Wiz's Computer and Website Security Blog

On November 26, 2008, I wrote an article concerning the "Srizbi" Botnet coming back to life, following the shutdown of its Command-and-Control servers (C&C) at McColo, Inc. This happened because the Russian criminals running the Srizbi Botnet, thought to number over 450,000 PCs, were able to lease servers from a web hosting firm in Estonia, to which they uploaded the C&C software. Once these servers came online the zombie computers making up the Botnet army were able to contact the servers and receive new instructions and spam templates. This resulted in a 10% increase in the volume of spam I saw last week, over the previous week (following the C&C servers at McColo being shut down).

Well, starting on Sunday night, November 30, 2008, I noticed another sudden decline in the amount of spam that was detected, classified and deleted by my spam filtering program, MailWasher Pro. This decline continues today, Monday, December 1, 2008. There is virtually no significant amount of spam arriving in any of my accounts. Being curious I did a little investigating and learned that the people running the Estonian ISP Starline Web Services, that temporarily hosted the Command-and-Control servers for the Srizbi botnet, has cut off those servers. This followed complaints from Estonia's Computer Emergency Response Team (CERT) and threats of total disconnection by the companies who supply the Internet IP connections to that ISP, and others in Estonia.

Note, that the ISP that was temporarily hosting the Srizbi C&C machines gets their IP addresses and Internet connectivity from a hosting company named Compic, which is known to CERT as a company that has been friendly to criminals who host malware on their websites. Many complaints have been filed with Compic concerning illegal activities by their customers, conducted on their servers and those of their downstream resellers. Reference.

Most of my readers are more concerned about repelling spam, than tracing it. I have written many articles offering filtering solutions involving MailWasher Pro, as well as website email filters that can be applied by people whose websites are hosted on cPanel control panels and Linux/Apache based servers. Just look in my recent posts links, in the right sidebar, or search this blog for the keywords "spam filters." But I seem to have overlooked one area of this spam-demic that deserves mentioning now. That area is your own computers and what unknown spam applications and scripts may be running on them.

The question every computer owner should be asking themselves, or their IT personnel, is: "Am I Botted?" What I mean by this is that every computer owner needs to scan for the presence of Bot infections on their PCs. Any operating system can become invaded by a Bot infection, either as an invisible rootkit or a visible process. Each OS will have tools available to its administrators to test for the presence of hostile applications (e.g. Snort). However, the rest of this article and the recommendations in it are meant for Windows based computer owners.

This article has extended content.
Continue reading "Srizbi Spam Botnet goes offline again!" »

Posted by Wiz at 6:27 PM | Permalink

back to top ^

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages.While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

Before I get into the various categories of spam received this week, I want to mention the fact that while the volume of spam is still down from October and early November, it is definitely on the rise, with a 10% increase from last week. The volume of spam had dropped to near zero a couple of weeks ago, due to the termination of service to a server co-location hosting company, named McColo. McColo's customers were responsible for over 75% of the daily spam sent from zombie computers in several major Botnets. The "zombie" computers in these Botnets were unable to receive instructions from their mothership controllers and had mostly fallen silent; but have now begun to awaken.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common types of spam this week is for fake watches and various pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. Spam for the fake "Canadian Pharmacy" remained strong as usual, but was surpassed for a second week by spam caught by my "Hidden ISO Subject" filter. Most of the Hidden ISO spam is for Indian Viagra or ineffective male enhancement pills and patches.

"Canadian Pharmacy" and it's offshoot "Canadian Health and Care Mall" is a scam website, hosted unknowingly on hijacked (Botnetted) personal computers, or on bulletproof Chinese hosting servers owned by criminals in Russia. The prescription drugs and herbal remedies promoted by the fake Canadian Pharmacy come from a lab in India, named after a flower. Those prescription drugs are illegal to import into the US or Canada and may be seized by postal inspectors upon arrival.

The male enhancement spams are mostly leading to Botnetted computers hosting a web page touting VPXL, Power Gain Plus, or other herbal enlargement formulas, all of which are scams. Male enhancement pills are totally ineffective and may even be dangerous to your health.

MailWasher Pro spam category breakdown for November 24 - 30, 2008. Spam amounted to 25% of my incoming email this week, with 74 spam messages analyzed.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

This article has extended content.
Continue reading "My Spam analysis for Nov 24 - 30, 2008" »

Posted by Wiz at 2:26 PM | Permalink

back to top ^

On November 14, 2008, I published an article on my blog about how spam had dropped significantly following the shutdown of McColo, a server co-location hosting company. The reason for the huge drop in spam was because several of the World's largest and busiest Botnets had their Command and Control (C&C) servers housed and connected to the Internet by McColo. The C&C servers send instructions and spam templates to the Zombies under their control. When those C&C servers lost their connections to the Internet the Zombie computers in the Botnets they controlled all fell silent; becoming sleeper agents awaiting new instructions from new Controllers.

Today I began seeing an increase in the number of spam emails arriving in my spam screening program, MailWasher Pro. I did a little digging into security news and discovered that this increase is not a coincidence. Apparently, the so-called "Srizbi Botnet" has been rebuilding its C&C computers, which are now hosted in Estonia. Those C&C machines are now issuing instructions to the sleeping zombies, which are awakening and beginning to send out spam again. While researchers and detectives are able to identify the new locations of those C&C machines, shutting them down will be difficult, as the people hosting them and local Government officials could care less about the damage being done by the Botnets under their control.

Whether today's spam is coming from the Srizbi Botnet, or some other Botnet is unimportant to spam recipients. Unless you are a security researcher you are probably more interested in blocking this spam than in knowing who designed it and ordered it to be sent to you. I can help you do that, using special rules in a spam filtering program named MailWasher Pro. This can only be done if you read your email in a POP3 desktop email client, like Outlook, Outlook Express, Windows Live Mail, Apple Mail, Mozilla Thunderbird, etc. MailWasher Pro stands between the Internet email servers and your desktop email client, where it filters out spam, scams and virus threats, before downloading any messages to your desktop email client. If you are not already using MailWasher Pro you can read about it here and download a trial or purchase a copy for yourself.

The first prong in my attack against spam is to add wildcard email addresses, that spammers repeatedly forge as the sender, to the program's Blacklist. Blacklist rules are processed before other types of rules, so the wildcard addresses in the Blacklist will cut down a lot on the amount of unclassified spam you have to deal with. Open MailWasher Pro, click on the "View" menu item, then select "Filter Side Bar." The Filter Side Bar will appear on the right side of the program. It has three tabbed sections: "Friends List" and "Blacklist" and "Filters." Click on the "Blacklist" tab, then click on the round green "Add" button. A new "Add address to list" box will open. Click on the option "Wildcard expression." Copy and paste, or type in the following codes, one per Blacklist entry, then click OK to close each new entry box. Repeat the sequence for each of the six Blacklist additions listed below. The first two entries are very commonly matched right now.

kef+diz@+

lin+met@+.de

dw+m@+

_+@+.+

-+@+.+

+@mail.*ru

After saving these Blacklist Wildcard rules you must decide how you want MailWasher Pro to deal with the messages matching these expressions. While still in the mail Blacklist tab, click on the "Options" button. In the "Actions" section select "Delete the email." Just under that you can choose whether that happens manually, where you see the email flagged as "Blacklisted" in the incoming messages list, or if any messages matching those criteria are automatically deleted off the email server, on the spot. I use automatic deletion, as nobody I communicate with has an email prefix or suffix matching these criteria. To be safe, use manual deletion for a while, while listing (add to Friends list) any false detections, then switch to "Automatically, without notification" when you are confident in the accuracy of these (and other) Blacklist rules.

Next, go to my MailWasher Pro Custom Filters web page and scroll down to the iframe, in which one of my three versions of my custom MailWasher Pro filters will be loaded. Read the notes about each of these filters and choose the one that you prefer to use. You can either copy and paste the rules from the iframe into your own "filters.txt" file, or download the file, deposit it into the appropriate location, renaming it to filters.txt if required. MailWasher Pro keeps all user settings, filters and white/black lists in your logged-in identity's %AppData%\MailWasherPro folder. You may need to edit your Folder View settings to unhide hidden and system files and folders, and show known extensions, to see these files. You can also locate and open the data folder where the filters.txt lives by clicking on "Help" (with MailWasher Pro open), then "About," then click on the link to your application data files, at the bottom of the "About" box. More details about using my filters are found on the aforementioned Custom Filters web page.

This article has extended content.
Continue reading "Spam volume increasing as Srizbi Botnet is reactivated" »

Posted by Wiz at 4:20 PM | Permalink

back to top ^