Windows WMF 0-day exploit in the wild


43 replies to this topic

#1 AplusWebMaster (SWI Friend, 11,104 posts)

Posted 28 December 2005 - 04:10 AM

FYI...

- http://isc.sans.org/...php?storyid=972
Last Updated: 2005-12-28 03:56:13 UTC
"Just when we thought that this would be another slow day, a link to a working unpatched exploit in what looks like the Windows Graphics Rendering Engine has been posted to Bugtraq...
The HTML file runs another WMF (Windows Meta File) which executes a trojan dropper on a fully patched Windows XP SP2 machine. The dropper will then download Winhound*, a fake anti-spyware/virus program which asks the user to purchase a registered version of the software in order to remove the reported threats.
During the test Johannes ran, it was interesting that the DEP (Data Execution Prevention) on his system stopped this from working. However, as this was tested on an AMD64 machine, we still have to confirm whether (or not) the software DEP also stops this - let us know if you tested this.
Internet Explorer will automatically launch the "Windows Picture and Fax Viewer". Note that Firefox users are not totally immune either. In my install of Firefox, a dialog box will ask me if I would like to load the image in "Windows Picture and Fax Viewer". If I allow this to happen ("pictures are safe after all" NOT!), the exploit will execute.
For more information, see also http://vil.mcafeesec...nt/v_137760.htm and http://www.securityf.../bid/16074/info ..."

* http://www.spywarewa...nti-spyware.htm
"...Most recent additions: ...WinHound (11-29-05)...
stealth installs through exploits, system hijacking (1,2); scare-mongering used as goad to purchase [A: 11-29-05 / U: 11-29-05]"

:( :ph34r:

Edited by apluswebmaster, 28 December 2005 - 04:26 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#2 AplusWebMaster (SWI Friend, 11,104 posts)

Posted 28 December 2005 - 05:54 AM

FYI...

- http://secunia.com/advisories/18255/
Release Date: 2005-12-28
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
NOTE: Exploit code is publicly available. This is being exploited in the wild.
The vulnerability has been confirmed on a fully patched system running Microsoft Windows XP SP2. Microsoft Windows XP SP1 and Microsoft Windows Server 2003 SP0 / SP1 are reportedly also affected. Other platforms may also be affected.
Solution:
Do not open or preview untrusted ".wmf" files and set security level to "High" in Microsoft Internet Explorer..."

:ph34r:

#3 AplusWebMaster (SWI Friend, 11,104 posts)

Posted 28 December 2005 - 04:23 PM

FYI...

Be careful with WMF files...
- http://www.f-secure.com/weblog/
Wednesday, December 28, 2005
" Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C. Fellow researchers at Sunbelt* have also blogged about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch:
Crackz [dot] ws
unionseek [dot] com
www.tfcco [dot] com
Iframeurl [dot] biz
beehappyy [dot] biz
And funnily enough, according to WHOIS, domain beehappyy.biz is owned by a previous president of the Soviet Union:
Registrant Name: Mikhail Sergeevich Gorbachev
Registrant Address1: Krasnaya ploshad, 1
Registrant City: Moscow
Registrant Postal Code: 176098
Registrant Country: Russian Federation
Registrant Country Code: RU
"Krasnaya ploshad" is the Red Square in Moscow..."

* http://sunbeltblog.blogspot.com/
December 28, 2005
"For this WMF exploit: Until Microsoft patches this thing, here is a workaround:
From the command prompt, type REGSVR32 /U SHIMGVW.DLL.
You can also do this by going to Start, Run and then pasting in the above command. This effectively disables your ability to view images using the Windows picture and fax viewer via IE. This is an old Windows feature that doesn’t even show up under programs. Not “core” or critical..." However, it is a preventative measure. If you are already infected, it will not help..."

Update on Windows WMF 0-day / [ISC] Infocon changed to yellow
- http://isc.sans.org/...php?storyid=975
"Update 19:07 UTC: We are moving to Infocon Yellow...Regarding DEP (Data Execution Protection) of XPSP2, the default settings of DEP will not prevent this exploit from working. Comments we have received in the meantime suggest that if you enable DEP to cover all programs (as documented on Microsoft Technet**), the WMF exploit attempt will result in a warning and not run on its own. Don't feel too safe though, we have also received comments stating that a fully enabled DEP did not do anything good in their case..."
** http://www.microsoft...p/depcnfxp.mspx

:ph34r:

Edited by apluswebmaster, 28 December 2005 - 04:35 PM.


#4 Corrine, The Mystical Rose (Ambassador, 186 posts)

Posted 28 December 2005 - 08:20 PM

I wonder how many people use Google Desktop. See Eric the Red's update:

This vulnerability is being tracked by the Internet Storm Center, see isc.sans.org/diary.php?storyid=975 for the latest news

Users of Google Desktop are also vulnerable to this exploit, see http://www.f-secure.com/weblog/archives/archive-122005.html#00000753


From: http://www.landzdown...g15988#msg15988

It is predicted in Harry Walden's Blog that Microsoft will prioritize & patch quickly. See his blog here: http://msmvps.com/bl...2/28/79902.aspx


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.


#5 Corrine, The Mystical Rose (Ambassador, 186 posts)

Posted 28 December 2005 - 08:52 PM

Workaround posted by Sunbelt:

Wednesday, December 28, 2005
Workarounds for the WMF exploit

For this WMF exploit: Until Microsoft patches this thing or your AV provider has updated their defs, here are some workarounds:

1. Unregister SHIMGVW.DLL.

From the command prompt, type REGSVR32 /U SHIMGVW.DLL. A reboot is recommended. (It works post reboot as well. It is a permanent workaround).

You can also do this by going to Start, Run and then pasting in the above command.

This effectively disables your ability to view images using the Windows picture and fax viewer via IE.

However, it is not the most elegant fix. You’re probably going to have all kinds of problems viewing images.

But, no biggie: Once the exploit is patched, you can simply do REGSVR32 SHIMGVW.DLL to bring back the functionality.

And, it is a preventative measure. If you are already infected, it will not help.

Works for IE, should work fine for Firefox users as well.

2. Change file associations for WMF files.

An equally ugly fix (but perhaps preferable) is to do the following:

1. Go to My documents, Tools, Folder Options, File Types.
2. Change WMF Image to notepad and select Always Open with this.

Your WMF files will open in Notepad. Ugly, but it is a fix.

3. Run IESPYAD.

IESpyad is a free tool that puts block lists into IE’s restricted sites zone. It’s managed by Eric Howes, who works as a consultant for Sunbelt. We regularly update him with the latest URLs. Click here.

(Note that Eric is currently out of town so I’m not sure it’s being updated as frequently.)

Alex Eckelberry
(Hat tip to Jon and Sunbelt researchers Lior Kimchi and Adam Thomas)


http://sunbeltblog.b...mf-exploit.html



#6 AplusWebMaster (SWI Friend, 11,104 posts)

Posted 29 December 2005 - 04:53 PM

FYI...

- http://www.techweb.c...1&site_section=
December 29, 2005
"As bleaker details emerged Thursday about the threat posed by a zero-day vulnerability in Windows, Microsoft said it would produce a patch for the flaw but declined to put the fix on a timetable. In a security advisory posted on its Web site, Microsoft confirmed the vulnerability and the associated release of exploit code that could compromise PCs, and listed the operating systems at risk. Windows 2000 SP4, Windows XP, Windows Server 2000, Windows 98, and Windows Millennium can be attacked using the newly-discovered vulnerability in WMF (Windows Metafile) image file parsing, said Microsoft. "Upon completion of [our] investigation, Microsoft will take the appropriate action to help protect our customers," the advisory stated. "This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs." Microsoft rarely goes out-of-cycle to patch a vulnerability -- it's done so only three times since it began a once-a-month patch release schedule in October, 2003; the last time was over a year ago -- and didn't patch early in December when another zero-day bug surfaced, even after experts called on the Redmond, Wash.-based developer to fix fast. One security vendor told its customers Thursday not to hold their breath waiting for a fix for the flaw..."

:ph34r:

#7 AplusWebMaster (SWI Friend, 11,104 posts)

Posted 29 December 2005 - 11:49 PM

FYI...

Informational Alert: Zero-day profiteering
- http://www.websenses...php?AlertID=387
December 29, 2005
"...Starting in mid December, 2005 we started investigating several websites that were using browser exploits to download and run code on end-users' machines without any end-user knowledge. These sites were not just using older Internet Explorer vulnerabilities but were also utilizing a recent zero-day vulnerability that at that time had no fix for it (this was the window(open) MS IE vulnerability). After tracing the code we discovered an entity called Exfol software that was a registered company in Vanuatu, in the South Pacific and who had ties to the following other entities (from their licensing agreement). As of this week the same sites are using the current WMF zero-day exploit that has no patch available in order to install their affiliates programs. The code is placed within IFRAMES on websites. Both Exfol and Freecat.biz are hosted on web servers in South America and were up at the time of this alert... We created a short video example of a machine that has visited a site that has the IFRAME code on it. Even though there is an ActiveX popup warning the code downloads and installs in the background. Post download and launching the code you can see that there are several security warnings that prompt you to purchase some software. The security alerts are fraudulent.
http://www.websenses...exfol-movie.wmv
Upon accessing the site a WMF file is loaded that executes shellcode which utilizes the recently reported windows WMF vulnerability. ( see http://www.websenses...php?AlertID=385 ). The shellcode calls URLmon.dll to download and execute another file. Strings of WMF file showing download site for Trojan Horse. The file pawn00#.exe in turn downloads other executables..."

(Screenshots available at first URL above.)

:(

#8 AplusWebMaster (SWI Friend, 11,104 posts)

Posted 30 December 2005 - 12:35 AM

FYI...

Lotus Notes Vulnerable to WMF 0-Day Exploit
- http://isc.sans.org/...php?storyid=981
Last Updated: 2005-12-30 05:15:59 UTC
"John Herron at NIST.org discovered today that Lotus Notes versions 6.x and higher is vulnerable to the WMF 0-day exploit. In the advisory, located on the NIST website*, John reports that Lotus Notes remained vulnerable even after running the regsvr32 workaround in the Microsoft security advisory."

* http://www.nist.org/....php?content.25

:ph34r:

#9 AplusWebMaster (SWI Friend, 11,104 posts)

Posted 30 December 2005 - 06:38 AM

FYI...

- http://www.f-secure.com/weblog/
December 29, 2005
WMF, day 2
"...We've seen 57 different versions of malicious WMF files so far. We detect them all as PFV-Exploit*..."
* http://www.f-secure....v-exploit.shtml

:eek:

#10 AplusWebMaster (SWI Friend, 11,104 posts)

Posted 30 December 2005 - 01:52 PM

FYI...

...More WMF Information...
- http://isc.sans.org/...php?storyid=982
Last Updated: 2005-12-30 19:40:36 UTC
"...One reader sent us the following summary, which pretty nicely outlines the issues with this vulnerability:
1. Filename extension filtering will not work.
2. Even if you un-register the DLL, some programs may re-register it by invoking it (shimgvw.dll) directly.
3. You have to delete or rename the DLL to protect yourself. However, remember to undo this once there is a patch.
4. While images embedded into documents may not immediately trigger the exploit, they may once saved into their own file.
The reader goes on to note that whatever mitigation is offered in Microsoft's advisory is not much more than a quick temporary bandaid. What we need is a patch and we need it quick."

:(

Edited by apluswebmaster, 31 December 2005 - 02:14 AM.


#11 AplusWebMaster (SWI Friend, 11,104 posts)

Posted 31 December 2005 - 11:06 AM

FYI...

New IM Worm Exploiting WMF Vulnerability
- http://isc.sans.org/...php?storyid=991
Last Updated: 2005-12-31 16:33:11 UTC
"We have received information that a new IM Worm is hitting the Netherlands. Apparently the worm is spreading with MSN and is spreading with a malformed WMF file called "xmas-2006 FUNNY.jpg".
Kaspersky Lab Blogs*
Be very careful when opening the New Years Greetings that you receive folks. We wouldn't want you to have to spend the rest of your holiday weekend rebuilding your computer..."

* http://www.viruslist...logid=176892530
December 31, 2005 | 11:54 GMT
"It was only a matter of time, the first IM-Worm exploiting the wmf vulnerability has been spotted. We have received multiple reports from the Netherlands about an IM-Worm which spreads via MSN using a link to "hxxp://[snip]/xmas-2006 FUNNY.jpg". This may well turn out to become a local epidemic (in NL), however so far it has not become big (Not even 1000 bots at this moment). The jpg is actually an HTML page with a (link to a) malicious wmf file which is heuristically detected as Exploit.Win32.IMG-WMF by Kaspersky Anti-Virus.
This wmf will download and execute a .vbs file which is detected as Trojan-Downloader.VBS.Psyme.br which in turn will download an Sdbot. The IRCBot is detected as Backdoor.Win32.SdBot.gen by KAV. At the time of writing this SdBot is instructed to download an IM-Worm.Win32.Kelvir variant. As you will know Kelvir is responsible for spreading across MSN. Looking at this IRCBot it's extremely likely that it has been made for cyber criminals.
Going back to the wmf vulnerability itself, we see a number of sites mention that shimgvw.dll is the vulnerable file. This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll has been unregistered and deleted. The vulnerability seems to be in gdi32.dll. So while unregistering shimgvw.dll may make you less vulnerable, several attack scenarios come to mind where the system can still be compromised..."

:ph34r:

#12 AplusWebMaster (SWI Friend, 11,104 posts)

Posted 31 December 2005 - 05:58 PM

FYI...

New exploit released for the WMF vulnerability - Infocon to YELLOW
- http://isc.sans.org/...php?storyid=992
Last Updated: 2005-12-31 23:16:11 UTC
"On New Year's Eve the defenders got a 'nice' present from the full disclosure community.
The source code claims to be made by the folks at metasploit and xfocus, together with an anonymous source.
The exploit generates files:
* with a random size;
* no .wmf extension, (.jpg), but could be any other image extension actually;
* a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
* a number of possible calls to run the exploit are listed in the source;
* a random trailer
From a number of scans we did through virustotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly it is very unlikely any of the current IDS signatures work for it. Judging from the source code, it will likely be difficult to develop very effective signatures due to the structures of the WMF files. Considering this upsets all defenses people have in place, we voted to go to yellow in order to warn the good guys out there they need to review their defenses. We hate going back to yellow for something we were yellow on a couple of days ago and had returned to green, but the more we look at it, the uglier it gets.
For those of you wanting to try an unofficial patch with all the risks involved, please see http://www.hexblog.c...2/wmf_vuln.html. Initially it was only for Windows XP SP2. Fellow handler Tom Liston is working with Ilfak Guilfanov to extend it to also cover Windows XP SP1 and Windows 2000. We will host the files once we have it verified. We are receiving signatures from Frank Knobbe that detect this newest variant, but we haven't done much testing for false positives or negatives at this point.
http://www.bleedingsnort.com/ ..."

:ph34r:
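Two of the ISC points quoted above, that filename extension filtering does not work (post #10) and that the second exploit generator writes its output with a .jpg or any other image extension rather than .wmf (post #12), lead to the same defensive measure: a mail or web gateway has to identify WMF content by its bytes, not its name. The Python below is an added example written for this page; it is not code from the thread, the ISC, or any vendor. It recognises both the Aldus "placeable" header and the bare standard METAHEADER, so it covers more than the specific samples named in the thread. The sample "attachments" are constructed here (a header plus a single EOF record, nothing else), and the function names and verdict strings are this example's own.

```python
"""Content-based WMF identification (added example, not from the thread)."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7        # Aldus placeable metafile key, little-endian on disk
PLACEABLE_HEADER_LEN = 22          # key(4) hmf(2) bbox(8) inch(2) reserved(4) checksum(2)
METAHEADER_LEN = 18
# mtType, mtHeaderSize, mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
METAHEADER_FMT = "<HHHIHIH"


def _looks_like_metaheader(buf: bytes) -> bool:
    """True if buf starts with a plausible standard WMF METAHEADER."""
    if len(buf) < METAHEADER_LEN:
        return False
    mt_type, header_size, version, _size, _objs, _max_rec, _params = struct.unpack_from(
        METAHEADER_FMT, buf, 0
    )
    # mtType: 1 = memory metafile, 2 = disk metafile; header is always 9 words;
    # mtVersion is 0x0100 or 0x0300 in real files.
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def sniff_wmf(data: bytes):
    """Return 'placeable', 'standard' or None depending on whether data is a WMF."""
    if len(data) >= PLACEABLE_HEADER_LEN and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return "placeable" if _looks_like_metaheader(data[PLACEABLE_HEADER_LEN:]) else None
    return "standard" if _looks_like_metaheader(data) else None


def classify(filename: str, data: bytes) -> str:
    """Gateway verdict combining the claimed extension with the sniffed content."""
    kind = sniff_wmf(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind is None:
        return "not-wmf"
    if ext == "wmf":
        return "wmf"  # honest WMF: block or quarantine per policy while unpatched
    # content/extension mismatch: exactly the case an extension filter misses
    return f"wmf-disguised-as-{ext or 'noext'}"


def _wmf_bytes(placeable: bool) -> bytes:
    """Constructed minimal WMF: header(s) plus a single EOF record, no drawing records."""
    meta = struct.pack(METAHEADER_FMT, 1, 9, 0x0300, 12, 0, 3, 0)
    eof = struct.pack("<IH", 3, 0)  # record size 3 words, function 0x0000 = EOF
    if placeable:
        placeable_hdr = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
        return placeable_hdr + meta + eof
    return meta + eof


# Constructed sample attachments; names echo the thread, bytes are synthetic.
SAMPLES = {
    "HappyNewYear.jpg": _wmf_bytes(placeable=True),
    "xmas-2006 FUNNY.jpg": _wmf_bytes(placeable=False),
    "diagram.wmf": _wmf_bytes(placeable=False),
    "real_photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,  # JPEG SOI marker, not a WMF
}


def scan(samples=SAMPLES) -> dict:
    """Classify every sample; returns {filename: verdict}."""
    return {name: classify(name, blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:25} {verdict}")
```

The check is deliberately loose (type, header size and version only) so that the random sizes and trailers the ISC describes do not defeat it; a stricter parser that walks the record list would be the next step, but the point here is that the decision is made on content, never on the extension.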

#13 AplusWebMaster (SWI Friend, 11,104 posts)

Posted 01 January 2006 - 12:23 AM

FYI...

Malicious Websites / Malicious Code: Zero-day used for BOTs and Crimeware
- http://www.websenses...php?AlertID=389
December 31, 2005
"Websense Security Labs ™ is now tracking several dozen cases of websites which are using the WMF vulnerability (see: http://www.websenses...tylabs.com/blog *) for some details.
The sites are all using the IFRAME technique in order to run code on the end-user's machine without their intervention. In every case these have been Trojan Horse Downloaders which use HTTP to download and run new code. Of the ones that we have finished researching they are all either installing other Trojan Horses or BOTs (mostly SDBots). This is different from the other sites we have identified in the past few days that are installing Potentially Unwanted Software.
We have also seen reports of emails that are posing as New Years Greetings that include a malicious .JPG file."

* WMF exploits increasing
- http://www.websenses...ylabs.com/blog/
Dec 31 2005 9:24PM
"We are now tracking several new versions of the WMF exploits in the wild. We have discovered at least 30 new websites which are all using the IFRAMES to run code without end-user intervention. Most of these are hacked web servers, however some appear to be setup on purpose as there is no content besides the IFRAME code.
We have also seen reports of emails that are using the same vulnerability to run code with a .JPG attachment.
All of these sites are installing BOTs (mostly SD Bot variants) and/or Trojan Horses..."

:eek:

#14 AplusWebMaster (SWI Friend, 11,104 posts)

Posted 01 January 2006 - 12:44 AM

FYI...

1a. a-squared update announcements
- http://forum.emsisof...p?p=21575#21575
Sat Dec 31, 2005 6:58 am
"Added detection for the WMF exploit."


1b.Overview of the WMF related articles at the ISC
- http://isc.sans.org/...php?storyid=993
Last Updated: 2006-01-01 03:19:50 UTC
"Since this is one of the more complex stories to follow I've made a quick overview of the WMF issues.

The first story on the WMF vulnerability and the initial exploit
http://isc.sans.org/...php?storyid=972
The update explaining why we went to yellow the first time around
http://isc.sans.org/...php?storyid=975
The story pointing to the Microsoft bulletin
http://isc.sans.org/...php?storyid=976
The availability of the first snort sigs
http://isc.sans.org/...php?storyid=977
The going back to green article
http://isc.sans.org/...php?storyid=978
More WMF signatures
http://isc.sans.org/...php?storyid=980
Lotus notes affected
http://isc.sans.org/...php?storyid=981
The bandaid post: deregistering not reliable, extension filtering not enough
http://isc.sans.org/...php?storyid=982
The free phone number for Microsoft support
http://isc.sans.org/...php?storyid=985
Indexing and WMF
http://isc.sans.org/...php?storyid=986
Musings on how to protect organisations beyond the trivial
http://isc.sans.org/...php?storyid=990
An IM worm found using the WMF stuff
http://isc.sans.org/...php?storyid=991
The second exploit, back to yellow, new signatures and an unofficial patch
http://isc.sans.org/...php?storyid=992
The WMF FAQ
http://isc.sans.org/...php?storyid=994


#15 AplusWebMaster (SWI Friend, 11,104 posts)

Posted 01 January 2006 - 08:01 AM

FYI...

- http://www.f-secure....6.html#00000758
Sunday, January 1, 2006 - 00:49 GMT
"We are aware that a new exploit for the WMF vulnerability has been published. This one is much more advanced than the old one, and much more dangerous.
It enables clueless newcomers to easily craft highly variable and hard-to-detect variations of image files. Images that take over computers when viewed. And do this on all common Windows platforms. With no vendor patch for the vulnerability available. Meaning that there are hundreds of millions of vulnerable computers in the net right now.
Making such tools publicly available when there's no vendor patch available is irresponsible. Plain and simply irresponsible. Everybody associated in making and publishing the exploit knows this. And they should know better. Moore, A.S, San and FrSIRT: you should know better."

2nd generation WMF 0-day Exploit Spammed
- http://isc.sans.org/...php?storyid=995
Last Updated: 2006-01-01 11:06:07 UTC
"According to F-Secure's blog today*, the 2nd generation WMF exploit has been spammed and "When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com.".
Trend Micro is calling it TROJ_NASCENE.H":
- http://www.trendmicr.....ENE.H&VSect=T

* http://www.f-secure....6.html#00000759
Sunday, January 1, 2006 - 09:38 GMT
"Some clown is spamming out "Happy New Year" emails which will infect Windows machines very easily. These emails contain a new version of the WMF exploit, which doesn't seem to be related to the two earlier Metasploit WMF exploits we've seen. The emails have a Subject: "Happy New Year", body: "picture of 2006" and contain an exploit WMF as an attachment, named "HappyNewYear.jpg" (MD5: DBB27F839C8491E57EBCC9445BABB755). We detect this as PFV-Exploit.D.
When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com. Admins, filter this domain at your firewalls.
It's going to get worse..."

:ph34r:

#16 AplusWebMaster (SWI Friend, 11,104 posts)

Posted 01 January 2006 - 10:36 AM

FYI...

Trustworthy Computing
- http://isc.sans.org/...php?storyid=996
Last Updated: 2006-01-01 15:47:02 UTC by Tom Liston (Version: 1)
"Looking forward to the week ahead, I find myself in the very peculiar position of having to say something that I don't believe has ever been said here in the Handler's diary before: "Please, trust us."
I've written more than a few diaries, and I've often been silly or said funny things, but now, I'm being as straightforward and honest as I can possibly be: the Microsoft WMF vulnerability is bad. It is very, very bad.
We've received many emails from people saying that no one in a corporate environment will find using an unofficial patch acceptable. Acceptable or not, folks, you have to trust someone in this situation.
To the best of my knowledge, over the past 5 years, this rag-tag group of volunteers hasn't asked for your trust: we've earned it. Now we're going to expend some of that hard-earned trust:
This is a bad situation that will only get worse. The very best response that our collective wisdom can create is contained in this advice - unregister shimgvw.dll and use the unofficial patch. You need to trust us.
Looking back over the past year, the ISC handlers have faced up to any number of challenges: from worms and viruses to DNS poisoning and hurricanes. We've done our best to keep you informed and to tell it like it is. Somehow, it seems fitting that on the last day of 2005 we rang in the New Year in what can only be described as typical ISC style.
On December 31st, we received word that a "new and improved" version of the WMF exploit had been published. This new exploit code generated WMF files that were sufficiently different that they bypassed nearly all AV and IDS signatures. Publishing exploit code such as this for an unpatched vulnerability on a holiday weekend is, without any doubt, a totally irresponsible act.
And so, as the hours to the New Year slowly counted down, a group of volunteers gave up their holiday weekend to come together as a team and put their collective knowledge and intellect to work on the problems this reckless disclosure created. Some tested the exploit, some talked to AV vendors, some worked toward finding a means to mitigate the vulnerability, some tested "fix" ideas and the resulting patches.
I was privileged to be a part of that team, and I'm incredibly proud of everyone who participated. As it became obvious that the "fix" that we were working toward was essentially what had already been created by Ilfak Guilfanov, we wrote to him to ask if we could redistribute his patch from the ISC*. He was incredibly gracious and courteous in allowing us to do so and we were able to work with him to verify several changes that allowed the patch to work on a wider variety of Windows systems.

We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective.
The word from Redmond isn't encouraging. We've heard nothing to indicate that we're going to see anything from Microsoft before January 9th.
The upshot is this: You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.
It's time for some real trustworthy computing. All we're asking is if we've proved ourselves to be worthy of your trust."

* >>> http://isc.sans.org/...php?storyid=994
(See "What can I do to protect myself?")

:ph34r:

#17 secret-squirrel, Member (Full Member, 21 posts)

Posted 01 January 2006 - 12:33 PM

FYI...

- http://www.f-secure....6.html#00000758
Sunday, January 1, 2006 - 00:49 GMT
"We are aware that a new exploit for the WMF vulnerability has been published. This one is much more advanced than the old one, and much more dangerous.
It enables clueless newcomers to easily craft highly variable and hard-to-detect variations of image files. Images that take over computers when viewed. And do this on all common Windows platforms. With no vendor patch for the vulnerability available. Meaning that there are hundreds of millions of vulnerable computers in the net right now.
Making such tools publicly available when there's no vendor patch available is irresponsible. Plain and simply irresponsible. Everybody associated in making and publishing the exploit knows this. And they should know better. Moore, A.S, San and FrSIRT: you should know better."

2nd generation WMF 0-day Exploit Spammed
- http://isc.sans.org/...php?storyid=995
Last Updated: 2006-01-01 11:06:07 UTC
"According to F-Secure's blog today*, the 2nd generation WMF exploit has been spammed and "When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com.".
Trend Micro is calling it TROJ_NASCENE.H":
- http://www.trendmicr.....ENE.H&VSect=T

* http://www.f-secure....6.html#00000759
Sunday, January 1, 2006 - 09:38 GMT
"Some clown is spamming out "Happy New Year" emails which will infect Windows machines very easily. These emails contain a new version of the WMF exploit, which doesn't seem to be related to the two earlier Metasploit WMF exploits we've seen. The emails have a Subject: "Happy New Year", body: "picture of 2006" and contain an exploit WMF as an attachment, named "HappyNewYear.jpg" (MD5: DBB27F839C8491E57EBCC9445BABB755). We detect this as PFV-Exploit.D.
When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com. Admins, filter this domain at your firewalls.
It's going to get worse..."

:ph34r:


What I want to know is why the service providers to these domains that keep getting listed are not removing these machines and servers from the internet.

While I agree that it is really poor judgement to release the exploit code, it is even worse judgement for these ISPs or backbone connection providers not to disconnect the very machines that are exploiting this code on users. That, in my opinion, is a REAL CRIME and should be punishable by the people who were infected by those servers. I think the server owners need to be held liable for their actions in using this code and should be punished to the farthest reaches of the law. And if they claim they didn't know it was on their servers, then they shouldn't be allowed to administer a server that faces the internet.

Sorry to interrupt this post which has been tracking this exploit, but I feel that without some kind of push from the public, sites like this are going to keep running and exploiting users regardless of whether MS releases a patch or not. MS is liable for unpatched software -- people who exploit it should be drawn and quartered (to quote Mike)...

#18 AplusWebMaster

Posted 01 January 2006 - 12:46 PM

What I want to know is why the service providers to these domains that keep getting listed are not removing these machines and servers from the internet.

$$$$$$$$$$$$$$$$$$$$$$$$

:oops:

#19 AplusWebMaster

Posted 01 January 2006 - 12:58 PM

FYI...

Updated version of Ilfak Guilfanov's patch
- http://isc.sans.org/...php?storyid=999
Last Updated: 2006-01-01 18:18:10 UTC by Tom Liston (Version: 1)
"Ilfak Guilfanov has released an updated version of his unofficial patch for the Windows WMF issue. We have reverse engineered, reviewed, and vetted the version here*. Note: If you've already successfully installed the patch, this new version adds nothing new. It only adds code to make it able to install on some other very specific configurations and code to recognize when the patch has already been installed."
* http://handlers.sans...x_hexblog13.exe

:thumbsup:

#20 secret-squirrel

Posted 01 January 2006 - 02:42 PM

What I want to know is why the service providers to these domains that keep getting listed are not removing these machines and servers from the internet.

$$$$$$$$$$$$$$$$$$$$$$$$

:oops:


And it's a damned shame, too.

The whole thing just makes me sick... Every response I had to this one seems almost as bad as the fact that it's even happening... <sarcasm> We could hire crackheads to hunt them down... Costs less than lawyers and I bet it'd be much more effective... </sarcasm>

#21 AplusWebMaster

Posted 01 January 2006 - 07:01 PM

FYI...

Updated version of Ilfak Guilfanov's patch / .msi file
- http://isc.sans.org/...php?storyid=999
Last Updated: 2006-01-01 23:13:01 UTC
"...We have also created a .msi file suitable for unattended installation from version 1.3 of the patch...

EDIT/ADD:
- http://isc.sans.org/...e=1&storyid=999
Last Updated: 2006-01-02 22:00:33 UTC
"...We have pulled the .msi that we posted earlier due to some issues with the file. We will attempt to make a new .msi available, but until we do, you'll need to use the wmffix_hexblog13.exe ..."

.

Edited by apluswebmaster, 02 January 2006 - 04:23 PM.


#22 AplusWebMaster

Posted 02 January 2006 - 11:19 AM

FYI...

Malicious Website / Malicious Code: WMF Attack Update / Timeline
- http://www.websenses...php?AlertID=390
January 02, 2006
"...The attack is a vulnerability within Windows Operating Systems which currently has no patch available. Because there is no patch from Microsoft available, there is exploit code published on the web, it's trivial to create an attack, and there are multiple vectors which allow you to use this attack, we believe that there will continue to be exploits through the Web, Instant Messaging, Email, and other technologies over the next week...
Jan 1, 2006: Increase in web-attacks. Now more than 100 sites using exploit to install BOT's and Trojan Horses.
Jan 2, 2006: Targeted Trojan Horse attack discovered via email..."

:ph34r:

#23 AplusWebMaster

Posted 02 January 2006 - 06:02 PM

FYI...

- http://isc.sans.org/...hp?storyid=1004
Last Updated: 2006-01-02 22:34:08 UTC
"...A reminder: be sure to test the patch above before deploying it across an enterprise. While the handlers (including me) are running it on our own personal systems and it works as advertised, we can't vouch for any special software you might have in your own systems that could be disabled after the patch is installed."


:oops:

#24 AplusWebMaster

Posted 03 January 2006 - 07:41 AM

FYI...

Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
- http://www.microsoft...ory/912840.mspx
Updated: January 3, 2006
"...> What’s Microsoft’s response to the availability of third party patches for the WMF vulnerability?
Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006.
As a general rule, it is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software. With Microsoft software, Microsoft carefully reviews and tests security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. In addition, Microsoft’s security updates are offered in 23 languages for all affected versions of the software simultaneously.
Microsoft cannot provide similar assurance for independent third party security updates.
> Why is it taking Microsoft so long to issue a security update?
Creating security updates that effectively fix vulnerabilities is an extensive process. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update. When a potential vulnerability is reported, designated product specific security experts investigate the scope and impact of a threat on the affected product. Once the MSRC knows the extent and the severity of the vulnerability, they work to develop an update for every supported version affected. Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe..."


#25 quietman7

Posted 03 January 2006 - 09:52 AM

WMF Attack Update / Timeline

Edit: AplusWebMaster I posted too fast and missed your previous one on this.

Edited by quietman7, 03 January 2006 - 09:54 AM.

.
Windows Insider MVP 2017-2019
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#26 AplusWebMaster

Posted 03 January 2006 - 03:30 PM

FYI...

Oxy-morons
- http://isc.sans.org/...hp?storyid=1011
Last Updated: 2006-01-03 18:17:57 UTC by Tom Liston (Version: 1)
"Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks are not widespread."
- Microsoft Security Advisory (912840)

"...Microsoft's intelligence sources..."?!?

Go ahead and laugh. I'll wait.

Through? O.K. While all of the rest of us were sleeping, it appears that the propeller-heads working on Billy Wonka's Official Microsoft Research and Development Team have been hard at work creating a crystal ball capable of foretelling the future. The only problem: it appears that they made it from rose-colored crystal.
In their rosy vision of the future, over the next seven days, nothing bad is going to happen. The fact that there are point-n-click toolz to build malicious WMFs chock full o' whatever badness the kiddiez can cook up doesn't exist in that future. The merry, lil' Redmond Oompa Loompas are chanting "Our patch isn't ready / you have to wait / so keep antivirus / up-to-date" which makes perfectly accurate, current AV signatures appear on every Windows computer - even those with no antivirus software.
The future, according to Microsoft, is a wonderful, safe, chocolaty place.
And why not? Everything just seems to work out for them!
Imagine! You have tons and tons of work to do! Even now, the Oompa Loompas are hard at work out in Redmond, simultaneously regression-testing and translating Microsoft's WMF patch into Swahili and Urdu. And, somehow, as if by magic, all of this work will wind down at precisely the right moment so that the WMF patch doesn't have to be released "out of cycle." How convenient! Especially if you're wanting to avoid all of that nasty "Microsoft Releases Emergency Patch" publicity.
And remember, if something bad does happen to you during the next seven days, Billy Wonka and his Magic Metafiles aren't to blame. You are!
"Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code."
Why are you visiting places on the web you've never been before? Restrict your browsing to safe places*, and everything will be just fine. 'Cause no one could ever put a bad graphic file on a place you trust**."
* http://handlers.dshi...ich/wmffaq.html

** http://www.microsoft.../Apocalypse.gif

:oops:

#27 vini-v

Posted 03 January 2006 - 08:49 PM

FYI...

Oxy-morons
- http://isc.sans.org/...hp?storyid=1011
Last Updated: 2006-01-03 18:17:57 UTC by Tom Liston (Version: 1)
"Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks are not widespread."
- Microsoft Security Advisory (912840)

"...Microsoft's intelligence sources..."?!?

Go ahead and laugh. I'll wait.

Through? O.K. While all of the rest of us were sleeping, it appears that the propeller-heads working on Billy Wonka's Official Microsoft Research and Development Team have been hard at work creating a crystal ball capable of foretelling the future. The only problem: it appears that they made it from rose-colored crystal.
In their rosy vision of the future, over the next seven days, nothing bad is going to happen. The fact that there are point-n-click toolz to build malicious WMFs chock full o' whatever badness the kiddiez can cook up doesn't exist in that future. The merry, lil' Redmond Oompa Loompas are chanting "Our patch isn't ready / you have to wait / so keep antivirus / up-to-date" which makes perfectly accurate, current AV signatures appear on every Windows computer - even those with no antivirus software.
The future, according to Microsoft, is a wonderful, safe, chocolaty place.
And why not? Everything just seems to work out for them!
Imagine! You have tons and tons of work to do! Even now, the Oompa Loompas are hard at work out in Redmond, simultaneously regression-testing and translating Microsoft's WMF patch into Swahili and Urdu. And, somehow, as if by magic, all of this work will wind down at precisely the right moment so that the WMF patch doesn't have to be released "out of cycle." How convenient! Especially if you're wanting to avoid all of that nasty "Microsoft Releases Emergency Patch" publicity.
And remember, if something bad does happen to you during the next seven days, Billy Wonka and his Magic Metafiles aren't to blame. You are!
"Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code."
Why are you visiting places on the web you've never been before? Restrict your browsing to safe places*, and everything will be just fine. 'Cause no one could ever put a bad graphic file on a place you trust**."
* http://handlers.dshi...ich/wmffaq.html

** http://www.microsoft.../Apocalypse.gif

:oops:



LMAO

Just wondering if it's safe to go to Ebay and shop? :eek:

#28 quietman7

Posted 04 January 2006 - 09:37 AM

New trojan being distributed via WMF spam
Posted by Mikko @ 12:44 GMT
Wednesday, January 4, 2006

There's a new trojan spam run underway, exploiting again the WMF vulnerability.

The exploit code is taken directly from the last Metasploit distribution. So the Metasploit exploit is assisting botnet herders and spyware distributors to take over the computers of users who still have no Microsoft patch to close the hole.

In this particular case the spammed message was a fake warning from a Yale University professor about student vandalism that supposedly happened over the new year...When curious readers follow the link to a web server under comcast.net, they are hit with a WMF file that immediately downloads a botnet client via tftp and runs it. In case the WMF exploit wouldn't work, the front page of the site also contains an exploit against older versions of Firefox, using the "InstallVersion.compareTo()" flaw. The downloaded client will connect to a botnet hosted via several IRC servers.

http://www.f-secure....6.html#00000768

#29 vini-v

Posted 04 January 2006 - 09:44 AM

I have a question.

I went and did the REGSVR32 /u shimgvw.dll and it shut down ALL viewing of pictures in my folders, is that what it's supposed to do?

#30 AplusWebMaster

Posted 04 January 2006 - 02:44 PM

FYI...

- http://www.microsoft...ory/912840.mspx
"...Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer..."


:huh:

#31 AplusWebMaster

Posted 04 January 2006 - 03:04 PM

FYI...

Preparing for Battle
- http://isc.sans.org/...hp?storyid=1014
Last Updated: 2006-01-04 20:40:11 UTC
"Are you ready to battle a large virus/worm outbreak? Please don't view this as a prediction that there will be a large event, but let me just say that conditions are right for a big storm (WMF issue and the return of the Sober worm). Regarding the WMF issue, you have probably decided to either wait for the official Microsoft patch, or you are rolling out Ilfak's patch. But there is still about 6-10 days of risk here for a major worldwide event. So here are some recommendations for preparing for the battle. (This is primarily written for system and network admins...)

Prepare a short briefing for management on the situation:
1) There is a serious vulnerability in Microsoft operating systems.
2) An official patch will not be available from Microsoft until Jan. 10.
3) There are multiple propagation vectors: e-mail, instant messaging, web surfing, etc.
4) Several different versions of the exploit are in the wild and are being actively used by criminal groups. All propagation methods are being used. As of Wednesday, Jan 4 20:15:00 UTC, our current poll indicates that 22% of respondents (340) have seen exploit attempts through one of the exploitation vectors.
5) Tools to generate random files to exploit the vulnerability are publicly available. These tools may be used to evade anti-virus and IDS/IPS signatures.
6) Anti-virus signatures and intrusion detection/prevention system signatures may only be able to catch the first generation of exploits.
7) If an outbreak does occur, how are you going to sanitize laptops that were infected outside of your network before allowing them to connect to your internal network?

As you provide this information, you should also provide an action plan for mitigating damage in the worst case scenario. You should consider the following action items in your plan. Also consider that your organization may have no internal infections, but that the rest of the Internet is having problems. Solicit input from your management on the circumstances that would dictate each of the actions below.

1) Disconnect from the Internet.
2) Disconnect specific services from the Internet. Talk with your network/firewall admins and have them be prepared to shut-off specific services (SMTP or HTTP) at strategic locations.
3) If you have multiple locations, consider the action plan of disconnecting internal WAN pipes to minimize damage to other parts of your organization.
4) Disconnect internal and/or external e-mail servers to prevent further damage.
5) If you plan to perform any of the above actions, then you should also plan on how to bring these sites/services back online.
6) Determine an action plan for local workstation admins. How are they going to receive virus updates and virus removal tools to clean workstations?

You should take this time to validate that you have good backups of your e-mail servers. If things go really badly, you may be restoring from backup. You should also make sure that everyone that could be involved in the incident response has an updated contact list (cell phones, pagers, home phones, etc) for all of the appropriate operational personnel. Remember that some of these communication methods may fail during a virus outbreak. Finally, you should identify secondary Internet access (maybe dial-up) to download virus updates, IDS/IPS updates, or get latest news about the event. In a virus outbreak/worm event, communication between the operational folks and management is critical. Make sure that there is a clear understanding of when/how to shut-off services and when/how to turn them back on. Communication to end-users is also critical and you may want to start informing them now that the next 6-10 days could be very difficult times.

You can find much more information about incident response plans at the following sites:

http://www.intrusions.org/
http://www.sans.org/...apers/incident/
http://www.cert.org/...rt-handbook.pdf ..."

:oops:

#32 Swandog46

Posted 04 January 2006 - 06:48 PM

I went and did the REGSVR32 /u shimgvw.dll and it shut down ALL viewing of pictures in my folders, is that what it's supposed to do?

Well, specifically it shuts down "thumbnail" or "preview" viewing. You can still view pictures by double-clicking on each one.

The reason for doing this is as follows: if "thumbnails" or "preview" viewing are enabled, then what really happens when you open a folder containing pictures is that Windows internally opens all the image files and scales them to preview size, and puts them in memory. Naturally this means that if any of them contain malicious code (this WMF exploit), the malicious code will be executed too. And it is very bad if the malicious code can be executed just by opening a FOLDER containing an infected file! At the very least we want the bad code to execute only if you open the bad file itself. Make sense? :)

#33 vini-v

Posted 04 January 2006 - 11:31 PM

Yep, I can understand that perfectly, thanks :)

Edited by vini-v, 04 January 2006 - 11:31 PM.


#34 AplusWebMaster

Posted 05 January 2006 - 07:28 AM

FYI...

- http://www.theinquir.../?article=28708
04 January 2006, 16:36
"THE INVENTOR of a security patch that covers Microsoft’s zero day flaw has been given his marching orders by his ISP. Ilfak Guilfanov's original "HexBlog" web site has been administratively suspended by his ISP due to excessive use... Guilfanov has moved his site and changed its IP address to this one..."
>>> http://216.227.222.95/

:(

#35 Nosrep

Posted 05 January 2006 - 08:19 AM

I love how Microsoft downplays these things:

"Microsoft added it has been monitoring any attempts to attack the vulnerability in Windows.

"Although the issue is serious and the attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks is limited," it said."

Crazy.

#36 AplusWebMaster

Posted 05 January 2006 - 04:21 PM

FYI...and the (minor) details are:

MS Security Bulletin MS06-001
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
http://www.microsoft...n/ms06-001.mspx
Published: January 5, 2006
Version: 1.0
Summary
Who should read this document: Customers who use Microsoft Windows
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical...
Vulnerability Details
Graphics Rendering Engine Vulnerability - CVE-2005-4560:
A remote code execution vulnerability exists in the Graphics Rendering Engine because of the way that it handles Windows Metafile (WMF) images. An attacker could exploit the vulnerability by constructing a specially crafted WMF image that could potentially allow remote code execution if a user visited a malicious Web site or opened a specially crafted attachment in e-mail. An attacker who successfully exploited this vulnerability could take complete control of an affected system..."

Microsoft Patches Released
- http://isc.sans.org/...hp?storyid=1019
Last Updated: 2006-01-05 21:47:54 UTC
"Many of you already know this if you receive advance notification from Microsoft. For everybody else, see their announcement about an early release of the WMF patch. The patch and details about it are available here. If you have installed any of the earlier patches or workarounds, here is our recommendation for updating:
1. Reboot your system to clear any vulnerable files from memory
2. Download and apply the new patch
3. Reboot
4. Uninstall the unofficial patch, by using Add/Remove Programs on single systems. If you used msi to install the patch on multiple machines you can uninstall it with this:
msiexec.exe /X{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66} /qn
5. Re-register the .dll if you previously unregistered it (use the same command but without the "-u"):
regsvr32 %windir%\system32\shimgvw.dll
6. Reboot one more time just for good measure..."

:oops:

Edited by apluswebmaster, 05 January 2006 - 04:24 PM.


#37 AplusWebMaster

Posted 05 January 2006 - 07:57 PM

FYI...

- http://www.websenses...php?AlertID=392
January 05, 2006
"...Websense® Security Labs™ was acknowledged as a contributor in the bulletin from Microsoft.
http://www.microsoft...n/ms06-001.mspx
At this time more than 1100 URLs are still actively attempting to exploit users who have not installed the patch. Most attacks are Trojan horse downloaders which update over HTTP and install and run other pieces of malicious code. Depending on your patch rollout procedures, we still recommend that customers block all URLs that end in .WMF..."

:(

Edited by apluswebmaster, 05 January 2006 - 08:00 PM.

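Two of the posts above make the same defensive point from different angles: the spammed HappyNewYear.jpg was a WMF under a misleading name, and Windows parses these files by content (Swandog46's folder-preview explanation), so Websense's advice to block URLs ending in .WMF only catches the honestly named ones. The following content-based check is an added example, not code from the ISC, F-Secure, Websense or Microsoft posts quoted in this thread; the header and record layouts follow the documented WMF format, the Escape/SETABORTPROC record check is the record type the 2005 exploits relied on (a fact not stated on this page), and the sample files are constructed test fixtures with no payload.

```python
import struct

# Constants from the documented WMF layout (not taken from the posts above).
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # 0x9AC6CDD7 stored little-endian: placeable WMF header
PLACEABLE_HEADER_LEN = 22            # key + handle + bounding box + inch + reserved + checksum
STANDARD_HEADER_LEN = 18             # 9 WORDs: type, header size, version, file size, ...
META_EOF = 0x0000                    # record function: end of metafile
META_ESCAPE = 0x0626                 # record function: Escape
SETABORTPROC = 0x0009                # Escape sub-function the 2005 exploits relied on


def is_wmf(data: bytes) -> bool:
    """True if the bytes carry a placeable or standard WMF header, whatever the filename says."""
    if data.startswith(PLACEABLE_KEY):
        return True
    if len(data) < STANDARD_HEADER_LEN:
        return False
    file_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def iter_records(data: bytes):
    """Yield (function, record bytes) per record; stop at EOF or at a size that runs past the file."""
    offset = PLACEABLE_HEADER_LEN if data.startswith(PLACEABLE_KEY) else 0
    offset += STANDARD_HEADER_LEN
    while offset + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, offset)
        size = size_words * 2               # RecordSize is counted in 16-bit words
        if size < 6 or offset + size > len(data):
            break                           # malformed record: never read outside the buffer
        yield func, data[offset:offset + size]
        if func == META_EOF:
            break
        offset += size


def has_setabortproc_escape(data: bytes) -> bool:
    """True if any Escape record carries the SETABORTPROC sub-function."""
    for func, rec in iter_records(data):
        if func == META_ESCAPE and len(rec) >= 8:
            escape_func = struct.unpack_from("<H", rec, 6)[0]   # WORD after size + function
            if escape_func == SETABORTPROC:
                return True
    return False


def classify(name: str, data: bytes) -> str:
    """Verdict for a downloaded file or mail attachment, judged by content before name."""
    if not is_wmf(data):
        return "not-wmf"
    if has_setabortproc_escape(data):
        return "wmf-setabortproc"   # block regardless of what the name claims
    if not name.lower().endswith(".wmf"):
        return "wmf-disguised"      # a WMF named .jpg, as in the HappyNewYear spam
    return "wmf"


# --- constructed fixtures (not real samples): minimal metafiles to exercise the checks ---
def build_wmf(records: bytes) -> bytes:
    """Standard 18-byte header followed by the given records; sizes are in words."""
    total_words = (STANDARD_HEADER_LEN + len(records)) // 2
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, 3, 0) + records


EOF_RECORD = struct.pack("<IH", 3, META_EOF)
# Escape record naming SETABORTPROC with zero bytes of escape data: enough to trip the
# detector, carries nothing executable.
ESCAPE_RECORD = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)
BENIGN_WMF = build_wmf(EOF_RECORD)
SUSPICIOUS_WMF = build_wmf(ESCAPE_RECORD + EOF_RECORD)
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 30   # constructed JPEG-like header


if __name__ == "__main__":
    for fname, blob in [("HappyNewYear.jpg", BENIGN_WMF), ("pic.wmf", BENIGN_WMF),
                        ("card.jpg", SUSPICIOUS_WMF), ("photo.jpg", JPEG_BYTES)]:
        print(f"{fname:18} -> {classify(fname, blob)}")
```

A gateway or mail filter that only inspects the extension would pass the first case straight through; the same parser applied to the response body catches it.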

#38 AplusWebMaster

Posted 06 January 2006 - 03:42 PM

FYI...

- http://isc.sans.org/...hp?storyid=1023
Last Updated: 2006-01-06 20:57:58 UTC
"...The Internet Storm Center is made up of a group of volunteers that have different backgrounds and perspectives on the overall risk of the WMF vulnerability, and the active exploitation seen. The group consensus was that the risk was high enough to warrant raising the Infocon level, and then testing and endorsing the unofficial patch. We are well aware that one size doesn't fit all. At the time it was the only mitigation technique that actually worked. Anti-virus, IDS/IPS do not give adequate protection against this attack and all of its vectors..."

Get the patch now. Choose Windows Update, MS Update, or manual download. But get it NOW. Other subliminal messages may be posted at anytime...

:oops:

#39 AplusWebMaster

Posted 16 January 2006 - 02:55 PM

FYI...

MS Windows Metafile (WMF) Remote File Download Exploit Generator
- http://isc.sans.org/...hp?storyid=1047
Last Updated: 2006-01-16 17:14:37 UTC
"We received notification last night that a working exploit "MS Windows Metafile (WMF) Remote File Download Exploit Generator" has been released to the public. The code takes advantage of the "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution", MS# MS06-001. The exploit code will generate a .wmf that downloads and executes a specified URL. The sad part to this story is that we have a set of 'plug & play' source code for evil-doers to spread their wares with. And only 10 days after a patch has been released... we can expect to see variants coming very soon. The group responsible for this release is well-known for this."

:eek:

#40 quietman7

Posted 17 January 2006 - 09:38 AM

WMFishing

Today we saw a phishing scam exploiting this vulnerability. This scam works by sending out emails, urging customers of the global HSBC bank to visit a site called www[dot]jhsbc[dot]com. This domain, naturally, has nothing to do with the real bank but it sounds close enough.

The site is running on an owned home computer somewhere in Illinois. This machine, connected to the net via a high-speed cable connection, is hosting or has been hosting several other phishing-related domains, including these gems that administrators might want to filter at their gateways: www[dot]i7tgg4rv[dot]com and www[dot]ll67ffgsp[dot]com, www[dot]mrhpd74e[dot]com and www[dot]pph4e32q[dot]com.

http://www.f-secure....6.html#00000779


#41 AplusWebMaster

Posted 31 January 2006 - 07:15 AM

FYI...

Exploits from AMD?
- http://www.f-secure....eblog/#00000795
January 30, 2006 - Posted by Mikko @ 16:51 GMT
"We're not sure what's going on in here, but there's something wrong at AMD's user discussion forum, located at forums[dot]amd[dot]com. If you visit the site (and please don't visit it right now), you get a WMF exploit sent to you right from the front page..."


:eek:

#42 AplusWebMaster

Posted 31 January 2006 - 04:26 PM

More on this:

- http://news.zdnet.co...l?tag=printthis
January 30, 2006
"...The forums were taken offline as soon as AMD learned of the exploit, said Drew Prairie, a spokesman for the Sunnyvale, Calif.-based chipmaker. The forums are maintained by another company that apparently failed to update its software in order to protect against the exploit, he said. Prairie was unaware of the name of the company, which is dealt with by AMD's staff in Europe. The forums were back online late Monday afternoon. A poster started a thread on Saturday warning other forum users about the exploit..."

:(

#43 AplusWebMaster

Posted 02 February 2006 - 06:20 PM

FYI...

WMF Exploits Sold By Russian Hackers
- http://www.techweb.c..._section=700028
February 02, 2006
"The Windows Metafile (WMF) bug that caused users -- and Microsoft -- so much grief in December and January spread like it did because Russian hackers sold an exploit to anyone who had the cash, a security researcher said Friday. The bug in Windows' rendering of WMF images was serious enough that Microsoft issued an out-of-cycle patch for the problem in early January, in part because scores of different exploits lurked on thousands of Web sites, including many compromised legitimate sites. At one point, Microsoft was even accused of purposefully creating the vulnerability as a "back door" into Windows. Alexander Gostev, a senior virus analyst for Moscow-based Kaspersky Labs, recently published research* that claimed the WMF exploits could be traced back to an unnamed person who, around Dec. 1, 2005, found the vulnerability. "It took a few days for exploit-enabling code to be developed," wrote Gostev in the paper published online, but by the middle of the month, that chore was completed. And then the exploit went up for sale. "It seems that two or three competing hacker groups from Russia were selling this exploit for $4,000," said Gostev..."
* http://www.viruslist...=178619907#zero

:grrr:

#44 quietman7

Posted 03 February 2006 - 11:21 AM

Trojan Horse/WMF exploit: Fake Bird Flu Epidemic Email

Websense Security Labs™ has received reports of a Trojan horse that attempts to trick users into visiting a malicious website to run malicious code. Users receive an email with the subject "Attention Bird Flu in England." The body requests users to click on a link to go to either of two websites to get more information... Upon clicking on a link, users are directed to a website...within the HTML, an IFRAME is loaded that uses the recent WMF exploit to run code without user-intervention. The code is a Trojan horse downloader, which connects to another site to download new malicious code. The filename is "expl1.wmf," which downloads and runs "expl1.exe."

websensesecuritylabs.com/alerts
