The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

SANS Internet Storm Center – "Malicious" Websites


“Malicious” Websites

Published: 2007-11-10,
Last Updated: 2007-11-10 21:26:57 UTC
by Koon Yaw Tan (Version: 1)

Previously, we often warned people against visiting unknown/suspicious websites, as they could contain malicious content. But nowadays, even visiting known websites, you could be affected. It was reported that the India Times website contains hundreds of malicious files that could infect those who visit the website.
Legitimate websites containing malicious content is not something new, as it has already happened a couple of times. Web administrators must be prudent to ensure their websites are properly secured. Hackers are now clever enough not to deface your websites to alert you, but rather plant malicious content on them and wait for victims. Periodically running a vulnerability scan on your web systems is necessary to avoid known holes. Let us know if you have other good tips for the web admin.

SANS Internet Storm Center; Cooperative Network Security Community – Internet Security – isc


November 11, 2007 Posted by | Security News | 16 Comments

Welcome to the Microsoft Security Response Center Blog! : Looking at the WMF issue, how did it get there?

Looking at the WMF issue, how did it get there?

Hi everyone, Stephen Toulouse here. Now that the monthly release has passed and people are deploying the updates I wanted to take a moment to discuss some things related to questions we’ve been receiving on the recent WMF issue. (Which was addressed in MS06-001).

One question we’ve gotten is about SetAbortProc, the function that allows printing jobs to be cancelled. (The link is to the public documentation of the function)

Specifically, people are wondering about how the vulnerability was present. Bear with me, I’m going to get rather technical here in the interests of clearly pointing it out. The long story short is that the vulnerability can be triggered with either correct OR incorrect metafile record size values; there seems to have been some confusion on that point.

To detail it a little bit, SetAbortProc functionality was a needed component in the graphics rendering environment for applications to register a callback to cancel printing, before even the WMF file format existed. Remember, those were the days of co-operative multitasking and the only way to allow the user to cancel a print job would be to call back to them, usually via a dialog. Around 1990, WMF support was added to Windows 3.0 as a file-based set of drawing commands for GDI to consume. The SetAbortProc functionality, like all the other drawing commands supported by GDI, was ported over (all in assembly language at this point) by our developers to be recognized when called from a WMF. This was a different time in the security landscape and these metafile records were all completely trusted by the OS. To recap, when it was introduced, the SetAbortProc functionality served an important function.

The vulnerability was introduced when all that GDI functionality was allowed to be called from metafiles. The potential danger of this type of metafile record was recognized and some applications (Internet Explorer, notably) will not process any metafile record of type META_ESCAPE, the overall type of the SetAbortProc record. That restriction is the reason it’s not possible to exploit this vulnerability by simply referencing an image directly in HTML. IE just won’t process it. How then is Internet Explorer an attack vector for the vulnerability? An example of that is through the Windows Picture and Fax Viewer. That application can convert a raw WMF into a printable EMF record. During this conversion, the application will process the META_ESCAPE record. All the current exploits we’re aware of are based on creating an html construct using an IFRAME. At a high level, the IFRAME passes off content to the Windows shell to display. The shell looks up the registered handler for WMF which is the Windows Picture and Fax Viewer (shimgvw.dll) by default. It can run into the vulnerability when converting a raw WMF to a printable EMF if MS06-001 is not applied to the system.

Now, there’s been some speculation that you can only trigger this by using an incorrect size in your metafile record and that this trigger was somehow intentional. That speculation is wrong on both counts. The vulnerability can be triggered with correct or incorrect size values. If you are seeing that you can only trigger it with an incorrect value, it’s probably because your SetAbortProc record is the last record in the metafile. The way this functionality works is by registering the callback to be called after the next metafile record is played. If the SetAbortProc record is the last record in the metafile, it will be more difficult to trigger the vulnerability.

The next question we’ve been getting is around previous operating systems like Windows 98, Windows 98 SE, and Windows Me. Specifically people are wondering why there is no update available for these platforms. Well first off it’s extremely important to note that these products are under an extended support lifecycle. Back in 2004, we made a decision that we would extend support for security updates for updates rated as Critical only through June of 2006 for these older operating systems. We publicly posted the policy at the following location:

With WMF we want to be very clear: the Windows 9x platform is not vulnerable to any “Critical” attack vector. The reason Windows 9x is not vulnerable to a “Critical” attack vector is because an additional step exists in the Win9x platform: When not printing to a printer, applications will simply never process the SetAbortProc record. Although the vulnerable code does exist in the Win9x platform, all “Critical” attack vectors are blocked by this additional step. The remaining attack vectors that we have identified require extensive user interaction and are not rated “Critical”. Again the “Critical” rating refers to code execution attacks that could result in automated attacks requiring little or no user interaction.

I’d like to thank the members of the Secure Windows Initiative team for the supplemental research and history on this.

Once again we urge everyone to deploy MS06-001 for the supported platforms, and thanks for the feedback we’ve been getting!


*This posting is provided “AS IS” with no warranties, and confers no rights.*

posted on Friday, January 13, 2006 11:57 PM by stepto

Welcome to the Microsoft Security Response Center Blog! : Looking at the WMF issue, how did it get there?.
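As an added illustration of the record structure the post describes (this is not code from the MSRC post or from Microsoft), the scanner below walks the records of a WMF file and reports any META_ESCAPE record whose escape code is SetAbortProc, whether or not the declared record size is consistent, and whether it is the last record before META_EOF. The numeric record and escape codes are the public WMF/GDI values, and the sample files are constructed inline for testing.

```python
import struct

# WMF constants from the public WMF/GDI definitions; the page names the records
# but not these numeric values.
PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header signature
META_EOF = 0x0000
META_SAVEDC = 0x001E           # harmless drawing-state record used in the samples
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 0x0009
MIN_RECORD_WORDS = 3           # DWORD RecordSize + WORD RecordFunction


def wmf_records(data):
    """Yield one dict per record: offset, function, params, bad_size.

    The walk is tolerant on purpose: a record whose declared size is too small or
    runs past the end of the file is still yielded (params truncated at EOF) and
    flagged, because the SetAbortProc record matters with either size value.
    """
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    off += struct.unpack_from("<H", data, off + 2)[0] * 2  # HeaderSize in words (normally 9)
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        bad_size = size_words < MIN_RECORD_WORDS or end > len(data)
        params = data[off + 6:] if bad_size else data[off + 6:end]
        yield {"offset": off, "function": func, "params": params, "bad_size": bad_size}
        if bad_size or func == META_EOF:
            return
        off = end


def find_setabortproc(data):
    """Return findings for META_ESCAPE records whose escape code is SETABORTPROC.

    last_record is True when only META_EOF follows; the post says that case is harder
    (not impossible) to trigger, so it is reported rather than suppressed.
    """
    recs = list(wmf_records(data))
    findings = []
    for i, rec in enumerate(recs):
        if rec["function"] != META_ESCAPE or len(rec["params"]) < 2:
            continue
        if struct.unpack_from("<H", rec["params"])[0] != ESC_SETABORTPROC:
            continue
        is_last = all(r["function"] == META_EOF for r in recs[i + 1:])
        findings.append({"offset": rec["offset"], "bad_size": rec["bad_size"],
                         "last_record": is_last})
    return findings


def _rec(func, params=b"", size_words=None):
    """Build a record; size_words can be overridden to construct a malformed one."""
    if size_words is None:
        size_words = (6 + len(params)) // 2
    return struct.pack("<IH", size_words, func) + params


def _wmf(*records):
    """Wrap records in a minimal standard (non-placeable) WMF header plus META_EOF."""
    body = b"".join(records) + _rec(META_EOF)
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0) + body


# Constructed samples: the escape data is four zero bytes, structure only.
ESC_PARAMS = struct.pack("<HH", ESC_SETABORTPROC, 4) + b"\x00" * 4
SAMPLE_CLEAN = _wmf(_rec(META_SAVEDC))
SAMPLE_ESCAPE_MID = _wmf(_rec(META_ESCAPE, ESC_PARAMS), _rec(META_SAVEDC))
SAMPLE_ESCAPE_BADSIZE = _wmf(_rec(META_ESCAPE, ESC_PARAMS, size_words=1))
```

Because the post notes that Internet Explorer refuses every META_ESCAPE record, a stricter gateway filter can simply reject any file containing that record type rather than inspecting the escape code.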

January 14, 2006 Posted by | Security News | Leave a comment

Slashdot | WMF Vulnerability is an Intentional Backdoor?

WMF Vulnerability is an Intentional Backdoor?

Posted by Zonk on
Friday January 13, @12:36PM

from the take-with-a-grain-of-salt

An anonymous reader writes “Steve Gibson alleges that the WMF vulnerability in Windows was neither a bug, nor a feature designed without security in mind, but was actually an intentionally placed backdoor. In more detailed , Gibson explains that the way SetAbortProc works in metafiles does not bear even the slightest resemblance to the way it works when used by a program while printing. Based on the information presented, it really does look like an intentional backdoor.” There’s a transcript available of the ‘Security Now!’ podcast where Gibson discusses this.

Slashdot | WMF Vulnerability is an Intentional Backdoor?

January 14, 2006 Posted by | Security News | Leave a comment

Symantec borrows page from Sony’s book

Symantec revealed this week that they have been using a rootkit-like method, similar to Sony BMG’s rootkit, in Norton SystemWorks 2005 and 2006 to hide a directory involved with protecting items deleted from the Recycle Bin.

The “Norton Protected Recycle Bin” feature that is built in to recent versions of Norton SystemWorks was designed to hide files from the Windows API, just as Sony BMG’s rootkit did, in a directory called “NProtect” that could be used to recover deleted Recycle Bin files. This was supposed to prevent users from accidentally deleting these files while cleaning up their PC.

After being warned by security experts, Mark Russinovich and researchers at antivirus vendor F-Secure, that hiding this directory could give hackers a great hiding place for infected programs, Symantec made an update for this issue that is downloadable from LiveUpdate.

Even though this vulnerability is considered to be low risk, Symantec is “strongly” recommending that SystemWorks users update their product immediately to ensure the greatest protection from threats in the future.

What to do: Even though virus definitions are handled automatically by Symantec LiveUpdate in default configurations of SystemWorks 2005/2006, you have to manually run LiveUpdate to get updates to the product itself. To do this, open Norton SystemWorks — usually found on the desktop or in the Start Menu — then open LiveUpdate, and run LiveUpdate until all available Symantec product updates have been installed. These updates might require multiple reboots, depending on how many updates your installation needs.

More information: eWeek, ZDNet, Secunia

January 14, 2006 Posted by | Security News | Leave a comment

From the Internet Storm Center – CERTs warn about old java bug being exploited

CERTs warn about old java bug being exploited

Published: 2006-01-13,
Last Updated: 2006-01-13 19:08:06 UTC by Swa Frantzen (Version: 3)

warn about a bug in java being exploited. They claim the bug was made public in November 2005. Aside from the obvious "patch and turn off java support", the warnings include text such as “avoid clicking on any links in emails or instant messages, unless the email was already expected beforehand” and “by only accessing Java applets from known and trusted sources the chances of exploitation are reduced.” To the best of my knowledge the general user population expects email. They use email to communicate with people they never met before. And they will click on anything in it. Similarly they call it “surfing the web”; they will click on links that lead to other sites. Telling them not to do that is going to have as much effect as asking them not to laugh at you. There are unfortunately only a very few exceptions where you might have users and applications where you can limit the exposure. But as a general recommendation it is rather worthless IMHO. So download that latest greatest java environment now if you haven’t done so already and upgrade. Better yet: check those browser settings and turn java off for all sites that you either don’t trust 100% to execute code on your machines or that don’t absolutely need it to work.

We have been informed multiple times that the hostile java seems to be at a webserver at fullchain [dot] net. Might be interesting to check your logs in a corporate environment. The supposedly hostile code is still there so we won’t be providing detailed URLs for now. The class file on that website is not detected as malicious by any anti-virus product participating in virustotal. Vince told us it’s also necessary to remove the old java environments, not just get the new ones, as an attacker can target the old environments when they are still

According to the bulletins you need at least:

  • Version 1.3.1_16 or later
  • Version 1.4.2_09 or later
  • Version (1.)5 update 4 or later


January 14, 2006 Posted by | Security News | Leave a comment

SANS – Internet Storm Center – Quicktime patches for Mac and Windows

Handler’s Diary
January 10th 2006

Quicktime patches for Mac and Windows
Published: 2006-01-10,
Last Updated: 2006-01-10 20:55:19 UTC by Kyle Haugsness (Version: 1)

Is Apple hiding behind Microsoft’s advisories? Seems like Apple has been conveniently releasing security advisories on the same day as Microsoft’s. Conspiracy theory? You be the judge.

Anyway, Apple released a security update to Quicktime. There are multiple vulnerabilities patched. To summarize the advisory: A maliciously-crafted GIF/TIFF/TGA/QTIF image or multimedia file may result in arbitrary code execution. Well that pretty much covers the whole web browsing

Given the week we’ve had, I suppose that everyone should go back to using netcat for surfing the web.

Update (from Scott):

For those using Quicktime on Windows, a quick note about the versions of Quicktime available to download at . As of 5:30 UTC the default installer you download includes iTunes. The version of Quicktime included is 7.0.3, which is vulnerable per the advisory above. However, if you download the standalone installer located at , then you get the updated version of Quicktime 7.0.4.

Additionally, if you try to update the software using the “Update existing software…” item under the Help menu, then you receive a message about not being able to make an Internet connection to the software server. I receive the same message if I use the update message under the Quicktime settings window. Not sure if this is an odd configuration problem on my end, or if their update server is having

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System

January 14, 2006 Posted by | Security News | Leave a comment


Important Information for Thursday 5 January 2006

Microsoft announced that it would release a security update to help protect customers from exploitations of a vulnerability in the Windows Meta File (WMF) area of code in the Windows operating system on Tuesday, January 2, 2006, in response to malicious and criminal attacks on computer users that were discovered last week.

Microsoft will release the update today on Thursday, January 5, 2006, earlier than planned.

Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete.
However, testing has been completed earlier than anticipated and the update is ready for release.

In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.

Microsoft’s monitoring of attack data continues to indicate that the attacks are limited and are being mitigated both by Microsoft’s efforts to shut down malicious Web sites and with up-to-date signatures from anti-virus companies.

The security update will be available at 2:00 pm PT as MS06-001.

Enterprise customers who are using Windows Server Update Services will receive the update automatically. In addition, the update is supported by Microsoft Baseline Security Analyzer 2.0, Systems Management Server, and Software Update Services. Enterprise customers can also manually download the update from the Download Center.

Microsoft will hold a special Web cast on Friday, January 6, 2006, to provide technical details on the MS06-001 and to answer questions.
Registration details will be available at

Microsoft will also be releasing additional security updates on Tuesday, January 10, 2006 as part of its regularly scheduled release of security updates.

What is this alert?

As part of the monthly security bulletin release cycle, Microsoft provides advance notification to our customers on the number of new security updates being released, the products affected, the aggregate maximum severity and information about detection tools relevant to the update. This is intended to help our customers plan for the deployment of these security updates more effectively.

In addition, to help customers prioritize monthly security updates with any non-security updates released on Microsoft Update, Windows Update, Windows Server Update Services and Software Update Services on the same day as the monthly security bulletins, we also provide:

*    Information about the release of updated versions of the Microsoft Windows Malicious Software Removal Tool.
*    Information about the release of NON-SECURITY, High Priority updates on Microsoft Update (MU), Windows Update (WU), Windows Server Update Services (WSUS) and Software Update Services (SUS). Note that this information will pertain ONLY to updates on Windows Update and only about High Priority, non-security updates being released on the same day as security updates. Information will NOT be provided about Non-security updates released on other days.

On 10 January 2006 Microsoft is planning to release:

Security Updates
*    1 Microsoft Security Bulletin affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA).
*    1 Microsoft Security Bulletin affecting Microsoft Exchange and Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA).

Microsoft Windows Malicious Software Removal Tool
*    Microsoft is planning to release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS
*    Microsoft is planning to release 1 NON-SECURITY High-Priority Update on Windows Update (WU) and Software Update Services (SUS).
*    Microsoft is planning to release 3 NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released.

Microsoft will host a webcast next week to address customer questions on these bulletins. For more information on this webcast please see below:
*    TechNet Webcast: Information about Microsoft’s Security Bulletins (Level 100)
*    Wednesday, January 11, 2006 11:00 AM (GMT-08:00) Pacific Time (US & Canada)

At this time no additional information on these bulletins such as details regarding severity or details regarding the vulnerability will be made available until 10 January 2006.

January 5, 2006 Posted by | Antivirus News, Security News | Leave a comment

Microsoft Security Advisory Update Notification – Security Advisory (912840) 1/5/05


Title: Microsoft Security Advisory Notification
Issued: January 5, 2006

Security Advisories Updated or Released Today
=============================================

* Security Advisory (912840)
  – Title: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
  – Web site:
  – Reason For Update: FAQ added with information on Windows 98, Windows 98 Second Edition and Windows Millennium. FAQ concerning embedded images in Office documents updated. Workaround updated with information about re-registering the Windows Fax and Image Viewer.


January 5, 2006 Posted by | Security News | Leave a comment

SANS – Internet Storm Center – What do the bad guys do with WMF?

NEWS FLASH!! Another WMF vulnerability post. Hopefully one day this will all be a distant memory.

Handler’s Diary January 4th 2006

What do the bad guys do with WMF? (NEW)

Published: 2006-01-04,
Last Updated: 2006-01-05 00:16:31 UTC by Bojan Zdrnja (Version: 1)
With all this confusion about WMF files and various official and unofficial patches, you are probably wondering what the bad guys are doing with this. We tracked quite a few exploits going around. Lately exploits started using Metasploit, and we even received a standalone utility (the so-called WMFMaker, already described by Panda Software) that anyone can use:

$ ./wmfmaker

Have fun

—- visit —–

No wonder that the bad guys started exploiting this more and more.

The main vector that the bad guys use to exploit this is still by posting it on web sites. The golden target would be a banner site or something that is visited frequently, but luckily, so far we didn’t see anything as widespread as that.

This doesn’t mean that there are no exploits. One spam which was published by F-Secure ( tried to get the user to follow the link about “Vandalism Over the New Year”. The site in question is now gone, so this is not a problem anymore, but the typical scenario was: a WMF file which drops a downloader, which then subsequently downloads other trojans.
Besides this one, we also received various “Greeting Card” spams. Although the e-mail claimed that the greeting card is on, the link actually pointed to http://mujeg orda.bita – this site is still active.

So what do all of these exploits actually drop? The answer is: typical “bad guys” stuff. They are usually dropping various versions of SDBot and similar IRC trojans. This will enable them to herd zombie machines that they use in the future.
One other exploit that we saw (thanks to Juha-Matti) dropped a pretty nasty password stealer/trojan,

Finally, there was an interesting post by Andreas Marx on Bugtraq. Among the various malware that the WMF files drop, they found one with a built-in counter on a “hidden” website. The counter seems to be going up fast: last year it was around 200.000, while today it is over a million. We can’t be sure that the counter is correct, but we can be sure that the bad guys are on track with this vulnerability.

We are yet to see if other vectors will be exploited, but I’m afraid that this is more than enough for the bad guys to build a nice “army” of zombie machines.
So practice safe hex and patch/protect your machines as much as you can.

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

January 4, 2006 Posted by | Antivirus News, Security News | Leave a comment

SANS – Internet Storm Center – Oldest infected .wmf?

Handler’s Diary January 4th 2006

Oldest infected .wmf? (NEW)

Published: 2006-01-04,
Last Updated: 2006-01-04 22:28:20 UTC by Marcus Sachs (Version: 1)
We have a little project for all of the forensic treasure hunters out there.  As you all know, the .wmf issue came into public view about a week ago.  Since then, we’ve found that there are infected .wmf files with dates going back several weeks, so this little beauty has been around for a while.  What we are looking for are any confirmed intrusions earlier than the first of December 2005 that can be traced to this current vulnerability.  By confirmed, we mean that not only is the date of an infected .wmf file on a compromised system earlier than December 1st, but you can also prove that it was installed prior to December 1st and had some type of malicious payload embedded in it.  Tell us whatever you can share, and we’ll summarize the details for others.  There’s no prize for the earliest detect, but we are pretty sure that many would be interested in knowing how long this vulnerability has been actively exploited.

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

January 4, 2006 Posted by | Antivirus News, Security News | Leave a comment