
January 16, 2009

Downadup Worm Infection: Cyber Attacks on the Rise in 2009

SecurityFocus reports an estimated 3.5 million computers have been compromised due to a “Downadup worm,” a malicious bot that spreads through websites and blogs.

The Downadup worm, a malicious program that spreads using a recently patched Windows flaw, has compromised more than 3.5 million computers, security firm F-Secure stated this week.

The Downadup worm has successfully spread because it uses a major flaw that Microsoft patched in October to remotely compromise computers running unpatched versions of the Windows operating system. However, the malicious program’s greatest strength appears to be a feature that allows worm-controlled computers to download malicious code from a random drop point.

The program generates addresses for 250 different domains each day. The botnet controller need only register one of the domains and set up a download server to update the bot program with different functionality, said Mikko Hyppönen, chief research officer at F-Secure.

“The bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website, and they then gain access to all of the infected machines — pretty clever,” Hyppönen said in a blog post.

According to the report, the Downadup worm uses Windows XP’s vulnerability in processing remote procedure call (RPC) requests. While a patch was issued and warnings announced, not everyone has upgraded. The top countries hit by the MS08-067 Worms, as F-Secure calls them, are China, Brazil, and Russia, but it is expected to spread further unless server administrators and webmasters update and patch their Windows Servers and Windows programs immediately, including Internet Explorer.

ZD-Net Security Threats reports that the first sign of infection is usually that users cannot access their accounts: they are locked out of the Active Directory domain as the worm tries to crack passwords on Windows servers.

Tracking the Downadup infection, F-Secure said that reported infections rose by more than one million within just one day and are still growing. At last check, they estimate 3,521,230 infections worldwide.


December 8, 2008

Movable Type Monday: Pownce, Notifications, HashMT, and More


Happy Monday, folks! I’m sure by now you’ve heard the big news: Six Apart bought Pownce. The Pownce team will join 6A, and the Pownce service will shut down. It’s a shame they’re closing the site — it had some really nice features. Hopefully, we’ll see some of those social networking and microblogging features show up in a future version of Movable Type.

Speaking of MT versions, MT 4.23 — the security fix that I told you was coming over a month ago — has finally been released. This is just a security fix, so it should be an easy upgrade. If you’re using the community templates, though, you will need to update those.


October 27, 2008

Movable Type Monday: Publish Queue Manager, ShareThis, Security Issue

Happy Monday, folks! We told you last time about this being Movable Type’s 7th birthday. The celebration concludes this week with a huge party at MT HQ. If you’re going to be in San Francisco, don’t miss it.

But before the party starts, we’ve got work to do. On with the MT news!

Plugins

Minifier: Hirotaka Ogawa released Minifier, which adds block tags for minifying CSS and JavaScript. If your CSS and JS files are already templates in your blog, this shouldn’t take you more than two minutes to set up and should significantly reduce download time for those files.


October 24, 2008

WordPress 2.6.3 Security Release

A new version of WordPress is available, version 2.6.3. It is a security release to fix a vulnerability reported in the Snoopy library, which WordPress uses to fetch the feeds you see in the Dashboard. It doesn’t seem to be a very serious flaw, and you don’t have to download the full release if you’re running 2.6.4; you can just get the two files needed. Links are in the dev blog post, and the full 2.6.3 release is available on the download page now.


October 20, 2008

Google Webmaster Tools Warns WordPress Users

If you’re running WordPress 2.1.1 on your blog, and are using Google Webmaster Tools, you might get a security warning from Google. They are conducting a test to warn publishers if your publishing platform of choice is vulnerable to hacking, and WordPress 2.1.1 is just that, and also the test platform of choice. Should the test be successful, Google will expand this service to more platforms and versions in the future.

This is good, because it creates even more awareness of the need for upgrading to safer versions, no matter what CMS you’re using. Read more on the Official Google Webmaster Central blog. Hat tip to Quick Online Tips.


October 7, 2008

Blog Scams: How Do You Know If The Hype is a Scam?

With the line between a legit blog and scam blog getting harder to detect, how do you really know when the blog you are reading is a scam blog? As part of this ongoing series on blog scams, we’ve covered how blog scams are growing and the impact on the economy and job market for stay-at-home workers. Learning to tell the difference between a legit blog and a scam blog is becoming more and more important as the work force moves online looking for jobs.

You begin the process of detection of a scam blog by checking the facts. I covered a lot of information previously on how to check the facts in:

Some of the sites I recommend you use to check your facts when it comes to the hoaxes, scams, and snake oil claims some blogs can make include:


September 9, 2008

WordPress 2.6.2 is Out Now

There’s a new version of WordPress out now, 2.6.2, which addresses a database issue as well as the weakness of mt_rand(). This is especially important if you accept registrations to your blog. Also, some bug fixes, but other than the MySQL/PHP issue mentioned, this is another one of those small security releases. Check out the release post for more, and download the new version as well.


August 27, 2008

Largest internet security hole revealed… or what is BGP?


Wired has the story of the latest major security hole on the internet, the routing protocol BGP:

Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.

The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.

The demonstration is only the latest attack to highlight fundamental security weaknesses in some of the internet’s core protocols. Those protocols were largely developed in the 1970s with the assumption that every node on the then-nascent network would be trustworthy. The world was reminded of the quaintness of that assumption in July, when researcher Dan Kaminsky disclosed a serious vulnerability in the DNS system. Experts say the new demonstration targets a potentially larger weakness.



April 14, 2008

Movable Type Monday: Considering Security and Beta Test Updates

The primary focus of activity this week was around the Movable Type Open Source (MTOS) 4.15 beta test and the release of the second beta release. Before we dive into that information however, I thought I’d address one of the hot topics of the last week.

Welcome to Movable Type Monday!


April 1, 2008

Would You Risk Your Life With a Blog Post?

A few days back Lorelle asked what one would not blog about. People had varied responses. Some would not write profanities. Some would not offend other people with their writing. And others would not blog about work. Generally, it’s about doing others no harm.

What if blogging can bring you harm? We do know that restrictive regimes have jailed or imprisoned bloggers, or at the very least blocked access to blog hosting providers. People have been fired for what they have written on their blogs. It can be worse. There are a handful of arguments against blogging.

Here’s one example of something I would rather not blog about. When I was new to the blogging world, someone close to me witnessed a murder in broad daylight. Standing in line at a fast-food counter, a man was shot in the head and died on the spot. There were dozens of other witnesses, but no one dared move for fear of being shot themselves.

At first I thought that it was blog-worthy, that it was a good case of citizen journalism. I had finished drafting the post and was almost at the point of publishing the entry. But then at the last minute I changed my mind. I thought that I would rather not endanger myself and that person with that potentially dangerous blog post. I have several reasons.

First, I don’t personally know the nature of the incident, and the background of the perpetrators. For all I know those people could be members of organized crime. And they could perhaps come after me and my family.

Secondly, I’m not sure I can trust our authorities here 100%. In my country, while there are perhaps a good number of honest civil servants, hoodlums in uniform are aplenty. And in these cases I would rather not be involved lest I become involved in a very complicated and potentially dangerous way.

Some things are best kept private. Or at least anonymous. In hindsight, perhaps I could have posted about the incident, but somewhere not directly attributable to me or my friend.

Put simply, I like the freedom that blogging gives me, in terms of expressing myself. Both in writing opinions and reporting observations and facts (even news, where applicable). I can even go to the extent of writing negatively about people and companies. But when my life and those of the people close to me are potentially at risk, then that’s when I’ll keep my mouth (and my blog) shut.
