Hello and welcome to the CERTStation Podcast for the 17th week of 2010. I am Jay Johnson and these are the headlines:
The Storm Worm has been found active once again (pause)
Google fixes some critical vulnerabilities in their Chrome web browser, while
the majority of hackers are being drawn to cheap and simplistic malware kits (pause)
Revised patch for Microsoft's Windows 2000 Server claims to finally fix problems with Media Services, and finally
Google claims that fake antivirus software is being spread at a rapidly growing speed as technology progresses
And now for this week's newswire details
A number of anti-virus software vendors are reporting that the storm worm, long thought dead, is back and is
disseminating spam. In its day, the Storm botnet was one of the biggest botnets out there. At times it
encompassed more than a million infected computers and, between 2006 and 2009, was responsible for a
significant proportion of spam and many distributed denial of service attacks. The Storm worm, which is
strictly speaking a trojan downloader rather than a worm, got its name from infected emails with sensational
headlines relating to hurricane Kyrill. In early 2009, the worm went quiet. There was speculation that the bot
herder had simply made enough money for the time being and wanted to re-jig the worm's architecture, partly
because analysis by an increasing number of virus specialists was getting to grips with the bot.
Alternatively, it may simply have been that the Storm worm was pushed out of the market by other bot herders
like Srizbi, Mega-D, Rustock and Pushdo. Analysis shows that the new incarnation differs from the original in
several minor ways. Communication between bots and C&C servers is now exclusively via HTTP, which bots use to
download templates for spam campaigns for Viagra and suchlike. Peer-to-peer communication has been completely
removed. Only around 60% of the code from the older version has been retained. Storm was once responsible for
20 percent of the world’s spam but began to decline in 2007 when Microsoft undertook a massive cleaning
operation.
(pause)
Google has released version 4.1.249.1064 of its Chrome browser for Windows to correct three critical
vulnerabilities. The company had fixed seven vulnerabilities in its WebKit-based browser just a week ago.
According to reports, the new problems relate to a bug in the GURL library which allows attackers to
circumvent the same origin policy. It's also possible to provoke a memory error using prepared fonts, or when
processing HTML5 media data. The vulnerabilities might allow an exploit to inject and execute code. As part of
its Chromium Security Reward program, Google paid out $1,000 for notification of the vulnerability in the GURL
library. The new version is available for Windows 7, Vista and XP. The automatic update mechanism should
install the update, alternatively installation can be initiated manually. However, the old version may, for a
short period, still be distributed by download servers.
(pause)
Criminal-controlled botnets are becoming more resilient and powerful than ever. It's easier than ever for even
low-skilled hackers to supply botnets with freshly infected PCs by using user-friendly virus tool kits, and
many of them are using these tool kits to spread infections on weakly protected webpages put up by legitimate
corporations, say reports issued this week by Symantec's MessageLabs division, Microsoft, M86 Security,
WhiteHat Security and Imperva. The MessageLabs report and Microsoft report both show that even when the good
guys manage to shut down large swarms of infected, spam-spewing PCs, the bad guys quickly recover and continue
to send malicious content almost uninterrupted. The largest and most powerful botnet controls between 1.6
million and 2.4 million infected PCs, and it has increased spam output by 300% in recent months. Meanwhile, the
Ponemon Institute recently surveyed 627 IT pros at more than 400 multinational enterprises and government
organizations as part of a study sponsored by WhiteHat Security and Imperva. The survey shows more than 55% of
in-house developers assigned to write custom Web apps are too busy to respond to security issues, while 74% of
the survey respondents reported that their organization did not have a dedicated security team.
(pause)
Microsoft has released a new version of its patch MS10-025, which aims to finally fix the vulnerability in
Windows Media Services under Windows 2000 Server. Last week, the company was forced to withdraw the patch when
it turned out that it failed to fix a remotely exploitable buffer overflow. However, there is no easy way for
users to test that the patch actually does what it says on the tin, illustrating the issues examined in the
recently reignited discussion on full disclosure. Adherents of full disclosure generally publish demo exploits
alongside information on vulnerabilities in order to demonstrate the problem in question. Such exploits allow
users to determine whether a vendor patch actually fixes the vulnerability and whether workarounds work as
promised.
(pause)
They sneak up on you while you're working, pretend to help you, and then betray you. By the time you realize
what's going on, you're infected. They're sneaky malware programs designed to look and operate like antivirus
scan prompts from Windows or other software, but rather than search for bugs, they plant them. And according
to a detailed study from Google, they are on the rise and pose an increasing threat. Google says, "Our analysis
of 240 million web pages collected by Google's malware-detection infrastructure over a 13-month period
discovered over 11,000 domains involved in fake AV distribution. We show that the fake AV threat is rising in
prevalence, both absolutely and relative to other forms of web-based malware." Fake antivirus programs amount
to 15 percent of the malware Google detected on the web. In most cases, the attacks aim to trick people into
buying a bogus program, but they can also be used to grab log-ins and account information. The origin of these
attacks goes back to 2003, when social-engineering attacks (those designed to trick the user into granting
entry rather than exploiting vulnerable systems) prompted victims via Microsoft Messenger that their systems
were vulnerable. Ironically, a similar social-engineering attack is believed to have given hackers located in
China access to Google's servers last December in one of the biggest data breaches in history.
If you enjoyed this podcast why not visit CERTStation.com and check out our free Internet Security Dashboard. In the meantime this is your host Jay Johnson wishing you a safe and secure week.