June 28, 2011

New variant MBR rootkit removal requires Windows or repair disk

On June 22, 2011, a researcher at Microsoft's Malware Protection Center published disturbing findings about a new variant of a rootkit named "Popureb." This variant, dubbed Popureb.E, is a Master Boot Record (MBR) infector, as were its predecessors. But this variant differs from the others in that it has a unique defense against being removed by the usual methods.

Rootkits are bad news for those whose computers are infected with them. They hide deep inside the operating system and act as puppeteers for other badware files. Rootkits can act as downloaders of malware and of upgrades to it, as spam engines, and as protectors of the malware programs they have installed. They can even act as a strange kind of anti-virus, by uninstalling rival malware files.

"Kernel mode" rootkits can usually be removed by using advanced anti-virus program modules that stop the rootkit process in memory, enumerate its normally hidden files and start-up Registry entries, then delete them during a reboot cycle.

Boot sector, or MBR rootkits are a horse of another color! Boot sector rootkits are the worst of the worst. They hide in the first sector (0) of your boot hard drive and are loaded along with the hardware devices, as the computer boots up, before the OS is active. By loading at the beginning of the boot-up cycle, MBR rootkits, also known as "Bootkits," are able to evade detection by normal anti-virus programs. Even if detected, removal often requires rewriting the MBR, which overwrites the bootkit code with legitimate start-up code.

The most common way to remove standard MBR rootkits and other sector 0 infectors is to use any preinstalled recovery console or repair options that exist on that PC. Windows XP and 2000 had an installable Recovery Console, which was added to the boot options menu. Windows Vista and Windows 7 install repair options that become accessible when you restart and tap the F8 key repeatedly. This option is called Repair Your Computer.

So, let's say you have an XP, Vista or W7 computer that acquires a boot sector infector and you have either the Recovery Console or the Repair Your Computer option available during the initial boot cycle. If you go into one of those options from the boot menu or F8 boot options and choose to "repair your startup files" (Vista/7), or use the Recovery Console to rewrite the MBR (FIXMBR), will it kill the newest bootkits? Not if it is the one dubbed "Popureb.E."

The reason you can't remove this new variant of the Popureb bootkit using onboard tools loaded during the boot cycle is that it has been rewritten to avoid being overwritten! When this rootkit/bootkit detects that input is being typed, or a command issued, to rewrite the MBR, it does some code magic that intercepts the command and changes it into a read command rather than a write. Then it displays a success message, as if the overwrite had succeeded, when in fact it failed! See the technical details about this here.

So, how do you kill off this bootkit? There are two ways. One way is to disconnect the hard drive and wire it as a slave in another computer and use its (updated) anti-virus program to find and eradicate the rootkit from your infected drive. Success depends on what anti-virus/malware program that computer has and how up to date its definitions really are.

There is a better way to kill bootkits, without performing a lobotomy. This method requires you to have a physical Windows installation or repair CD or DVD, for the operating system installed on your infected PC. If you don't have such a disk, borrow one from a friend, or order one from the manufacturer of your PC (you remain infected while you wait for it to arrive).

If you have Windows 7 you can create a bootable "repair disk" by inserting a writable CD or DVD into your computer's optical recorder, then going to Control Panel > System and Security > Backup and Restore > "Create a system repair disc" (sic) (in left pane). A bootable repair disk will be created. You can use it to fix a compromised Master Boot Sector by booting the computer with that disk in the drive, with the BIOS set to boot from the optical drive before the hard drive.

When you boot from the Repair "Disc," as Microsoft spells it, you must press any key on your keyboard fairly quickly to actually load the files from the repair disk. Otherwise, after so many seconds the optical disk will be bypassed and the BIOS will boot from the hard drive. Since the root/boot kit becomes active as soon as the hard drive begins its boot cycle, your fight will have to continue with another reboot, but this time, press a key before the timer times out, to load the repair files from the CD or DVD.

In lieu of the repair disk, you can simply insert your Windows installation disk and boot from it. The repair options vary with the OS, as shown below.

In Windows XP, look for the option to repair your computer using the Recovery Console. Boot into the Recovery Console and when you arrive at a command prompt, type this:

FIXMBR

(Press Enter to execute the command)

Type EXIT and press Enter to close the Recovery Console and reboot the PC. The bootkit will be killed.

For Windows 7, boot from the DVD or Repair Disk and enter the Repair your computer options menu. There, choose the "Startup Repair" button with your mouse pointer and left click. This usually fixes most boot sector problems. But if the bootkit is still there, boot back into the repair disk and this time choose Command Prompt. At the command prompt type these commands, pressing ENTER after each one:

c:
cd boot
bootrec /FixMbr

After restoring the proper Master Boot Sector (Record) and booting into Windows, you must run your anti-virus software to clean out all of the remaining files and Registry entries pertaining to the rootkit and its child processes. I use and recommend Trend Micro Titanium Internet Security.
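The lesson of the Popureb.E trick described above is that a "success" message from FIXMBR or bootrec is not proof that anything was written. The only proof is the bytes on the disk. The following is an added example, not code from the original article or from Microsoft: it parses the 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), replaces the boot code while keeping the partition table, then reads sector 0 back and compares hashes. A write-dropping test double stands in for the symptom the article describes (write accepted, nothing changed); it models only that effect, not the malware. Everything runs against a constructed in-memory image, never a real disk.

```python
"""Read-back verification of an MBR rewrite.

Added example; not code from the original article or from Microsoft.
A bootkit that turns writes into reads still answers "success", so the
defender's check is: hash sector 0, write the clean boot code, re-read
sector 0, compare. All of this runs on a constructed 512-byte image.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446         # bytes 446..509 hold four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype != 0:  # partition type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": partitions,
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
    }


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: the given boot code, one bootable type-0x07 partition
    at LBA 2048 with 204800 sectors, three empty entries and a valid signature."""
    entry = struct.pack(ENTRY_FMT, 0x80, 0x07, 2048, 204800)
    table = entry + b"\x00" * 48
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + MBR_SIGNATURE


class ImageDisk:
    """Sector 0 of a disk, backed by an in-memory buffer (constructed image)."""

    def __init__(self, sector0: bytes):
        self._buf = bytearray(sector0)

    def read_sector0(self) -> bytes:
        return bytes(self._buf)

    def write_sector0(self, data: bytes) -> None:
        self._buf[:] = data


class WriteDroppingDisk(ImageDisk):
    """Test double for the symptom the article describes: the write is accepted
    without any error, yet nothing changes. Models the effect, not the malware."""

    def write_sector0(self, data: bytes) -> None:
        return None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rewrite_boot_code_and_verify(disk, clean_boot_code: bytes) -> bool:
    """Replace the 446-byte boot code, keep the partition table and signature,
    then prove the write landed by reading sector 0 back. True only if the
    disk now holds exactly the intended bytes."""
    if len(clean_boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly 446 bytes")
    before = disk.read_sector0()
    intended = clean_boot_code + before[PART_TABLE_OFF:]
    disk.write_sector0(intended)
    after = disk.read_sector0()
    # Compare digests instead of trusting the write call: a silently dropped
    # write leaves the old bytes, and therefore the old hash, in place.
    return sha256_hex(after) == sha256_hex(intended)


if __name__ == "__main__":
    clean = b"CLEAN-BOOT-CODE".ljust(BOOT_CODE_LEN, b"\x00")
    honest = ImageDisk(make_sample_mbr(b"INFECTED-BOOT-CODE"))
    dropping = WriteDroppingDisk(make_sample_mbr(b"INFECTED-BOOT-CODE"))
    print("normal disk, rewrite verified:", rewrite_boot_code_and_verify(honest, clean))
    print("write-dropping disk, rewrite verified:", rewrite_boot_code_and_verify(dropping, clean))
    print("partition table after rewrite:", parse_mbr(honest.read_sector0())["partitions"])
```

On a real machine the same read-back check is what makes the "boot from optical media" advice above work: the repair environment reads and writes sector 0 while the infected disk's own code has never run, so the comparison tells you whether the rewrite truly took effect rather than relying on the tool's message.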



UPDATE: July 3, 2011
A Webroot researcher has clarified the original Microsoft blog article's position about having to reinstall Windows to fix Popureb.E infections. Apparently, this stealthy MBR virus isn't the sharpest tack in the toolbox and has some coding flaws. In some cases, rewriting the MBR from an optical disk, then rebooting, may cause the computer to hang during the next reboot cycle. In most cases the fixmbr trick does work. Webroot also thinks that this virus does not "take" on Windows Vista or Windows 7, but that remains to be seen.

One thing is for sure. Virus writers tend to update their codes on a regular basis. This is done to get around the detection definitions used by anti-virus programs. Once any virus, Trojan, or other malware is in the wild for a few days, all of the major anti-malware programs will have received updated definitions to detect and remove it. As the successful infection rate drops, the authors will have the code altered to avoid detection for a while, until the security companies issue new definitions for the new virus fingerprint. This cat and mouse game has been going on for many years.

So, the next version of the Popureb virus could be even better written and harder to remove, without damaging the Windows installation to the point that it requires re-installation.

End Update



The worst case scenario is that you will have to reinstall Windows from the official installation disk. This rewrites the correct MBR, but wipes out all of your personal saved files. I advise you to run regular backups of all important data files, at least once a week. I use Acronis True Image to do this on a daily and weekly schedule, to an external drive.

It's always best to use preventative security programs to avoid these insidious rootkit infections. By saving several complete images of your hard drive to another drive, should a rootkit slip in, you can restore a saved image from a time just before the malware took hold.

June 27, 2011

More Romanian spam hosts for Russian pill pushers

Regular readers of my blog articles - about security matters - know that I write a lot about spam issues. Spam is a major source of security exploits. But some of it exploits human foolishness and could compromise your health, as well as your bank account.

I am referring to the spam for pharmaceuticals, most of which are totally counterfeit and often dangerous to your health. Many pill pushing spam links now lead to Russian websites, hosted in Romania. The latest spam run I intercepted today, pushing male enhancement pills, has a plain text link to a domain ending in .RU (a Russian domain extension). The domain is hosted at 188.229.95.27, which is located in Romania.

Spamvertised URL: maxpenisenergy.ru
Resolves to 188.229.95.27

Host: 188.229.95.27
Location: RO - Romania
City: Bucharest
Organization: SC Techomet SRL
ISP: Netserv Consult SRL
inetnum: 188.229.95.0 - 188.229.95.255
route: 188.229.95.0/24
descr: TECHOMET
origin: AS56860

I looked into AS56860 (AS = Autonomous System) and found it listed as a fraud / scam server on MalwareURL, with 32 domains listed. All of them promote counterfeit pills, watches or HCG. Four of its 32 domains are the name servers used to direct traffic from spam recipients to rotating destination URLs.

I checked my Russian Blocklist and found that I already had the neighboring Romanian CIDR 188.229.94.0/24 on the .htaccess and iptables blocklists. Rather than add another entire CIDR, I merely shortened the prefix length from /24 to /23. This encompasses every IP from 188.229.94.0 to 188.229.95.255. All of these IPs are in Romania, owned by SC Techomet SRL. The new range, 188.229.94.0/23, is already uploaded.

If you want to block Russian and neighboring Countries from accessing your websites on shared hosting servers, check out my Russian Blocklist, in .htaccess format. Blocking them from mail servers or ftp sites will probably require the Russian iptables Blocklist, for Linux personal firewalls. Only persons with root access can apply the iptables rules. Everyone else must use the .htaccess version, which only works on Apache servers running on Unix or Linux operating systems.
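The /24-to-/23 merge described above is a small exercise in CIDR arithmetic, and it is easy to get wrong (two adjacent /24s only collapse into a /23 when the first one starts on an even third octet). The following is an added example, not code from the original post or from its Russian Blocklist files: it merges a list of prefixes into the smallest equivalent set, reports the first and last address a merged prefix covers, checks whether a given host falls inside it, and emits the corresponding Apache 2.2 "Deny from" lines for .htaccess and iptables DROP rules. The chain name and the Order Allow,Deny context are assumptions.

```python
"""Merge adjacent blocklist prefixes and emit matching .htaccess / iptables rules.

Added example; not code from the original post or its blocklist files.
Shows 188.229.94.0/24 + 188.229.95.0/24 -> 188.229.94.0/23 and checks
which addresses the merged prefix really covers before rules are published.
"""
import ipaddress
from typing import Iterable, List, Tuple


def aggregate(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Collapse prefixes into the smallest equivalent set. Adjacent, aligned
    prefixes merge (94.0/24 + 95.0/24 -> 94.0/23); 95.0/24 + 96.0/24 do not,
    because a /23 must start on an even third octet."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def range_bounds(cidr: str) -> Tuple[str, str]:
    """First and last address of a prefix, for sanity-checking a merge."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])


def covers(cidrs: Iterable[str], ip: str) -> bool:
    """Would a blocklist built from these prefixes block this address?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in aggregate(cidrs))


def htaccess_rules(cidrs: Iterable[str]) -> List[str]:
    """Apache 2.2 style lines for a shared-hosting .htaccess
    (an 'Order Allow,Deny' / 'Allow from all' context is assumed)."""
    return [f"Deny from {net.with_prefixlen}" for net in aggregate(cidrs)]


def iptables_rules(cidrs: Iterable[str], chain: str = "INPUT") -> List[str]:
    """One DROP rule per aggregated prefix; the chain name is an assumption."""
    return [f"iptables -A {chain} -s {net.with_prefixlen} -j DROP"
            for net in aggregate(cidrs)]


if __name__ == "__main__":
    existing = ["188.229.94.0/24"]       # already on the list
    new_host = "188.229.95.27"           # the spam host found today
    proposed = existing + ["188.229.95.0/24"]
    print("merged prefixes:", [str(n) for n in aggregate(proposed)])
    print("bounds of 188.229.94.0/23:", range_bounds("188.229.94.0/23"))
    print("blocks the spam host:", covers(proposed, new_host))
    print("blocks a neighbour outside the range:", covers(proposed, "188.229.96.1"))
    print("\n".join(htaccess_rules(proposed)))
    print("\n".join(iptables_rules(proposed)))
```

Running `covers()` against the host you actually saw in the spam, and `range_bounds()` against the merged prefix, is the check worth doing before pushing a widened range to a published blocklist: a /23 that starts at an odd octet would silently be normalized to a different range than the one you intended.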

June 26, 2011

My Spam analysis & filter updates for the week of June 19-26, 2011

This week's spam levels have remained at about the same level as last week. The majority of spammers are trying to sell counterfeit pharmaceuticals and replica watches, followed by weight loss herbs, male enhancement gimmicks, fake Viagra, and some Nigerian lottery and 419 scams. The various percentages of spam, by category, are listed in my extended comments.

This past week saw a continuation of the previously dead and buried Canadian Pharmacy scams. These spammers are affiliates of various fake pharmacy programs. They pay Bot Masters to lease the use of zombie computers making up spam botnets. Spammers expect to be paid for the traffic they drive to the fake pharmacies. It so happens that the co-founder of one of the remaining major spam payment processors, Chronopay, has been arrested in Russia. Directly related to his arrest, several affiliate payment systems related to his RX-Promotions spam business are going offline (details to follow soon).

Canadian Pharmacy is one of the spam programs created, managed and paid for in Russia. I expect to see a big drop in all variations of Canadian Pharmacy spam, in the next week or so. No pay, no spam!

Despite fluctuations in volumes of junk email, spam is still going strong. It's not just nuisance messages you need to look out for. There are many critical security threats contained in attachments and links to exploit sites, which are designed to infect your computers with malware. Keyloggers, disguised as Flash upgrades, missing codecs, scanned documents, or resumes in attachments, silently log your keystrokes when you log into your online bank, or PayPal, or your website control panel, stealing your credentials, then your money or company secrets. Therefore, effective email protection is required to protect your computers, your money and your data. MailWasher Pro is the program I use to detect and delete spam and email-borne security threats. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 27% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from June 19-26, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 27%; +1% from last week
Number of messages classified as spam: 119
Number classified by my custom spam filters: 115
Number and percentage of spam according to my custom blacklist: 2
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 15


The order of spam categories, according to the highest percentages, is as follows:

Pharmaceuticals: 26.27%
Counterfeit Watches: 24.58%
Weight Loss Scams: 12.71%
Male Enhancement scams: 10.17%
.BR, .CN, .RU, UA Spam Domain Links: 6.78%
Other Filters (with small individual percentages): 5.08%
Fake Viagra and Cialis: 3.39%
Lottery Scams: 3.39%
Known Spam Domains: 1.69%
My Blacklist: 1.69%
Nigerian 419 scams: 1.69%
Subject All Caps (419 scams): 1.69%
DNS Blacklisted Servers: 0.85%

This week I made 5 updates and/or additions to my custom filters:
.BR .CN .RU .UA Domain Link,
Exploit Link,
Known Spam Domains,
Nigerian 419 Scam #6,
Russian Bride Scam

I made 1 addition to my custom Blacklist this week:
[email protected]

There were no false positives last week. All filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.

If you are having trouble caused by excess volumes of spam email, and are not using an effective filter, why not try out MailWasher Pro? It sure works for me!

June 23, 2011

Don't be fooled by spam for drugs sent COD via FedEx

Today, MailWasher Pro automatically deleted 3 spam emails that were matched by my "Pharmaceuticals" filter, for an online pharmacy. What was different was that they were advertising that the drugs would be shipped C.O.D., via FedEx Courier Service. The words "FREE Rx" were included in both the Subject and Body text.

Here is an excerpt from one of the restored spam messages:

Get FDA approved meds from a US licensed pharmacy. FedEx overnight shipping. No Prior Prescription needed.

Cash On Delivery.. pay to courier guy when your product arrive!

I hope none of my readers will fall for this trap. This is an illegal operation. US Citizens, residing in the USA, cannot import prescription drugs into the USA, by foot, car, truck, motorcycle, boat, airplane, satellite, balloon, mail or courier, from other Countries, with or without a prescription! Read the following excerpt from HealthInsurance.About.com:

Can I Bring Prescription Drugs I Buy in a Foreign Country into the U.S.?

The FDA regulates prescription drugs made in the U.S. Under federal law it is illegal for anyone except a drug manufacturer to import prescription drugs into the U.S.

Additionally, the FDA does not allow the re-importation of medications. For example, if a drug company makes an FDA-approved prescription drug and sends that drug to a pharmacy in Canada, it is against the law for you to buy that drug in Canada and bring it back into the U.S.

It is against the law, in the USA, to purchase Federally controlled substances, like prescription and Schedule 4 drugs, anywhere, without a valid prescription. Therefore, the spam message quoted at the beginning of my article is promoting an illegal activity. Any courier service that delivers illicit prescription drugs to a US location is acting as an accomplice, whether it knows the contents or not. If a FedEx driver does indeed deliver illegal-to-import drugs to you, in the USA, and collects money from you, both of you are violating US FDA laws. This is a Federal offense, punishable by hard time in prison and a huge fine (see my extended comments about penalties).

In my extended comments I will show you where these emails come from and where the supposed "US licensed pharmacy" is really located.

So, what are the penalties if you get caught trying to import prescription drugs into the USA from an online pharmacy?

Read this valuable information I found in the Wikipedia, about Online Pharmacies:

It is illegal to purchase controlled substances from an overseas pharmacy. A person purchasing a controlled substance from such a pharmacy may be violating two federal laws that carry stiff penalties. The act of importation of the drug from overseas violates 21 USC, Section 952 (up to 5 years in prison and $250,000 fine for importation of non-narcotic Schedule III, IV, or V drugs; possibly more for narcotics and Schedule I and II drugs). The act of simple possession of a controlled substance without a valid prescription violates 21 USC, Section 844 (up to 1 year in prison and $1,000 fine). FDA does not recognize online prescriptions; for a prescription to be valid there must be a face-to-face relationship between the patient and the health-care professional prescribing the drug. What exactly constitutes a "face-to-face" relationship is considered by many online pharmacies to be a subjective definition that would allow them to operate as an adjunct to the patient's own physician if the patient submits medical records documenting a condition for which the requested medication is deemed appropriate for treatment. Sections 956 and 1301 provide exemptions for travelers who bring small quantities of controlled substances in or out of the country in person, but not by mail.

I believe that I have established to any reasonable person that the online drugstores being spamvertised are illegal and buying controlled substances from them is a violation of US Federal law. So, let's move along to revealing where the pharmacy in my spam email is really located.

From the headers, we see:

Received: from [187.113.224.3] (helo=thybsmgf73p1u)
Subject: Order Discount Vicodin - FREE Rx - Cash on Delivery

WHOIS?

inetnum: 187.112.0.0/14
aut-num: AS18881
owner: Global Village Telecom
country: BR

This spam was sent from a botted home PC in Brazil.

The link in the message body goes to pay[...]delv dot com. I ran the URL through WannaBrowser and the website that it landed upon is located at 60.190.222.163.

WHOIS 60.190.222.163?

IP Address 60.190.222.163
Location CN CN, China
ISP CHINANET Zhejiang province network
AS Number AS4134 Chinanet

The AS4134 assignment is also used in numerous online scams and malware distribution systems, some of which I have written about in the last week, or two.

Back to the web page at the aforementioned URL. The images on the page show an American-looking man and woman wearing white medical garments and stethoscopes. The text in the images advertises "your favorite RX Medications" and "No Prescription Required." A huge list of all kinds of prescription medicines follows. Below the list there is a round gold banner proclaiming that they offer "Cash On Delivery shipping; Pay your Postman..." Below that is a FedEx logo, with the words Discreet Shipping under it. At the very bottom of the page are the words: "RightRx Ltd 2004-2011"

Since the pharmacy claims to have been in operation since 2004, I ran a WHOIS on the domain name that they responded to. The results show that this domain was just registered on June 17, 2011! It expires on June 17, 2012. The Registrant is listed as BIZCN.COM, INC., located at http://www.bizcn.com, a Chinese organization. Even the Name Servers are located in China.

Host pay...delv.com
DNS servers NS5.CNMSN.NET 219.136.249.5
NS6.CNMSN.NET 61.4.191.170

Host 219.136.249.5
Location CN CN, China
City Guangzhou, 30 -
Organization ChinaNet Guangdong Province Network

Host 61.4.191.170
Location CN CN, China
City Beijing, 22 -
Organization BeiJing FeiHuaLingHang Technology Development Co.

Epilog:

So, here we have a spam run promoting illegal to import drugs, sold without any prescription, by a website hosted in China, willing to drop ship counterfeit drugs to your doorstep, COD. C.O.D. might mean "Collect, Open, Die," in the case of Chinese drugs containing solvents or Melamine.

Don't fall for any online pharmacy scams, whether you are asked for a credit card on the spot, or they offer C.O.D. All of these spamvertised online pharmacies are unlicensed in the USA, are selling illegal to import prescription and Schedule 3 or 4 narcotics, and are distributing 100% counterfeit drugs.

People ordering drugs from such pharmacies could end up in the hospital, in the morgue, or in prison.

June 22, 2011

My Canadian Pharmacy scam gets new domain names

On June 15, 2011, I wrote a blog article about the re-emergence of the previously killed off Canadian Pharmacy scams. When I published that article I also filed a spam report against the domain name used in the link in the spam email I received, with its Registrar of record. Two days later the domain was suspended for violating the Registrar's terms of service.

Tonight I received two more identical spam emails, with two different domains in the links, promoting a Canadian Pharmacy selling the same Anti-ED drugs. I have filed a report with the Registrar of record, nameregistrars.net, for the first one: eumbyhojbu.com. The second domain link was for: gffbn.ru. This is a Russian domain. The only information I can find on it is that it leads to the same IP address as the previous two spam links did. All of these fake Canadian-Pharmacy/My Canadian Pharmacy links are redirected to a rogue pharmacy website hosted on a Romanian PC or server (at 194.50.7.208), running a Russian Nginx web server.

Notably, all of these spam emails use hidden ISO codes in the From and Subject fields to evade spam filters. Your email client is happy to translate them into the names of the pharmacy and illicit drugs they are selling.
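The "hidden ISO codes" mentioned above are, in all likelihood, RFC 2047 encoded-words, the standard way to carry ISO-8859-x or UTF-8 text in a mail header (`=?charset?Q?...?=` or `=?charset?B?...?=`); that is an assumption on my part, since the post does not name the mechanism. The following is an added example, not code from the original post or from MailWasher Pro: it decodes such headers exactly as a mail client does, then shows why a filter that matches the raw header text misses a base64-encoded Subject while a filter run on the decoded text catches it. The sample headers are constructed here, not copied from real spam, and the address in them is a reserved invalid one.

```python
"""Decode encoded-word headers so a spam filter matches what the reader sees.

Added example; not code from the original post or from MailWasher Pro.
Assumes the "ISO codes" in the From/Subject fields are RFC 2047
encoded-words. Sample headers below are constructed, not real spam.
"""
import base64
import re
from email.header import decode_header, make_header


def decode_rfc2047(raw: str) -> str:
    """Return the header text as a mail client would display it."""
    return str(make_header(decode_header(raw)))


def matches_after_decoding(raw: str, keyword: str) -> bool:
    """Case-insensitive keyword match on the decoded header."""
    return re.search(re.escape(keyword), decode_rfc2047(raw), re.IGNORECASE) is not None


def b_encoded_word(text: str, charset: str = "ISO-8859-1") -> str:
    """Build a B (base64) encoded-word; used only to construct the samples."""
    payload = base64.b64encode(text.encode(charset)).decode("ascii")
    return f"=?{charset}?B?{payload}?="


# Constructed samples: a base64-encoded Subject and a quoted-printable From.
SAMPLE_SUBJECT = b_encoded_word("My Canadian Pharmacy - Viagra at 70% off")
SAMPLE_FROM = "=?ISO-8859-1?Q?Canadian-Pharmacy?= <nobody@example.invalid>"


def filter_hits(raw_header: str, keywords) -> dict:
    """For each keyword, report whether it is visible in the raw header and
    whether it is visible after decoding, to compare the two filter styles."""
    decoded = decode_rfc2047(raw_header)
    return {k: {"raw": k.lower() in raw_header.lower(),
                "decoded": k.lower() in decoded.lower()} for k in keywords}


if __name__ == "__main__":
    for raw in (SAMPLE_SUBJECT, SAMPLE_FROM):
        print("raw:    ", raw)
        print("decoded:", decode_rfc2047(raw))
        print("hits:   ", filter_hits(raw, ["pharmacy", "viagra"]))
        print()
```

The Q-encoded From line still shows the brand name in the raw text, so a plain keyword filter catches it; the B-encoded Subject does not, which is the gap a filter that works on the decoded header closes. Any filter rule that looks at From or Subject should be applied after decoding, never before.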

As was the case with the previous fake pharmacy landing page, this one uses a variety of Chinese and other Botnet sources to assemble the images used to fool people into believing it is a legit pharmacy. It is all snake oil and octopus juice. This is a fake pharmacy, hosted in Romania, using Russian Name Servers. The PCs used to deliver the spam emails for it are part of a world-wide spam botnet.

Do not believe anything found in the emails promoting these fake Canadian Pharmacy websites. Never buy anything from those sites. You will be handing over your credit or debit card details to Russian spammers and criminals. If you ever receive the illegal drugs you ordered, they will be counterfeit, made in Asia. They may harm or kill you. If you are lucky, you'll never receive them at all. Better to be out a few hundred bucks than pushing up daisies from OD-ing on fake Viagra laced with Melamine!

June 21, 2011

Don't click on the links in any PayPal email messages

This article, short as it may be, could save both your money and identity, if you are a PayPal customer.

PayPal, now an eBay owned company, manages the money for all transactions conducted on eBay, plus those of a huge number of non-eBay customers who use PayPal to send and receive money online. In all, as of June 2011, PayPal claims to have 98 million active users, in 190 different markets and 25 currencies. You may be one of those members.

If you are not a PayPal member and do not make any purchases on eBay, nor send donations via PayPal Donate buttons, or make any other payments through them, you will automatically treat all email claiming to come from PayPal as spam and a probable Phishing scam (most are). You won't be tempted to click on any links to login to your PayPal account if you don't have one!

But, if you are one of the 98 million members of PayPal, whether you use them rarely, or often, you have to allow them to send you email messages. It is not optional. This leads me into the topic at hand:

PayPal is still sending official email messages to its members, containing clickable links, and urging you to login to your account via those links.

This is exactly the same behavior used by Phishing scam artists. They send official looking copies of the exact emails that companies like PayPal are sending to their customers. They include clickable logos and text links, urging you to use them to login to your PayPal account and give away your username and password and all of your money that is either in your PayPal account, or in the credit card linked to it, or in the bank account linked to it.

In the case of actual PayPal email messages, the only obvious distinction is that they always address you by your proper name, as it is registered with them (E.g.: Dear Joe Blow). The Phishing scams usually address you as "Dear Member." The actual difference in the links is that the real PayPal email links point to sub-domains on paypal.com, like: email0.paypal.com/servelet/whatever... whereas the links in Phishing emails will lead to a different domain than paypal.com.

You can learn to see the actual location of any link in most email messages by hovering your mouse or pointer over the links, but not clicking on them. The actual domain portion comes between the http:// and the first forward slash (/). Any domain names that follow the first forward slash are inserted to fool you. So, if the URL you see in the Status Bar shows something like this: https://email0.paypal.com/servlet/cc6?iitgHQYRASQUV... it is an authentic PayPal link. On the other hand, if the hover link resembles this: http://account-verify-paypal.com/... it is a fake. The second link leads to a domain named account-verify-paypal.com - which is NOT the same domain as paypal.com! But https://email0.paypal.com/ IS a sub-domain of paypal.com.

Sub-domains are separated from the master domain by a period (.); not a dash (-), nor an underscore (_). Only a DOT between the first name and the domain name is a legal sub-domain. Thus, this is a sub-domain: email0.paypal.com/ ... This is NOT a sub-domain: email0-paypal.com; it is a totally different Domain Name.
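The two rules just given (the host is what sits between "http(s)://" and the first slash, and only a dot separates a sub-domain from its parent) can be turned into a mechanical check. The following is an added example, not code from the original article or from PayPal: it extracts the host from a link, decides whether that host is paypal.com or a true sub-domain of it, and also flags a paypal.com link that is not HTTPS. It goes slightly beyond the article by ignoring a "user@" prefix and a port in the URL, two more places a look-alike can hide. The sample links are the article's own plus constructed look-alikes; the constructed hosts use reserved names and are not real sites.

```python
"""Tell a real paypal.com link from a look-alike by checking the host, not the text.

Added example; not code from the original article or from PayPal.
Rule: the host is what lies between http(s):// and the first slash, and only
a DOT joins a sub-domain to its parent. Also strips user@ and :port.
"""
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "paypal.com"


def host_of(url: str) -> str:
    """Lower-cased host of an absolute URL, without user@, port or trailing dot.
    Everything after the first slash, including a second 'domain' in the path,
    is ignored, as is anything before an '@' in the authority part."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_trusted_host(host: str, domain: str = TRUSTED_DOMAIN) -> bool:
    """True for the domain itself or a real sub-domain joined by a dot.
    'email0-paypal.com' and 'www.paypal.com.example' both fail this test."""
    return host == domain or host.endswith("." + domain)


def classify_link(url: str) -> str:
    host = host_of(url)
    if not host:
        return "NO HOST: not an absolute http(s) URL"
    if not is_trusted_host(host):
        return f"FAKE: {host} is not {TRUSTED_DOMAIN} or a sub-domain of it"
    if urlsplit(url).scheme.lower() != "https":
        return f"SUSPICIOUS: {host} belongs to {TRUSTED_DOMAIN} but the link is not HTTPS"
    return f"OK: {host} is {TRUSTED_DOMAIN} or a sub-domain of it, over HTTPS"


SAMPLE_LINKS = [
    "https://email0.paypal.com/servlet/cc6?iitgHQYRASQUV",  # from the article
    "http://account-verify-paypal.com/",                     # from the article
    "https://email0-paypal.com/login",                       # dash, not dot (constructed)
    "http://www.paypal.com.example/login",                   # trusted name inside a longer host (constructed)
    "http://paypal.com@www.example/login",                   # 'user@' trick (constructed)
    "http://www.example/https://www.paypal.com/",            # real domain hidden in the path (constructed)
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link}\n    -> {classify_link(link)}")
```

The check deliberately never looks at the visible link text or the path: a mail client's status bar shows the whole URL, but only the host portion decides where the click goes, which is exactly the distinction the article draws.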

This information about hovering is fine for people using a standalone email program, like Microsoft Windows Live Mail, or the old Outlook Express, which display a Status Bar on the bottom by default. But, many people use their web browsers to do email and quite a few do not opt to display the Status Bar. Those folks will not see the true destination of links before they click on them.

It is a foolish act, in many opinions, for a huge financial firm like PayPal to send out email communications about Policy Updates, overdrafts, pending cases, etc., and include clickable links to log you into your account! This is the very same means used by fraudsters to trick victims into clicking on their links to look-alike login pages, where your credentials and money and bank details will be stolen.

PayPal would better serve all of its customers by instructing them to login to PayPal (or their bank) by typing in the URL, in the browser address bar, or by re-using a link they saved from a previous, legitimate online session. Most browsers save your frequently visited websites and will help you as you type. I only need to type a couple of characters for the legitimate PayPal URL to appear.

Note: All PayPal logins should have HTTPS at the beginning of the URL, NOT HTTP. HTTPS indicates an encrypted connection to a website presenting a valid SSL certificate issued by a certificate authority. Anything you type into input fields over an HTTPS connection is encrypted before being sent out from the browser. Anything typed into a form on an HTTP page is sent out in plain text.

The bottom line and message I am trying to impart to you is this: It makes no never mind what the links in a PayPal email (real or fake) lead to. DON'T USE THEM! They might be real, or fake and you may not be able to tell from how they are displayed in your Status Bar (if you have one showing). If an email arrives from PayPal, about an important matter, like their Policy Updates, or Disputes, or accounts added, ignore the links in the message. PERIOD. Go to your browser, open a new tab, or new window and type in https://www.paypal.com/ then make sure it still says exactly that in the location/address bar (watch out for typos that could lead to malware sites), then press Enter. Then and only then, type in your login credentials.

By always typing in the address of important financial websites, then verifying them before pressing the Go button, or Enter, you can hopefully avoid being phished by credential crooks. There are other ways they can ensnare you, so keep your computers protected with the best anti-malware program you can afford. I use and recommend Malwarebytes' Anti-Malware and also Trend Micro Titanium Internet Security Pro.

June 19, 2011

My Spam analysis & filter updates for the week of June 12-19, 2011

After decreasing last week, this week's spam levels have remained at the same level. The majority of spammers are trying to sell counterfeit replica watches, followed by illicit prescription pharmaceuticals (sans the req'd prescription), male enhancement herbs, fake Viagra, weight loss drugs and even some Nigerian 419 scams. The various percentages of spam, by category, are listed in my extended comments.

This past week saw a return of the previously dead and buried Canadian Pharmacy scams. This time, the spam sender uses the name "Canadian-Pharmacy" and the faked destination website says "My Canadian Pharmacy." Other than the addition of "My," the rest is identical to the old websites. They are still hosted on botted PCs, controlled by Russian spam gangs and Bot Masters. The landing pages include logos with links to alleged Accreditation sources, all of which go right back to the same fraudulent web page, on the botted PC. I wrote a full analysis of this new Canadian Pharmacy scam in a recent article.

Despite fluctuations in volumes of junk email, spam is still going strong. It's not just nuisance messages you need to look out for. There are many critical security threats contained in attachments and links to exploit sites, which are designed to infect your computers with malware. Keyloggers, disguised as Flash upgrades, missing codecs, scanned documents, or resumes in attachments, silently log your keystrokes when you log into your online bank, or PayPal, or your website control panel, stealing your credentials, then your money or company secrets. Therefore, effective email protection is required to protect your computers, your money and your data. MailWasher Pro is the program I use to detect and delete spam and email-borne security threats. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

Over the past 7 days, spam for various types of garbage amounted to 26% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from June 12-19, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 26% (unchanged from last week)
Number of messages classified as spam: 112
Number classified by my custom spam filters: 101
Number and percentage of spam according to my custom blacklist: 2
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 5
Number of spam messages seen, reported to SpamCop & manually deleted: 12


The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 25.00%
Pharmaceuticals: 17.59%
Male Enhancement scams: 13.89% (up ~7% from last week)
Fake Viagra and Cialis: 9.26% (down ~15%)
.BR, .CN, .RU Spam Domain Links: 8.33%
Other Filters (with small individual percentages): 6.48%
Known Spam [From]: 4.63%
DNS Blacklisted Servers: 4.63%
Non-English Language spam: 2.78%
Weight Loss Scams: 2.78% (down 50% from last week)
My Blacklist: 1.85%
Nigerian 419 scams: 1.85%
RE or FW spam: 0.93%

This week I made 4 updates and/or additions to my custom filters:
Diploma spam,
URL Shortener (Spam) Link,
Weight Loss Drugs,
(New) Accented Characters - Non-English Language.

I made 0 additions to my custom Blacklist this week.

There was one false positive last week, leading to a slight modification of the Diplomas spam filter. All filters behaved as intended. Note, that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.

If you are having trouble caused by excess volumes of spam email, and are not using an effective filter, why not try out MailWasher Pro? It sure works for me!


June 18, 2011

Fake "My Canadian Pharmacy" domain blackholed after my complaint

About two days ago, on June 15, 2011, I wrote an article on this blog about the re-emergence of the rogue Canadian Pharmacy scam, now using the name: "My Canadian Pharmacy." The pharmacy is a fake, selling counterfeit Asian pills and stealing money from gullible Americans, who are tricked into purchasing fake drugs (without the normally required prescription) and handing over their credit and debit card numbers to criminals, in the process.

Near the end of that article I mentioned BigRock.com, the Accredited Domain Name Registrar on record, who was responsible for providing a connection for that domain, ERGADOYMA dot COM, to the Russian "name servers" inputted into the account, by the owner. The Registrar is a go-between for a domain name and the equipment that provides an IP address that allows them to serve web pages to the World Wide Web. That equipment is referred to as a name server. In the case of the rogue My Canadian Pharmacies, the name servers were Russian (.ru); located in Russia and in China.

The Registrar, BigRock.com, located in Mumbai, India, read my complaint about spamming and illegal activities going on regarding that domain, and looked into the matter. I am happy to announce that they replied to my charges and have terminated the account for ERGADOYMA dot COM, for violating their Terms Of Service, regarding spamming and illicit activity. That domain is now blackholed, to 0.0.0.0 and is no longer responding to requests from spam recipients.

It is almost certain that the cybercriminals who registered that domain name are going to try to find another accredited Registrar with whom they might register their fake pharmacy name again. If or when they do, the domain will resolve to web pages hosted on botted PCs, under the control of the spammers and Bot Masters running this rogue pharmacy.

This victory, for the little guy, may be short lived, but it is significant. My formal complaint and due diligence in my investigation contributed to the takedown of a criminal domain name used to rob and poison gullible people of their money and health. It shows you that one small voice can make a big difference.

If you intend to report spam domains to their hosts or Registrars, make sure you have your facts lined up in an easy to understand outline. Avoid ambiguous words and phrases. Get to the point and provide concrete evidence. Do not assume that the Registrar, or web host, is complicit. In most cases, they are innocent accomplices, duped by seasoned professional cybercriminal spammers and Bot Masters.

NB: I use Trend Micro Internet Security on my PC. It has blocked access to the web pages referred by links to ERGADOYMA dot COM, for a long time. This domain is a known "badware" serving domain, owned by Russian criminals.


June 15, 2011

Spam for fake Canadian Pharmacy is back, as "My Canadian Pharmacy"

In October 2010, the Russian based criminal enterprise that ran and financed the fraudulent Canadian Pharmacy scams closed their doors, leaving hundreds of affiliate spammers without a payment portal or template system. Well, they're baaaaack!

Today my Hotmail account received a spam email claiming to be from "Canadian-Pharmacy." I investigated for a while and my findings are listed below. Before anybody reads any further, suffice it to say that this is a fake/rogue Internet pharmacy, which despite their claims on their web pages, has absolutely no connection to Canada, or to any accreditation bodies mentioned in the spamvertised websites. Everything about this new version of Canadian Pharmacy is as fake as the ones before it.

Let's dissect the new version of this scam, which is now going by the name: "My Canadian Pharmacy" - and reveal the facts that the average Joe might not see, or be aware of.

In a nutshell, what a potential victim of this scam may not know is that the website they land on is not hosted in Canada, but, in this case, in Romania. The page you see is not running on a normal, commercial web server, but on the Russian Nginx web server, popular with Russian cybercriminals. It is surreptitiously installed on compromised PCs, after they have been infected with botnet malware.

The message I received earlier today had a subject and body text promoting trademarked prescription anti-ED drugs, which if used improperly, without consulting your personal physician, could cause you a lot of medical trouble, or even cause your death. Worse, these drugs are not made in the USA or Canada, but in Asian labs that specialize in counterfeiting American brand name drugs and producing snake oil herbal remedies. At the end of the body text there was a link, with the text: "Click Here Now." Hovering over that link (holding the pointer over it without clicking on it!) revealed the destination URL, which I copied, using the technique described in the next paragraph.

If you left-click (using normal mouse setups) on a link you go directly to that location, or to the location it redirects you to (!). If you right-click instead, you get a flyout list of non-committal options, which you can act upon as desired. By right-clicking while you hover over a hyperlink (in email or on web pages), you will usually get the option to copy the link location. I did this and copied the URL that was concealed under the words "Click Here Now."

When you are investigating spam and scam email messages it is not usually safe to click on, or copy and paste a link from those messages into your browser's location/address bar. You could easily end up getting exploited and having malware installed on your PC!

What I do is to copy the link's location (by right-clicking while hovering over the link), then go to www.wannabrowser.com, where I paste the URL into the Location field. Then, to cloak where I am browsing from, I type a dash (-) into the Referrer field, then click on the Load URL button. After a few seconds you will be taken to the website in question, where everything about it is displayed in plain safe text. On the upper right side you will see the actual location and IP address of the website you have landed upon. In a large text area below you will find everything that is revealed by the server, including the entire source code of the web page.

The information displayed in the results on Wannabrowser is sufficient to act as a starting point for most spam detective work. The value depends on your viewpoint, so, if you can afford it, please use the Donations button on the Wannabrowser results pages and send the owner a little love.
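The "hover, right-click, copy link location" step above can be done programmatically, which keeps the URL out of the browser entirely until it is handed to a text-only viewer such as Wannabrowser. The following is an added example, not code from this blog: it parses a constructed spam message (the domain spam-example.invalid is a placeholder, not a real site), lists every hyperlink with its visible text, destination host and port, and never fetches anything. Non-standard ports such as 8080 stand out immediately in the output.

```python
"""Extract link destinations from a suspicious email without opening them.

Added example (not from the blog). The sample message below is constructed;
spam-example.invalid is a placeholder domain, not a real site.
"""
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a pharmacy-style spam with a "Click Here Now" link.
SAMPLE_EMAIL = """\
From: "Canadian-Pharmacy" <promo@spam-example.invalid>
To: victim@example.com
Subject: Your discount is waiting
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Brand-name pills, no prescription needed.</p>
<p><a href="http://spam-example.invalid:8080/land.php?aff=123">Click Here Now</a></p>
<p><a href="http://www.example.org/">Our accreditation</a></p>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def html_bodies(msg: Message):
    """Yield the decoded text/html parts of a parsed message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def extract_links(raw_email: str):
    """Return a list of dicts describing every hyperlink in the message.

    Nothing is fetched; the markup is parsed and the URL split, which is the
    safe equivalent of copying the link location from the right-click menu.
    """
    msg = message_from_string(raw_email)
    results = []
    for body in html_bodies(msg):
        collector = AnchorCollector()
        collector.feed(body)
        for text, href in collector.links:
            parts = urlsplit(href)
            results.append({
                "text": text,
                "url": href,
                "host": parts.hostname,
                # A non-standard port (8080 on a botted PC, say) is worth noting.
                "port": parts.port or (443 if parts.scheme == "https" else 80),
            })
    return results


if __name__ == "__main__":
    for link in extract_links(SAMPLE_EMAIL):
        print(f'{link["text"]!r:20} -> {link["host"]}:{link["port"]}  {link["url"]}')
```

Feed it a message saved as raw text (most mail clients offer "view source" or "save as .eml"); the host and port columns are what you paste into an offline lookup, not into a browser.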

In the case I am writing about, the destination URL (ERGADOYMA dot COM - known badware/scam site) is hosted on an Nginx web server, on a PC in Romania, with an IP address of 194.50.7.208. The URL is already blocked by Trend Micro Internet Security, which I use, as a hostile site hosting harmful content.

The source code of the web page showed that it represented itself as "My Canadian Pharmacy." Remember, this web page was hosted in Romania. By the time I publish this article, it will be hosted elsewhere, on another botnetted PC. It featured a whole bunch of images of Canadian flags, logos, people in white Doctor outfits, pills, capsules, trademarked drug brand names, Accreditation claims, Visa and MasterCard, etc. What I found interesting about these images is that they were all pulled in from five (5) different IP addresses, from botnetted computers in Bangladesh, China, Panama and Russia, using port 8080.

Botnets set up hidden web servers on zombie PCs and set them to communicate on port 8080, to avoid detection by the ISPs through which they are getting their Internet access. Most ISPs block outgoing port 80, which is the standard used to "serve" web pages. The Nginx server gets around these blocks by using port 8080.

All of the logos claiming that the site was licensed or accredited led right back to the very same botnetted computer, to a page deposited there when the scam website was installed on it. There is an order form leading to a payment portal owned by the criminal gang behind this scam. Anybody who purchases any of the pills listed on these fake pharmacies has given their credit or debit card details to Russian criminals. If they even receive the drugs they ordered (illicit drugs are often seized by US Customs), they will not be what they claim to be. The contents will be counterfeit and often contain extremely dangerous chemicals, used to simulate the effect of the real V pill. People have died from taking these fake, Asian drugs.

I ran a Whois look-up on the domain being Spamvertised in the email and found that it was one of about 99 recently registered by the same person, going by the name: Michael Field, of Newport, Oregon, using the email address: [email protected]. This person, real or fake, is well documented as a spammer and malware distributor.

The Domain's Registrar, BigRock.com, has been notified about the spam website. Interestingly, the Registrar is located in Mumbai, India. The name servers used by the spamvertised website are located in China and Russia and are both registered as Russian name servers.

All of this matches the previous discoveries that I and many other security researchers have uncovered, concerning the rogue Canadian Pharmacies and their offshoots. These are Russian operations, carried out by seedy characters who operate with relative impunity from prosecution, by paying bribes to criminal investigators and local authorities.

Do not be fooled into buying the illicit drugs spamvertised by email, from rogue Internet pharmacies. They are operated by spammers and criminals and sell dangerous and sometimes death dealing counterfeit drugs. Once they have your credit card information they will do with it as they please and you might not like what that is.

Note to Webmasters: I have updated my Chinese, LACNIC and Russian Blocklists to include the CIDRs that include the IP addresses used to host the images and the rogue pharmacy itself.


Windows malware infections from Autorun exploits down by 82% from 2010

According to a Microsoft Technet Blog article published on June 14, 2011, malware infections resulting from exploits involving Autorun (like when you plug in a USB memory device and it runs a program or setup automatically) have dropped by 82% from the numbers recorded during the same period in 2010.

The percentage of decline varied with the operating system and service pack installed. Windows XP users who have Service Pack 3 installed saw a 62% drop in Autorun installed malware, after accepting the optional patch issued on Feb 8, 2011, or the forced installation of the reissued patch, pushed out on February 24, 2011.

If you are operating a Windows XP computer with any service pack older than SP 3, your version of Windows is now out of support and you are no longer receiving any critical patches. Thus, your computer is not protected against this, or any other recently patched vulnerabilities. If it is connected to the Internet, or if you plug in an infected USB device, unless you have manually edited your computer's Registry to disable Autorun, or it is running industrial strength anti-malware protection, it will eventually become infected and probably botted.

Computers running on Windows Vista with SP1 saw a 68% decline, while those with SP2 installed had a whopping 82% drop in malware installations.

Note! Microsoft will stop supporting Windows Vista Service Pack 1 on July 12, 2011. From that date onward, Microsoft will no longer provide support or free security updates for Windows Vista Service Pack 1 (SP1). You folks need to upgrade to Vista SP 2 by July 12, 2011, or you will not receive any more updates or patches.

Why have Autorun infection rates dropped so dramatically?

The drop in malware infections from Autorun exploits is attributable to patch KB971029, which Microsoft released as an optional update with the Windows Updates of February 8, 2011 and pushed out two weeks later as a non-optional update. It turned OFF Autorun for "non-shiny" media (USB devices and network shares, but not CDs or DVDs). Before then, if you plugged a USB stick (a.k.a. thumbdrive, flash drive) into your Windows XP or Vista computer and there was a setup file on that memory device, it would run automatically. With the update installed, flash drives inserted into a PC running XP (SP3), or Vista no longer offer the option to run programs. However, the demise of AutoRun does not affect CDs or DVDs (just USB devices or shared network drives).

Some notorious infections went so far as spoofing the wording of options on the dialog box that usually opens when you plug in a USB device. The wording was crafted to induce unwary users into choosing the spoofed option, which was rewritten to appear that if clicked upon, it would open the drive as a folder, for them to look at. In fact, that option was still there, as the next option down! The first one executed a hidden file on the device, named "autorun.inf" - which triggered a hidden executable file on the drive, which was a malware/spyware setup file. Because of its being the first choice and the craftiness of the wording, many thousands of intelligent people were fooled into clicking it and installing the malware contained on those devices.

It was infected thumb-drives that allowed the Conficker Worm to spread so widely and quickly in late 2009 and early 2010.
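The spoofed dialog entry described above comes from the keys inside the device's autorun.inf: the "open" key names the program to run, and the "action" key supplies the wording shown in the AutoPlay dialog, which is what the malware authors rewrote to look like Explorer's own "Open folder to view files" option. The following is an added example, not code from this blog, that triages an autorun.inf for exactly those tricks. Both autorun.inf texts are constructed; the key names ([autorun], open, shellexecute, action, shell\<verb>\command) are the documented ones, and the wording patterns it searches for are my own assumption of what a spoofed label looks like.

```python
"""Triage an autorun.inf file for the spoofing tricks the post describes.

Added example, not from the blog. Both autorun.inf texts are constructed:
one is a plain CD-style installer launcher, the other imitates Explorer's
"Open folder to view files" entry while actually running a hidden program.
"""
import configparser
import re

# File types that run as code when launched from autorun (assumed list).
EXECUTABLE_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js|dll)(\s|$)", re.I)
# Wording Explorer itself uses for the harmless AutoPlay option.
FOLDER_WORDING = re.compile(r"open\s+folder|view\s+files|browse", re.I)

CONSTRUCTED_BENIGN = """\
[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

CONSTRUCTED_SPOOFED = """\
[autorun]
open=RECYCLER\\hidden.exe
action=Open folder to view files
shell\\open\\command=RECYCLER\\hidden.exe
shell\\explore\\command=RECYCLER\\hidden.exe
"""


def parse_autorun(text):
    """Return the [autorun] section as a dict of lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower  # autorun.inf keys are case-insensitive
    cp.read_string(text)
    if not cp.has_section("autorun"):
        return {}
    return dict(cp.items("autorun"))


def triage_autorun(text):
    """Return a list of findings; an empty list means nothing suspicious."""
    keys = parse_autorun(text)
    findings = []
    # Anything that launches a program on insert is a risk, benign or not.
    launcher = keys.get("open") or keys.get("shellexecute")
    if launcher and EXECUTABLE_EXT.search(launcher):
        findings.append(f"launches executable on insert: {launcher}")
    # The spoof: dialog text that imitates the "open folder" option.
    action = keys.get("action")
    if action and FOLDER_WORDING.search(action):
        findings.append(f"action label imitates Explorer's folder option: {action!r}")
    # Right-click verbs (Open, Explore) redirected to a program.
    for key, value in keys.items():
        if key.startswith("shell\\") and key.endswith("\\command") and EXECUTABLE_EXT.search(value):
            findings.append(f"context-menu verb redirected to executable: {key}={value}")
    return findings


if __name__ == "__main__":
    for name, text in (("benign", CONSTRUCTED_BENIGN), ("spoofed", CONSTRUCTED_SPOOFED)):
        print(name)
        for finding in triage_autorun(text):
            print("  -", finding)
```

The benign installer still produces one finding, because an "open" key that runs a program is precisely the behaviour KB971029 removed for USB media; the spoofed file produces four. The script is for reading a copy of the file, not for running anything from the device.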

You can verify which operating system and service pack your computer is running by right-clicking the icon for (My) Computer, which is in the upper right side of the Start Menu that opens when you click the Start button, and left-selecting "Properties." You may even have an icon labeled My Computer on your Windows Desktop. If so, right-click on it and left-select Properties.

When the Computer Properties box opens, it should be on the "General" tab. You will see your OS type and any service packs installed, in the upper section. You can also learn about the speed of your CPU and amount of installed RAM, in the lower section of the box.

If you have Windows computers running XP with Service Pack 3, or Vista, with Service Pack 2, you should have already received the February 2011 Windows Update that effectively disables Autorun on removable non-shiny disk drives. However, it is possible that you have just acquired a used computer and perhaps it hasn't been online in a long time. If it has XP SP 3, go directly to Windows Update, via either Internet Explorer > Safety > Windows Update, or, via the link to Windows Update in the upper right area of the "Start Menu."

Once the Windows Updates site loads in Internet Explorer (no other browser works for Windows Updates, because the site uses ActiveX Controls), click the Express button and accept all available updates. You will need to restart your PC, then return to the Windows Update site and see what new updates become available, as a result of updates just applied. Do this, rebooting as requested, until no more Express Windows Updates appear.

If you are using a PC that is running a licensed, older version of XP, like SP 1 or SP 2, or even no Service Pack at all, you must go to the Microsoft Download Center and download the missing service packs, then install them manually. You need the previous service pack to get the newer ones. This is all explained on this Microsoft page about downloading and upgrading XP service packs. Alternately, you can order the service pack upgrade on a CD, and just pay for postage. You get the CD, plop it into the CD drive, then follow the directions to upgrade to SP 3.

Note, that when you download a service pack for manual installation, it will check to make sure you have a valid copy of Windows. If you do, you can upgrade to the latest and greatest service pack. If you don't have a valid license, you can call Microsoft and see if they will sell you a license, or, if you are able to find somebody who still has an unused XP license, on a hologram sticker, buy it from them, then contact Microsoft about activating the OS with that Product Key.

If you want to learn how to disable Autorun manually, by editing your Windows Registry, read the article I wrote about disabling Autorun on January 22, 2009. People with XP SP 2 computers can use this technique to protect their computers, while they decide about upgrading to SP 3. If you do upgrade, all current Windows Updates are available to you.

If you are reading this on a Windows 7 PC, you are already protected from Autorun exploits. Your operating system has disabled that function, by default, from the day it was released. You would need to hack your Registry to turn Autorun on.

I hope this helps someone, somewhere.


June 13, 2011

Sometimes spamming does not pay!

You'd think that with the seemingly unstoppable flow of all types of spam, that it must pay fairly decently. It does, for the upper echelon of professional spammers and their top affiliates. But, not necessarily for the lower ranks or those engaging in spam on their own.

Still, paying (for spammers) or not, the spam flood continues. It seems like an impossible task for us little guys to do anything to stop it. But is it really impossible for individual spam recipients to fight back and stop it? Not in this case!

So begins my story, where this little guy was able to make a big difference against a determined spammer. The spam I'm writing about is not your usual type, although it may have also been delivered to others through more typical means. This type of spam is where domain owners, or hired agents post spam links to the websites they are "spamvertising" - in the access logs of innocent websites. This is known as "log spam." They do this in the hopes that these logs may be published for the World to see, and show up in search results for the spamvertised keywords.

Since I have owned domains I have read my access logs, both to see where traffic comes from, and to catch bad behavior before it gets out of control. During the early to mid 2000's, from about 2002 through 2006, it was very common to see spam comments and links posted to a website's access logs, from remote visitors. These visitors were not usually human, but were often automated scripts written to post spam links in the "REFERER" field (that is how it is misspelled in the Apache Server documentation) of typical web logs. The reason they did this was because many cheaply or freely hosted websites published those access logs as viewable by the public, by default.

Fast forward to 2011 and despite the fact that most websites, like mine, have only privately accessible logs, the people wanting to spamvertise their new, often unfriendly websites will employ every tactic available to them. Thus, the spammer who wanted to promote his two new websites decided to post REFERER spam to my access logs. At first this was just an oddity that caught my eye, as I perused the hundreds of lines of hits to my main site. However, I am not your typical Webmaster and I don't have a typical viewpoint for seeing things, with my trained eyes.

Over a period of two weeks I noticed a repeating pattern of obvious spam links for two domains, coming at a short, predictable interval, from two closely related IP addresses. The IP addresses led to a broadband ISP in Czechoslovakia. The websites they were promoting were hosted by a well known hosting company here, in the USA.

Read my extended comments for the rest of the story.

The spammer, who lives in Czechoslovakia and has a dynamic IP address assigned by his broadband ISP, posted spam links in the Referer field of my access logs, promoting two - now suspended domains, which were just registered a month or so earlier. The name of the domain Registrant was distinctly European and his residence was listed as being in Czechoslovakia. The ISP through which the spam script was being sent was in the same area, in Czechoslovakia.

I ran a Whois lookup on both of the spamvertised websites and on the IP of the sender. The websites were both hosted on the same server, managed by Hostgator, in Boca Raton, Florida. The domains were both registered to the same person, with a Czechoslovakian address and the same free email account, at Hotmail.
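The pattern described above (the same referer arriving over and over, from one or two neighbouring client addresses, at a short and regular interval) is easy to score automatically once the log is parsed. The following is an added example, not code from this blog: it parses constructed Apache combined-format log lines (addresses from the documentation ranges, referer domains under the reserved .invalid TLD) and reports referer hosts that show up repeatedly from few sources with a near-constant gap between hits. The thresholds are assumptions chosen for the example.

```python
"""Spot referer (log) spam in Apache combined-format access logs.

Added example, not code from the blog. The log lines are constructed; IPs
are from documentation ranges and the referer domains use the reserved
.invalid TLD. The signals scored are the ones the post describes.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample log (Apache "combined" format).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jun/2011:09:00:12 -0400] "GET /index.html HTTP/1.1" 200 5120 "http://www.example.com/links" "Mozilla/5.0"
198.51.100.7 - - [13/Jun/2011:09:03:40 -0400] "GET /blog.html HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Jun/2011:09:05:00 -0400] "GET / HTTP/1.1" 200 5120 "http://spamvertised-one.invalid/" "Mozilla/4.0"
192.0.2.10 - - [13/Jun/2011:09:15:00 -0400] "GET / HTTP/1.1" 200 5120 "http://spamvertised-one.invalid/" "Mozilla/4.0"
192.0.2.11 - - [13/Jun/2011:09:25:00 -0400] "GET / HTTP/1.1" 200 5120 "http://spamvertised-one.invalid/" "Mozilla/4.0"
203.0.113.5 - - [13/Jun/2011:09:31:55 -0400] "GET /about.html HTTP/1.1" 200 3120 "http://www.example.com/index.html" "Mozilla/5.0"
192.0.2.10 - - [13/Jun/2011:09:35:00 -0400] "GET / HTTP/1.1" 200 5120 "http://spamvertised-one.invalid/" "Mozilla/4.0"
192.0.2.11 - - [13/Jun/2011:09:45:00 -0400] "GET / HTTP/1.1" 200 5120 "http://spamvertised-one.invalid/" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
        rec["ref_host"] = urlsplit(rec["ref"]).hostname if rec["ref"] != "-" else None
        records.append(rec)
    return records


def referer_spam_report(records, min_hits=4, max_sources=2, max_cv=0.25):
    """Return referer hosts that look like log spam, with their evidence.

    A host is flagged when it appears at least `min_hits` times, from no more
    than `max_sources` client addresses, with a regular inter-arrival time
    (coefficient of variation of the gaps at or below `max_cv`).
    """
    by_host = defaultdict(list)
    for rec in records:
        if rec["ref_host"]:
            by_host[rec["ref_host"]].append(rec)

    flagged = {}
    for host, hits in by_host.items():
        if len(hits) < min_hits:
            continue
        sources = {h["ip"] for h in hits}
        if len(sources) > max_sources:
            continue
        times = sorted(h["ts"] for h in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
        if cv <= max_cv:
            flagged[host] = {
                "hits": len(hits),
                "sources": sorted(sources),
                "mean_gap_seconds": mean_gap,
            }
    return flagged


if __name__ == "__main__":
    for host, info in referer_spam_report(parse_log(SAMPLE_LOG)).items():
        print(host, info)
```

The flagged entry carries the hit count, the source addresses and the mean interval, which is the same evidence the post says to include in a complaint: the raw log excerpts show the activity was deliberate and ongoing, and the source IPs and referer domains give you the Whois records to look up.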

It was difficult to establish where to send complaints to the ISP in Czechoslovakia. They don't seem to have a functioning website, where one could find terms of service (being violated by this activity). Still, I found three email addresses and sent complaints to all of them. I provided excerpts from my raw access logs, which are important in establishing the fact that wrongdoing was intentional and ongoing.

I suspected that since these folks are Czechoslovakian, I had no right to assume that they can read English. In fact, even if they can, nothing was accomplished by my problem reports. The Referer spam continued unabated.

As a last resort, seeing as how I really, really dislike spammers of all kinds, I filed a spam report, showing all of my evidence and findings, with Hostgator, at 1:24 PM, on June 13, 2011. I didn't really expect them to take any action against the domain owner, since the spam came from a different IP and place in the world, but, what the heck, why not try?

Exactly one hour and one minute later I received two identical emails from a security Administrator at Hostgator, each stating the following:

Hello,

We have suspended the site. Thank you very much for bringing this to our attention.

Robert Metzger
Security Administrator
http://www.hostgator.com/

True enough, both spamvertised websites are now suspended; totally dark. The spammer who purchased the account will not receive a refund for his unused time, because he violated their terms of service (by spamming about the domains). In this case, spam did NOT pay! To the contrary, it cost him!

Hats off to Hostgator! They took the high road, saw my evidence, looked at it objectively, then took appropriate action. This is a fine Web Hosting company, which does not knowingly tolerate spamming, or exploit attacking of any kind, once they are notified about it (with proper documentation). This is the second time I have reported bad behavior by a Hostgator customer and the second time they have suspended those sites, almost instantly (in Internet time!).

The lesson for other Webmasters out there is this: if you are good people and use acceptable practices to promote your websites, you may thrive when others learn of your decency and honorable methods. If somebody tries to bounce spam links off of your logs or blogs, track them down, including their spamvertised domains, and report them to every possible person or company listed in the Whois, for both the sending IP and the domains listed in the Referer field. But, if you are a blackhat domain owner and you try to earn Brownie points by spamming my logs, or blogs, or contact forms, look out! I am coming for you, with legal authority behind me! And Hell is riding with me!


June 12, 2011

My Spam analysis & filter updates for the week of June 5-12, 2011

After an increase last week, this week's spam levels have decreased again. This yo-yo effect is possibly due to problems Bot Masters are having maintaining their spam botnets, in the face of strong pressure from Microsoft, the DOJ, FireEye and cooperation from law enforcement authorities in Russia. The various percentages of spam, by category, are listed in my extended comments.

Bot Masters, who send the orders and templates to the zombie spambots (robot agents on infected personal computers), depend on professional or newly recruited spammers to pay to rent the use of their botnets. Competition among botnet owners, dis-infection of botted PCs and interference from authorities tends to drive prices down for some services and up for others. These days, there seems to be more money to be made by renting out botnets for use in denial of service attacks, than for sending e-junk mail.

Despite fluctuations in volumes of junk email, spam is still going strong. It's not just nuisance messages you need to look out for. There are many critical security threats contained in attachments and links to exploit sites, which are designed to infect your computers with malware. Keyloggers, disguised as Flash upgrades, missing codecs, scanned documents, or resumes in attachments, silently log your keystrokes when you log into your online bank, or PayPal, or your website control panel, stealing your credentials, then your money or company secrets. Therefore, effective email protection is required to protect your computers, your money and your data. MailWasher Pro is the program I use to detect and delete spam and email-borne security threats. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

Over the past 7 days, spam for various types of garbage amounted to 26% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from June 5-12, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 26% (down 3% from last week)
Number of messages classified as spam: 98
Number classified by my custom spam filters: 96
Number and percentage of spam according to my custom blacklist: 1
Number classified as spam by the Bayesian Learning filter: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 7


The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 31.63%
Fake Viagra and Cialis: 24.49%
.BR, .CN, .RU Spam Domain Links: 11.22%
Pharmaceuticals: 8.16%
Male Enhancement scams: 6.12% (up 5% from last week)
Weight Loss Scams: 5.10% (down 7% from last week)
Known Spam [From]: 3.06%
Other Filters (with small individual percentages): 2.04%
Lottery scams: 2.04%
Nigerian 419 scams: 2.04%
Blocked Countries filter: 2.04%
DNS Blacklisted Servers: 1.02%
My Blacklist: 1.02%

This week I made 2 updates and/or additions to my custom filters:
Watches Spam,
Weight Loss Drugs.

I made 0 additions to my custom Blacklist this week.
There were no false positives last week. All filters behaved as intended. Note, that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.

If you are having trouble caused by excess volumes of spam email, and are not using an effective filter, why not try out MailWasher Pro? It sure works for me!


June 6, 2011

The Toledo Industrial Sewing Machines website is online

After months of preparation and one trip to Toledo, to take photographs, I have finally managed to get the initial version of the Toledo Industrial Sewing Machines website online. It has been quite a task, trying to catch the owner, Bob Kovar, in between him answering phone calls and setting up and repairing industrial sewing machines.

The business is located at 3631 Marine Road, near the airport, in Toledo, Ohio. The building is huge and is thoroughly polluted with industrial sewing machines. They are everywhere; on racks, tables, counters, and on the floor. If it's a sewing machine and built for professional use, they probably have it in stock! I'm talking bar tackers, sergers, walking foot machines, needle feed machines, zig-zaggers, button machines, tailors' machines, shoe patchers, cylinder arm machines, post machines, portable walking foot machines, and ... the entire line of Cowboy sewing equipment. They also have a huge stock of replacement parts, needles, bobbins, etc., and nylon thread, in sizes from #46 up to #346.

The website was primarily designed around the Cowboy brand machines, which are highly favored by professional and semi-pro leather crafters. These big leather stitchers are able to sew through 7/8 inch of veg-tan or bridle leather and are used to make holsters, halters, saddles, bridles, reins, dress, gun and weight belts, and all manner of cases, pouches, sheaths and leather bags.

I still have a lot more work to do on the website, but I invite you to go to www.tolindsewmach.com and take a look around. If you know somebody who needs an industrial sewing machine, or a big leather stitcher, tell them about Toledo Industrial Sewing Machines!

If you are looking for a Webmaster, please contact me! I have reasonable hourly rates.


Java Virtual Machine patch issued on June 7, 2011

Oracle, the new owner and maintainer of the Java Virtual Machine technology, will be releasing a new, patched version of Java on June 7, 2011. This "Critical" update is a collection of patches for multiple security vulnerabilities in Oracle Java SE. It contains 17 new security vulnerability fixes. All of these vulnerabilities may be remotely exploitable without authentication, that is, they may be exploited over a network without the need for a username and password. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply this Critical Patch as soon as possible (June 7 will do!).

A rating of "Critical," in new-speak, indicates that no direct user interaction is required for an exploit to take ownership of an attacked PC, if that PC is running unpatched versions of exploitable software. All that must occur is that the operator of the PC either clicks on a hostile link, or views a web page which has had hidden malicious redirection links embedded within hidden iframes, or which contains injected JavaScript redirection codes, or navigates to an infected network share (using an unpatched machine).

Once an innocent Netizen has been redirected to an attack site, numerous attack vectors will be tried, until one succeeds in downloading malware to that PC. To date, the most frequently exploited software which plugs into web browsers is the Java Virtual Machine.

You may or may not be aware that you have Java installed on your PC. If you do know, update it on June 7, 2011 and set the automatic check for updates to every day. You never know on what day Java updates will be issued. If you don't know if Java is installed, and it is, you are probably in greater danger than you can imagine. Read on...

According to the Oracle pre-release bulletin, all versions of Java for Windows, Solaris, and Linux prior to "JDK" (developers' version) and "JRE" (users' version) 6 Update 25 are vulnerable. The new patched version to be released on June 7 will be Java 6 Update 26.

You can find out if you have any version of Java installed on your PC, by visiting the "Do I Have Java" web page. When you click on the big button labeled: "Verify Java Version," a script will poll your computer for evidence of an installed Java Virtual Machine, known as the "Java Runtime Environment."

If you are using Firefox 4 or newer, and you see a yellow bar appear over that page, proclaiming that you need to install a missing plug-in, click on it and see if it tells you that you must install the Java Runtime Environment. If so, you do not have Java installed. Go on with your life in relative peace. Or, install the newest version, if you must.

If you do install, or upgrade your current installation (Java download page), to the latest version of Java (at that moment), go to Control Panel (Start > Control Panel), change the view to Classic, or Large Icons, rather than Category, then search out the icon for Java and open it. Find the Update tab and click on it. There, you can check for updates on the spot and also schedule future updates on your schedule. Since you never really know when these updates may be pushed out (unless you are on a security list), it's best to simply set the updater to check every day, at some time when the PC is usually on and not in sleep mode. If it misses a scheduled look-up, it will do one the next day.

In a study released on May 25, 2011, Microsoft revealed that after scanning over 420,000 PCs with Microsoft's free Safety Scanner, released on May 12, 20,097 infected machines were cleaned of malware, averaging 3.5 types per machine. Of those, 70% were infected by means of Java exploits.

Microsoft said that just two (already patched) holes in Java account for 85 percent of all Java attacks in the second half of 2010, when Java exploits exploded from 1 million in the first six months to 13 million in the second half of the year. This indicates that 5 percent of typical Windows users had infected machines and 70% of them had failed to keep up with already released Java updates.

So, be sure to check for the latest Java Runtime Environment or JDK update, to be released sometime on June 7, 2011. Then, set the updater to check automatically every day, just to be safe. Criminals only need to get it right once. You need to get it right all the time.

Keep a valid and up-to-date anti-malware program, from a major manufacturer, operating on all of your computers and make sure it is set to automatically check for updates as often as possible. I personally use and recommend Trend Micro Internet Security or Trend Micro Anti-Virus. Both have real time protection, frequent updates and definitions for brand new malware fingerprints in the cloud. Also, the Trend Micro Smart Protection Network blocks access to known infected web pages, many of which contain Java exploit attacks.

Stay safe and practice Safe Hex!


June 5, 2011

Adobe Flash Player patched for zero day vulnerabilities

On Sunday, June 5, 2011, while I was enjoying a steak dinner, Adobe was busy releasing critical patches for its ubiquitous Flash Player. The bulletin (APSB11-13), strangely rated as only "important," addresses CVE-2011-2107 and affects all operating systems and platforms, including smart phones.

A vulnerability has been identified in Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.22 and earlier versions for Android. This universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.

Note the last sentence in the blockquote, where it refers to malicious links in email messages. For the last two weeks I have been updating my custom MailWasher Pro spam filters to combat these very links. Spam email has been pumped out by rented botnets, pretending to come from Adobe, Skype and a filesharing program that is claimed to be an alternative for the now dead LimeWire system. All contain links to exploit websites, all of which are hosted on servers in China. The goal was to draft more innocent computers into spam botnets.

The Adobe scam claims to provide an urgent update for Adobe Flash, Acrobat and Reader software. Please believe me when I tell you that Adobe does NOT send out unsolicited email messages to the general public, announcing updates to its products.

The fact is that there were serious zero day, highly targeted attacks launched from China, disclosed last week by Google, exploiting a previously unpublished cross site scripting vulnerability in all versions of Adobe Flash. Kudos to the Adobe security team for rushing out patched versions so quickly.

Affected operating system platforms:
The Flash vulnerability patched on June 5 affects all of these platforms: Windows, Macintosh, Linux and Solaris computers/servers and Google Android hand held devices.

All known browsers are affected, but especially Internet Explorer, which uses an ActiveX version. In fact, IE got a newer version than Firefox and Opera: version 10.3.181.23 for ActiveX. The Flash plug-in for Firefox and Opera is version 10.3.181.22. Google has a special bundled version of Flash inside its Chrome browsers and has just released Google Chrome 11.0.696.77.

Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems are exploitable by the latest zero day attacks.

Android phone and tablet users will have their update available on or after the morning of June 6, 2011. All versions of Flash for Android up to 10.3.185.22 are vulnerable.

How to get your update for Adobe Flash.

All users of Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris can upgrade to the newest version by downloading it from the Adobe Flash Player Download Center. Windows users and users of Adobe Flash Player 10.3.181.16 for Macintosh can install the update via the auto-update mechanism within the product when prompted.

Windows users take note: You must upgrade Internet Explorer's ActiveX Flash, even if you use another browser as the default browser for your computer. Other programs and email clients may use that vulnerable Flash component. Then, update your Firefox, Opera and/or Chrome browsers, which use a different flavor of Flash. Don't forget to close them after the installation, to finish the upgrade.

Adobe Flash for Ubuntu is distributed by means of the Software Update Manager, in the form of a special package. Use your Update Manager every few days, or at least once a week, to check for and apply all available patches and updates, not just Flash.

After you update Flash in your browsers, restart them to complete the installation (you have to flush out the previous version which may have been in use). Then, visit the Adobe About Flash web page and verify that you have the latest version, as shown on that page.

If you encounter any problems upgrading Flash, or uninstalling previous versions, please visit the Adobe Flash troubleshooting page.
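As an added example (not the blog's own code, nor Oracle's or Adobe's), here is a small Python check that compares inventoried Java and Flash version strings against the vulnerable and patched version numbers given in this post and in the Java post above. The hostnames and inventory rows are constructed; the Android fixed build is not named on the page, so only its vulnerable bound is checked.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Last versions the bulletins discussed above state are vulnerable.
LAST_VULNERABLE: Dict[str, Version] = {
    "java":          (1, 6, 0, 25),     # JRE/JDK 6 Update 25 and earlier
    "flash-plugin":  (10, 3, 181, 16),  # Windows/Mac/Linux/Solaris plug-in
    "flash-activex": (10, 3, 181, 16),  # same bound, separate IE component
    "flash-android": (10, 3, 185, 22),
}
# Fixed builds the posts name (Android's fixed build is not given).
FIXED: Dict[str, Version] = {
    "java":          (1, 6, 0, 26),
    "flash-plugin":  (10, 3, 181, 22),
    "flash-activex": (10, 3, 181, 23),
}

_JAVA_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")
_FLASH_RE = re.compile(r"^(\d+)[.,](\d+)[.,](\d+)[.,](\d+)$")

def parse_version(product: str, text: str) -> Optional[Version]:
    """Turn '1.6.0_25' (java -version style) or '10.3.181.16' / '10,3,181,16'
    (About Flash page style) into a comparable tuple; None if unrecognised."""
    m = (_JAVA_RE if product == "java" else _FLASH_RE).match(text.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def classify(product: str, text: str) -> str:
    """'vulnerable', 'below-fixed', 'patched' or 'unparsed' for one install."""
    ver = parse_version(product, text)
    if ver is None:
        return "unparsed"
    if ver <= LAST_VULNERABLE[product]:
        return "vulnerable"
    fixed = FIXED.get(product)
    if fixed is not None and ver < fixed:
        return "below-fixed"  # past the bulletin's bound, but not the fixed build
    return "patched"

def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Rows are (host, product, version_text); machines needing action sort first."""
    rows = [(h, p, v, classify(p, v)) for h, p, v in inventory]
    order = {"vulnerable": 0, "below-fixed": 1, "unparsed": 2, "patched": 3}
    return sorted(rows, key=lambda r: (order[r[3]], r[0]))

# Constructed sample inventory (hypothetical hosts), as a helpdesk might collect it.
SAMPLE = [
    ("pc-01", "java", "1.6.0_25"),
    ("pc-01", "flash-activex", "10,3,181,23"),
    ("pc-02", "java", "1.6.0_26"),
    ("pc-02", "flash-plugin", "10.3.181.16"),
    ("pc-03", "flash-activex", "10.3.181.22"),  # plug-in build where ActiveX .23 is needed
    ("droid-1", "flash-android", "10.3.185.22"),
    ("pc-04", "java", "Java(TM) SE Runtime Environment"),
]

if __name__ == "__main__":
    for host, product, version, status in audit(SAMPLE):
        print(f"{host:8} {product:14} {version:32} {status}")
```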

Epilogue

Adobe Flash is one of the more frequently exploited pieces of software, behind the Java Virtual Machine, now owned by Oracle. Incidentally, Oracle is about to release a critical patch for Java. I'll let you know when it has been released. Make yourself aware of the dangers of running exploitable software and how to check each type for security updates and patches. If you stay in the loop regarding security news and software updates, your computers will remain more secure than if you let it slide and just hope it goes away.


My Spam analysis & filter updates for the week of May 29 - June 5, 2011

After two weeks in a row of reduced spam volumes, spam levels have increased again, as anticipated. Spam for imitation Viagra led counterfeit watches by a ~5% margin. This was followed by weight loss scams promoting the illegal sale of the controlled Schedule 4 drug: Phentermine. Spam for various pharmaceuticals and male enhancement scams had lower proportions than usual. I saw a lot of what appears to be French language spam, which I can't read, followed by fake Adobe and Skype upgrade exploit links and work at home scams.

Spam is still with us, along with security threats contained in scams and exploit email links, so, email protection is still needed as it will get worse again (it always ebbs and flows). MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 29% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from May 29 - June 5, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 29%; +6% from last week
Number of messages classified as spam: 127
Number classified by my custom spam filters: 116
Number classified as spam by my custom blacklist: 4
Number classified as spam by the Bayesian Learning filter: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 5
Number of spam messages seen, reported to SpamCop & manually deleted: 15


The order of spam categories, according to the highest percentages, is as follows:

Fake Viagra and Cialis: 28.00%
Counterfeit Watches: 23.20%
Weight Loss Scams: 12.80%
Pharmaceuticals: 9.60%
Known Spam [From]: 5.60%
Other Filters (with small individual percentages): 4.80%
DNS Blacklisted Servers: 4.00%
My Blacklist: 3.20%
Hidden ISO Subject: 2.40%
Exploit Link: 1.60%
Male Enhancement scams: 1.60%
Interact2 spammer: 1.60%
Work At Home scams: 1.60%

This week I made 3 updates and/or additions to my custom filters:
(New:) Fake Adobe Reader Link,
Skype Upgrade Scam,
"interact2" Spammer

I made 1 addition to my custom Blacklist:
[email protected]

There were no false positives last week. All filters behaved as intended. Note, that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.

If you are having trouble caused by excess volumes of spam email, and are not using an effective filter, why not try out MailWasher Pro? It sure works for me!


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.