February 27, 2012

Wiz's spam analysis for the week ending Feb 26, 2012

For the fourth week in a row my percentage of spam has remained around the 25% mark. This percentage is almost identical to the same period last year. Further, my total amount of email received was up about 12% from last week, as was the amount of spam.

This week, as last week, the highest percentage of spam was for fake pharmacies. Close behind was spam for fake casinos, then male enhancement scams, with replica watches in 4th place. The malware fraud category was much lower and covered four types of scams: BBB, NACHA and ACH lures, plus phony "Certified Account" membership termination warnings carrying attached .htm files whose JavaScript redirects to exploit kits.

I was kept busy updating my spam filters for MailWasher Pro, which is the program I use to intercept spam before I download it to my Windows Live Mail email client.

The following is my analysis of spam for the week of February 20 - 26, 2012.

These spam statistics are derived from MailWasher Pro, which is a POP3 email filtering program that runs on a Windows desktop. It intercepts all incoming email and analyzes it, based upon several factors, the most prominent of which are my own custom spam filters.

Overview
Total incoming email: 444 (12% more than last week)
Good mail: 332 (295 last week)
Classified as spam: 112 (100 last week)
Percentage rated spam: ~25%

Breakdown by category of spam

Fake (Canadian) pharmacies: 20.5% (20% last week)
Casino: 18.7% (18% last week)
Male Enhancement: 11.6% (4% last week)
Watches: 8.9% (12% last week)
URL Shortener spam links: 6.25% (2% last week)
Marked as Spam by MailWasher Pro: 5.3%
Diploma scams: 5.3%
Pirated software (.com.ua domains): 4.5% (8% last week)
Weight Loss: 2.7% (2% last week)
ACH, BBB, or NACHA malware links: 2.7% (15% last week)
Counterfeit goods: 1.8%
Other miscellaneous types of spam ~ 1% each: 11.75% (7% last week)

I made the following additions or updates to my custom MailWasher spam filters

Casino Spam (#1 for v 6.5.4),
Diploma Spam (plain body and RegExp body),
Known Spam [From],
Known Spam Subjects #4,
Male Enhancement [S],
URL Shortener Link,
Work At Home Scam #2

The following (single or wildcard) email addresses were added to my MailWasher Blacklist:

[email protected]
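To show concretely how a breakdown like the one above is produced, here is an added example in Python. It is not the author's published MailWasher filters and not MailWasher code; it applies the same idea (a wildcard blacklist consulted first, then ordered header and body regex filters, first match wins) to a few constructed sample messages and tallies the hits into per-category percentages of spam. Every address, domain and pattern in it is made up for illustration.

```python
import re
from fnmatch import fnmatch

# Constructed sample messages (not real mail from the post), in the shape
# MailWasher sees when it previews headers and a body snippet before download.
SAMPLE_MESSAGES = [
    {"from": "offers@pills-cheap.example", "subject": "Canadian Pharmacy: 80% off",
     "body": "viagra cialis best price"},
    {"from": "vip@lucky-casino.example", "subject": "Your $500 casino bonus",
     "body": "Download our casino software now"},
    {"from": "sales@replica-time.example", "subject": "Rolex replica watches",
     "body": "Swiss replica watches, free shipping"},
    {"from": "news@promo.example", "subject": "Your free iPhone voucher",
     "body": "Claim it here: http://bit.ly/abc123"},
    {"from": "alerts@bbb-notice.example", "subject": "BBB complaint case #1234",
     "body": "Details in the attached complaint.htm"},
    {"from": "friend@example.org", "subject": "Lunch tomorrow?",
     "body": "Are we still on for noon?"},
    {"from": "anything@spammer-domain.example", "subject": "hello", "body": "hi"},
]

# Wildcard blacklist entries of the kind MailWasher accepts (hypothetical domain).
BLACKLIST = ["*@spammer-domain.example"]

# Category filters: (category, header or body to test, regex). They are tried in
# order and the first match wins, which is what gives a one-category-per-message
# breakdown. Patterns are illustrative, not the author's published filters.
FILTERS = [
    ("Fake pharmacy", "subject", re.compile(r"canadian pharmacy|\b(viagra|cialis)\b", re.I)),
    ("Casino", "subject", re.compile(r"\bcasino\b", re.I)),
    ("Watches", "subject", re.compile(r"\b(rolex|replica)\b.*\bwatch", re.I)),
    ("URL shortener link", "body",
     re.compile(r"https?://(bit\.ly|tinyurl\.com|goo\.gl|t\.co)/\S+", re.I)),
    ("BBB/ACH/NACHA malware", "subject",
     re.compile(r"\b(BBB|ACH|NACHA)\b.*\b(complaint|transfer|transaction)\b", re.I)),
]


def classify(msg):
    """Return the spam category for msg, or None if it passes as good mail.
    The blacklist is consulted first, as MailWasher does, then the filters in order."""
    sender = msg["from"].lower()
    if any(fnmatch(sender, pattern.lower()) for pattern in BLACKLIST):
        return "Blacklisted"
    for category, field, regex in FILTERS:
        if regex.search(msg[field]):
            return category
    return None


def breakdown(messages):
    """Tally spam by category. Returns (total, good, spam, {category: % of spam})."""
    counts = {}
    for msg in messages:
        category = classify(msg)
        if category is not None:
            counts[category] = counts.get(category, 0) + 1
    spam = sum(counts.values())
    percentages = {c: round(100.0 * n / spam, 1) for c, n in counts.items()} if spam else {}
    return len(messages), len(messages) - spam, spam, percentages


if __name__ == "__main__":
    total, good, spam, pct = breakdown(SAMPLE_MESSAGES)
    print("Total incoming email: %d" % total)
    print("Good mail: %d" % good)
    print("Classified as spam: %d (~%d%%)" % (spam, round(100.0 * spam / total)))
    for category, share in sorted(pct.items(), key=lambda kv: -kv[1]):
        print("  %s: %s%%" % (category, share))
```

Filter order is the whole game: a message is counted once, under the first rule that fires, so broad rules (a generic "Marked as Spam" catch-all, for instance) belong at the bottom of the list or they swallow the categories you actually want to count.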

About MailWasher Pro
MailWasher Pro is a POP3 and IMAP email client spam filter. I publish filters for both the old and new versions of MailWasher Pro; the new version allows more lines of conditions per filter than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the MailWasher Pro website.


February 20, 2012

Wiz's spam analysis for the week ending Feb 19, 2012

For the third week in a row my percentage of spam has remained around the 25% mark. This is 9% less than the same period last year. The categories ranking highest have shifted again, as new spammers try their hand at the sucker trade.

This week, the highest percentage of spam went to fake pharmacies, most notably the resurrected so-called Canadian Pharmacy. That affiliate program died in 2010, but new Russian-based pharma-scam affiliate programs have sprouted up to take its place.

The second most spammed category was fake casinos, then malware attachment or link fraud, closely followed by replica watches. The malware fraud covered four types of scams: the BBB, NACHA (ACH fraud), the FDIC and malware JavaScript redirects to exploit kits in attached .htm files from spoofed Xerox Work Center scans.

The goal of these fraud messages is to draft victim computers into a spam botnet, as well as to install bank account stealing Trojans. One Trojan type now in the wild goes after documents instead: Office documents are stolen and uploaded to cloud servers, then gleaned for useful information or company secrets.

The following is my analysis of spam for the week of February 13 - 19, 2012.

These spam statistics are derived from MailWasher Pro, which is a POP3 email filtering program that runs on a Windows desktop. It intercepts all incoming email and analyzes it, based upon several factors, the most prominent of which are my own custom spam filters.

Overview
Total incoming email: 395
Good mail: 295
Classified as spam: 100
Percentage rated spam: ~25%

Breakdown by category of spam

Fake (Canadian) pharmacies: 20%
Casino: 18% (14.5% last week)
ACH, BBB, or FDIC malware links: 15% (2.7% last week)
Watches: 12% (23% last week)
.com.ua or .ru spam domains: 8% (4.5% last week)
Cialis: 6% (2.7% last week)
Male Enhancement: 4% (19% last week)
Weight Loss: 2% (7.2% last week)
Known spam domains: 2% (3.6% last week)
Known spam [From]: 2% (2.7% last week)
Fake Xerox Work Center Scans: 2%
URL Shortener spam links: 2%
Other miscellaneous types of spam ~ 1% each: 7% (12.23% last week)

I made the following additions or updates to my custom MailWasher spam filters

Casino Spam #2 (just Casino Spam for new version)
.RU .SU or .UA Spam Domain Link,
Known Spam Domains.
New Filter: Email Addresses 4 Sale
New filter: FDIC Fraud,
New Filter: NACHA Fraud

The following (single or wildcard) email addresses were added to my MailWasher Blacklist:

No additions this week


February 15, 2012

Oracle Java and Adobe Flash get critical updates on Feb 15, 2012

Hmmm, it's been a busy two days for updates. On February 14, 2012, Microsoft released its monthly handful of Windows updates and patches. Later that night, I discovered that Oracle had just pushed out a critical update for its Java virtual machine. One day later, on Feb 15, I discovered that Adobe had just released a patched version of its Flash Player (all versions).

All of these updates, from three software companies, are rated anywhere from "important" to "critical." I strongly advise my readers to update their Windows PCs with Windows Update, all operating systems with the Adobe updates, and, if you use Java at all, to get the Java update as well.

Java JRE Update of Feb 14, 2012

Oracle, the current owner and maintainer of Java technology, estimates that over 3 billion devices run its Java Virtual Machine. Java (not to be confused with JavaScript, which is a different language) is a powerful programming language whose programs run on a device, on a desktop, or, as applets, inside your browser. It is found in smart phones, tablets, computers and many other digital devices. The official website for distributing the consumer version of Java is fittingly called java.com.

For all of its fancy tricks and useful features, the devil lies in programming errors that have existed for a very long time, or which are introduced when other problems are patched. Java goes back to the mid-1990s. I used to run Java applet pets on my Windows 95 desktop, as far back as 1997. They were fun programs to play with and none of us thought that they could be used for evil purposes. Unfortunately, "we" were wrong.

For the last several years Java has been a primary target of the cyber-criminals who write exploit kits (like the infamous Russian Blackhole Exploit Kit) that attack computers through vulnerabilities the owners of those computers have not patched. The reason is that many people simply are not aware that Java is installed on their PCs and hence never think to update it. Older versions of Java, as far back as the 1.4 and 5 series, contain all kinds of coding errors that allow easy exploitation. To make matters worse, when people did upgrade to a newer version of Java, the old versions were not uninstalled! They were left intact, in their default folder locations, for an attacker to take advantage of simply by pointing at those versions' executables and .JAR files.


So, the first thing my readers need to do is see what versions of Java, if any, are installed, by visiting Java.com and clicking the "Do I have Java?" link. If you have the previous version installed, you should be able to update by opening your Windows Control Panel, (double) clicking the Java icon, going to the "Update" tab and clicking the "Update Now" button. Then open "Add/Remove Programs" (or the newer "Programs and Features") and uninstall all older versions of Java.

After you have updated Java, go to Control Panel (Windows), open the Java icon and click on the Update tab. Set the options to automatically check for updates every day, at a time the PC is normally on. One never knows when an update will be pushed out until it arrives. 'Tis far better to be safe than sorry when it comes to Java technology. The latest versions, released on February 14, 2012, are Java 6 Update 31 and, in the newer series, Java 7 Update 3.
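Checking for leftover older Java installs is something a technician would script rather than eyeball. The following Python example is added here (it is not Oracle's code and not the author's) to show that check: it parses JRE version strings of the form printed by `java -version`, compares each against the patched releases named above (6u31 and 7u3), and lists anything that should be uninstalled or updated. On Windows it enumerates the JRE subkeys under HKLM\SOFTWARE\JavaSoft\Java Runtime Environment, a layout assumed here from Oracle's installer; elsewhere it runs against a constructed sample list.

```python
import re
import sys

# Patched releases named in this post (Oracle's update of February 14, 2012):
# Java 6 Update 31 and Java 7 Update 3. Families not listed (1.4, 5) are end-of-life.
LATEST_UPDATE = {6: 31, 7: 3}

# Matches the '1.<family>.0_<update>' form printed by `java -version` and used for
# the JRE subkeys in the Registry; the update part is optional ('1.7.0' is update 0).
_VERSION_RX = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?$")

# Constructed sample of what a neglected PC might have installed side by side.
SAMPLE_INSTALLED = ["1.5.0_22", "1.6.0_29", "1.6.0_31", "1.7.0_02"]


def parse_java_version(version):
    """'1.6.0_31' -> (6, 31). Raises ValueError for strings that are not Java 1.x versions."""
    match = _VERSION_RX.match(version.strip())
    if not match:
        raise ValueError("not a Java 1.x version string: %r" % version)
    return int(match.group(1)), int(match.group(2) or 0)


def is_patched(version):
    """True only if the family is still supported and the update is at or past the fix."""
    family, update = parse_java_version(version)
    return family in LATEST_UPDATE and update >= LATEST_UPDATE[family]


def audit(installed):
    """Return the installed versions (sorted) that should be uninstalled or updated."""
    return sorted(v for v in installed if not is_patched(v))


def installed_from_registry():
    """Windows only. Enumerate JRE version subkeys under
    HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment in both the 32- and 64-bit
    Registry views (layout assumed from Oracle's installer; short alias keys such
    as '1.6' are skipped because they carry no update number)."""
    import winreg  # standard library, but only present on Windows
    path = r"SOFTWARE\JavaSoft\Java Runtime Environment"
    found = set()
    for view in (winreg.KEY_WOW64_32KEY, winreg.KEY_WOW64_64KEY):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, winreg.KEY_READ | view)
        except OSError:
            continue
        index = 0
        while True:
            try:
                name = winreg.EnumKey(key, index)
            except OSError:
                break
            index += 1
            if _VERSION_RX.match(name):
                found.add(name)
        winreg.CloseKey(key)
    return sorted(found)


if __name__ == "__main__":
    installed = installed_from_registry() if sys.platform == "win32" else SAMPLE_INSTALLED
    print("Installed JREs:", ", ".join(installed) or "(none found)")
    stale = audit(installed)
    print("Unpatched, remove or update:", ", ".join(stale) or "(none)")
```

Note that a family missing from LATEST_UPDATE is reported as unpatched no matter what its update number is, which is the right call for the 1.4 and 5 series: no update of those is safe to keep.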

Adobe Flash Updated

Adobe released a new version of its free Flash Player, on February 15, 2012, to patch at least 7 security holes, one of which is currently being used in zero-day exploits. The latest version for Windows, Mac, Linux and Solaris is 11.1.102.62.

Users of Android 4.x devices should update to Adobe Flash Player 11.1.115.6. Users of Android 3.x and earlier versions should update to Flash Player 11.1.111.6.

You can discover which version of Flash, if any, you have installed by visiting the Adobe About Flash page. To get the latest version of Flash for your devices, visit http://get.adobe.com/flashplayer. Do this for each device. If you use both Internet Explorer and Firefox, you'll need to get a different Flash Player for each browser: the IE version is an ActiveX control, which Firefox does not support, while Firefox uses the plug-in version.

If you use Google Chrome, you need to upgrade to the new version: 17.0.963.56, which includes an embedded Flash Player built specifically for the Chrome browsers. Get the latest version of Chrome by opening the browser, clicking on the Tools icon, then clicking on About Google Chrome. This displays the version details and launches a check for updates. If a newer version is available, it will be downloaded and installed while you watch.


February 14, 2012

PCs infected with DNS Changer to lose Internet connections on March 8, 2012

The Internet can be a very dangerous place to visit these days. There are more malicious software (malware) threats out there than you can shake a stick at. The DNS Changer Trojan is one that needs to be mentioned right now. If you own or use a PC infected with the most recent variation of DNS Changer, you may lose your ability to access the Internet on March 8, 2012.

What does DNS stand for?

DNS stands for Domain Name System. It is a distributed, hierarchical system of name servers (not routers; routers move packets, they do not resolve names) that translates the common name of a website you want to access into the numeric address assigned to the web server hosting that domain. Every website is hosted on a computer that has a numeric address, known as an IP address, assigned to it. A DNS lookup walks down that hierarchy, from the root servers to the top-level domain servers to the name servers authoritative for the domain, until it finds the record that gives the IP address for the name you are trying to reach.

For instance, my website, wizcrafts.net, is currently hosted on a web server belonging to Bluehost, with an assigned IP address of 66.147.244.184. Once that address is known, your request is routed from your home or business connection, through any required intermediaries, until it ends up in Utah, at the facility owned by the hosting company. There, the internal routers sort out which one of hundreds of servers in the facility is actually hosting my humble website. All this happens in the blink of an eye!

It's not just websites that use the DNS system. Your very own Internet connection is also part of that system. You get your Internet connection from a local Internet Service Provider (ISP), via a modem, Wi-Fi, a cellular network, or a hard-wired wide area network. Your connection has an IP address assigned to you by your ISP. When you browse the Web you normally use the DNS servers belonging to your ISP. These DNS servers answer your requests for websites and other Internet resources, asking the upstream name servers around the world for anything they do not already know.

When you connect to your ISP, their system assigns their primary and secondary (in case one fails) DNS servers to your connection, for use in accessing the Web. You trust those DNS servers to faithfully resolve your requests for the desired target websites and other resources (newsgroups, IRC, IM, email, ftp sites, online storage, etc.). But what if, somehow, those good DNS servers belonging to your ISP were replaced with rogue servers owned by cyber-criminals?

Hijacked DNS Settings

Cyber-criminals are always devising new ways to infect computers for monetary gain. One of the ways they have found to monetize infected PCs is by installing Trojans that bore into the software that controls the machine's Internet access and change the primary and secondary DNS servers it uses. Recently, acting on an international warrant from the US Department of Justice and the FBI, police authorities in Estonia arrested a group of conspirators (Rove Digital) who were operating a huge botnet of computers they had infected with the DNS Changer malware. Once installed, this malware sent every domain name lookup to DNS servers under the control of the Rove gang. In effect, they acted as middle-men for every Internet resource requested, and used the unwitting victims' browsers to register clicks on advertisements on intermediary landing pages under their control. They also set up phishing pages to steal login credentials to victims' bank and money market accounts.

Ghosts, Clicks and DNS Servers

The operation that resulted in the arrests in Estonia is known as Operation Ghost Click. Authorities in the USA and Europe seized the servers and routers belonging to the DNS Changer crime gang. Then they realized that they had a big problem on their hands. About 4 million infected PCs were still phoning home to the gang's DNS servers every time their owners accessed the Internet. Simply unplugging the servers at those IP addresses would have broken the Internet connectivity of 4 million DNS Changer victims at once. So a plan was devised: under a US court order, the rogue servers were replaced with clean DNS servers answering at the same IP addresses, which resolve names honestly and serve none of the criminals' advertising. These replacement servers are operated by the non-profit Internet Systems Consortium (ISC), not by the crooks.

Shutdown time is approaching

Unfortunately, in the first week of January 2012, the German Federal Office for Information Security (BSI) issued a press release reminding users that the replacement DNS servers are scheduled to be shut down on March 8, the date set by the US court order. When that happens, all PCs that are still infected with DNS Changer will be unable to browse the Internet, send or receive email, etc. This is because their requests to translate domain names into IP addresses will go to servers that no longer answer, so nothing is passed on to the rest of the DNS system. The link will be broken until the infected machines are disinfected and the correct DNS server details are set up.

Since the replacement servers are to be shut down on March 8, it would be a really good idea to check before then whether your computers (or routers) have been compromised by the DNS Changer malware. One easy way is to visit the security check site set up just for this purpose. It will tell you if your DNS servers are on the list of rogue servers. If they are, you need to update your security programs and scan with everything you've got. If you prefer to check by hand, run "ipconfig /all" at a command prompt and compare the addresses on the "DNS Servers" line with the rogue ranges listed further down in this article.

What you can do if infected

If you lose your ability to browse the Internet on March 8, 2012, run your (hopefully recently updated) anti-virus and anti-malware programs and scan for and remove any malware threats they recognize, but especially the DNS Changer Trojan. If DNS Changer was found on your computer(s) and the software that removed it also restored normal DNS settings, you should be good to go after the fight is over (scan, reboot, scan again, reboot, disable System Restore, etc.).

Manual restoration of DNS settings (messy)

But, in the event your security program removes the malware but fails to restore your Internet access, you'll need to roll up your sleeves and alter certain settings in your Windows Registry and maybe even the HOSTS file. One place to examine is the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (ControlSet001 is normally the same set; CurrentControlSet is the one in use). Its "DhcpNameServer" value holds the DNS servers your ISP's DHCP server handed out, and its "NameServer" value holds any manually set (static) servers, which take precedence over the DHCP ones, so check both. If "DhcpNameServer" shows 193.227.227.218, or either value shows an address inside the rogue ranges listed below, your PC is using a rogue DNS server that is soon to be shut down.

If those values are compromised, so are the per-adapter copies of the same values (with foreign IP addresses in them):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters "DhcpNameServer"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters "NameServer"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{adapter GUID} "DhcpNameServer"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{adapter GUID} "NameServer"

Here are the known hostile IP address ranges used by the DNS Changer malware (first and last usable address of each block):

64.28.176.1 - 64.28.191.254
67.210.0.1 - 67.210.15.254
77.67.83.1 - 77.67.83.254
85.255.112.1 - 85.255.127.254
93.188.160.1 - 93.188.167.254
213.109.64.1 - 213.109.79.254

Contact your ISP and ask for the IP addresses of its primary and secondary DNS servers. The cleanest fix is then to open the adapter's Internet Protocol Version 4 (TCP/IPv4) properties and select "Obtain DNS server address automatically" (or enter your ISP's addresses as the preferred and alternate servers), which rewrites those Registry values for you. Only if that does not stick should you edit the values directly, replacing the rogue entries with the correct IP addresses. Always export your Registry keys before altering them, just in case a typo makes matters even worse!
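Comparing addresses against those ranges by eye is error-prone, so here is an added Python example (not from the FBI, the author, or any vendor) that does it mechanically: it pulls the DNS server addresses out of `ipconfig /all` output (a constructed excerpt is embedded; on Windows, save the real output to a file and pass its name), expresses the ranges above as CIDR blocks, and reports which configured servers fall inside them. The single 193.227.227.218 address mentioned above lies outside those published ranges, so it is checked as its own entry.

```python
import ipaddress
import re
import sys

# The published rogue ranges from the list above, written as CIDR blocks
# (64.28.176.1-64.28.191.254 is 64.28.176.0/20, and so on).
ROGUE_NETWORKS = [ipaddress.ip_network(cidr) for cidr in (
    "64.28.176.0/20",
    "67.210.0.0/20",
    "77.67.83.0/24",
    "85.255.112.0/20",
    "93.188.160.0/21",
    "213.109.64.0/20",
)]

# The single address this article tells you to look for in DhcpNameServer. It is
# outside the ranges above, so it is checked on its own.
ROGUE_ADDRESSES = {"193.227.227.218"}

# Constructed `ipconfig /all` excerpt for a PC whose first DNS server is rogue and
# whose second is the home router. Not captured from a real machine.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.net
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.51
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

_IPV4_RX = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def dns_servers_from_ipconfig(text):
    """Collect the IPv4 addresses from the 'DNS Servers' entry of `ipconfig /all`.
    Windows prints the first server on the labelled line and any further servers
    on indented continuation lines that carry no 'label . . : value' separator."""
    servers, in_dns_block = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns_block = True
            servers.extend(_IPV4_RX.findall(line))
        elif in_dns_block and line.strip() and " : " not in line:
            servers.extend(_IPV4_RX.findall(line))   # continuation line
        else:
            in_dns_block = False
    return servers


def is_rogue(server):
    """True if the address is inside a DNS Changer range or is the listed single address."""
    if server in ROGUE_ADDRESSES:
        return True
    address = ipaddress.ip_address(server)
    return any(address in network for network in ROGUE_NETWORKS)


def check(servers):
    """Map each configured DNS server to True (rogue) or False (not on the list)."""
    return {server: is_rogue(server) for server in servers}


if __name__ == "__main__":
    # Usage on Windows:  ipconfig /all > ip.txt   then   python dnschanger_check.py ip.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IPCONFIG
    results = check(dns_servers_from_ipconfig(text))
    for server, rogue in results.items():
        print("%-16s %s" % (server, "ROGUE - DNS Changer" if rogue else "ok"))
    if not results:
        print("No DNS Servers entry found in the input")
```

Run it once before the cleanup and again after the reboot; a second server that is your router's LAN address is normal, but remember that the router itself can be hijacked too, which the last section of this article covers.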

Follow-up recommendation

It is probably also a good idea to flush your DNS cache and reset the TCP/IP stack. You do this by opening a Command window with Administrator privileges: Start > All Programs > Accessories, right-click "Command Prompt" and select "Run as Administrator" (just "Run as..." in XP). You may need to type in the password for the Administrator-level account. Then type these commands, pressing Enter after each one:

ipconfig /flushdns
netsh int ip reset

The "netsh int ip reset" command rewrites the TCP/IP Registry keys (including any static DNS entries) back to their defaults and needs a reboot to take effect. After the reboot, run "ipconfig /all" and confirm that the "DNS Servers" line now shows your ISP's servers.

The DNS Changer malware needs to be entirely removed in order to restore normal Internet operation. If the malware is still active it will reverse any Registry changes you make. It is probably also backed up in your System Restore points, so System Restore may need to be turned off while you disinfect the PC. If you lose your Internet connection and cannot update or run any security programs, the infected computers will need to be serviced offline by competent technicians or troubleshooters.

But wait, there's more!

One last thing you need to know is that some variations of the DNS Changer Trojan may have altered the DNS servers used in wired and wireless routers or router/modem combinations. You will need to look up the browser interface login details for any routers in use in your home or business, then log in with Admin credentials. Locate the configuration section that lists DNS servers and make sure they reflect those assigned by your ISP and not those listed in the DNS Changer details above. If the soon-to-be-shut-down DNS IP address (193.227.227.218), or any address in the rogue ranges, is listed, delete the value, save the change, then restart the router or refresh that page. It should then contact your ISP for the correct DNS servers and list them.

If you found hijacked DNS servers in your router, know that it happened because you were using the default login credentials or a very weak password. Assign a strong password, turn off remote administration, restart the router and check again to make sure you are now using the DNS servers assigned by your ISP!


February 12, 2012

Wiz's spam analysis for the week ending Feb 12, 2012

For the second week in a row my percentage of email spam is at about one quarter of all incoming mail. My total volume of email increased by 70 messages, from last week, with those deleted as spam increasing by 25.

For the second week in a row spam for replica watches (ripoffs of name brands) led the pack, with over 23%. All of the websites promoting these fake watches were hosted on Russian domains and are part of a Russian spam affiliate program.

The second most prevalent category of spam this week was promoting male enhancement pills. Casino (fake) spam took third place. It was just a few weeks ago that casino spam was the top category.

Missing entirely this week was spam for Russian brides and work at home scams. Those categories were heavily represented just a few weeks ago.

Also, spam leading to the Zeus banking Trojan through scams spoofing the BBB, ACH, the FDIC, or Intuit is way down this week. Many of the people running these scams are now under arrest, have warrants out for their arrest, or are under investigation by authorities in their own countries (all Eastern Europeans, Ukrainians and Russians).

The following is my analysis of spam for the week of February 6 - 12, 2012.

These spam statistics are derived from MailWasher Pro, which is a POP3 email filtering program that runs on a Windows desktop. It intercepts all incoming email and analyzes it, based upon several factors, the most prominent of which are my own custom spam filters.

Overview
Total incoming email: 415
Good mail: 305
Classified as spam: 110
Percentage rated spam: ~26%

Breakdown by category of spam

Watches: 23.6% (30% last week)
Male Enhancement: 19% (4.7% last week)
Casino: 14.5% (7% last week)
Diplomas: 7.2% (3.5% last week)
Weight Loss: 7.2% (3.5% last week)
Marked as Spam: 4.5% (2.3% last week)
.com.ua or .ru spam domains: 4.5%
Known spam domains: 3.6%
ACH or BBB malware links: 2.7% (same as last week)
Cialis: 2.7% (7% last week)
Known spam [From]: 2.7% (4.7% last week)
Viagra spam: 1.8%
Other miscellaneous types of spam ~ 1% each: 6% (12.23% last week)

I made the following additions or updates to my custom MailWasher spam filters

ACH Fraud,
Casino Spam #1,
Casino Spam #2,
Known Spam [From],
Re: or Fw: spam,
Work At Home Scam #2

The following (single or wildcard) email addresses were added to my MailWasher Blacklist:

No additions this week


February 5, 2012

Wiz's spam analysis for the week ending Feb 5, 2012

After several weeks of overall decline, my percentage of email spam has again decreased, this time by 4%, for the week ending February 5, 2012, to about 25% of my incoming email. My actual amount of email received, good and bad, was lower than the previous week, by about 54 messages. 85 messages were classified as spam, which is 43 less than the previous week.

The types of spam have drastically shifted over the past few weeks. Last week and several weeks before, Casino spam led the pack by a long shot (pun). These are scams asking you to download a suspicious executable to play their crappy games and lose your money and bank card details. Apparently, these scams are being shut down and what remains is small potatoes compared to two weeks ago.

The new leader in junk email is (...drum roll...) Fake/Replica Watches. These knockoffs are sold on Russian domains and websites hosted on compromised computers. The spam affiliates are about to learn that their primary spam portal for counterfeit goods is closing. Doh!

Interestingly, spam containing links to malware was way down, with just three email messages using URL shortener services to deliver payloads disguised as free tickets, vouchers and iPhones.

The following is my analysis of spam for the week of January 30, through February 5, 2012.

These spam statistics are derived from MailWasher Pro, which is a POP3 email filtering program that runs on a Windows desktop. It intercepts all incoming email and analyzes it, based upon several factors, the most prominent of which are my own custom spam filters.

Overview
Total incoming email from January 30 through Feb 5: 345
Good mail: 260
Classified as spam: 85
Percentage rated spam: ~25%

Breakdown by category of spam

Watches: 30.6%
Cialis: 7%
Casino: 7%
Blacklisted (my blacklist): 4.7%
Known spam "From": 4.7%
Male Enhancement: 4.7%
Pharma and Pills: 4.7%
Diplomas: 3.5%
URL Shortener Link: 3.5%
Weight Loss: 3.5%
Work at home Scam: 3.5%
Marked as Spam: 2.3%
Russian Bride: 2.3%
Nigerian 419 scams: 2.3%
Accented letters (foreign language): 2.3%
MailWasher "Language" filter: 1.17%
Other miscellaneous types of spam: 12.23%

I made the following additions or updates to my custom MailWasher spam filters

Diploma Spam [B regexp],
Nigerian 419 Scam #3,
Nigerian 419 Scam #6



About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is computer and website security. Wizcrafts Computer Services was established in 1996.


This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by Movable Type
