The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

Trend Micro – TROJ_NASCENE.E – Yet another WMF exploit Trojan

Come on Microsoft, where is that patch??

TROJ_NASCENE.E – Description and solution.

Description:

This Trojan is a Windows Metafile (WMF) that exploits a known vulnerability in the way specially-crafted WMF images are handled that can lead to arbitrary code execution. For more information about this vulnerability, please refer to this page:

This vulnerability is a zero-day exploit that is capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may pose a dangerous situation in which a lot of computers may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it.

Upon successful exploitation of this vulnerability, this Trojan connects to a certain Web site and downloads a certain file. Trend Micro detects the said file as ADW_EXFOL.A.

December 30, 2005 | Antivirus News, Security News, Virus Outbreaks

SANS – Internet Storm Center – Musings and More WMF Information – Urgent Updated Info

Looks like renaming the dll temporarily is the only option now.

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

Handler’s Diary December 30th 2005

Musings and More WMF Information (NEW)

Published: 2005-12-30,
Last Updated: 2005-12-30 20:10:48 UTC by Scott Fendley (Version: 1)

Websense released some more information about their investigation into some website exploitation that involves IFRAMEs and the WMF vulnerability. My fellow handler Lorna said recently, “IFrames are always suspect in my eyes.” In light of this information, I have to agree with her. Take a look at the Websense Security Labs website for details of their investigation, including a nice movie file showing the exploitation at work.

As a side note, I am quite thankful that most university and K-12 schools are still on holiday until next week. This will hopefully give enough lead time for the mass media to report on this issue, and maybe, just maybe, Microsoft will have a better solution for the home users and our student populations. *crossing his fingers that MS will release a preliminary update quickly*

One reader sent us the following summary, which pretty nicely outlines the issues with this vulnerability:

  1. Filename extension filtering will not work.
  2. Even if you un-register the DLL, some programs may re-register it by invoking it (shimgvw.dll) directly.
  3. You have to delete or rename the DLL to protect yourself. However, remember to undo this once there is a patch.
  4. While images embedded into documents may not immediately trigger the exploit, they may once saved into their own file.

The reader goes on to note that whatever mitigation is offered in Microsoft’s advisory is not much more than a quick temporary band-aid. What we need is a patch and we need it quick.


Scott Fendley
Handler on Duty

December 30, 2005 | Security News, Virus Removal Tools

SANS – Internet Storm Center – Microsoft Advisory – Updated Info

My virus sense is tingling, I hope Microsoft comes up with a patch soon.

Handler’s Diary December 29th 2005

Microsoft Advisory (NEW)

Published: 2005-12-30,
Last Updated: 2005-12-30 07:59:43 UTC by Scott Fendley (Version: 2)

Microsoft has issued a security advisory on the WMF vulnerability. Details are available here.

Update by Scott Fendley:

Microsoft has updated their security advisory tonight (December 30 UTC) with more information and frequently asked questions with answers.

Some notable things that I read in it:


** Windows Metafile (WMF) images can be embedded in other files such as Word documents. Am I vulnerable to an attack from this vector?

No. While we are investigating the public postings which seek to utilize specially crafted WMF files through IE, we are looking thoroughly at all instances of WMF handling as part of our investigation. While we’re not aware of any attempts to embed specially crafted WMF files in, for example, Microsoft Word documents, our advice to accept files only from trusted sources would apply to any such attempts.

** It has been reported that malicious files indexed by MSN Desktop Search could lead to exploitation of the vulnerability. Is this true?

We have received reports and are investigating them thoroughly as part of our ongoing investigation. We are not aware at this time of issues around the MSN Desktop Indexer, but we are continuing to investigate.

** Is this issue related to Microsoft Security Bulletin MS05-053 – Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424) which was released in November?

No, these are different and separate issues.

** Are there any third party Intrusion Detection Systems (IDS) that would help protect against attempts to exploit this vulnerability?

While we don’t know of specific products or services that currently scan or detect for attempts to render specially crafted WMF files, we are working with our partners through industry programs like VIA to provide information as we have it. Customers should contact their IDS provider to determine if it offers protection from this vulnerability.


Scott Fendley
Handler on Duty

December 30, 2005 | Antivirus News, Security News

SANS – Internet Storm Center – Lotus Notes Vulnerable to WMF 0-Day Exploit

Handler’s Diary December 30th 2005

Lotus Notes Vulnerable to WMF 0-Day Exploit (NEW)

Published: 2005-12-30,
Last Updated: 2005-12-30 07:55:01 UTC by Scott Fendley (Version: 2)

John Herron at NIST.org discovered today that Lotus Notes versions 6.x and higher are vulnerable to the WMF 0-day exploit. In the advisory, located on the NIST website here, John reports that Lotus Notes remained vulnerable even after running the regsvr32 workaround in the Microsoft security advisory.

Update:

Our dedicated reader from Finland, Juha-Matti Laurio, has confirmed that IBM is aware of the vulnerability above. He had a couple of recommended workarounds for those using the Lotus Notes (Domino) system. I expect that IBM will be releasing an advisory directly with this information.

“1. Filter all common picture file extensions at the network perimeter.

The following file extensions are recommended:

BMP, DIB, EMF, GIF, ICO, JFIF, JPE, JPEG, JPG, PNG, RLE, TIF, TIFF and WMF, because Microsoft Windows handles picture files according to the file header information, not the file extension used.

2. Do not Open… or View… picture files from untrusted sources.”

Thanks for that information, Juha-Matti.


Scott Fendley
Handler on Duty

December 30, 2005 | Antivirus News, Security News
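The reader summary in the SANS “Musings” post (extension filtering will not work), Juha-Matti’s note above that Windows picks a handler from the file header rather than the extension, and Microsoft’s FAQ answer that no IDS it knows of yet detects crafted WMF files all point the same way: any perimeter or host check has to look inside the file. The scanner below is an added example written for this page; it is not code from SANS, Trend Micro, Microsoft, NIST.org or the blog. It identifies a WMF by its placeable-header key or its standard META_HEADER no matter what the file is called, walks the record stream, and flags a META_ESCAPE record whose escape function is SETABORTPROC (value 9), the record type the December 2005 WMF exploit abused. That record detail comes from later public analysis of the bug and is not stated on this page. The sample files are constructed inline and labelled as such; the “payload” in the suspicious one is eight inert zero bytes, not shellcode.

```python
"""Content-based WMF identification plus a SETABORTPROC escape check.

Added example for this page; not code from the blog, SANS, Trend Micro or
Microsoft. Record layout follows the published WMF format. The constant
SETABORTPROC (escape sub-function 9) is the record the December 2005 WMF
exploit abused; that detail is from later public analysis, not the page.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # 'key' field of the 22-byte placeable header
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201     # harmless record used in the benign sample
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape sub-function abused by the exploit


def is_wmf(data: bytes) -> bool:
    """Decide by header bytes only, never by file name or extension."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) < 18:
        return False
    mtype, header_words, version = struct.unpack_from("<HHH", data, 0)
    return mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def scan_wmf(data: bytes) -> dict:
    """Walk the record stream; report escapes and structural problems."""
    result = {"wmf": False, "placeable": False, "records": 0,
              "escapes": [], "suspicious": False, "malformed": False}
    if not is_wmf(data):
        return result
    result["wmf"] = True
    offset = 0
    if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        result["placeable"] = True
        offset = 22                       # skip the placeable header
    offset += 18                          # skip the standard META_HEADER
    saw_eof = False
    while offset + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, offset)
        # Size counts 16-bit words and includes these 6 bytes, so anything
        # below 3 or running past the buffer is not a well-formed record.
        if size_words < 3 or offset + size_words * 2 > len(data):
            result["malformed"] = True
            break
        result["records"] += 1
        if func == META_EOF:
            saw_eof = True
            break
        if func == META_ESCAPE and size_words >= 5:
            esc_func, _byte_count = struct.unpack_from("<HH", data, offset + 6)
            result["escapes"].append(esc_func)
            if esc_func == SETABORTPROC:
                result["suspicious"] = True
        offset += size_words * 2
    if not saw_eof:
        result["malformed"] = True
    return result


def _record(func: int, params: bytes = b"") -> bytes:
    """Encode one record: size in words, function code, even-length params."""
    assert len(params) % 2 == 0
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list) -> bytes:
    """Constructed sample: standard (non-placeable) WMF with the given records."""
    body = b"".join(records) + _record(META_EOF)
    total_words = (18 + len(body)) // 2
    max_words = max(len(r) // 2 for r in records) if records else 3
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300,
                         total_words & 0xFFFF, total_words >> 16,
                         0, max_words, 0)
    return header + body


def placeable_prefix(right: int = 100, bottom: int = 100, inch: int = 96) -> bytes:
    """Constructed 22-byte placeable header; checksum is the XOR of its 10 words."""
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, right, bottom, inch, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", head):
        checksum ^= word
    return head + struct.pack("<H", checksum)


# Constructed samples (not real malware): the escape payload is inert zeros.
BENIGN_WMF = build_wmf([_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF))])
SUSPECT_WMF = build_wmf([_record(META_ESCAPE,
                                 struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8)])
PLACEABLE_SUSPECT = placeable_prefix() + SUSPECT_WMF
NOT_WMF = b"\xff\xd8\xff\xe0" + b"\x00" * 20        # JPEG SOI marker, padded

if __name__ == "__main__":
    for name, blob in [("logo.wmf", BENIGN_WMF), ("logo.jpg", SUSPECT_WMF),
                       ("photo.bmp", PLACEABLE_SUSPECT), ("real.jpg", NOT_WMF)]:
        print(name, scan_wmf(blob))      # the file name is never consulted
```

Run it and the renamed samples (“logo.jpg”, “photo.bmp”) are still reported as WMF with a SETABORTPROC escape, which is exactly why the extension filter in item 1 of the workaround list has to cover every picture extension rather than just .wmf. A hit on SETABORTPROC is a strong signal but a single-record check is still a heuristic; a production scanner should also treat a truncated or self-contradictory record stream (the `malformed` flag here) as grounds for blocking rather than as a reason to stop looking.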

Trend Micro – JS_ONLOADXPLT.B – Uses MS05-054 Exploit

JS_ONLOADXPLT.B – Description and solution.

Description:

This malicious JavaScript contains exploit code that is triggered upon interaction with the Web page http://www.hyipg{BLOCKED}index.htm. Upon visiting the said Web page, this malicious JavaScript that is embedded in the Web page http://www.hyipg{BLOCKED}/image is executed.

It also executes a shell code that causes the download and execution of the file 1.EXE from the Web page http://www.hyipgold{BLOCKED}.com/image. However, the said Web pages are inaccessible as of this writing.

Interaction with the aforementioned Web pages may allow malicious users to execute code of choice on the affected system. The said action may enable them to take virtual control of the system.

This malicious JavaScript takes advantage of the File Download Dialog Box vulnerability in Internet Explorer. However, user interaction is required to fully exploit the said vulnerability. For more information on the said vulnerability, please refer to the Microsoft Web page Microsoft Security Bulletin MS05-054.

December 30, 2005 | Antivirus News, Security News