  1. #1
    Joined
    Jul 2001
    Location
    UK
    Age
    51
    Posts
    20,229

    Resolved [Security] WMF Zero-Day Exploit

    A serious zero-day exploit of a vulnerability in Microsoft Windows Graphics Rendering Engine allows remote code execution.

    http://www.microsoft.com/technet/sec...ry/912840.mspx

    The exploit uses specially crafted Windows Metafiles (WMF) to execute malicious code, usually a trojan downloader, to download and install malicious software onto the user's computer. At present, these WMFs are being hosted on a number of malicious websites.

    This vulnerability affects ALL versions of Windows

    The Problem

    Users may be infected purely by visiting a malicious website hosting an exploit WMF. Upon visiting such a site, a WMF file is loaded that executes shellcode which utilizes the recently reported Windows WMF vulnerability to download and execute another file (a trojan downloader). The trojan downloader then starts downloading and installing various malware to the user's machine. The WMF is commonly detected by most AVs:

    Code:
    Jotti's online virus scanner:
    
    File:  	 xpl.wmf
    Status: 	
    INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5 	ee656ce9601850f559dfb371f624508e
    Packers detected: 	
    -
    Scanner results
    AntiVir 	Found Exploit/IMG.WMF exploit
    ArcaVir 	Found Trojan.Downloader.Agent.Acd
    Avast 	Found Win32:Exdown
    AVG Antivirus 	Found nothing
    BitDefender 	Found Exploit.Win32.WMF-PFV.C
    ClamAV 	Found Exploit.WMF.A
    Dr.Web 	Found Exploit.MS05-053
    F-Prot Antivirus 	Found security risk or a "backdoor" program
    Fortinet 	Found W32/WMF-exploit
    Kaspersky Anti-Virus 	Found Trojan-Downloader.Win32.Agent.acd
    NOD32 	Found Win32/TrojanDownloader.Wmfex
    Norman Virus Control 	Found nothing
    UNA 	Found nothing
    VBA32 	Found Trojan-Downloader.Win32.Agent.acd
    Note: At the time of posting, AVG still does not detect this exploit

    The following malware is currently reported as being distributed:

    Trojan.Win32.StartPage.agq
    Trojan-Downloader.Win32.Agent.abs
    Trojan-Dropper.Win32.Small.zp
    Trojan.Win32.Small.ga
    Trojan.Win32.Small.ev
    Trojan-Downloader.Win32.Qoologic.at
    Trojan-Downloader.Win32.Small.ccm
    Trojan-Downloader.Win32.Small.awa
    Hoax.Win32.Renos.aj

    Many of these install hoax AV programs such as AVGold, SpySheriff and WinHound that utilize desktop hijacking and inform you that your computer is infected and invite you to pay $30 for the full version of these hoax applications to clean your machine. Your AV should be detecting these - if it's not, get one that does!



    There are currently 58 known variants of this exploit, with many distributing malware described above. However, recently there are reports of rootkits also being used to hide malware installations, and it's only a matter of time before someone starts using this exploit to distribute something far more malicious.

    The Partial Solution

    ***************************************

    Update: There is now an unofficial patch that has been released. It may be downloaded from our good friends at SANS:

    http://isc.sans.org/diary.php?storyid=999

    ***************************************



    At present, there is no patch for this vulnerability from Microsoft.

    Part of what makes this vulnerability so critical is that users can be infected automatically without doing anything. The exploit takes advantage of Windows Picture and Fax Viewer (shimgvw.dll), which automatically displays WMFs. Affected software includes, but is not limited to, Internet Explorer, Windows Explorer, MS Paint, Lotus Notes and Google Desktop.

    A partial solution is to unregister the Windows Picture and Fax Viewer library, shimgvw.dll. Note, however, that this will disable Windows Picture and Fax Viewer and applications that use it to provide previews or thumbnail views.

    Windows Picture and Fax Viewer may be unregistered (disabled) by doing:

    Code:
    Start > Run > regsvr32 -u %windir%\system32\shimgvw.dll
    and may be re-registered by doing:

    Code:
    Start > Run > regsvr32 %windir%\system32\shimgvw.dll
    In addition to unregistering shimgvw.dll, users are advised to temporarily rename that dll (e.g., shimgvw.unreg.dl_) to prevent applications that invoke it directly from re-registering it. When a patch is released from Microsoft, users should restore and re-register the dll before installing the patch.

    Users are advised that Windows identifies WMFs by code in the file header, so ALL image file formats have the potential to be exploited: simply renaming an exploited .wmf to .jpg, .bmp, .png etc. would still result in exploitation of the vulnerability. Further, users should note that simply entering a directory containing a copy of an infected WMF in Explorer, or even from the command line, is enough to trigger the exploit. In much the same way, services that use indexing, such as Google Desktop, may trigger an infected WMF stored on the local hard disk.

    Users may further protect themselves until a patch is released by taking the following steps:

    1. Don't use Internet Explorer; use the latest version of Firefox, which is unaffected
    2. Don't download or open any image files from untrusted sources
    3. Update your AV. If you don't have one, download and install the free 30-day trial of either Kaspersky or NOD32
    4. Make sure Windows Firewall is turned on - if you do get infected it should block outgoing connection attempts made by the trojan downloader
    5. Don't click ignore if your AV or firewall pops up warnings - read them carefully and understand your response. "My firewall popped up a warning, but I clicked allow because I always do" will get you nailed every time
    6. Don't surf dodgy websites that may be hosting the exploit
    7. Don't use Google Desktop - uninstall it right now!


    If anyone gets infected, post in the Spyware, Trojans and Viruses Forum and we can help you clean your machine.

    Further Reading:

    http://www.websensesecuritylabs.com/...hp?AlertID=385
    http://www.websensesecuritylabs.com/...hp?AlertID=387
    http://www.f-secure.com/weblog/
    http://www.kb.cert.org/vuls/id/181038
    http://isc.sans.org/
    http://secunia.com/advisories/18255/
    http://sunbeltblog.blogspot.com/2005...y-patched.html
    http://www.microsoft.com/technet/sec...ry/912840.mspx

    Last edited by Ned Slider; 01-05-2006 at 05:38 PM.
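    As an added example (not from this thread or from any of the vendors it cites), the following Python triage script applies the point made above, that Windows recognises a WMF by its header rather than its extension: it walks a directory and flags files whose bytes say WMF but whose name says .jpg, .bmp or similar. The header constants are taken from the WMF file format, and the sample file the script builds is constructed and benign.

```python
import os
import struct

# Header constants come from the WMF file format, not from the forum post.
# A placeable (Aldus) metafile begins with key 0x9AC6CDD7 stored
# little-endian, i.e. the bytes D7 CD C6 9A on disk; a standard metafile
# begins with METAHEADER: mtType (1 memory / 2 disk), mtHeaderSize (always 9
# words) and mtVersion (0x0100 or 0x0300).
PLACEABLE_KEY = 0x9AC6CDD7
STANDARD_VERSIONS = (0x0100, 0x0300)

def wmf_kind(data: bytes):
    """Return 'placeable', 'standard' or None, judged from header bytes only."""
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_KEY:
        return "placeable"
    if len(data) >= 18:
        mt_type, header_size, version = struct.unpack("<HHH", data[:6])
        if mt_type in (1, 2) and header_size == 9 and version in STANDARD_VERSIONS:
            return "standard"
    return None

def classify(filename: str, data: bytes) -> str:
    """'wmf' for a WMF named .wmf, 'wmf-disguised' for a WMF behind another
    extension (.jpg, .bmp, ...), 'other' for anything that is not a WMF."""
    if wmf_kind(data) is None:
        return "other"
    ext = os.path.splitext(filename)[1].lower()
    return "wmf" if ext == ".wmf" else "wmf-disguised"

def scan_directory(root: str):
    """Yield (path, label) for every file under root whose header says WMF."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(32)  # the header check needs at most 18 bytes
            except OSError:
                continue
            label = classify(name, head)
            if label != "other":
                yield path, label

def constructed_minimal_wmf() -> bytes:
    """A constructed, benign 24-byte standard WMF: METAHEADER plus an EOF record.
    Sizes in the header are counted in 16-bit words (24 bytes = 12 words)."""
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0)
    eof_record = struct.pack("<IH", 3, 0x0000)  # RecordSize=3 words, META_EOF
    return header + eof_record

if __name__ == "__main__":
    import sys
    for path, label in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{label:14} {path}")
```

    Point it at a downloads or mail-attachment folder; a 'wmf-disguised' hit is worth quarantining before anything (Explorer, a thumbnail view, an indexer) gets a chance to render it.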

  2. #2
    Joined
    Jan 2001
    Location
    Auckland
    Age
    40
    Posts
    30,915

    Re: [Security] WMF Zero-Day Exploit

    some people don't like MS for some reason

    trouble makers

    lots of news about this exploit

    don't know of anyone affected by it on the forum

    some good advice there

  3. #3
    Joined
    Jan 2004
    Location
    My Own Mind
    Age
    53
    Posts
    1,545

    Re: [Security] WMF Zero-Day Exploit

    Lost my ability to preview thumbnails when I unregistered that dll. Any way to get that function back WITHOUT enabling it again OR using 3rd party apps? I have no probs while I'm using Photoshop but when I'm not...

  4. #4
    Joined
    Aug 2001
    Posts
    74,682

    Re: [Security] WMF Zero-Day Exploit

    Since the file extension can be renamed for an infected file? Not that I know of...but Ned will comment further.

    Also we need to point out that using Firefox 1.5 isn't a solution or by any means a totally safe workaround. From an email we received last night from SANS [concerning Firefox]:

    It's a bit safer. Firefox (at least recent versions) will not open .wmf files by default. But this is easily enabled the first time you are confronted with the popup. Also, most users still consider images 'safe', and well, if it got the right xxx related name, users usually will oblige and open it.

    Overall, it comes down to that this is not a browser vulnerability. The browser is just one of many vectors for the image to enter your system.

    --------------------

    And from SANS [Jim Clausing] this morning:

    "Firefox doesn't (by default anyway) attempt to render the image, so it doesn't tickle it directly. However, it can download it or ask if you want to render it with the Fax Viewer. Once on the disk, some indexing apps (Google Desktop) or viewing thumbnails will trip the vulnerability."
    Last edited by jimzinsocal; 12-31-2005 at 09:49 AM.

  5. #5
    Joined
    Aug 2001
    Posts
    74,682

    Re: [Security] WMF Zero-Day Exploit

    Quote Originally Posted by grumblemarc
    Lost my ability to preview thumbnails when I unregistered that dll. Any way to get that function back WITHOUT enabling it again OR using 3rd party apps? I have no probs while I'm using Photoshop but when I'm not...
    There may be a way...but I'd like Ned Slider...and the others to look at it first. One of the guys will post back here.

  6. #6
    Joined
    Dec 2000
    Location
    myrtle beach,south carolina, U. S. of A.!
    Posts
    12,697

    Re: [Security] WMF Zero-Day Exploit

    does anybody STILL use internet explorer!

  7. #7
    Joined
    Nov 2001
    Location
    I've moved.....I'm over here now.
    Age
    60
    Posts
    7,290

    Re: [Security] WMF Zero-Day Exploit

    As jimzinsocal alluded to, this: http://www.f-secure.com/weblog/archi....html#00000756 appears to point to a temporary fix.

    The usual disclaimer applies: This fix seems to come from a reputable source; however, use at your own risk.

  8. #8
    Joined
    Nov 2001
    Location
    I've moved.....I'm over here now.
    Age
    60
    Posts
    7,290

    Re: [Security] WMF Zero-Day Exploit

    Quote Originally Posted by thelmores
    does anybody STILL use internet explorer!
    The exploit can be triggered w/o IE - Explorer itself is enough!

  9. #9
    Joined
    Feb 2001
    Location
    Denver, CO
    Posts
    2,486

    Re: [Security] WMF Zero-Day Exploit

    One option is the browser appliance with the VMware Player. Run Firefox in a virtual Linux machine on your Windows system. Seems like it would always be helpful for safe computing. Haven't tried installing it yet, but I did download it. (The appliance and the player)

    http://www.vmware.com/vmtn/vm/browserapp.html

    So if you ever visit less than reputable locations on the web, it might be a good idea.

  10. #10
    Joined
    Oct 2001
    Location
    Erie, PA
    Age
    45
    Posts
    5,053

    Re: [Security] WMF Zero-Day Exploit

    Quote Originally Posted by thelmores
    does anybody STILL use internet explorer!
    Yeah.... Me. I will just play it safe and keep my browsing to a minimum for a while, and I have Kaspersky set to Real Time so I should be fine.

  11. #11
    Joined
    Jan 2001
    Location
    Auckland
    Age
    40
    Posts
    30,915

    Re: [Security] WMF Zero-Day Exploit

    Linux seems to be immune. *me hugs Linux*

  12. #12
    Joined
    Jun 2004
    Posts
    3,035

    Re: [Security] WMF Zero-Day Exploit

    Pretty sure my brother got infected by something like this about a month ago. Something claimed his PC had been infected by Spyware and gave a "handy" link to download a tool to remove it which promptly f***ed up his OS install.

    I didn't post anything at the time, as I never got to see it - I talked him through an OS re-install over the phone. A real PITA.

    The folks that come up with this type of stuff can rot in hell as far as I'm concerned.

    Edit: @ 3dfxrain, yes Linux is great, but try explaining to his young kids why they can't game on the PC because it's got a Linux kernel installed - not easy

  13. #13
    Joined
    Jul 2001
    Location
    UK
    Age
    51
    Posts
    20,229

    Re: [Security] WMF Zero-Day Exploit

    OK, here's today's update:

    First up, there's an UNOFFICIAL patch available here. Please note this isn't from MS, so use at your own risk. I haven't tried it so I am unable to comment.

    Next up, there are reports of a new exploit against this vulnerability circulating ITW that is extremely difficult for AV products to detect due to the random junk nature of the files. I think it's safe to say that having an updated AV installed isn't any guarantee of protection. Read about it here:

    http://isc.sans.org/diary.php?rss&storyid=992

    F-Secure haven't minced their words regarding this new development:

    http://www.f-secure.com/weblog/archi....html#00000758

    Quote Originally Posted by Mikko of F-Secure
    We are aware that a new exploit for the WMF vulnerability has been published. This one is much more advanced than the old one, and much more dangerous.

    It enables clueless newcomers to easily craft highly variable and hard-to-detect variations of image files. Images that take over computers when viewed. And do this on all common Windows platforms. With no vendor patch for the vulnerability available. Meaning that there are hundreds of millions of vulnerable computers in the net right now.

    Making such tools publicly available when there's no vendor patch available is irresponsible. Plain and simply irresponsible. Everybody associated in making and publishing the exploit knows this. And they should know better. Moore, A.S, San and FrSIRT: you should know better.
    And finally, there's also an Instant Messaging worm variant doing the rounds so users of IM also need to be aware:

    http://www.f-secure.com/weblog/archi....html#00000757


    Yes, Linux is unaffected - this vulnerability only affects ALL Microsoft OSes. If you're of the paranoid persuasion, then a Knoppix Linux LiveCD will give you a safe surfing environment from a bootable CD without any installation or configuration headaches.

    Another option worth investigating is SandboxIE:

    http://www.sandboxie.com/

    This rather cute piece of freeware allows users to run IE (and other apps) in a sandbox thus adding a layer of protection. Note that your computer is not protected, just that infections should be contained within the sandbox rather than running rampant on your hard disk. I have NOT tested this product against this particular vulnerability, but it may well limit any damage should you get nailed!

    And as for Microsoft - here's the latest official word:

    Quote Originally Posted by Microsoft
    Microsoft is investigating new public reports of a vulnerability in Windows. Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system by hosting a specially crafted Windows Metafile (WMF) image on a malicious Web site. Microsoft is aware that this vulnerability is being actively exploited.

    Microsoft has determined that an attacker using this exploit would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. In an e-mail based attack, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability. In both the web and email based attacks, the code would execute in the security context of the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Microsoft will continue to investigate these reports and provide additional guidance depending on customer needs.
    Well Bill, sorry, but this just ain't good enough. You have an extremely critical vulnerability affecting ALL of your operating systems that IS being exploited in the wild with goodness knows how many customers being infected. We are now entering day 5 and that just don't cut it as a timely response. Maybe when they all return from their holidays they'll start thinking about releasing a patch
    Last edited by Ned Slider; 12-31-2005 at 09:48 PM.

  14. #14
    Joined
    Jul 2001
    Location
    UK
    Age
    51
    Posts
    20,229

    Re: [Security] WMF Zero-Day Exploit

    Update: Day 5

    It just got a whole lot worse. There's now a mass e-mailing circulating with this exploit:

    http://www.f-secure.com/weblog/archi....html#00000759

    Some clown is spamming out "Happy New Year" emails which will infect Windows machines very easily. These emails contain a new version of the WMF exploit, which doesn't seem to be related to the two earlier Metasploit WMF exploits we've seen.

    The emails have a Subject: "Happy New Year", body: "picture of 2006" and contain an exploit WMF as an attachment, named "HappyNewYear.jpg" (MD5: DBB27F839C8491E57EBCC9445BABB755). We detect this as PFV-Exploit.D.

    When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com. Admins, filter this domain at your firewalls.

    It's going to get worse.


    Add the domain www[dot]ritztours.com to your host file now!

    See the HOSTS file section in post #2 of this thread if you don't know what a hosts file is for.

    Ned
    Last edited by Ned Slider; 01-01-2006 at 09:42 AM.

  15. #15

    Re: [Security] WMF Zero-Day Exploit

    Nice to see that MS has been working on this problem.


