The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

SANS – Internet Storm Center – What do the bad guys do with WMF?

NEWS FLASH!! Another WMF vulnerability post. Hopefully one day this will all be a distant memory. Handler’s Diary January 4th 2006

What do the bad guys do with WMF? (NEW)

Published: 2006-01-04,
Last Updated: 2006-01-05 00:16:31 UTC by Bojan Zdrnja (Version: 1)
With all this confusion about WMF files and various official and unofficial patches, you are probably wondering what the bad guys are doing with this. We tracked quite a few exploits going around. Lately exploits started using Metasploit and we even received a standalone utility (so-called WMFMaker, already described by Panda Software) that anyone can use:

$ ./wmfmaker

Have fun
ApacheEatsGnu

—- visit —–
wmfmaker

No wonder that the bad guys started exploiting this more and more.

The main vector that the bad guys use to exploit this is still by posting it on web sites. The golden target would be a banner site or something that is visited frequently, but luckily, so far we didn’t see anything widespread as that.

This doesn’t mean that there are no exploits. One spam which was published by F-Secure (http://www.f-secure.com/weblog/archives/archive-012006.html#00000768) tried to get the user to follow the link about “Vandalism Over the New Year”. The site in question is now gone, so this is not a problem anymore, but the typical scenario was: a WMF file which drops a downloader, which then subsequently downloads other trojans.
Besides this one, we also received various “Greeting Card” spams. Although the e-mail claimed that the greeting card is on 123greetings.com, the link actually pointed to http://mujeg orda.bita coras.com/REMOVED – this site is still active.
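The greeting-card spam above works because the text the reader sees (a 123greetings.com address) does not match where the link really points. A mail gateway or user-awareness tool can flag exactly that mismatch. The following is an added example, not code from the ISC diary or from this blog; the e-mail body it parses is constructed for the example and uses a placeholder domain in place of the real malicious site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a "greeting card" spam body: the visible anchor text
# names 123greetings.com, but the href points at a placeholder bad site.
SAMPLE_EMAIL = """
<p>You have received a greeting card!</p>
<a href="http://download.example-bad-site.invalid/card.wmf">http://www.123greetings.com/view/card</a>
<p>Or visit <a href="http://www.example.com/help">www.example.com</a> for help.</p>
<p><a href="http://www.example.com/unsub">click here</a> to unsubscribe.</p>
"""

# Crude hostname/URL pattern for anchor text; good enough to catch a
# displayed address, not a full URL grammar.
HOST_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare hostnames are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix list)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_mismatched_links(html_body):
    """Return links whose displayed domain differs from the real target domain."""
    parser = LinkCollector()
    parser.feed(html_body)
    hits = []
    for href, text in parser.links:
        if not href or urlparse(href).scheme not in ("http", "https"):
            continue  # skip mailto:, relative links, empty hrefs
        shown = HOST_RE.search(text)
        if not shown:
            continue  # anchor text like "click here" shows no address
        shown_domain = registered_domain(host_of(shown.group(0)))
        real_domain = registered_domain(host_of(href))
        if shown_domain != real_domain:
            hits.append({
                "href": href,
                "text": text,
                "shown_domain": shown_domain,
                "real_domain": real_domain,
            })
    return hits


if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE_EMAIL):
        print(f"MISMATCH: shows {hit['shown_domain']}, goes to {hit['real_domain']} ({hit['href']})")
```

Run on the sample body, only the greeting-card link is reported; the help link matches and the "click here" link displays no address to compare. The two-label domain comparison is a deliberate simplification: a production filter would use a public-suffix list so that, for example, a co.uk site is not treated as one domain.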

So what do all of these exploits actually drop? The answer is: typical “bad guys” stuff. They are usually dropping various versions of SDBot and similar IRC trojans. This will enable them to herd zombie machines that they use in the future.
One other exploit that we saw (thanks to Juha-Matti) dropped a pretty nasty password stealer/trojan, Trojan.Satiloler.B.

Finally, there was an interesting post by Andreas Marx on Bugtraq. Among various malware that the WMF files drop, they found one with a built-in counter on a “hidden” website. The counter seems to be going up fast – last year it was around 200.000 while today it is over a million. We can’t be sure that the counter is correct, but we can be sure that the bad guys are on track with this vulnerability.

We are yet to see if other vectors will be exploited, but I’m afraid that this is more than enough for the bad guys to build a nice “army” of zombie machines.
So practice safe hex and patch/protect your machines as much as you can.

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.


January 4, 2006 - Posted by | Antivirus News, Security News
