The OpenSSL flaw is the more serious of the two problems at this point, with experts recommending that affected users regenerate both their SSH keys and their SSL certificates immediately. The bottom line with this vulnerability is that any SSH key or SSL certificate generated between September 2006 and May 13, 2008, should be considered compromised.

“The situation with web certificates is even worse – the public key is really that: public. So, for a weak key generated on Debian, an attacker could derive the private key and construct a Man-In-The-Middle attack without any problems in the browser,” the folks at the Internet Storm Center wrote in a post about the problem. “Very very scary. Makes one wonder how many people used Debian to generate their SSL keys.”

The increase in SSH probes seems to be a separate issue at this point, as those brute-force attempts mostly involve password guessing. A number of posts on the Unisog security mailing list described spikes of 10 or 20 times the normal number of login attempts per day, beginning sometime in April. These attacks are mainly classic dictionary attacks, in which the attacker runs a script that attempts a remote login to an SSH server using a large list of possible passwords.

In other words, run, don’t walk, to the console and update those keys and certificates. If the good guys have already developed scripts and tools for brute-forcing the keys, you have to assume the crackers have as well.

MessageLabs spokesperson Matt Sergeant, said the spam messages are successful in getting through most enterprise email filters. The messages don’t contain content, only a link that takes recipients to a Google Docs file. Once opened the file touts the all too familiar pharmaceuticals hyped in many spam campaigns.

“This is another method that spammers have found of hosting a website in a place that’s bulletproof basically,” Sergeant said.

Google has labeled the hosted file as being registered as spam. The good news is that Google Docs is still in its infancy, so there aren’t a lot of people using them in a corporate setting, Sergeant told me. So far the messages have come in very small numbers, but large enough that they triggered an alert at MessageLabs.

In figures released by Marshal’s research team, Srizbi compromised more than 300,000 machines and sends more than 60 billion spam messages per day, according to Marshal. The botnet is also spreading malware, using social engineering tactics to get computer users to click on a malicious link in the spam email.

Marshal points to efforts to combat the Storm botnet as the reason for its decline. Microsoft’s Malicious Software Removal Tool has been successful in slowing Storm.

What is clear now is that no botnet has a firm footing as the number one player on the block. Marshal said the Storm botnet was outpaced in January by the Mega-D botnet, otherwise known as Ozdok. Srizbi came grew strong enough to be recognized in February.

Other researchers, Damballa for example, are tracking far more malicious botnets. Kraken has been spreading dangerous malware and is more sophisticated, allowing its maker to evade detection by simply moving its command and control function to another domain in a hard-coded list.

Damballa saw more than 400,000 unique infected IP addresses on one day in March, with the number continuing to trend upward from about 300,000 in early March.

Which botnet is the biggest? It depends on what month and which security research team you talk to. I’m not sure it really matters.

Before her stint at Tablus, Bonaparte was CEO of MailFrontier, an email security company, which she led through its acquisition by SonicWall in 2006. Her experience in leading start-ups through their second phase as they look for either an acquisition partner or major investors will come in handy at Solidcore, a vendor that is smack in the middle of that stage in its growth right now. The company started out as a provider of software for companies looking to prevent admins from making unauthorized changes to servers. It has since evolved into a player in the security market, mainly as a result of its role in compliance efforts.

“This binary that is download by this attack appears to be part of a kit we have seen in the Chinese malware family for some time now. The first thing this malware does once installed is download a configuration file. This configuration file has several commands and tells the system what to do next. In our instance it [tells it] to download yet another file and to report in to a URL,” the Shadowserver analysis says.

Fun for the whole family. Shadowserver also has a good list of some of the malicious sites and IP addresses that are serving the malware, for your filtering pleasure.

Spammers are turning their attention to social networking sites to hawk their products, according to Cloudmark, a messaging security company. As email antispam technology has improved, spammers have branched out to other areas, said Adam O’Donnell, director of emerging technology at Cloudmark. “The social networking side provided a fertile ground for spammers,” he said.

Junk emailers are using multiple messaging vectors available on social networking sites, including direct messaging to friends, bulletin board posts and profiles, O’Donnell said. For example, a spammer will create a profile, which includes a link to a porn or dating site, then invites a bunch of people to be their friend or contact.

In a recent six-month period, Cloudmark tracked a 300 percent increase in spam on a large social networking site that it works with. Also, at several major social networking sites, about one-third of new accounts created are fraudulent, designed for spam and other attacks, the company said.

On Monday, Cloudmark released what it said was the only commercial product to combat spam, phishing and other attacks on social networks. Cloudmark Authority for Social Networking Providers, which extends Cloudmark’s carrier-grade platform, is designed to protect all communication channels on a social networking site. The company said the technology has been deployed at one of the largest social networking sites, but wouldn’t identify it.

There’s no spam filter that end users can deploy to protect themselves on social networking sites, O’Donnell said. Some sites like LinkedIn are used as business tools, he said, adding, “If it came to a point on social networks where 80 percent of inbound content is spam, they’re no longer a useful business tool.”

Jamz Yaneza, a senior threat researcher at Trend Micro who uses several social networking sites including Facebook and MySpace, said he’s noticed an increase in friend invitations that push products. There have been a lot of exploits against social networking sites, he said, citing last year’s hack of singer Alicia Keys’ MySpace page.

Paul Ferguson, also a threat researcher at Trend Micro, said the growth of users on social networking sites “far outpaces their ability to keep the platform secure.” He added, “The back-end mechanisms that allow the interactivity also allow people to use them for malicious purposes.”

There are a handful of other security updates included in SP3, and Microsoft has a good description of all of the new features in Windows XP SP3. Here are some highlights:

• IPSec Simple Policy Update for Windows Server 2003 and Windows XP. This is a tool to help simplify the creation of IPSec filters.
• Digital Identity Management Service. This allows users on any PC that’s a member of a domain to access all of their digital certificates and encryption keys for applications and services on that domain.
• Support for the WPA2 wireless security standard.
• Black hole router detection turned on by default.

The other major news with Windows XP SP3 is the fact that it does not include Internet Explorer 7. Some users have complained about IE 7 being pushed to their PCs as a critical update and Microsoft even went so far as to release a special toolkit to block the delivery of the browser last year. For users who don’t update their machines regularly, SP3 is a good opportunity to get back on the right track all at once.

The company acquiring Anonymizer, Abraxas, is a provider of technology and risk management services to the national security community and was founded by Richard H. Helms, a former CIA officer (no relation to Richard M. Helms, former director of CIA). The two companies, both based in San Diego, already share some similarities. Lance Cottrell, the founder and chief scientist at Anonymizer, is also chief scientist at Abraxas. Abraxas’ board of advisers includes former DHS secretary Tom Ridge, and Alan Wade, the former CIO of CIA.

This is, ah, how should I put it, ridiculous. These new attacks are exactly the kind of things that should worry you if you’re charged with protecting a corporate network. Hackers pay good money for reliable attack methods like this, particularly when they are brand new and not well understood. Security specialists know what a buffer overflow attack looks like, and there are any number of products out there that are capable of stopping these attacks. But the complex techniques like Litchfield’s and Dowd’s are the ones that find the cracks in network defenses and by the time they’re recognized for what they are, it’s game over. And who’s to say that some hacker in the Ukraine or Brazil or China hasn’t been using the same techniques for months?

Sure, worms and viruses and phishing are still threats, but to ignore new attacks because they look difficult or complex is foolish at best and negligent at worst.