The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

SANS – Internet Storm Center – WMF and Indexing

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

Handler’s Diary December 31st 2005

WMF and Indexing (NEW)

Published: 2005-12-31,
Last Updated: 2005-12-31 12:24:04 UTC by Patrick Nolan (Version: 1)

WMF Indexing, White Elephants and White Rabbits

The WMF White Elephant in the room as far as I’m concerned is Indexing. YMMV. How many Vendors have other Indexing services installed that are going to automagically enable WMF exploitation on or across your network?

F-Secure pointed out the White Elephant when they recommended you “disable indexing of media files (or get rid of Google Desktop) if you’re handling infected files under Windows” and said “This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.”. And I agree, turn all Indexing off until a fix is out.

Microsoft, Google and other vendors should immediately address what the role is of their indexing services, particularly as it relates to shares, synchronization and potential mitigation activities. Their lack of comment on this issue is glaring.

MS Indexing (White Rabbit Link)

F-Secure’s blog today has a new vulnerability workaround (unrelated to indexing).

December 31, 2005 | Antivirus News, Security News

Trend Micro- TROJ_NASCENE.E – Yet another WMF exploit Trojan

Come on Microsoft, where is that patch??

TROJ_NASCENE.E – Description and solution.

Description:

This Trojan is a Windows Metafile (WMF) that exploits a known vulnerability in the way specially-crafted WMF images are handled that can lead to arbitrary code execution. For more information about this vulnerability, please refer to this page:

This vulnerability is a zero-day exploit that is capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may pose a dangerous situation in which a lot of computers may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it.

Upon successful exploitation of this vulnerability, this Trojan connects to a certain Web site and downloads a certain file. Trend Micro detects the said file as ADW_EXFOL.A.

December 30, 2005 | Antivirus News, Security News, Virus Outbreaks

SANS – Internet Storm Center – Musings and More WMF Information – Urgent Updated Info

Looks like renaming the dll temporarily is the only option now.


Handler’s Diary December 30th 2005

Musings and More WMF Information (NEW)

Published: 2005-12-30,
Last Updated: 2005-12-30 20:10:48 UTC by Scott Fendley (Version: 1)
Websense released some more information about their investigation into some website exploitation that involves IFRAMEs and the WMF vulnerability. My fellow handler Lorna said recently, “IFrames are always suspect in my eyes.” In light of this information, I have to agree with her. Take a look at the Websense Security Labs website for details of their investigation, including a nice movie file showing the exploitation at work. As a side note, I am quite thankful that most university and K-12 schools are still on holiday until next week. This will hopefully give enough lead time for the mass media to report on this issue, and maybe, just maybe, Microsoft will have a better solution for the home users and our student populations. *crossing his fingers that MS will release a preliminary update quickly*

One reader sent us the following summary, which pretty nicely outlines the issues with this vulnerability:

  1. Filename extension filtering will not work.
  2. Even if you un-register the DLL, some programs may re-register it by invoking it (shimgvw.dll) directly.
  3. You have to delete or rename the DLL to protect yourself. However, remember to undo this once there is a patch.
  4. While images embedded into documents may not immediately trigger the exploit, they may once saved into their own file.

The reader goes on to note that whatever mitigation is offered in Microsoft’s advisory is not much more than a quick temporary band-aid. What we need is a patch and we need it quick.


Scott Fendley
Handler on Duty

December 30, 2005 | Security News, Virus Removal Tools

SANS – Internet Storm Center – Microsoft Advisory – Updated Info

My virus sense is tingling, I hope Microsoft comes up with a patch soon.


Handler’s Diary December 29th 2005

Microsoft Advisory (NEW)

Published: 2005-12-30,
Last Updated: 2005-12-30 07:59:43 UTC by Scott Fendley (Version: 2)
Microsoft has issued a security advisory on the WMF vulnerability. Details are available here.

Update by Scott Fendley:
Microsoft has updated their security advisory tonight (December 30 UTC) with more information and frequently asked questions with answers.

Some notable things that I read in it.


** Windows Metafile (WMF) images can be embedded in other files such as Word documents. Am I vulnerable to an attack from this vector?

No. While we are investigating the public postings which seek to utilize specially crafted WMF files through IE, we are looking thoroughly at all instances of WMF handling as part of our investigation. While we’re not
aware of any attempts to embed specially crafted WMF files in, for example Microsoft Word documents, our advice is to accept files only from trusted source would apply to any such attempts.

** It has been reported that malicious files indexed by MSN Desktop Search could lead to exploitation of the vulnerability. Is this true?

We have received reports and are investigating them thoroughly as part of our ongoing investigation. We are not aware at this time of issues around the MSN Desktop Indexer, but we are continuing to investigate.

** Is this issue related to Microsoft Security Bulletin MS05-053 – Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424) which was released in November?

No, these are different and separate issues.

** Are there any third party Intrusion Detection Systems (IDS) that would help protect against attempts to exploit this vulnerability?

While we don’t know of specific products or services that currently scan or detect for attempts to render specially crafted WMF files, we are working with our partners through industry programs like VIA to provide information as we have it. Customers should contact their IDS provider to determine if it offers protection from this vulnerability.


Scott Fendley
Handler on Duty

December 30, 2005 | Antivirus News, Security News

SANS – Internet Storm Center – Musings and More WMF Information


Handler’s Diary December 30th 2005

Musings and More WMF Information (NEW)

Published: 2005-12-30,
Last Updated: 2005-12-30 07:55:45 UTC by Scott Fendley (Version: 1)
Websense released some more information about their investigation into some website exploitation that involves IFRAMEs and the WMF vulnerability. My fellow handler Lorna said recently, “IFrames are always suspect in my eyes.” In light of this information, I have to agree with her. Take a look at the Websense Security Labs website for details of their investigation, including a nice movie file showing the exploitation at work. As a side note, I am quite thankful that most university and K-12 schools are still on holiday until next week. This will hopefully give enough lead time for the mass media to report on this issue, and maybe, just maybe, Microsoft will have a better solution for the home users and our student populations. *crossing his fingers that MS will release a preliminary update quickly*


Scott Fendley
Handler on Duty

December 30, 2005 | Antivirus News, Security News

SANS – Internet Storm Center – Lotus Notes Vulnerable to WMF 0-Day Exploit


Handler’s Diary December 30th 2005

Lotus Notes Vulnerable to WMF 0-Day Exploit (NEW)

Published: 2005-12-30,
Last Updated: 2005-12-30 07:55:01 UTC by Scott Fendley (Version: 2)
John Herron at NIST.org discovered today that Lotus Notes versions 6.x and higher are vulnerable to the WMF 0-day exploit. In the advisory, located on the NIST website here, John reports that Lotus Notes remained vulnerable even after running the regsvr32 workaround in the Microsoft security advisory.

Update:

Our dedicated reader from Finland, Juha-Matti Laurio, has confirmed that IBM is aware of the vulnerability above. He had a couple of recommended workarounds for those using the Lotus Notes (Domino) system. I expect that IBM will be releasing an advisory directly with this information.

“1. Filter all common picture file extensions at the network perimeter.

The following file extensions are recommended:

BMP, DIB, EMF, GIF, ICO, JFIF, JPE, JPEG, JPG, PNG, RLE, TIF, TIFF and WMF, because Microsoft Windows handles picture files by the information in the file header, not by the file extension used.

2. Do not Open… or View… picture files from untrusted sources.”

Thanks for that information Juha-Matti.


Scott Fendley
Handler on Duty

December 30, 2005 | Antivirus News, Security News

Trend Micro – JS_ONLOADXPLT.B – Uses MS05-054 Exploit

JS_ONLOADXPLT.B – Description and solution.

Description:

This malicious JavaScript contains an exploit code that is triggered upon interaction with the Web page http://www.hyipg{BLOCKED}index.htm. Upon visiting the said Web page, this malicious Javascript that is embedded in the Web page http://www.hyipg{BLOCKED}/image is executed.

It also executes a shell code that causes the download and execution of the file 1.EXE from the Web page http://www.hyipgold{BLOCKED}.com/image. However, the said Web pages are inaccessible as of this writing.

Interaction with the aforementioned Web pages may allow malicious users to execute code of choice on the affected system. The said action may enable them to take virtual control of the system.

This malicious JavaScript takes advantage of the File Download Dialog Box vulnerability in Internet Explorer. However, user interaction is required to fully exploit the said vulnerability. For more information on the said vulnerability, please refer to the Microsoft Web page Microsoft Security Bulletin MS05-054.

December 30, 2005 | Antivirus News, Security News

F-Secure : News from the Lab – WMF, day 2


WMF, day 2 Posted by Mikko @ 08:30 GMT

Microsoft and CERT.ORG have issued bulletins on the Windows Metafile vulnerability:
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.kb.cert.org/vuls/id/181038

Microsoft’s bulletin confirms that this vulnerability applies to all the main versions of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003.

They also list the REGSVR32 workaround. It’s a good idea to use this while waiting for a patch. To quote Microsoft’s bulletin:

 Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

 1. Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll”
 (without the quotation marks), and then click OK.

 2. A dialog box appears to confirm that the un-registration process has succeeded.
 Click OK to close the dialog box.

 Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started
 when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

 To undo this change, re-register Shimgvw.dll by following the above steps.
 Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

This workaround is better than just trying to filter files with a WMF extension. There are methods where files with other image extensions (such as BMP, GIF, PNG, JPG, JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO) could be used to exploit a vulnerable machine.
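The point made here, and again in the Lotus Notes workaround above (Windows picks the handler from the file header, not the extension), is the reason extension filtering at a gateway is not enough on its own. The following is an added example, not code from F-Secure, Microsoft or the ISC diaries: it types a file by its header bytes and flags anything that is really a Windows Metafile regardless of what the name claims. The header layout follows the published WMF format (the 22-byte placeable header key and the METAHEADER fields); the sample files, the "block/mismatch/pass" policy names and the function names are my own constructions.

```python
"""Content-based image typing: recognise a Windows Metafile by its header,
not its extension. Added example; the sample files below are constructed."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7        # key word of the 22-byte "placeable" WMF header
WMF_VERSIONS = (0x0100, 0x0300)   # METAHEADER.mtVersion values defined for WMF
EMF_SIGNATURE = b" EMF"           # ENHMETAHEADER.dSignature, found at offset 40

# Magic bytes (pattern, offset, type) for the other formats in the extension list
MAGIC = [
    (b"GIF87a", 0, "gif"), (b"GIF89a", 0, "gif"),
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"\xff\xd8\xff", 0, "jpeg"),
    (b"BM", 0, "bmp"),
    (b"II*\x00", 0, "tiff"), (b"MM\x00*", 0, "tiff"),
    (b"\x00\x00\x01\x00", 0, "ico"),
    (EMF_SIGNATURE, 40, "emf"),
]

# What each extension from the list claims to contain
EXT_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "jpe": "jpeg", "jfif": "jpeg",
            "gif": "gif", "png": "png", "bmp": "bmp", "dib": "bmp", "rle": "bmp",
            "tif": "tiff", "tiff": "tiff", "ico": "ico", "emf": "emf", "wmf": "wmf"}


def looks_like_wmf(data):
    """True if data starts with a METAHEADER, optionally behind a placeable header."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        data = data[22:]                       # skip the placeable header
    if len(data) < 18:                         # METAHEADER is 18 bytes
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mt_type in (1, 2) and header_size == 9 and version in WMF_VERSIONS


def sniff_image_type(data):
    """Return the format the bytes actually are, or None if unrecognised."""
    if looks_like_wmf(data):
        return "wmf"
    for magic, offset, kind in MAGIC:
        if data[offset:offset + len(magic)] == magic:
            return kind
    return None


def triage(name, data):
    """Decide on one file: (extension, sniffed type, action)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    sniffed = sniff_image_type(data)
    if sniffed == "wmf":
        action = "block"      # any WMF renderer is exposed, whatever the name says
    elif sniffed is not None and EXT_TYPE.get(ext) not in (None, sniffed):
        action = "mismatch"   # extension lies about the content; worth a look
    else:
        action = "pass"
    return ext, sniffed, action


def triage_all(files):
    return {name: triage(name, data) for name, data in files.items()}


# ---- constructed sample files (valid but empty metafiles, no drawing records) ----
def placeable_header(left=0, top=0, right=100, bottom=100, inch=96):
    body = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, left, top, right, bottom, inch, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", body):   # XOR of the first ten words
        checksum ^= word
    return body + struct.pack("<H", checksum)


def minimal_wmf(placeable=False):
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0)  # 18-byte METAHEADER
    eof_record = struct.pack("<IH", 3, 0)                        # META_EOF record
    body = header + eof_record                                   # 24 bytes = 12 words
    return (placeable_header() + body) if placeable else body


CONSTRUCTED_FILES = {
    "holiday.jpg": minimal_wmf(),                   # WMF content behind a .jpg name
    "chart.wmf": minimal_wmf(placeable=True),
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "logo.gif": b"GIF89a" + b"\x00" * 12,
}

if __name__ == "__main__":
    for name, (ext, kind, action) in triage_all(CONSTRUCTED_FILES).items():
        print(f"{name:12} ext={ext:4} content={kind!s:5} -> {action}")
```

The check deliberately inspects the header first and only then consults the extension, so a metafile renamed to .jpg is blocked before the extension table is even looked at; the "mismatch" outcome is there to surface the quieter case of an extension that simply does not match its content.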

We got several questions on our note on Google Desktop yesterday. Bottom line is that if an image file with the exploit ends up on your hard drive, Google Desktop will try to index it and will execute the exploit in the process. There are several ways such a file could end up on the local drive. And this indexing-will-execute problem might happen with other desktop search engines too.

And finally, you might want to start to filter these domains at your corporate firewalls too. Do not visit them.

toolbarbiz[dot]biz
toolbarsite[dot]biz
toolbartraff[dot]biz
toolbarurl[dot]biz
buytoolbar[dot]biz
buytraff[dot]biz
iframebiz[dot]biz
iframecash[dot]biz
iframesite[dot]biz
iframetraff[dot]biz
iframeurl[dot]biz
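A way to put the list above to work on the firewall or proxy side, as an added example that is not part of the F-Secure post: it turns the defanged "[dot]" entries back into hostnames, matches a request against the domain and all of its parent domains (so a subdomain is caught while a lookalike name that merely contains the string is not), and reports which internal clients reached a listed domain. The proxy log lines are constructed for the example and the function names are my own.

```python
"""Blocklist matching for the domains F-Secure listed, plus a proxy-log sweep.
Added example; the log lines are constructed."""
from urllib.parse import urlsplit

# The list exactly as published above, in defanged "[dot]" form
DEFANGED_DOMAINS = """
toolbarbiz[dot]biz
toolbarsite[dot]biz
toolbartraff[dot]biz
toolbarurl[dot]biz
buytoolbar[dot]biz
buytraff[dot]biz
iframebiz[dot]biz
iframecash[dot]biz
iframesite[dot]biz
iframetraff[dot]biz
iframeurl[dot]biz
"""


def refang(entry):
    """Turn the published 'name[dot]tld' form back into a real hostname."""
    return entry.strip().lower().replace("[dot]", ".")


def load_blocklist(text):
    return {refang(line) for line in text.splitlines() if line.strip()}


BLOCKLIST = load_blocklist(DEFANGED_DOMAINS)


def host_of(value):
    """Accept a bare hostname or a URL; return the normalised hostname."""
    if "://" in value:
        host = urlsplit(value).hostname or ""
    else:
        host = value.split("/", 1)[0].rsplit(":", 1)[0]
    return host.lower().rstrip(".")


def is_blocked(value, blocklist=BLOCKLIST):
    """Match the host itself and every parent domain, label by label.
    www.iframecash.biz matches; notiframecash.biz does not (no substring test)."""
    labels = host_of(value).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


# Constructed proxy log: timestamp, client IP, method, URL, status
SAMPLE_LOG = """\
2005-12-29T08:31:10Z 10.1.2.34 GET http://www.iframecash.biz/ 200
2005-12-29T08:31:12Z 10.1.2.34 GET http://www.example.com/index.html 200
2005-12-29T08:35:00Z 10.1.2.57 GET http://toolbartraff.biz:80/?id=1 200
2005-12-29T08:36:00Z 10.1.2.58 GET http://notiframecash.biz/ 200
"""


def scan_proxy_log(text, blocklist=BLOCKLIST):
    """Return (client_ip, hostname) for every request to a blocklisted domain."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client_ip, url = fields[1], fields[3]
        if is_blocked(url, blocklist):
            hits.append((client_ip, host_of(url)))
    return hits


if __name__ == "__main__":
    for ip, host in scan_proxy_log(SAMPLE_LOG):
        print(f"{ip} contacted blocklisted domain {host}")
```

Matching on whole labels rather than with a substring search matters in both directions: it keeps subdomains of a listed name inside the block, and it keeps an unrelated domain that happens to contain "iframecash" out of your incident list.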

So far, we’ve only seen this exploit being used to install spyware or fake antispyware / antivirus software on the affected machines. I’m afraid we’ll see real viruses using this soon.

December 29, 2005 | Antivirus News, Security News, Virus Removal Tools

Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.

Microsoft finally releases a security advisory on the 0-day WMF exploit.

Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
Published: December 28, 2005

Microsoft is investigating new public reports of a possible vulnerability in Windows. Microsoft will continue to investigate the public reports to help provide additional guidance for customers.

Microsoft is aware of the public release of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged-on user, when such user is visiting a Web site that contains a specially crafted Windows Metafile (WMF) image. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker’s Web site.

Customers are encouraged to keep their antivirus software up to date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. We will continue to investigate these public reports.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, applying software updates and installing antivirus software. Customers can learn more about these steps at the Protect Your PC Web site.

Customers who believe they may have been affected by this issue can contact Product Support Services. You can contact Product Support Services in the United States and Canada at no charge using the PC Safety line (1 866-PCSAFETY). Customers outside of the United States and Canada can locate the number for no-charge virus support by visiting the Microsoft Help and Support Web site.

For full details, see the following: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution..

December 28, 2005 | Antivirus News, Security News, Virus Outbreaks

SANS – Internet Storm Center – * Update on Windows WMF 0-day


Handler’s Diary December 28th 2005

* Update on Windows WMF 0-day (NEW)

Published: 2005-12-28,
Last Updated: 2005-12-28 20:02:19 UTC by Daniel Wesemann (Version: 1)

Update 19:07 UTC: We are moving to Infocon Yellow for a bit. There has been some debate among the handlers about this step, but considering that a lot of people are on holidays and might otherwise miss the WMF 0-day problem, we have decided to raise the alert level.

The folks at Websense Labs have a nice movie of what it looks like when a system gets exploited by this WMF 0-day, see http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv . Don’t go to any of the URLs visible in the movie unless you know what you are doing (or feel like spending the next hours reinstalling your PC).

The original exploit site (unionseek.com) is no longer up. But the exploit is being served from various sites all over by now, see the F-Secure Blog on http://www.f-secure.com/weblog/ for an update on the versions of the exploit found in the wild.

Working exploit code is widely available, and has also been published by FRSIRT and the Metasploit Framework.

Regarding DEP (Data Execution Protection) of XPSP2, the default settings of DEP will not prevent this exploit from working. Comments we have received in the meantime suggest that if you enable DEP to cover all programs (as documented on Microsoft Technet ), the WMF exploit attempt will result in a warning and not run on its own.

While the original exploit only referred to the Microsoft Picture and Fax Viewer, current information is that any application which automatically displays or renders WMF files is vulnerable to the problem. This includes Google Desktop, if the indexing function finds one of the exploit WMFs on the local hard drive – see the F-Secure Weblog mentioned above for details.

December 28, 2005 | Antivirus News, Security News, Virus Outbreaks
