News:

December 4, 2010
The highest number of spam-spewing computers is in the U.S. -- Is yours one of them?

If you're like most people, despite spam filters, your inbox is full of spam advertising fake Rolexes, fake pills from fake Canadians, fake diplomas, fake girlfriends who want to have fake sex, etc. It's all illegal. How do they get away with breaking the law so flagrantly?

Part of the reason is that "they" are usually in countries like Russia, where spamming and scamming is legal, as long as the victims aren't Russian. But how much spam can they send before people stop accepting email from their computers? Can't everybody get together and block them?

We can, and we do, using "blocklists" like those maintained by groups like Spamhaus, Spamcop.net, and Project Honey Pot. So why hasn't it stopped the spam?

The problem is that spammers don't have to mail from their own computers. They can mail from other people's computers. They can mail from yours.

How do they do that? By using malware (bad software, like computer viruses). The malware they usually use is called a Trojan horse. Like the famous gift from the Greek army, the victim has to allow it past their defenses. Once inside, it opens the doors from the inside and allows in all its little friends.

Trojans also may be "root kits." That means they insert themselves into the Windows system files that launch early in the boot process, so early that they are already running before your antivirus program launches. They can then evade detection and even inactivate the antivirus.

Having an up-to-date antivirus program is an important way to prevent getting a Trojan, because they are a huge pain to remove once they are installed. But even the very best antivirus cannot detect all malware. The malware authors are constantly changing their code to vary the parts that are detected by AV programs. For an AV program to detect 95% of trojans on the first day they are released is an excellent record, and most don't do that well. But even 95% success means that 1 in 20 new infections slip in unnoticed.

Using common sense, being suspicious about things that arrive in email, being careful about the source of downloaded files (and avoiding illegal downloading), avoiding the use of the Internet Explorer browser and using a browser add-on that turns off javascript and other vulnerable applications unless you specifically enable them -- all those measures help. But even the most astute person can be fooled if a spammer knows personal details about him, or if the spammer just gets lucky guessing. You have to consider the possiblity that your computer is already infected with a Trojan.

Wouldn't you be able to tell? Wouldn't it be running slow? Actually, it may not. The criminals trying to seize control of computers don't want you to get suspicious. They don't want you to get your computer checked for trouble. They may even remove other people's malware to prevent your computer slowing down. They want to have more control over your computer than you do.

Some malware can make itself invisible by removing itself from directories and concealing itself from programs. But some of the most common ones prey on people that don't know how to look for malware. They can be detected easily if you know how to look.

One of the most important ways is to look for attempts to make internet connections to outside computers. A Trojan can't send spam, steal your passwords or identity data, or receive instructions from the criminals controlling it unless it can make an internet connection to another computer.

PC users are used to their computers doing things automagically. They just launch a program and see websites from all around the world. But there are a lot of background processes going on, and there are ways to reveal what is actually happening. Microsoft distributes a free program called TCPview.exe that will show the internet connections your computer is making. That means that except for the cleverest Trojans, you can watch the Trojan actually contacting outside computers and receiving instructions from "command and control" centers.

To use it, download the tcpview.zip file to your desktop. Then shut down your browser and as many other programs as you can, as even programs you aren't using may be keeping internet connections in the background to check for updates. Launch tcpview.zip and tell it to run. (If it tells you you need to buy a program like WinZip or WinRAR to open it, right-click the zipped folder instead and choose "Extract all" to use the decompression utility built into Windows.) You'll have to click "yes" to a few more dialog boxes, but it is safe to do so.

Once it launches, you will see a list of all the internet connections open on your computer. As new ones open, they will be green, and as they close they will remain visible in red for a while.

If you have shut down all the usual internet programs, there shouldn't be too much activity. There may be some persistent connections to things like Facebook and Google after your browser has closed, but you don't want to see connections to computers in countries in eastern Europe and Asia, you don't want to see connections that use port 25 or smtp, and you don't want to see a lot of ongoing green and red activity when the computer should be dormant.

How do you know where the "remote" computers are located? Copy their IP addresses (numbers that are four sets of numbers from 0-255, for example "125.45.1.160") and paste it into the whois lookup at LACNIC. Don't worry about anything that starts with "192.168.xxx.xxx" or "127.0.xxx.xxx," as those are numbers given to your own computer or computers inside your own network.

Suppose your tcpview lights up like Times Square on New Years Eve? How do you make it stop? The first thing you can do is install a firewall. Although Windows includes one, it only stops incoming traffic, and it won't stop anything the Trojan has invited in. You need one that stops outgoing traffic, like the free download from Comodo. Then you can get help from a site like Spywarehammer.com or Bleepingcomputer.com, where experts will guide you through the Trojan removal process. Be prepared for it to take time, as they are far more difficult to remove than to prevent.

Example of TCPview.exe screen: Green entries are new connections. Remote address 193.227.240.135 is Naunet.ru, in Russia. The port is "http" since I have it open in my browser, Firefox. (Port 80 is also a browser.) Port 25 or smtp would mean outgoing email. If you don't recognize the programs on the left, you can right-click and look at properties. If I hadn't had my browser open, there would still be connections, but only occasional green lines showing new connections opening.