WMF vulnerability, exploits, and FIX
FYI...
-
http://isc.sans.org/diary.php?storyid=972
Last Updated: 2005-12-28 03:56:13 UTC
"Just when we thought that this will be another slow day, a link to a working unpatched exploit in, what looks like Windows Graphics Rendering Engine, has been posted to Bugtraq...
The HTML file runs another WMF (Windows Meta File) which executes a trojan dropper on a fully patched Windows XP SP2 machine. The dropper will then download
Winhound*,
a fake anti-spyware/virus program which asks the user to purchase a registered version of the software in order to remove the reported threats.
During the test Johannes ran, it was interesting that the DEP (Data Execution Prevention) on his system stopped this from working. However, as this was tested on an AMD64 machine, we still have to confirm whether (or not) the software DEP also stops this - let us know if you tested this.
Internet Explorer will automatically launch the "Windows Picture and Fax Viewer". Note that Firefox users are not totally immune either. In my install of Firefox, a dialog box will ask me if I would like to load the image in "Windows Picture and Fax Viewer". If I allow this to happen ("pictures are safe after all" NOT!), the exploit will execute.
For more information, see also
http://vil.mcafeesecurity.com/vil/content/v_137760.htm and
http://www.securityfocus.com/bid/16074/info ..."
*
http://www.spywarewarrior.com/rogue_anti-spyware.htm
"...Most recent additions: ...WinHound (11-29-05)...
stealth installs through exploits, system hijacking (1,2); scare-mongering used as goad to purchase [A: 11-29-05 / U: 11-29-05]"
-
http://secunia.com/advisories/18255/
Release Date: 2005-12-28
Critical: Extremely critical
FYI...
Be careful with WMF files...
-
http://www.f-secure.com/weblog/
Wednesday, December 28, 2005
" Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C. Fellow researchers at Sunbelt* have also blogged about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch:
Crackz [dot] ws
unionseek [dot] com
www.tfcco [dot] com
Iframeurl [dot] biz
beehappyy [dot] biz
And funnily enough, according to WHOIS, domain beehappyy.biz is owned by a previous president of the Soviet Union:
Registrant Name: Mikhail Sergeevich Gorbachev
Registrant Address1: Krasnaya ploshad, 1
Registrant City: Moscow
Registrant Postal Code: 176098
Registrant Country: Russian Federation
Registrant Country Code: RU
"Krasnaya ploshad" is the Red Square in Moscow..."
*
http://sunbeltblog.blogspot.com/
December 28, 2005
"For this WMF exploit: Until Microsoft patches this thing, here is a workaround:
From the command prompt, type REGSVR32 /U SHIMGVW.DLL.
You can also do this by going to Start, Run and then pasting in the above command. This effectively disables your ability to view images using the Windows picture and fax viewer via IE. This is an old Windows feature that doesn’t even show up under programs. Not “core” or critical..."
However, it is a preventative measure. If you are already infected, it will not help...
Update on Windows WMF 0-day / [ISC] Infocon changed to yellow
-
http://isc.sans.org/diary.php?storyid=975
"Update 19:07 UTC: We are moving to Infocon Yellow...Regarding DEP (Data Execution Protection) of XPSP2, the default settings of DEP will not prevent this exploit from working. Comments we have received in the meantime suggest that if you enable DEP to cover all programs (as documented on Microsoft Technet**), the WMF exploit attempt will result in a warning and not run on its own. Don't feel too safe though, we have also received comments stating that a fully enabled DEP did not do anything good in their case..."
**
http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx
FYI...
-
http://isc.sans.org/diary.php?storyid=991
Last Updated: 2005-12-31 16:33:11 UTC
"We have received information that a new IM Worm is hitting the Netherlands. Apparently the worm is spreading with MSN and is spreading with a malformed WMF file called "xmas-2006 FUNNY.jpg".
Kaspersky Lab Blogs*
Be very careful when opening the New Years Greetings that you receive folks. We wouldn't want you to have to spend the rest of your holiday weekend rebuilding your computer..."
*
http://www.viruslist.com/en/weblog?weblogid=176892530
December 31, 2005 | 11:54 GMT
"It was only a matter of time, the first IM-Worm exploiting the wmf vulnerability has been spotted. We have received multiple reports from the Netherlands about an IM-Worm which spreads via MSN using a link to "hxxp://[snip]/xmas-2006 FUNNY.jpg". This may well turn out to become a local epidemic (in NL), however so far it has not become big (not even 1000 bots at this moment). The jpg is actually an HTML page with a (link to a) malicious wmf file which is heuristically detected as Exploit.Win32.IMG-WMF by Kaspersky Anti-Virus.
This wmf will download and execute a .vbs file which is detected as Trojan-Downloader.VBS.Psyme.br which in turn will download an SdBot. The IRCBot is detected as Backdoor.Win32.SdBot.gen by KAV. At the time of writing this SdBot is instructed to download an IM-Worm.Win32.Kelvir variant. As you will know Kelvir is responsible for spreading across MSN. Looking at this IRCBot it's extremely likely that it has been made for cyber criminals.
Going back to the wmf vulnerability itself, we see a number of sites mention that shimgvw.dll is the vulnerable file. This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll has been unregistered and deleted. The vulnerability seems to be in gdi32.dll. So while unregistering shimgvw.dll may make you less vulnerable, several attack scenarios come to mind where the system can still be compromised..."
FYI...
-
http://isc.sans.org/diary.php?storyid=992
Last Updated: 2005-12-31 23:16:11 UTC
"On New Year's eve the defenders got a 'nice' present from the full disclosure community.
The source code claims to be made by the folks at metasploit and xfocus, together with an anonymous source.
The exploit generates files:
* with a random size;
* no .wmf extension, (.jpg), but could be any other image extension actually;
* a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
* a number of possible calls to run the exploit are listed in the source;
* a random trailer
From a number of scans we did through virustotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly it is very unlikely any of the current IDS signatures work for it. Judging from the source code, it will likely be difficult to develop very effective signatures due to the structures of the WMF files. Considering this upsets all defenses people have in place, we voted to go to yellow in order to warn the good guys out there they need to review their defenses. We hate going back to yellow for something we were yellow on a couple of days ago and had returned to green, but the more we look at it, the uglier it gets.
For those of you wanting to try an unofficial patch with all the risks involved, please see
http://www.hexblog.com/2005/12/wmf_vuln.html. Initially it was only for Windows XP SP2. Fellow handler Tom Liston is working with Ilfak Guilfanov to extend it to also cover Windows XP SP1 and Windows 2000. We will host the files once we have it verified. We are receiving signatures from Frank Knobbe that detect this newest variant, but we haven't done much testing for false positives or negatives at this point.
http://www.bleedingsnort.com/ ..."
:banghead:
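The ISC description above (random size, a ".jpg" extension, a junk run larger than an Ethernet MTU in front of the bad call, a random trailer) explains why a signature keyed on extension, file size or a fixed offset fails. GDI itself ignores all of that: it walks the WMF record stream and acts on each record's function code, so a detector should walk the same stream. The scanner below is an added example, not code from the ISC, Metasploit or any AV vendor. It assumes the standard WMF layout (optional 22-byte placeable header, 18-byte header, records of DWORD size-in-words + WORD function), and it flags the META_ESCAPE/SETABORTPROC record, which is the WMF escape that MS06-001 addressed (a fact not stated on this page). The sample files are constructed here for the demonstration; the 0xCC bytes are a stand-in marker, not a payload.

```python
"""Structural WMF scanner: walks the record stream and flags SETABORTPROC
escapes wherever they sit, whatever the file name, size or junk around them.
Added example (not ISC, Metasploit or vendor code)."""
import random
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header key (optional 22-byte prefix)
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
ESC_MFCOMMENT = 0x000F         # harmless comment escape, used here as junk filler
ESC_SETABORTPROC = 0x0009      # the escape sub-function MS06-001 is about


def scan_wmf(data: bytes):
    """Return [(offset, description), ...] for every SETABORTPROC escape and for
    the first malformed record size; [] if there is no standard WMF header."""
    off = 22 if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        return []
    mtype, header_words, _version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or header_words != 9:   # 1 = memory, 2 = disk metafile
        return []
    off += 18
    findings = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF:
            break
        if size_words < 3:                          # smaller than its own header
            findings.append((off, "malformed record size"))
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == ESC_SETABORTPROC:
                findings.append((off, "META_ESCAPE/SETABORTPROC"))
        off += size_words * 2                      # record sizes are in 16-bit words
    return findings


def _record(func: int, params: bytes = b"") -> bytes:
    """One WMF record: DWORD size in words, WORD function, word-aligned params."""
    params += b"\x00" * (len(params) % 2)
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def _placeable_header() -> bytes:
    # key, handle, bbox (l, t, r, b), inch, reserved; checksum = XOR of the 10 words
    body = struct.pack("<IHhhhhHI", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for word in struct.unpack("<10H", body):
        checksum ^= word
    return body + struct.pack("<H", checksum)


def build_wmf(records, placeable=True) -> bytes:
    body = b"".join(records)
    max_record = max(struct.unpack_from("<I", r)[0] for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_record, 0)
    return (_placeable_header() if placeable else b"") + header + body


def build_exploit_shaped_sample(seed: int = 1) -> bytes:
    """Constructed sample with the generator's layout: junk larger than an
    Ethernet MTU before the bad call, the SETABORTPROC escape, random trailer."""
    rng = random.Random(seed)
    junk = bytes(rng.getrandbits(8) for _ in range(1600))
    marker = b"\xCC" * 32                           # stand-in, not a payload
    records = [
        _record(META_ESCAPE, struct.pack("<HH", ESC_MFCOMMENT, len(junk)) + junk),
        _record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, len(marker)) + marker),
        _record(META_EOF),
    ]
    trailer = bytes(rng.getrandbits(8) for _ in range(rng.randrange(64, 512)))
    return build_wmf(records) + trailer


def build_benign_sample() -> bytes:
    """Constructed clean metafile: one SETMAPMODE(MM_TEXT) record, then EOF."""
    return build_wmf([_record(META_SETMAPMODE, struct.pack("<H", 1)), _record(META_EOF)])


if __name__ == "__main__":
    # The file name is irrelevant to the scanner, exactly as it is to GDI.
    for name, blob in (("HappyNewYear.jpg", build_exploit_shaped_sample()),
                       ("benign.wmf", build_benign_sample())):
        print(name, scan_wmf(blob) or "clean")
```

The scanner skips the junk record by its declared size rather than by pattern, which is why the random length and content in front of the bad call do not matter to it; a record whose declared size is smaller than its own 6-byte header is reported and the walk stops, since nothing after it can be located reliably.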
FYI...
-
http://www.f-secure.com/weblog/archives/archive-012006.html#00000758
Sunday, January 1, 2006 - 00:49 GMT
"We are aware that a new exploit for the WMF vulnerability has been published. This one is much more advanced than the old one, and much more dangerous.
It enables clueless newcomers to easily craft highly variable and hard-to-detect variations of image files. Images that take over computers when viewed. And do this on all common Windows platforms. With no vendor patch for the vulnerability available. Meaning that there are hundreds of millions of vulnerable computers in the net right now.
Making such tools publicly available when there's no vendor patch available is irresponsible. Plain and simply irresponsible. Everybody associated in making and publishing the exploit knows this. And they should know better. Moore, A.S, San and FrSIRT: you should know better."
2nd generation WMF 0-day Exploit Spammed
-
http://isc.sans.org/diary.php?storyid=995
Last Updated: 2006-01-01 11:06:07 UTC
"According to F-Secure's blog today*, the 2nd generation WMF exploit has been spammed and "When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com.".
Trend Micro is calling it TROJ_NASCENE.H":
-
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NASCENE.H&VSect=T
*
http://www.f-secure.com/weblog/archives/archive-012006.html#00000759
Sunday, January 1, 2006 - 09:38 GMT
"Some clown is spamming out "Happy New Year" emails which will infect Windows machines very easily. These emails contain a new version of the WMF exploit, which doesn't seem to be related to the two earlier Metasploit WMF exploits we've seen. The emails have a Subject: "Happy New Year", body: "picture of 2006" and contain an exploit WMF as an attachment, named "HappyNewYear.jpg" (MD5: DBB27F839C8491E57EBCC9445BABB755). We detect this as PFV-Exploit.D.
When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com. Admins, filter this domain at your firewalls.
It's going to get worse..."
FYI...
-
http://isc.sans.org/diary.php?storyid=996
Last Updated: 2006-01-01 15:47:02 UTC by Tom Liston (Version: 1)
"Looking forward to the week ahead, I find myself in the very peculiar position of having to say something that I don't believe has ever been said here in the Handler's diary before: "
Please, trust us."
I've written more than a few diaries, and I've often been silly or said funny things, but now, I'm being as straightforward and honest as I can possibly be: the Microsoft WMF vulnerability is bad. It is very, very bad.
We've received many emails from people saying that no one in a corporate environment will find using an unofficial patch acceptable. Acceptable or not, folks, you have to trust someone in this situation.
To the best of my knowledge, over the past 5 years, this rag-tag group of volunteers hasn't asked for your trust: we've earned it. Now we're going to expend some of that hard-earned trust:
This is a bad situation that will only get worse. The very best response that our collective wisdom can create is contained in this advice - unregister shimgvw.dll and use the unofficial patch. You need to trust us.
Looking back over the past year, the ISC handlers have faced up to any number of challenges: from worms and viruses to DNS poisoning and hurricanes. We've done our best to keep you informed and to tell it like it is. Somehow, it seems fitting that on the last day of 2005 we rang in the New Year in what can only be described as typical ISC style.
On December 31st, we received word that a "new and improved" version of the WMF exploit had been published. This new exploit code generated WMF files that were sufficiently different that they bypassed nearly all AV and IDS signatures. Publishing exploit code such as this for an unpatched vulnerability on a holiday weekend is, without any doubt, a totally irresponsible act.
And so, as the hours to the New Year slowly counted down, a group of volunteers gave up their holiday weekend to come together as a team and put their collective knowledge and intellect to work on the problems this reckless disclosure created. Some tested the exploit, some talked to AV vendors, some worked toward finding a means to mitigate the vulnerability, some tested "fix" ideas and the resulting patches.
I was privileged to be a part of that team, and I'm incredibly proud of everyone who participated. As it became obvious that the "fix" that we were working toward was essentially what had already been created by Ilfak Guilfanov, we wrote to him to ask if we could redistribute his patch from the ISC*. He was incredibly gracious and courteous in allowing us to do so and we were able to work with him to verify several changes that allowed the patch to work on a wider variety of Windows systems.
We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective.
The word from Redmond isn't encouraging. We've heard nothing to indicate that we're going to see anything from Microsoft before January 9th.
The upshot is this: You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.
It's time for some real trustworthy computing. All we're asking is if we've proved ourselves to be worthy of your trust."
* >>>
http://isc.sans.org/diary.php?storyid=994
(See "What can I do to protect myself?")
Updated version of Ilfak Guilfanov's patch
-
http://isc.sans.org/diary.php?storyid=999
Last Updated: 2006-01-01 18:18:10 UTC by Tom Liston (Version: 1)
"Ilfak Guilfanov has released an updated version of his unofficial patch for the Windows WMF issue. We have reverse engineered, reviewed, and vetted the version here**. Note: If you've already successfully installed the patch, this new version adds nothing new. It only adds code to make it able to install on some other very specific configurations and code to recognize when the patch has already been installed."
**
http://handlers.sans.org/tliston/wmffix_hexblog14.exe
AplusWebMaster's Note: -You- have to decide for yourself. After a few years of following the good efforts and works of the folks at the ISC, they ARE -my- source for "Trustworthy Computing".
FYI...
-
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=390
January 02, 2006
"...The attack is a vulnerability within Windows Operating Systems which currently has no patch available. Because there is no patch from Microsoft available, there is exploit code published on the web, it's trivial to create an attack, and there are multiple vectors which allow you to use this attack, we believe that there will continue to be exploits through the Web, Instant Messaging, Email, and other technologies over the next week...
Jan 1, 2006: Increase in web-attacks. Now more than 100 sites using exploit to install BOT's and Trojan Horses.
Jan 2, 2006: Targeted Trojan Horse attack discovered via email..."
FYI...
Microsoft releases fix for Windows flaw
Company had said security patch would take until next week
http://www.msnbc.msn.com/id/10726151/
Updated: 4:32 p.m. ET Jan. 5, 2006
SEATTLE - Microsoft Corp. on Thursday released a patch to fix a flaw in its Windows operating system that had spawned attempts to take control of Internet-connected computers.
The Redmond software maker had originally said it didn't expect to release the patch until Tuesday, but the company said Thursday it was able to complete testing earlier than planned.
The patch was available from Microsoft's Web site.
http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
Bitman, thank you very much. Tarheel
having unregistered SHIMGVW.DLL, now that I have installed the Microsoft patch, how do I re-register it
thx
-
http://isc.sans.org/diary.php?storyid=1019
"...5. Re-register the .dll if you previously unregistered it (use the same command but without the "-u"):
regsvr32 %windir%\system32\shimgvw.dll ..."
[Start > Run > (enter) regsvr32 %windir%\system32\shimgvw.dll (in the box/window)]
Or, see
http://isc.sans.org/diary.php?storyid=1019
FYI...
-
http://isc.sans.org/diary.php?storyid=1023
Last Updated: 2006-01-06 20:57:58 UTC
"...The Internet Storm Center is made up of a group of volunteers that have different backgrounds and perspectives on the overall risk of the WMF vulnerability, and the active exploitation seen. The group consensus was that the risk was high enough to warrant raising the Infocon level, and then testing and endorsing the unofficial patch. We are well aware that one size doesn't fit all. At the time it was the only mitigation technique that actually worked. Anti-virus, IDS/IPS do not give adequate protection against this attack and all of its vectors..."
Get the patch now. Choose Windows Update, MS Update, or manual download. But get it NOW. Other subliminal messages may be posted at any time...
