Trend Micro – TROJ_NASCENE.E – Yet another WMF exploit Trojan
Come on Microsoft, where is that patch??
TROJ_NASCENE.E – Description and solution.
Description:
This Trojan is a Windows Metafile (WMF) that exploits a known vulnerability in the way specially-crafted WMF images are handled that can lead to arbitrary code execution. For more information about this vulnerability, please refer to this page:
This vulnerability is a zero-day exploit that is capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may pose as a dangerous situation in which a lot of computers may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it.
Upon successful exploitation of this vulnerability, this Trojan connects to a certain Web site and downloads a certain file. Trend Micro detects the said file as ADW_EXFOL.A.
SANS – Internet Storm Center – Musings and More WMF Information – Urgent Updated Info
Looks like renaming the DLL temporarily is the only option now.
SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.
Handler’s Diary December 30th 2005
Musings and More WMF Information (NEW)
Last Updated: 2005-12-30 20:10:48 UTC by Scott Fendley (Version: 1)
One reader sent us the following summary, which pretty nicely outlines the issues with this vulnerability:
- Filename extension filtering will not work.
- Even if you un-register the DLL, some programs may re-register it by invoking it (shimgvw.dll) directly.
- You have to delete or rename the DLL to protect yourself. However, remember to undo this once there is a patch.
- While images embedded into documents may not immediately trigger the exploit, they may once saved into their own file.
The reader goes on to note that whatever mitigation is offered in Microsoft’s advisory is not much more than a quick temporary band-aid. What we need is a patch and we need it quick.
—
Scott Fendley
Handler on Duty
SANS – Internet Storm Center – Microsoft Advisory – Updated Info
My virus sense is tingling, I hope Microsoft comes up with a patch soon.
Handler’s Diary December 29th 2005
Last Updated: 2005-12-30 07:59:43 UTC by Scott Fendley (Version: 2(click to highlight changes))
Microsoft has updated their security advisory tonight (December 30 UTC) with more information and frequently asked questions with answers.
Some notable things that I read in it:
“
** Windows Metafile (WMF) images can be embedded in other files such as Word documents. Am I vulnerable to an attack from this vector?
No. While we are investigating the public postings which seek to utilize specially crafted WMF files through IE, we are looking thoroughly at all instances of WMF handling as part of our investigation. While we’re not aware of any attempts to embed specially crafted WMF files in, for example, Microsoft Word documents, our advice to accept files only from trusted sources would apply to any such attempts.
** It has been reported that malicious files indexed by MSN Desktop Search could lead to exploitation of the vulnerability. Is this true?
We have received reports and are investigating them thoroughly as part of our ongoing investigation. We are not aware at this time of issues around the MSN Desktop Indexer, but we are continuing to investigate.
** Is this issue related to Microsoft Security Bulletin MS05-053 – Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424) which was released in November?
No, these are different and separate issues.
** Are there any third party Intrusion Detection Systems (IDS) that would help protect against attempts to exploit this vulnerability?
While we don’t know of specific products or services that currently scan or detect for attempts to render specially crafted WMF files, we are working with our partners through industry programs like VIA to provide information as we have it. Customers should contact their IDS provider to determine if it offers protection from this vulnerability.
”
—
Scott Fendley
Handler on Duty
SANS – Internet Storm Center – Musings and More WMF Information
Handler’s Diary December 30th 2005
Musings and More WMF Information (NEW)
Last Updated: 2005-12-30 07:55:45 UTC by Scott Fendley (Version: 1)
—
Scott Fendley
Handler on Duty
SANS – Internet Storm Center – Lotus Notes Vulnerable to WMF 0-Day Exploit
Handler’s Diary December 30th 2005
Lotus Notes Vulnerable to WMF 0-Day Exploit (NEW)
Last Updated: 2005-12-30 07:55:01 UTC by Scott Fendley (Version: 2(click to highlight changes))
Our dedicated reader from Finland, Juha-Matti Laurio, has confirmed that IBM is aware of the vulnerability above. He had a couple of recommended workarounds for those using the Lotus Notes (Domino) system. I expect that IBM will be releasing an advisory directly with this information.
“1. Filter all common picture file extensions at the network perimeter.
The following file extensions are recommended:
BMP, DIB, EMF, GIF, ICO, JFIF, JPE, JPEG, JPG, PNG, RLE, TIF, TIFF and WMF, because Microsoft Windows handles picture files by the file header information, not by the file extension used.
2. Do not Open… or View… picture files from untrusted sources.
”
Thanks for that information Juha-Matti.
—
Scott Fendley
Handler on Duty
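Both the reader summary in the earlier diary entry (extension filtering will not work) and Juha-Matti’s workaround above rest on the same point: Windows decides how to render a picture from its header, not from its extension. The following Python is an added example, not code from SANS, Trend Micro or the blog author: it checks content for a WMF header so a perimeter or mail filter can catch a renamed WMF that an extension-only rule would pass. The extension list is the one quoted above; the header layout (placeable key 0x9AC6CDD7, standard METAHEADER fields) is the standard WMF format, and all sample files are constructed here.

```python
import struct

# Extension list from the quoted Lotus Notes workaround (used here for comparison).
PICTURE_EXTENSIONS = {"bmp", "dib", "emf", "gif", "ico", "jfif", "jpe", "jpeg",
                      "jpg", "png", "rle", "tif", "tiff", "wmf"}

PLACEABLE_KEY = 0x9AC6CDD7  # Aldus placeable WMF key, stored little-endian (D7 CD C6 9A)


def is_wmf(data: bytes) -> bool:
    """Return True if the content carries a WMF header, whatever the file is named."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) >= 18:
        # Standard METAHEADER: mtType (1 = memory, 2 = disk), mtHeaderSize (always 9),
        # mtVersion (0x0100 or 0x0300). Matching all three is the usual WMF heuristic.
        mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
        return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)
    return False


def extension_filter_blocks(filename: str) -> bool:
    """The perimeter rule as quoted: decide by extension alone."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in PICTURE_EXTENSIONS


def should_block(filename: str, data: bytes) -> bool:
    """Content-aware rule: block on a listed extension OR on a WMF header in the bytes."""
    return extension_filter_blocks(filename) or is_wmf(data)


# Constructed samples: header bytes only, no metafile records, so nothing renders.
STANDARD_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)   # 18-byte METAHEADER
PLACEABLE_WMF = struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18 + STANDARD_WMF
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
TEXT = b"hello world, not an image at all"

if __name__ == "__main__":
    samples = [("logo.wmf", STANDARD_WMF), ("invoice.txt", STANDARD_WMF),
               ("chart.doc", PLACEABLE_WMF), ("pic.png", PNG), ("notes.txt", TEXT)]
    for name, data in samples:
        print(f"{name:12} ext_filter={extension_filter_blocks(name)!s:5} "
              f"wmf_header={is_wmf(data)!s:5} block={should_block(name, data)}")
```

Note that `invoice.txt` and `chart.doc` pass the extension rule but are caught by the header check, which is the gap the reader summary describes.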
Trend Micro – JS_ONLOADXPLT.B – Uses MS05-054 Exploit
JS_ONLOADXPLT.B – Description and solution.
Description:
This malicious JavaScript contains an exploit code that is triggered upon interaction with the Web page http://www.hyipg{BLOCKED}index.htm. Upon visiting the said Web page, this malicious JavaScript that is embedded in the Web page http://www.hyipg{BLOCKED}/image is executed.
It also executes a shell code that causes the download and execution of the file 1.EXE from the Web page http://www.hyipgold{BLOCKED}.com/image. However, the said Web pages are inaccessible as of this writing.
Interaction with the aforementioned Web pages may allow malicious users to execute code of choice on the affected system. The said action may enable them to take virtual control of the system.
This malicious JavaScript takes advantage of the File Download Dialog Box vulnerability in Internet Explorer. However, user interaction is required to fully exploit the said vulnerability. For more information on the said vulnerability, please refer to the Microsoft Web page Microsoft Security Bulletin MS05-054.