Wiz's Computer and Website Security Blog

Following last week's big decline in spam, due to the sudden takedown of the Rustock botnet, other botnet operators have taken up the slack, bring spam levels back up to 38% of my incoming email. This week the majority of spam was for counterfeit name brand watches, followed by pharmaceuticals, male enhancement and fake Viagra.

This past 7 days, spam for various types of garbage amounted to 38% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Mar 21 - 27, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 38%; up 10% from last week
Number of messages classified as spam: 214
Number classified by my custom spam filters: 175
Number and percentage of spam according to my custom blacklist: 10
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 10

The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 33.33%
Pharmaceuticals and illegal prescription drugs: 22.58%
Male Enhancement scams: 13.44%
Fake Viagra and Cialis: 11.83%
Blacklisted sender names and domains (my blacklist): 5.38%
Other Filters (with small percentages): 4.30%
African Sender: 2.15%
.BR, .CN, or .RU domain links: 1.61%
Subject contains e-mail address: 1.61%
Work At Home Scams: 1.08%
419 scams: 1.08%
Loans/Bankruptcy scams: 1.08%
DNS Blacklist Servers: 0.54%

This week I made 6 updates and/or additions to my custom filters:
Known Spam Domains
Watches Spam
Work At Home Scam
New filter: Courier Scam #7
New filter: .BR, .CN, .RU Domain Link
Re-enabled Weight Loss filter.


There was one false positive last week, resulting in my creating a new filter to detect .RU domains in the message body. All other filters behaved as intended. Note, that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.

Posted by Wiz at 4:10 PM | Permalink

back to top ^

This is a roundup of the most important security vulnerability alerts announced and patches issued, between March 10 through 23, 2011. Most affect Windows, operating systems, but some also target Macintosh and Linux computers. By applying vendors' patches as they are released you can keep your computers secured against the exploits targeting these vulnerabilities.

The following security alerts were issued in the past two weeks, with the latest first and the oldest last (FILO logic).

Fraudulent SSL Certificates
March 23, 2011

There have been recent published reports about the existence of at least nine fraudulent "Comodo" SSL certificates. These fake SSL certificates could be used by an attacker to masquerade as a trusted website. Multiple web browser vendors have provided updates to recognize and block these fraudulent SSL certificates.

Mozilla has updated Firefox 4.0, 3.6, and 3.5 which you get by upgrading your Firefox browser via Help > "Check for updates." Firefox 3.6.16 blacklists a few of the now invalid HTTPS certificates.

Microsoft has released a revised list of trusted root certificates for Internet Explorer browsers, which you can obtain via Windows Updates (under "Express").

Finally, Google Chrome was updated on March 22 to version 10.0.648.151 for Windows, Mac, Linux and Chrome Frame. This release blacklists the revoked Comodo HTTPS certificates.

Adobe Releases Security Updates for Reader and Acrobat
March 22, 2011

Adobe has released updates for Adobe Reader and Acrobat for Windows and Macintosh. These updates address a vulnerability in the authplay.dll component. Exploitation of this vulnerability may allow an attacker to execute arbitrary code. End users and system administrators should review Adobe security bulletin APSB11-06 and apply any necessary updates to help offset the risks posed by this vulnerability.

Apple patches 56 bugs in Mac OS X
March 22, 2011

Apple on Monday patched 56 vulnerabilities, most of them critical flaws that could be used to hijack machines running Mac OS X, code-named "Snow Leopard." The patched version is 10.6.7.

Of the 56 bugs patched in the update for Snow Leopard, 45 were included the description that exploitation could lead to arbitrary code execution. Translated, that means complete system takeover is possible (even on a Mac!).

According to Apple's advisory , more than a dozen of the bugs can be exploited by "drive-by" attacks that execute as soon as a victim browses to a malicious Web site with an unpatched edition of Mac OS X.

The update to Mac OS X 10.6.7 also fixed several non-security bugs including issues in the AirPort Wi-Fi driver and other usability and stability improvements.

Use your Apple software updater to obtain the latest version of OS X.

Adobe Releases Flash Player Update
March 21, 2011

Adobe has released an update for Flash Player to address multiple vulnerabilities (see this Adobe bulletin). These vulnerabilities affect Adobe Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player 10.1.106.16 and earlier versions for Android. Exploitation of these vulnerabilities may allow an attacker to cause a denial-of-service attack or execute arbitrary code.

PC owners should upgrade to Adobe Flash Player 10.2.152.26 by downloading it from the Adobe Flash Player Download Center.

Users of Flash Player for Android version 10.1.106.16 and earlier can update to Flash Player version 10.2.156.12 by browsing to the Android Marketplace on an Android phone.

Google Releases Chrome 10.0.648.134
March 17, 2011

Google released Chrome 10.0.648.134 for Windows, Mac, Linux, and Chrome Frame. This release contains an updated version of the Adobe Flash player that addresses a vulnerability. Exploitation of this vulnerability may allow an attacker to execute arbitrary code.

Note, the March 22 Chrome release includes and supersedes this one.

Apple Releases Safari 5.0.4
March 10, 2011

Apple has released Safari 5.0.4 to address multiple vulnerabilities in the ImageIO, libxml, and WebKit packages. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or conduct cross-site scripting attacks.

Users of Safari browsers should review Apple article HT4566 and apply any necessary updates to help mitigate the risks.

Apple Releases iOS 4.3
March 10, 2011

Apple has released iOS 4.3 for the iPhone 3 GS and later, iPod touch (3rd generation) and later, and iPad to address multiple vulnerabilities. These vulnerabilities affect the CoreGraphics, ImageIO, libxml, Networking, Safari, and WebKit packages. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

Users of these devices should review Apple article HT4564 and apply any necessary updates to help mitigate the risks.

Finally,there was a security advisory published on March 16, for the owners of Blackberry devices: "Vulnerability in WebKit browser engine impacts BlackBerry Device Software version 6.0 and later" The details are as follows:

A vulnerability exists in the open source WebKit browser engine provided in BlackBerry Device Software version 6.0 and later. The issue could result in remote code execution (RCE) on affected BlackBerry smartphones. Successful exploitation of the vulnerability requires the user to browse to a website that the attacker has maliciously designed. The attacker would then be able to read or write to the built-in media storage section of a BlackBerry smartphone or to the media card, but not to access user data that the email, calendar and contact applications store in the application storage (the internal file system that stores application data and user data) of the BlackBerry smartphone.

Application storage is the only place on a device from which applications can be run. Sections of application storage can store files that a user downloads or saves to device memory. Exploitation of the vulnerability does not allow access to this part of BlackBerry smartphone memory.

Finally, you should keep an up to date version of the best anti-everything program you can afford on every computer that connects to the Internet, or into which you plug a USB memory device (they get infected too). If you want my recommendation, try out Trend Micro Internet Security products, like Trend Micro's Titanium Maximum Security suite.If you decide to buy a subscription, use coupon code: spring30 in the shopping cart and you will save 30% off the regular price. This discount code ends on April 25, 2011, so download the program and evaluate it for free for a month, but use the discount code before it expires.

Posted by Wiz at 9:08 PM | Permalink

back to top ^

After briefly rising last week, spam levels have fallen again, following this week's takedown of the Rustock spam botnet's command and control servers, by Microsoft, Pfizer, Fire-eye and the US Marshall's Service. My statistics reveal a 7% decrease from the previous week. Prior to the shutdown of those servers, Rustock was responsible for over 40% of the world-wide spam.

Immediately following Rustock's takedown, on March 16, there was a big drop in spam. However, other botnets quickly rented out their services to spammers, so the amount of spam rebounded over the last few days to regain several percentage points. You can look for those botnets to become the next targets of Microsoft, Pfizer and other anti-spam agencies.

Pfizer was involved because so much spam is for counterfeit Viagra, which is a trademarked and controlled drug manufactured and distributed by Pfizer and it's legitimate partners. They do not license Russian, Indian, or Chinese based Internet pharmacies to make or distribute Viagra, or to use the trademarked name of the company or the drug. Anybody offering to sell Viagra (real or counterfeit) to US residents, without a valid prescription issued by a real US based and licensed doctor, after an actual physical examination, is violating US Federal law. Anybody attempting to purchase Viagra, or other controlled prescription drugs, from an Internet pharmacy located outside the USA, or any Internet pharmacy that sells pharmaceuticals that are not manufactured or licensed for sale in the USA, is guilty of violating US laws regulating the purchase of controlled substances. Those purchases are subject to seizure by US Customs and smuggling charges can be filed by Federal authorities.

This past 7 days, spam for various types of garbage amounted to 28% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Mar 14 - 20, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 28%; down 7% from last week
Number of messages classified as spam: 124
Number classified by my custom spam filters: 120
Number and percentage of spam according to my custom blacklist: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 11

The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 28.46%
Pharmaceuticals and illegal prescription drugs: 26.02%
Fake Viagra and Cialis: 15.45%
Other Filters (with small percentages): 7.32%
Male Enhancement scams: 4.88%
Known Spam Domains in links (usually Russian: .RU): 4.07%
Work At Home Scams: 3.25%
Subject contains e-mail address: 2.44%
Twitter Phishing Scam: 2.44%
419 scams:1.63%
DNS Blacklist Servers: 1.63%
Russian Sender: 1.63%
Blacklisted sender names and domains (my blacklist): 0.81%

This week I made 7 updates to my custom filters:
Consecutive digits or consonants,
Diploma Spam,
Russian Bride Scam,
Russian Sender,
Work At Home Scam.
New filters: Courier Scam #6 and Post Express Scam.
Disabled 28 out-dated filters.


There was one false positives last week. All filters behaved as intended. Note, that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.

Posted by Wiz at 1:06 PM | Permalink

back to top ^

For the second week in a row, spam levels have risen again. My statistics reveal a 2% increase from the previous week. The most recent spam runs have been for illegal to import, dangerous prescription drugs, followed by fake brand name watches, then Asian Viagra, male enhancement scams, various African 419 lottery scams and a new DHL courier scam carrying a the SpyEye Trojan in an attachment.

This past 7 days, spam for various types of garbage amounted to 35% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Mar 7 - 13, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 35%; up 2% from last week
Number of messages classified as spam: 212
Number classified by my custom spam filters: 190
Number and percentage of spam according to my custom blacklist: 4
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 36

The order of spam categories, according to the highest percentages, is as follows:

Pharmaceuticals and illegal prescription drugs: 21.03%
Counterfeit Watches: 21.03%
Fake Viagra and Cialis: 17.95%
Male Enhancement scams: 10.77%
Other Filters (with small percentages): 9.74%
Lottery Scams: 5.13%
Known Spam Domains in links (usually Russian: .RU): 3.59%
Blacklisted sender names and domains (my blacklist): 2.05%
African Sender (419 scams): 2.05%
SUBJECT ALL CAPS (mostly Nigerian scams): 2.05%
LACNIC (South American) spam sender: 2.05%
Known Spam [From]: 2.05%
DNS Blacklist Servers: 0.51%

This week I made 4 updates to my custom filters:
Known Spam [From],
Misspelled Viagra,
Pics Spam,
Russian Bride Scam


There were no false positives last week. All filters behaved as intended. Note, that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.

Posted by Wiz at 3:20 PM | Permalink

back to top ^

With the Pwn2Own competition just getting underway, several security updates were released over the past week for two of the World's more popular web browsers, along with the monthly Windows Updates, an iTunes patch, and one Java update. The following is a list of the significant updates released this past 6 days, starting with the most recent.

On March 9, 2011, Apple Releases Java Updates for Mac OS X 10.5 and OS X 10.6

Apple has released Java for Mac OS X 10.5 Update 9 and Java for Mac OS X 10.6 Update 4 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

Apple computer users running these systems should review Apple articles HT4563 and HT4562 and apply any necessary updates to help counteract the risks. Do not think that your computer is invulnerable just because it is a Mac!

Also on March 9, 2011, Google released Google Chrome 10.0.648.127

Just eight days after the previous security update, Google has released Chrome 10.0.648.127 for all platforms to address 50 25 vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or bypass security restrictions.

You can review the Google Chrome Releases blog and apply any necessary updates to help mitigate the risks. Chrome can be updated by opening the browser, clicking on the Settings icon on the upper right and selecting About Chrome. This starts the online check for updates and downloads them.

On Patch Tuesday, March 8, 2011, Microsoft released its monthly Windows Updates.

Microsoft has released updates to address vulnerabilities in Microsoft Windows and Office as part of the Microsoft Security Bulletin Summary for March 2011. Two were rated as important and one as Critical.

One vulnerability patched this week is in Windows Media Player and is rated Critical, and affects almost all versions of Media Player on almost all supported versions of Windows. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.

Make sure you check for and apply Windows Updates to all of your supported Windows PCs.

On March 4, 2011, Firefox was updated to version 3.6.15, fixing a stability problem caused by one of the security fixes in version 3.6.14, which was released 3 days earlier, on March 1, 2011.

On March 3, 2011, Apple Released iTunes 10.2

Apple has released iTunes 10.2 to address multiple vulnerabilities affecting the ImageIO, libxml, and WebKit packages. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition. You can review Apple article HT4554 for the details and links to download the patched version. Or, use your installed Apple Software Updater to download the latest version of iTunes.

That completes the list of vulnerabilities patched this past week, in Windows and Mac applications. You can keep tabs on all installed and exploitable software by running the Secunia Online Software Inspector every week. It reveals out-dated and insecure programs and offers download links to obtain the latest patched versions. It also tells you about any missing Windows Updates.

Posted by Wiz at 2:38 PM | Permalink

back to top ^

After decreasing sharply last week, spam levels have begun to rise again. My statistics reveal a 9% increase from the previous week. The most recent spam runs have been for illegal to import, dangerous prescription drugs, fake brand name watches and various African 419 scams.

This past 7 days, spam for various types of garbage amounted to 33% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Feb 28 - Mar 6, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 33%; up 9% from last week
Number of messages classified as spam: 164
Number classified by my custom spam filters: 146
Number and percentage of spam according to my custom blacklist: 10
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 13

The order of spam categories, according to the highest percentages, is as follows:

Pharmaceuticals and illegal prescription drugs: 40.51%
Counterfeit Watches: 13.92%
Known Spam Domains in links (usually Russian: .RU): 13.29%
Fake Viagra and Cialis: 10.13%
Blacklisted sender names and domains (my blacklist): 6.33%
Male Enhancement scams: 3.80%
Other Filters (with small percentages): 3.16%
Pics (Russian Bride) scam: 2.53%
Dating scams: 1.27%
Nigerian 419 scams: 1.27%
SUBJECT ALL CAPS: 1.27%
LACNIC (South American) spam sender: 1.27%
DNS Blacklist Servers: 1.27%

I made just 1 update to my custom filters:
"Pics" Scam (Russian Brides)


There were no false positives last week. All filters behaved as intended. Note, that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions (which I refer to as my Judge Dredd, murder, death, kill rules!). You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.

Posted by Wiz at 2:33 PM | Permalink

back to top ^

It was just 3 days ago, on March 1, 2011, that Mozilla released Firefox 3.6.14, plugging several security and stability issues. Now, on March 4, 2011, they have pushed out another version: 3.6.15, with but one fix: Fixed an issue where some Java applets would fail to load in Firefox 3.6.14.

Not everybody has Java installed on their computers, but, if you do you expect it to work. Some sites use Java to scan for threats or out-of-date software on user's PCs. The Secunia Online Software Inspector is a security scanner that many people routinely use that runs on Java technology. If the Java Virtual Machine fails to load, the scanner does not work. Other uses for Java include online virus scans (real ones, not rogue scanners), interactive animations, presentations and various "applets" that run on a computer desktop.

Normally, when I write about Java it is about an updated version that has been released to fix critical vulnerabilities. This is probably the first time I mention Java where it is not at fault for something that has gone wrong. ;-)

You will want to update your Firefox browser now, whether you have the Java plug-in installed or not. If you have your preferences set to automatically update Firefox, it will happen on its own. Otherwise, you can go to the Help menu item and go down to Check for updates and click on that link. A box will scan for updates and tell you which version is available. Download it and click to restart Firefox. All open tabs will be preserved and will load when Firefox opens, after a minute or so. If you had more than one Firefox windows open, all of the will reappear.

If you experience delays updating through the browser's updater, go directly to the main Firefox download page and download the complete latest version. Install it over the existing version and all of your settings, bookmarks, sign-ons and cookies will be carried over.

Posted by Wiz at 8:10 PM | Permalink

back to top ^

On March 1, 2011, both Google and Mozilla released updates to their web browsers.

Firefox Update

Mozilla Foundation released Firefox 3.6.14, which is a security and stability release. There were 10 security fixes, 8 of which are rated critical. All together, there were 41 bugs reported and fixed, affecting all supported operating systems. I strongly advise all Firefox users to upgrade to the latest version.

Here is a list of the security fixes included in Firefox 3.6.14:

Fixed in Firefox 3.6.14
MFSA 2011-10 - CSRF risk with plugins and 307 redirects
MFSA 2011-09 - Crash caused by corrupted JPEG image
MFSA 2011-08 - ParanoidFragmentSink allows javascript: URLs in chrome documents
MFSA 2011-07 - Memory corruption during text run construction (Windows)
MFSA 2011-06 - Use-after-free error using Web Workers
MFSA 2011-05 - Buffer overflow in JavaScript atom map
MFSA 2011-04 - Buffer overflow in JavaScript upvarMap
MFSA 2011-03 - Use-after-free error in JSON.stringify
MFSA 2011-02 - Recursive eval call causes confirm dialogs to evaluate to true
MFSA 2011-01 - Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)

How to upgrade Firefox

You can upgrade to the latest version of Firefox by means of the automatic updater built into Firefox 3+, or by going to Help > "Check for updates," or by downloading the full install file from http://www.mozilla.com/firefox/ (8.2 MB). You must restart the browser to complete the upgrade. All open tabs will be saved and will re-open with the browser, after a minute or so. Ubuntu and Debian Linux users must use their Software Updater, with an Administrator password, to get new versions of Firefox.

Google Chrome Update

Also on March 1, 2011, Google released an updated Chrome browser earlier today. Google has released Chrome 9.0.597.107 for all platforms to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition. Open Google Chrome and click on the Settings icon > About Google Chrome, which launches the updater. The browser will close and re-open to complete the upgrade.

Posted by Wiz at 11:36 PM | Permalink

back to top ^