
May 7, 2008

Malware threat from fake MP3 files and fastmp3player.com

There is a new malware threat in the wild circulating among various file sharing networks. The threat is spread by duping file sharing users into downloading fake mp3 audio and mpeg movie files, which have very enticing filenames (some listed below in extended comments). All of these fake files have very small file sizes, which should be a giveaway that something is wrong with them. Despite that fact, almost 400,000 PCs are now infected in just a few days, after their users downloaded and opened some of these rigged files.

When a file sharing user double-clicks to play one of these files they get a surprise. Instead of seeing a movie or hearing a music file they are presented with a browser page that displays a EULA consisting of about 4800 words. The scam tells them that they must install a special media player, from fastmp3player.com, to play back the file they are trying to hear/see. Upon agreeing to the EULA the user is redirected to fastmp3player.com where a file download box appears, for a file named (at this time) "PLAY_MP3.exe." This file will install two separate adware and spyware applications: "FBrowsingAdvisor" and "SurfingEnhancer."

Apparently, in samples that have been analyzed in the last two days, these attacks are specifically designed to work in the Firefox browser. If Firefox is not found on the victim's computer, they will get a Windows error message and will be urged to download and install Firefox.

Most major anti virus and anti spyware companies can already detect and remove this threat, which has been elevated to a "medium threat" status by McAfee, for home users.

People who like to obtain copyrighted music or movies without paying a fair price for a licensed copy are left at risk from botmasters looking to increase their botnets, and criminals using affiliate programs to earn commissions for installing spyware and adware onto as many computers as possible.

What you can do to protect your computer from this threat.

  1. Stop using file sharing programs like Limewire or Kazaa, or others, that allow people to distribute (share) copyrighted works illegally. They are riddled with malware files of all sorts. Instead, use one of the legitimate music or movie websites, like Apple's iTunes, Real Rhapsody, or Napster.

  2. Install a modern, legitimate anti virus program that offers multiple daily updates and set it to receive automatic updates every hour. If you can't set it to an hourly schedule then run a manual check for updates as often as you think about it. Or, use Windows Task Scheduler to run the updater executable every hour. Reputable anti virus companies include Trend Micro, Symantec, McAfee, NOD32 and AVG.

  3. Install a reputable anti spyware program and keep it updated as often as possible. Recommended companies include PCTools Spyware Doctor, Webroot's Spy Sweeper, Trend Micro PC-cillin, Lavasoft's Ad-Aware and anti-virus, and Spybot Search and Destroy.

  4. Scan for threats every day, before you get busy online, or every night, before you turn off the computer for the night.

March 6, 2008

Beware of a new round of Storm Trojan e-card scams

The infamous Storm Trojan Botnet has reawakened, after a brief sleep. It last made its appearance towards the end of January, stayed active until Valentine's Day, then disappeared. Since July of 2007 the Storm Botnet is most well known for sending out spam messages containing links to view e-cards, or postcards. All of the resulting web pages are hosted on other Storm-infected, botnetted computers and all of the links lead to your PC being infected with the same Trojan.

One of the things that made Storm Trojan links stand out last year was that most of them were numeric IP addresses, rather than domain names, in their links. These links resemble this example: ht*p://123.123.123.123/(some garbage characters may follow). During the last quarter of 2007 the Botnet began using actual registered domain names to reach the target host computers, which are managed on what is known as a Fast-Flux DNS network. Most of these domain names were registered within a few days of the spam run and are usually allowed to die shortly thereafter.

The Storm has become active again and is once again spamming out email messages about e-cards and postcards, most containing the good old numeric IP links. All of the targets are infected PCs and if you are duped into clicking on a link to such a target, exploits await you, including an automatic download of the Trojan. Should this fail, you will be enticed to click on a link, or an image to begin your download, supposedly to view your e-card/postcard. At this point, if you are running a Windows based computer, with Administrator level privileges, your PC is about to become a zombie member of the Storm Botnet.

When, not if, you receive one of these e-card/postcard notices delete it immediately. If the sender looks like a name you know, check the email address to see if it matches that name. If in doubt, contact that person to see if they knowingly sent you an e-card, from that particular e-card company. Chances are they won't know anything about it. You see, the names and addresses used in the From fields are all harvested from infected computer contact lists and address books. All spam email messages since late 2006 have totally forged From and Reply-To email addresses. The people whose names and addresses are being used have no idea this is happening and cannot stop it. If you have sent an email to somebody whose computer gets infected with an email harvesting Trojan or Worm, your email address will not only receive spam, but will be used in forged From and Reply-To fields of spam messages. There is nothing you can do about this. Even my accounts have been harvested from computers of customers and friends and I see spam coming to me, supposedly From me!

Unwanted E-Card/Postcard = DELETE! Leave the curious George stuff to professionals like me and the anti-exploitation labs.

March 4, 2008

Watch out for a new fraudulent anti-virus ploy named MonaRonaDona

Most experienced Windows PC owners know by now that their computers are the primary targets of every type of malware exploit that can be conceived by man or machine. Prudent PC owners take extra precautions and ensure that their computers are protected and scanned regularly, with up-to-date anti virus and anti spyware programs. They also tend to use more secure browser settings, or switch to Firefox for their Internet browsing, instead of Internet Explorer. Yet, millions of PCs are infected every day, with all manner of spyware and viruses, with many of them belonging to fairly new computer users (Newbies). Why is this?

A lot of the reason for the constant increase in infected computers is due to inexperienced, or unaware Windows PC owners operating without proper and active security protection onboard. I have disinfected lots of computers that had either no virus protection at all, or had expired anti virus applications on them. An expired product is as useless as if it wasn't there, and gives a false sense of security to untrained PC users. Most of these products ship with new computers and offer a free 3 or 6 month trial period, after which they become inert, unless a subscription is paid for to keep them updated with new threat definitions.

This background information leads into the subject about which I am posting today. It has to do with a brand new malware threat that is in the wild, calling itself "MonaRonaDona." This is a malware "Trojan" that is acquired by downloading and installing a fake software program called RegistryCleaner 2008, although there may also be other means of delivering the infection. Once MonaRonaDona is installed on the victim's PC it pops up an ominous alert, identifying itself by name, and proudly proclaiming its intention to cause harm to your computer, currently using this text:

“Welcome to MonaRonaDona. I am a Virus & I am here to wreck your PC. If you observe strange behavior with your PC, like program Windows disappearing, etc., it’s me who’s doing this.”

This pop-up alert and strong language is meant to panic unsuspecting victims into paying to have it removed by a fraudulent anti virus program, which is a companion to this threat. People who are duped by this two-handed ploy will have the MonaRonaDona alerts turned off by the companion malware application, which they had to pay for to use. This is also known as extortion-ware. The MonaRonaDona component is only there as bait for the fake anti virus program, which the perpetrators of this fraud want to sell, for about $40 US. The fake anti virus product may be called "Unigray," or other names. It is apparently not linked to directly at this point in time; instead, the victim is expected to search for anti virus programs that specifically target it.

False information about the fake anti virus program has already been spammed to Google and other search engines, through phoney blogs and spam blog postings, poisoning the results pages. If the victim searches for help removing MonaRonaDona, they will most likely see the fake products listed at the top of the results. This is a new method of delivering fraud-ware, by gaming search results and panicking users into searching for the spammed, fake removal tool.

The fake removal program will tell MonaRonaDona to shut itself down, making the victim believe that the anti virus program actually removed it legitimately. But, this is merely a ploy. Most free anti virus and anti spyware programs will detect and remove this threat within a few hours of its discovery, if you check for updates every day, several times a day.

Early credit for this discovery goes to Eugene Kaspersky and his famous, commercial Kaspersky Anti Virus products. They are often first to intercept malware that comes from certain regions of Russia where much of the World's malware is written and launched.

If you don't have any up-to-date anti virus protection on your Windows PC, give Kaspersky a try, or TrendMicro, or Norton Anti-Virus products. If you can't afford to buy commercial anti virus protection there are various free programs available. I would unhesitatingly recommend AVG Free, although Avast! is also very good.


February 23, 2008

Current Malware Threats In The Wild

Malware

Computer programs coded, or modified, to endanger your computer, compromise its security, make it part of a Botnet, display unwanted advertising pop-ups, defraud you, or steal your log-in user names and passwords, or your identity.

Malware includes computer viruses, Trojans, backdoors, rootkits, spyware, adware, keyloggers, dialers and rogue (fake) anti-spyware and anti-virus programs.

All of the above mentioned malware types are threats to anybody running a Windows based operating system, especially when they are connected to the Internet. There are malware threats that are specifically targeted at other operating systems, like Macintosh and Linux, but they are less prevalent, mostly due to the smaller installed base of those OS's. Some come to you over the wires, so to speak, via TCP/IP attacks against open "ports." A router between you and your external broadband modem can stop those attack vectors (unless you have poked holes in the router's firewall). However, no common router has the means of protecting you against malware threats that come in as you read email, or use your Internet browser. Unless you have an advanced router, that receives regular updates to its malware detections, you will need to keep a software firewall running on your computer, to protect it against hostile incoming TCP threats.

Malware threats do not just come from the Internet. I got into computer troubleshooting before I was connected to the Internet, due to an infected floppy disk. Floppies are mostly gone nowadays, but there are still some CD's, DVD's and plug-in memory devices that are somehow infected before going to, or during production. Then, you have certain music companies who knowingly install programs onto their CD's, which install rootkits onto the computers of legitimate buyers, to prevent copying those CD's (DRM protection). This was done a couple of years ago by Sony-BMG. Those DRM rootkits were then exploited by cyber-criminals to install other, much more dangerous types of malware.

Every week or two there seems to be a new type of malware attack method discovered, as well as constant variations of existing methods of infection. This article will review the latest methods of delivering viruses, spyware, rootkits, backdoors, keyloggers and Trojans to your PC. All of the threats listed are already "in the wild." Most of them are being used to draft unprotected, or insufficiently secured Windows PC's into Botnets. Others are used to steal login information to website control panels, servers, banks, eBay, PayPal, or similar institutions. Then there are the pop-up ad windows that can render a computer unusable, and rogue anti-spyware programs that trick you into paying to remove the threats that the program itself invented, or installed. Your best defense against all of these threats is to keep a firewall running at all times, keep the most current version of anti-virus and anti-spyware programs working and updated, and keep fully current with Windows or Macintosh security patches and updates (yes, Apple releases security patches too).

The most prevalent malware threats, in the Wild, include the following (The Dirty Dozen):


  • Lunar eclipse video scam - link leads to Trojan and Botnetting if clicked

  • IRS rebates and refunds phishing scams - targets US citizens by mail or phone

  • Bank Of America phishing scam

  • Hillary Clinton video download scam - link downloads a Trojan if clicked

  • Britney Spears and Paris Hilton video scams - link downloads a Trojan if clicked

  • Storm Trojan numeric links in spam emails continue, but are reduced.

  • Thousands of compromised web servers are still allowing JavaScript redirection exploits to occur, leading to stealth download infection attacks on many visitors of the web sites hosted on those servers.

  • Compromised individual web sites have had hidden iframes installed, by criminal hackers, leading to instant infection of insufficiently secured PC's visiting those web sites.

  • Adobe Reader had a vulnerability that, if exploited, allowed complete computer takeover. Everybody using Adobe Reader or Acrobat should be sure they update to the latest, patched version. Use the program's Help menu to check for updates and install them.

  • Apple QuickTime exploits are in the wild. Make sure you update to the current version.

  • There are Java virtual machine exploits on compromised web pages. Make sure your computer has the latest version of Sun's Java.

  • Finally, rounding out the Dirty Dozen, certain brands of wired and wireless routers are being targeted with DNS redirect attacks. This involves sending code, from simply opening a hostile spam email message, to the targeted router, which reprograms the router to send users to a phishing banking website, or other financial institution, if you try to logon to that institution. Router exploits that are in the wild were recently successful against millions of Mexican DSL routers, many of whose owners used the bank that the redirect was aimed at. All of these router attacks depended on the users not setting a personal Administrator password! Those with a password were not affected.


What you can do to protect your PC and your identity

If you have a Mac OS PC, make sure you check for updates at least once a month, or turn on automatic checking for security updates. Mac's "Finder" has a link to check for Apple Updates. If you have iTunes installed, it may need updates occasionally as well.

If you have a Windows PC, the quickest method you can use to check the security level is to visit the security website, Secunia.com, and run their online Secunia Software Inspector (requires Java). After you read the instructions and click on Start, a second page will load; click on Start on that page and it will scan your PC for vulnerable software in its database, and missing Windows Updates. If the Software Inspector finds outdated versions of software it will highlight them with a red mark and expand their details to tell you what vulnerability exists. It will also provide a direct link to the applicable page where you can download the patched version. Sometimes, Secunia will locate an older version of Flash, or Java, that has been left behind after updating to the current version. It will show the locations of those still-vulnerable files, which you should manually delete, or uninstall (Control Panel > Add/Remove Programs).

To protect your router from code exploits, establish a unique Administrator password (do not use the word "password"), disable remote administration and turn off UPnP. If you have a wireless router, set up the best level of encryption your receiving computers can work with. Most broadband routers come with a firewall, with configurable rules and a means of "poking holes" in them. Make sure your router's firewall is turned on and do not allow any port holes unless they are necessary for your personal or business use (e.g. file sharing, VPN, remote desktop, FTP, etc.). Routers use "NAT" to hide your personal network computers from the public Internet. This makes them a less visible target for TCP/IP exploits.

Finally, if your PC shipped with a free trial version of a security program and it has expired, and you have not paid to renew it, you had better either pay for it, pay to upgrade it, or uninstall it and get a different security program. An expired anti-virus or anti-spyware program is totally useless and its only current effect is to eat up valuable system resources! There are many fine security programs available, both in retail stores and online. I have ads for several brands on this blog and on my other web pages, all of them reputable. However, I have my eye on one in particular that seems to be pulling ahead of the others, especially in the area of intercepting website-borne malware threats. That company is Trend Micro. They have a technology that is included in the Trend Micro Internet Security 2008, also known as "PC-cillin," that analyzes the content of web pages you visit, screening them for either known hostile codes, or potentially hostile embedded exploits, based on heuristics. If such codes are discovered Trend Micro's web threat protection will block the harmful content, while allowing safe content to be delivered. Or, it can block the entire web site from downloading anything, if you prefer. This type of defense is invaluable when you consider that much of today's malware is being delivered through website exploits and hidden redirects.

The Trend Micro Security Suite 2008 also comes with a two way firewall, anti-virus, anti-spyware and anti-phishing protection, with multiple daily automatic updates, all for a reasonable subscription price and allowing you to protect up to three PC's under one license. Get 10% Off a 1 year subscription to Trend Micro Internet Security 2008, using Coupon Code: TrendIS08.

December 28, 2007

Is your computer infected with the Storm Trojan?

First, some background information about the Storm Trojan.

Since July 1, 2007, I have written several blog articles warning people to be on the lookout for email scams that contain links that cause Windows computers to become infected with the Storm Trojan. This malware threat has already infected more PCs than any other in the history of personal computing. In August of 2007 estimates put the total number of infected computers at anywhere from 1 million to over 5 million! All of the infected computers acquired the Storm Trojan through social engineering trickery of their human owners.

Early varieties of the Storm Trojan, which began circulating widely in January, 2007, used catchy news headlines (some true, some false), such as news of hundreds of people killed by storms raging across Europe. Early payloads were carried in hostile attachments, offering more information or the full story, but were rigged with the Storm Trojan malware. Later, in mid-2007, the authors began shifting away from using attachments and started providing links to the already infected computers, which were now used to host web pages that carried exploit codes and copies of the Trojan itself. The owners of these computers had no idea that their machines were being used for this purpose, and other purposes even more sinister.

It was in June 2007 that I began to notice suspicious numeric links in email spam messages, that characterized the new breed of the Storm Trojan. There were several phases where different techniques were employed, all designed to appeal to human curiosity and which snared more and more unsuspecting victims into the ever-growing Storm Botnet. There were e-cards, postcards, verification messages, free music, free games, funny cats, dancing skeletons, Naughty Christmas cards and now, New Years greetings postcards. All of these scams contain a link which the person reading the email must click on. If you are running a Windows computer that has not been fully patched against all known vulnerabilities in the wild, and you clicked on one of those links, chances are good that your computer has become a "zombie" member of the Storm Botnet.

Most of the time, the owners of these compromised machines don't know what is happening behind the scenes, as all of this activity is hidden from the user interface. The only give-away that something is amiss would be occasional unexplainable computer and Internet slowdowns, along with periods of high activity on their (external or broadband) modem "activity" lights, as thousands of spam emails, or DDoS attacks are launched from their computer. So, aside from flickering modem lights, how can you tell if your Windows computer has been infected with the Storm Trojan?

Since the Storm Trojan has been around for about a year now, it is safe to say that all anti virus and anti spyware programs have definitions to detect and eliminate this threat. If you have an anti virus and/or spyware program, make sure your scanning engine is fully current, and the definitions are up to date, then reboot into Safe Mode and scan all files. Safe Mode scanning is recommended, because, although the Storm Trojan installs its "service" as a hidden "rootkit," it still has supporting processes and files that can be stopped and deleted from Safe Mode. After the support files and registry entries are terminated the rootkit infector will be vulnerable. With any luck your security program will find and remove the files and services associated with this Trojan.

If you don't have an anti virus or anti spyware program on your Windows computer you are probably already infected with all manner of malware. There is a manual method that you can use to determine if your computer has/might have the Storm Trojan. A rootkit keeps its own main operational files from being viewed in Windows Explorer, or in Command Windows, by intercepting attempts to find those file names, or slight variations of their names and sending a null result to the screen. These are known as "super hidden" files. So, if your computer does have a rootkit infector and you were to look for their presence using a Windows Search, or a "Dir" command in a DOS Command window, the rootkit file(s) would not reveal themselves to you. Interestingly, if you were to create a new text file on your Windows desktop, with the same prefix as the rootkit's files, that file would instantly disappear from view, or would not appear in a DOS Window directory listing.

While the Windows desktop file may or may not work as described, a Command Window can be used to reveal the presence of the Storm Trojan's rootkit.

Since Windows Explorer refuses to display super hidden rootkit files and services, a good old DOS window and some special commands might do the trick, by hiding a specially named file that you just created. Here's what you need to do to check for the presence of the Storm Trojan rootkit component.


  1. Go to Start > Run and type in: CMD and press Enter

  2. A "Command" Window will open, with a blinking cursor, waiting for text input from you.

  3. Case doesn't matter with these commands.

  4. In the Command Window type this: copy con spooldr.txt

  5. Press Enter. The blinking cursor should move down to a blank line.

  6. Type a few words to create some filesize, then press F6. You should see a ^Z, after the last character that you typed.

  7. Now, press Enter. You should see "1 file(s) copied" and the cursor will blink again on a new command line.

  8. At the blinking cursor, type: DIR spooldr.txt and press Enter.

  9. If you see a report showing 1 file(s) and a filesize in bytes and the file name, you have passed the first test.

  10. Repeat steps 4-8, substituting these filenames each time: noskrnl.txt, wincom.txt, clean.txt, bldy.txt

  11. If all of these files are listed in the DIR results, you're probably ok (the file names are now being changed frequently), but, if the DIR command shows 0 files found for any of these files, you are infected with the Storm Trojan and its rootkit.

  12. If all of these files show in a DIR listing, you should delete them by typing: DEL filename.txt (substituting the actual filenames) and press Enter and the named file will be deleted.
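
The same probe, automated, as an added Python example (not from the original post): it creates one small file per prefix from the list above, then checks whether a directory listing still shows it. It relies on the fact that os.listdir() on Windows uses the same FindFirstFile/FindNextFile calls that DIR and Windows Explorer use, so a rootkit that filters directory listings by file name hides the probe here just as in the manual steps; the file names are the ones the post lists and are assumed to still be current, and the probe directory (a temporary folder) is assumed to be filtered like the Desktop or the Command Window's folder.

```python
import os
import tempfile

# Probe prefixes named in the post. The rootkit's names change often, so treat
# this list as a snapshot (assumption: still the prefixes the post lists).
PROBE_NAMES = ["spooldr.txt", "noskrnl.txt", "wincom.txt", "clean.txt", "bldy.txt"]


def probe_hidden_names(directory, names=PROBE_NAMES):
    """Create one small file per name, then check whether a directory listing
    still shows it. Returns {name: True if listed, False if hidden}.

    os.listdir() on Windows enumerates with FindFirstFile/FindNextFile, the
    same calls DIR uses, so a name-filtering rootkit hides the file from both.
    """
    results = {}
    for name in names:
        path = os.path.join(directory, name)
        # Steps 4-7 of the post: create the file with a few bytes of content.
        with open(path, "w") as fh:
            fh.write("probe file written to test for a name-filtering rootkit\n")
        # Steps 8-9: the equivalent of "DIR name" - does the listing show it?
        listed = name.lower() in (entry.lower() for entry in os.listdir(directory))
        results[name] = listed
        # Step 12: remove the probe again (may fail if the name is being hidden).
        try:
            os.remove(path)
        except OSError:
            pass
    return results


def hidden_probes(results):
    """Names that were written successfully but did not appear in the listing."""
    return sorted(name for name, visible in results.items() if not visible)


def run_probe(names=PROBE_NAMES):
    """Run the probe in a throwaway temporary folder and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        return probe_hidden_names(tmp, names)


if __name__ == "__main__":
    missing = hidden_probes(run_probe())
    if missing:
        print("SUSPECT: probe files hidden from the directory listing:", missing)
        print("Reboot into Safe Mode and run a full scan with an up-to-date scanner.")
    else:
        print("All probe files were listed; no name-filtering rootkit seen by this test.")
```

A clean machine lists every probe; a single missing name is worth a Safe Mode scan, since a real file you just wrote should never vanish from DIR.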


I advise you to leave disinfection of rootkit threats to professional grade security applications, like Norton, McAfee, Kaspersky, or TrendMicro Anti Virus programs, or Webroot Spy Sweeper, or PCTools Spyware Doctor. There are links to some of these programs on this blog. Some of them offer a free trial download, and others offer a free online scan. If you can't afford one of these commercial programs you can download (install and update!) AVG Free Anti-Virus, or SpyBot Search and Destroy, which is also free, from the links in the right sidebar >>>

If I come up with some effective manual removal instructions, that can be used by the average computer owner, I will post them in a follow-up blog article.

December 26, 2007

Beware of "New Year" email "Postcard" threats

This is a heads up to you all to beware of a new round of Storm Trojan email threats, now making the rounds. They contain a New Year subject and one line of body text and a link on the second line that contains the word postcard, or a variation thereof. Do not click on this link. Delete the message. The destination is a Storm Worm Trojan infected computer, running a small Nginx web server, with but one page. The page contains code to instantly redirect you to an automatic download location, where you will receive your very own copy of the Storm Trojan. If you visit the first page with JavaScript disabled, you will be presented with an enticement to manually install the Trojan; to view your "postcard." Not! The three spammed email messages I analyzed this morning all contained variations of the following two lines of deactivated text:

As the new year...
h**p://uhavepostcard.***/

That URL was spammed out on Christmas day, three days ago. The current Storm Trojan spam messages now have links to happycards2008.com, or newyearcards2008.com, or familypostcards2008.com, which are different URLs than in the attacks that began on Christmas Day and more changes are expected over this weekend.

The emails I have analyzed so far today led to infected computers, with web pages containing a clickable link to a locally hosted file named "happy-2008.exe," or "happynewyear.exe," which is the Storm Trojan itself. The infected host computers are zombie members of the Storm Botnet and are all over the World. The redirects in them lead to exploited servers, similarly all over the World. These servers have been compromised over the year in anticipation of serving up payloads on demand. They are zombie servers in that no unusual activity would be noticed from them until people start arriving from redirects on infected PCs. Unless people report these infected servers they will remain online long enough to do a lot of damage. One way to report them is to become a reporting member of SpamCop.

If, like me, you use an anti spam front end for your email client, such as MailWasher Pro, and it allows you to create regular expression spam filters, try adding these rules to detect the Storm Postcard threats:

UPDATED 12/30/2007 to add new target domain names and shorter RegExpr.
The subject contains any of these words: "(e-) card, or greeting, or postcard, or New Year, or New 2008 Year"
AND, The body contains any of the same words; AND
The body contains a hyperlink containing this regular expression:

http://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/|(.+postcards?|newyearwithlove|.+cards2008)\.com)

Here is that entire updated rule, in MailWasher Pro format, for use in the MailWasher filters.txt file (This code should be on one long line):

[enabled],"Postcard Trojan Scam","Postcard Scam",16711680,AND,Delete,Automatic,Subject,containsRE,"\b(e-?)?(card|greeting|postcard|new\ year|Happy\ 2008!|New\ Hope\ and\ New\ Beginnings|new\s.*year)",Body,containsRE,"\b((e-?)?(post|greeting\s)?card)|new\ year\b",Body,containsRE,"\bhttp://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/|(.+postcards?|newyearwithlove|.+cards2008)\.com)"
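
To see what the three-part rule above actually catches, here is an added Python example (not from the post and not MailWasher code) that applies the rule's three regular expressions to a few constructed messages. It assumes MailWasher's containsRE comparison is case-insensitive, so the rule's lower-case "new year" matches a "New Year" subject; the sample messages and the 192.0.2.x address are constructed.

```python
import re

# The three regular expressions copied from the MailWasher rule in the post.
# Assumption: containsRE matches case-insensitively (re.IGNORECASE here).
SUBJECT_RE = re.compile(
    r"\b(e-?)?(card|greeting|postcard|new\ year|Happy\ 2008!"
    r"|New\ Hope\ and\ New\ Beginnings|new\s.*year)",
    re.IGNORECASE,
)
BODY_WORDS_RE = re.compile(
    r"\b((e-?)?(post|greeting\s)?card)|new\ year\b", re.IGNORECASE
)
BODY_LINK_RE = re.compile(
    r"\bhttp://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"
    r"|(.+postcards?|newyearwithlove|.+cards2008)\.com)",
    re.IGNORECASE,
)


def is_storm_postcard(subject, body):
    """The rule is an AND of all three tests: a card/New Year subject, the
    same words in the body, and a numeric-IP or postcard/cards2008 .com link.
    Requiring all three is what keeps an ordinary New Year greeting from
    being deleted."""
    return bool(
        SUBJECT_RE.search(subject)
        and BODY_WORDS_RE.search(body)
        and BODY_LINK_RE.search(body)
    )


def flag_storm_messages(messages):
    """Return the indexes of the (subject, body) pairs the rule would delete."""
    return [
        i for i, (subject, body) in enumerate(messages)
        if is_storm_postcard(subject, body)
    ]


# Constructed sample messages, not real spam. 192.0.2.10 is a documentation
# address standing in for the numeric link to a zombie PC.
SAMPLE_MESSAGES = [
    ("New Year postcard", "As the new year...\nhttp://192.0.2.10/"),
    ("Q1 planning meeting", "Agenda: http://example.com/agenda before the new year."),
    ("Happy New Year!", "Have a great new year! Party details: http://example.com/party"),
    ("Your New Year e-card", "Your card is waiting:\nhttp://familypostcards2008.com/"),
]

if __name__ == "__main__":
    for i, (subject, body) in enumerate(SAMPLE_MESSAGES):
        verdict = "DELETE" if is_storm_postcard(subject, body) else "keep"
        print(f"{verdict:6} #{i}: {subject!r}")
```

Messages 0 and 3 are deleted (numeric link, and a cards2008.com link); messages 1 and 2 survive because only one or two of the three tests match.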

I am posting updates as I detect changes to the target domain name or subject/body text. Remember, the authors of the Storm Trojan are constantly altering the text and payload URLs, to fool spam filters and people. If you are not screening your incoming POP email you leave your computer at risk, should one of these threats fool you into clicking on a link to an infected computer, or server. I have a full page describing the email screening program - MailWasher Pro, with links where you can download it for a free trial. It is very inexpensive to license, for the life of the product. You don't have to pay for version updates like you do with most security programs these days. The only recurring charge associated with MailWasher Pro is voluntary membership in their managed spam reporting group, called FirstAlert.

MailWasher Pro is free to try for 30 days, and still costs only $37.00 to register, which includes a one year, renewable subscription to the FirstAlert! spam reporting system, plus, FREE Mailwasher program updates for life.

September 13, 2007

Storm Trojan now using real domain links in NFL Tracker scams

The so-called Storm (Worm) Trojan has been continuously changing the subject and body text used to trick victims into clicking on links which cause their computers to become part of the "Storm" Botnet. Previously, all Storm scam messages came in with numeric links to compromised Windows computers, on broadband connections, which were a clear giveaway to even the most casual recipient that something was not right. Then, at the beginning of September I began to see Storm scams that had the numeric IP destinations wrapped inside a fake domain name. The true, numeric destination was revealed by mousing over the link, so it was still relatively easy to detect that the message was most likely a scam.

It is extremely unusual for hyperlinks to be numeric, but not totally unseen. Most websites use a "friendly name" for the domain; like example.com. On very rare occasions a website may not use a friendly name, usually when it is in transit from one server to another, and DNS changes need time to propagate throughout the name server system. In the case of the web pages hosted on Storm Trojan infected computers the URLs had to be numeric. This was because the zombie computers did not have registered domain names. Instead, they have a small web server, called Nginx, installed by the Storm Trojan, and are almost always connected to broadband Cable or DSL Internet Services, with infrequently changing IP addresses. Since the IP addresses of these zombie computers do occasionally change, due to rebooting the modem, or forced IP renewals by their ISP, the authors of the Storm Trojan had to come up with a new way to keep them available through changes in IP addresses, and they have done just that.

In a new twist on the previous numeric IP scam, the authors of the new scam are using free DNS services to point their parked domain names at always-on cable Internet computers that are part of the BotNet. Thus, if the intended victim mouses over the link it still displays the friendly domain name (e.g. example.com). If they are fooled by the scam pitch into clicking on that link, they will arrive at what looks like a standard, large web page all about the subject of the scam message. There will be lots of links on that page, just like you would find on a real web page. But, in this instance, what you don't know can and will hurt you!

See my extended comments for a more technical description about this new NFL Tracker threat.

Your best defense against the Storm (Worm) Trojan, in all of its incarnations, is to use common sense and not click on links in unexpected emails, featuring dubious text sales pitches. If you use anti-spam software you should train it to recognize what you recognize as spam, or scams.

I use MailWasher Pro to screen all of my incoming email. It uses a variety of methods to identify and deal with known or suspected spam email, including custom filter rules that define the kinds of spam that are most common. I happen to write and publish three sets of custom filters for MailWasher. They are in direct response to the daily variations in email spam and scam threats that I see as I check my numerous accounts at 12 minute intervals. While my filters admittedly slow down the processing of your incoming messages, they provide a defined warning in the Status field, indicating what types of spam filters have been matched. The first two sets of filters only flag spam that is matched by my rules, leaving you to decide if they are truly spam or legitimate (false positives).

filters.txt is the largest set with rules going back several years, including the most current rules.

filters2.txt uses a reduced set of the most current filters, of which I use a more potent version.

filters3.txt is what I call my Judge Dredd rules, because they, like my personal filters, are set to automatically hide and/or delete anything that is identified as spam. I describe them as my "Murder-Death-Kill rules," as borrowed from the movie "Judge Dredd." In the rare instances where a legitimate email is automatically deleted by a filter, I can review and restore that message from the MailWasher Pro Recycle Bin.

To recap, the authors of the Storm Trojan are constantly changing the subject and body text in an effort to deceive more and more people and to accumulate the largest BotNet in the history of distributed computing. As of this week, it is estimated that the Storm BotNet has more computer and CPU power than the world's top five supercomputers put together. The damage that this BotNet has done, is doing, and may yet do is beyond anything ever seen on the Internet. If all of these machines are used in DDoS attacks there is very little that would be able to stand up to them. That includes websites, governments, even entire countries (the country of Estonia was effectively taken offline by a huge DDoS attack earlier this year).

I strongly urge every reader of my blog to install the best anti virus and anti spyware software that you can afford, keep it completely updated and scan for threats every night.


September 9, 2007

New Storm Trojan tactic uses football game tracker as bait

The authors and promulgators of the Storm Trojan are very devious and criminally clever people. Every month they seem to completely change the nature of the scams used in the spam emails sent from already infected computers. Each new scam uses a different type of social engineering to deceive spam recipients into clicking on the (numeric) link embedded in those messages. Usually the links are shown as numeric, but lately some are concealing the destination until you hold the mouse over the link, at which time you will see a numeric URL. An example of a numeric URL would be: http://127.0.0.1/. The same link wrapped inside a friendly name cover might resemble this: devious words, which leads to the same numeric destination when you mouse over the link. The destinations in my examples go to your own computer, at 127.0.0.1 (local machine), for safety's sake.

Earlier this summer the trick most widely used was the postcard scam. Now they are kicking it up a notch and appealing to sports fans' curiosity to fool them into infecting themselves. With the US professional football season kicking off this month (pun intended), the criminal minds authoring the Storm Trojan email scams have unleashed a series of new messages all aimed at enticing football fans into downloading a so-called "game tracker." As with all of the previous Storm Trojan payloads, this one resides inside infected computers onto which a web server has been installed. If you click on the link in the scam email you will see a real web page containing all kinds of descriptions and links to features and information. There is even an image map that is one huge link. Every single one of the links on these pages goes to one and only one place: "tracker.exe." Click on that and what you thought was a game tracker program will in reality turn your computer into another zombie member of the Storm Trojan BotNet.

Another trick being employed by the Storm Trojan is a link supposedly to a program that prevents the RIAA from tracking files shared illegally over peer to peer networks. Again, this is the Storm Trojan at the other end of those links.

If you use MailWasher Pro to screen your incoming email and are not already using my custom spam filters, what are you waiting for? They are free for you to use! They are my gift to the World. I hate spam and want to help others detect and delete it, before threats like the Storm Trojan can fool them into becoming unwitting victims. You can even discuss my filters in my own topic labeled: A new filter set for MWP users brought to you by Wizcrafts, on CastleCops.com (already 7 pages long).

Please use caution with any links arriving in email messages from senders you don't know, or even those you do know. Do not click blindly on links in emails, especially if they are numeric! Those IP addresses are infected home or office computers, on DSL or Cable Internet services.


August 23, 2007

Email Threat - Trojan-Downloader "Storm Worm" - Its History, Payload and Variants

This is a follow-up to an article I wrote about the Storm Worm, in my blog a couple of days ago. That entry was meant to warn you about the new variations in the subjects and body text, designed to trick you into getting your computer infected. This article presents a brief history and analysis of the methods used to infect computers, as well as a description of the actual payload, of the so-called "Storm Worm" Trojan downloader.

History of the Storm Worm Trojan

Distributed through massive blasts of spam emails, the threat now known as the "Storm Worm" Trojan-Downloader was first noticed in the wild in November, 2006 and has gone through many external alterations since then, although the payload has remained basically the same. Various anti virus companies have labeled the variants with such names as: Win32/Nuwar, Trojan.Peacomm, Trojan-Downloader.Win32.Small.DAM, Trojan.Downloader-647, Trojan.DL.Tibs.Gen!Pac13, Win32.Zhelatin, and of course: "Storm Worm."

The Trojan now called the "Storm Worm" got its name after a huge spam run on Friday, January 19, 2007, which used the subject line "230 dead as storm batters Europe" to trick people into clicking on links to supposedly read news articles and emergency bulletins about the terrible storms that ravaged Europe during that week. By the following Monday the Storm Worm accounted for 8% of all spam, on a global basis. It received even more notoriety when it was used by infected zombie computers, all members of a BotNet using the eDonkey/Overnet P2P protocol, to launch DDoS attacks against several well known anti spam websites, from January through June, 2007. In fact, some of those attacks are still ongoing against Spamhaus and CastleCops.

How the Storm Worm is able to carry out such large scale attacks is directly related to its success in getting a huge installed base of zombie computers, with different security sources giving varying numbers of infected machines ranging from 2 to 20 million. Either number is too many. There are enough members of the Storm Worm Botnets to bring down an entire country! This has been done entirely by using social engineering tricks to deceive people into clicking on links in spam emails, which lead the victim to other infected computers, where they become infected and join the largest peer-to-peer Botnet ever assembled in the history of Botnets. Each new member of this network receives copies of the Storm Worm Trojan Downloader, a copy of the nginx web server, an email address collection program, a spam sending program (SMTP server), a DDoS tool, and connection scripts related to the P2P node in which it has been enlisted. All of these machines are remote controlled by criminal masterminds, known as "BotMasters." The owners of this Botnet are suspected of residing in various parts of the Former Soviet Union and are the most prolific spammers in the World.

Method of Infection

As I said in the previous paragraph, the Storm Worm spreads by tricking people into clicking on links to a web page hosted on an already infected computer, where they are then infected and zombified into the Botnet. There, they await remote control orders to do the bidding of the BotMaster. So how are these computers infected with the Worm/Trojan itself?

When a person using any version of Windows arrives at the fraudulent web page being hosted on a Storm Worm infected computer there are two things that can occur, depending on whether or not the visitor's browser has JavaScript enabled (most do, by default).


  1. If JavaScript is disabled they will see a plain text message claiming that the website they want is undergoing some tests, or that an additional plug-in or applet is needed to view the content they were enticed with, followed by a text link to click to manually get or see the needed file or applet. Now, what should I do? It says to click here, but I don't know if I should or not... Oh well, I'll just try it real fast to see what it does and back out if it doesn't look right -> "Click" ... They just infected themselves with the Storm Worm! Idiots!

  2. If JavaScript is enabled a script will instantly redirect them to a foreign server which is acting as a Worm host for their Botnet node. Once there, their browser will be subjected to at least three attempts to exploit different known vulnerabilities in unpatched Windows computers. Chances are very good that one of these attempts will be successful, unless the computer is very well protected and completely up to date with all available Windows patches and Internet Explorer 7 with all patches installed. Older versions of Firefox may also be at risk (prior to 2.0.0.6), if JavaScript is enabled, because the script initiates a file download. If the victim arrives using an older, unsupported version of Windows (9x, ME, 2000 before SP4, or XP with SP1), or is running an invalid pirated copy of Windows XP, they will NOT be up to date with critical patches and WILL probably be infected immediately (except for Limited User or Power User accounts).

Now that we know how Windows computers get infected, what are some of the current social tricks being used to fool people into (A) opening the message, (B) reading it and (C) clicking on the obviously strange numeric link?

Subjects recently used in the Storm Worm e-mail messages include:
Postcard scams:
You've received a (postcard, ecard, greeting card) from a (Friend, Worshipper, Mate, Class-Mate, Family Member, etc).

Newest scam subjects as of mid-August, 2007:
Cat Lovers, Dated Confirmation, Internal Support, Internal Verification, Login Info, Login Information, Login Verification, Member Confirm, Member Details, Member Registration, Membership Details, Membership Support, New Member Confirmation, New User Confirmation, New User Details, New User Letter, New User Support, Poker World, Registration Confirmation, Registration Details, Secure Registration, Tech Department, Thank You For Joining, User Info, User Verification, Your Member Info, Welcome New Member

And the senders aliases have been:

Bartenders guide, Bartenders Guide, Coolpics, Dog lovers, Entertaining pics, Entertaining pros, Fun World, Free ringtones, Free web tools, Game Connect, Internet Dating, Job search pros, Joke-a-day, Mobile Fun, MP3 world, Net gambler, Net-jokes, Online hook-up, Poker world, Resume Hunters, Ringtone heaven, Web, Web cooking, Web connects, Webtunes, Wine Lovers
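The subject and sender lists above are exactly the kind of material a custom filter set is built from. The following is an added example of how such rules can be expressed and applied; it is not MailWasher's own rule syntax or the author's filter files, and the three sample messages are constructed. It mirrors the two modes described in the previous post: rules that only flag a message and leave the decision to the user, and "Judge Dredd" rules that hide or delete on match.

```python
"""Tiny rule engine in the spirit of the custom MailWasher filter sets the
blog describes. Added example, not MailWasher's real rule format. Phrases
below are taken from the subject and sender-alias lists on the page; the
sample messages are constructed for demonstration."""
import re
from dataclasses import dataclass
from email.utils import parseaddr


def exact_any(phrases):
    """Regex that matches a header whose whole value is one of the phrases."""
    alts = "|".join(re.escape(p) for p in phrases)
    return re.compile(r"^\s*(?:" + alts + r")\s*$", re.I)


@dataclass(frozen=True)
class Rule:
    name: str            # shown in the Status field when the rule matches
    header: str          # "subject" or "from" (display name only)
    pattern: re.Pattern
    action: str = "flag" # "flag": mark and leave for the user; "delete": auto-hide


# Subset of the subject lines and sender aliases listed in the post.
STORM_SUBJECTS = ("Login Info", "Login Information", "Login Verification",
                  "Member Confirm", "Member Details", "New User Confirmation",
                  "Registration Confirmation", "Thank You For Joining",
                  "User Verification", "Welcome New Member")
STORM_SENDERS = ("Bartenders Guide", "Coolpics", "Dog lovers", "Fun World",
                 "Net gambler", "Poker world", "Ringtone heaven", "Webtunes")

RULES = [
    # filters.txt / filters2.txt style: flag only.
    Rule("Storm subject", "subject", exact_any(STORM_SUBJECTS)),
    Rule("Storm sender alias", "from", exact_any(STORM_SENDERS)),
    # "Judge Dredd" style: the postcard bait is deleted outright.
    Rule("Storm postcard", "subject",
         re.compile(r"you've received an? (?:greeting )?"
                    r"(?:postcard|ecard|greeting card) from a", re.I),
         action="delete"),
]


def _field(msg, header):
    """Return the header value a rule inspects; for From, the display name."""
    value = msg.get(header, "")
    if header == "from":
        value = parseaddr(value)[0]   # "Coolpics <x@example.net>" -> "Coolpics"
    return value


def screen(msg, rules=RULES):
    """Apply all rules; a single delete-rule hit outranks any flag-only hits."""
    hits = [r for r in rules if r.pattern.search(_field(msg, r.header))]
    if any(r.action == "delete" for r in hits):
        action = "delete"
    elif hits:
        action = "flag"
    else:
        action = "pass"
    return {"action": action, "status": ", ".join(r.name for r in hits) or "OK"}


# Constructed sample messages (example.net / example.org are reserved names).
SAMPLES = [
    {"from": "Coolpics <noreply@example.net>", "subject": "Login Verification"},
    {"from": "Friend <card@example.org>",
     "subject": "You've received a greeting postcard from a family member!"},
    {"from": "Alice <alice@example.org>", "subject": "Lunch tomorrow?"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["subject"], "->", screen(m))
```

Matching the whole header value rather than a substring is deliberate: the Storm subjects are short generic phrases ("User Info", "Web") that would otherwise flag a great deal of legitimate mail, which is the false-positive trade-off the post warns about.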

To learn more about the payload delivered when a PC is infected with the Storm Worm, read my extended comments...


August 21, 2007

Beware of new variations of Storm Worm Trojan email threats

On July 1, 2007, I wrote a blog article titled "Warning; Trojan in Email Link: You've received a greeting postcard from a family member!" For well over a month my various email accounts were inundated with a constant daily flow of these Postcard scams. There is now an entirely new variation of these threats, in circulation World wide. For those who for some reason don't know what this is about (what rock have you been hiding under?), read the next paragraph. If you understand the basic nature of this threat you can skip to my extended comments.

Since sometime in June this year a Trojan Horse threat, called the "Storm Worm Trojan," has been circulating across the Internet, infecting millions of Windows PCs along its path. At first the subject and message body text referred to ecards, or (greeting) postcards supposedly sent to you from a "Friend," or "Worshipper," or "Class-Mate," or "Mate." They all provided a link (with a numeric IP address in the URL) to visit a website where you could view your card, which would remain viable for "the next 30 days." If you've been on the Internet for a long enough time you are probably aware that URLs are not usually numeric, but are in the form of named websites. Seeing a link that is numeric usually sets off alarm bells! A person would either have to be a total newbie to the Internet, or not accustomed to looking at the destination of links in their email client's status bar, or be using browser based email that does not reveal the destination of links found in emails. Maybe the person receiving that email is a young child who isn't aware of the danger of such links and was excited to think they had received a greeting card.

Anybody who was tricked into clicking on the link was transported to a web page hosted on a compromised zombie computer on a home or business broadband network, located at the numeric IP found in the link they clicked on. This computer is already infected with the Storm Worm and has had a micro Web Server installed on it and is hosting a single web page. That web page contains JavaScript redirection codes and a plain text link to a copy of the Worm that has been placed on that computer. People going to that hostile web page with JavaScript disabled will see the link and the text will urge them to click on it to see their (ecard/message). If the victim arrived using a browser with JavaScript enabled, as most are, a hidden script on that page would send their browser to yet another website, where an image of a fake greeting card, or text about it is displayed. What the victim didn't know is that while they were looking at the fake ecard a hidden download was occurring that was automatically infecting their computer with the Storm Worm Trojan. This turned their computer into both a host of a similar redirection web page and as a sender of spam emails containing a link to their hostile web page, but sent through another compromised computer somewhere else in the World.
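The hostile page described here, and in the numbered list of the August 23 post, has a recognisable two-part shape: a script that sends JavaScript-enabled browsers elsewhere, plus a plain link to an executable for everyone else. The following added example (not from the post) is a static triage check an analyst could run over a page fetched in a sandbox to spot that shape. The page HTML is constructed and points only at the loopback address; the regexes are deliberately simple and only catch assignments to `location` and meta refreshes, not every way a script can navigate.

```python
"""Static triage of a fetched landing page for the redirect-plus-executable
structure the blog describes. Added example; the sample page is constructed
and points only at 127.0.0.1. The checks are heuristics: they catch
assignments to window/document location and <meta http-equiv=refresh>, not
every navigation technique."""
import re
from urllib.parse import urlparse

SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
JS_REDIRECT = re.compile(
    r"(?:window|document|top)?\.?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
HREF = re.compile(r'href=["\']([^"\']+)["\']', re.I)
EXECUTABLE = (".exe", ".scr", ".pif", ".bat", ".cmd")


def triage_page(html):
    """Return the redirect targets, executable links and an overall verdict."""
    redirects = []
    for body in SCRIPT_BLOCK.findall(html):
        redirects += JS_REDIRECT.findall(body)      # what JS-enabled visitors get
    redirects += META_REFRESH.findall(html)
    exe_links = [h for h in HREF.findall(html)
                 if urlparse(h).path.lower().endswith(EXECUTABLE)]  # the "click here" path
    if redirects and exe_links:
        verdict = "storm-like"        # both prongs present
    elif exe_links:
        verdict = "executable-link"
    elif redirects:
        verdict = "redirect-only"
    else:
        verdict = "clean"
    return {"redirects": redirects, "exe_links": exe_links, "verdict": verdict}


# Constructed sample: script redirect for JS browsers, plain .exe link otherwise.
SAMPLE_PAGE = """<html><head><title>Your ecard</title>
<script type="text/javascript">window.location.href = "http://127.0.0.1/card/";</script>
</head><body>If your card does not open in 5 seconds,
<a href="http://127.0.0.1/ecard.exe">click here</a> to view it.</body></html>"""

CLEAN_PAGE = '<html><body><a href="https://example.com/news">News</a></body></html>'

if __name__ == "__main__":
    print(triage_page(SAMPLE_PAGE))
    print(triage_page(CLEAN_PAGE))
```

A page that scores "storm-like" is worth a second look even when the redirect target itself is unreachable, because the plain executable link is the fallback the post describes for visitors without JavaScript.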

Judging by the millions of infected computers hosting these hostile web pages and sending spam links out, there are a lot of folks who have not been practicing "safe hex" (computing). They have not been keeping their Windows computers thoroughly updated and patched, and are not running up-to-date security software (both definitions and program updates). Read the tips in my extended comments about securing your PCs against this and other modern threats to your security.


July 1, 2007

Warning; Trojan in Email Link: You've received a greeting postcard from a family member!

If (rather, when) you receive an email with a subject line that matches or closely matches this:

You've received a greeting postcard from a family member!
or
You've received a postcard from a family member!

DELETE IT! These messages are sent from infected computers and contain links to go to a web page that is hosted on some poor schmuck's personal computer, on a broadband ISP connection, possibly with a static IP address. That web page contains exploit code that is used to download a Trojan Horse remote control program onto your computer. The bait is that a "family member" has just sent you a (greeting) postcard and there is a link to copy and paste into your browser's address bar (or to click on). If you mouse over that link you will see the numeric IP address in it. I have analyzed several of these recent spam messages and learned that they either point to a .hk (Hong Kong) domain, or a numeric IP address, followed by a question mark and a long group of hexadecimal characters (referred to as your card's claim number). The destinations are usually US based broadband customers' home computers that have had a (proxy) server surreptitiously installed, without the owner's knowledge. The ones I have looked at use a freeware server called "nginx." The web page they serve up contains a link to a copy of the Trojan program and deals with both people lacking and people having JavaScript enabled browsers. If you visit the link without JavaScript you will see a message that if you don't see your card you should click on a link. That link goes directly to an infected file on the hijacked computer. If you visit the page with JavaScript enabled you will be in danger of becoming infected by the JavaScript exploit that is encoded into a huge line of hostile code.
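Three of the posts on this page describe the same tells in the email link itself: a bare numeric IP as the destination (this post and the September 9 one), a numeric IP followed by a long hexadecimal "claim number" (this post), and a friendly-looking link text that hides a different destination (the September 13 post). The following is an added example, not the author's code or a MailWasher feature, of checking an HTML message body for all three before anyone mouses over anything. The sample bodies are constructed and use only loopback and documentation addresses; resolving the domain to see whether it points at a residential IP, as the September 13 post describes, is left out so the check runs offline.

```python
"""Flag hyperlinks in an HTML email body that show the Storm-style tells the
blog describes: numeric-IP destinations, link text that looks like a domain
but points somewhere else, and a long hex token in the query string. Added
example; sample messages are constructed (127.0.0.1 and 203.0.113.0/24 are
loopback and documentation ranges)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{16,}$")          # "claim number" style query
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/.*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _host_of(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def inspect_links(html):
    """Return one record per link with the list of tells it triggered."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = _host_of(href)
        flags = []
        if _is_ip_literal(host):
            flags.append("numeric-ip")
        # Text that reads like a domain but differs from the real destination.
        if LOOKS_LIKE_URL.match(text) and _host_of(text) != host:
            flags.append("display-mismatch")
        if HEX_TOKEN.match(urlparse(href).query):
            flags.append("hex-claim-token")
        findings.append({"href": href, "text": text, "host": host, "flags": flags})
    return findings


def is_suspicious(html):
    return any(f["flags"] for f in inspect_links(html))


# Constructed sample bodies.
SAMPLE_POSTCARD = ('<p>Your card is waiting. Click <a href="http://127.0.0.1/'
                   '?0123456789abcdef0123456789abcdef">here</a> to see it.</p>')
SAMPLE_WRAPPED = '<p>Get the tracker at <a href="http://203.0.113.5/tracker/">example.com</a></p>'
SAMPLE_CLEAN = '<p>Read more at <a href="https://example.com/news">example.com</a></p>'

if __name__ == "__main__":
    for body in (SAMPLE_POSTCARD, SAMPLE_WRAPPED, SAMPLE_CLEAN):
        print(inspect_links(body))
```

Plain words as link text ("here", "devious words") do not trigger the mismatch check on their own; the numeric-IP check is what catches those, which is why the two tells are evaluated separately.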

My advice, other than not even opening messages with the above mentioned subject lines, is to keep updated anti virus (and anti Trojan) and anti spyware programs running at all times on your computers. If you use Outlook (Express) or a similar stand alone email client you should add a spam/virus screening front-end program, like MailWasher Pro, which I use. MailWasher Pro uses a combination of an intelligent learning filter, blacklists of known spam, a virus detector, plain text display of messages and source codes, and best of all, user configurable filter rules. I have authored two sets of custom MailWasher filter rules, widely acclaimed and listed on CastleCops in a thread bearing my name. My filter rules are updated frequently to respond to the latest spam and scam threats and are available online, on my MailWasher Filters page. It was the ability to read incoming email source codes in MailWasher Pro that allowed me to discover the nature of these greeting postcard threats.

I hope this saves somebody from the misery of having their computer taken over due to ignorance and unpreparedness. Stay alert and keep your anti malware defenses running and up to date at all times. Assume that "they" are out to get you, because they are! If you receive a notice from your ISP that they suspect that your computers are sending out harmful messages, have the computers checked for proxy servers. Stay off-line until all vestiges of such programs have been completely removed, then equip your computers with the best security programs you can afford. There are links all over this page and others of mine for Spy Sweeper, Spyware Doctor, Norton Anti Virus and other similar products. Some offer a free trial, so use it, then purchase a subscription. Don't let your computers become unwitting members of zombie BotNets for use as spam/virus relays, or hosts for spamvertised websites.
