April 28, 2010

Spybot Search & Destroy updates for April 28, 2010

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule, as listed below. Updated detections include new or modified fake security programs (fraudulent anti virus/spyware), Trojans, rootkits, online game password stealers and spam bots. I noticed that one of the Trojan updates detects UPS Courier fake notices (Fraud.UPSInvoice), which usually contain the Zbot Trojan (Zeus bank password stealing Trojan), or something equally sinister, inside a zip or pdf file attachment.


Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

An anti-spyware program that is updated once a week cannot protect you from malware threats created or modified and released in the last 24 - 48 hours. If you want realtime protection against the most current spyware, keyloggers, rootkits, rogue anti-virus and security programs, Trojans and other forms of malware, with very frequent automatic updates and scheduled malware scans and the blocking of IP addresses hosting attack codes and malware downloads, you should try Malwarebytes Anti-Malware. While it's free to use if you want to update it and scan manually, it costs under $25 USD for a lifetime license that turns on the advanced and automatic protection features. It may be the best $25 you ever spent on a computer security program. Malwarebytes is used and recommended by security consultants and malware removal forums around the World.

Malwarebytes Anti-Malware

Definition updates made on 04/28/2010

Adware
++ FunnyMall

Malware
++ Fraud.OneClean
++ Fraud.TrustDoctor
+ Fraud.XPInternetSecurity2010
+ Lop
++ Win32.Agent.fg

Spyware
+ AdRotator
+ WurldMedia

Trojan
++ BDS.MalwareCatcher
++ Fraud.UPSInvoice
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.ah
++ Win32.Agent.fd
++ Win32.Agent.mc
++ Win32.Agent.msm
+ Win32.Agent.wu
+ Win32.Allaple.ab
+ Win32.FakeAlert.ttam
+ Win32.FraudLoad
+ Win32.FraudLoad.edt
+ Win32.FraudPack
+ Win32.OnLineGames.down
++ Win32.OnLineGames.mfdt
++ Win32.OnLineGames.mfev
++ Win32.OnLineGames.urls
+ Win32.ScreenBlaze
+ Win32.TDSS.pr
+ Win32.ZBot

Total: 3030783 checksums in 1086724 rules for 5365 products.
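The "+" / "++" notation above is a small format of its own, and it is worth being able to process a weekly list mechanically (for instance to see at a glance how many brand-new families arrived versus updates to old ones). The following parser is an added example written for this page, not code from Safer-Networking or from the blog; the input it parses is a constructed excerpt in the same layout as the list above.

```python
"""Parse a Spybot S&D weekly update list into structured counts.

Added example, not code from Safer-Networking or the blog. The input
below is a constructed excerpt in the format the post uses: category
headings, one detection per line prefixed with '+' (update to a known
family) or '++' (new detection), and a trailing 'Total:' line.
"""
import re
from collections import defaultdict

# Constructed sample in the same layout as the posted list.
SAMPLE_UPDATE = """\
Definition updates made on 04/28/2010

Adware
++ FunnyMall

Malware
++ Fraud.OneClean
+ Fraud.XPInternetSecurity2010
+ Lop

Trojan
++ Fraud.UPSInvoice
+ Virtumonde.dll
+ Win32.ZBot

Total: 3030783 checksums in 1086724 rules for 5365 products.
"""

DETECTION_RE = re.compile(r"^(\+\+|\+)\s+(\S+)\s*$")
TOTAL_RE = re.compile(
    r"^Total:\s+(\d+)\s+checksums\s+in\s+(\d+)\s+rules\s+for\s+(\d+)\s+products\.?$"
)


def parse_update_list(text):
    """Return (detections, totals).

    detections: list of dicts {category, name, new}; new is True for
    '++' lines. totals: dict with checksums/rules/products, or None if
    the Total line is absent.
    """
    detections = []
    totals = None
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DETECTION_RE.match(line)
        if m:
            if category is None:
                raise ValueError("detection before any category: %r" % line)
            detections.append(
                {"category": category, "name": m.group(2), "new": m.group(1) == "++"}
            )
            continue
        m = TOTAL_RE.match(line)
        if m:
            totals = {
                "checksums": int(m.group(1)),
                "rules": int(m.group(2)),
                "products": int(m.group(3)),
            }
            continue
        if line.startswith("Definition updates made on"):
            continue
        # Any other non-empty line is a category heading (Adware, Malware, ...).
        category = line
    return detections, totals


def summarize(detections):
    """Count new ('++') and updated ('+') detections per category."""
    summary = defaultdict(lambda: {"new": 0, "updated": 0})
    for d in detections:
        summary[d["category"]]["new" if d["new"] else "updated"] += 1
    return dict(summary)


def find(detections, name):
    """Look up one detection by name, e.g. to check whether Fraud.UPSInvoice is new."""
    for d in detections:
        if d["name"] == name:
            return d
    return None


if __name__ == "__main__":
    dets, tot = parse_update_list(SAMPLE_UPDATE)
    for cat, counts in summarize(dets).items():
        print("%s: %d new, %d updated" % (cat, counts["new"], counts["updated"]))
    print(tot)
```

Run it against a saved copy of the real weekly list and the same functions give you the per-category counts and a quick lookup of any family you care about.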

This week's false positive reports and program usage instructions are in the extended content.

False Positives Reported This Past Week

No false positives were reported this past week.

Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, immunizing against all threats does require Admin privileges. If you, like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and choose Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

If you are running several brands of security software, make sure that only one active protection (realtime monitoring) feature runs at a time. In case you want to deactivate the TeaTimer, to avoid conflicts, you can do this in Spybot S&D advanced mode in Tools - Resident, as described above.



April 25, 2010

My Spam analysis for the week of April 19 - 25, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels increased slightly again this week, to 54% of all my incoming email. Fluctuations in spam levels are sometimes seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit and counterfeit pharmaceuticals, including spam for the totally fake Canadian Pharmacy. Other categories of spam included counterfeit watches and brand name goods and some Nigerian scams and Zbot threats in fake courier failed delivery notices. Keep the Viagra, Canadian Pharmacy, Male Enhancement and the counterfeit Watches filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My updated blacklisted senders list proved quite effective this week, auto-deleting 15.90% of all incoming spam (see my extended content for details). I saw a decrease in the number of emails forging my own accounts as the senders, with 69 this week, which was 18% of my total spam. Many of these spam messages also included the same account names in the Subject. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets, and all email sender addresses are forged, there is no point in complaining to the listed From or Reply-To address. These addresses are inserted by the same script that composes the spam on the compromised PCs, and they usually belong to innocent spam victims themselves, whose harvested names are reused as forged senders. That is why a Joe Job needs a filter that reads the message content rather than trusting the sender: MailWasher Pro's custom filter option that overrides the "Friends" list (a Whitelist of approved senders) lets your own rules flag or auto-delete spam that uses one of your own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for April 19 - 25, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

MailWasher Pro spam category breakdown for April 19 - 25, 2010. Spam amounted to 54% of my incoming email this week. This represents +2% change from last week.

Here are some facts from my MailWasher Statistics for the past week. Of the 383 incoming email messages that were classified as spam, 310 were from my custom filters, 59 were from my custom Blacklist and 1 from the DNS Servers Blacklist (mostly the SpamCop Blocking List (SCBL)). I actually only saw 39 spam messages, all of which I reported through my SpamCop reporting account. The rest were automatically deleted by my custom filters and Blacklist.

Viagra: 41.24%
Blacklisted Senders (dating scams & Viagra, etc): 15.90%
Other Filters (misc filters): 8.09%
Canadian Pharmacy Scams: 7.82%
Pharmaceutical Spam: 7.28%
Known Spam Domains: 5.12%
Watches: 4.31%
Male Enhancement Scams: 2.96%
Diploma scams: 2.16%
Counterfeit Goods: 1.89%
HTML Tricks (mostly fake Viagra): 1.35%
TO: Contains << >>: 1.35%
DNS Blacklisted Servers: 0.54%

This was an average week for updates/tweaking to my custom spam filters. Most of the leading pharmaceutical spam is already well defined by my custom filters. The latest updates to my custom MailWasher Pro filters were to these filters:

Known Spam [From]
Known Spam Subjects #1
Phishing Scam [S or F]
Re:Your Order Approve
Weight Loss Drugs
(New) Amazon.com Scam
(New) TO: Contains << >>

The following recent MailWasher Pro Email Blacklist entries were able to block 15.90% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.br (New)
+@+.cn
+@+.de
+@+.es
+@+.gr (New)
+@+.hk
+@+.in (New)
+@+.jp
+@+.kr
+@+.ru
+@+.tw
+@+.vn
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
notification*@googlemail.com
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
*discount*@yahoo.com
*viagra*@+ (New)
[email protected] (New)
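The ordering argument made above (the Blacklist is matched before the custom filters, the most common categories sit at the top of the filter list, and a Joe Job filter overrides the Friends list) is easy to see in a small model of the screening pipeline. The script below is an added example written for this page and is not MailWasher Pro's code. It assumes that "*" in a blacklist pattern means zero or more characters and "+" means one or more, which is how entries such as "+@+.br" and "*viagra*@+" are read here (check the MailWasher manual for its exact wildcard rules); the owner's addresses, the Friends list and the messages are all constructed.

```python
"""MailWasher-style screening order: blacklist first, then ordered custom
filters, with a Joe Job override of the friends list.

Added example, not MailWasher Pro's code. Assumptions: '*' matches zero or
more characters and '+' one or more in blacklist patterns; the accounts,
friends list and messages below are constructed for the demonstration.
"""
import re
from collections import Counter

OWN_ACCOUNTS = {"wiz@example.com", "sales@example.com"}   # constructed
FRIENDS = {"wiz@example.com", "friend@example.org"}        # whitelist, includes own accounts

# A few entries in the style of the post's blacklist.
BLACKLIST = ["+@+.br", "+@+.cn", "+@+.ru", "*viagra*@+", "notification*@googlemail.com"]

# Ordered custom filters: (category, regex, fields to search). First match
# wins, so the most common categories go first to cut evaluation work.
CUSTOM_FILTERS = [
    ("Viagra", re.compile(r"\bviagra\b|v[i1]agr[a4]", re.I), ("subject", "body")),
    ("Canadian Pharmacy", re.compile(r"canadian\s+pharmacy", re.I), ("subject", "body")),
    ("Watches", re.compile(r"\b(rolex|replica watch)", re.I), ("subject", "body")),
    ("Courier scam", re.compile(r"\b(ups|dhl|fedex)\b.*\b(invoice|delivery)", re.I), ("subject",)),
    ("Diploma scams", re.compile(r"\b(diploma|degree)\b.*\b(online|buy)", re.I), ("subject", "body")),
]


def wildcard_to_regex(pattern):
    """Translate an address pattern with '*' / '+' wildcards to an anchored regex."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "+":
            out.append(".+")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.I)


BLACKLIST_RE = [(p, wildcard_to_regex(p)) for p in BLACKLIST]


def screen(msg):
    """Return (verdict, reason, number_of_custom_filters_evaluated).

    Stage 1: blacklist, a cheap address match that runs before anything else.
    Stage 2: friends list, unless the From is one of the owner's own accounts
             (a forged 'Joe Job' sender), in which case filtering continues.
    Stage 3: ordered custom filters, first match wins.
    """
    sender = msg["from"].lower()
    for pattern, rx in BLACKLIST_RE:
        if rx.match(sender):
            return "delete", "blacklist:" + pattern, 0
    joe_job = sender in OWN_ACCOUNTS
    if sender in FRIENDS and not joe_job:
        return "keep", "friends", 0
    for n, (category, rx, fields) in enumerate(CUSTOM_FILTERS, start=1):
        if any(rx.search(msg[f]) for f in fields):
            reason = category + (" (Joe Job)" if joe_job else "")
            return "delete", reason, n
    return "keep", "no match", len(CUSTOM_FILTERS)


def run_batch(messages):
    """Screen a batch; return (per-message results, category counts, total filter evaluations)."""
    results = [screen(m) for m in messages]
    counts = Counter(r[1].split(" (")[0] for r in results if r[0] == "delete")
    evaluations = sum(r[2] for r in results)
    return results, counts, evaluations


SAMPLE = [  # constructed messages
    {"from": "joao@mail.com.br", "subject": "Hi", "body": "..."},
    {"from": "shop@store.com", "subject": "Cheap Viagra", "body": "order now"},
    {"from": "wiz@example.com", "subject": "wiz@example.com", "body": "Canadian Pharmacy deals"},
    {"from": "friend@example.org", "subject": "lunch?", "body": "Canadian Pharmacy is a band"},
    {"from": "ups-notice@random.net", "subject": "UPS Delivery invoice", "body": "see zip"},
    {"from": "someone@random.net", "subject": "hello", "body": "just a note"},
]

if __name__ == "__main__":
    results, counts, evaluations = run_batch(SAMPLE)
    for msg, r in zip(SAMPLE, results):
        print(msg["from"], "->", r)
    print(dict(counts), "filter evaluations:", evaluations)
```

Two things the run shows: the Brazilian sender never reaches the regex filters at all, and the forged "wiz@example.com" message is still deleted even though that address is on the Friends list. Moving a rarely-hit filter to the top of CUSTOM_FILTERS raises the evaluation count without changing any verdict, which is the CPU cost the post talks about.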

About MailWasher Pro

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

I am available for hire to write custom MailWasher Pro filters for you or your company. They require that you have a copy of MailWasher on each computer to be customized.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads. You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by querying secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickels!

Wiz - out


April 24, 2010

The Foxit PDF reader is becoming an Adware supported P.U.P.

For a while now, the freeware Foxit PDF reader, an alternative to the also free and much exploited Adobe Reader, has been shipping bundled with the ASK search engine toolbar. Foxit is doing this because they get paid a commission for each installation of the Toolbar, by Ask.com, which helps offset the cost of developing and updating the Foxit Reader. Ask is a search engine, formerly known as "Ask Jeeves," which has been losing its popularity over the last several years. In an effort to improve their sagging search engine ranking, they have ramped up their partnerships with various software designers who are paid to include the Ask Toolbar in their program installers. In the Foxit PDF reader installer, this toolbar is also called the "Foxit Toolbar, Powered by Ask.com." In the terms of use license that most people agree to without reading, the option to install this toolbar is pre-checked by default. Many users of Foxit are used to simply accepting the default options when installing or updating the Foxit software. If you do allow the toolbar to be installed, the terms of the Ask Toolbar service are displayed to you, beginning with these words:

"We reserve the right to add additional features or functions to the existing Toolbar. When installed on your computer, the Toolbar periodically communicates with our servers. We may require the updating of the Toolbar ... This update may occur automatically."

The installation options warn that if you opt out of installing the "Foxit" toolbar you lose the Typewriter Tools, Text Viewer and Text Converter. This results in a lot more users allowing the Ask Toolbar to be installed than might have otherwise been the case. But, if someone wanted to remove it afterward, or disable it, there was no problem in the past.

However, as of April 2010, Foxit has been altered in the way the Ask Toolbar gets installed, so that it cannot be uninstalled in a simple fashion. According to Ellen7, on a Foxit Corporation Forum, when a user asked how to permanently remove the advertising and Ask Toolbar from the browser, after it was installed with a recent Foxit security update, her reply was: "sorry, the current version can not remove, but will be remove in the next version." (sic). Another person on that forum was told by the Forum Administrator that the current version does not allow you to remove the Ask Search from Foxit, but the next version will allow that option, as well as the removal of the browser toolbar and search changes that are forced by this version (Foxit Reader 3.2.1.401).

Furthermore, people have discovered that even if you uncheck the toolbar option during setup, it is still getting installed, or at least keeps trying to install itself, even when you tell WinPatrol's "Scotty" to block it! Then, when they try to remove it, it remains in their browsers, including the current version of Firefox. Once installed, your default search engine is forcibly changed to Ask.com. Normal procedures to switch back to Google or Yahoo are met with resistance by the Ask Toolbar, which remains active even if you uninstall it via Control Panel, or via the Add-ons utility in IE and Firefox.

Freeware software that bundles advertising and toolbars that are difficult to remove, or the removal of which breaks the functionality of said programs, is known in the security business as "Adware." Adware that sends home details about the browsing history of users is also sometimes called "Spyware." Programs that fall into this category are also affectionately referred to as PUPs, meaning Potentially Unwanted (or Unpopular) Programs. Most anti spyware programs will detect such applications and remove them from your PC during or after a scan, if you choose to have them do so. Some of the better known anti spyware programs that remove Adware and PUPs include Spybot Search and Destroy, Ad-Aware, and Malwarebytes Anti-Malware (a.k.a: MBAM, which also removes most really nasty spyware, rootkits, keyloggers and fake security alerts).

Instructions for manually resetting your search preferences in Internet Explorer and Firefox are found in my extended comments. Use them if the Ask Search Toolbar has hijacked your desired search engine in your browser.

If you have tried removing an unwanted Ask Toolbar via Control Panel > Add/Remove Programs, and via your browser Add-ons options, but to no avail, there is another means of subduing the beast. Try following these steps.

For Internet Explorer, first open Control Panel, then...


  1. Uninstall the Ask.com toolbar using the Add/Remove Programs

  2. Remove it from the Internet Options, under the General Tab > Search > Change search Defaults > "Settings" > click to highlight "Ask.com" then click on the "Remove" button at the bottom right side of the page.


For Firefox browsers, with Firefox open...

  1. On the address bar type: about:config (acknowledge the warning to continue)

  2. Change the setting - keyword.URL; - from ask.com to http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&q=

  3. Change the setting - browser.search.defaulturl - from ask.com to http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&q=

  4. change the settings - extension.snipit.chromeURL - from ask.com to http://www.google.com/search?&q={searchTerms}

  5. restart Firefox


You can also remove Ask.com from the list of Search Engines, in the Search box on the upper right of the Firefox browser, by scrolling down to the bottom and clicking Manage Search Engines. Click on Ask, then click Remove. Last, click on the Restore Defaults button to make Google the default search engine. This will fix the search, but won't get rid of the Toolbar. The previous steps should help accomplish that.
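The Firefox steps above boil down to three preferences in the profile's prefs.js file that the toolbar rewrote to point at ask.com. The script below is an added example written for this page, not part of the original post or of Firefox; it audits those preferences and resets them to the same Google URLs the manual steps use. It assumes the standard prefs.js line format user_pref("name", "value"); and must only be run with Firefox closed, because Firefox rewrites prefs.js on exit. The sample file content is constructed, and the profile path in the usage note is a placeholder.

```python
"""Detect and reset search-engine hijacks in a Firefox profile's prefs.js.

Added example, not part of the original post or of Firefox. It automates
the manual about:config steps: find the preferences the Ask toolbar
rewrote and point them back at the Google URLs the post gives. Firefox
stores these as user_pref("name", "value"); lines in prefs.js. Run it only
with Firefox closed. The sample content below is constructed.
"""
import re

HIJACK_MARKER = "ask.com"
GOOGLE_URL = "http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&q="

# Preferences named in the post, with the replacement value for each.
SEARCH_PREFS = {
    "keyword.URL": GOOGLE_URL,
    "browser.search.defaulturl": GOOGLE_URL,
    "extension.snipit.chromeURL": "http://www.google.com/search?&q={searchTerms}",
}

# user_pref("name", "value");  with backslash escapes allowed inside value
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);\s*$')

SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.google.com/");
user_pref("keyword.URL", "http://search.ask.com/web?q=");
user_pref("browser.search.defaulturl", "http://search.ask.com/web?q=");
user_pref("browser.search.selectedEngine", "Ask.com");
user_pref("extension.snipit.chromeURL", "http://www.ask.com/web?q={searchTerms}");
"""


def audit(prefs_text):
    """Return [(pref, value)] for the search prefs whose value points at ask.com."""
    hits = []
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if name in SEARCH_PREFS and HIJACK_MARKER in value.lower():
            hits.append((name, value))
    return hits


def repair(prefs_text):
    """Rewrite hijacked search prefs; return (new_text, number_of_changes).

    Only the prefs listed in SEARCH_PREFS are touched. Every other line,
    including unrelated ask.com references, is copied through unchanged so
    the file stays valid for Firefox.
    """
    out = []
    changed = 0
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) in SEARCH_PREFS and HIJACK_MARKER in m.group(2).lower():
            line = 'user_pref("%s", "%s");' % (m.group(1), SEARCH_PREFS[m.group(1)])
            changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed


def repair_file(path):
    """Apply repair() in place, keeping a .bak copy; returns the number of changes."""
    with open(path, "r", encoding="utf-8") as f:
        original = f.read()
    fixed, changed = repair(original)
    if changed:
        with open(path + ".bak", "w", encoding="utf-8") as f:
            f.write(original)
        with open(path, "w", encoding="utf-8") as f:
            f.write(fixed)
    return changed


if __name__ == "__main__":
    for name, value in audit(SAMPLE_PREFS_JS):
        print("hijacked:", name, "=", value)
    fixed_text, n = repair(SAMPLE_PREFS_JS)
    print(n, "preference(s) reset")
    print(fixed_text)
```

To use it on a real profile, call repair_file() with the path to that profile's prefs.js (for example C:\Users\<you>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>\prefs.js on Windows; the exact path is whatever your profile folder is). Note that browser.search.selectedEngine is deliberately left alone: the Ask entry in the search engine list is removed through Manage Search Engines as described above, and a later Firefox start re-selects the default engine once that entry is gone.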

In all fairness, I should point out that there are many other companies that are supplying freeware applications that come bundled with optional search toolbars. These include Yahoo, Google and Bing toolbars, among others. But, in most of the programs, deselecting or not installing the toolbar does not break the program, nor does the toolbar keep trying to install against your wishes. The issue brought up in this article pertains to the Foxit implementation only, which pretty much forces the toolbar on you and resists efforts to uninstall it, or breaks portions of the program for refusing to install it. In my opinion, this makes Foxit fall into the category of PUP.


April 22, 2010

Spybot Search & Destroy updates for April 21, 2010

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule, as listed below. Updated detections include new or modified fake security programs (fraudulent anti virus/spyware), Trojans, rootkits, online game password stealers and spam bots.

These updates may include variants of the infamous Zbot, a.k.a Zeus, banking Trojan. This is a keylogger that captures your logins to banks or other financial institutions, then sends them home to criminals, many of them in Russia and other parts of the former Soviet Union, where a large share of these Botnets and Trojans are written and controlled. If you run an anti spyware scan and discover Zbot on a computer that you use for online banking, PayPal, or auctions, call your bank right away, remove the key-logging Trojan, and then change all of your passwords. Make those password changes from a computer you know to be clean: anything you type on the infected PC before it is fully disinfected can simply be captured again.

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Spybot Search and Destroy is an excellent freeware tool for detecting and removing many types of spyware and malware threats, but it is limited by its once a week updates. It will only detect and remove threats that have already been in the wild for a period of time, not those just released or altered within the past day or two. Many of the threats in the wild have a useful distribution lifespan of between 24 and 48 hours.

If you want realtime protection against spyware, keyloggers, rootkits, rogue anti-virus and security programs, Trojans and other forms of malware, with very frequent automatic updates and scheduled malware scans and the blocking of IP addresses hosting attack codes and malware downloads, you should try Malwarebytes Anti-Malware. While it's free to use if you want to update it and scan manually, it costs under $25 USD for a lifetime license that turns on the advanced and automatic protection features. MBAM is used and recommended by security consultants and malware removal forums around the World.

Malwarebytes Anti-Malware

Definition updates made on 04/21/2010

Malware
+ Fraud.ControlCenter
++ Fraud.DigitalProtection
++ Fraud.IQManager
++ Fraud.MyProtection
+ Fraud.PaladinAntivirus
+ Lop
+ Mirar
+ Win32.Bifrost
+ Win32.FraudLoad
+ Win32.FraudLoad.edt
+ Win32.Renos

Spyware
+ AdRotator
+ Fake.AdobeUpdater
+ Marketscore.RelevantKnowledge
+ Win32.Spynet.a

Trojan
++ Adload.dl
++ IRCBot.gu
++ SmileyDistrict
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.ark
++ Win32.Agent.cls
++ Win32.Agent.fw
++ Win32.Agent.of
++ Win32.Agent.svc
+ Win32.Agent.wu
+ Win32.Allaple.ab
++ Win32.AutoRun.ul
++ Win32.Delf.wsg
+ Win32.FakeAlert.ttam
+ Win32.FraudPack
++ Win32.OnLineGames.mfem
+ Win32.TDSS.cl
+ Win32.TDSS.rtk
+ Win32.ZBot
+ Win32.ZBot.rtk

Total: 3018027 checksums in 1083786 rules for 5353 products.

False Positives Reported This Past Week

A confirmed false positive detection of "Virtumonde.sdn" in the file "zlibwapi" has been fixed with this week's updates.

Note that some types of malware use legitimate file names for their components, to fool computer users and anti-virus programs into ignoring them. When Spybot S&D tells you it has flagged or quarantined a file, it creates a report that includes a fingerprint of the file, its MD5 hash (shown as a 32 character hexadecimal string), as well as the file size, date stamp and any author and copyright information that has been extracted. Team Spybot keeps a database of MD5 hashes of known-good files, which it uses to weed out false positives, or to confirm that a file carrying a legitimate name is in fact infected. MD5 is no longer considered collision resistant, so newer tools record SHA-1 or SHA-256 alongside it, but a mismatch against the known-good hash (or size) is still a reliable sign that the file is not the genuine one. You can open these plain text reports from the program interface, under Tools > Reports, then copy and paste the contents into a new post in the False Positives forum, for investigation. Read how to report false positives here.
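The known-good comparison described above is simple to reproduce locally, and doing so shows why the file size and hash together are what matter, not the file name. The script below is an added example written for this page, not Spybot's code or its database. It hashes files with MD5 (what the Spybot report shows) and SHA-256, then classifies each file as known-good, a name hijack (legitimate name, wrong hash or size), or unknown. The known-good table and the file contents, including the "zlibwapi" look-alike, are constructed for the demonstration.

```python
"""Fingerprint files and check them against a known-good list.

Added example, not Spybot's code or database. Spybot's report records each
flagged file's MD5 and size; Team Spybot compares those with a database of
known-good hashes. This script does the same check locally and also
computes SHA-256, since MD5 is no longer collision resistant. The
known-good table and the file contents below are constructed.
"""
import hashlib
import os
import tempfile


def fingerprint(path, chunk=65536):
    """Return (size, md5_hex, sha256_hex) for a file, streaming it in chunks."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            size += len(block)
            md5.update(block)
            sha.update(block)
    return size, md5.hexdigest(), sha.hexdigest()


def classify(path, known_good):
    """Compare one flagged file with the known-good table.

    known_good maps a lower-case file name to (size, md5_hex). Returns:
      'known-good'  - name, size and MD5 all match the table
      'name-hijack' - name matches a known file but size/hash differ,
                      i.e. malware reusing a legitimate file name
      'unknown'     - the file name is not in the table at all
    """
    name = os.path.basename(path).lower()
    size, md5_hex, _sha = fingerprint(path)
    entry = known_good.get(name)
    if entry is None:
        return "unknown"
    good_size, good_md5 = entry
    if size == good_size and md5_hex == good_md5:
        return "known-good"
    return "name-hijack"


def build_demo(directory):
    """Write three constructed files and build a known-good table from the
    legitimate copy, so the check can be exercised offline."""
    legit = b"MZ" + b"\x00" * 62 + b"legitimate zlibwapi build (constructed)"
    fake = b"MZ" + b"\x00" * 62 + b"dropper pretending to be zlibwapi (constructed)"
    paths = {}
    for name, data in (("zlibwapi.dll", legit),
                       ("evil/zlibwapi.dll", fake),
                       ("random.tmp", b"nothing to see")):
        full = os.path.join(directory, name)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        paths[name] = full
    size, md5_hex, _ = fingerprint(paths["zlibwapi.dll"])
    known_good = {"zlibwapi.dll": (size, md5_hex)}
    return paths, known_good


def run_demo():
    """Create the constructed files in a temp dir and classify each;
    returns {name: verdict}."""
    with tempfile.TemporaryDirectory() as d:
        paths, known_good = build_demo(d)
        return {name: classify(p, known_good) for name, p in paths.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print("%-20s %s" % (name, verdict))
```

In practice you would fill the known-good table from a vendor hash list rather than from the file on the suspect machine, as the demo does for illustration; the point is that the look-alike with the right name is caught by its hash and size, and a file the table does not know about is reported as exactly that, not as clean.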


Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, immunizing against all threats does require Admin privileges. If you, like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and choose Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools", then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance one minute
* check the check box for Resident TeaTimer again to restart TeaTimer

If that also fails, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks a file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right-clicking the item in the Spybot S&D scan results and selecting "Exclude this detection from further searches."

If you are running several brands of security software, make sure that only one active protection (realtime monitoring) feature runs at a time. In case you want to deactivate TeaTimer, to avoid conflicts, you can do this in Spybot S&D advanced mode in Tools - Resident, as described above.


April 18, 2010

My Spam analysis for the week of April 12 - 18, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels increased slightly this week over last week, to 52% of all my incoming email. Fluctuations in spam levels are sometimes seasonal, or may be due to problems or successes Bot-masters have in maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs that provide their Internet connectivity. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit and counterfeit pharmaceuticals, including spam for the totally fake Canadian Pharmacy. Other measurable categories of spam included many for counterfeit watches, Russian bride dating scams (via Live.com spam links) and fake courier failed delivery notices that have attachments containing the Zbot, a.k.a. the Zeus banking Trojan.

My updated blacklisted senders list proved slightly effective this week, auto-deleting 7.52% of all incoming spam (see my extended content for details). I saw a huge increase in the number of emails forging my own accounts as the senders, with 101 this week, which was 33% of my total spam. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so I can easily detect and delete Joe Job spam.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for April 12 - 18, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

MailWasher Pro spam category breakdown for April 12 - 18, 2010. Spam amounted to 52% of my incoming email this week. This represents a +4% change from last week.

Here are some facts from my MailWasher Statistics for the past week. Of the 335 incoming email messages that were classified as spam, 294 were from my custom filters, 24 were from my custom Blacklist and 1 from the DNS Servers Blacklist (mostly the SpamCop Blocklist (SBL)). I actually only saw 50 spam messages, all of which I reported through my SpamCop reporting account. The rest were automatically deleted by my custom filters and Blacklist.

MailWasher Pro by Firetrust
Viagra: 41.38%
Pharmaceutical Spam: 12.54%
Other Filters (misc filters): 10.66%
Blacklisted Senders (dating scams & Viagra, etc): 7.52%
Canadian Pharmacy Scams: 6.58%
Known Spam Domains: 4.39%
Counterfeit Watches: 3.45%
Diploma scams: 3.45%
Counterfeit Goods: 3.94%
Male Enhancement Scams: 2.82%
Watches: 2.51%
Live.com Spam Links: 2.51%
Lottery Scams: 1.88%
DNS Blacklisted Servers: 0.31%

This was a busy week for updates to my custom spam filters. The latest updates to my custom MailWasher Pro filters were to these filters:

APNIC
Counterfeit Goods
Dating (Russian bride scams)
DHL Courier Scam
HTML Spam Tricks
Money Mule Scam
Software Spam
Viagra.com Spam
Added new pirated "Software for MAC" filter

The following recent MailWasher Pro Email Blacklist entries were able to block over 7.5% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and CPU load are greatly reduced.
+@+.br (New)
+@+.cn
+@+.de
+@+.es
+@+.gr (New)
+@+.hk
+@+.in (New)
+@+.jp
+@+.kr
+@+.ru
+@+.tw
+@+.vn
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
notification*@googlemail.com
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected] (New)
*discount*@yahoo.com (New)

About MailWasher Pro

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

I am available for hire to write custom MailWasher Pro filters for you or your company. They require that you have a copy of MailWasher on each computer to be customized.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads. You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

April 14, 2010

Spybot Search & Destroy updates for April 14, 2010

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule, as listed below. 5 new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 33 new or modified Trojans, rootkits, online game password stealers and spam bots were added to the "Trojan" list. These include variants of the infamous Zbot, a.k.a. Zeus, banking Trojan. If you have the Zbot on your computer and use that PC for online banking, call your bank right away. Cyber-criminals in Eastern Europe may have already emptied your accounts!

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Definition updates made on 04/14/2010

Adware
+ BaiduBar

Hijacker
+ Win32.Cherche.us

Malware
+ Fake.Antivir
+ Fraud.LivePCGuard
+ Fraud.SecurityCentral
+ Fraud.Sysguard
+ Fraud.YourProtection
+ Lop
+ Win32.FraudLoad
+ Win32.FraudLoad.edt

PUPS
+ MyWay.MyWebSearch

Spyware
+ AdRotator
+ Fake.AdobeUpdater
+ Win32.Spynet.a

Trojans
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.acc
+ Win32.Agent.dfg
+ Win32.Agent.exp
+ Win32.Agent.ghs
+ Win32.Agent.ie
+ Win32.Agent.msu
+ Win32.Agent.run
+ Win32.Agent.xwr
+ Win32.Allaple.ab
+ Win32.Ambler
+ Win32.FraudPack
+ Win32.OnLineGames.bknd
+ Win32.OnLineGames.tnba
+ Win32.OnLineGames.tndv
+ Win32.OnLineGames.tnee
+ Win32.OnLineGames.tnet
+ Win32.OnLineGames.tnfs
+ Win32.OnLineGames.tnhn
+ Win32.OnLineGames.tnsc
+ Win32.OnLineGames.tnwc
+ Win32.OnLineGames.tnxp
+ Win32.OnLineGames.ubga
+ Win32.OnLineGames.unsp
+ Win32.OnLineGames.vcrs
+ Win32.Rbot.cmd
+ Win32.Rbot.kav
+ Win32.SDBot.sys
+ Win32.TDSS.reg
+ Win32.TDSS.rtk
+ Win32.ZBot
+ Win32.ZBot.rtk

Total: 2997706 checksums in 1077577 rules for 5338 products.

False Positives Reported This Past Week

A possible false positive was reported stating that Spybot Search & Destroy flagged the file "zlibwapi" as being infected with Virtumonde.sdn Trojan. No reply has been made as of this post.

A confirmed false positive detection of "Virtumonde.sdn" in c:\windows\system32\encapi32.dll (an old file referring to Microsoft Encarta) was fixed with today's updates. Note, the reporting member submitted the md5 signature and file size of the file in question, confirming that it was the legitimate Microsoft file and not a Trojan masquerading as a legitimate file.



Note that there are types of malware that use legitimate file names for their evil components, to try to fool computer users and anti-virus programs into ignoring them. When Spybot S&D tells you it has flagged or quarantined a file, it creates a report that includes a 32-character code that is a fingerprint of the file, as well as the file size, date stamp and any author and copyright information that has been extracted. This fingerprint is known as the md5 signature. Team Spybot has a database of known good file md5 signatures, which it uses to weed out false positives, or to confirm hijacked file names as being infected. You can open these plain text reports from the program interface, under Tools > Reports, then copy and paste the contents into a new post in the False Positives forum for investigation. Read how to report false positives here.
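The check the paragraph above describes, size plus md5 compared against a known-good reference, is easy to reproduce locally before posting a report. The Python below is an added example written for this page, not Team Spybot's tooling: it fingerprints a file in chunks, adds a SHA-256 alongside the md5 (MD5 collisions are known, so two hashes plus the size is a stronger test than md5 alone), and compares the result with a reference table. The reference table is constructed from made-up bytes so the example runs offline; real reference values would come from the vendor's install media or a trusted hash database, and the file name encapi32.dll is used only because the post mentions it.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Fingerprint:
    size: int
    md5: str      # what the False Positives forum asks for
    sha256: str   # added here as the stronger check


def fingerprint_bytes(data: bytes) -> Fingerprint:
    """Fingerprint an in-memory blob (used for the constructed reference table)."""
    return Fingerprint(len(data), hashlib.md5(data).hexdigest(),
                       hashlib.sha256(data).hexdigest())


def fingerprint_file(path: str, chunk_size: int = 1 << 20) -> Fingerprint:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    md5, sha, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha.update(block)
            size += len(block)
    return Fingerprint(size, md5.hexdigest(), sha.hexdigest())


# Constructed reference table keyed by lowercase file name. The bytes are
# made up so the example runs offline; they are NOT the real file's content.
_REFERENCE_BYTES = {"encapi32.dll": b"constructed stand-in for the legitimate file\n"}
KNOWN_GOOD: Dict[str, Fingerprint] = {
    name: fingerprint_bytes(data) for name, data in _REFERENCE_BYTES.items()
}


def verdict(file_name: str, fp: Fingerprint) -> str:
    """Compare a flagged file's fingerprint against the known-good table."""
    ref = KNOWN_GOOD.get(file_name.lower())
    if ref is None:
        return "unknown: no reference fingerprint for this name; ask the vendor"
    if fp == ref:
        return "match: legitimate file, report the detection as a false positive"
    if fp.size == ref.size and fp.md5 == ref.md5:
        # Same size and MD5 but a different SHA-256 is what an MD5 collision looks like.
        return "md5 collision: MD5 and size agree but SHA-256 differs; treat as hostile"
    return "mismatch: same name, different content; treat as a masquerading file"


def roundtrip_check() -> bool:
    """Sanity check: hashing a file on disk equals hashing the same bytes in memory."""
    data = _REFERENCE_BYTES["encapi32.dll"]
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        return fingerprint_file(path) == fingerprint_bytes(data)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(verdict("encapi32.dll", KNOWN_GOOD["encapi32.dll"]))
    print(verdict("encapi32.dll", fingerprint_bytes(b"something else")))
    print(verdict("zlibwapi.dll", fingerprint_bytes(b"no reference on file")))
    print("roundtrip ok:", roundtrip_check())
```

When you post to the forum, include all three values and the file's date stamp; a matching md5 and size alone is what the forum thread used, but a name match with a different hash is exactly the masquerading case the paragraph warns about.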


Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But to immunize against all threats does require Admin privileges. If you, like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save it to a removable disk or drive, then install it into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of Conficker or similar malware), or because of other networking problems. The downloaded definition includes file will look for a typical Spybot installation location and update it immediately, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of TeaTimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions while it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools", then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance one minute
* check the check box for Resident TeaTimer again to restart TeaTimer

If that also fails, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks a file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right-clicking the item in the Spybot S&D scan results and selecting "Exclude this detection from further searches."

If you are running several brands of security software, make sure that only one active protection (realtime monitoring) feature runs at a time. In case you want to deactivate the TeaTimer, to avoid conflicts, you can do this in Spybot S&D advanced mode in Tools - Resident, as described above.

April 11, 2010

My Spam analysis for the week of April 5 - 11, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have remained the same this week as last week, at 48% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit and counterfeit pharmaceuticals, including spam for the totally fake Canadian Pharmacy. Other measurable categories of spam included many for counterfeit watches and Russian bride dating scams.

My updated blacklisted senders list proved very effective this week, auto-deleting 12% of all incoming spam (see my extended content for details). I saw a huge increase in the number of emails forging my own accounts as the senders, with 90 this week, which was 30% of my total spam. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so I can easily detect and delete Joe Job spam.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for April 5 - 11, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

MailWasher Pro spam category breakdown for April 5 - 11, 2010. Spam amounted to 48% of my incoming email this week. This represents zero change from last week.

Here are some facts from my MailWasher Statistics for the past week. Of the 294 incoming email messages that were classified as spam, 242 were from my custom filters, 34 were from my custom Blacklist and 3 from the DNS Servers Blacklist (mostly the SpamCop Blocklist (SBL)). I actually only saw 61 spam messages, all of which I reported through my SpamCop reporting account. The rest were automatically deleted by my custom filters and Blacklist.

MailWasher Pro by Firetrust
Viagra: 31.54%
Pharmaceutical Spam: 13.26%
Blacklisted Senders (dating scams & Viagra, etc): 12.19%
Counterfeit Watches: 10.39%
Other Filters (misc filters): 8.60%
Dating Scams: 6.81%
Canadian Pharmacy Scams: 4.66%
Other Counterfeit Goods: 3.94%
Male Enhancement Scams: 2.51%
Known Spam Domains: 2.15%
Live.com Spam Links: 1.43%
HTML Tricks: 1.43%
DNS Blacklisted Servers: 1.08%

This was a slow week for updates to my custom spam filters. The latest updates to my custom MailWasher Pro filters were to these filters:

Dating (Russian bride scams)
Known Spam Subjects #3
Unlicensed Prescription Drugs
Watches
(New) Email Address in Subject

The following recent MailWasher Pro Email Blacklist entries were able to block over 12% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and CPU load are greatly reduced.
+@+.cn
+@+.de
+@+.es
+@+.hk
+@+.jp
+@+.kr
+@+.ru
+@+.tw
+@+.vn
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
notification*@googlemail.com
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
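Both spam posts above (April 12 - 18 and April 5 - 11) describe the same screening order: the cheap sender blacklist is processed first, then the "Friends" whitelist, then the custom content filters, some of which are allowed to override the Friends list so that Joe Job spam forging my own accounts is still caught. The Python below is an added example written for this page, not MailWasher Pro code, showing that pipeline end to end. The blacklist entries are a constructed subset of the wildcard entries listed in the posts (the "[email protected]" lines are an extraction artifact and are not reproduced); the Friends list, the example.com accounts and the message samples are constructed; and reading both "+" and "*" as "any run of characters" is an assumption about MailWasher's wildcard syntax, not something the posts state.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# ---- Constructed lists, modelled on the blacklist entries in the posts above.
BLACKLIST = [
    "+@+.br", "+@+.cn", "+@+.ru", "+@*.hinet.net", "+@*ukrtel.net",
    "notification*@googlemail.com", "*discount*@yahoo.com",
]
FRIENDS = ["*@example.com"]                              # whitelist: my own domain (constructed)
MY_ACCOUNTS = ["me@example.com", "admin@example.com"]    # addresses spammers forge (constructed)


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Anchored, case-insensitive regex for a MailWasher-style sender pattern.

    ASSUMPTION: '+' and '*' both mean "any run of characters"; everything else
    is literal. Check MailWasher's own help before relying on this reading.
    """
    parts = re.split(r"[+*]", pattern)
    return re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$", re.IGNORECASE)


def first_match(address: str, patterns: List[str]) -> Optional[str]:
    """Return the first pattern matching the sender address, or None."""
    for pat in patterns:
        if pattern_to_regex(pat).match(address):
            return pat
    return None


@dataclass
class Message:
    sender: str
    subject: str
    body: str

    def text(self) -> str:
        return self.subject + "\n" + self.body


@dataclass
class CustomFilter:
    name: str
    test: Callable[[Message], bool]
    overrides_friends: bool = False   # the option the posts rely on for Joe Jobs
    auto_delete: bool = True


# Content rules. The Viagra rule tolerates one separator between letters and a
# digit-for-letter swap (v.i.a.g.r.a, v-i-a-g-r-a, V1AGRA); looser patterns
# catch more obfuscation but also raise the false-positive rate.
_VIAGRA = re.compile(r"v[\W_]?[i1][\W_]?a[\W_]?g[\W_]?r[\W_]?a", re.IGNORECASE)
_LOTTERY = re.compile(r"\b(lottery|you have won|prize claim)\b", re.IGNORECASE)


def _joe_job(msg: Message) -> bool:
    """Spam content arriving with one of my own accounts as the forged From."""
    return first_match(msg.sender, MY_ACCOUNTS) is not None and bool(
        _VIAGRA.search(msg.text()) or _LOTTERY.search(msg.text())
    )


FILTERS = [
    CustomFilter("Joe Job (forged own account)", _joe_job, overrides_friends=True),
    CustomFilter("Viagra", lambda m: bool(_VIAGRA.search(m.text())), overrides_friends=True),
    CustomFilter("Lottery Scams", lambda m: bool(_LOTTERY.search(m.text()))),
]


def classify(msg: Message) -> Tuple[str, bool]:
    """Return (category, auto_delete) for one message.

    Order follows the posts: the cheap blacklist check runs first so that
    blacklisted senders never reach the content filters; then the Friends
    list; then the custom filters, of which only those marked
    overrides_friends are applied to whitelisted senders.
    """
    if first_match(msg.sender, BLACKLIST) is not None:
        return ("Blacklisted Senders", True)
    is_friend = first_match(msg.sender, FRIENDS) is not None
    for flt in FILTERS:
        if is_friend and not flt.overrides_friends:
            continue
        if flt.test(msg):
            return (flt.name, flt.auto_delete)
    return ("Good", False)


if __name__ == "__main__":
    samples = [
        Message("promo@mail.ru", "Hi", "hello"),
        Message("notification-123@googlemail.com", "Your account", "..."),
        Message("me@example.com", "Cheap V.i.a.g.r.a", "order now"),
        Message("bob@example.com", "You have won", "call me about the lottery"),
        Message("bob@elsewhere.org", "You have won", "call me about the lottery"),
        Message("bob@elsewhere.org", "Meeting", "see you at 3"),
    ]
    for m in samples:
        print(f"{m.sender:35} -> {classify(m)}")
```

The fourth sample is the interesting one: a whitelisted sender carrying lottery-scam text is passed because that filter does not override the Friends list, while the third (my own address forged as the From, with spam content) is deleted because the Joe Job filter does. That is the behaviour the posts rely on, and it is also why a plain whitelist of one's own domain is not safe on its own.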

About MailWasher Pro

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

I am available for hire to write custom MailWasher Pro filters for you or your company. They require that you have a copy of MailWasher on each computer to be customized.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads. You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

April 9, 2010

Adobe PDF "/Launch" Social Engineering Attack to be patched on 4/13/2010

According to a security bulletin posted on Adobe.com, on April 13, 2010 they will be releasing updated version 9.3.2 of Adobe's PDF Reader and Acrobat PDF encoder software, for Windows, Mac and Linux/Unix operating systems. This is a critical update that will correct a feature that has been demonstrated to be an attack vector that can be used by criminal exploiters. There is also going to be an update from version 8.2.1 to v 8.2.2 for Windows and Macintosh platforms using that version.

If you have installed Adobe Acrobat or Reader 9.3.1 and chosen to set the preferences to automatically check for and apply updates, you should receive the new version when it is released in your timezone, on April 13, 2010. If you haven't set that preference, you can do so now, by following these steps...

Open Adobe Reader 9.x. Click on Edit. Scroll down to the bottom of the flyout options and click on "Preferences." When the Preferences box opens go to the last entry on the left, labeled "Updater" and click on it. In the left options select "Automatically install updates." Click OK to save your changes.

If you cannot allow the automatic updater to be enabled, due to company policy or paranoia, you should check for updates manually, by opening Reader or Acrobat, then go to the "Help" menu item, then click on the flyout option "Check for Updates." You must have Administrator privileges to check for updates, or to alter the automatic updater preferences.

The feature that is being patched on April 13 is a command known as "/Launch /Action", which has been a part of Adobe Reader and Acrobat for a very long time. Adobe's Reader and Acrobat are able to open or launch embedded and external applications by using this function, but they first display a dialog box requesting the user's permission. The wording inside the dialog box can be set by the author of the PDF file in question. This would allow a criminal or hacker to craft words designed to fool users into thinking that they were doing the right thing by opening an application or executable that may be embedded within the PDF package. This could be accomplished by social engineering tactics, such as are already used successfully in various Phishing attacks. They could make a PDF document look like a message from your bank or loan company, with authentic logos, then present the Open dialog box with wording to the effect that you must click Open to submit the enclosed form. You could be fooled into installing a keylogger, or Bot malware on your PC, just like that.

As was demonstrated by researcher Didier Stevens, on March 29, 2010, if a user receives such a specially crafted PDF file and is tricked into allowing the Launch action to take place, their computer could become infected with an embedded virus, or malware downloader, or the default browser could be opened to a URL where malware attacks could be launched. Furthermore, another proof of concept exploit has been demonstrated showing that this attack could be used to infect other clean PDF files on that computer, turning the original malware laden PDF file into a replicating Worm.

If you don't want to wait for Adobe's patch to be released on April 13, you can manually disable the feature that allows the exploit to occur. Just open the Adobe Reader or Acrobat Preferences (under Edit), find the left sidebar option labeled "Trust Manager" and click on it. When the Trust Manager options load, uncheck the top option labeled: "Allow opening of non-PDF file attachments with external applications." Click OK and you are protected from this particular exploit vector.

While the Reader/Acrobat Preferences are still open, consider disabling JavaScript (under "JavaScript") and/or displaying of PDF documents in Web browsers (under "Internet"). That fixes two other attack vectors already in use by malware authors. If you find that you need JavaScript to fill in forms or read certain documents, just re-enable it as needed.
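Turning the feature off in Trust Manager protects the reader application; it does not tell you which PDFs arriving by email actually carry a Launch action. The Python below is an added triage scanner written for this page (not Adobe's code and not Didier Stevens' proof of concept): it counts /Launch occurrences in a PDF's bytes, together with the /JavaScript, /JS, /OpenAction and /AA names tied to the other vectors the post suggests disabling, and first decodes PDF name hex escapes (/L#61unch is a legal spelling of /Launch) and inflates FlateDecode streams so that a trivially encoded or compressed action dictionary is not missed. The three fixtures at the bottom are constructed fragments, not complete, openable PDFs, and the file name in /F is a placeholder.

```python
import re
import zlib
from typing import Dict

# Names worth counting. /Launch is the action the post is about; /JavaScript
# and /JS are the scripting vector; /OpenAction and /AA are the triggers that
# fire an action automatically on open. Counting is not a verdict: many clean
# documents carry an /OpenAction that just sets the initial page.
RISKY_NAMES = (b"/Launch", b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Decode PDF name hex escapes so that /L#61unch is scanned as /Launch.

    A plain substring search is defeated by this legal encoding; decoding
    every #xx sequence is a heuristic that is good enough for a triage scan.
    """
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the raw bytes plus the inflated body of every zlib stream.

    Object dictionaries can live inside compressed object streams, so the
    scan must look at the decompressed content as well as the raw file.
    """
    inflated = []
    for match in _STREAM.finditer(data):
        d = zlib.decompressobj()
        try:
            body = d.decompress(match.group(1))  # trailing newline lands in unused_data
        except zlib.error:
            continue  # not a zlib stream (image data, other filters, etc.)
        if d.eof:      # keep only streams that decompressed completely
            inflated.append(body)
    return data + b"\n" + b"\n".join(inflated)


def scan_pdf_bytes(data: bytes) -> Dict[str, int]:
    """Count each risky name in the raw and inflated content of a PDF."""
    text = normalize_names(inflate_streams(data))
    counts: Dict[str, int] = {}
    for name in RISKY_NAMES:
        # A name ends at the first non-regular character; the lookahead keeps
        # /JS from matching inside a longer name such as /JSFoo.
        hits = re.findall(re.escape(name) + rb"(?![A-Za-z0-9_])", text)
        if hits:
            counts[name.decode()] = len(hits)
    return counts


def is_suspicious(data: bytes) -> bool:
    """True when the file carries a Launch or JavaScript action."""
    counts = scan_pdf_bytes(data)
    return any(k in counts for k in ("/Launch", "/JavaScript", "/JS"))


# ---- Constructed fixtures (fragments, not complete, openable PDFs) ----------
CLEAN_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n%%EOF\n"
)
# Launch action with the name hex-escaped; /F holds a placeholder string.
LAUNCH_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /Action /S /L#61unch /F (placeholder-file-name) >>\nendobj\n%%EOF\n"
)
# JavaScript action hidden inside a FlateDecode stream.
_HIDDEN = b"4 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n"
_PACKED = zlib.compress(_HIDDEN)
COMPRESSED_JS_PDF = (
    b"%PDF-1.5\n5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_PACKED)).encode() + b" >>\nstream\n" + _PACKED + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PDF), ("launch", LAUNCH_PDF),
                        ("compressed-js", COMPRESSED_JS_PDF)):
        print(label, scan_pdf_bytes(blob), "SUSPICIOUS" if is_suspicious(blob) else "ok")
```

Treat a hit as a reason to open the file only in a reader with the Trust Manager option above unchecked and JavaScript disabled, or not at all; and remember the scanner is a string heuristic, so a document that hides its action dictionary behind a filter this code does not inflate (or an encrypted one) will come back clean.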

You can really reduce your computer's likelihood of becoming infected by operating with non-Administrator rights. If you use Windows XP Home you can demote your account to Limited User, while XP Professional users can become Power Users. Vista and Windows 7 have a new account type called Standard User and that is what you should use for your everyday operation. You should read my recent post explaining how 90% of critical Windows vulnerabilities can be mitigated by removing Admin rights from an account.


April 7, 2010

Spybot Search & Destroy updates for April 7, 2010

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule, as listed below. 4 new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 13 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. These include a variant of the infamous Zbot, a.k.a. Zeus, banking Trojan. If you have the Zbot on your computer and use that PC for online banking, call your bank right away. Cyber-criminals in Eastern Europe may have already emptied your accounts!

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Definition updates made on 04/7/2010

Malware
++ Fraud.BPSPCSpeedScanPro
+ Fraud.Sysguard
+ Win32.FraudLoad.edt
+ Win32.VB.bpbu

Spyware
+ Fake.AdobeUpdater
+ Win32.Spynet.a

Trojans
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.exp
+ Win32.Agent.sys
+ Win32.Agent.wu
+ Win32.FakeAlert.ttam
+ Win32.Koobface
++ Win32.OnLineGames.tned
++ Win32.OnLineGames.tnee
++ Win32.OnLineGames.tneu
++ Win32.OnLineGames.tngi
+ Win32.ZBot

Worm
+ Win32.Amburadul

Total: 2249732 checksums in 841186 rules for 5305 products.

False Positives Reported This Past Week

Here's a reverse false positive; against Spybot itself!

Warning - False Positive! McAfee detects parts of Spybot-S&D as Trojan Horse!
6. April 2010

With recent virus definitions (5938, 2-Apr-2010), McAfee detects the SDShred.exe of Spybot Search & Destroy as Generic.dx!qln (Trojan).

This is a false positive from McAfee that has already been fixed. Please search for new updates (5940, 3-Apr-2010 or later) for your McAfee version.

In case McAfee has deleted any of our files, to get Spybot - Search & Destroy back, please uninstall, then download a fresh copy of Spybot-S&D 1.6.2 and install it.


One false positive was reported for last week and was under investigation. It appears that people with Avast Pro 5.0.462 and Spybot will get a report that they have a rootkit named "Win32.ZBot.rtk" in various strange files, after updating to the 3/31/2010 Spybot definitions. It has now been confirmed that this is a false positive caused by the anti-rootkit module used in Avast Pro, mistakenly flagged by Spybot. The definition updates for April 7, 2010, will fix this problem.

There was a false positive detection of the Morpheus Toolbar confirmed in Malwarebytes Anti-Malware 1.45 setup file. MBAM is normally white listed via its digital signature, however, it appears that the new MBAM 1.45 installer uses a new digital signature serial number. This new one will be added to the Spybot white list just to be on the safe side.


Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, to immunize against all threats does require Admin privileges. If you, like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

* right click the (TeaTimer) Resident tray icon
* select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and selecting "exclude this detection from further searches".

If you are running several brands of security software, make sure that only one active protection (realtime monitoring) feature runs at a time. In case you want to deactivate the TeaTimer, to avoid conflicts, you can do this in Spybot S&D advanced mode in Tools - Resident, as described above.


April 4, 2010

My Spam analysis for the week of March 29 - April 4, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 8% this week from last week's level, making two consecutive weeks of declines in spam volumes. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit pharmaceuticals. The totally fake Canadian Pharmacy is back in the count, with a lot of landing pages hosted on spaces.live.com pages, as well as on Botnetted PCs. Other measurable categories of spam included counterfeit watches and other knockoffs, fake diplomas, Russian bride dating scams and UPS Phishing scams.

My updated blacklisted senders list proved very effective this week, auto-deleting almost 15% of all incoming spam (see my extended content for details). I saw a slight decrease in the number of emails forging my own accounts as the senders, with 48 this week, which was 16% of my total spam. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people whitelisting their own accounts and domains.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for March 29 - April 4, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

MailWasher Pro spam category breakdown for March 29 - April 4, 2010. Spam amounted to 48% of my incoming email this week. This represents a -8% change from last week.

Here are some facts from my MailWasher Statistics for the past week. Of the 282 incoming email messages that were classified as spam, 236 were from my custom filters, 42 were from my custom Blacklist and 4 from the DNS Servers Blacklist (mostly the SpamCop Blocklist (SBL)). I actually only saw 52 spam messages, all of which I reported through my SpamCop reporting account. The rest were automatically deleted by my custom filters and Blacklist.

MailWasher Pro by Firetrust
Viagra: 27.82%
Blacklisted Senders (dating scams & Viagra, etc): 14.79%
Pharmaceutical Spam: 14.08%
Counterfeit Watches: 10.92%
Other Filters (misc filters): 9.86%
Known Spam Domains: 4.58%
Diploma Scams: 4.23%
UPS Phishing Scams (including links to Zbot/Zeus): 3.52%
Counterfeit Goods: 2.82%
Canadian Pharmacy Scams: 2.11%
Dating Scams: 2.11%
HTML Tricks: 1.76%
DNS Blacklisted Servers: 1.41%

This was a slow week for updates to my custom spam filters. The latest updates to my custom MailWasher Pro filters were to these filters:

Known Spam Domains
Pharmaceuticals [S]
Unlicensed Prescription Drugs
New: Garbage Subject filter

The following recent MailWasher Pro Email Blacklist entries were able to block almost 15% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.cn
+@+.de
+@+.hk
+@+.jp
+@+.kr
+@+.ru
+@+.tw
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
notification*@googlemail.com
[email protected]
[email protected]
[email protected]
[email protected]
[email protected] (New)
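Two points from this post deserve a concrete illustration: the blacklist is evaluated before the custom filters, so a cheap sender match short-circuits the more expensive content rules, and a custom filter can be set to override the "Friends" whitelist so that "Joe Job" spam forging your own address is still caught. The screener below is an added example written for this post, not MailWasher Pro's code, and it makes one labelled assumption about the wildcard patterns quoted above: '*' matches zero or more characters and '+' one or more. The own domain "example.net", the Friends entry, the filters and the six messages are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

OWN_DOMAIN = "example.net"              # assumption: the recipient's own mail domain
FRIENDS = {"friend@partner.example"}    # constructed "Friends" (whitelist) entry

# Constructed blacklist in the wildcard style used in the post. Assumption for
# this example: '*' = zero or more characters, '+' = one or more characters.
BLACKLIST = ["+@+.cn", "+@+.ru", "+@*.hinet.net", "notification*@googlemail.com"]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one blacklist pattern into an anchored, case-insensitive regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "+":
            parts.append(".+")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


BLACKLIST_RE = [pattern_to_regex(p) for p in BLACKLIST]


@dataclass
class Message:
    sender: str
    subject: str
    body: str


@dataclass
class Filter:
    name: str
    matches: Callable[[Message], bool]
    overrides_friends: bool = False   # the "override Friends list" option


def _text(msg: Message) -> str:
    return (msg.subject + "\n" + msg.body).lower()


FILTERS: List[Filter] = [
    # Joe Job: sender claims our own domain but the content is spam. This filter
    # must override Friends, otherwise whitelisting our own address hides it.
    Filter("Joe Job",
           lambda m: m.sender.lower().endswith("@" + OWN_DOMAIN)
           and re.search(r"viagra|cialis|pharmacy", _text(m)) is not None,
           overrides_friends=True),
    Filter("UPS Phishing Scams",
           lambda m: re.search(r"\bups\b", _text(m)) is not None
           and re.search(r"invoice|tracking|parcel", _text(m)) is not None),
    Filter("Viagra", lambda m: "viagra" in _text(m)),
]


def classify(msg: Message) -> Tuple[str, Optional[str]]:
    """Return (action, category). Blacklist first (cheap), content filters after."""
    for rx in BLACKLIST_RE:
        if rx.match(msg.sender):
            return "delete", "Blacklisted Senders"
    is_friend = msg.sender.lower() in FRIENDS
    for f in FILTERS:
        if f.matches(msg):
            if is_friend and not f.overrides_friends:
                continue              # an ordinary filter loses to the Friends list
            return "delete", f.name
    return "keep", None


def category_breakdown(msgs: List[Message]) -> Dict[str, float]:
    """Percentage of deleted spam per category, like the weekly pie chart."""
    hits: Dict[str, int] = {}
    for m in msgs:
        action, cat = classify(m)
        if action == "delete" and cat is not None:
            hits[cat] = hits.get(cat, 0) + 1
    total = sum(hits.values())
    return {c: round(100.0 * n / total, 2) for c, n in hits.items()} if total else {}


SAMPLE = [  # constructed messages
    Message("spammer@mail.example.ru", "Hi", "great offer"),
    Message("friend@partner.example", "Meeting", "see you at 10"),
    Message("friend@partner.example", "Fwd", "is viagra spam still a thing?"),
    Message("me@example.net", "Cheap meds", "buy viagra online"),
    Message("notices@courier.example", "UPS delivery", "your parcel invoice is attached"),
    Message("news@shop.example", "Sale", "discount viagra"),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m.sender, "->", classify(m))
    print(category_breakdown(SAMPLE))
```

The third sample message shows why the override flag matters: a friend forwarding a message that mentions Viagra is kept, because the ordinary "Viagra" filter defers to the Friends list, while the fourth message, forged to come from the owner's own domain, is deleted by the overriding "Joe Job" filter even though the owner would normally whitelist that address.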

About MailWasher Pro

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads. You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickels!

Wiz - out


April 3, 2010

90% of critical Windows vulnerabilities mitigated by eliminating administrator rights

According to a recent study, as much as 90% of all Windows 7 vulnerabilities can be mitigated by forcing users to operate their computers with Standard User privileges, rather than Administrator privileges. This is something I have been harping about for several years. The following are some of their findings after an extensive study.

From a news release published by BeyondTrust, on March 29, 2010, BeyondTrust's Analysis of 15 months of Microsoft Security Bulletins finds the vast majority of vulnerabilities can be diminished by configuring end users as Standard Users. They found that the removal of administrator rights from Windows users is a mitigating factor for 90% of Critical Windows 7 Vulnerabilities.

Key findings from this report show that removing administrator rights will better protect companies against the exploitation of:

  • 90% of critical Windows 7 vulnerabilities reported to date
  • 100% of Microsoft Office vulnerabilities reported in 2009
  • 94% of Internet Explorer and 100% of Internet Explorer 8 vulnerabilities reported in 2009
  • 64% of all Microsoft vulnerabilities reported in 2009

"Enterprises continue to face imminent danger from zero-day attacks as new vulnerabilities are exploited before patches can ever be developed and deployed," said Steve Kelley, EVP of corporate development. "Our findings reflect the critical role that restricting administrator rights plays in protecting against these types of threats. As companies migrate to Windows 7 they need to be aware that despite enhanced security features on the new operating systems, better controls for administrative rights are still needed to provide adequate protection."

My note: The same results can be had with the Windows 2000, XP Pro and Vista operating systems. See my 2009 article titled Running a PC with reduced user privileges stops 92% of malware.

For information about how to manage user account privileges, please read my web page titled Windows 2000, XP, Vista & 7 User Account Privileges Explained. Although it was originally written when Windows 2000 and XP were the mainstream OSes, updated information for Windows Vista and Windows 7 computers has been added. Besides, some of you are probably reading this on an XP computer and this information can protect that PC from malware attacks that would otherwise be successful.

That said, no Windows computer is truly safe without some form of anti-virus, anti-spyware and anti-malware protection installed and kept up to date. If you are looking for an all in one solution for complete malware protection please look into Trend Micro Internet Security. A single license allows you to install it on up to 5 computers for as long as the subscription is paid up.


About the author

Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.
Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.