<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>Wiz&apos;s Computer and Website Security Blog</title>
    <link rel="alternate" type="text/html" href="http://www.wizcrafts.net/blogs/" />
    <link rel="self" type="application/atom+xml" href="http://www.wizcrafts.net/blogs/atom.xml" />
   <id>tag:www.wizcrafts.net,2012:/blogs//1</id>
    <link rel="service.post" type="application/atom+xml" href="http://www.wizcrafts.net/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=1" title="Wiz's Computer and Website Security Blog" />
    <updated>2012-02-06T05:30:04Z</updated>
    <subtitle><![CDATA[Our blog deals with computer troubleshooting, vulnerability alerts, computer security, spyware &amp; virus removal tools, e-mail threats, anti-spam solutions and website security issues.]]></subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type 4.37</generator>
 

<entry>
    <title>Wiz&apos;s spam analysis for the week ending Feb 5, 2012</title>
    <link rel="alternate" type="text/html" href="http://www.wizcrafts.net/blogs/2012/02/wizs_spam_analysis_for_the_week_ending_feb_5_201.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.wizcrafts.net/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=1/entry_id=761" title="Wiz's spam analysis for the week ending Feb 5, 2012" />
    <id>tag:www.wizcrafts.net,2012:/blogs//1.761</id>
    
    <published>2012-02-06T04:42:45Z</published>
    <updated>2012-02-06T05:30:04Z</updated>
    
    <summary>After several weeks of overall decline, my percentage of email spam has again decreased, this time by 4%, for the week ending February 5, 2012, to about 25% of my incoming email. My actual amount of email received, good and bad, was lower than the previous week, as was the number of spam messages.</summary>
    <author>
        <name>Wiz</name>
        <uri>http://www.wizcrafts.net</uri>
    </author>
    
        <category term="Spam Issues" />
    
    <content type="html" xml:lang="en" xml:base="http://www.wizcrafts.net/blogs/">
        <![CDATA[<p>After several weeks of overall decline, my percentage of email spam has again decreased, this time by 4%, for the week ending February 5, 2012, to about 25% of my incoming email. My actual amount of email received, good and bad, was lower than the previous week, by about 54 messages. 85 messages were classified as spam, which is 43 fewer than the previous week. </p>

<p>The types of spam have drastically shifted over the past few weeks. Last week and several weeks before, Casino spam led the pack by a long shot (pun). These are scams asking you to download a suspicious executable to play their crappy games and lose your money and bank card details. Apparently, these scams are being shut down and what remains is small potatoes compared to two weeks ago.</p>

<p>The new leader in junk email is (...drum roll...) Fake/Replica Watches. These knockoffs are sold on Russian domains and websites hosted on compromised computers. The spam affiliates are about to learn that their <a href="http://krebsonsecurity.com/2012/01/glavmed-sister-program-glavtorg-to-close/" rel="external">primary spam portal for counterfeit goods is closing</a>. Doh!</p>

<p>Interestingly, spam containing links to malware was way down, with just three email messages using URL shortener services to deliver payloads disguised as free tickets, vouchers and iPhones.</p>

<p><strong>The following is my analysis of spam for the week of January 30, through February 5, 2012. </strong></p>]]>
        <![CDATA[<p>These spam statistics are derived from <a href="/mailwasher.html">MailWasher Pro</a>, which is a POP3 email filtering program that runs on a Windows desktop. It intercepts all incoming email and analyzes it, based upon several factors, the most prominent of which are my own <a href="/mwp-filters.html">custom spam filters</a>.</p>

<p><strong>Overview</strong><br />
Total incoming email from January 30 through Feb 5: 345<br />
Good mail: 260<br />
Classified as spam: 85<br />
Percentage rated spam: ~25%</p>

<p><strong>Breakdown by category of spam</strong><br />
<code><br />
Watches:                                30.6%<br />
Cialis:                                 7%<br />
Casino:                                 7%<br />
Blacklisted (<a href="/mwp-blacklist.html">my blacklist</a>):             4.7%<br />
Known spam "From":                      4.7%<br />
Male Enhancement:                       4.7%<br />
Pharma and Pills:                       4.7%<br />
Diplomas:                               3.5%<br />
URL Shortener Link:                     3.5%<br />
Weight Loss:                            3.5%<br />
Work at home Scam:                      3.5%<br />
Marked as Spam:                         2.3%<br />
Russian Bride:                          2.3%<br />
Nigerian 419 scams:                     2.3%<br />
Accented letters (foreign language):    2.3%<br />
MailWasher "Language" filter:           1.17%<br />
Other miscellaneous types of spam:      12.23%<br />
</code><br />
<strong>I made the following additions or updates to my <a href="/mwpf">custom MailWasher spam filters</a></strong><br />
<code><br />
Diploma Spam [B regexp], <br />
Nigerian 419 Scam #3,<br />
Nigerian 419 Scam #6 <br />
</code><br />
<!--strong>The following wildcard email address was added to my MailWasher Blacklist:</strong><br />
<code><br />
</code--></p>

<p><a title="I use and recommend MailWasher Pro as a spam filter for my POP3 email client." rel="external nofollow" href="http://fta.firetrust.com/index.cgi?id=1007&amp;page=1"><img width="113" height="125" border="0" style="float: left;" alt="MailWasher Pro is a POP3 and IMAP email client spam filter" src="http://www.firetrust.com/adverts/mailwasher_024.gif"/></a> I publish filters for both the old and new versions of MailWasher Pro. However, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the <a rel="external" href="http://fta.firetrust.com/index.cgi?id=1007&amp;page=1">MailWasher Pro website</a>.</p>]]>
    </content>
</entry>

<entry>
    <title>My spam analysis January 22 - 29, 2012</title>
    <link rel="alternate" type="text/html" href="http://www.wizcrafts.net/blogs/2012/01/my_spam_analysis_january_22_-_29_2012.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.wizcrafts.net/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=1/entry_id=760" title="My spam analysis January 22 - 29, 2012" />
    <id>tag:www.wizcrafts.net,2012:/blogs//1.760</id>
    
    <published>2012-01-29T19:12:20Z</published>
    <updated>2012-01-29T19:41:43Z</updated>
    
    <summary>For the third week in a row, the percentage of spam to all of my accounts has dropped. This time it decreased by 9% from last week, which is a significant decline and might signal a trend (one can only hope).</summary>
    <author>
        <name>Wiz</name>
        <uri>http://www.wizcrafts.net</uri>
    </author>
    
        <category term="Spam Issues" />
    
    <content type="html" xml:lang="en" xml:base="http://www.wizcrafts.net/blogs/">
        <![CDATA[<p>For the third week in a row, the percentage of spam to all of my accounts has dropped. This time it decreased by 9% from last week, which is a significant decline and might signal a trend (one can only hope).</p>

<p>My total email received this week is up by 81 from last week. But, the volume of spam only increased by 28 messages. I noticed a big increase (<em>pardon the pun</em>) in Male Enhancement pill scams and a slight increase in the amount of the phony "ClubVIP" Casino spam. </p>

<p>Happily, there was a significant drop in the number of spam messages containing links to malware. These scams typically pretend to be failed or pending ACH transaction notices from NACHA, or a bank. There have been some very significant arrests and naming of suspects who are behind many of the top botnets, including the KoobFace gang. Many of the persons named or arrested, or on the run, are Russian, Romanian and Ukrainian citizens who are responsible for installing banking Trojans onto victims' computers. My guess is that the remaining active bot masters are lying low right now, until the heat dies down.</p>

<p><strong>The following is my analysis of spam for the week of January 22, through 29, 2012. </strong></p>]]>
        <![CDATA[<p>These spam statistics are derived from <a href="/mailwasher.html">MailWasher Pro</a>, which is a POP3 email screening program that runs on a Windows desktop. It intercepts all incoming email and analyzes it, based upon several factors, the most prominent of which are my own <a href="/mwp-filters.html">custom spam filters</a>.</p>

<p><strong>Overview</strong><br />
Total incoming email from January 22 through 29 (about 2:30 PM EDT): 442<br />
Good mail: 314<br />
Classified as spam: 128<br />
Percentage rated spam: ~29%</p>

<p><strong>Breakdown by category of spam</strong></p>

<p><code><br />
Casino:			23%<br />
Male Enhancement: 	14%<br />
Watches: 		12.5%<br />
Pharma and Pills: 	10%<br />
Blacklisted (<a href="/mwp-blacklist.html">my blacklist</a>): 	7%<br />
Cialis:			6%<br />
Viagra:	                4.5%<br />
Marked as Spam:	        3%<br />
Weight Loss:	        3%<br />
.Ru, .Ua link:          3%<br />
.com.ua link:           2.5%<br />
Russian Bride:          2.5%<br />
Diplomas:               2.5%<br />
Blocked Country:        1.5%<br />
Software (pirated):     1.5%<br />
Exploit Link:           1.17%<br />
URL Shortener Link:     1.17%<br />
Work at home Scam:      1.16%<br />
</code><br />
<strong>I made the following additions or updates to my <a href="/mwpf">custom MailWasher filters</a></strong><br />
<code><br />
Casino Spam updated and split into #1 and #2, <br />
Casino Spam #2,  <br />
Known X-Mailer Spam, <br />
.RU or .UA Domain Link, <br />
Russian Sender, <br />
URL Shortener (Spam) Link,<br />
Work At Home Scam #1,<br />
Work At Home Scam #2 <br />
</code><br />
<!--strong>The following wildcard email address was added to my MailWasher Blacklist:</strong><br />
<code><br />
</code--></p>

<p><a title="I use and recommend MailWasher Pro as a spam filter for my POP3 email client." rel="external nofollow" href="http://fta.firetrust.com/index.cgi?id=1007&amp;page=1"><img width="113" height="125" border="0" style="float: left;" alt="MailWasher Pro is a POP3 and IMAP email client spam filter" src="http://www.firetrust.com/adverts/mailwasher_024.gif"/></a> I publish filters for both the old and new versions of MailWasher Pro. However, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the <a rel="external" href="http://fta.firetrust.com/index.cgi?id=1007&amp;page=1">MailWasher Pro website</a>.</p>]]>
    </content>
</entry>

<entry>
    <title>My spam analysis and threat assessment for 1/16-1/22, 2012</title>
    <link rel="alternate" type="text/html" href="http://www.wizcrafts.net/blogs/2012/01/my_spam_analysis_and_threat_assessment_for_116-1.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.wizcrafts.net/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=1/entry_id=759" title="My spam analysis and threat assessment for 1/16-1/22, 2012" />
    <id>tag:www.wizcrafts.net,2012:/blogs//1.759</id>
    
    <published>2012-01-22T19:44:28Z</published>
    <updated>2012-01-22T22:22:14Z</updated>
    
    <summary>After surging around January 1, my level of spam has shown signs of decreasing. It has dropped 2% from last week, making spam 38% of my total incoming email, from January 16 through 22, 2012.</summary>
    <author>
        <name>Wiz</name>
        <uri>http://www.wizcrafts.net</uri>
    </author>
    
        <category term="Spam Issues" />
    
    <content type="html" xml:lang="en" xml:base="http://www.wizcrafts.net/blogs/">
        <![CDATA[<p>After surging around January 1, my level of spam has shown signs of decreasing. It has dropped 2% from last week, making spam 38% of my total incoming email, from January 16 through 22, 2012.</p>

<p>In addition to the percentage drop, there was also a large drop in the actual number of messages classified as spam. In fact, I saw about 50% fewer spam email messages this week as compared to the previous week.</p>

<p>The email threats this week were mostly BBB Fraud, with links to fake complaint reports, which redirected to malware servers. There were also several miscellaneous scams with fake query strings appended to .htm files. These links lead to compromised websites and redirected to the Russian Blackhole Exploit Kit. People with JavaScript enabled and outdated versions of the Java Virtual Machine installed would be exploited silently. Their PCs would become members of a botnet and begin spewing out spam and DDoS attacks. Some of these exploits also install bank account stealing Trojans.</p>

<p><strong>The following is my analysis of spam for the week of January 16, through 22, 2012. </strong></p>]]>
        <![CDATA[<p>These spam statistics are derived from <a href="/mailwasher.html">MailWasher Pro</a>, which is a POP3 email screening program that runs on a Windows desktop. It intercepts all incoming email and analyzes it, based upon several factors, the most prominent of which are my own <a href="/mwp-filters.html">custom spam filters</a>.</p>

<p><strong>Overview</strong><br />
Total incoming email from January 16 through 22 (about 4 PM EDT): 361<br />
Good mail: 261<br />
Classified as spam: 100<br />
Percentage rated spam: ~38%</p>

<p><strong>Breakdown by category of spam</strong></p>

<p><code><br />
Casino spam:                                    17%<br />
Pharmaceuticals spam:                           13%<br />
Cialis:                                         12%<br />
Malware link with fake query strings appended:  10%<br />
Replica Watches:                                9%<br />
Fake diplomas:                                  8%<br />
Work at home scams:                             7%<br />
Blacklisted (<a href="/mwp-blacklist.html">my blacklist</a>):                 6%<br />
Learning filter classed as Spam:                5%<br />
Russian Bride scams:                            5%<br />
Nigerian 419 scams:                             3%<br />
Russian or Ukrainian spam domain links:         1%<br />
Male Enhancement scams:                         1%<br />
Miscellaneous other filters:                    3%<br />
</code><br />
<strong>I made the following additions or updates to my <a href="/mwpf">custom MailWasher filters</a></strong><br />
<code><br />
BBB Fraud,<br />
Casino Spam,<br />
Loans Spam,<br />
Work At Home Scam #1<br />
</code><br />
<strong>The following wildcard email address was added to my MailWasher Blacklist:</strong><br />
<code><br />
None added this week<br />
</code></p>

<p><a title="I use and recommend MailWasher Pro as a spam filter for my POP3 email client." rel="external nofollow" href="http://fta.firetrust.com/index.cgi?id=1007&amp;page=1"><img width="113" height="125" border="0" style="float: left;" alt="MailWasher Pro is a POP3 and IMAP email client spam filter" src="http://www.firetrust.com/adverts/mailwasher_024.gif"/></a> I publish filters for both the old and new versions of MailWasher Pro. However, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the <a rel="external" href="http://fta.firetrust.com/index.cgi?id=1007&amp;page=1">MailWasher Pro website</a>.</p>]]>
    </content>
</entry>

<entry>
    <title>My spam analysis and spam filter updates, for Jan 9 - 16, 2012</title>
    <link rel="alternate" type="text/html" href="http://www.wizcrafts.net/blogs/2012/01/my_spam_analysis_and_spam_filter_updates_for_jan.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.wizcrafts.net/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=1/entry_id=758" title="My spam analysis and spam filter updates, for Jan 9 - 16, 2012" />
    <id>tag:www.wizcrafts.net,2012:/blogs//1.758</id>
    
    <published>2012-01-16T20:23:56Z</published>
    <updated>2012-01-16T21:16:31Z</updated>
    
    <summary>I just compiled my spam statistics for the 2nd week of January, 2012 and found that spam accounted for about 40% of my incoming email. This is down 4% from the same period last year, but 1% higher than the previous week. </summary>
    <author>
        <name>Wiz</name>
        <uri>http://www.wizcrafts.net</uri>
    </author>
    
        <category term="Spam Issues" />
    
    <content type="html" xml:lang="en" xml:base="http://www.wizcrafts.net/blogs/">
        <![CDATA[<p>I just compiled my personal spam statistics for the 2nd week of January, 2012 and found that spam accounted for about 40% of my incoming email. This is down 4% from the same period last year, but 1% higher than the previous week. </p>

<p>The leading category by a long shot was for the fake ClubVIP Casino. There is no website with such a name, just a bunch of various recently registered domain names that all point to fake casino pages. As was the case last week, these casino pages display an image that is wrapped in a hyperlink, which leads to the downloading of a suspicious executable. Once you install that file, you will part with a lot more money than if you shot craps at a real casino.</p>

<p>The second highest spam category was for fake (replica) watches, followed by counterfeit Cialis and Viagra. All other categories had smaller percentages, as outlined in my extended comments.</p>

<p>These spam statistics are derived from <a href="/mailwasher.html">MailWasher Pro</a>, which is a POP3 email screening program that runs on a Windows desktop. It intercepts all incoming email and analyzes it, based upon several factors, the most prominent of which are my own <a href="/mwp-filters.html">custom spam filters</a>.</p>

<p>Total incoming email from January 9 through 16 (4 PM EDT): 516<br />
Good mail: 308<br />
Classified as spam: 208<br />
Percentage rated spam: 40.3%</p>]]>
        <![CDATA[<p><strong>Here is a breakdown of spam by category, for the week of January 9 through 16, 2012.</strong><br />
<code><br />
Casino spam:        24%<br />
Replica Watches:  15%<br />
Cialis and Viagra:  10%<br />
Fake diplomas:      7.54%<br />
Russian or Ukrainian spam domain links: 5.7%<br />
Work at home scams: 5.7%<br />
Pharmaceuticals spam: 4.8%<br />
Weight loss scams: 4.8%<br />
Miscellaneous other filters: 4.8%<br />
Learning filter classed as Spam: 3.8%<br />
Blacklisted (<a href="/mwp-blacklist.html">my blacklist</a>): 3.36%<br />
Unlicensed prescription drugs: 2.4%<br />
Known Spam Domains: 1.9%<br />
Russian Bride scams: 1.9%<br />
Nigerian 419 scams: 1.9%<br />
Male Enhancement scams: 1.44%<br />
Malware link with fake query strings appended: 0.96%<br />
</code><br />
<strong>I made the following additions or updates to my <a href="/mwpf">custom MailWasher filters</a></strong><br />
<code><br />
Counterfeit Goods,<br />
Diploma Spam [B plain text], <br />
Diploma Spam [B regexp], <br />
Known Spam Domains (trlvi.com), <br />
Male Enhancement [B], <br />
Nigerian 419 Scam #3 [S, F, R], <br />
URL Shortener (Spam) Link, <br />
Work At Home Scam #1<br />
</code><br />
<strong>The following wildcard email address was added to my MailWasher Blacklist:</strong><br />
<code><br />
+@potter.m.lawfirm.+<br />
</code></p>

<p><em>This wildcard account is being used by a persistent Nigerian 419 scammer and appeared in all of the 419 scams I received this week. The + sign in front of the @ means "anything"@potter.m.lawfirm plus any domain extensions (.com, .co.uk, etc).</em></p>
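<p>As an added illustration, not code from this post or from MailWasher itself, the following Python script reimplements the kind of rules described above and in the earlier weekly breakdowns: the wildcard sender blacklist entry, the "URL Shortener (Spam) Link" rule, the ".RU or .UA Domain Link" rule and the "malware link with fake query strings appended to .htm files" rule. The wildcard semantics (a "+" matches anything, as the note above describes), the list of shortener hosts and the four sample messages are my own assumptions and constructed inputs; they are not MailWasher's matching engine or real messages from this mailbox.</p>

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# ASSUMPTION: "+" is treated as "match anything", as the post describes for
# "+@potter.m.lawfirm.+". This is a hypothetical reimplementation, not
# MailWasher's own matching engine.
def wildcard_to_regex(pattern):
    """Turn a MailWasher-style wildcard ("+" = anything) into an anchored regex."""
    pieces = [re.escape(p) for p in pattern.split("+")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)

# The one wildcard entry the post says was added to the blacklist.
SENDER_BLACKLIST = ["+@potter.m.lawfirm.+"]

# ASSUMPTION: the post names no shortener hosts; these are illustrative.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "is.gd"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def classify(raw_message):
    """Return the rule names (in order of first hit) that fire on one RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []

    _, sender = parseaddr(msg.get("From", ""))
    if any(wildcard_to_regex(p).match(sender) for p in SENDER_BLACKLIST):
        hits.append("Blacklisted sender")

    # The samples are non-multipart, so get_payload() returns the body text.
    body = msg.get_payload()
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if host in URL_SHORTENERS:
            hits.append("URL Shortener Link")
        if host.endswith((".ru", ".ua")):
            hits.append(".RU or .UA Domain Link")
        # "fake query strings appended to .htm files"
        if parts.path.lower().endswith(".htm") and parts.query:
            hits.append("Malware link with fake query string")

    # de-duplicate while preserving first-hit order
    return list(dict.fromkeys(hits))


# Constructed sample messages (not real spam from the post's mailbox).
SAMPLE_419 = """From: "Barrister Potter" <james.potter@potter.m.lawfirm.co.uk>
Subject: Urgent business proposal

Dear friend, I am contacting you about an unclaimed inheritance.
"""

SAMPLE_BBB = """From: "Better Business Bureau" <noreply@example.com>
Subject: Complaint case 12345

Review the complaint at http://compromised-site.example/report.htm?id=7731&ref=bbb
"""

SAMPLE_VOUCHER = """From: promo@example.org
Subject: Your free iPhone voucher

Claim it here: http://bit.ly/abc123 or http://shop.example.ru/watches
"""

SAMPLE_GOOD = """From: alice@example.com
Subject: Lunch

See you at noon. Menu: http://www.example.com/menu.html
"""

if __name__ == "__main__":
    for name, sample in [("419", SAMPLE_419), ("BBB", SAMPLE_BBB),
                         ("voucher", SAMPLE_VOUCHER), ("good", SAMPLE_GOOD)]:
        print(name, "->", classify(sample) or "clean")
```

<p>The sender rule anchors the pattern at both ends so that <code>+@potter.m.lawfirm.+</code> matches any local part at that host with any suffix but not a look-alike such as <code>notpotter.m.lawfirm.com</code>; the link rules look only at the parsed host and path, so a shortener or a <code>.ru</code> host buried in an otherwise ordinary message still fires.</p>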

<p><a title="I use and recommend MailWasher Pro as a spam filter for my POP3 email client." rel="external nofollow" href="http://fta.firetrust.com/index.cgi?id=1007&amp;page=1"><img width="113" height="125" border="0" style="float: left;" alt="MailWasher Pro is a POP3 and IMAP email client spam filter" src="http://www.firetrust.com/adverts/mailwasher_024.gif"/></a> I publish filters for both the old and new versions of MailWasher Pro. However, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the <a rel="external" href="http://fta.firetrust.com/index.cgi?id=1007&amp;page=1">MailWasher Pro website</a>.</p>]]>
    </content>
</entry>

<entry>
    <title>Spam percentage continues to increase in 1st week of 2012</title>
    <link rel="alternate" type="text/html" href="http://www.wizcrafts.net/blogs/2012/01/spam_percentage_continues_to_increase_in_1st_wee.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.wizcrafts.net/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=1/entry_id=757" title="Spam percentage continues to increase in 1st week of 2012" />
    <id>tag:www.wizcrafts.net,2012:/blogs//1.757</id>
    
    <published>2012-01-08T19:20:56Z</published>
    <updated>2012-01-08T21:00:55Z</updated>
    
    <summary>For the second week in a row, my email spam percentage has exceeded the amounts recorded during the last quarter of 2011. At 39% it is 7% higher than the same period last year. I will review the various percentages of spam by category, as obtained from my anti-spam program, MailWasher Pro.</summary>
    <author>
        <name>Wiz</name>
        <uri>http://www.wizcrafts.net</uri>
    </author>
    
        <category term="Spam Issues" />
    
    <content type="html" xml:lang="en" xml:base="http://www.wizcrafts.net/blogs/">
        <![CDATA[<p>For the second week in a row, my email spam percentage has exceeded the amounts recorded during the last quarter of 2011. At 39% it is 7% higher than the same period last year. I will review the various percentages of spam by category, as obtained from my anti-spam program, <a href="/mailwasher.html">MailWasher Pro</a>.</p>

<p>For the last couple of weeks there has been a huge amount of spam for the ClubVIP Casino. The links in the email messages spamvertising this currently Romanian based casino use various domain names, all of which redirect to a server running on the Russian Nginx software. When a victim is enticed to click on a link to this casino, rather than arriving at an actual online casino (<em>currently hosted at <a href="http://whois.domaintools.com/89.136.223.126" rel="external">89.136.223.126</a></em>), all they see is an image that is a clickable link to a suspicious file download, currently named SetupClubVIP.exe. This file hooks into the Windows Kernel file, Kernel32.dll, where it can do whatever evil it was designed to do. I tried to have it analyzed at VirusTotal, but the Romanian server is blocking their efforts to download that file.</p>

<p>I would advise anybody who asks my opinion to stay away from this type of scam. Do not download suspicious files to your computer to play any online games. Above all else, make sure you have the very latest and up-to-date <a href="/mbam">anti-malware program</a> installed, to protect your PC, just in case you slip up.</p>

<p><strong>Now, on to the percentages of spam by category, for the week ending January 8, 2012.</strong></p>]]>
        <![CDATA[<p>The following categories and percentages of spam were obtained from the Statistics readout from the anti-spam program, <a href="http://fta.firetrust.com/index.cgi?id=1007&amp;page=1">MailWasher Pro</a>. I write and publish custom <a href="/mwp-filters.html">MailWasher spam filters</a> that detect and flag, or auto-delete any email spam matching the criteria in my spam filter rules.<br />
<code><br />
Percentage classified as spam: 39%; down 10% from last week, but way up from December<br />
Number of messages classified as spam: 148 <br />
Number classified by my custom spam filters: 139<br />
Number of spam messages caught by <a href="/mwp-blacklist.html">my custom blacklist</a>: 7<br />
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2<br />
Number of spam messages seen, reported to SpamCop &amp; manually deleted: 7<br />
</code><br />
<strong>The order of spam according to the highest percentages, is as follows:</strong><br />
<code><br />
Casino Spam: 31.08%<br />
Pharmaceuticals (other than Cialis or Viagra): 19.59%<br />
Diploma (fake documents) Spam: 10.81%<br />
Male Enhancement scams: 7.43%<br />
Cialis (counterfeit): 6.46%<br />
Blacklisted by my custom blacklist: 4.73%<br />
Russian Brides and Dating Scams: 4.05%<br />
Counterfeit/Replica Watches: 4.05%<br />
Other filters with small percentages: 3.38%<br />
Viagra (counterfeit): 2.70%<br />
Russian or Ukrainian Domain links: 2.70%<br />
419 (Nigerian) Scams: 1.35%<br />
DNS Blacklists: 1.35%<br />
</code><br />
<strong>Changes or additions to <a href="/mwp-filters.html">my custom MailWasher filters</a>:</strong><br />
<code><br />
Nigerian 419 Scam #3<br />
Pump and Dump Scam<br />
</code></p>

<p><a title="I use and recommend MailWasher Pro as a spam filter for my POP3 email client." rel="external nofollow" href="http://fta.firetrust.com/index.cgi?id=1007&amp;page=1"><img width="113" height="125" border="0" style="float: left;" alt="MailWasher Pro is a POP3 and IMAP email client spam filter" src="http://www.firetrust.com/adverts/mailwasher_024.gif"/></a> I publish filters for both the old and new versions of MailWasher Pro. However, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the <a rel="external" href="http://fta.firetrust.com/index.cgi?id=1007&amp;page=1">MailWasher Pro website</a>.</p>]]>
    </content>
</entry>

<entry>
    <title>My end of 2011 spam analysis</title>
    <link rel="alternate" type="text/html" href="http://www.wizcrafts.net/blogs/2012/01/my_end_of_2011_spam_analysis.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.wizcrafts.net/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=1/entry_id=756" title="My end of 2011 spam analysis" />
    <id>tag:www.wizcrafts.net,2012:/blogs//1.756</id>
    
    <published>2012-01-02T05:03:08Z</published>
    <updated>2012-01-02T05:29:39Z</updated>
    
    <summary>Here it is, New Years day, 2012 and I have just analyzed my email statistics for the past 9 days. After being down for months, spam levels have returned to last year&apos;s level of 49%, from Dec 23, through Jan 1. Spammers have indeed ended 2011 with a bang!</summary>
    <author>
        <name>Wiz</name>
        <uri>http://www.wizcrafts.net</uri>
    </author>
    
        <category term="Spam Issues" />
    
    <content type="html" xml:lang="en" xml:base="http://www.wizcrafts.net/blogs/">
        <![CDATA[<p>Here it is, New Year's Day, 2012 and I have just analyzed my email statistics for the past 9 days. After being down for months, spam levels have returned to last year's level of 49%, from Dec 23, through Jan 1. Spammers have indeed ended 2011 with a bang!</p>

<p>After some reading from my security sources blogs, I have learned that most of this spam blast over the last week+ was spewed out by one of the few remaining big botnets: the Cutwail Botnet. This botnet, like most of the others already taken down this year, is based in Russia. The Russian Bot Master may have just been fingered by Brian Krebs, in his "<a href="http://krebsonsecurity.com/2012/01/pharma-wars-google-the-cutwail-botmaster/" rel="external">Pharma Wars</a>" article posted on Jan 1, 2012.</p>

<p>The top categories of products and services being spammed the most over the last 9 days were for casinos, male enhancement gimmicks and various illicit pharmaceuticals sold from fake Internet pharmacies.</p>

<p>Lesser categories of spam included replica watches, fake diplomas, Russian dating and bride scams, Nigerian 419 scams and a few malware links to Russian exploit kits. I even got some unreadable spam in the Russian language and character set iso-1251.</p>

<p>As for totals, from December 23, 2011, through January 1, 2012, of the 339 messages I received, 169 were classified as spam, equaling 49% of all email for that period. This is exactly the same percentage of spam from the same time period last year.</p>]]>
        <![CDATA[<p>I obtain my spam statistics from my anti-spam program: <a href="/mailwasher.html">MailWasher Pro</a>. This program sits on my desktop and inspects all email before I download it to Windows Live Mail (formerly Outlook Express). MailWasher uses a combination of tactics to determine if any email is spam, then either flags it as spam, for manual review and deletion, or follows my own spam filter rules and deletes it automatically.</p>

<p>I write my own spam filters for MailWasher Pro and publish them on my <a href="/mwp-filters.html">MailWasher Pro Custom Filters</a> page. Any changes or updates to my filters are noted on that page. The most recent changes this past week were as follows.</p>

<p>Changes or additions to my MailWasher spam filters:<br />
<b><br />
Loans,<br />
URL Shortener spam links<br />
</b><br />
<a title="We use and recommend MailWasher Pro, as a spam filter for your POP3 email client." rel="external nofollow" href="http://fta.firetrust.com/index.cgi?id=1007&amp;page=1"><img width="113" height="125" border="0" style="float: left;" alt="MailWasher Pro is a POP3 email client spam filter" src="http://www.firetrust.com/adverts/mailwasher_024.gif"/></a> I publish filters for both the old and new versions of MailWasher Pro. However, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the <a rel="external" href="http://fta.firetrust.com/index.cgi?id=1007&amp;page=1">MailWasher Pro website</a>.</p>]]>
    </content>
</entry>

<entry>
    <title>How to install MBAM and Trend Micro Internet Security on same PC</title>
    <link rel="alternate" type="text/html" href="http://www.wizcrafts.net/blogs/2011/12/how_to_install_mbam_and_trend_micro_internet_sec.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.wizcrafts.net/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=1/entry_id=755" title="How to install MBAM and Trend Micro Internet Security on same PC" />
    <id>tag:www.wizcrafts.net,2011:/blogs//1.755</id>
    
    <published>2011-12-28T04:18:18Z</published>
    <updated>2011-12-28T06:46:29Z</updated>
    
    <summary>This article is targeted at security-conscious people who have purchased Trend Micro security programs to protect their PCs and also want to keep an existing installation of Malwarebytes&apos; Anti-Malware on those computers.</summary>
    <author>
        <name>Wiz</name>
        <uri>http://www.wizcrafts.net</uri>
    </author>
    
        <category term="Technical Articles" />
    
    <content type="html" xml:lang="en" xml:base="http://www.wizcrafts.net/blogs/">
        <![CDATA[<p>This article is targeted at security-conscious people who have purchased Trend Micro security programs to protect their PCs and also want to keep an existing installation of Malwarebytes' Anti-Malware on those computers.</p>

<p>I am one of those people. I have a subscription for <a href="/tmis">Trend Micro Titanium Anti-Virus</a> and Malwarebytes' Anti-Malware (<a href="/mbam">MBAM</a>). I recently was notified that I was entitled to a free upgrade to version 2012 of Trend Micro, so I downloaded it from their website. Up to that point both programs were getting along just fine. Ah, but change awaited me.</p>

<p>The upgrade was a simple process that combines uninstalling the previous edition (2011) and installing the newer version (2012). After the uninstaller removes the previous version you are instructed to reboot. Here is where I encountered my first obstacle.</p>

<p><strong>Privileges</strong></p>

<p>I operate as a Windows 7 "Standard User" - which is similar to a Windows XP Pro Power User. That means I have more privileges than a "Limited User" - but less than an Administrator. I like it that way. This type of account reduces my chances of accidental exploitation to single digits (<em>see my articles about privileges, <a href="http://www.wizcrafts.net/blogs/2009/02/running_a_pc_with_reduced_user_privileges_stops_92_of_malware.html">here</a>, <a href="http://www.wizcrafts.net/blogs/2006/08/limited_user_privileges_protec.html">here</a> and <a href="http://www.wizcrafts.net/ans/privileges.html">here</a></em>). It means that in order to install security programs, or any program requiring access to operating system files, I must use the "Run As Administrator" right-click option when installing such programs.</p>

<p>I was working inside my Standard User account when I received the notice about the free upgrade to Trend Micro 2012, so I ran the installer using Run As Administrator. The first step was to uninstall my existing version (2011) of Trend Micro Titanium, then reboot. Everything went fine until I rebooted into my Standard User account.</p>]]>
        <![CDATA[<p>When I logged back into my Standard User account, on my Windows 7 PC, I saw no sign of Trend Micro in the System Tray (it was indeed uninstalled!). Task Manager showed no sign of it either. It was then that I remembered that when one uses Run As Administrator, one is granted a temporary "token" for elevated privileges, from the operating system's security manager. <em>That token does not survive a reboot</em>. The installer was sleeping in the background, like Rip Van Winkle. I knew I had to log out and go into my Administrator level account, to resume the installation.</p>

<p>This is where you really need to use an Admin account. It is one of the few times I have had to do so in the 7 months since I built my Windows 7 PC. As soon as I logged into the Administrator level account the Trend Micro installer opened and began doing its thing: unpacking files, displaying a license I had to agree with, then it displayed a box that really got my attention.</p>
<blockquote>
<em>It told me that Malwarebytes Anti-Malware was discovered on the system and <u>must</u> be uninstalled before Trend Micro security was installed. There were two button options: Proceed and Cancel.</em>
</blockquote>
<p>I soon learned that pressing Cancel meant cancelling the installation of Trend Micro, not the deinstallation of MBAM! With that in mind I followed this procedure to install the new version of Trend Micro 2012 and keep MBAM.</p>

<p>I re-ran the Trend Micro installer, allowing it to uninstall MBAM, then rebooted to complete the installation. I logged into my admin level account, rather than the Standard User account. I made sure that TMIS was up and running, with a Systray icon and working user interface. I then re-installed Malwarebytes Anti-Malware, updated it and ran it. Everything worked properly, so I logged out of the admin account and into the Standard User account and both Trend Micro and MBAM icons were present and fully functional. I have been able to run scans with both programs and neither complains about the other. They are finally playing nice.</p>

<p>Do the same thing with whatever brand of anti-virus you are installing. If it demands that you remove competing programs, let it do so. Reboot, then reinstall your favorite anti-malware bloodhounds (<em>keep copies of your license codes, just in case you need to re-enter them after reinstalling your programs</em>). I believe the combination of MBAM and TMIS is plenty of protection, especially when coupled with running with reduced user privileges. This makes a Windows PC a very small target for modern malware exploit vectors.</p>

<p>Don't feel smug though. A "Standard" or Power user can still be socially tricked into deliberately running a Trojan installer with elevated (Run As) privileges. That's why I keep the best security programs running in the background, just in case I screw up.</p>

<p>BTW: Malwarebytes Anti-Malware was just upgraded to version 1.60.0.1800, on December 27, 2011. Read about the improvements on <a href="/malwarebytes.html">my Malwarebytes' Anti-Malware page</a> (download it from there also).</p>]]>
    </content>
</entry>

<entry>
    <title>Four Reasons to Monitor Internet Usage </title>
    <link rel="alternate" type="text/html" href="http://www.wizcrafts.net/blogs/2011/12/four_reasons_to_monitor_internet_usage.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.wizcrafts.net/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=1/entry_id=754" title="Four Reasons to Monitor Internet Usage " />
    <id>tag:www.wizcrafts.net,2011:/blogs//1.754</id>
    
    <published>2011-12-19T16:43:19Z</published>
    <updated>2011-12-19T17:08:51Z</updated>
    
    <summary>Do you know what your employees are doing online, on company time? How can their online activities impact not just productivity, but also your company&apos;s bank accounts? As an administrator or a security professional your job is greatly dependent on information...</summary>
    <author>
        <name>Wiz</name>
        <uri>http://www.wizcrafts.net</uri>
    </author>
    
        <category term="General Topics" />
    
    <content type="html" xml:lang="en" xml:base="http://www.wizcrafts.net/blogs/">
        <![CDATA[<p><strong>Takeaway:</strong></p>
<p><em>Do you know what your employees are doing online, on company time? How can their online activities impact not just productivity, but also your company's bank accounts? Are you or your admins monitoring your employees' online activities to find out what they are doing that could negatively impact your company?</em></p>

<p>As an administrator or a security professional your job is greatly dependent on information. Both of these professions require that you stay on top of things and are always aware of what is going on throughout your network. There are different ways to acquire the information required to do the job effectively and to gather the type of information one is seeking.</p>

<p><strong>By monitoring internet usage the following information can be ascertained:</strong></p>

<ol style="clear:left">
   <li><strong>Internet Usage:</strong> This may be stating the obvious but information on internet usage is essential for an administrator and/or a security professional. With this information one can find out:
   <ul>
      <li>How much time users spend browsing</li>
      <li>How much bandwidth is being consumed and for what</li>
      <li>Which sites people are visiting the most.</li>
   </ul>
   </li>
   <li><strong>Policy adherence:</strong> A good Internet usage monitor will give you reports on which internet usage policies users have tried to breach, how often they have attempted to breach them, and how many users have attempted to breach these policies. This information can then be used to identify the reasons for these attempted breaches. Is it because the policy is too strict and it stops people from doing their job? This analysis can help identify any changes required to make the policy less restrictive without compromising the underlying security reason for it. It could also be the case that people don't understand the reasons for a particular security policy, so this would be the perfect opportunity to educate your users.</li>
   <li><strong>Bandwidth:</strong> When you use an internet usage monitoring solution you can get a clear picture of which websites are eating up a lot of bandwidth and those users whose activity online is consuming excessive bandwidth. If your bandwidth is being used by employees who are streaming media that has no relevance to the business, you can proactively limit bandwidth use through quotas or by blocking certain sites altogether.</li>
   <li><strong>Threats:</strong> It's very important to know if and when users try to access malicious sites, because if a sudden increase is seen it can be an indication that someone is either targeting your organization or some other security mechanism has failed - for example the anti-spam solution is no longer catching phishing emails and users are clicking on links which they should not. This information can also potentially pinpoint troublesome employees. If you see a user trying to access sites that are infected with Trojans and other malware it should raise a red flag and you should investigate why that user is accessing those sites.</li>
</ol>

<p>With a good internet usage monitoring solution you can keep an eye on what is happening within your organization enabling you to be proactive on issues that you would otherwise not be aware of.</p>

<blockquote><em>This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd and edited by Wiz Feinberg. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about why you need to <a href="http://www.gfi.com/internet-monitoring-software">monitor internet usage</a>.</em></blockquote> ]]>
        
    </content>
</entry>

<entry>
    <title>Spam and email threat analysis for the week ending Dec 18, 2011</title>
    <link rel="alternate" type="text/html" href="http://www.wizcrafts.net/blogs/2011/12/spam_and_email_threat_analysis_for_the_week_endi_8.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.wizcrafts.net/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=1/entry_id=753" title="Spam and email threat analysis for the week ending Dec 18, 2011" />
    <id>tag:www.wizcrafts.net,2011:/blogs//1.753</id>
    
    <published>2011-12-18T18:55:13Z</published>
    <updated>2011-12-18T19:24:39Z</updated>
    
    <summary>This past week, I saw another consecutive 2% increase in my percentage of spam, vs legitimate email, bringing my spam percentage up to 26%. This week last year, my spam percentage was 47%. This year I am seeing just over half as much spam as in 2010.</summary>
    <author>
        <name>Wiz</name>
        <uri>http://www.wizcrafts.net</uri>
    </author>
    
        <category term="Spam Issues" />
    
    <content type="html" xml:lang="en" xml:base="http://www.wizcrafts.net/blogs/">
        <![CDATA[<p>This past week, I saw another consecutive 2% increase in my percentage of spam, vs legitimate email, bringing my spam percentage up to 26%. This week last year, my spam percentage was 47%. This year I am seeing just over half as much spam as in 2010.</p>

<p>As for email-borne malware threats, I received 11 messages leading to malware servers and none that carried malware in attached files. Of these malware threats, 7 spoofed NACHA and ACH pending bank transaction notices, 1 spoofed the BBB, 3 had fake query strings appended to files ending with a .htm extension. All of the above led to Russian crimeware exploit kits which use Java exploits to install either the Zeus or SpyEye banking Trojans, plus make those PCs members of spam botnets.</p>

<p>The balance of the incoming spam email was divided among the usual spam categories of pharmaceuticals, casinos, fake diplomas, replica watches, weight loss, and ridiculous Russian Bride dating scams, most of which had male names for the senders, but Russian female names in the message body (<em>like "Olga from Russia, Moscow"</em>). The grammar is absolutely horrible in those scams.</p>

<p><strong>Top Spam Categories for the week ending on December 18, 2011:</strong></p>

<p><em>These statistics were obtained from <a href="/mailwasher.html">MailWasher Pro</a>, an anti spam program that goes between email servers and your desktop email client.</em><br />
</p>]]>
        <![CDATA[<p>The biggest category was <a href="/mwp-blacklist.html">my custom Blacklist</a>, which automatically deleted 12 spam and scam email messages. <em>The processing of the Blacklist precedes any custom filters, making it more efficient on the CPU than the filters. The Blacklist is loaded with the program. Any messages not containing a Blacklisted sender or domain are passed on to my custom spam filters.</em></p>

<p>Tied with the Blacklist was the Male Enhancement category, with 12 spam messages for useless enlargement products.</p>

<p><strong>The lesser categories of spam are as follows:</strong></p>

<p>Cialis accounted for 10 messages.</p>

<p>Pharmaceutical spam had 9 messages, all for fake Internet pharmacies.</p>

<p>Casino spam occupied 7 "slots" ;-)</p>

<p>My Russian Brides filter blocked 5 spams.</p>

<p>Replica Watches filter stopped 5 spams.</p>

<p>Weight loss HCG drops dropped 4 spam emails.</p>

<p>MailWasher's built-in learning filter correctly marked 4 emails as spam.</p>

<p>The remaining spam messages were for fake diplomas, URL shorteners, Russian and Ukrainian spam domains and some miscellaneous spam categories.</p>

<hr />

<p><strong><em>The following updates were made to <a href="/mwp-filters.html">my spam filters</a> this week.</em></strong></p>

<p><b>Base 64 Encoded Body,<br />
Casino Spam.<br />
New Filter: BBB Fraud.<br />
New Filter: Fake Query String In Link (plus updated twice)</b></p>

<p><strong><em>I made 0 additions to <a href="/mwp-blacklist.html">my custom blacklist</a></em></strong> (<i>individual email addresses and wildcard Regular Expressions</i>).</p>

<p><a href="http://fta.firetrust.com/index.cgi?id=1007&amp;page=1" rel="external nofollow" title="We use and recommend MailWasher Pro, as a spam filter for your POP3 email client."><img src="http://www.firetrust.com/adverts/mailwasher_024.gif" alt="MailWasher Pro is a POP3 email client spam filter" width="113" height="125" border="0" style="float: left"/></a> I publish filters for both the old and new versions of MailWasher Pro. However, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the <a href="http://fta.firetrust.com/index.cgi?id=1007&amp;page=1" rel="external">MailWasher Pro website</a>.</p>]]>
    </content>
</entry>

<entry>
    <title>MailWasher spam filter for links to .htm files with huge query strings </title>
    <link rel="alternate" type="text/html" href="http://www.wizcrafts.net/blogs/2011/12/mailwasher_spam_filter_for_links_to_htm_files_wi.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.wizcrafts.net/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=1/entry_id=752" title="MailWasher spam filter for links to .htm files with huge query strings " />
    <id>tag:www.wizcrafts.net,2011:/blogs//1.752</id>
    
    <published>2011-12-15T04:31:56Z</published>
    <updated>2011-12-15T20:29:16Z</updated>
    
    <summary>For the past week, I have been seeing and reporting to SpamCop, scam email messages claiming to come from various financial agencies, or banks, with unusual links; all leading to malware servers. This is a continuation of the ACH, FDIC, etc., malware fraud that has been making the rounds for the past few months.</summary>
    <author>
        <name>Wiz</name>
        <uri>http://www.wizcrafts.net</uri>
    </author>
    
        <category term="Spam Issues" />
    
        <category term="Technical Articles" />
    
    <content type="html" xml:lang="en" xml:base="http://www.wizcrafts.net/blogs/">
        <![CDATA[<p>For the past week, I have been seeing and reporting (to <a href="http://www.spamcop.net/">SpamCop</a>), scam email messages claiming to come from various financial agencies, or banks, with unusual links; all leading to malware servers. This is a continuation of the ACH, FDIC, etc., malware fraud that has been making the rounds for the past few months.</p>

<p>What's different about the links in these new scams is that they are HUGE! They all start out like any normal hyperlink, with a domain name and a particular file. But, appended to the end of the file name is a humongous "query string" (<em>query strings begin with a question mark</em>), containing multiple long groups of letters and numbers, separated by = signs. I have just analyzed one that has 214 alpha-numeric characters in the query string!</p>

<p><strong>But, like octopus ink, things aren't always as they appear to be!</strong></p>

<p>Being a Webmaster and web page writer, it didn't take me long to figure out that the file type that had the query string appended to it was not a valid active content file. Sure, it could possibly have been rigged to be such a file, like a php type, but these are not. They are Plain Jane simple html files, ending in the extension <u>.htm</u>. The .htm file type does not accept any query strings. If you append such a string of characters to it, the server will ignore them completely. All you see is the htm, or html file contents. </p>

<blockquote>All of the rigged links I have traced are placed on compromised websites hosted on Apache web servers. The standard configuration of Apache web servers does NOT parse .htm, or .html files for active content. They are treated as "static" or flat files. No matter what the characters are that follow the file name and extension, the Apache servers where these links are pointing will ignore the phony query strings.</blockquote>

<p>But, the .htm file type link in the scam emails is not where this story ends. The contents of each and every one I have analyzed contains a few simple lines of straightforward HTML code and an "iframe" (inline frame) - which imports a page hosted on a Russian website named csredret.ru (<em>or variation thereof</em>), containing a JavaScript array that leads to targeted attacks based on the brand of browser you are using and the installed plug-ins, especially <a href="http://www.wizcrafts.net/blogs/2011/12/java_updated_to_version_6_update_30_on_december.html">unpatched versions of Java</a>.</p>

<p>After seeing another such scam email link tonight, I decided to write a spam filter to detect this type of link. I named the filter: "Fake Query String In Link." The filter is for the anti-spam program <a href="/mailwasher.html">MailWasher Pro</a>.</p>]]>
        <![CDATA[<p>First, here is a sample of the kind of link this article is referring to:</p>
<blockquote>
<code>http://mtbtrforum(DOT)com/cxqud(DOT)htm?R2WG=8SSFNEH63Q53K575GB9UY1&amp;96E=NDVRCCPYBA8MXYMK1B1CC7&amp;PV3FM46=EU8T4XXL5&amp;U9W=XLH3I5KPL377639HT9&amp;WVDSSH0=64FCA8OGDFC&amp;</code>
</blockquote>
<p><a href="http://fta.firetrust.com/index.cgi?id=1007&amp;page=1" rel="external">MailWasher Pro</a> has been available for 10 years now, and I have been using it that long. Some people are using the "old" version, which ended with version 6.5.4, in 2010. Others have moved up to the new version, which is now version 2012. I write spam filters for both the old and new versions. <a href="/mwp-filters.html">My MailWasher custom spam filters are here</a>.</p>

<p><strong>Filter codes UPDATED on Dec 15, 2011, at 3:30 PM EDT.</strong></p>

<p>Here is my "Fake Query String In Link" spam filter for people using MailWasher Pro version 6.5.x:</p>
<pre><code>[enabled],"Fake Query String In Link (Dangerous!)","Exploit Link",255,OR,Delete,Body,containsRE,"(?-i)http://.+\.[a-z]{2,4}/.+\.html?\?[A-Z0-9=&amp;]+="</code></pre>
<p>Here is the same filter written in XML format for people using MailWasher Pro versions 2011 or newer (you can set it to auto-delete if you wish):</p>
<pre><code>&lt;Filter Name="Fake Query String In Link (Dangerous Link!)" Enabled="True"&gt;
  &lt;Description&gt;Exploit Link&lt;/Description&gt;
  &lt;MatchAll&gt;False&lt;/MatchAll&gt;
  &lt;Rating&gt;-200&lt;/Rating&gt;
  &lt;Colour&gt;#FFCC0098&lt;/Colour&gt;
  &lt;TextColour&gt;White&lt;/TextColour&gt;
  &lt;AutoDelete&gt;False&lt;/AutoDelete&gt;
  &lt;HideEmail&gt;False&lt;/HideEmail&gt;
  &lt;HideEmailOption&gt;All&lt;/HideEmailOption&gt;
  &lt;Rule&gt;
    &lt;Field&gt;Body&lt;/Field&gt;
    &lt;Operator&gt;Contains&lt;/Operator&gt;
    &lt;Type&gt;RegEx&lt;/Type&gt;
    &lt;Expression&gt;(?-i)http://[a-z0-9]+\.[a-z]{2,4}(\.[a-z]{2,4})?/.+\.html?\?[A-Z0-9=&amp;]+=&lt;/Expression&gt;
  &lt;/Rule&gt;
&lt;/Filter&gt;</code></pre>
<p>These filters have already been added to <a href="/mwp-filters.html">my published custom spam filters</a>, in both old and new formats. If you already use MailWasher Pro, you can download the format for your version of the program and either merge your own filters into it, or use it as is. Instructions are found on the landing page.</p>
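<p>As an added example (my own code, not Wiz's filter files and nothing from MailWasher), here is the newer filter's regular expression applied in Python to a few constructed message bodies, so you can see which links trip it and which it leaves alone. The hostnames in the samples are placeholders, and the helper names (<code>matches_fake_query_filter</code>, <code>fake_query_length</code>, <code>scan_mailbox</code>) are my own; the length counter follows the article's habit of counting the alphanumeric characters in the bogus query string.</p>

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# The expression from the MailWasher Pro 2011+ XML filter above, without its
# leading "(?-i)" directive: Python's re module is case-sensitive unless
# re.IGNORECASE is passed, so compiling the pattern plainly gives the same
# case-sensitive behaviour that directive asks MailWasher for.
FAKE_QUERY_LINK = re.compile(
    r"http://[a-z0-9]+\.[a-z]{2,4}(\.[a-z]{2,4})?/.+\.html?\?[A-Z0-9=&]+="
)


def matches_fake_query_filter(body: str) -> bool:
    """True when the message body would trip the filter: a link to a static
    .htm/.html file followed by an upper-case alphanumeric query string."""
    return FAKE_QUERY_LINK.search(body) is not None


def fake_query_length(body: str) -> int:
    """Alphanumeric length of the bogus query string on the first matching
    link, or 0 for a body the filter ignores."""
    match = FAKE_QUERY_LINK.search(body)
    if match is None:
        return 0
    # The pattern stops at the last '=' it can reach; extend to the end of
    # the URL token so the whole query string is measured.
    end = match.end()
    while end < len(body) and not body[end].isspace() and body[end] not in '<>"':
        end += 1
    query = urlsplit(body[match.start():end]).query
    return sum(ch.isalnum() for ch in query)


def scan_mailbox(messages: dict[str, str]) -> dict[str, int]:
    """Map each subject to its bogus-query length; 0 means the filter is silent."""
    return {subject: fake_query_length(body) for subject, body in messages.items()}


# Constructed sample bodies (placeholder hostnames, not real sites). The first
# copies the shape of the scam link quoted in the article; the others are
# ordinary links the filter must leave alone.
SAMPLE_MESSAGES = {
    "ACH transfer rejected": (
        "Your ACH transaction has been rejected. Details: "
        "http://compromisedhost.com/cxqud.htm"
        "?R2WG=8SSFNEH63Q53K575GB9UY1&96E=NDVRCCPYBA8MXYMK1B1CC7&"
    ),
    # static page, no query string at all
    "Newsletter": "Read the newsletter at http://example.org/news/december.htm today.",
    # dynamic page: a query string on a .php file is normal and is not matched
    "Order confirmation": "Track your order: http://example.net/track.php?id=12345&lang=en",
    # static page with a lower-case query: the case-sensitive pattern stays quiet
    "Help page": "See http://example.net/help.html?topic=billing for details.",
}

if __name__ == "__main__":
    for subject, length in scan_mailbox(SAMPLE_MESSAGES).items():
        verdict = f"FLAGGED (query has {length} alphanumerics)" if length else "ok"
        print(f"{subject:22} {verdict}")
```

<p>Two things worth noticing: the filter evaluates the whole body, so the useful result is a per-message verdict rather than a list of links; and the upper-case-only character class is what keeps a normal lower-case query on a .html page from being flagged, which is why the original filter insists on case-sensitive matching.</p>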

<p>If you aren't using MailWasher Pro yet, but want to learn more about it, go to my <a href="/mailwasher.html">MailWasher Pro program description page</a>. You can read about it, download a trial version there, or buy into a subscription. <em>I do make a small commission on sales through my links, which puts beer in the fridge occasionally!</em></p>
<blockquote>
<p><em>If you don't use MailWasher Pro and still want some protection for your computers (against this particular Russian domain), you can <a href="http://winhelp2002.mvps.org/hostsfaq.htm" rel="external">edit</a> a read-only, normally hidden system file with the name <a href="http://en.wikipedia.org/wiki/Hosts_file" rel="external">HOSTS</a> (with no file extension!) - to include the following line of code:</em></p>

<p><code>127.0.0.1     csredret.ru</code></p>

<p><em>If you don't know about the tricks of editing and saving changes to the HOSTS file, use the links in the previous paragraph, or leave it alone.</em></p>
</blockquote>
<p>I hope none of you have been tricked into clicking on one of these links, because the payload is very nasty. Your identity and bank accounts could be stolen by the Trojans downloaded by the scripts and attack kits hosted on the Russian malware server I listed earlier in this article. But, if you did, you should run a scan for malware using your <em>up-to-date and updated</em> security program or programs. If you are using Windows XP or newer, you may be able to salvage your system by running System Restore to a day or time before you clicked on the link.</p>

<p>If your security program is out-dated, or you have none at all, I use and recommend <a href="/tmis">Trend Micro Internet Security</a> and <a href="/malwarebytes.html">Malwarebytes Anti-Malware</a> to secure my PCs.</p>]]>
    </content>
</entry>

<entry>
    <title>Java updated to version 6 update 30, on December 12, 2011</title>
    <link rel="alternate" type="text/html" href="http://www.wizcrafts.net/blogs/2011/12/java_updated_to_version_6_update_30_on_december.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.wizcrafts.net/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=1/entry_id=751" title="Java updated to version 6 update 30, on December 12, 2011" />
    <id>tag:www.wizcrafts.net,2011:/blogs//1.751</id>
    
    <published>2011-12-13T06:13:11Z</published>
    <updated>2011-12-13T07:01:09Z</updated>
    
    <summary>Oracle, the current keeper of Java software, has released a new version to fix stability problems in previous versions and improve performance. The new version&apos;s common name is Java 6 update 30. If you have Java installed on any of your PCs, it is important to check for updates and apply them as soon as possible.</summary>
    <author>
        <name>Wiz</name>
        <uri>http://www.wizcrafts.net</uri>
    </author>
    
        <category term="Application Patches/Updates" />
    
    <content type="html" xml:lang="en" xml:base="http://www.wizcrafts.net/blogs/">
        <![CDATA[<p>Oracle, the current keeper of Java software, has released a new version to fix stability problems in previous versions and improve performance (<a href="http://www.oracle.com/technetwork/java/javase/2col/6u30bugfixes-1394936.html" rel="external"><em>see bug fix page</em></a>). The new version's common name is Java 6 update 30. The official version number is actually 1.6.0_30-b12. If you have Java installed I recommend keeping it updated to the latest version, whenever Oracle releases one.</p>

<p>I often write about Java vulnerabilities being exploited by criminals who install exploit attack kits onto web servers under their control; mostly in the former Soviet Union. The number one exploit targets vulnerabilities in Java. In <a href="http://www.wizcrafts.net/blogs/2011/12/adobe_and_windows_critical_patches_coming_in_mid.html">my last blog article</a> I wrote a couple of paragraphs about how Java vulnerabilities are exploited to take over computers with no user interaction. </p>

<p>If you have Java installed on any of your PCs, it is important to check for updates and apply them as soon as possible. Windows PC users can check for updates by using the Control Panel Java applet's "Update" tab. On that tab there is a section where you can select automatic checking for updates on a schedule of your choice. Since Oracle doesn't seem to have any regular schedule for updating Java, I recommend setting the automatic checks to every day, at a time when the PC is turned on. The updater hides in the System Tray, by the clock, and only appears if there is an update available.</p>

<p>You can also check for Java updates manually, from the same Java applet icon in Control Panel. It is found on the Update tab page, as a button labeled Update Now. Use it to install the latest version, if you haven't already received notification by the auto-updater.</p>

<p>It is important that you uninstall all previous versions of Java, in order to protect your computers from exploits that target them by their default folder location. Use your Control Panel "Add/Remove Programs," or the Windows 7 "Programs and Features" icon, to get rid of all previous builds prior to the latest version. Reboot after you run all of the old Java uninstallers. Then, after you re-enter Windows, go to Start and click to open "(My) Computer" - then double-click on the C drive, then on Program Files, and look for the Java folder. Open it (double-click) and look for any leftover older Java version number folders and delete them manually. Keep in mind that the new current version, as of 12/12/2011, is version 6 build 30.</p>

<p>You can also check to see <a href="http://www.java.com/en/download/installed.jsp" rel="external">if you have Java installed on this page on Java.com</a>. You can download the latest stable version of Java from <a href="http://www.java.com/">java.com</a>.</p>

<p>If your computers have Java installed (even an old insecure version), you can check to see if you have any insecure software installed, or are missing any Windows Updates, by using the <a href="http://secunia.com/vulnerability_scanning/online/" rel="external">Secunia Online Software Inspector</a>. It uses Java to scan your computer for out-dated software and browser plug-ins, including Java, and provides download links to get the latest versions of those programs or plug-ins. I recommend scanning from Secunia once a week, just to be sure you are fully patched!</p>]]>
        
    </content>
</entry>

<entry>
    <title>Adobe and Windows critical patches coming in mid-December and January</title>
    <link rel="alternate" type="text/html" href="http://www.wizcrafts.net/blogs/2011/12/adobe_and_windows_critical_patches_coming_in_mid.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.wizcrafts.net/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=1/entry_id=750" title="Adobe and Windows critical patches coming in mid-December and January" />
    <id>tag:www.wizcrafts.net,2011:/blogs//1.750</id>
    
    <published>2011-12-11T20:10:27Z</published>
    <updated>2011-12-11T21:26:01Z</updated>
    
    <summary>Adobe Systems has announced that they will be releasing an &quot;out-of-band&quot; patch, during the week starting on December 12, 2011, for their Acrobat and Reader programs, version 9.4.6. This is in response to cyber criminals exploiting a critical vulnerability discovered in the code used by those related programs.</summary>
    <author>
        <name>Wiz</name>
        <uri>http://www.wizcrafts.net</uri>
    </author>
    
        <category term="Application Patches/Updates" />
    
        <category term="Windows Update Notices" />
    
    <content type="html" xml:lang="en" xml:base="http://www.wizcrafts.net/blogs/">
        <![CDATA[<p><strong>Adobe Systems</strong> has published <a href="http://www.adobe.com/support/security/advisories/apsa11-04.html" rel="external">an advisory</a> announcing that they will be releasing an "out-of-band" patch, sometime during the week starting on December 12, 2011, for their Acrobat and Reader programs for Windows, version 9.4.6. This is in response to cyber criminals exploiting a critical vulnerability discovered in the code used by those related programs.</p>

<p>The same vulnerability being exploited in Reader 9.4.6 also exists in the newer version 10.1.1 of Adobe Reader X and Acrobat X. However, those programs operate by default in protected mode, which nullifies the exploit vector being targeted in the ongoing attacks. Nonetheless, Adobe has scheduled a security update for these newer versions, to be released on January 10, 2012. That update will apply to all supported platforms of Adobe Reader.</p>

<p><strong>If you use the Foxit PDF reader</strong>, they have released a new version to respond to the same vulnerability as exists in Adobe's Reader (see Foxit security notice <a href="http://www.foxitsoftware.com/announcements/201112075166.html" rel="external">here</a>). You can download <a href="http://www.foxitsoftware.com/downloads" rel="external">the latest version (5.1.3) of Foxit</a> from their website.</p>

<p><strong>Microsoft is going to be releasing 14 patches on December 13, 2011</strong>. Be sure you check for these Windows Updates during the afternoon of this coming Patch Tuesday. You may or may not need all 14 patches, depending on your Windows operating system and installed Microsoft Office programs. If you use Windows XP, with SP 3, you are definitely going to get a lot of patches! If you haven't upgraded to SP 3, your PC is in extreme danger of takeover by numerous vulnerabilities that were patched, but require SP 3 to receive them.</p>

<p>Other software vulnerabilities being exploited in the wild this week include a <strong>critical flaw in Yahoo Messenger 11.5.0.152 and older</strong>. This happens to include the current version! The World waits with bated breath for Yahoo to respond with a patched update. The flaw allows hostile status update messages to be placed by hackers and criminals, with links to malware servers. The victims are unaware that their status message system is being used to trick other people on their Yahoo Messenger contact lists. </p>

<p>To protect themselves until a patch is released, Yahoo users should set their Yahoo Messenger to "ignore anyone who is not in your Yahoo! Contacts." That should keep you safe from being exploited by strangers, but you could still be tricked if one of your existing contacts gets hacked. Keep this in mind and check for updates regularly, via the Yahoo Messenger Help menu item.</p>]]>
        <![CDATA[<p>Finally, <strong>Oracle's Java</strong> (<em>not JavaScript</em>) has been and still is the darling of <a href="http://krebsonsecurity.com/2011/11/new-java-attack-rolled-into-exploit-kits/" rel="external">exploit kit authors</a>. It is the <a href="http://www.networkworld.com/news/2011/112911-hackers-launch-millions-of-java-253557.html?source=NWWNLE_nlt_security_2011-11-30" rel="external">most successful attack vector in use today</a>. If you have a vulnerable version of Java installed on your computer, it can be exploited without any user interaction, to completely take over control of your computer. It is imperative that <a href="http://www.java.com/en/download/installed.jsp" rel="external">if you have Java</a>, it must be the latest version (<em>currently version 6 Update 29</em>), with no old versions left on your hard drives (<em>old versions can still be targets</em>). Go to <a href="http://www.java.com" rel="external">java.com</a> to ensure that you have the latest version installed (<em>then uninstall any older versions!</em>). </p>

<p>If you don't use Java for any mission critical purposes, consider uninstalling ALL versions of it. If you must use Java, set the updater to check automatically every week, or even daily, at a time when your PCs are normally on. Do this via the Windows Control Panel Java applet. Mac users should use the Apple Software Updater, while Linux users should use the built-in software updater for their version of Linux.</p>

<p>In case you are wondering who is to blame for all of the exploit kits targeting your computers, read this <a href="http://www.bbc.co.uk/news/technology-15877751" rel="external">BBC article about Russian exploit kit programmers</a>. Blame Rasputin!</p>]]>
    </content>
</entry>

<entry>
    <title>Spam and email threat analysis for the week ending Dec 11, 2011</title>
    <link rel="alternate" type="text/html" href="http://www.wizcrafts.net/blogs/2011/12/spam_and_email_threat_analysis_for_the_week_endi_7.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.wizcrafts.net/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=1/entry_id=749" title="Spam and email threat analysis for the week ending Dec 11, 2011" />
    <id>tag:www.wizcrafts.net,2011:/blogs//1.749</id>
    
    <published>2011-12-11T19:16:02Z</published>
    <updated>2011-12-11T19:58:56Z</updated>
    
    <summary>This past week, I had a 2% increase in my percentage of spam, vs legitimate email, bring my spam percentage to 24%. This, coupled with the big decrease of last week, brings spam levels to the lowest this year. Much of this decline in spam has to do with the takedowns of several major spam botnets. It also has to do with spammers finding it more lucrative to use social networks to conduct their illicit business.</summary>
    <author>
        <name>Wiz</name>
        <uri>http://www.wizcrafts.net</uri>
    </author>
    
        <category term="Spam Issues" />
    
    <content type="html" xml:lang="en" xml:base="http://www.wizcrafts.net/blogs/">
        <![CDATA[<p>This past week, I had a 2% increase in my percentage of spam, vs legitimate email, bringing my spam percentage to 24%. This, coupled with the big decrease of last week, brings spam levels to the lowest this year. Much of this decline in spam has to do with the takedowns of several major spam botnets. It also has to do with spammers finding it more lucrative to use social networks to conduct their illicit business.</p>

<p>Overall, it was a quiet week, threat-wise. I only received 10 messages leading to malware servers and none that carried malware in attached files. Of these malware threats, 2 spoofed Bank Of America, 2 spoofed the BBB, 2 were fake contract links, 1 fake changelog, and 3 ACH or FDIC scams.</p>

<p>Although I didn't personally see any, I read that other security researchers and honeypots have captured spam email containing links to fake update notices for Adobe Acrobat and Reader and Adobe X Suite Advanced and fake "License keys" for Adobe InDesign. All of these led to the installation of Trojan Horse programs that steal banking credentials and force the infected machine to become part of a spam and attack botnet.</p>

<p>Please go directly to www.adobe.com (<em>type it into your browser's address bar</em>) to obtain any updates or licenses for Adobe products. Do not click on links in email messages. 99.99999% are fraudulent and lead to malware exploit kits. </p>

<p><strong>Top Spam Categories for the week ending on December 11, 2011:</strong></p>

<p><em>These statistics were obtained from <a href="/mailwasher.html">MailWasher Pro</a>, an anti spam program that goes between email servers and your desktop email client.</em></p>

<p>Interestingly, Turkish-hosted online casinos were the top category of spam. I created some new rules for my <a href="/mwp-filters.html">MailWasher Pro spam filters</a> to detect and delete the new Casino Spam. There were 15 casino spam messages.<br />
</p>]]>
        <![CDATA[<p>The second biggest category was <a href="/mwp-blacklist.html">my custom Blacklist</a>, which automatically deleted 14 spam and scam email messages. <em>The processing of the Blacklist precedes any custom filters, making it more efficient on the CPU than the filters. The Blacklist is loaded with the program. Any messages not containing a Blacklisted sender or domain are passed on to my custom spam filters.</em></p>

<p><strong>The lesser categories of spam are as follows:</strong></p>

<p>Pharmaceutical spam had just 8 messages.</p>

<p>Male enhancement, Russian Brides and counterfeit watches each had 7 spam messages.</p>

<p>Cialis and Viagra accounted for 6 messages.</p>

<p>My Russian (.ru) domain filter blocked 5 spams.</p>

<p>Fake diplomas and unlicensed prescription drugs each had 4 spam emails.</p>

<p>The remaining 12 messages were for various types of spam offerings, from scams to weight loss berries and some URL shortener links to possibly dangerous destinations.<br />
<hr /><br />
<strong><em>The following updates were made to <a href="/mwp-filters.html">my spam filters</a> this week.</em></strong><br />
<b><br />
Casino Spam,<br />
Diploma Spam [B regexp] <br />
Money Mule Scam (#2 for v 6.x),<br />
Unlicensed Prescription Drugs<br />
</b><br />
<strong><em>I made 2 additions to <a href="/mwp-blacklist.html">my custom blacklist</a></em></strong> (<i>individual email addresses and wildcard Regular Expressions</i>):<br />
<b><br />
test.test@aol.com<br />
+@bbb.org<br />
</b><br />
<a href="http://fta.firetrust.com/index.cgi?id=1007&page=1" rel="external nofollow" title="We use and recommend MailWasher Pro, as a spam filter for your POP3 email client."><img src="http://www.firetrust.com/adverts/mailwasher_024.gif" alt="MailWasher Pro is a POP3 email client spam filter" width="113" height="125" border="0" style="float: left"/></a><br />
I publish filters for both the old and new versions of MailWasher Pro. However, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the <a href="http://fta.firetrust.com/index.cgi?id=1007&page=1" rel="external">MailWasher Pro website</a>.</p>]]>
    </content>
</entry>

<entry>
    <title>Access log &quot;Referer&quot; spam still happening through 2011</title>
    <link rel="alternate" type="text/html" href="http://www.wizcrafts.net/blogs/2011/12/access_log_referer_spam_still_happening_through.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.wizcrafts.net/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=1/entry_id=748" title="Access log &quot;Referer&quot; spam still happening through 2011" />
    <id>tag:www.wizcrafts.net,2011:/blogs//1.748</id>
    
    <published>2011-12-08T03:36:06Z</published>
    <updated>2011-12-08T05:13:27Z</updated>
    
    <summary>I write about a lot of different types of spam, but one of the oldest, next to blog, email and USENET, is spamming the &quot;REFERER&quot; field on a website&apos;s raw access logs. I have been seeing this form of spam for over a decade now.</summary>
    <author>
        <name>Wiz</name>
        <uri>http://www.wizcrafts.net</uri>
    </author>
    
        <category term="Domain/Website Issues" />
    
        <category term="Spam Issues" />
    
    <content type="html" xml:lang="en" xml:base="http://www.wizcrafts.net/blogs/">
        <![CDATA[<p><strong>Takeaway:</strong></p>

<p>I write about a lot of different types of spam, but one of the oldest, next to email and USENET, is spamming the "<em>REFERER</em>" field on a website's raw access logs. I have been seeing this form of spam for over a decade now.</p>

<p><br />
<strong>What is a raw access log?</strong></p>

<p>Websites are usually set up or configured to generate a text or graphical log of all visits to those sites (a.k.a. "hits"). These logs contain information that is useful to the Webmasters of those sites. Graphical log reports use pie or column charts to show where the hits are coming from, who sent them to you, what the visitors were searching for and other useful facts about each request. A "raw access log" presents the same details in plain text format, one line per request, in space-separated fields.</p>

<p><br />
<strong>Why would anybody want to spam a website's raw access logs?</strong></p>

<p>Over a decade ago, spammers learned that some website owners, free hosting companies, and individuals hosting their own web servers at home (usually against their ISP's terms of service) were publishing their raw access logs so that the owners could read them in a web browser, from anywhere they might be. Most of these published access logs are not password protected, meaning anybody, anywhere, can view them if they know the location of the log files. Since so many people do not understand website security at all, they leave configurations in their default state. This means that if the raw access logs are published, their folder location is predictable, based on the web server software and operating system. That web server is usually the Apache Web Server.</p>

<p>Thus, when spammers found raw access logs published in default folder locations on various web servers, they could read them in their browsers, as could anyone else in the World. So, some enterprising S.O.B. came up with the brilliant idea of requesting a few files from each such website while sending fabricated "referrer" details along with the request.</p>

<p><br />
<strong>What is the referrer field in an Access log?</strong></p>

<p>The referrer field is a section of an access log that tells the owner/maintainer of the website where each visitor came from, just before they came to your website. In other words, who referred them to you. This information is extremely valuable for learning who links to your web pages, or is writing about you, or has found your site by means of a search engine result.</p>

<p><br />
<strong>What do spammers do to referrer fields to turn them into spam?</strong></p>

<p>Instead of revealing the actual page the visitor (human or machine) was viewing when they decided to come to yours, spammers use scripts or bots that set the <em>referer</em> field of the request to whatever content they wish to present. The web server simply records what it is sent. That special content usually takes the form of spammy links containing the names of illicit goods (illicit prescription drugs, counterfeit goods) or services (shady or illegal businesses).</p>

<p><br />
<strong>Did I just misspell "<em>referrer</em>" as "<em>referer</em>?"</strong></p>

<p>Nope. The misspelling is older than Apache. It was written into the original HTTP specification (RFC 1945, HTTP/1.0, published in 1996), where the word Referrer was <a href="http://en.wikipedia.org/wiki/HTTP_referrer">accidentally spelled <em>Referer</em></a>, and it has stayed with us to this very day: browsers send the header as <em>Referer</em> and web servers log it under that name.</p>

<p><br />
<strong>Now, on to the rest of the details about Referer spam.</strong></p>]]>
        <![CDATA[<p>Most raw access logs (Apache's "combined" log format is the common one) contain the following details, one line per request:</p>
<ul>
	<li>IP address of the visitor</li>
	<li>Date and time of the request</li>
	<li>Method (GET, POST, HEAD, etc.)</li>
	<li>Requested folder (just "/" means the default index page)</li>
	<li>Requested file name and extension, plus any query string</li>
	<li>HTTP protocol version (1.0 or 1.1)</li>
	<li>Server response code (200=OK, 403=Forbidden, 404=Not Found, 500=Internal Server Error, a.k.a. "Oops - I broke it")</li>
	<li>Size of the response in bytes</li>
	<li>REFERER (what this is all about)</li>
	<li>User Agent of the visitor (browser name and version and computer OS, search engine robot details, exploit tool, spambot)</li>
</ul>
<p>When spammers post spam links in the faked Referer field as they visit your website, they are hoping that your hosting company, or you, have allowed the access logs, or the statistics pages generated from them, to be published without any credentials required to view them. Spammers use cheap labor, "bots," or automated web scripts to post spam links to as many websites as they have listed in their databases, which are sold on underground spam forums. Some spammers compile their own lists by searching for published raw access logs on Google, Yahoo, Bing and other search engines. Since those logs are publicly viewable, they are also detectable and indexable by search engine crawlers. Keep in mind that the Referer header is supplied entirely by the client and is therefore untrusted input: a log viewer or statistics page that renders it unescaped can be used to inject HTML or script into the browser of whoever reads the report.</p>
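<p>As an added example (my own illustration, not code from the original post or from any log tool), here is a small Python parser for Apache's combined log format that pulls out the Referer field of each request and sorts it into "none", "ok", "spam" and "malformed" buckets, tallying the hostnames behind the spam. The log lines are constructed for this example; the spam and attacker hosts use the reserved <em>.invalid</em> and documentation address ranges, and the keyword list is an assumed starting point, not a definitive one.</p>

```python
import re
from urllib.parse import urlsplit

# Apache "combined" log format:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Apache backslash-escapes any double quote inside a logged header value,
# so the quoted fields are matched as "anything except an unescaped quote".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample log (not taken from any real server). The spam and
# attacker hosts use documentation/reserved names so they resolve nowhere.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Dec/2011:03:36:06 +0000] "GET / HTTP/1.1" 200 5120 "http://www.google.com/search?q=referer+spam" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/8.0"
198.51.100.23 - - [08/Dec/2011:03:37:11 +0000] "GET /blogs/ HTTP/1.0" 200 8040 "http://cheap-pills-example.invalid/buy-viagra-cialis.html" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [08/Dec/2011:03:37:12 +0000] "GET /robots.txt HTTP/1.0" 404 312 "http://online-casino-example.invalid/" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.99 - - [08/Dec/2011:03:40:00 +0000] "GET /about.html HTTP/1.1" 200 2210 "<script>alert(1)</script>" "curl/7.21.0"
192.0.2.5 - - [08/Dec/2011:03:41:30 +0000] "GET /blogs/atom.xml HTTP/1.1" 200 33800 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
"""

# Keyword heuristic only; an assumed list, tune it to the spam you actually see.
SPAM_WORDS = ("viagra", "cialis", "casino", "pills", "replica", "diploma")


def parse_line(line):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # "-" means no body sent
    return rec


def classify_referer(referer):
    """Return 'none' (no header), 'ok', 'spam', or 'malformed' (not a URL at all).

    The Referer header is set entirely by the client, so anything can show up
    here, including HTML aimed at whoever views a published log report.
    """
    if referer in ("", "-"):
        return "none"
    try:
        parts = urlsplit(referer)
    except ValueError:
        return "malformed"
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "malformed"
    lowered = referer.lower()
    if any(word in lowered for word in SPAM_WORDS):
        return "spam"
    return "ok"


def analyze(log_text):
    """Count referer categories and tally spam referer hostnames across a log."""
    counts = {"none": 0, "ok": 0, "spam": 0, "malformed": 0}
    spam_hosts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        kind = classify_referer(rec["referer"])
        counts[kind] += 1
        if kind == "spam":
            host = urlsplit(rec["referer"]).hostname
            spam_hosts[host] = spam_hosts.get(host, 0) + 1
    return counts, spam_hosts


if __name__ == "__main__":
    totals, hosts = analyze(SAMPLE_LOG)
    print("referer categories:", totals)
    for host, hits in sorted(hosts.items(), key=lambda kv: -kv[1]):
        print(f"spam referer host {host}: {hits} hit(s)")
```

<p>Run against a real log, the "spam" bucket tells you which hosts are being pushed at you, and the "malformed" bucket is the one to watch if any report built from the log is published anywhere, since that is where script or HTML aimed at the reader of the report will land. The keyword list is deliberately short; a hostname list built from your own spam bucket will catch far more than the words alone.</p>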

<p><br />
<strong>Take Action!</strong></p>

<p>If you are a webmaster, or own a website, and your access logs (or the statistics pages generated from them) are publicly viewable without a username and password, learn how to either protect them from the public or turn off their publication altogether. On Apache the log files normally live outside the document root and cannot be fetched from the web at all; the exposure comes from copying them, or reports built from them, into a web-accessible folder. Move them back out of reach, or require a password for that folder. Spammers may continue to post spam links to your referer field, but nobody will see those links - which is how it should be. Do your part in denying an audience to spammers, no matter what type of spam they try to post.</p>

<p><br />
<strong>Epilogue:</strong></p>

<p>Whether spam is sent by email, or posted to Facebook, Twitter, or a blog, or an access log, it is still pure garbage. Most of it promotes dangerous illicit prescription drugs that are made in India and other countries in Asia, where the quality and content controls are lax, compared to those in the US and Canada and most other Western nations. Some log spam promotes counterfeit goods, pirated software, porn sites, online casinos, underground forums and ripoff sites hawking loans. Don't let your access logs assist spammers in their criminal pursuits!<br />
</p>]]>
    </content>
</entry>

<entry>
    <title>Spam and email threat analysis for the week ending Dec 4, 2011</title>
    <link rel="alternate" type="text/html" href="http://www.wizcrafts.net/blogs/2011/12/spam_and_email_threat_analysis_for_the_week_endi_6.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.wizcrafts.net/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=1/entry_id=747" title="Spam and email threat analysis for the week ending Dec 4, 2011" />
    <id>tag:www.wizcrafts.net,2011:/blogs//1.747</id>
    
    <published>2011-12-04T21:51:15Z</published>
    <updated>2011-12-05T04:47:00Z</updated>
    
    <summary>This week I saw a drop in my overall volume of email, but the percentage of spam actually declined by 2%, to 22%. First place went to spam for the ridiculous Russian Bride scams. Second place went to spam for fake-replica name brand watches. Third place remained firmly in the grasp of male enhancement scams. </summary>
    <author>
        <name>Wiz</name>
        <uri>http://www.wizcrafts.net</uri>
    </author>
    
        <category term="Spam Issues" />
    
    <content type="html" xml:lang="en" xml:base="http://www.wizcrafts.net/blogs/">
        <![CDATA[<p>This week I saw a drop in my overall volume of email, but the percentage of spam actually declined by 2%, to 22%.</p>

<p>First place went to spam for the ridiculous Russian Bride scams. Second place went to spam for fake-replica name brand watches. Third place remained firmly in the grasp of male enhancement scams. Every other typical spam category paled compared to these three.</p>

<p>The other categories of spam last week were covered by casinos, Cialis, fake diplomas, weight loss drugs, NACHA failed deposit fraud and money mule job scams. If you have been reading my blog you know that the NACHA emails are all fraudulent and are meant to infect your computer with a bank-account-stealing Trojan and draft it into a spam botnet.</p>

<p>Most of the online exploit attacks that succeed, like the NACHA and ACH fraud, do so by means of exploit kits that seek to compromise vulnerable versions of the <a href="http://www.java.com/" rel="external">Java Virtual Machine</a>. Java is the #1 attack vector targeting users' web browsers. If you are using a non-current version of Java, or even have older versions left in your Program Files directory, you are at great risk of being exploited. The exploits I refer to place Trojans on your computer that steal financial and auction account credentials, and make it a zombie member of a spam botnet.</p>

<p>You can check to see if Java is installed on your Windows computers by going to Control Panel and looking for an icon named Java. If it is there, double-click it to open the Java Control Panel, then click on the Update tab, then click the button to check for updates. Accept any updates to Java. Set the updater to automatically check every day, at a time when your PC is on. Next, use the Add/Remove Programs icon to look for older versions of Java and uninstall all but the newest version and build. Close and restart your browser so that it loads the updated plug-in rather than a copy of the old one still in memory.</p>

<p>If you don't need Java, or don't know if you need it, uninstall it completely and close the number one attack vector used by the BlackHole Exploit Kit.<br />
</p>]]>
        <![CDATA[<p>The money mule scams have been covered in recent articles on my blog (<em>search it for money mule</em>). One is enticed by the promise of unrealistic wages for part time work at home. What the respondents don't usually know is that the ads and websites (for Rock Cruit Management, or Rock Smith Management) are placed by Russian cybercriminals. The jobs entail receiving and relaying either money stolen by Zeus or SpyEye Trojans, or goods bought on auction sites with stolen credit cards and PayPal accounts (<em>The aforementioned Trojans also steal PayPal and eBay credentials</em>).</p>

<p>In past weeks, Russian scammers were using Ukrainian registered domain names to hawk pirated software. This week, the stolen software messages are gone and have been replaced by spam for counterfeit name brand purses, glasses, shoes and watches. Virtually every other piece of email spam that contained a link led to a Russian registered website, ending in .RU.</p>

<p>I use a program called <a href="/mailwasher.html">MailWasher Pro</a> to prescreen all incoming email for unwanted content, or threats. The program makes use of several methods to detect and block spam. But, my favorite is the use of user-created spam filters. I write and publish my own custom <a href="/mwp-filters.html">MailWasher Pro spam filters</a>. The current version of MailWasher Pro, as of this article, is version 2012, which was just introduced. My filters are written for both the new format and old format, 6.x of MailWasher, so all users can benefit from my spam filters.</p>

<p><strong><em>The following updates were made to my spam filters this week.</em></strong><br />
<b><br />
Known Spam Subjects #4, </p>

<p>Money Mule Scam updated and split into 2 filters: <u>Money Mule Scam #1</u> and <u>Money Mule Scam #2</u> (split in version 6.x only. Updated in v 2011/2012); </p>

<p>Watches Spam updated and split into 2 new filters: <u>[From or Subject]</u> and <u>[Body]</u> (split in version 6.x only. Updated in v 2011/2012)<br />
</b><br />
<strong><em>I made 0 additions to <a href="/mwp-blacklist.html">my custom blacklist</a></em></strong> (<i>individual email addresses and wildcard Regular Expressions</i>):<br />
<b><br />
My Blacklist is working just fine; thank you!<br />
</b><br />
<a href="http://fta.firetrust.com/index.cgi?id=1007&page=1" rel="external nofollow" title="We use and recommend MailWasher Pro, as a spam filter for your POP3 email client."><img src="http://www.firetrust.com/adverts/mailwasher_024.gif" alt="MailWasher Pro is a POP3 email client spam filter" width="113" height="125" border="0" style="float: left"/></a><br />
I publish filters for both the old and new versions of MailWasher Pro. However, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the <a href="http://fta.firetrust.com/index.cgi?id=1007&page=1" rel="external">MailWasher Pro website</a>.</p>]]>
    </content>
</entry>

</feed> 


