
December 27, 2011

How to install MBAM and Trend Micro Internet Security on same PC

This article is targeted at security-conscious people who have purchased Trend Micro security programs to protect their PCs and also want to keep an existing installation of Malwarebytes' Anti-Malware on those computers.

I am one of those people. I have a subscription for Trend Micro Titanium Anti-Virus and Malwarebytes' Anti-Malware (MBAM). I recently was notified that I was entitled to a free upgrade to version 2012 of Trend Micro, so I downloaded it from their website. Up to that point both programs were getting along just fine. Ah, but change awaited me.

The upgrade was a simple process that combines uninstalling the previous edition (2011) and installing the newer version (2012). After the uninstaller removes the previous version you are instructed to reboot. Here is where I encountered my first obstacle.

Privileges

I operate as a Windows 7 "Standard User" - which is similar to a Windows XP Pro Power User. That means I have more privileges than a "Limited User" - but less than an Administrator. I like it that way. This type of account reduces my chances of accidental exploitation to single digits (see my articles about privileges, here, here and here). It means that in order to install security programs, or any program requiring access to operating system files, I must use the "Run As Administrator" right-click option when installing such programs.

I was working inside my Standard User account when I received the notice about the free upgrade to Trend Micro 2012, so I ran the installer using Run As Administrator. The first step was to uninstall my existing version (2011) of Trend Micro Titanium, then reboot. Everything went fine until I rebooted into my Standard User account.

When I logged back into my Standard User account, on my Windows 7 PC, I saw no sign of Trend Micro in the System Tray (it was indeed uninstalled!). Task Manager showed no sign of it either. It was then that I remembered that when one uses Run As Administrator, one is granted a temporary "token" for elevated privileges, from the operating system's security manager. That token does not survive a reboot. The installer was sleeping in the background, like Rip Van Winkle. I knew I had to log out and go into my Administrator level account, to resume the installation.

This is where you really need to use an Admin account. It is one of the few times I have had to do so in the 7 months since I built my Windows 7 PC. As soon as I logged into the Administrator level account the Trend Micro installer opened and began doing its thing: unpacking files, displaying a license I had to agree with, then it displayed a box that really got my attention.


It told me that Malwarebytes Anti-Malware was discovered on the system and must be uninstalled before Trend Micro security was installed. There were two button options: Proceed and Cancel.

I soon learned that pressing Cancel meant cancelling the installation of Trend Micro, not the deinstallation of MBAM! With that in mind I followed this procedure to install the new version of Trend Micro 2012 and keep MBAM.

I re-ran the Trend Micro installer, allowing it to uninstall MBAM, then rebooted to complete the installation. I logged into my admin level account, rather than the Standard User account. I made sure that TMIS was up and running, with a Systray icon and working user interface. I then re-installed Malwarebytes Anti-Malware, updated it and ran it. Everything worked properly, so I logged out of the admin account and into the Standard User account and both Trend Micro and MBAM icons were present and fully functional. I have been able to run scans with both programs and neither complains about the other. They are finally playing nice.

Do the same thing with whatever brand of anti-virus you are installing. If it demands that you remove competing programs, let it do so. Reboot, then reinstall your favorite anti-malware bloodhounds (keep copies of your license codes, just in case you need to re-enter them after reinstalling your programs). I believe the combination of MBAM and TMIS is plenty of protection, especially when coupled with running with reduced user privileges. This makes a Windows PC a very small target for modern malware exploit vectors.

Don't feel smug though. A "Standard" or Power user can still be socially tricked into deliberately running a Trojan installer with elevated (Run As) privileges. That's why I keep the best security programs running in the background, just in case I screw up.

BTW: Malwarebytes Anti-Malware was just upgraded to version 1.60.0.1800, on December 27, 2011. Read about the improvements on my Malwarebytes' Anti-Malware page (download it from there also).


December 19, 2011

Four Reasons to Monitor Internet Usage

Takeaway:

Do you know what your employees are doing online, on company time? How can their online activities impact not just productivity, but also your company's bank accounts? Are you or your admins monitoring your employees' online activities to find out what they are doing that could negatively impact your company?

As an administrator or a security professional your job is greatly dependent on information. Both of these professions require that you stay on top of things and are always aware of what is going on throughout your network. There are different ways to acquire the information required to effectively do the job and to gather the type of information one is seeking.

By monitoring internet usage the following information can be ascertained:

  1. Internet Usage: This may be stating the obvious but information on internet usage is essential for an administrator and/or a security professional. With this information one can find out:
    • How much time users spend browsing
    • How much bandwidth is being consumed and for what
    • Which sites people are visiting the most.
  2. Policies adherence: A good Internet usage monitor will give you reports on which internet usage policies users have tried to breach, how often they have attempted to breach them, and how many users have attempted to breach these policies. This information can then be used to identify the reasons for these attempted breaches. Is it because the policy is too strict and it stops people from doing their job? This analysis can help identify any changes required to make the policy less restricting without compromising the underlying security reason for it. It could also be the case that people don't understand the reasons for a particular security policy so this would be the perfect opportunity to educate your users.
  3. Bandwidth: When you use an internet usage monitoring solution you can get a clear picture of which websites are eating up a lot of bandwidth and those users whose activity online is consuming excessive bandwidth. If your bandwidth is being used by employees who are streaming media that has no relevance to the business, you can proactively limit bandwidth use through quotas or by blocking certain sites altogether.
  4. Threats: It's very important to know if and when users try to access malicious sites, because if a sudden increase is seen it can be an indication that someone is either targeting your organization or some other security mechanism has failed - for example the anti-spam solution is no longer catching phishing emails and users are clicking on links which they should not. This information can also potentially pinpoint troublesome employees. If you see a user trying to access sites that are infected with Trojans and other malware it should raise a red flag and you should investigate why that user is accessing those sites.

With a good internet usage monitoring solution you can keep an eye on what is happening within your organization enabling you to be proactive on issues that you would otherwise not be aware of.

This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd and edited by Wiz Feinberg. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about why you need to monitor internet usage.

December 18, 2011

Spam and email threat analysis for the week ending Dec 18, 2011

This past week, I saw another consecutive 2% increase in my percentage of spam, vs legitimate email, bringing my spam percentage up to 26%. This week last year, my spam percentage was 47%. This year I am seeing just over half as much spam as in 2010.

As for email-borne malware threats, I received 11 messages leading to malware servers and none that carried malware in attached files. Of these malware threats, 7 spoofed NACHA and ACH pending bank transaction notices, 1 spoofed the BBB, 3 had fake query strings appended to files ending with a .htm extension. All of the above led to Russian crimeware exploit kits which use Java exploits to install either the Zeus or SpyEye banking Trojans, plus make those PCs members of spam botnets.

The balance of the incoming spam email was divided among the usual spam categories of pharmaceuticals, casinos, fake diplomas, replica watches, weight loss, and ridiculous Russian Bride dating scams, most of which had male names for the senders, but Russian female names in the message body (like "Olga from Russia, Moscow"). The grammar is absolutely horrible in those scams.

Top Spam Categories for the week ending on December 18, 2011:

These statistics were obtained from MailWasher Pro, an anti spam program that goes between email servers and your desktop email client.

The biggest category was my custom Blacklist, which automatically deleted 12 spam and scam email messages. The processing of the Blacklist precedes any custom filters, making it more efficient on the CPU than the filters. The Blacklist is loaded with the program. Any messages not containing a Blacklisted sender or domain are passed on to my custom spam filters.

Tied with the Blacklist was the Male Enhancement category, with 12 spam messages for useless enlargement products.

The lesser categories of spam are as follows:

Cialis accounted for 10 messages.

Pharmaceutical spam had 9 messages, all for fake Internet pharmacies.

Casino spam occupied 7 "slots" ;-)

My Russian Brides filter blocked 5 spams.

Replica Watches filter stopped 5 spams.

Weight loss HCG drops dropped 4 spam emails.

MailWasher's built-in learning filter correctly marked 4 emails as spam.

The remaining spam messages were for fake diplomas, URL shorteners, Russian and Ukrainian spam domains and some miscellaneous spam categories.



The following updates were made to my spam filters this week.

Base 64 Encoded Body,
Casino Spam.
New Filter: BBB Fraud.
New Filter: Fake Query String In Link (plus updated twice)

I made 0 additions to my custom blacklist (individual email addresses and wildcard Regular Expressions):


MailWasher Pro is a POP3 email client spam filter
I publish filters for both the old and new versions of MailWasher Pro. However, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the MailWasher Pro website.


December 14, 2011

MailWasher spam filter for links to .htm files with huge query strings

For the past week, I have been seeing and reporting (to SpamCop), scam email messages claiming to come from various financial agencies, or banks, with unusual links; all leading to malware servers. This is a continuation of the ACH, FDIC, etc., malware fraud that has been making the rounds for the past few months.

What's different about the links in these new scams is that they are HUGE! They all start out like any normal hyperlink, with a domain name and a particular file. But, appended to the end of the file name is a humongous "query string" (query strings begin with a question mark), containing multiple long groups of letters and numbers, separated by = signs. I have just analyzed one that has 214 alpha-numeric characters in the query string!

But, like octopus ink, things aren't always as they appear to be!

Being a Webmaster and web page writer, it didn't take me long to figure out that the file type that had the query string appended to it was not a valid active content file. Sure, it could possibly have been rigged to be such a file, like a php type, but these are not. They are Plain Jane simple html files, ending in the extension .htm. The .htm file type does not accept any query strings. If you append such a string of characters to it, the server will ignore them completely. All you see is the htm, or html file contents.

All of the rigged links I have traced are placed on compromised websites hosted on Apache web servers. The standard configuration of Apache web servers does NOT parse .htm, or .html files for active content. They are treated as "static" or flat files. No matter what the characters are that follow the file name and extension, the Apache servers where these links are pointing will ignore the phony query strings.

But, the .htm file type link in the scam emails is not where this story ends. The contents of each and every one I have analyzed contains a few simple lines of straightforward HTML code and an "iframe" (inline frame) - which imports a page hosted on a Russian website named csredret.ru (or variation thereof), containing a JavaScript array that leads to targeted attacks based on the brand of browser you are using and the installed plug-ins, especially unpatched versions of Java.

After seeing another such scam email link tonight, I decided to write a spam filter to detect this type of link. I named the filter: "Fake Query String In Link." The filter is for the anti-spam program MailWasher Pro.

First, here is a sample of the kind of link this article is referring to:


http://mtbtrforum(DOT)com/cxqud(DOT)htm?R2WG=8SSFNEH63Q53K575GB9UY1&96E=NDVRCCPYBA8MXYMK1B1CC7&PV3FM46=EU8T4XXL5&U9W=XLH3I5KPL377639HT9&WVDSSH0=64FCA8OGDFC&

MailWasher Pro has been available for 10 years now, and I have been using it that long. Some people are using the "old" version, which ended with version 6.5.4, in 2010. Others have moved up to the new version, which is now version 2012. I write spam filters for both the old and new versions. My MailWasher custom spam filters are here.

Filter codes UPDATED on Dec 15, 2011, at 3:30 PM EDT.

Here is my "Fake Query String In Link" spam filter for people using MailWasher Pro version 6.5.x:

[enabled],"Fake Query String In Link (Dangerous!)","Exploit Link",255,OR,Delete,Body,containsRE,"(?-i)http://.+\.[a-z]{2,4}/.+\.html?\?[A-Z0-9=&]+="

Here is the same filter written in XML format for people using MailWasher Pro versions 2011 or newer (you can set it to auto-delete if you wish):

<Filter Name="Fake Query String In Link (Dangerous Link!)" Enabled="True">
<Description>Exploit Link</Description>
<MatchAll>False</MatchAll>
<Rating>-200</Rating>
<Colour>#FFCC0098</Colour>
<TextColour>White</TextColour>
<AutoDelete>False</AutoDelete>
<HideEmail>False</HideEmail>
<HideEmailOption>All</HideEmailOption>
<Rule>
<Field>Body</Field>
<Operator>Contains</Operator>
<Type>RegEx</Type>
<Expression>(?-i)http://[a-z0-9]+\.[a-z]{2,4}(\.[a-z]{2,4})?/.+\.html?\?[A-Z0-9=&]+=</Expression>
</Rule>
</Filter>

These filters have already been added to my published custom spam filters, in both old and new formats. If you already use MailWasher Pro, you can download the format for your version of the program and either merge your own filters into it, or use it as is. Instructions are found on the landing page.
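
The two filter expressions above, run side by side in Python over constructed email bodies (an added example, not the author's code; the example.com and example.org links and the sample names are made up). It shows what the case-sensitive [A-Z0-9=&] class buys, one legitimate link shape that still matches, and that the two published expressions do not cover the same hostnames.

```python
import re

# Both expressions are copied from the filters above. MailWasher's leading
# "(?-i)" (force case-sensitive matching) is dropped because Python's re
# module is case-sensitive by default.
FILTER_V6 = re.compile(r"http://.+\.[a-z]{2,4}/.+\.html?\?[A-Z0-9=&]+=")
FILTER_2011 = re.compile(
    r"http://[a-z0-9]+\.[a-z]{2,4}(\.[a-z]{2,4})?/.+\.html?\?[A-Z0-9=&]+="
)


def refang(text):
    """Undo the "(DOT)" defanging used when such links are quoted in write-ups."""
    return text.replace("(DOT)", ".")


def classify(body):
    """Report which of the two filter expressions would flag this email body."""
    body = refang(body)
    return {
        "v6": FILTER_V6.search(body) is not None,
        "v2011": FILTER_2011.search(body) is not None,
    }


# Constructed sample bodies; none of these hosts or paths come from real mail.
SAMPLES = {
    # Static .htm page followed by an all-uppercase pseudo query string.
    "scam_bare": "Pending ACH transfer: "
                 "http://example.com/cxq.htm?R2WG=8SSF63Q&96E=NDVR&PV3=EU8T&",
    # The same link as it would appear defanged in a report.
    "scam_defanged": "Pending ACH transfer: "
                     "http://example(DOT)com/cxq(DOT)htm?R2WG=8SSF63Q&96E=NDVR&",
    # Same shape on a www. host: the 2011 expression allows only one label of
    # [a-z0-9]+ before the TLD, so "www.example.com" falls outside it.
    "scam_www": "Notice: http://www.example.com/cxq.htm?R2WG=8SSF63Q&96E=NDVR&",
    # Ordinary dynamic page: no .htm/.html before the "?", so no match.
    "legit_php": "Results: http://example.org/search.php?q=firewall",
    # Lowercase parameter names on a .html page: rejected by [A-Z0-9=&].
    "legit_lower": "Read: http://example.org/page.html?utm_source=newsletter",
    # Uppercase parameter name on a .html page: matches, a false positive to
    # expect when the filter is set to auto-delete.
    "legit_upper": "Read: http://example.org/page.html?ID=5",
}


def run_samples():
    """Classify every constructed sample; returns {name: {"v6":..., "v2011":...}}."""
    return {name: classify(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14} v6={verdict['v6']!s:5} v2011={verdict['v2011']!s:5}")
```
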

If you aren't using MailWasher Pro yet, but want to learn more about it, go to my MailWasher Pro program description page. You can read about it, download a trial version there, or buy into a subscription. I do make a small commission on sales through my links, which puts beer in the fridge occasionally!


If you don't use MailWasher Pro and still want some protection for your computers (against this particular Russian domain), you can edit a read-only, normally hidden system file with the name HOSTS (with no file extension!) - to include the following line of code:

127.0.0.1 csredret.ru

If you don't know about the tricks of editing and saving changes to the HOSTS file, use the links in the previous paragraph, or leave it alone.


I hope none of you have been tricked into clicking on one of these links, because the payload is very nasty. Your identity and bank accounts could be stolen by the Trojans downloaded by the scripts and attack kits hosted on the Russian malware server I listed earlier in this article. But, if you did, you should run a scan for malware using your up-to-date and updated security program or programs. If you are using Windows XP or newer, you may be able to salvage your system by running System Restore to a day or time before you clicked on the link.

If your security program is out-dated, or you have none at all, I use and recommend Trend Micro Internet Security and Malwarebytes Anti-Malware to secure my PCs.


December 13, 2011

Java updated to version 6 update 30, on December 12, 2011

Oracle, the current keeper of Java software, has released a new version to fix stability problems in previous versions and improve performance (see bug fix page). The new version's common name is Java 6 update 30. The official version number is actually 1.6.0_30-b12. If you have Java installed I recommend keeping it updated to the latest version, whenever Oracle releases one.

I often write about Java vulnerabilities being exploited by criminals who install exploit attack kits onto web servers under their control; mostly in the former Soviet Union. The number one exploit targets vulnerabilities in Java. In my last blog article I wrote a couple of paragraphs about how Java vulnerabilities are exploited to take over computers with no user interaction.

If you have Java installed on any of your PCs, it is important to check for updates and apply them as soon as possible. Windows PC users can check for updates by using the Control Panel Java applet's "Update" tab. On that tab there is a section where you can select automatic checking for updates on a schedule of your choice. Since Oracle doesn't seem to have any regular schedule for updating Java, I recommend setting the automatic checks to every day, at a time when the PC is turned on. The updater hides in the System Tray, by the clock, and only appears if there is an update available.

You can also check for Java updates manually, from the same Java applet icon in Control Panel. It is found on the Update tab page, as a button labeled Update Now. Use it to install the latest version, if you haven't already received notification by the auto-updater.

It is important that you uninstall all previous versions of Java, in order to protect your computers from exploits that target them by their default folder location. Use your Control Panel "Add/Remove Programs," or the Windows 7 "Programs and Features" icon, to get rid of all previous builds prior to the latest version. Reboot after you run all of the old Java uninstallers. Then, after you re-enter Windows, go to Start and click to open "(My) Computer" - then double-click on the C drive, then on Program Files, and look for the Java folder. Open it (double-click) and look for any leftover older Java version number folders and delete them manually. Keep in mind that the new current version, as of 12/12/2011, is version 6 build 30.

You can also check to see if you have Java installed on this page on Java.com. You can download the latest stable version of Java from java.com.

If your computers have Java installed (even an old insecure version), you can check to see if you have any insecure software installed, or are missing any Windows Updates, by using the Secunia Online Software Inspector. It uses Java to scan your computer for out-dated software and browser plug-ins, including Java, and provides download links to get the latest versions of those programs or plug-ins. I recommend scanning from Secunia once a week, just to be sure you are fully patched!


December 11, 2011

Adobe and Windows critical patches coming in mid-December and January

Adobe Systems has published an advisory announcing that they will be releasing an "out-of-band" patch, sometime during the week starting on December 12, 2011, for their Acrobat and Reader programs for Windows, version 9.4.6. This is in response to cyber criminals exploiting a critical vulnerability discovered in the code used by those related programs.

The same vulnerability being exploited in Reader 9.4.6 also exists in the newer version 10.1.1 of Adobe Reader X and Acrobat X. However, those programs operate by default in protected mode, which nullifies the exploit vector being targeted in the ongoing attacks. Nonetheless, Adobe has scheduled a security update for these newer versions, to be released on January 10, 2012. That update will apply to all supported platforms of Adobe Reader.

If you use the Foxit PDF reader, they have released a new version to respond to the same vulnerability as exists in Adobe's Reader (see Foxit security notice here). You can download the latest version (5.1.3) of Foxit from their website.

Microsoft is going to be releasing 14 patches on December 13, 2011. Be sure you check for these Windows Updates during the afternoon of this coming Patch Tuesday. You may or may not need all 14 patches, depending on your Windows operating system and installed Microsoft Office programs. If you use Windows XP, with SP 3, you are definitely going to get a lot of patches! If you haven't upgraded to SP 3, your PC is in extreme danger of takeover by numerous vulnerabilities that were patched, but require SP 3 to receive them.

Other software vulnerabilities being exploited in the wild this week include a critical flaw in Yahoo Messenger 11.5.0.152 and older. This happens to include the current version! The World waits with bated breath for Yahoo to respond with a patched update. The flaw allows hostile status update messages to be placed by hackers and criminals, with links to malware servers. The victims are unaware that their status message system is being used to trick other people on their Yahoo Messenger contact lists.

To protect themselves until a patch is released, Yahoo users should set their Yahoo Messenger to "ignore anyone who is not in your Yahoo! Contacts." That should keep you safe from being exploited by strangers, but you could still be tricked if one of your existing contacts gets hacked. Keep this in mind and check for updates regularly, via the Yahoo Messenger Help menu item.

Finally, Oracle's Java (not JavaScript) has been and still is the darling of exploit kit authors. It is the most successful attack vector in use today. If you have a vulnerable version of Java installed on your computer, it can be exploited without any user interaction, to completely take over control of your computer. It is imperative that if you have Java, it must be the latest version (currently version 6 Update 29), with no old versions left on your hard drives (old versions can still be targets). Go to java.com to ensure that you have the latest version installed (then uninstall any older versions!).

If you don't use Java for any mission critical purposes, consider uninstalling ALL versions of it. If you must use Java, set the updater to check automatically every week, or even daily, at a time when your PCs are normally on. Do this via the Windows Control Panel Java applet. Mac users should use the Apple Software Updater, while Linux users should use the built-in software updater for their version of Linux.

In case you are wondering who is to blame for all of the exploit kits targeting your computers, read this BBC article about Russian exploit kit programmers. Blame Rasputin!


Spam and email threat analysis for the week ending Dec 11, 2011

This past week, I had a 2% increase in my percentage of spam, vs legitimate email, bringing my spam percentage to 24%. This, coupled with the big decrease of last week, brings spam levels to the lowest this year. Much of this decline in spam has to do with the takedowns of several major spam botnets. It also has to do with spammers finding it more lucrative to use social networks to conduct their illicit business.

Overall, it was a quiet week, threat-wise. I only received 10 messages leading to malware servers and none that carried malware in attached files. Of these malware threats, 2 spoofed Bank Of America, 2 spoofed the BBB, 2 were fake contract links, 1 fake changelog, and 3 ACH or FDIC scams.

Although I didn't personally see any, I read that other security researchers and honeypots have captured spam email containing links to fake update notices for Adobe Acrobat and Reader and Adobe X Suite Advanced and fake "License keys" for Adobe InDesign. All of these led to the installation of Trojan Horse programs that steal banking credentials and force the infected machine to become part of a spam and attack botnet.

Please go directly to www.adobe.com (type it into your browser's address bar) to obtain any updates or licenses for Adobe products. Do not click on links in email messages. 99.99999% are fraudulent and lead to malware exploit kits.

Top Spam Categories for the week ending on December 11, 2011:

These statistics were obtained from MailWasher Pro, an anti spam program that goes between email servers and your desktop email client.

Interestingly, Turkish hosted online casinos were the top category of spam. I created some new rules for my MailWasher Pro spam filters to detect and delete the new Casino Spam. There were 15 casino spam messages.

The second biggest category was my custom Blacklist, which automatically deleted 14 spam and scam email messages. The processing of the Blacklist precedes any custom filters, making it more efficient on the CPU than the filters. The Blacklist is loaded with the program. Any messages not containing a Blacklisted sender or domain are passed on to my custom spam filters.

The lesser categories of spam are as follows:

Pharmaceutical spam had just 8 messages.

Male enhancement, Russian Brides and counterfeit watches each had 7 spam messages.

Cialis and Viagra accounted for 6 messages.

My Russian (.ru) domain filter blocked 5 spams.

Fake diplomas and unlicensed prescription drugs each had 4 spam emails.

The remaining 12 messages were for various types of spam offerings, from scams to weight loss berries and some URL shortener links to possibly dangerous destinations.



The following updates were made to my spam filters this week.

Casino Spam,
Diploma Spam [B regexp]
Money Mule Scam (#2 for v 6.x),
Unlicensed Prescription Drugs

I made 2 additions to my custom blacklist (individual email addresses and wildcard Regular Expressions):

[email protected]
[email protected]

MailWasher Pro is a POP3 email client spam filter
I publish filters for both the old and new versions of MailWasher Pro. However, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the MailWasher Pro website.


December 7, 2011

Access log "Referer" spam still happening through 2011

Takeaway:

I write about a lot of different types of spam, but one of the oldest, next to email and USENET, is spamming the "REFERER" field on a website's raw access logs. I have been seeing this form of spam for over a decade now.


What is a raw access log?

Websites are usually set up or configured to generate a text or graphical log of all visits to those sites (a.k.a: "hits"). These logs contain information that is useful to Webmasters of the websites. Graphical access logs use pie or column charts to show where the hits are coming from, who sent them to you, what details they were searching for and other useful facts about each request. A "raw access log" presents these details in plain text format, in space-separated groups.


Why would anybody want to spam a website's raw access logs?

Over a decade ago, spammers learned that some website owners, or free hosting companies, or individuals hosting their own web servers at home (usually against T.O.S) were actually publishing their raw access logs so that the owners could read them in a web browser, from anywhere they might be. Most of these published access logs are not password protected, meaning anybody anywhere can view them, if they know the location of those website log files. Since so many people do not understand website security at all, they leave configurations in a default state. This means that if their raw access logs are published, the folder location will be predictable, based upon the operating system of the web server. That web server is usually the Apache Web Server.

Thus, when spammers began seeing website raw access logs that were in default folder locations, on various web servers, they could read them in their browsers, as could anybody else in the World who reads that language. So, some enterprising S.O.B. came up with the brilliant idea of posting a request for some files on some websites, and they decided to include fake "referrer" details.


What is the referrer field in an Access log?

The referrer field is a section of an access log that tells the owner/maintainer of the website where each visitor came from, just before they came to your website. In other words, who referred them to you. This information is extremely valuable for learning who links to your web pages, or is writing about you, or has found your site by means of a search engine result.


What do spammers do to referrer fields to turn them into spam?

Instead of revealing the actual referring page location of the website that the visitor (human or machine) was visiting when they decided to come to yours, spammers use special web software programs to create whatever content they wish to present for the referer field. That special content usually takes the form of spammy links containing the names of illicit goods (illicit prescription drugs, counterfeit goods), or services (shady or illegal businesses).


Did I just misspell "referrer" as "referer?"

Nope. When the original Apache Web Server documentation was written, back in 1945, the scientists working on it accidentally misspelled the word Referrer as Referer. This misspelling has stayed with us to this very day!


Now, on to the rest of the details about Referer spam.

Most raw access logs contain the following details:


  • IP address of the visitor

  • Date and time of the requested resource

  • Method (GET, POST, HEAD, etc)

  • Requested Folder (just "/" means default index page)

  • Requested file name and extension

  • HTTP type (1.0 or 1.1)

  • Server Response Code (200=Okay, 403=Forbidden, 404=Not Found, 500=Oops - I broke it)

  • Size of file in bytes

  • REFERER (What this is all about.)

  • User Agent of the visitor (browser name and version and computer OS, search engine robot details, exploit tool, spambot)


When spammers post spam links in the faked Referer field as they visit your website, they are hoping against the odds that your hosting company is foolish enough to allow your access logs to be published without any credentials required to view the log. They (spammers) use cheap labor, or "bots," or automated web scripts to post spam links to as many websites as they have listed in their databases, which are sold on underground spam forums. Some spammers actually compile their own lists by searching for published raw access logs on Google, Yahoo, Bing and other search engines. Since those logs are publicly viewable, they are also detectable and index-able by search engine crawlers.
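Added example (not from the original article): a Python parser that splits Apache combined-format lines into the fields listed above and reports which client IPs sent spam-looking Referer values, so a webmaster can spot the pattern in their own logs. The keyword list, `OWN_HOST` and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"')
# Assumptions: illustrative keyword list and site host; tune both for your own logs.
SPAM_WORDS = re.compile(r'cialis|viagra|casino|replica|pharm|diploma', re.I)
OWN_HOST = "www.example.org"

def parse_line(line):
    """Return one log line's fields as a dict, or None if it is malformed."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None

def is_referer_spam(entry):
    """Flag an off-site Referer whose host, path or query carries a spam keyword."""
    ref = entry["referer"]
    if ref in ("", "-"):
        return False
    try:
        parts = urlsplit(ref)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed URL: fall back to scanning the raw string
        return bool(SPAM_WORDS.search(ref))
    if host == OWN_HOST:
        return False  # internal navigation
    return bool(SPAM_WORDS.search(f"{host}{parts.path}?{parts.query}"))

def spam_sources(lines):
    """Map each client IP to the set of spam Referer strings it sent."""
    hits = {}
    for line in lines:
        entry = parse_line(line)
        if entry and is_referer_spam(entry):
            hits.setdefault(entry["ip"], set()).add(entry["referer"])
    return hits

# Constructed sample lines (documentation IP ranges, invented hosts).
SAMPLE = [
    '203.0.113.7 - - [04/Dec/2011:10:01:22 -0500] "GET / HTTP/1.1" 200 5120 "http://cheap-replica-watches.example/" "Mozilla/4.0"',
    '198.51.100.23 - - [04/Dec/2011:10:02:10 -0500] "GET /blog/ HTTP/1.1" 200 20480 "http://www.google.com/search?q=wizcrafts" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Dec/2011:10:03:41 -0500] "GET /index.html HTTP/1.0" 200 5120 "http://online-casino.example/bonus" "Mozilla/4.0"',
    '192.0.2.55 - - [04/Dec/2011:10:04:00 -0500] "GET /about.html HTTP/1.1" 304 - "http://www.example.org/" "Mozilla/5.0"',
]
```

Calling `spam_sources(SAMPLE)` returns a single entry for 203.0.113.7 with both spam Referer strings; the search-engine and same-site referrers are not flagged.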


Take Action!

If you are a webmaster, or own a website, and your access logs are publicly viewable, without a username and password, learn how to either protect them from the public, or turn off their publication altogether. Spammers may continue to post spam links to your referer field, but nobody will see those links - which is how it should be. Do your part in denying an audience to spammers, no matter what type of spam they try to post.


Epilogue:

Whether spam is sent by email, or posted to Facebook, Twitter, or a blog, or an access log, it is still pure garbage. Most of it promotes dangerous illicit prescription drugs that are made in India and other countries in Asia, where the quality and content controls are lax, compared to those in the US and Canada and most other Western nations. Some log spam promotes counterfeit goods, pirated software, porn sites, online casinos, underground forums and ripoff sites hawking loans. Don't let your access logs assist spammers in their criminal pursuits!


December 4, 2011

Spam and email threat analysis for the week ending Dec 4, 2011

This week I saw a drop in my overall volume of email, but the percentage of spam actually declined by 2%, to 22%.

First place went to spam for the ridiculous Russian Bride scams. Second place went to spam for fake-replica name brand watches. Third place remained firmly in the grasp of male enhancement scams. Every other typical spam category paled compared to these three.

The other categories of spam last week were covered by casinos, Cialis, fake diplomas, weight loss drugs, NACHA failed deposit fraud and money mule job scams. If you have been reading my blog you know that the NACHA emails are all fraudulent and are meant to infect your computers with a bank account stealing Trojan and to draft it into a spam botnet.

Most of the online exploit attacks that succeed, like the NACHA and ACH fraud, do so by means of exploit kits that seek to compromise vulnerable versions of the Java Virtual Machine. Java is the #1 attack vector targeting users' web browsers. If you are using a non-current version of Java, or even have older versions in your Program Files directory, you are at great risk of being exploited. The exploits I refer to will place financial and auction account credential stealing Trojans on your computer, along with making it a zombie member of a spam botnet.

You can check to see if Java is installed on your Windows computers by going to Control Panel and looking for an icon named Java. If it is there, double click to open the control box, then click on the Update tab, then click the button to check for updates. Accept any updates to Java. Set the updater to automatically check every day, at a time when your PC is on. Next, use the Add/Remove Programs icon to look for older versions of Java and uninstall all but the newest version and build. Close and restart your browser to flush out any lingering out-dated version of Java.

If you don't need Java, or don't know if you need it, uninstall it completely and close the number one attack vector used by the BlackHole Exploit Kit.

The money mule scams have been covered in recent articles on my blog (search it for money mule). One is enticed by the promise of unrealistic wages for part time work at home. What the respondents don't usually know is that the ads and websites (for Rock Cruit Management, or Rock Smith Management) are placed by Russian cybercriminals. The jobs entail receiving and relaying either money stolen by Zeus or SpyEye Trojans, or goods bought on auction sites with stolen credit cards and PayPal accounts (The aforementioned Trojans also steal PayPal and eBay credentials).

In past weeks, Russian scammers were using Ukrainian registered domain names to hawk pirated software. This week, the stolen software messages are gone and have been replaced by spam for counterfeit name brand purses, glasses, shoes and watches. Virtually every other piece of email spam that contained a link led to a Russian registered website, ending in .RU.

I use a program called MailWasher Pro to prescreen all incoming email for unwanted content, or threats. The program makes use of several methods to detect and block spam. But, my favorite is the use of user-created spam filters. I write and publish my own custom MailWasher Pro spam filters. The current version of MailWasher Pro, as of this article, is version 2012, which was just introduced. My filters are written for both the new format and old format, 6.x of MailWasher, so all users can benefit from my spam filters.

The following updates were made to my spam filters this week.

Known Spam Subjects #4,

Money Mule Scam updated and split into 2 filters: Money Mule Scam #1 and Money Mule Scam #2 (split in version 6.x only. Updated in v 2011/2012);

Watches Spam updated and split into 2 new filters: [From or Subject] and [Body] (split in version 6.x only. Updated in v 2011/2012)

I made 0 additions to my custom blacklist (individual email addresses and wildcard Regular Expressions):

My Blacklist is working just fine; thank you!

MailWasher Pro is a POP3 email client spam filter
I publish filters for both the old and new versions of MailWasher Pro. However, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the MailWasher Pro website.


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.




This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.