
Windows WMF 0-day exploit in the wild


33 replies to this topic

#1 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 28 December 2005 - 04:12 AM

FYI...

- http://isc.sans.org/...php?storyid=972
Last Updated: 2005-12-28 03:56:13 UTC
"Just when we thought that this will be another slow day, a link to a working unpatched exploit in, what looks like Windows Graphics Rendering Engine, has been posted to Bugtraq...
The HTML file runs another WMF (Windows Meta File) which executes a trojan dropper on a fully patched Windows XP SP2 machine. The dropper will then download Winhound*, a fake anti-spyware/virus program which asks the user to purchase a registered version of the software in order to remove the reported threats.
During the test Johannes ran, it was interesting that the DEP (Data Execution Prevention) on his system stopped this from working. However, as this was tested on an AMD64 machine, we still have to confirm whether (or not) the software DEP also stops this - let us know if you tested this.
Internet Explorer will automatically launch the "Windows Picture and Fax Viewer". Note that Firefox users are not totally immune either. In my install of Firefox, a dialog box will ask me if I would like to load the image in "Windows Picture and Fax Viewer". If I allow this to happen ("pictures are safe after all" NOT!), the exploit will execute.
For more information, see also http://vil.mcafeesec...nt/v_137760.htm and http://www.securityf.../bid/16074/info ..."

* http://www.spywarewa...nti-spyware.htm
"...Most recent additions: ...WinHound (11-29-05)...
stealth installs through exploits, system hijacking (1,2); scare-mongering used as goad to purchase [A: 11-29-05 / U: 11-29-05]"

:( :ph34r:

Edited by AplusWebMaster, 28 December 2005 - 04:27 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#2 AplusWebMaster


Posted 28 December 2005 - 05:54 AM

FYI...

- http://secunia.com/advisories/18255/
Release Date: 2005-12-28
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
NOTE: Exploit code is publicly available. This is being exploited in the wild.
The vulnerability has been confirmed on a fully patched system running Microsoft Windows XP SP2. Microsoft Windows XP SP1 and Microsoft Windows Server 2003 SP0 / SP1 are reportedly also affected. Other platforms may also be affected.
Solution:
Do not open or preview untrusted ".wmf" files and set security level to "High" in Microsoft Internet Explorer..."

:ph34r:



#3 AplusWebMaster


Posted 28 December 2005 - 04:24 PM

FYI...

Be careful with WMF files...
- http://www.f-secure.com/weblog/
Wednesday, December 28, 2005
" Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C. Fellow researchers at Sunbelt* have also blogged about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch:
Crackz [dot] ws
unionseek [dot] com
www.tfcco [dot] com
Iframeurl [dot] biz
beehappyy [dot] biz
And funnily enough, according to WHOIS, domain beehappyy.biz is owned by a previous president of the Soviet Union:
Registrant Name: Mikhail Sergeevich Gorbachev
Registrant Address1: Krasnaya ploshad, 1
Registrant City: Moscow
Registrant Postal Code: 176098
Registrant Country: Russian Federation
Registrant Country Code: RU
"Krasnaya ploshad" is the Red Square in Moscow..."

* http://sunbeltblog.blogspot.com/
December 28, 2005
"For this WMF exploit: Until Microsoft patches this thing, here is a workaround:
From the command prompt, type REGSVR32 /U SHIMGVW.DLL.
You can also do this by going to Start, Run and then pasting in the above command. This effectively disables your ability to view images using the Windows picture and fax viewer via IE. This is an old Windows feature that doesn’t even show up under programs. Not “core” or critical..." However, it is a preventative measure. If you are already infected, it will not help..."

Update on Windows WMF 0-day / [ISC] Infocon changed to yellow
- http://isc.sans.org/...php?storyid=975
"Update 19:07 UTC: We are moving to Infocon Yellow...Regarding DEP (Data Execution Protection) of XPSP2, the default settings of DEP will not prevent this exploit from working. Comments we have received in the meantime suggest that if you enable DEP to cover all programs (as documented on Microsoft Technet**), the WMF exploit attempt will result in a warning and not run on its own. Don't feel too safe though, we have also received comments stating that a fully enabled DEP did not do anything good in their case..."
** http://www.microsoft...p/depcnfxp.mspx

:ph34r:

Edited by AplusWebMaster, 28 December 2005 - 04:34 PM.



#4 AplusWebMaster


Posted 28 December 2005 - 10:27 PM

FYI...

MS Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
- http://www.microsoft...ory/912840.mspx
Published: December 28, 2005

Also:
MS Windows Metafile Handling Buffer Overflow
- http://www.us-cert.g.../TA05-362A.html
Original release date: December 28, 2005
Updates will be made at http://www.kb.cert.org/vuls/id/181038 ..."



#5 Guest_faith_michele_*

Guest_faith_michele_*
  • Guests

Posted 29 December 2005 - 02:27 AM

Thanks. Much of the information that has been available was very confusing and you put it together for me. Does anyone know how to block web sites in FireFox?

#6 AplusWebMaster


Posted 29 December 2005 - 04:54 PM

FYI...

- http://www.techweb.c...1&site_section=
December 29, 2005
"As bleaker details emerged Thursday about the threat posed by a zero-day vulnerability in Windows, Microsoft said it would produce a patch for the flaw but declined to put the fix on a timetable. In a security advisory posted on its Web site, Microsoft confirmed the vulnerability and the associated release of exploit code that could compromise PCs, and listed the operating systems at risk. Windows 2000 SP4, Windows XP, Windows Server 2000, Windows 98, and Windows Millennium can be attacked using the newly-discovered vulnerability in WMF (Windows Metafile) image file parsing, said Microsoft. "Upon completion of [our] investigation, Microsoft will take the appropriate action to help protect our customers," the advisory stated. "This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs." Microsoft rarely goes out-of-cycle to patch a vulnerability -- it's done so only three times since it began a once-a-month patch release schedule in October, 2003; the last time was over a year ago -- and didn't patch early in December when another zero-day bug surfaced, even after experts called on the Redmond, Wash.-based developer to fix fast. One security vendor told its customers Thursday not to hold their breath waiting for a fix for the flaw..."

:ph34r:



#7 AplusWebMaster


Posted 29 December 2005 - 11:51 PM

FYI...

Informational Alert: Zero-day profiteering
- http://www.websenses...php?AlertID=387
December 29, 2005
"...Starting in mid December, 2005 we started investigating several websites that were using browser exploits to download and run code on end-users' machines without any end-user knowledge. These sites were not just using older Internet Explorer vulnerabilities but were also utilizing a recent zero-day vulnerability that at that time had no fix for it (this was the window(open) MS IE vulnerability). After tracing the code we discovered an entity called Exfol software that was a registered company in Vanuatu, in the South Pacific and who had ties to the following other entities (from their licensing agreement). As of this week the same sites are using the current WMF zero-day exploit that has no patch available in order to install their affiliates' programs. The code is placed within IFRAMES on websites. Both Exfol and Freecat.biz are hosted on web servers in South America and were up at the time of this alert... We created a short video example of a machine that has visited a site that has the IFRAME code on it. Even though there is an ActiveX popup warning the code downloads and installs in the background. Post download and launching the code you can see that there are several security warnings that prompt you to purchase some software. The security alerts are fraudulent.
http://www.websenses...exfol-movie.wmv
Upon accessing the site a WMF file is loaded that executes shellcode which utilizes the recently reported windows WMF vulnerability. ( see http://www.websenses...php?AlertID=385 ). The shellcode calls URLmon.dll to download and execute another file. Strings of WMF file showing download site for Trojan Horse. The file pawn00#.exe in turn downloads other executables..."

(Screenshots available at first URL above.)

:(



#8 AplusWebMaster


Posted 30 December 2005 - 12:36 AM

FYI...

Lotus Notes Vulnerable to WMF 0-Day Exploit
- http://isc.sans.org/...php?storyid=981
Last Updated: 2005-12-30 05:15:59 UTC
"John Herron at NIST.org discovered today that Lotus Notes versions 6.x and higher are vulnerable to the WMF 0-day exploit. In the advisory, located on the NIST website*, John reports that Lotus Notes remained vulnerable even after running the regsvr32 workaround in the Microsoft security advisory."

* http://www.nist.org/....php?content.25

:ph34r:



#9 AplusWebMaster


Posted 30 December 2005 - 06:40 AM

FYI...

- http://www.f-secure.com/weblog/
December 29, 2005
WMF, day 2
"...We've seen 57 different versions of malicious WMF files so far. We detect them all as PFV-Exploit*..."
* http://www.f-secure....v-exploit.shtml

:ph34r:



#10 AplusWebMaster


Posted 30 December 2005 - 01:51 PM

FYI...

...More WMF Information...
- http://isc.sans.org/...php?storyid=982
Last Updated: 2005-12-30 19:40:36 UTC
"...One reader sent us the following summary, which pretty nicely outlines the issues with this vulnerability:
1. Filename extension filtering will not work.
2. Even if you un-register the DLL, some programs may re-register it by invoking it (shimgvw.dll) directly.
3. You have to delete or rename the DLL to protect yourself. However, remember to undo this once there is a patch.
4. While images embedded into documents may not immediately trigger the exploit, they may once saved into their own file.
The reader goes on to note that whatever mitigation is offered in Microsoft's advisory is not much more than a quick temporary bandaid. What we need is a patch and we need it quick."

:(



#11 Guest_faith_michele_*


Posted 31 December 2005 - 03:14 AM

Thanks. :)

#12 AplusWebMaster


Posted 31 December 2005 - 11:08 AM

FYI...

New IM Worm Exploiting WMF Vulnerability
- http://isc.sans.org/...php?storyid=991
Last Updated: 2005-12-31 16:33:11 UTC
"We have received information that a new IM Worm is hitting the Netherlands. Apparently the worm is spreading with MSN and is spreading with a malformed WMF file called "xmas-2006 FUNNY.jpg".
Kaspersky Lab Blogs*
Be very careful when opening the New Years Greetings that you receive folks. We wouldn't want you to have to spend the rest of your holiday weekend rebuilding your computer..."

* http://www.viruslist...logid=176892530
December 31, 2005 | 11:54 GMT
"It was only a matter of time, the first IM-Worm exploiting the wmf vulnerability has been spotted. We have received multiple reports from the Netherlands about an IM-Worm which spreads via MSN using a link to "hxxp://[snip]/xmas-2006 FUNNY.jpg". This may well turn out to become a local epidemic (in NL), however so far it has not become big (not even 1000 bots at this moment). The jpg is actually an HTML page with a (link to a) malicious wmf file which is heuristically detected as Exploit.Win32.IMG-WMF by Kaspersky Anti-Virus.
This wmf will download and execute a .vbs file which is detected as Trojan-Downloader.VBS.Psyme.br which in turn will download an Sdbot. The IRCBot is detected as Backdoor.Win32.SdBot.gen by KAV. At the time of writing this SdBot is instructed to download an IM-Worm.Win32.Kelvir variant. As you will know Kelvir is responsible for spreading across MSN. Looking at this IRCBot it's extremely likely that it has been made for cyber criminals.
Going back to the wmf vulnerability itself, we see a number of sites mention that shimgvw.dll is the vulnerable file. This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll has been unregistered and deleted. The vulnerability seems to be in gdi32.dll. So while unregistering shimgvw.dll may make you less vulnerable, several attack scenarios come to mind where the system can still be compromised..."

:ph34r:



#13 AplusWebMaster


Posted 31 December 2005 - 06:02 PM

FYI...

New exploit released for the WMF vulnerability - Infocon to YELLOW
- http://isc.sans.org/...php?storyid=992
Last Updated: 2005-12-31 23:16:11 UTC
"On New Year's eve the defenders got a 'nice' present from the full disclosure community.
The source code claims to be made by the folks at metasploit and xfocus, together with an anonymous source.
The exploit generates files:
* with a random size;
* no .wmf extension, (.jpg), but could be any other image extension actually;
* a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
* a number of possible calls to run the exploit are listed in the source;
* a random trailer
From a number of scans we did through virustotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly it is very unlikely any of the current IDS signatures work for it. Judging from the source code, it will likely be difficult to develop very effective signatures due to the structures of the WMF files. Considering this upsets all defenses people have in place, we voted to go to yellow in order to warn the good guys out there they need to review their defenses. We hate going back to yellow for something we were yellow on a couple of days ago and had returned to green, but the more we look at it, the uglier it gets.
For those of you wanting to try an unofficial patch with all the risks involved, please see http://www.hexblog.c...2/wmf_vuln.html. Initially it was only for Windows XP SP2. Fellow handler Tom Liston is working with Ilfak Guilfanov to extend it to also cover Windows XP SP1 and Windows 2000. We will host the files once we have it verified. We are receiving signatures from Frank Knobbe that detect this newest variant, but we haven't done much testing for false positives or negatives at this point.
http://www.bleedingsnort.com/ ..."

:ph34r:

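Posts #10 and #13 above make two related points: filtering on the filename extension does not work, because the exploit file can carry a .jpg (or any other image) extension, and signatures are hard to write, because the generator pads the file with random-sized junk before the bad call and adds a random trailer. The following Python is an added example written for this thread, not code from the posts or from any of the vendors quoted. It identifies a WMF by its header bytes regardless of the filename and walks the record list to flag META_ESCAPE records carrying the SETABORTPROC escape, which is the call the public exploit relied on (not named in this thread, but documented in later public write-ups of the vulnerability). The record and escape constants are from the WMF format specification; the sample files are constructed here and contain a text placeholder in place of any payload.

```python
"""Content-based WMF detection (added example, not from the thread):
identify a Windows Metafile by its header, not its extension, and walk the
record list looking for a SETABORTPROC escape. Sample files are constructed."""
import struct

WMF_PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic (little-endian on disk)
PLACEABLE_HEADER_LEN = 22
METAHEADER_LEN = 18
META_EOF = 0x0000
META_SETMAPMODE = 0x0103         # harmless record type used for the constructed samples
META_ESCAPE = 0x0626             # record type that carries printer escapes
SETABORTPROC = 0x0009            # escape sub-function abused by the 2005 exploit


def _body_offset(data: bytes) -> int:
    """Skip the optional 22-byte placeable header; return where METAHEADER starts."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY:
        return PLACEABLE_HEADER_LEN
    return 0


def looks_like_wmf(data: bytes) -> bool:
    """True if the bytes start with a plausible METAHEADER, whatever the name says."""
    base = _body_offset(data)
    if len(data) < base + METAHEADER_LEN:
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", data, base)
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def wmf_records(data: bytes):
    """Yield (offset, function, params) per record.

    Record layout: DWORD size in 16-bit words (including these 6 header bytes),
    WORD function, then parameters. Stops at META_EOF or at a malformed record,
    so random-sized padding records before the interesting one are simply walked.
    """
    off = _body_offset(data) + METAHEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        nbytes = size_words * 2
        if size_words < 3 or off + nbytes > len(data):
            break                                   # truncated or nonsense size
        yield off, func, data[off + 6:off + nbytes]
        if func == META_EOF:
            break
        off += nbytes


def find_abortproc_escapes(data: bytes) -> list:
    """Offsets of META_ESCAPE records whose escape code is SETABORTPROC."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


def classify(data: bytes) -> str:
    """Verdict from content alone: 'not-wmf', 'wmf:clean' or 'wmf:setabortproc'."""
    if not looks_like_wmf(data):
        return "not-wmf"
    return "wmf:setabortproc" if find_abortproc_escapes(data) else "wmf:clean"


# --- constructed sample files (no real payload; the escape data is a text placeholder) ---
def _record(func: int, params: bytes = b"") -> bytes:
    if len(params) % 2:
        params += b"\x00"                           # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records: list) -> bytes:
    body = b"".join(records)
    max_words = max(struct.unpack_from("<I", r)[0] for r in records)
    # METAHEADER: type=1 (memory), header size 9 words, version 3.0, total size
    # in words, object count 0, largest record in words, reserved 0
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (METAHEADER_LEN + len(body)) // 2, 0, max_words, 0)
    return header + body


_MAPMODE = _record(META_SETMAPMODE, struct.pack("<H", 8))      # MM_ANISOTROPIC
_PLACEHOLDER = b"PLACEHOLDER-NOT-CODE"
BENIGN_WMF = _wmf([_MAPMODE, _record(META_EOF)])
PLACEABLE_BENIGN = struct.pack("<IHhhhhHIH", WMF_PLACEABLE_KEY, 0,
                               0, 0, 100, 100, 96, 0, 0) + BENIGN_WMF
SUSPICIOUS_JPG = _wmf([_MAPMODE] * 3                            # padding records
                      + [_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC,
                                                          len(_PLACEHOLDER)) + _PLACEHOLDER)]
                      + [_record(META_EOF)]) + b"random-trailer-bytes"
REAL_JPEG_STUB = b"\xff\xd8\xff\xe0" + bytes(32)                # JPEG SOI marker + filler

if __name__ == "__main__":
    for name, blob in [("chart.wmf", BENIGN_WMF), ("greeting.jpg", SUSPICIOUS_JPG),
                       ("photo.jpg", REAL_JPEG_STUB)]:
        print(f"{name:14} -> {classify(blob)}")
```

The verdict never consults the filename, which is the point of item 1 in the reader summary; the record walk tolerates any number of padding records in front of the escape and ignores whatever trails META_EOF, which is why a structural check of this kind holds up better than a byte-pattern signature against a generator that randomises size and padding.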


#14 AplusWebMaster


Posted 01 January 2006 - 12:23 AM

FYI...

Malicious Websites / Malicious Code: Zero-day used for BOT's and Crimeware
- http://www.websenses...php?AlertID=389
December 31, 2005
"Websense Security Labs ™ is now tracking several dozen cases of websites which are using the WMF vulnerability (see: http://www.websenses...tylabs.com/blog *) for some details.
The sites are all using the IFRAME technique in order to run code on the end-user's machine without their intervention. In every case these have been Trojan Horse Downloaders which use HTTP to download and run new code. Of the ones that we have finished researching they are all either installing other Trojan Horses or BOTs (mostly SDBots). This is different from the other sites we have identified in the past few days that are installing Potentially Unwanted Software.
We have also seen reports of emails that are posing as New Years Greetings that include a malicious .JPG file."

* WMF exploits increasing
- http://www.websenses...ylabs.com/blog/
Dec 31 2005 9:24PM
"We are now tracking several new versions of the WMF exploits in the wild. We have discovered at least 30 new websites which are all using the IFRAMES to run code without end-user intervention. Most of these are hacked web servers, however some appear to be set up on purpose as there is no content besides the IFRAME code.
We have also seen reports of emails that are using the same vulnerability to run code with a .JPG attachment.
All of these sites are installing BOTs (mostly SD Bot variants) and/or Trojan Horses..."

:ph34r:



#15 AplusWebMaster


Posted 01 January 2006 - 12:45 AM

FYI...

1a. a-squared update announcements
- http://forum.emsisof...p?p=21575#21575
Sat Dec 31, 2005 6:58 am
"Added detection for the WMF exploit."


1b. Overview of the WMF related articles at the ISC
- http://isc.sans.org/...php?storyid=993
Last Updated: 2006-01-01 03:19:50 UTC
"Since this is one of the more complex stories to follow I've made a quick overview of the WMF issues.

The first story on the WMF vulnerability and the initial exploit
http://isc.sans.org/...php?storyid=972
The update explaining why we went to yellow the first time around
http://isc.sans.org/...php?storyid=975
The story pointing to the Microsoft bulletin
http://isc.sans.org/...php?storyid=976
The availability of the first snort sigs
http://isc.sans.org/...php?storyid=977
The going back to green article
http://isc.sans.org/...php?storyid=978
More WMF signatures
http://isc.sans.org/...php?storyid=980
Lotus notes affected
http://isc.sans.org/...php?storyid=981
The bandaid post: deregistering not reliable, extension filtering not enough
http://isc.sans.org/...php?storyid=982
The free phone number for Microsoft support
http://isc.sans.org/...php?storyid=985
Indexing and WMF
http://isc.sans.org/...php?storyid=986
Musings on how to protect organisations beyond the trivial
http://isc.sans.org/...php?storyid=990
An IM worm found using the WMF stuff
http://isc.sans.org/...php?storyid=991
The second exploit, back to yellow, new signatures and an unofficial patch
http://isc.sans.org/...php?storyid=992
The WMF FAQ
http://isc.sans.org/...php?storyid=994
