmations, follow in my extended comments.

How to differentiate between real and fake Amazon.ocm purchase confirmations

The first exception giving away the fakes is in the salutation. The name of the purchaser in the fake is not your actual name, but your email address. If you buy something on Amazon, your actual first and last name, as listed in your Amazon account, will be listed in bold, in the beginning of the message. If you buy on Amazon and get an email with your email address after "Thanks for your order," - rather than your actual name, it is probably a scam.

The next giveaway is that if you hover your pointer over every link they will all display a location that does not start with http://www.amazon.com/. Most of the links in an official Amazon email lead to different folders and files, but, all of the links in the fakes lead the the same domain and file and an id number. Always hover before clicking on links in email messages.

The next giveaway is that the dollar amounts are not the same in several places. In an actual purchase of one item the amount paid is listed at least 5 times and is always the same. The only difference in price is sales tax or additional items. In the fake, only one purchase is declared, but, the prices vary at least 5 times! This includes a dead giveaway that first shows the grand total as one price, then 4 other totals that do not match.

Finally, the headers don't lie. If your email client allows you to display the incoming full headers, you should look at the first Received from line and see if it includes the following, or variation thereof: Received: from mm-notify-out-2103.amazon.com ([207.171.164.47]) - The notify-out port or mail server may vary, but it always ends with amazon.com, followed by parenthesis and an ip belonging to amazon.com. The fakes will not have amazon.com as the received from, but an offshore server, with an ip addresses traceable to Europe. In the fake I am looking at, the first received from is as follows: Received: from [59.92.38.93] (helo=ZSXOMGPE). That IP address belongs to the national internet backbone in India! Whois 59.92.38.93.

If you use Windows Live Mail, or Outlook Express, or Windows Mail, you can read the incoming hearers in the source code. Just right click on a message in your inbox and select Properties. If the message is already open for viewing, press ALT + Enter to display the headers. Other email clients will have their own key combination to display the headers, as will most webmail systems (see your email options link).

Finally, if you don't buy on Amazon.com, delete all such messages on sight! They are targeted at people who do have Amazon accounts and are meant to scam or infect them.

Using MailWasher Pro as an additional line of defense

I use MailWasher Pro to filter all incoming email before downloading it to my Windows Live email client. I already have a custom spam filter in place that detects and deletes these Amazon scams. It is as follows:

[enabled],"Amazon.com Scam","Amazon.com Scam",16711680,AND,Delete,TakesPrecedence,From,contains,@amazon.com,EntireHeader,doesn'tContainRE,"^Received:\ from\ (mm-[a-z]{5,8}|smtp)-out-.{4,7}\.amazon\.com\ \(\[[\d\.]{11,15}\]\)$",Subject,contains,Amazon.com


This filter is for MailWasher versions up to 6.5.4. I am rewriting my filters and my MailWasher product description page to reflect the changes and new filter format.

Posted by Wiz at 2:23 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have increased 2% this week, to 54% of all my incoming email. New this week is a dangerous attachment pretending to be a scann from a Xerox WorkCenter Pro. This attack is probably targeted at businesses which may exchange Xerox documents online, or via email. In the case of this spam run, the attachments are inside a Zipfile and are actually the Trojan downloader named "Oficla," or "Meredrop." If you execute that enclosed fake document your PC will be taken over by criminal Botmasters in Eastern Europe.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My blacklisted senders list was quite effective this week, auto-deleting almost 11% of all incoming spam. Many (51) of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for July 12 - 18, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

MailWasher Pro spam category breakdown for July 12 - 18, 2010. Spam amounted to 54% of my incoming email this week. This represents +2% change from last week.

Please note that these filters are written for MailWasher versions up to 6.5.4. There is a brand new version that was just released this month, which uses a totally different filter format. I am going to be rewriting my filters to work in the new 2010 version, but they are not yet available for public use.

Here are some facts from my MailWasher Statistics for the past week. Of the 371 incoming email messages that were classified as spam, 310 were classified by my custom filters, 39 were from my custom Blacklist, and 11 from the DNS Servers Blacklist (mostly the SpamCop Blocklist (SBL)). I only saw 54 spam messages (but classified by filters set to manual deletion, for safety), all of which I reported through my SpamCop reporting account. The rest were automatically deleted by my custom filters and Blacklist. See the updates to my filters below the spam categories list.

There were 4 updates to my custom spam filters this week, and 2 updates to the blacklist. The latest updates to my custom MailWasher Pro filters were to these filters:

Male Enhancement [B],
Porn Spam, Software Spam,
Unlicensed Prescription Drugs,
Viagra.com Spam

The following recent MailWasher Pro Email Blacklist entries were able to block ~19% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.br
+@+.cn
+@+.de
+@+.es
+@+.gr
+@+.hk
+@+.in
+@+.jp
+@+.kr
+@+.ru
+@+.tw
+@+.ua
+@+.vn
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
notification*@googlemail.com
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
*discount*@yahoo.com
*viagra*@+
[email protected]
lovepil*@yahoo.com
[email protected]
+@+.net.co
lovepil*@yahoo.com
oemsoftware*@+
softwareoem*@+
*[email protected]
medical*@yahoo.com
+@+.roma6ka.com
[email protected]
[email protected] (New - used by Nigerian 419 scammers)
dr.max+@+.+ (New)

Note: The blacklist expressions in large type are extremely effective! Note, that is you set a custom filter to Take Precedence over the Friends list, it also overrides the Blacklist, which is in the same file.

About MailWasher Pro

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

I am available for hire to write custom MailWasher Pro filters for you or your company. They require that you have a copy of MailWasher on each computer to be customized.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Posted by Wiz at 1:44 PM | Permalink

back to top ^

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule, as listed below. These detections include new or modified fake (rogue) security programs (fraudulent anti virus/spyware; scareware) (Malware), Trojan downloaders, password stealers, rootkits, DDoS attack bots and spam bots. It is imperative to keep your security tools updated and scan frequently for malware threats.

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Definition updates made on 07/14/2010

Malware
+ Fraud.Sysguard
+ Win32.FraudPack

Trojan
+ Win32.Agent.fbx
+ Win32.Bifrost
+ Win32.CeeInject
++ Win32.IRCBot
++ Win32.Poison.gen
+ Win32.Runouce.ch2
++ Win32.Scar.a
++ Win32.Scar.gen
+ Win32.ZBot
+ Win32.ZBot.rtk

Total: 3024387 fingerprints in 1038931 rules for 5662 products.

False Positives Reported This Past Week

A confirmed false positive detection of "Virtumonde.sci" in FlashGet files and registry entries was supposed to be fixed with the 7/7/2010 updates. Somehow, it slipped through the cracks, but was fixed today!

Notes about the detection categories

As of June, 2010, Spybot S&D now includes detections for iPhone malware threats. These will be updated as needed (+ or -).

If you see updates in the "PUPS" category, this means Possibly Unwanted/Unpopular Programs. They appeal to many social networkers but may track your surfing habits and report on your computer configuration, without your explicit knowledge. These often include some smiley programs, screensavers and browser toolbars.

"Spyware" includes applications that track your surfing and report to a third party without your permission.

"Keyloggers" record your keystrokes and steal logon credentials to your bank, trading company, website and server control panels, PayPal, eBay, etc.

"Malware" means Malicious Software and includes among other things - fake/rogue anti virus, anti spyware, system security and registry scanners and infection alerts. These often appear on hostile websites, or websites that have been hacked to redirect you to places where false alerts and scans are launched. The goal is to panic you into purchasing the program to remove the (fake) infections. This is really a soft form of extortion and is generally referred to as scareware and rogue security alerts.

Note, that people who pay for scareware to remove the fake alerts are giving their credit or debit card numbers and security codes to criminals. Most live in the former Soviet Union and are associated with the RBN.

"Trojans" pretend to be a required missing Codec, Flash update, plug-in, or news report, or porn player, whereas they are really the worst malware that installs remote control (Bot) software and rootkits into your PC. Like the Trojan Horse of ancient Troy, once installed, Trojan Horse programs hand the keys to your PC castle to cybercriminals!

Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, to immunize against all threats does require Admin privileges. If you. like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

Malware fingerprints are frequently changed by their purveyors, to slip past definition based anti-malware tools. As malware detections and behavioral analysis modules increase in complexity, so does the possibility of false positives. For this reason it is often a good idea to quarantine suspected malware rather than deleting it, until the next weekly Spybot definitions have been released. Scan the quarantined items again and if they are still detected as malware, delete them after a week or two. You can also open a new thread on the Spybot False Positives Forum to see if your detection is real, or a false positive.

If you are running several brands of security software, make sure that only one active protection (realtime monitoring) feature runs at a time. In case you want to deactivate the TeaTimer, to avoid conflicts, you can do this in Spybot S&D advanced mode in Tools - Resident, as described above.

Posted by Wiz at 12:25 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 4% this week, to 52% of all my incoming email. This decline is partly caused by my rerouting all Russian language spam to a blackhole on my server. Previously, I allowed MailWasher to classify and auto-delete all Russian sent and Russian language spam. Now, only a few Russian senders (but English language) get through, only to be automatically deleted by my MailWasher Blacklist entry: +@+.ru

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw another typical variety of categories of spam, led by fake Viagra, illicit pharmaceuticals and male enhancement scams, followed by Russian senders, counterfeit watches, fake diplomas and pirated software. If you are using my custom MailWasher Pro filters, keep the filters for these types of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My blacklisted senders list was very effective this week, auto-deleting almost 19% of all incoming spam. Many (61) of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for July 5 - 11, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

MailWasher Pro spam category breakdown for July 5 - 11, 2010. Spam amounted to 52% of my incoming email this week. This represents -4% change from last week.

Here are some facts from my MailWasher Statistics for the past week. Of the 307 incoming email messages that were classified as spam, 237 were classified by my custom filters, 56 were from my custom Blacklist, and 2 from the DNS Servers Blacklist (mostly the SpamCop Blocklist (SBL)). I only saw 30 spam messages (but classified by filters set to manual deletion, for safety), all of which I reported through my SpamCop reporting account. The rest were automatically deleted by my custom filters and Blacklist. See the updates to my filters below the spam categories list.

There were 3 updates to my custom spam filters this week, and no updates to the blacklist. The latest updates to my custom MailWasher Pro filters were to these filters:

Known Spam [From]
Pills
Amazon.com Scam

The following recent MailWasher Pro Email Blacklist entries were able to block ~19% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.br
+@+.cn
+@+.de
+@+.es
+@+.gr
+@+.hk
+@+.in
+@+.jp
+@+.kr
+@+.ru
+@+.tw
+@+.ua
+@+.vn
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
notification*@googlemail.com
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
*discount*@yahoo.com
*viagra*@+
[email protected]
lovepil*@yahoo.com
[email protected]
+@+.net.co
lovepil*@yahoo.com
oemsoftware*@+
softwareoem*@+
*[email protected]
medical*@yahoo.com
+@+.roma6ka.com
[email protected]

Note: The blacklist expressions in large type are extremely effective! Note, that is you set a custom filter to Take Precedence over the Friends list, it also overrides the Blacklist, which is in the same file.

About MailWasher Pro

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

I am available for hire to write custom MailWasher Pro filters for you or your company. They require that you have a copy of MailWasher on each computer to be customized.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Posted by Wiz at 2:35 PM | Permalink

back to top ^

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule, as listed below. These detections include new or modified fake (rogue) security programs (fraudulent anti virus/spyware; scareware) (Malware), Trojan downloaders, password stealers, rootkits, DDoS attack bots and spam bots. It is imperative to keep your security tools updated and scan frequently for malware threats.

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Definition updates made on 07/7/2010

Keylogger (Keyloggers silently log and steal your login credentials to banks, websites and places you thought were secure)
++ SpyOnePro

Malware (includes fake/rogue security programs and alerts)
+ FakeAlert.gen
+ Fraud.AntiSpywarePro
+ Fraud.SecurityMasterAV
+ Fraud.Sysguard
+ Fraud.VolcanoSecuritySuite
+ Win32.Agent.chh
+ Win32.FraudLoad
+ Win32.FraudLoad.edt
+ Win32.FraudLoad.pc
+ Win32.FraudPack
+ WinWebSecurity

Security (Redirects to 127.0.0.1 in your HOSTS file blocks access to Windows Updates, security programs and updates)
+ Microsoft.Windows.RedirectedHosts

Trojans (These are the really bad guys)
+ Virtumonde
+ Virtumonde.dll
+ Virtumonde.sdn
+ Win32.Agent.fbx
+ Win32.Banker.xe
+ Win32.Bifrost
+ Win32.FraudLoad.pd
++ Win32.FraudLoad.ss
+ Win32.Muollo
+ Win32.Runouce.ch2
+ Win32.TDSS.rtk
+ Win32.ZBot

Total: 3021867 fingerprints in 1038599 rules for 5667 products.

False Positives Reported This Past Week

A confirmed false positive detection of "Virtumonde.sci" in FlashGet files and registry entries was fixed with the 7/7/2010 updates.

More issues that prevent people using Spybot S&D from reaching or logging into AdultFriendFinder will be fixed on July 14, 2010.

Notes about the detection categories

As of June 2, 2010, Spybot S&D now includes detections for iPhone malware threats. These will be updated as needed (+ or -).

If you see updates in the "PUPS" category, this means Possibly Unwanted/Unpopular Programs. They appeal to many social networkers but may track your surfing habits and report on your computer configuration, without your explicit knowledge. These often include some smiley programs, screensavers and browser toolbars.

"Spyware" includes applications that track your surfing and report to a third party without your permission.

"Keyloggers" record your keystrokes and steal logon credentials to your bank, trading company, website and server control panels, PayPal, eBay, etc.

"Malware" means Malicious Software and includes among other things - fake/rogue anti virus, anti spyware, system security and registry scanners and infection alerts. These often appear on hostile websites, or websites that have been hacked to redirect you to places where false alerts and scans are launched. The goal is to panic you into purchasing the program to remove the (fake) infections. This is really a soft form of extortion and is generally referred to as scareware and rogue security alerts.

Note, that people who pay for scareware to remove the fake alerts are giving their credit or debit card numbers and security codes to criminals. Most live in the former Soviet Union and are associated with the RBN.

"Trojans" pretend to be a required missing Codec, Flash update, plug-in, or news report, or porn player, whereas they are really the worst malware that installs remote control (Bot) software and rootkits into your PC. Like the Trojan Horse of ancient Troy, once installed, Trojan Horse programs hand the keys to your PC castle to cybercriminals!

Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, to immunize against all threats does require Admin privileges. If you. like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

Malware fingerprints are frequently changed by their purveyors, to slip past definition based anti-malware tools. As malware detections and behavioral analysis modules increase in complexity, so does the possibility of false positives. For this reason it is often a good idea to quarantine suspected malware rather than deleting it, until the next weekly Spybot definitions have been released. Scan the quarantined items again and if they are still detected as malware, delete them after a week or two. You can also open a new thread on the Spybot False Positives Forum to see if your detection is real, or a false positive.

If you are running several brands of security software, make sure that only one active protection (realtime monitoring) feature runs at a time. In case you want to deactivate the TeaTimer, to avoid conflicts, you can do this in Spybot S&D advanced mode in Tools - Resident, as described above.

Posted by Wiz at 1:59 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 6% this week, to 56% of all my incoming email. This decline is partly caused by my rerouting all Russian language spam to a blackhole on my server. Previously, I allowed MailWasher to classify and auto-delete all Russian sent and Russian language spam. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw another typical variety of categories of spam, led by fake diplomas, fake Viagra, unlicensed pharmaceuticals and male enhancement scams, Russian senders, counterfeit goods and pirated software. Keep the fake diplomas, Viagra, male enhancement, Russian sender and pirated software filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

I have noticed that with school now out for the summer and graduation ceremonies over, fake diplomas are the number one classification of spam, for two weeks in a row. I guess that the arrogant foreign spammers behind these scams believe that our students lack the parts to earn a diploma fair and square. But, in case you are reading this and were thinking about buying a fake diploma in the hopes of getting a high paying job, you should be alerted to this cold hard fact of life. If you buy a fake diploma, when, not if, you are found out, if that diploma landed you a job you will be fired as soon as they learn the truth. Then, your former employer will notify any hiring agencies who referred you and you will be blacklisted by all US and Canadian HR companies, including Temp placement companies. They share information about people who lie on applications and use fake diplomas and credentials. If you need to get more credits to graduate, go to summer school and get it honest!

My blacklisted senders list was slightly effective this week, auto-deleting 9.39% of all incoming spam. Many (37) of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for June 28 - July 4, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

MailWasher Pro spam category breakdown for June 28 - July 4, 2010. Spam amounted to 56% of my incoming email this week. This represents -6% change from last week.

Here are some facts from my MailWasher Statistics for the past week. Of the 326 incoming email messages that were classified as spam, 279 were classified by my custom filters, 29 were from my custom Blacklist, 1 by the Bayesian filter and 1 from the DNS Servers Blacklist (mostly the SpamCop Blocklist (SBL)). I only saw 29 spam messages (but classified by filters set to manual deletion, for safety), all of which I reported through my SpamCop reporting account. The rest were automatically deleted by my custom filters and Blacklist. See the updates to my filters below the spam categories list.

There were 2 updates to my custom spam filters this week, and 1 update was added to the blacklist. The latest updates to my custom MailWasher Pro filters were to these filters:

Viagra [B]
Counterfeit Goods

The following recent MailWasher Pro Email Blacklist entries were able to block ~9% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.br
+@+.cn
+@+.de
+@+.es
+@+.gr
+@+.hk
+@+.in
+@+.jp
+@+.kr
+@+.ru
+@+.tw
+@+.ua
+@+.vn
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
notification*@googlemail.com
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
*discount*@yahoo.com
*viagra*@+
[email protected]
lovepil*@yahoo.com
[email protected]
+@+.net.co
lovepil*@yahoo.com
oemsoftware*@+
softwareoem*@+
*[email protected]
medical*@yahoo.com
+@+.roma6ka.com
[email protected] (New)

Note: The blacklist expressions in large type are extremely effective! Note, that is you set a custom filter to Take Precedence over the Friends list, it also overrides the Blacklist, which is in the same file.

About MailWasher Pro

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

I am available for hire to write custom MailWasher Pro filters for you or your company. They require that you have a copy of MailWasher on each computer to be customized.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Posted by Wiz at 2:09 PM | Permalink

back to top ^

According to this support article: http://support.microsoft.com/gp/lifean31, all patches, updates and support for Windows XP Service Pack 2 (SP2) will end on July 13, 2010. This date was established when Windows XP Service Pack 3 (SP3) was released on April 21, 2008.

This announcement is in line with the Microsoft Support Lifecycle policy for Windows service packs. This policy states that when a new service pack is released, Microsoft will provide 24 months of support for the previous service pack for products that belong to the Windows product family.

Note The release of a service pack has no impact on Mainstream Support and Extended Support end dates. Therefore, there will be no change to the previously announced end of Mainstream and Extended Support dates for Windows XP. Windows XP will transition from the Mainstream Support phase to the Extended Support phase on April 14, 2009, as scheduled. During the Extended Support phase for Windows XP, Microsoft will continue to provide paid support and security updates at no additional charge. Extended Support for Windows XP will retire on April 8, 2014. At that time, even computers running Service Pack 3 will cease receiving any more updates.

Malware authors are ramping up their efforts to be ready to compromise as many unpatched Windows XP computers as possible, after the July 13 end of support passes. Normally, XP computers are set to download updates automatically, so their owners tend to forget about this important system. After July 13 your computer will no longer receive automatic updates, unless you upgrade to SP3. It will be a sitting duck for hackers, fake anti virus programs, rootkits, password stealers and Botnet installers.

Details about upgrading to XP SP3 are in my extended comments...

What you need to do

If your PC is still running on Windows XP with SP2, you need to upgrade to SP3, as soon as humanly possible. There are several ways to do this, as outlined below.

1. Use Automatic Windows Update and allow SP3 to install (you may need to update a driver or two first ... check with your computer's manufacturer for updated drivers for XP-SP3)


2. Use your Start Menu link for Windows Update, or Microsoft Update


3. Download Service Pack 3 from Microsoft


4. Download a CD ISO image of XP SP3


5. Order SP3 on a CD from Microsoft

Note

There's no SP3 for the 64-bit version of Windows XP. If you're running the 64-bit version of Windows XP with SP2, you have the latest service pack and will continue to be eligible for support and receive updates until April 8, 2014.

I want to urge you to backup your personal data files, and files and settings, before upgrading to SP3. This is in case something goes wrong during the process.If you haven't got a commercial backup program, just use the built in Windows Backup, found via Start > Programs > Accessories > System Tools > Backup. Check the option to backup either Everything, or Selected files and folders. I recommend starting with the "My Documents" option. Then add other folders where you store important files.

You can use the Files and Settings Transfer Wizard, found in the same Accessories folder as Backup, to save a special files containing all of your personalized settings, including your POP3 email accounts and all saved email messages, your desktop icons, startup programs and other settings that only apply to your Welcome Screen identity. If there are multiple users who have logon names, each one can save/export their own Files and Settings.

Again, this is just a backup precaution. In most cases you won't need to do anything after upgrading to SP3.

After you have completed the upgrade to SP3, make sure you turn on Automatic Windows Updates and set them to either Download and Install, Download and Notify, or Notify only.

Last, there are still a lot of people who are running unlicensed copies of Windows XP. Unfortunately, to upgrade to SP3 requires a valid license from Microsoft, You will need to purchaser a valid license from them, or buy a rapidly disappearing original copy of XP and validate using the Product Key on the hologram accompanying the CD. You will probably need to do this over the telephone, to Microsoft support.

If you refuse to make your copies of XP valid, you have nobody but yourself to blame if your XP PC is taken over by a Botnet and put to illegal use by cybercriminals, or if a keylogger is installed via an unpatched vulnerability and your bank accounts are empties and credit cards maxed out.

At least install the best security programs you can afford. See the ads on my blog and links in the lower right sidebar for various reputable paid and free security programs and malware removal forums.

Posted by Wiz at 11:54 AM | Permalink

back to top ^