Zombie PCs spew out 80% of spam

March 8, 2008 – 3:19 PM

Four-fifths of spam now emanates from computers contaminated with Trojan horse infections, according to a study by network management firm Sandvine out this week. Trojans and worms with backdoor components such as Migmaf and SoBig have turned infected Windows PCs into drones in vast networks of compromised zombie PCs.

Sandvine reckons junk mails created and routed by “spam Trojans” are clogging ISP mail servers, forcing unplanned network upgrades and stoking antagonism between large and small ISPs.

Using its own technology, Sandvine was able to identify subscribers bypassing their home mail servers and contacting many mail servers within a short period of time – a sure sign of spam Trojan activity – over sustained periods. It also looked at SMTP error messages returned, which helps to clarify the total volume of spam within the service provider network. “After comparing those data points with the total volume of legitimate messages passing through the service provider’s mail system, we are able to arrive at our percentage of 80 per cent,” explained Sandvine spokesman Mark De Wolf.

Sandvine’s analysis, cross-referenced with data from SORBS to determine which IP space is assigned to the residential subscriber pools of global service providers, shows most spam now originating from residential broadband networks.
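The heuristic the article describes (a subscriber bypassing the ISP’s own relay and contacting many distinct mail servers in a short period, corroborated by the SMTP error replies those servers send back) can be run over a table of outbound port-25 connection records. The following is an added example written for this post, not Sandvine’s code; the record layout, the relay address in ISP_MAIL_SERVERS, the five-minute window and the fan-out threshold of ten are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# One outbound SMTP connection attempt, as an ISP-side flow monitor might record it.
# The layout is constructed for this example (it is not Sandvine's format):
# timestamp, subscriber IP, destination IP, destination port, SMTP reply code (0 = none seen).
SmtpFlow = namedtuple("SmtpFlow", "ts src dst port reply")

# The provider's own outbound relay (assumed address); mail handed to it is normal behaviour.
ISP_MAIL_SERVERS = {"10.0.0.25"}


def parse_flows(lines):
    """Parse 'ts src dst port reply' lines into SmtpFlow records; '#' lines are comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, reply = line.split()
        flows.append(SmtpFlow(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                              src, dst, int(port), int(reply)))
    return flows


def _direct_to_mx(flows, src=None):
    """Connections that skip the ISP relay and go straight to some other mail server on port 25."""
    return [f for f in flows
            if f.port == 25 and f.dst not in ISP_MAIL_SERVERS and (src is None or f.src == src)]


def peak_fanout(flows, window=timedelta(minutes=5)):
    """Per subscriber: the largest number of distinct foreign mail servers contacted inside any window."""
    by_src = defaultdict(list)
    for f in _direct_to_mx(flows):
        by_src[f.src].append(f)
    peak = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        best, start = 0, 0
        for end in range(len(fl)):
            while fl[end].ts - fl[start].ts > window:  # slide the window's left edge forward
                start += 1
            best = max(best, len({f.dst for f in fl[start:end + 1]}))
        peak[src] = best
    return peak


def rejection_rate(flows, src):
    """Share of a subscriber's direct-to-MX attempts answered with a 5xx permanent rejection."""
    attempts = _direct_to_mx(flows, src)
    if not attempts:
        return 0.0
    return sum(1 for f in attempts if 500 <= f.reply < 600) / len(attempts)


def suspected_spam_trojans(flows, fanout_threshold=10, window=timedelta(minutes=5)):
    """Subscribers whose fan-out reaches the threshold, with their 5xx rate as corroboration."""
    return [(src, peak, rejection_rate(flows, src))
            for src, peak in sorted(peak_fanout(flows, window).items())
            if peak >= fanout_threshold]


def suspected_share(flows, fanout_threshold=10):
    """Fraction of all recorded SMTP connections that came from suspected hosts:
    a rough analogue of the study's comparison against legitimate volume."""
    if not flows:
        return 0.0
    bad = {src for src, _, _ in suspected_spam_trojans(flows, fanout_threshold)}
    return sum(1 for f in flows if f.src in bad) / len(flows)


SAMPLE_LOG = ["# ts src dst port reply   (constructed sample records, not real traffic)"]
# 192.0.2.10: twelve distinct mail servers in under two minutes, a third of them rejecting
SAMPLE_LOG += [f"2004-06-01T10:{i // 10:02d}:{(i * 7) % 60:02d} 192.0.2.10 198.51.100.{i} 25 "
               f"{550 if i % 3 == 0 else 250}" for i in range(1, 13)]
# 192.0.2.11: only ever talks to the ISP relay
SAMPLE_LOG += ["2004-06-01T10:00:30 192.0.2.11 10.0.0.25 25 250",
               "2004-06-01T10:01:30 192.0.2.11 10.0.0.25 25 250"]
# 192.0.2.12: runs its own mail and contacts two foreign servers, well below the threshold
SAMPLE_LOG += ["2004-06-01T10:00:10 192.0.2.12 203.0.113.5 25 250",
               "2004-06-01T10:02:10 192.0.2.12 203.0.113.9 25 250"]

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for src, peak, rate in suspected_spam_trojans(flows):
        print(f"{src}: {peak} distinct mail servers in 5 min, {rate:.0%} of attempts rejected with 5xx")
    print(f"share of SMTP connections from suspected hosts: {suspected_share(flows):.0%}")
```

The fan-out count is what separates a zombie from a subscriber who legitimately runs a mail server of their own: the latter also bypasses the ISP relay, but talks to a handful of destinations, not dozens. The rejection rate is a second signal, since relays receiving spam from dynamic address space tend to answer with permanent 5xx replies.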

Viral marketing

Instead of using open mail relays or unscrupulous hosts (so-called ‘bullet-proof’ hosting – in reality, ISPs in developing countries who pull the plug on spammers when enough complaints are received by their upstream provider), spammers are using compromised machines to get their junk mail out. Many security firms reckon that many of the most well-publicized worm attacks in recent months (such as MyDoom and Bagle) were launched expressly to install spam Trojans on unsuspecting end users’ machines – waiting to be utilized later as spam delivery relays. This expanding network of infected zombie PCs can also be used as a platform for DDoS attacks, such as those that many online bookies have suffered in recent months.

Sandvine’s preliminary analysis has shown that the most active Trojans for spamming purposes are the Migmaf and SoBig variants. Its work on this area of the problem is still at an early stage.

The behaviour of spam Trojans on the network taxes ISP infrastructure and, in the case of smaller ISPs, creates the perception that some networks are generating more than their fair share of spam and other types of malicious traffic. The mounting scope of the problem means ISPs need to begin filtering traffic – rather than leaving the problem up to end users – if spam is to be contained, Sandvine argues.

“While spam filters can provide an effective treatment, the scale & scope of the spam problem means additional remedies are needed”, said Marc Morin, co-founder and chief technology officer of Sandvine. “As a complement to existing mail server and client based tools, service providers need to arm themselves with network-based anti-spam defences and combat this growing form of malicious traffic.”

http://www.theregister.co.uk/2004/06/04/trojan_spam_study/

Security Bug in Linksys Wireless-G Router

March 8, 2008 – 3:18 PM

Cisco’s Linksys WRT54G Wireless-G Broadband Router has a flaw that could allow an attacker to gain administrative privileges on vulnerable devices. Even if the remote administration feature on the device is turned off, the router serves the administration web page on ports 80 and 443, protected only by a weak default password. Secunia rates the flaw as ‘moderately critical’ and advises users to use a stronger password for administrative access, or restrict access to the interface altogether. Alternatively, the device can be configured to forward traffic on the port to a non-existent server; even if sent to an existent server, forwarding will override the default behavior.

http://www.internetnews.com/infra/article.php/3362321

99 Ways to Speed Up Windows XP

March 8, 2008 – 3:17 PM

There’s a handy guide over at PC Stats which outlines about 99 ways to speed up your Windows installation. While some of them are elementary, quite a few listed are adjustments that probably wouldn’t come to the forefront for many out there.

The guide covers the following areas:

* Preparing Your System
* Graphics Performance Tweaks
* BIOS tweaks and Insight
* Network and Internet Performance Tweaks
* Overclocking your processor and memory (Be very careful here!)
* WindowsXP Software and Registry Performance Tweaks
* WindowsXP User Interface Shortcuts and Hints
* Improving Windows XP boot speed
* Increasing XP shutdown speed

The site’s worth a look – read up on it over at PC Stats.

How to remove any BHO from your Computer

March 8, 2008 – 3:17 PM

What I am about to suggest may not be the most correct method to remove a BHO from your system. In fact, there is no guarantee that instructions below will resolve your issue. What I can tell you, however, is that I have used the following methods to safely remove and restore many systems that have been infected with scumware / Spyware / Adware toolbars.

Before proceeding, please make a backup of your most critical files.

1. Attempt to disable the BHO.

A little while back, I came across a program called BHODemon which can disable BHOs from launching when Internet Explorer starts. BHODemon can also be used to identify the main ‘plugin’ file associated with the BHO (typically a .DLL or .OCX file located in the Windows System folder). A full explanation of BHODemon (and the link to download the freeware program) is available in a recent Gazette issue.

2. Identify other ‘plugin’ file(s) associated with the BHO.

Some BHOs are despicably stealthy and will reinstall themselves after your system is rebooted / restarted — even after the BHO has been disabled. Obtaining the list of files associated with the BHO will require some research:

* Use BHODemon to identify the main .DLL or .OCX file (as seen in the picture above).
* Go to Google.com and type in the BHO filename followed by the word ‘remove’ (example: “NN_BAR.DLL remove”). 9 times out of 10, Google will provide a list of web sites that have manual removal instructions, along with the list of files associated with the offending BHO.
* Finally, write down the file names and folder locations of the BHO ‘plugin’ files (example: %SystemDir%\winnb40.dll).

3. Reboot into Safe Mode and remove the BHO files from your computer.

In order to permanently remove the BHO files from your computer, you must reboot into Safe Mode (or DOS mode) or your system will report a ‘sharing violation’ error when attempting to delete the file(s). To access Safe Mode:

* Click Start -> Shutdown (or Turn Off).
* Select ‘Restart’.
* Once the computer restarts, press F8 repeatedly on the keyboard until a Boot Menu appears. This *must* be done before the Windows boot screen appears.
* Choose to boot Windows in Safe Mode.

Once you are in Safe Mode, use your notes detailing the file names and paths of the offending BHOs and rename (or remove) the files from your system. Renaming the .DLL / .OCX file will allow you to undo your changes — whereas deleting a file is not easily undone.

Side note: A safe way to rename a file is to place a few harmless characters in front of the real file name (example: if the file is popups.dll, rename it to zz_popups.dll).

4. Remove the BHO references from your System Registry.

* Click Start -> Run -> type in “regedit” (no quotes, and press Enter).
* Once RegEdit appears, click File -> Export to make a backup of your registry. In case you make a mistake, you can import your old registry to reverse the proceeding changes.
* Now you’re ready to remove the BHO references from your Registry. In the RegEdit window, press F3 to search. Next, type in the name of each BHO file you recorded in Step #2 — minus the file extension (for example: search for ‘popups’ instead of ‘popups.dll’).
* When a match is found, look on the left side of the RegEdit Window. Left click the expanded folder which encapsulates the BHO entry. Press DEL on your keyboard to delete it.
* Press F3 again until no more matches are found; repeat this process for all BHO files you recorded in Step #2.

5. Remove any suspicious references from your Startup locations.

Download Startup_CPL.exe from Mike Lin’s web site. This program will list multiple startup locations that launch programs when Windows is booted. If you see anything suspicious, disable it from launching in your startup. If you are unsure of whether or not a program entry is safe to disable, you can research it using Pac’s Portal web site.

6. Reboot your computer.

The offending BHO should now be removed from your computer. If, however, you are unable to resolve your problem, you can:

* Attempt a System Restore (if applicable).
* Import your Registry backup and reboot your computer (if you think you may have accidentally deleted the wrong registry entry and have inadvertently caused your system to become unstable), or
* Backup your most critical files and reinstall Windows. I have a downloadable eBook and video guide which explains how to do this in great detail.

Good luck!
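Steps 2 and 4 above amount to two look-ups that can be done against the registry backup you exported in Step 4: resolve each registered BHO’s CLSID to the DLL it loads, and then find every key that mentions that DLL. The script below is an added example written for this post (it is not from the Gazette article or from BHODemon): it parses a .reg export, lists the Browser Helper Objects registrations with their friendly names and InprocServer32 paths, and searches for references the way RegEdit’s F3 search does. It goes one step beyond the F3 search: the BHO registration key itself contains only the CLSID, never the filename, so a search by name alone would miss it, and the script adds those keys by following the CLSID. The sample export, its CLSIDs, vendor names and paths are all constructed.

```python
import re

# Roots under which a COM class is registered; the first two are standard, the third is
# where 32-bit classes live on 64-bit Windows (assumed relevant only on such systems).
CLSID_ROOTS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID",
               r"HKEY_CLASSES_ROOT\CLSID",
               r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID")
BHO_KEY_RE = re.compile(r"\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})$")


def _unescape(s):
    """Undo the .reg escaping of backslashes and double quotes inside string values."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse a RegEdit 'File -> Export' file into {key_path: {value_name: value}}.
    The default value is stored under '@'. Only string values are decoded; dword:/hex:
    values are kept as raw text and multi-line hex continuations are ignored."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else _unescape(name.strip('"'))
        if value.startswith('"') and value.endswith('"'):
            value = _unescape(value[1:-1])
        reg[current][name] = value
    return reg


def _find_key(reg, path):
    """Case-insensitive key lookup, since registry paths are not case-sensitive."""
    low = path.lower()
    return next((k for k in reg if k.lower() == low), None)


def list_bhos(reg):
    """Each registered BHO with its CLSID, friendly name and the DLL/OCX it loads (Step 2)."""
    bhos = []
    for key in reg:
        m = BHO_KEY_RE.search(key)
        if not m:
            continue
        clsid = m.group(1)
        class_key = next((k for k in (_find_key(reg, f"{root}\\{clsid}") for root in CLSID_ROOTS) if k), None)
        name = reg[class_key].get("@", "") if class_key else ""
        server_key = _find_key(reg, f"{class_key}\\InprocServer32") if class_key else None
        dll = reg[server_key].get("@", "") if server_key else ""
        bhos.append({"clsid": clsid, "registration_key": key, "name": name, "dll": dll})
    return bhos


def find_references(reg, stem):
    """Keys whose path or values mention `stem` (RegEdit's F3 search, Step 4), plus every key
    carrying the CLSID of a BHO whose DLL matches the stem, which a name search alone misses."""
    needle = stem.lower()
    hits = set()
    for key, values in reg.items():
        if any(needle in text.lower() for text in [key] + [f"{n}={v}" for n, v in values.items()]):
            hits.add(key)
    for bho in list_bhos(reg):
        if needle in bho["dll"].lower():
            hits.update(k for k in reg if bho["clsid"].lower() in k.lower())
    return sorted(hits)


# Constructed sample export: one ordinary helper and one "popups.dll" toolbar with a Run entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-1111-2222-3333-444444444444}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBBBBBB-5555-6666-7777-888888888888}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-1111-2222-3333-444444444444}]
@="Sample Vendor Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Program Files\\Sample Vendor\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BBBBBBBB-5555-6666-7777-888888888888}]
@="Popups Toolbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BBBBBBBB-5555-6666-7777-888888888888}\InprocServer32]
@="C:\\WINDOWS\\System32\\popups.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopupsLoader"="rundll32.exe C:\\WINDOWS\\System32\\popups.dll,Start"
"""

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    for bho in list_bhos(reg):
        print(f"{bho['clsid']}  {bho['name'] or '(no name)'}  ->  {bho['dll'] or '(no InprocServer32)'}")
    for key in find_references(reg, "popups"):
        print("references popups:", key)
```

Run it against your own export by reading the file with `open(path, encoding="utf-16")`, which is the encoding RegEdit writes on Windows 2000 and XP. The DLL paths it prints are the ones to note down for Step 3, and the key list is what you would otherwise collect by pressing F3 repeatedly.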

Note: This article appeared originally in the May 25th Infopackets Gazette

http://www.spywareinfo.net/may26,2004#toolbars

Tip: Delete index.dat

March 8, 2008 – 3:16 PM

There are many, many programs for cleaning out temporary files and other junk that Windows lets build up on the hard drive. Sometimes though, you just want to do things like this yourself. It seems simple enough to open the temp folder and delete everything in it, until you actually go to do it. For whatever reason, Windows throws up a roadblock to people who want to delete their cookies and temporary internet files (also called browser cache).

Windows keeps a file called index.dat open in memory the entire time it is running. Index.dat is located inside a hidden subdirectory of the Temporary Internet Files folder. You can delete every single file and folder around and underneath that file, but Windows refuses to allow you to delete index.dat itself. This is why most cleaner programs want you to reboot when you tell them to clean out the internet files. Those programs insert a startup entry that deletes the file before you log into your account.

In the past, people running Windows 95, 98 or ME could simply boot to MS-DOS and delete the file at the command line. Unfortunately, for Windows 2000 and XP, this is not an option. So how do you purge this stubborn file if Windows won’t let you touch it and there is no MS-DOS to boot into? There is a very simple way to do this that does not involve installing third party software or writing scripts to run at start up.

Basically, you have to create a new administrator account, then log into it. Since your normal account is not active, Windows is not able to lock you out of the index.dat file and everything can be deleted normally.

In Windows 2000, right-click the “My Computer” icon on the desktop. Highlight “manage” and click. The “Computer Management” console should pop up. Under “System Tools”, double-click the item called “Local Users and Groups”, then right-click on “Users”. Highlight “New User” and click. Set up a new user and click “Ok”.

After you’ve created the user, find the icon for them in the list and double-click it. Click the “Member Of” tab. Select “Administrators” in the list, then press “OK”. You’ve just given your new user administrative privileges, so make sure you gave it a password!

In XP, this is much simpler (although you can follow the same directions as for 2000 if you want). Open the Control Panel (usually listed on the Start Menu) and open the “User Accounts” applet. Click “Create User” and create your new account. Make sure to choose “Computer Administrator”.

Now, log out of your normal user account and log into the new account you just created. Find the Temporary Internet Files folder (C:\Documents and Settings\<your user name>\Local Settings), open it, press CTRL + A and then delete everything there. Don’t worry, Windows will recreate what it needs the next time you log in. This also works for the index.dat file located in the cookies folder.

Log out of the new account and back into your normal account. Windows will create a new, empty index.dat file that will be much smaller than the old one.

http://www.spywareinfo.net/may26,2004#tip