Security News and Updates for Dec 14 - 31, 2010
The last two weeks of December 2010 saw fewer vulnerability reports than some previous weeks in the last quarter of the year. This doesn't mean that criminals are sitting still, just that they are lying low to try to avoid attracting the attention of local authorities. Lately, police in such far-away places as Ukraine and Russia have been arresting cyber criminals for unlawful online activities. Many of those arrested thought they were safe in the former USSR, but they were mistaken.
Here is a rundown of the security alerts issued, and the patched software released by the vendors of exploitable software, from December 14 through 31, 2010.
Son Of Storm Worm
Shadowserver Foundation has uncovered a new spam campaign that they think is the work of a new botnet based on a new generation of the Storm or Waledac bot executables. One of the main characteristics of this new botnet is its large-scale e-card spam campaigns, sending out scam e-mails with links to exploit pages hosted on a Fast-Flux network of botnetted PCs. It also shares some code used in the original Storm Worm and Waledac bot. Shadowserver is temporarily referring to this new botnet as Storm 3.0 or Waledac 2.0.
The original Storm Worm botnet was most active in 2007. Millions of spam messages were sent by zombie computers, all containing links to fellow zombies, with numeric IP URLs in the spam emails. Most featured a fake e-card, or love message, or fake news about a storm that swept across parts of Europe in early 2007. The destination pages had a fake, non-functional video, with an Adobe Flash player that "needed to be updated" with the gang's own version. That "player" was the Storm Worm, which made those computers members of what was then the largest botnet on Earth.
Storm declined in late 2007, but made a big resurgence in the summer of 2008. Because of the sheer number of Windows PCs infected with the Storm Worm, it attracted the attention of the code writers working on the Microsoft Malicious Software Removal Tool. The September 2008 Windows Updates featured code routines that detected both variants of the Storm Worm and completely eradicated it from hundreds of thousands of computers on Patch Tuesday, September 18, 2008. Days later, authorities forced rogue ISP Atrivo off the Internet, severing 3 of the 4 Command and Control servers used by the Russian or Ukrainian gang running the Storm botnet.
I have already warned the readers of my weekly spam analysis to be on the lookout for fake e-card greetings this winter. They have links to compromised websites, with instant refreshes to fake Flash Player updates and other exploits, hosted on compromised personal computers. The IP addresses change with every connection request (Fast-Flux domains), rotating the payload among the thousands of zombie PCs in the new botnet.
Each of these Fast-Flux domains also appears to be hosted on a single Ukrainian IP address at 91.204.48.50. I would recommend blocking access to this IP address. It is already included in my published Russian Blocklist, but you can add it to your Windows computer by opening your HOSTS file and adding this line, then saving the file again as HOSTS (no extension):
127.0.0.1 91.204.48.50
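A practical note on that HOSTS entry: the HOSTS file only maps host names to addresses, so a line whose "name" is a bare IP address has no effect on connections made to that address. The usual way to block an address on Windows is an outbound rule in the host firewall; the following PowerShell is an added example (not from the original post or the blocklist) using netsh advfirewall, which is available on Vista and later and must be run from an elevated prompt:

```powershell
# Added example: block outbound connections to the IP address named in the
# post with a Windows Firewall rule (netsh advfirewall, Vista and later).
# Run from an elevated PowerShell prompt. The rule name is constructed here.
$BlockedIp = '91.204.48.50'
$RuleName  = "BlockOutbound_$BlockedIp"   # no spaces, so netsh quoting is not an issue

# Add the rule only once. 'show rule' prints "No rules match the specified
# criteria." when the rule does not exist yet.
$existing = netsh advfirewall firewall show rule name=$RuleName
if ($existing -match 'No rules match') {
    netsh advfirewall firewall add rule name=$RuleName dir=out action=block remoteip=$BlockedIp enable=yes
} else {
    Write-Host "Rule '$RuleName' already exists; nothing to do."
}

# Verify: the rule should now be listed with Action: Block and the RemoteIP set.
netsh advfirewall firewall show rule name=$RuleName
```

To remove the block later, use `netsh advfirewall firewall delete rule name=BlockOutbound_91.204.48.50`.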
_____________________
Wordpress Critical Update
Next up, there was a critical flaw discovered in the base code of the WordPress PHP files. Therefore, WordPress.org has released a patched version, 3.0.4 of WordPress, available immediately through the update page in your WordPress dashboard, or for download here. It is a very important update to apply to your sites as soon as possible because it fixes a core security bug in WordPress's HTML sanitation library, called KSES. I would rate this release as "critical."
Note: if your websites, like mine, are hosted on Bluehost, or certain other hosting companies associated with Bluehost, you can use the custom script installers found in the Simple Scripts section of your cPanel control panel. These commonly deployed scripts are kept up to date with security patches and are easy to install with a few mouse clicks. WordPress is included, as it is so commonly probed and exploited. Any outdated version of WordPress will be owned by hackers and used to infiltrate your website with hostile redirection scripts, spam comments, or phishing pages.
Zero Day IE Exploit
There is a new zero day exploit for Internet Explorer browsers in the wild. Imagine that! See this page on PCMag for the details.
Microsoft WMI Administrative Tool ActiveX Control Vulnerability
US-CERT is aware of a vulnerability affecting the WBEMSingleView.ocx ActiveX control. This control is part of the Microsoft WMI Administrative Tools package. Exploitation of this vulnerability may allow an attacker to execute arbitrary code.
US-CERT encourages users and administrators to set the kill bit for CLSID 2745E5F5-D234-11D0-847A-00C04FD7BB08 to help mitigate the risks until a fix is available from the vendor. Information on how to set a kill bit can be found in Microsoft Knowledge Base article KB240797. Users and administrators are also encouraged to implement the best security practices defined in the Securing Your Web Browser document to reduce the risk of this and similar vulnerabilities.
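The kill bit KB240797 describes is the 0x400 bit of the "Compatibility Flags" DWORD under the control's CLSID key in "ActiveX Compatibility". The following PowerShell is an added example (not from US-CERT or Microsoft) that sets it for the CLSID above, ORing the bit into any flags already present instead of overwriting them, and also covers the Wow6432Node view that 32-bit Internet Explorer reads on 64-bit Windows; it assumes an elevated prompt:

```powershell
# Added example: set the ActiveX kill bit for the WMI Administrative Tools
# control (WBEMSingleView.ocx) as described in KB240797. Run elevated.
$Clsid   = '{2745E5F5-D234-11D0-847A-00C04FD7BB08}'
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE loading the control

# 32-bit IE on 64-bit Windows reads the Wow6432Node registry view, so set both
# views when that node exists.
$Paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

foreach ($Path in $Paths) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # Preserve any flags already set for this control; only add the kill bit.
    $current = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$current -bor $KillBit
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Verify: every path should report the 0x400 bit as set.
foreach ($Path in $Paths) {
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags').'Compatibility Flags'
    $state = if ($flags -band $KillBit) { 'set' } else { 'NOT set' }
    '{0}: Compatibility Flags = 0x{1:X} (kill bit {2})' -f $Path, $flags, $state
}
```

Restart Internet Explorer after running it; the kill bit is read when the control is about to be loaded, so already-open browser windows may still have the control in memory.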
That's all I have for you tonight. I'll post more security updates news next week, or sooner if necessary.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.