We take a quick look at the Microsoft hotfix

Earlier today we mentioned that Steve Gibson had reported on a leaked hotfix for the WMF exploit from Microsoft.

We got a copy of the hotfix from an anonymous source who had carefully verified its authenticity by following the certificate chain back and confirming that it chains to the same root certificate as previous Microsoft updates.

We ran it through a quick and informal test in our labs.

And we found it easily stops at least one exploit that we tested it against.  The Windows Picture and Fax Viewer shows up, but you don’t get exploited.

And it is the real deal.  Microsoft has been very upfront about it:

“It really was an inadvertent thing that happened,” Fry Wilson said. “We have the security update on a fast track…(and) somebody accidentally posted a prerelease version on a community site. It has been taken down, and we don’t recommend customers use it–it is not the version that we will be releasing on Tuesday.”

Link here.

The good news is that, based on our early and quick tests, it looks very effective. It also appears to co-exist just fine with Ilfak’s hotfix.

Alex Eckelberry

Microsoft issues Sober advice

Don’t forget along with all this WMF exploit madness, there is Sober fun in the midst. But experts in the AV community aren’t overly concerned.

If you’ll recall, in December researchers uncovered a bunch of sites that the worm would report back to for more downloads on January 6.

For example, starting January 6 and continuing for 14 days, the URLs are (from F-Secure):

  • home.arcor.de/dixqshv/
  • people.freenet.de/wjpropqmlpohj/
  • people.freenet.de/zmnjgmomgbdz/
  • people.freenet.de/mclvompycem/
  • home.arcor.de/jmqnqgijmng/
  • people.freenet.de/urfiqileuq/
  • home.arcor.de/nhirmvtg/
  • free.pages.at/emcndvwoemn/
  • people.freenet.de/fseqepagqfphv/
  • home.arcor.de/ocllceclbhs/
  • scifi.pages.at/zzzvmkituktgr/
  • people.freenet.de/qisezhin/
  • home.arcor.de/srvziadzvzr/
  • people.freenet.de/smtmeihf/
  • home.pages.at/npgwtjgxwthx/

These URLs are all dead, but this article at CIAC continues with: 

At the end of fourteen days they will change to a new set of random URLs. While most of the connection attempts will be to non-existent URLs, the virus writer knows in advance what the URLs will be on any particular day. Thus, when he wants to upload new code, he simply registers the appropriate URL and uploads the new code.
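As an added example (not from the original post, F-Secure or CIAC), the Python below shows how a network defender could sweep proxy logs for requests to the rendezvous directories listed above and report which internal clients made them. The Squid-style log lines and client addresses are constructed, not a real capture; matching is by path prefix because the worm fetches files beneath those directories, and since the worm rotates to a new set every fourteen days the path list has to be refreshed each cycle.

```python
import re
from collections import defaultdict

# Rendezvous directories the Sober worm polls from 6 January 2006 (the F-Secure
# list reproduced above). The worm fetches files beneath these paths, so matching
# is by prefix. After fourteen days the worm moves to a new set: refresh this list.
SOBER_PATHS = [
    "home.arcor.de/dixqshv/",
    "people.freenet.de/wjpropqmlpohj/",
    "people.freenet.de/zmnjgmomgbdz/",
    "people.freenet.de/mclvompycem/",
    "home.arcor.de/jmqnqgijmng/",
    "people.freenet.de/urfiqileuq/",
    "home.arcor.de/nhirmvtg/",
    "free.pages.at/emcndvwoemn/",
    "people.freenet.de/fseqepagqfphv/",
    "home.arcor.de/ocllceclbhs/",
    "scifi.pages.at/zzzvmkituktgr/",
    "people.freenet.de/qisezhin/",
    "home.arcor.de/srvziadzvzr/",
    "people.freenet.de/smtmeihf/",
    "home.pages.at/npgwtjgxwthx/",
]

# Constructed Squid-style access log sample (timestamp, elapsed ms, client,
# result, bytes, method, URL, ...). Clients, peers and timestamps are made up.
SAMPLE_LOG = """\
1136505601.123    45 10.0.0.17 TCP_MISS/404 312 GET http://home.arcor.de/dixqshv/update.exe - DIRECT/192.0.2.10 text/html
1136505602.456    12 10.0.0.17 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/192.0.2.20 text/html
1136505603.789    50 10.0.0.42 TCP_MISS/404 312 GET http://people.freenet.de/zmnjgmomgbdz/ - DIRECT/192.0.2.30 text/html
1136505604.000    30 10.0.0.42 TCP_MISS/200 900 GET http://scifi.pages.at/zzzvmkituktgr/sober.dat - DIRECT/192.0.2.40 application/octet-stream
1136505605.000    20 10.0.0.99 TCP_MISS/200 4000 GET http://home.arcor.de/someoneelse/page.html - DIRECT/192.0.2.10 text/html
"""

LOG_LINE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def normalize_url(url):
    """Drop the scheme and lower-case the host so comparison is scheme- and case-insensitive."""
    without_scheme = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", url)
    host, slash, path = without_scheme.partition("/")
    return host.lower() + slash + path


def is_sober_rendezvous(url, paths=SOBER_PATHS):
    """True if the request falls under one of the worm's rendezvous directories."""
    normalized = normalize_url(url)
    return any(normalized.startswith(p) for p in paths)


def find_sober_clients(log_text, paths=SOBER_PATHS):
    """Map each client address to the rendezvous URLs it requested."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # skip lines that do not parse rather than abort the sweep
        if is_sober_rendezvous(match.group("url"), paths):
            hits[match.group("client")].append(match.group("url"))
    return dict(hits)


if __name__ == "__main__":
    for client, urls in sorted(find_sober_clients(SAMPLE_LOG).items()):
        print(f"{client}: {len(urls)} rendezvous request(s)")
        for url in urls:
            print("   ", url)
```

A 404 for one of these paths is still a hit worth acting on: the worm polls whether or not anything has been uploaded yet, so the request alone identifies an infected client. A 200 carrying a payload is the case where the attacker has registered that day's URL.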

Microsoft just sent me this:  

Microsoft has issued Security Advisory #912920 to provide guidance to customers to help protect themselves (link here).

Also, Microsoft has added detection for the latest Sober variants to the Malicious Software Removal Tool and Windows Live Safety Center. Customers who believe they are infected can go to http://safety.live.com and choose “Protection Scan” to remove all known variants of Win32/Sober.  The Malicious Software Removal Tool will also be updated as part of the regular security update release cycle on January 10, 2006 to scan and remove any known infections of Win32/Sober.Z from a user’s computer.

Win32/Sober attempts to entice users into opening an attached executable or clicking a malicious URL via an instant message. The worm then sends itself to all contacts in a computer’s address book.  The worm does not appear to target a security vulnerability, but rather relies on the user opening the attachment or clicking a link in their instant messaging window to execute. On systems infected by Win32/Sober.Z@mm, the malware is programmed to download and run malicious files from certain Web domains beginning on January 6, 2006. Beginning approximately every two weeks thereafter, the worm is set to begin downloading and running malicious files from additional sites on the same Web domains.

Just keep your AV sigs updated, all should be fine.

Alex Eckelberry

How good is your AV program at detecting the WMF exploit?

From Larry Seltzer at eWeek:

Days after the revelation of a flaw in Windows’ handling of WMF graphics files, dozens of exploits are being spread from thousands of adware sites. But good protection is available.

At the same time, further testing confirms that a workaround issued by third parties and endorsed by Microsoft Corp. is effective in most regards, and in the most important circumstances, but not in all. Also, the workaround has side effects that could prove troublesome.

AV-Test, which tests anti-malware products, has been tracking the situation closely and has, so far, analyzed 73 variants of malicious WMF files. Products from the following companies have identified all 73:

  • Alwil Software (Avast)
  • Softwin (BitDefender)
  • ClamAV
  • F-Secure Inc.
  • Fortinet Inc.
  • McAfee Inc.
  • ESET (Nod32)
  • Panda Software
  • Sophos Plc
  • Symantec Corp.
  • Trend Micro Inc.
  • VirusBuster

These products detected fewer variants:

  • 62 — eTrust-VET
  • 62 — QuickHeal
  • 61 — AntiVir
  • 61 — Dr Web
  • 61 — Kaspersky
  • 60 — AVG
  • 19 — Command
  • 19 — F-Prot
  • 11 — Ewido
  •  7 — eSafe
  •  7 — eTrust-INO
  •  6 — Ikarus
  •  6 — VBA32
  •  0 — Norman

Link here via CastleCops.

UPDATE:  More info and apparently updated comparisons (go to the end of the thread) at Wilders Security.

Alex Eckelberry

Microsoft security patch has leaked

From Steve Gibson:

Microsoft’s OFFICIAL SECURITY UPDATE leaked onto the Internet early (and it works great!)
It would seem that we can be pretty certain that Microsoft will have this WMF vulnerability mess cleaned up shortly. Microsoft’s cryptographically signed and authentic (though perhaps not final) security update addressing this vulnerability has prematurely leaked onto the Internet.

As expected, Ilfak’s WMF vulnerability suppression patch, and his WMF vulnerability testing utility, both interact smoothly and seamlessly with Microsoft’s forthcoming official security update. Ilfak’s code can be left running while installing Microsoft’s security update, then safely removed forever once the system has rebooted from the update.

Link here.

Alex Eckelberry

One report of network printing problems

We have one unconfirmed report that a corporate user had printing problems after using the unofficial hotfix for the WMF exploit

From a post on Full Disclosure:

Today I received information from one corporate user that installing the unofficial WMF patch (wmffix_hexblog13.exe) on a Windows XP workstation caused network printing problems for him. The problem was solved via System Restore.

The experiment was repeated and the result was identical. After installing the patch, an attempt to print documents either showed the error message “printer error” or nothing happened at all. The workstation had one printer, a Samsung ML-1210, installed. Has anybody encountered something alike?

Link here.

As always, we caution network managers to follow prudent practices in rolling out an unofficial, unsupported patch.  Set up test systems before deployment, closely monitor post deployment.

Alex Eckelberry

SANS presentation on WMF exploit

This is interesting.  SANS just posted a presentation (PDF file and PowerPoint) on the WMF exploit.

It does a really good job of explaining how this thing works.  If you feel a bit unclear on it, check this presentation out.  It makes it quite clear.

The full SANS article link here.

In a week, this thing will be patched and all will be (hopefully) better.  But in the meantime, the temporary hotfix is a fine solution, along with unregistering shimgvw.dll.  We are hosting the hotfix on our servers in case you’re having a hard time getting it. Also, Ilfak (the creator of this patch) is temporarily living at CastleCops as his server went down from overwhelming traffic.

Of course, antivirus protection is essential these days, and if you’re on a budget, you can always get one for free.  Read my article on cheap and free security tools here.

Alex Eckelberry

Alternate download for unofficial patch

Ilfak Guilfanov, who has brilliantly come up with the ONLY legitimate patch for the WMF exploit, is getting hammered with hits on his site.  Hence, you will have a very hard time getting to it. 

I’ve thrown the hotfix up on our servers for people looking for an alternate download site.

This is unofficial; it’s just enough to get everyone by until Ilfak can get things up again.

Here are links:

Hotfix (version 1.4) link here.

Hotfix checker link here.

Alex

WMF Exploit: iDEFENSE says don’t worry about Win 98, ME, 2000

I saw a post on Larry Seltzer’s excellent security blog that iDEFENSE is claiming that only Windows XP, SP1, SP2, Windows 2003, SP1 and (possibly) Lotus Notes are vulnerable to the WMF exploit. Windows 2000, ME, and 98 are not vulnerable (they didn’t test Windows NT).  Link here.

Later, Larry did some more testing and came to the following conclusion:

I have been testing a lot tonight and it appears to me that iDEFENSE is right: In a practical sense, only Windows XP and Windows Server 2003 (in all their service pack levels) are vulnerable to the WMF flaw. Here’s why.

Link here. F-Secure also mentions his blog.

Note that I have one email from a user who tested the exploit, and got an infestation, on a W2k machine using a third-party graphics handler.  It’s a research point…

Alex Eckelberry

It’s official: Microsoft will try to patch the exploit on Jan 10

Latest advisory says:

Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

Alex Eckelberry
(Thanks for the heads-up David)

WMF update

More news today at SANS on the WMF exploit situation.

Metasploit, a well-known “white hat” group that comes up with code for exploits to test network systems, has come up with a new way to use the WMF exploit to “bypass all known IDS signatures”.

Link here.

And new ways to install the unofficial hotfix, silently and via a script.

So what’s your best defense?  We recommend doing the following two simple steps:

1. Apply the unofficial hotfix.

2. Unregister shimgvw.dll.

Of course, antivirus protection is essential these days, and if you’re on a budget, you can always get one for free.  Read my article on cheap and free security tools here.

My latest word from Microsoft is that there is no official timeline for a patch, but I would be quite surprised if they didn’t patch this at the very least on Tuesday the 10th.  One hopes sooner…

Alex Eckelberry

WMF Vulnerability checker

Ilfak Guilfanov, who has brilliantly come up with the ONLY legitimate patch for the WMF exploit, has a new tool to check to make sure it’s working.

Link to his vulnerability checker here. Link to the actual WMF exploit patch here.

I recommend applying his hotfix.  At this point, it is the only broadly effective deterrent to the WMF exploit. 

As Tom Liston at SANS says:

To the best of my knowledge, over the past 5 years, this rag-tag group of volunteers hasn’t asked for your trust: we’ve earned it.  Now we’re going to expend some of that hard-earned trust:

This is a bad situation that will only get worse.  The very best response that our collective wisdom can create is contained in this advice – unregister shimgvw.dll and use the unofficial patch.  You need to trust us.

However, Ilfak’s hotfix does not support Windows 98 and ME.  For those, I would unregister shimgvw.dll (still not a perfect fix) as explained here and keep your AV signatures updated.   You can apply all my other ideas optionally, but those two things are the core things to do.
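The same two-step advice (apply the unofficial hotfix, unregister shimgvw.dll) appears in the “WMF update” post above and here. As an added example that is not part of either post, the Python below verifies the second step: after `regsvr32 /u shimgvw.dll`, no CLSID under HKEY_CLASSES_ROOT\CLSID should still name shimgvw.dll as its InprocServer32. It assumes that the DLL’s DllUnregisterServer removes those keys, which is normal COM self-unregistration behaviour. The registry walk only runs on Windows; the comparison is a separate pure function so it can be exercised against the constructed snapshots at the bottom, whose CLSIDs are placeholders rather than real values.

```python
import os

try:
    import winreg  # Windows only; the pure comparison below does not need it
except ImportError:
    winreg = None

TARGET_DLL = "shimgvw.dll"


def clsids_served_by(entries, dll_name=TARGET_DLL):
    """Return the CLSIDs whose InprocServer32 path names dll_name.

    entries is an iterable of (clsid, inproc_server_path). Paths may be quoted or
    use %SystemRoot%-style variables, so only the trailing file name is compared."""
    wanted = dll_name.lower()
    found = []
    for clsid, path in entries:
        if not path:
            continue
        cleaned = path.strip().strip('"').replace("\\", "/")
        if os.path.basename(cleaned).lower() == wanted:
            found.append(clsid)
    return found


def collect_inproc_servers():
    """Yield (clsid, InprocServer32 default value) for every CLSID on this Windows host."""
    if winreg is None:
        raise RuntimeError("the registry walk only runs on Windows")
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "CLSID") as root:
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(root, clsid + "\\InprocServer32") as server_key:
                    value, _kind = winreg.QueryValueEx(server_key, "")
            except OSError:
                continue  # CLSID without an in-process server
            yield clsid, value


def still_registered(entries=None, dll_name=TARGET_DLL):
    """True if dll_name is still registered as a COM in-process server.

    Pass a list of (clsid, path) pairs to check a snapshot; with no argument the
    live registry is walked (Windows only)."""
    if entries is None:
        entries = collect_inproc_servers()
    return bool(clsids_served_by(entries, dll_name))


# Constructed sample snapshots with placeholder CLSIDs (not the real shimgvw.dll ones).
SNAPSHOT_BEFORE_UNREGISTER = [
    ("{PLACEHOLDER-CLSID-1}", "%SystemRoot%\\System32\\shimgvw.dll"),
    ("{PLACEHOLDER-CLSID-2}", '"C:\\WINDOWS\\system32\\shell32.dll"'),
]
SNAPSHOT_AFTER_UNREGISTER = [
    ("{PLACEHOLDER-CLSID-2}", '"C:\\WINDOWS\\system32\\shell32.dll"'),
]

if __name__ == "__main__":
    if winreg is None:
        print("not Windows; checking the constructed snapshots instead")
        print("before:", still_registered(SNAPSHOT_BEFORE_UNREGISTER))
        print("after: ", still_registered(SNAPSHOT_AFTER_UNREGISTER))
    else:
        hits = clsids_served_by(collect_inproc_servers())
        print("shimgvw.dll still registered for:", hits if hits else "nothing (unregistered)")
```

On a fleet this is the post-deployment check the network-printing post asks for: run it after the rollout script and treat any CLSID it reports as a machine where the unregister step did not take.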
Alex Eckelberry

Updated version of Ilfak Guilfanov’s WMF patch

From SANS:

Updated version of Ilfak Guilfanov’s patch

Published: 2006-01-01, Last Updated: 2006-01-01 18:54:14 UTC by Tom Liston

Ilfak Guilfanov has released an updated version of his unofficial patch for the Windows WMF issue. We have reverse engineered, reviewed, and vetted the version here. Note: If you’ve already successfully installed the patch, this new version adds nothing new. It only adds code to make it able to install on some other very specific configurations and code to recognize when the patch has already been installed.

MD5: 14d8c937d97572deb9cb07297a87e62a – wmffix_hexblog13.exe

Here is a list of changes from version 1.1 from Ilfak Guilfanov at Hex Blog:

  • Version 1.2: if the hotfix has already been applied to the system, informs the user at the second installation attempt.
  • Version 1.3: added support for Windows 2000 SP4.

If you have already installed version 1.1 you do not need to reinstall. This patch should work for Windows 2000, XP 32-bit, XP 64-bit, and Windows Server 2003.

Cheers,

Eric Sites
VP of Research & Development

WMF files that currently bypass all detections

So why is this new WMF email such a problem?

Because of other developing information that SANS and a few others have already talked about. The people at FrSIRT have posted an updated version of the WMF exploit code, and our friends over at F-Secure said that it “enables clueless newcomers to easily craft highly variable and hard-to-detect variations of image files.” Another quote from the same blog entry at F-Secure: “Making such tools publicly available when there’s no vendor patch available is irresponsible. Plain and simply irresponsible. Everybody associated in making and publishing the exploit knows this. And they should know better. Moore, A.S, San and FrSIRT: you should know better.”

And I totally agree with them! Everyone from seasoned computer users to total novices is getting hit with these WMF file exploits right and left. The peer support forums are being bombarded with questions and stories of users spending hours trying to remove Trojans, spyware, adware, and backdoors opened on their computers by these attacks. These users really did not need this problem to escalate, which is just what the guys at FrSIRT have done.

So we now have spam attacks plus an IM-Worm and the current exponentially growing list of websites hosting these attacks. Now we have to deal with a new variant of the exploit code which makes things very difficult for security vendors.

SANS has a great explanation of the new exploit code here. The crux of the issue, as SANS states it: “From a number of scans we did through virustotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly it is very unlikely any of the IDS signatures for the previous versions of the WMF exploits work for this next generation. Judging from the source code, it will likely be difficult to develop very effective signatures due to the structure of the WMF files.”

Infection rates
McAfee announced on the radio yesterday they saw 6% of their customers having been infected with the previous generation of the WMF exploits. 6% of their customer base is a huge number.

Until Microsoft releases a patch for this GDI32.DLL WMF bug, surfing the web, reading your email, and chatting via IM is like playing Russian roulette with your computer.

The most promising temporary fix for this issue currently is to use Ilfak Guilfanov’s DLL injection patch from his blog. And to keep up-to-date on your Anti-spyware, Anti-virus, and firewall IDS signatures.

Eric Sites
VP of Research & Development
Sunbelt Software

New WMF exploit confirmed in spam attacks

1/1/2006

In an email advisory I just received from McAfee AVERT Labs, a new version of the WMF exploit, built with the new Exploit-WMF code released today, has been confirmed in spam attacks that result in the installation of a new Backdoor-CEP variant.

An email message containing the Exploit-WMF sample built from this new code has been spammed. The message appears as follows:

Subject: Happy New Year
Body: picture of 2006
Attachment: HappyNewYear.jpg (actually a WMF file with a .JPG extension)

The attachment causes a new BackDoor-CEP variant to be downloaded and run from www.ritztours[dot]com.
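The message described above carries a WMF file renamed to .JPG. As an added example, not taken from McAfee’s advisory or from the original post, this Python helper sniffs an attachment’s real type from its leading bytes and flags an image extension whose content is actually a metafile, which is the check a mail gateway or desktop scanner would apply regardless of what the name says. The WMF header constants are the standard ones (the placeable-header key 0x9AC6CDD7 and the Type/HeaderSize/Version words of the standard header); the sample byte strings at the bottom are constructed headers with no records, not a real attachment.

```python
import os
import struct

# Leading bytes of the raster formats an attachment name might claim to be.
RASTER_MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
}

# What each extension claims the content is.
EXTENSION_TYPE = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".bmp": "bmp", ".wmf": "wmf",
}

PLACEABLE_WMF_KEY = b"\x9a\xc6\xcd\xd7"  # 0x9AC6CDD7 stored little-endian


def is_wmf(data):
    """True if data starts with a placeable (Aldus) WMF header or a standard WMF header."""
    if data.startswith(PLACEABLE_WMF_KEY):
        return True
    if len(data) < 6:
        return False
    # Standard header: Type (1 = in memory, 2 = on disk), HeaderSize (always 9 words),
    # Version (0x0100 for Windows 1.x metafiles, 0x0300 for Windows 3.x).
    file_type, header_size, version = struct.unpack("<HHH", data[:6])
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def sniff(data):
    """Identify the real type of an attachment from its leading bytes, ignoring its name."""
    for name, magics in RASTER_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return name
    if is_wmf(data):
        return "wmf"
    return "unknown"


def check_attachment(filename, data):
    """Return (declared_type, actual_type, suspicious).

    suspicious is True when the content is a metafile but the extension says otherwise,
    the HappyNewYear.jpg pattern from the spam run described above."""
    extension = os.path.splitext(filename)[1].lower()
    declared = EXTENSION_TYPE.get(extension, "unknown")
    actual = sniff(data)
    suspicious = actual == "wmf" and declared != "wmf"
    return declared, actual, suspicious


def scan_attachments(attachments):
    """Given (filename, bytes) pairs, return the names that should be quarantined."""
    return [name for name, data in attachments if check_attachment(name, data)[2]]


# Constructed sample inputs: headers only, no metafile records, not real attachments.
SAMPLE_PLACEABLE_WMF = (
    PLACEABLE_WMF_KEY + b"\x00" * 18          # rest of the 22-byte placeable header
    + struct.pack("<HHH", 2, 9, 0x0300) + b"\x00" * 12  # standard header that follows it
)
SAMPLE_STANDARD_WMF = struct.pack("<HHH", 1, 9, 0x0300) + b"\x00" * 12
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    mailbox = [
        ("HappyNewYear.jpg", SAMPLE_PLACEABLE_WMF),
        ("holiday.jpg", SAMPLE_JPEG),
        ("diagram.wmf", SAMPLE_STANDARD_WMF),
    ]
    for name, data in mailbox:
        print(name, check_attachment(name, data))
    print("quarantine:", scan_attachments(mailbox))
```

Note that a clean-extension match (“diagram.wmf” that really is a WMF) is not flagged by this check; whether to block all inbound metafiles until the patch ships is a policy decision this helper leaves to the caller.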

I have not seen a copy of this email yet, and I am not sure whether you need to click on the attachment or whether it will run automatically and infect the receiving computer. If anyone comes across this email, please forward it to me ASAP in a password-protected zip file to eric@sunbelt-software.com.

Here is the email from AVERT Labs:

Advisory
AVERT is releasing this advisory to make our customers aware of new Exploit-WMF code having been released today and currently being used in spam attacks resulting in the installation of a new Backdoor-CEP variant.

Justification
Updated DAT files to detect new Exploit-WMF and Backdoor-CEP variants are being prepared now and will be released shortly.

Read About It
Information about Exploit-WMF is located on VIL at: http://vil.nai.com/vil/content/v_125294.htm

Detection
New Exploit-WMF and Backdoor-CEP variants have been discovered on 1/1/2006 (GMT) and detection will be added to the 4664 dat files (Release Date: 1/1/2006).
The EXTRA.DAT is available at https://www.webimmune.net/extra/getextra.aspx.
If you suspect you have Exploit-WMF or Backdoor-CEP, please submit samples to http://www.webimmune.net/.

Risk Assessment Definition
For further information on the Risk Assessment and AVERT Recommended Actions please see:
http://www.mcafeesecurity.com/us/security/resources/risk_assessment.htm

Best Regards,

McAfee AVERT – Anti Virus and Vulnerability Research, Analysis, and Solutions visit us at http://www.avertlabs.com

A WMF exploit FAQ has been released by SANS at http://isc.sans.org/diary.php?date=2006-01-01. Lots of great information there.

Unofficial patch for all WMF exploit variants.

An unofficial patch was made available by Ilfak Guilfanov, the main developer of IDA Pro from DataRescue.

SANS’s own Tom Liston reviewed the patch and we tested it. The SANS-reviewed and tested version is available for download (MD5: 99b27206824d9f128af6aa1cc2ad05bc). THANKS to Ilfak Guilfanov for providing the patch!!

Ilfak’s blog at Hex Blog has more information about this patch, including an MSI file provided by a blog reader that can be deployed to desktops through group policies. This repackaging is also provided ‘AS IS’ without any kind of warranty. After applying either of these patches, your computer must be rebooted for it to take effect.
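Both the SANS note above (MD5 14d8c937… for wmffix_hexblog13.exe) and this post (MD5 99b27206… for the SANS-reviewed build) publish a digest so a download can be checked before it is installed, which matters when the patch is being mirrored on third-party servers. As an added example that is not from SANS or Hex Blog, the Python below computes a file’s MD5 and matches it against those published values; the label on the second hash is mine, since the post does not give its file name. MD5 is what was published in 2006; today one would pair a stronger hash with the Authenticode signature check mentioned in the leaked-hotfix post.

```python
import hashlib
import hmac

# Digests published in the posts above. The first label is the file name SANS gave;
# the second is a descriptive label of my own, since the post names no file for it.
PUBLISHED_MD5 = [
    ("wmffix_hexblog13.exe (version 1.3)", "14d8c937d97572deb9cb07297a87e62a"),
    ("SANS-reviewed build (file name not given in the post)", "99b27206824d9f128af6aa1cc2ad05bc"),
]


def md5_of_bytes(data):
    """MD5 of an in-memory byte string as a lowercase hex digest."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 16):
    """MD5 of a file, read in chunks so a large download need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def digests_match(actual_hex, expected_hex):
    """Case-insensitive, constant-time comparison of two hex digests."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def identify_build(actual_hex, published=PUBLISHED_MD5):
    """Return the label of the published build with this digest, or None if none matches."""
    for label, expected in published:
        if digests_match(actual_hex, expected):
            return label
    return None


def verify_download(path, published=PUBLISHED_MD5):
    """Hash a downloaded file and report which published build it is, if any.

    Returns (hex_digest, label_or_None); a None label means the file is not one
    of the vetted builds and should not be installed."""
    actual = md5_of_file(path)
    return actual, identify_build(actual, published)


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        digest, label = verify_download(arg)
        status = "OK: " + label if label else "UNKNOWN digest, do not install"
        print(f"{arg}: {digest} -> {status}")
```

Run it as `python verify.py wmffix_hexblog13.exe` on the mirrored download; an unknown digest means either a corrupted transfer or a different build than the one SANS vetted, and in both cases the right move is to fetch it again from a source you trust rather than install it.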

Eric Sites
VP of Research & Development
Sunbelt Software
eric@sunbelt-software.com