If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on May 14, 2008:

Adware
++ CliprexDivXPlayer
++ CliprexDVDRipper

Hijackers
+ Inet Delivery

Keyloggers (Keyloggers steal your logins and passwords)
+ KGBKeylogger

Malware Includes fake anti-virus and anti-spyware programs, like VirusHeat
++ BPS.Gen
++ Fraud.Antivirus2008
+ ISearchTech
+ MagicControl.Agent
+ Rogue.IEAntivirus
++ Rogue.ScanAndRepair2007
+ Smitfraud-C.
+ SpyShredder
++ Themida.Bot.tsj
+ Vario.AntiVirus
+ VirusHeat
++ Win32.Agent.kmf
+ Win32.BHO.je

PUPS Possibly Un(popular|wanted) Software
+ CliprexDVDPro

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans Includes 1 new Zlob* Trojan detections
+ Banker.PorSMTP
+ ShudderLtd.AntiVirusPro
+ Smitfraud-C.MSVPS
++ Win32.Agent.cn
++ Win32.Agent.esq
++ Win32.Agent.qwq
+ Win32.Delf.eq
++ Win32.Konik
++ Win32.SlhClient
++ Win32.Small.dv
++ Win32.Small.imu (2)
++ Win32.Systembin
+ Zlob.Downloader.vdt

Total: 607566 fingerprints in 158897 rules for 3918 products!

False positive detections fixed this week:
SpyBossPro detected in ijl11.dll false positive fixed.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans are constantly modified by it's maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

When a file sharing user double-clicks to play one of these files they get a surprise. Instead of seeing a movie or hearing a music file they are presented with a browser page that displays a EULA consisting of about 4800 words. The scam tells them that they must install a special media player, from fastmp3player.com - to playback the file they are trying to hear/see. Upon agreeing to the EULA the user is redirected to fastmp3player.com where a file download box appears, for a file named (at this time) "PLAY_MP3.exe." This file will install two separate adware and spyware applications; "FBrowsingAdvisor" and "SurfingEnhancer."

Apparently, in samples that have been analyzed in the last two days, these attacks are specifically designed to work in the Firefox browser. If Firefox is not found on the victim's computer, they will get a Windows error message and will be urged to download and install Firefox.

Most major anti virus and anti spyware companies can already detect and remove this threat, which has been elevated to a "medium threat" status by McAfee, for home users.

People who like to obtain copyrighted music or movies without paying a fair price for a licensed copy are left at risk from botmasters looking to increase their botnets, and criminals using affiliate programs to earn commissions for installing spyware and adware onto as many computers as possible.

What you can do to protect your computer from this threat.

1. Stop using file sharing programs like Limewire or Kaaza, or others, that allow people to distribute (share) copyrighted works illegally. They are riddled with malware files of all sorts. Instead, use one of the legitimate music or movie websites, like Apple's iTunes, Real Rhapsody, or Napster.


2. Install a modern, legitimate anti virus program that offers multiple daily updates and set it to receive automatic updates every hour. If you can't set it to an hourly schedule then run a manual check for updates as often as you think about it. Or, use Windows Task Scheduler to run the updater executable every hour. Reputable anti virus companies include Trend Micro, Symantec, McAfee, NOD32 and AVG.


3. Install a reputable anti spyware program and keep it updated as often as possible. Recommended companies include PCTools Spyware Doctor, Webroot's Spy Sweeper, Trend Micro PC-cillin, Lavasoft's Ad-Aware and anti-virus, and Spybot Search and Destroy.


4. Scan for threats every day, before you get busy online, or every night, before you turn off the computer for the night.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on May 7, 2008:

Hijackers
+ SearchALot

Keyloggers (Keyloggers steal your logins and passwords)
+ SpyBossPro

Malware Includes fake anti-virus and anti-spyware programs
++ Delf.12.an (2)
++ Fake.SecurityAlert
+ MalwareBell
++ MalwareCore
++ Win32.Agent.cs
+ Win32.BHO.je (3)
+ Win32.Renos
++ WinIFixer

PUPS Possibly Un(popular|wanted) Software
+ Enter.Casino.PT

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
+ Conducent.TimeSink

Trojans Includes 5 new Zlob* Trojan detections
++ CNNIC.cn
+ Smitfraud-C.MSVPS
+ Virtumonde.dll
++ Win32.Agobot.aoi
++ Win32.Tibia.de
++ Win32.VB.bks
++ Win32.VB.me
+ Win32.Zhelatin.ah (a.k.a: Storm Trojan)
++ Zlob.Downloader.fvn
++ Zlob.Downloader.jau
++ Zlob.Downloader.vat
+ Zlob.Downloader.vdt
+ Zlob.ZipCodec

Total: 595073 fingerprints in 154556 rules for 3893 products!

False positive detections fixed this week:
False Positive for "ContraVirus" and "VirusBlast" has been fixed with this week's definition updates. Also removed from the immunizations list is Hotlinkfiles.com. This was done after they implemented anti malware scanning of all uploaded files.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans are constantly modified by it's maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

In the beginning of this series I was using MailWasher Pro filters exclusively, to detect and delete incoming spam email. Since then I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see at all. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool; MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

My analysis of this week's spam shows that male enhancement pills, Viagra and other pharmaceuticals occupy the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes, pirated software and Google redirect exploits to fake "video codecs" (e.g: the Zlob Trojan and other Trojan Horse executables) falling further behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days comes from zombie computers, used as spam relays, in various Botnets.

As is usually the case, the category "Other Filters" has the second largest percentage in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever email subjects, such as: one word subject, digits and consonants senders, various HTML tricks, 2 line spam tricks, and some lottery and financial fraud and phishing scams. The spam main categories that rated a measurable percentage are listed below.

The current percentage of identified spam that made it through the filters on my mail server is 38% for the week ending May 4, 2008. These messages were all identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter" which then flags any similar messages as spam, making them easy to spot in the message list. This has earned the category "Learning Filter" a small spot in the list below. :-)

Download MailWasher Pro Here

MailWasher Pro spam category breakdown for April 28 through May 4, 2008.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on April 30, 2008:

Adware
+ Wintouch

Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax
++ KeyloggerDouglas
++ KeyloggerSpy

Malware Includes fake anti-virus and anti-spyware programs
+ MalwareBell
++ AntiVirProtect
+ IEDefender
++ Killsoft.V2008
+ Win32.BHO.je

PUPS Possibly Un(popular|wanted) Software
+ EuroGrand.Casino.PT
++ Monaco.Gold.Casino.PT

Trojans Includes 4 new Zlob* Trojan detections
++ BachKhoaAntivirus
++ BaiduBar.HostsRep
++ Delf.Inject
+ Prorat-D
+ Smitfraud-C.MSVPS
+ Virtumonde.dll
++ Win32.Agent.aou
++ Win32.Agent.ay
++ Win32.Mutant.jz.rtk
++ Win32.Shark.ae
+ Zlob.Downloader.bs
+ Zlob.Downloader.se
+ Zlob.Downloader.vet
+ Zlob.Downloader.vdt
++ YMCam

Total: 593837 fingerprints in 154855 rules for 3880 products!

False positive detections fixed this week:
No false positives to report at this time.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans are constantly modified by it's maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

In the beginning of this series I was using MailWasher Pro filters exclusively, to detect and delete incoming spam email. Since then I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see at all. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool; MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

My analysis of this week's spam shows that male enhancement pills, Viagra and other pharmaceuticals occupy the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes, pirated software and Google redirect exploits to fake "video codecs" (e.g: the Zlob Trojan and other Trojan Horse executables) falling further behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days comes from zombie computers, used as spam relays, in various Botnets.

As was the case before, the category "Other Filters" has the largest percentage in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever email subjects, such as: one word subject, digits and consonants senders, various HTML tricks, 2 line spam tricks, and some good old Nigerian 419 lottery and financial fraud scams. The spam main categories that rated a measurable percentage are listed below.

The current percentage of identified spam that made it through the filters on my mail server is 38% for the week ending April 27, 2008. These messages were all identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter" which then flags any similar messages as spam, making them easy to spot in the message list. This has earned the category "Learning Filter" a small spot in the list below. :-)

MailWasher Pro spam category breakdown for April 21 through 27, 2008.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released a day later than usual, on Thursday, April 24, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are normally released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings, or in this instance, on Thursday. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

While immunizing your computer is generally a good security measure, there may be occasions where the immunization detections break a program you want to use, or block access to a website you choose to visit. If this happens to you after you immunize with new definitions, go to the Immunize tab and run UNDO, to remove the last immunizations. You can also use the checkboxes to selectively undo or redo immunizations. Right-clicking on the immunization list gives you the option to select all or select none, which helps with mass immunizations or undoing mass immunizations. Also, if you are going to uninstall Spybot S&D, always select all immunizations, then click on Undo. This will unblock everything before you delete the program.

Spybot Updates - published every Wednesday, except this week

Additions made on April 24, 2008:

Adware
+ BaiduBar

Keyloggers (Keyloggers steal your logins and passwords)
+ Winsession Logger
++ XPCSpyPro

Malware Includes fake anti-virus and anti-spyware programs
+ ContraVirus
++ Fake.Antispyware.TheSpybot2007
+ MalwareCrush
+ PestTrap
+ Smitfraud-C.
+ SpywareQuake
+ Swizzor
+ TitanShield
+ TrustCleaner
+ VirusBlast
+ VirusBurst
+ VirusProtectPro

PUPS Possibly UnPopular Software
+ 32Vegas.PT (4)
+ Deskbar
+ Europa.Casino.PT (13)
+ Vegas.Red.Casino.PT (20)

Security
+ Microsoft.Windows.AppFirewallBypass
++ Microsoft.Windows.Exefile.HideExtension

Trojans Includes new or updated Zlob* Trojan detections
+ BraveSentry
+ Fraud.ProtectionBar
+ Hupigon (11)
++ Hupigon.evc
++ Hupigon.Gen
+ Nuclearwinter
+ SafetyBar
+ Virtumonde.dll
++ Warpcom
++ Win32.Agent.af
++ Win32.Agent.ip
++ Win32.Agent.vye
+ Win32.Autorun
++ Win32.Backdoor.ajhb
++ Win32.Bifrose.blr
++ Win32.Delf.asz
++ Win32.mIRC
++ Win32.Pakes.cgn
+ Win32.Qhost.ake
++ Win32.Settec
++ Win32.Soundmix
++ Win32.VB.tr
+ Zlob.Downloader.bs (2)

Total: 575727 fingerprints in 137545 rules for 3893 products!

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans are constantly modified by it's maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

In the beginning of this series I was using MailWasher Pro filters exclusively, to detect and delete incoming spam email. Since then I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see at all. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool; MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

My analysis of this week's spam shows that male enhancement pills, Viagra and other pharmaceuticals occupy the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes and Google redirect exploits to fake "video codecs" (e.g: the Zlob Trojan and other Trojan Horse executables) following closely behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days comes from zombie computers, used as spam relays, in various Botnets.

As was the case before, the category "Other Filters" has the largest percentage in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever email subjects, such as: one word subject, digits and consonants senders, various HTML tricks, 2 line spam tricks, and some good old Nigerian 419 lottery and financial fraud scams. The spam main categories that rated a measurable percentage are listed below.

The current percentage of identified spam that made it through the filters on my mail server is 34% for the week ending April 20, 2008. These messages were all identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter" which then flags any similar messages as spam, making them easy to spot in the message list. This has earned the category "Learning Filter" a small spot in the list below. :-)

MailWasher Pro spam category breakdown for April 14 through 20, 2008.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).

Details
After immunizing Firefox, with the updates from 17/4/08, upon attempting to open SpywareBlaster this error message popped up:

Error: Access violation at 0x005F71FC (tried to read from 0x04F3032C), Program termminated

Some users performed an immunization "Undo" on the Firefox protection only and it worked,
just using SpywareBlaster to immunize Firefox. Normally, these programs get along quite well, but this time there was a glitch. I applaud Team Spybot for rushing out a sudden patch to correct this problem, as I also use SpywareBlaster and Firefox on some of my computers and was similarly affected.

For those who don't know the details about these programs, both Spybot Search and Destroy, by Patrick M. Kolla, and SpywareBlaster, by Javacool Software, are well known freeware security programs that have a feature they call "Immunization," which is a proactive form of protection against known hostile ActiveX controls, dangerous domains, browser hijackers and even advertiser's cookies, placed by websites you visit. By "Immunizing" after updating you protect against exploits from the controls, files, websites and other items in the definitions. If these unwanted items are on your computer already they get nullified by the immunization. Otherwise, once immunized, these applications cannot install themselves unless you knowingly override your already applied protection. This is done by unchecking a particular immunization rule, or by undoing all immunizations, en-masse.

Both programs require users to perform manual checking for updates, although SpywareBlaster does offer automatic updates for a small fee. Spybot S & D is always updated on Wednesdays and users must run a manual check for updates. I usually do this on Wednesday evenings, or on Thursday afternoon, just in case a faulty definition was released then patched, like just happened here. SpywareBlaster's latest definitions were released on 4/6/2008, so their update schedule is less regular than Spybot's.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on April 16, 2008:

Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax (2 variants)

Malware Includes fake anti-virus and anti-spyware programs
++ AntiSpywareDeluxe
++ AntiSpywareShield
+ Awola.Anti-Spyware
+ FakeAlert.cc
+ Smitfraud-C.gp
+ VirusHeat
+ Win32.BHO.je (2)
++ Win32.Agent.bk (2)
++ Win32.Agent.xg (2)

PUPS Possibly Un(popular|wanted) Software
++ 24kt.Gold.Casino.PT
++ 32Vegas.PT
++ 50.Stars.Casino.PT
++ African.Palace.Casino.PT
++ Bakara.Casino.PT
++ Cameo.Casino.PT
++ Carnival.Casino.PT
++ Casino.Bellini.PT
++ Casino.Del.Rio.PT
++ Casino.Las.Vegas.PT
++ Casino.Tropez.PT
++ Casino365.PT
++ CasinoKing.PT
+ CasinoRoyal.PT (100)
++ City.Club.Casino.PT
++ Club.Dice.Casino.PT
++ Craps.com.PT
++ Diamond.Club.Casino.PT
++ Enter.Casino.PT
++ EuroGrand.Casino.PT
++ Europa.Casino.PT
++ Flamingo.Casino.PT
++ Golden.Palace.Casino.PT
++ Grand.Online.Casino.PT
++ Hotel.Casino.Network.PT
++ Indio.Casino.PT
++ Joyland.Casino.PT
++ Kiwi.Casino.PT
++ Magic.Box.Casino.PT
++ Mansion.Casino.PT
++ Mega.Sport.Casino.PT
++ New.York.Casino.PT
++ Playgate.Casino.PT
++ Prestige.Casino.PT
++ Royal.Dice.Casino.PT
++ SIA.Casino.PT
++ Sierra.Star.Casino.PT
++ Sky.Kings.Casino.PT
++ Slots.PT
++ Swiss.Casino.PT
++ USA.Casino.PT
++ Vegas.Red.Casino.PT

Security
+ Microsoft.Windows.AppFirewallBypass
+ Microsoft.Windows.RedirectedHosts

Trojans Includes 4 new or updated Zlob* Trojan detections
+ Hupigon
+ Smitfraud-C.MSVPS
++ Win32.Agent.frl (2)
++ Win32.Banbra.anp
+ Win32.BHO.acw
+ Win32.Bifrose.aci
+ Win32.Delf.zq
++ Win32.Qhost.ake
++ Win32.Shark.if
++ Win32.Small.tnt
++ Win32.Small.vy
++ Win32.VB.bmr
+ Win32.Zhelatin.ah (Storm Trojan)
+ Zlob.DNSChanger
+ Zlob.Downloader.vdt
+ Zlob.VideoAccess
++ Zlob.Downloader.vet

Total: 573372 fingerprints in 136752 rules for 3857 products!

False positive detections fixed this week:
http://www.accessorygeeks.com and .accessorygeeks.com is a false positive, blocked by the HOSTS file additions made when you immunize with the HOSTS file option selected. This has been removed in the current updates for the HOSTS file.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans are constantly modified by it's maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

On to the spam analysis at hand!

My analysis of this week's spam shows that male enhancement pills and other pharmaceuticals have reclaimed the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes and Google redirect exploits to fake "video codecs" (e.g: the Zlob Trojan and other Trojan Horse executables) following closely behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days comes from zombie computers, used as spam relays, in various Botnets.

As was the case before, the category "Other Filters" has the largest percentage in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever email subjects, such as: one word subject, digits and consonants senders, various HTML tricks, 2 line spam tricks, and some good old Nigerian 419 lottery and financial fraud scams. The spam main categories that rated a measurable percentage are listed below.

The current percentage of identified spam that made it through the filters on my mail server is 34% for the week ending April 13, 2008. These messages were all identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter" which then flags any similar messages as spam, making them easy to spot in the message list. This has earned the category "Learning Filter" a small spot in the list below. :-)

MailWasher Pro spam category breakdown for April 7 through 13, 2008.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on April 9, 2008:

+ CnsMin
+ CoolWWWSearch.OleHelp

Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax
+ FreeKeylogger
+ Perfect Keylogger

Malware Includes fake anti-virus and anti-spyware programs
++ AntiSpyKit
+ AntiVerminsPro
+ FakeAlert.cc
++ Fake.PC-Antispyware
++ PCCleaner
++ PlatinumPartner
+ Smitfraud-C.
++ Win32.Agent.pn
+ Win32.BHO.je
++ Win32.Krotten.ex
+ Win32.Renos
++ Win32.VB.bpv

Trojans Includes 67 new or updated Zlob* Trojan detections!
+ BackOrifice2k
+ Hupigon
++ Hupigon.dsx
+ Smitfraud-C.MSVPS
++ Win32.Agent.agx
++ Win32.Agent.AQ
++ Win32.Agent.bno
++ Win32.IRCBot.auf
++ Win32.Poison.pg
++ Win32.VB.aqt
++ Win32.Webmoner.co
+ Zlob.AdultAccess
+ Zlob.BrainCodec
+ Zlob.DigiPassword
+ Zlob.DirectVideo
+ Zlob.DNSChanger.rtk
+ Zlob.Downloader.bs
++ Zlob.Downloader.idt
+ Zlob.Downloader.mld
+ Zlob.Downloader.se
+ Zlob.Downloader.sg
+ Zlob.Downloader.vdt
++ Zlob.Downloader.vot
+ Zlob.EliteCodec
+ Zlob.FreeVideo.DVDCodec
+ Zlob.GoldCodec
+ Zlob.HomepageMonitor
+ Zlob.HQCodec
+ Zlob.HQvideo
+ Zlob.iCodecPack
+ Zlob.ImageActiveXAccess
+ Zlob.ImageActiveXObject
+ Zlob.ImageAXObject
+ Zlob.iMediaCodec
+ Zlob.IVideoCodec
+ Zlob.JPEG-Encoder
+ Zlob.KeyCodec
+ Zlob.KeyGenerator
+ Zlob.Mediacodec
+ Zlob.MMediaCodec
+ Zlob.MovieBox
+ Zlob.MovieCommander
+ Zlob.MPVideoCodec
+ Zlob.MyPassGenerator
+ Zlob.NewMediaCodec
+ Zlob.PerfectCodec
+ Zlob.PornMagPass
+ Zlob.PornPassManager
+ Zlob.PowerCodec
+ Zlob.PPlayer
+ Zlob.PrivateVideo
+ Zlob.QualityCodec
+ Zlob.SilverCodec
+ Zlob.SiteEntry
+ Zlob.SiteTicket
+ Zlob.SoftCodec
+ Zlob.strCodec
+ Zlob.SuperCodec
+ Zlob.TrueCodec
+ Zlob.VAXCodec
+ Zlob.Vcodec
+ Zlob.VidCodec
+ Zlob.VideoAccess
+ Zlob.VideoAccessActiveXObject
+ Zlob.VideoActiveXAccess
+ Zlob.VideoActiveXObject
+ Zlob.VideoAXObject
+ Zlob.VideoBox
+ Zlob.VideoCodec2007
+ Zlob.VideoCompressionCodec
+ Zlob.VideoKeyCodec
+ Zlob.VideoPlugin
+ Zlob.WinMediaCodec
+ Zlob.XpassGenerator
+ Zlob.XPasswordManager
+ Zlob.ZCodec
+ Zlob.ZipCodec

Total: 578031 fingerprints in 129018 rules for 3855 products!

False positive detections fixed this week:
http://www.accessorygeeks.com and .accessorygeeks.com is a false positive, blocked by the HOSTS file additions made when you immunize with the HOSTS file option selected. This will be removed in the next update cycle, or you can manually edit your HOSTS file and remove this domain from being redirected to 127.0.0.1 (your local machine IP).

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans are constantly modified by it's maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

Yesterday I learned about a new means being tested by security cracking professionals and hackers, whereby a 2Wire modem can still be hacked after a personal administrator password has been applied to it! The exploit may already be in the wild, on MySpace, Facebook, or other popular social networking websites, or soon will be. The technique they are using is not brute force, nor a dictionary attack, in fact, it is what I'd call a chance opportunity attack vector. The way it works is by launching a script aimed at your router's GUI configuration page, in your browser, hoping that you have recently logged into the router, in the same browser session. If you have been logged into your router and not closed that browser in the interim, and you happen upon a web page that contains the JavaScript exploit code, your router can be taken over! This happens because having logged in once, and not logged out, you are still authenticated by the router and anything you want to change is only a mouse click, or code string away. No further challenges would appear in most consumer modem/routers or wireless routers. After gaining access to the configuration utility a hacker's code can change your router's administrator password, poison the DNS tables (to redirect you to phishing websites), enable remote administration, download hostile firmware, and anything else the hacker can think of. You wouldn't be any the wiser until you closed that browser, then tried to log in again, only to find that your password was incorrect.

Should this type of attack happen to you and you find yourself locked out of your router, or modem/router configuration page, don't panic yet. The first thing you should do is reset the router to its default state. Most routers have a small hole on the back, where you can insert the tip of a pen, pencil, or hair pin and hold it in for a half minute, or so, then power off, hold it in again, then release the button and power the unit back on. After the device stabilizes you should be back to factory default settings. Close any open browsers to clear any possible hostile sessions and empty your browser's cache, or Temporary Internet Files. Next, open a new browser window and enter the web interface for your router and change the administrator password, disable remote administration and UPnP, then, if at all possible, change the router's IP address. Do not open any other web pages yet; they could have hostile codes embedded without the owner's knowledge.

The last item I mentioned is important because many router or modem attacks have hardcoded IP addresses in the scripts, which will target specific brands of routers. Some will target the address 192.168.1.254, used by 2-wire and certain other routers. If your router will allow you to alter its IP address, do so and save the changes, then log in using the new IP. For instance, if the default IP is 192.168.1.254, change it to something like 192.168.2.253. Be creative here. As long as you change it to a valid LAN IP, in the 192.168 range, it should accept it. When you restart the router, after saving the change, you will probably have to release and renew the computer's IP address, to get a new one from the changed router. To do this open a command prompt. Go to Start > Run and type in CMD then press the Enter key. A black command window should open, with a blinking cursor after a text path ending in a > symbol.

At the blinking cursor type the following commands:

IPCONFIG /RELEASE
press Enter
IPCONFIG /RENEW
press Enter

The last command will show your new computer's IP address as well as the IP of the gateway, which is your router (or modem/router). The gateway IP should be the same as the one you just assigned to your router.

Go back to your browser and try to log into the router again, using the new IP address you assigned to it. You should have to type in your user name and password to get authenticated. Once you are successful and have checked everything that needs checking, close that browser. From henceforth, until all of the major router manufacturers update their firmware to force you to type your old password before changing it, always close all browsers after visiting the router's web interface. Empty your browser's cache before surfing to any other websites, just in case they have been compromised with hostile codes aimed at your router.

If you have visited your online bank, or other financial institution, contact them as soon as possible to put a fraud watch on your account. Then, after securing your (modem) router, log in again to these websites and change you passwords. Hopefully, you will notice the problem with the router before the hackers receive your login details and empty your accounts.

Make it a point to visit your router/modem-router's manufacturer's website to look for new firmware and install it when it becomes available. If you do not know how to do this call your broadband service provider, who supplied the router, and ask them what they are doing to safeguard their routers. They may offer a flash upgrade on demand and may even do it without notifying you first. If that does occur, your personal settings and administrator password may have been reset to default again, along with the IP address you changed. This is typical for firmware updates, but I can't say for sure that you exact model will get reset completely by an upgrade. Just write down everything you know about the router's login and IP address, or save the configuration file after you have everything where you want it, and import it after you flash the firmware. Always verify your settings and make sure you are able to connect to the net, before closing out the router interface. Exit all browser windows afterward and clear the cache/Temporary Internet Files before starting to surf. I have detailed instructions in the extended comments below, for automatically clearing your browser's cache, upon closing all browser windows.

If you have a website that uses cPanel as the control panel and it has email filtering enabled, on an account-wide basis, the rules below will reduce the amount of spam you see, dramatically.

First of all, you should be aware that not all cPanel icon layouts are the same, nor are all of the same options available from various hosting companies. I have my websites hosted at Bluehost and enjoy lots of user configurable options, including account-wide user-created email filter rules. I gain access to the email filters by following this path: Login to cPanel > "Home" > "Mail" section > "Account Level Filtering" icon. This opens a new cPanel page with the heading: "Edit Filters for All Mail On Your Account" - "In this area you can manage filters for your main account. Note, that if you have add-on domains hosted under the main account, their email accounts will also be covered by these filters. My cPanel also has an icon that when clicked upon allows me to create filters on an individual account basis. This way I can apply more restrictive rules to the accounts receiving the most spam, leaving the others to be filtered less drastically.

For simplicity sake I have grouped all of my various account rules into one set, which can be applied site-wide. You'll still see some spam, but not nearly as much as you do before applying these rules.

On the cPanel "Account Level Filtering" page, click the button labeled "Create a new Filter." The first input field is labeled: "Filter Name:" and you should type in the name you want to assign to each rule, or use mine, shown below. Each rule must have a unique filter name.

The next section down is labeled "Rules" and is where you select the various criteria for the rules. The options list on the left is where you choose which part of the email message the rule on that line will apply to. Use the down-arrow button to open the options list. Most commonly used filter selections are: "From, Subject, To, Body and Any Header."

The options list on the right side of Rules section determines how that rule will be applied. The options in the flyout list are: "Equals, Matches Regex, Contains, Does Not Contain, Begins With, Ends With, Does Not Begin With, Does Not End With, Does Not Match."

The actual rule text goes into the input field under the flyout options. Type, or copy and paste my rules below, into the input field for each rule. Next, under Actions, choose Discard Message, then click on the button labeled: "Activate." You will be taken to a page reporting that rule "such and such" was successfully created, and which contains a button to take you back to the main Filters page. There, under "Filter Test," you can test your rules in the test message area. Just enter text, or headers to be tested into the appropriate section, adding to or replacing what is already there, then press the "Test Filter" button. The results page will tell you what, if any filter rule has been matched and that the results would be a delivery to "/dev/null" (the bit bucket).

If the results of a filter test are "Normal Delivery," for a filtered spam message, something is wrong with your input selections. Use the Edit button next to the filter that should have applied and check your options settings and look for typos in the actual rule text. Save changes by clicking the Activate button, then test again. You'll get it right eventually. Trust me, I know - I've gone through this already.

Every rule group has a plus and a minus button on the right side. These are used to add additional criteria to the rule set. Plus adds a new rule, while minus removes the last rule. Each rule can apply to a different part of the message and have a different matching criteria. Theoretically, one could apply all of my rules to one filter set, but that would make it very hard to debug if legitimate email gets sent to the bit bucket in the sky. Keep the rules separate and properly labeled to make it easy to edit or remove them, if it becomes necessary.

See my extended comments in the section below, for the actual rules.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on April 2, 2008:

Malware Includes fake anti-virus and anti-spyware programs
+ MalwareWipe
++ Win32.Alman
++ ZlobDownloader.vdt

Security
++ Microsoft.Windows.FileExecution

Trojans
+ Bifrose.LA (2)
+ CoolWWWSearch.SearchToolbar (2)
+ Hupigon
++ Hupigon.cbs
++ Injector.u
+ PremiumSearch (1574)
++ RysioLogger
+ SubSeven
++ Wannnadoo
++ Win32.BKClient
++ Win32.GBDialer.j
+ Win32.Nakuru.a
++ Win32.OnLineGame.jun
++ Win32.VB.sj

Total: 563708 fingerprints in 125654 rules for 3757 products!

False positive detections fixed this week:
False positive on vxSystem.dll from the Vigilix remote monitoring product. It was being incorrectly reported as VX2.b.BDS