[Security] WMF Zero-Day Exploit

[Ned Slider]

A serious zero-day exploit of a vulnerability in Microsoft Windows Graphics Rendering Engine allows remote code execution.

http://www.microsoft.com/technet/sec...ry/912840.mspx

The exploit uses specially crafted Windows Metafiles (WMF) to execute malicious code, usually a trojan downloader, to download and install malicious software onto the users computer. At present, these WMF's are being hosted on a number of malicious websites.

This vulnerability affects ALL versions of Windows

The Problem

Users may be infected purely by visiting a malicious website hosting an exploit WMF. Upon visiting such a site, a WMF file is loaded that executes shellcode which utilizes the recently reported windows WMF vulnerability to download and execute another file (a trojan downloader). The trojan downloader then starts downloding and installing various malware to the user's machine. The WMF is commonly detected by most AV's:

Code:

Jotti's online virus scanner:

File:  	 xpl.wmf
Status: 	
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 	ee656ce9601850f559dfb371f624508e
Packers detected: 	
-
Scanner results
AntiVir 	Found Exploit/IMG.WMF exploit
ArcaVir 	Found Trojan.Downloader.Agent.Acd
Avast 	Found Win32:Exdown
AVG Antivirus 	Found nothing
BitDefender 	Found Exploit.Win32.WMF-PFV.C
ClamAV 	Found Exploit.WMF.A
Dr.Web 	Found Exploit.MS05-053
F-Prot Antivirus 	Found security risk or a "backdoor" program
Fortinet 	Found W32/WMF-exploit
Kaspersky Anti-Virus 	Found Trojan-Downloader.Win32.Agent.acd
NOD32 	Found Win32/TrojanDownloader.Wmfex
Norman Virus Control 	Found nothing
UNA 	Found nothing
VBA32 	Found Trojan-Downloader.Win32.Agent.acd

Note: At the time of posting, AVG still does not detect this exploit

The following malwares are currently reported as being distributed:

Trojan.Win32.StartPage.agq
Trojan-Downloader.Win32.Agent.abs
Trojan-Dropper.Win32.Small.zp
Trojan.Win32.Small.ga
Trojan.Win32.Small.ev
Trojan-Downloader.Win32.Qoologic.at
Trojan-Downloader.Win32.Small.ccm
Trojan-Downloader.Win32.Small.awa
Hoax.Win32.Renos.aj

Many of these install hoax AV programs such as AVGold, SpySheriff and WinHound that utilize desktop hijacking and inform you that your computer is infected and invite you to pay $30 for the full version of these hoax applications to clean your machine. Your AV should be detecting these - if it's not, get one that does!



There are currently 58 known variants of this exploit, with many distributing malware described above. However, recently there are reports of rootkits also being used to hide malware installations, and it's only a matter of time before someone starts using this exploit to distribute something far more malicious.

The Partial Solution

***************************************

Update: There is now an unofficial patch that has been released. It may be downloaded from our good friends at SANS:

http://isc.sans.org/diary.php?storyid=999

***************************************


At present, there is no patch for this vulnerability from Microsoft.

Part of the reason that makes this vulnerability so critical is the fact users can be automatically infected without doing anything. The exploit takes advantage of Windows Picture and Fax Viewer (shimgvw.dll) that automatically displays WMF's. Affected software includes, but is not limited to, Internet Explorer, Windows Explorer, MS Paint, Lotus Notes, Google Desktop.

A partial solution is to unregister the Windows Picture and Fax Viewer library, shimgvw.dll. Note, however, that this will disable Windows Picture and Fax Viewer and applications that use it to provide previews or thumbnail views.

Windows Picture and Fax Viewer may be unregistered (disabled) by doing:

Code:

Start > Run > regsvr32 -u %windir%\system32\shimgvw.dll

and may be re-registered by doing:

Code:

Start > Run > regsvr32 %windir%\system32\shimgvw.dll

In addition to unregistering shimgvw.dll, users are advised to temporarily rename that dll (eg, shimgvw.unreg.dl_) to prevent applications that invoke it directly from re-registering it. When a patch is released from Microsoft, users should restore and re-register the dll before installing the patch.

Users are advised that Windows identifies WMF's by code in the file header, so ALL image file formats have the potential to be exploited as simply renaming an exploited .wmf to .jpg, .bmp, .png etc would still result in exploitation of the vulnerability. Further, users should note that simply entering a directory containing a copy of an infected WMF in Explorer or even from the command line is enough to trigger the exploit. In much the same way, services that use indexing, such as Google Desktop, may trigger an infected WMF stored on the local hard disk.

Users may further protect themselves until a patch is released by taking the following steps:

1. Don't use Internet Explorer, use the latest version of Firefox which is unaffected
2. Don't download or open any image files from untrusted sources
3. Update your AV. If you don't have one, download and install the free 30-day trial of either Kaspersky or NOD32
4. Make sure Windows Firewall is turned on - if you do get infected it should block outgoing connection attempts made by the trojan downloader
5. Don't click ignore if your AV or firewall pops up warnings - read them carefully and understand your response. "My firewall popped up a warning, but I clicked allow because I always do" will get you nailed every time
6. Don't surf dodgy websites that may be hosting the exploit
7. Don't use Google Desktop - uninstall it right now!

If anyone gets infected, post in the Spyware, Trojans and Viruses Forum and we can help you clean your machine.

Further Reading:

http://www.websensesecuritylabs.com/...hp?AlertID=385
http://www.websensesecuritylabs.com/...hp?AlertID=387
http://www.f-secure.com/weblog/
http://www.kb.cert.org/vuls/id/181038
http://isc.sans.org/
http://secunia.com/advisories/18255/
http://sunbeltblog.blogspot.com/2005...y-patched.html
http://www.microsoft.com/technet/sec...ry/912840.mspx

..

[3dfxrain]

some people dont like MS for some reason

trouble makers

lots of news about this exploit

dont know of anyone affected by it on the forum

some good advice there

[grumblemarc]

Lost my ability to preview thumbnails when I unregistered that dll. Any way to get that function back WITHOUT enabling it again OR usuing 3rd party apps? I have no probs while I'm using Photoshop but when I'm not...

[jimzinsocal]

Since the file extension can be renamed for an infected file? Not that I know of...but Ned will comment further.

Also we need to point out that using Firefox 1.5 isnt a solution or by any means a totally safe workaround. From an email we received last night from SANS [concerning Firefox]

Its a bit safer. Firefox (at least recent versions) will not open .wmf
files by default. But this is easy enabled the first time you are
confronted with the popup. Also, most users still consider images
'safe', and well, if it got the right xxx related name, users usually
will oblige and open it.

Overall,it comes down to that this is not a browser vulnerability. The
browser is just one of many vectors for the image to enter your system.

--------------------

And from SANS [Jim Clausing] this morning

"Firefox doesn't (by default anyway) attempt to render the image, so it
doesn't tickle it directly. However, it can download it or ask if you
want to render it with the Fax Viewer. Once on the disk, some indexing
apps (Google Desktop) or viewing thumbnails will trip the vulnerability."

[jimzinsocal]

Lost my ability to preview thumbnails when I unregistered that dll. Any way to get that function back WITHOUT enabling it again OR usuing 3rd party apps? I have no probs while I'm using Photoshop but when I'm not...

There may be a way...but Id like Ned Slider...and the others to look at it first. One of the guys will post back here.

[thelmores]

does anybody STILL use internet explorer!

[Sick Willie]

As jimzinsocal alluded to, this: http://www.f-secure.com/weblog/archi....html#00000756 appears to point to a temporary fix.

The usual disclaimer applies: This fix seems to come from a reputable source; however, use at your own risk.

[Sick Willie]

does anybody STILL use internet explorer!

The exploit can be triggered w/o IE - Explorer itself is enough!

[xinco]

One option, is the browser appliance with the VMWare player. Run Firefox in a virtual Linux machine on your windows system. Seems like it would always be helpful for safe computing. Haven't tried installed it yet, but I did download it. (The appliance and the player)

http://www.vmware.com/vmtn/vm/browserapp.html

So if you ever visit less than reputable locations on the web, it might be a good idea.

[Crazy Chuckster]

does anybody STILL use internet explorer!

Yeah.... Me I will just play it safe and keep my browsing to a minimum for a while and I have Kaspersky set to Real Time so I should be fine.

[3dfxrain]

Linux seems to be immune. *me hugs LInux*

[scrandman]

Pretty sure my brother got infected by something like this about a month ago. Something claimed his PC had been infected by Spyware and gave a "handy" link to download a tool to remove it which promptly f***ed up his OS install.

I didn't post anything at the time, as I never got to see it - I talked him through an OS re-install over the phone. A real PITA.

The folks that come up with this type of stuff can rot in hell as far as I'm concerned.

Edit: @ 3dfxrain, yes Linux is great, but try explaining to his young kids why they can't game on the PC because it's got a Linux kernel installed - not easy

[Ned Slider]

OK, here's today's update:

First up, there's an UNOFFICIAL patch available here. Please note this isn't from MS, so use at your own risk. I haven't tried it so I am unable to comment.

Next up, there's reports of a new exploit against this vulnerability circulating ITW that is extremely difficult for AV products to detect due to the random junk nature of the files. I think it's safe to say that having an updated AV installed isn't any guarantee of protection. Read about it here:

http://isc.sans.org/diary.php?rss&storyid=992

F-Secure havn't minced their words regarding this new development:

http://www.f-secure.com/weblog/archi....html#00000758

We are aware that a new exploit for the WMF vulnerability has been published. This one is much more advanced than the old one, and much more dangerous.

It enables clueless newcomers to easily craft highly variable and hard-to-detect variations of image files. Images that take over computers when viewed. And do this on all common Windows platforms. With no vendor patch for the vulnerability available. Meaning that there are hundreds of millions of vulnerable computers in the net right now.

Making such tools publicly available when there's no vendor patch available is irresponsible. Plain and simply irresponsible. Everybody associated in making and publishing the exploit knows this. And they should know better. Moore, A.S, San and FrSIRT: you should know better.

And finally, there's also an Instant Messaging worm variant doing the rounds so users of IM also need to be aware:

http://www.f-secure.com/weblog/archi....html#00000757


Yes, Linux is unaffected - this vulnerability only affects ALL Microsoft OSes. If you're of the paranoid persuasion, then a knoppix Linux LiveCD will give you a safe surfing environment from a bootable CD without any installation or configuration headaches.

Another option worth investigating is SandboxIE:

http://www.sandboxie.com/

This rather cute piece of freeware allows users to run IE (and other apps) in a sandbox thus adding a layer of protection. Note that your computer is not protected, just that infections should be contained within the sandbox rather than running rampant on your hard disk. I have NOT tested this product against this particular vulnerability, but it may well limit any damage should you get nailed!

And as for Microsoft - here's the latest official word:

Microsoft is investigating new public reports of a vulnerability in Windows. Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system by hosting a specially crafted Windows Metafile (WMF) image on a malicious Web site. Microsoft is aware that this vulnerability is being actively exploited.

Microsoft has determined that an attacker using this exploit would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. In an e-mail based attack, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability. In both the web and email based attacks, the code would execute in the security context of the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft will continue to investigate these reports and provide additional guidance depending on customer needs.

Well Bill, sorry, but this just ain't good enough. You have an extremely critical vulnerability affecting ALL of your operating systems that IS being exploited in the wild with goodness knows how many customers being infected. We are now entering day 5 and that just don't cut it as a timely response. Maybe when they all return from their holidays they'll start thinking about releasing a patch

[Ned Slider]

Update: Day 5

It just got a whole lot worse. These's now a mass e-mailing circulating with this exploit:

http://www.f-secure.com/weblog/archi....html#00000759

Some clown is spamming out "Happy New Year" emails which will infect Windows machines very easily. These emails contain a new version of the WMF exploit, which doesn't seem to be related to the two earlier Metasploit WMF exploits we've seen.

The emails have a Subject: "Happy New Year", body: "picture of 2006" and contain an exploit WMF as an attachment, named "HappyNewYear.jpg" (MD5: DBB27F839C8491E57EBCC9445BABB755). We detect this as PFV-Exploit.D.

When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com. Admins, filter this domain at your firewalls.

It's going to get worse.

Add the domain www[dot]ritztours.com to your host file now!

See the HOSTS file section in post #2 of this thread if you don't know what a hosts file is for.

Ned

[IAmGhostDog]

Nice to see that MS has been working on this problem.