December 2005 - Posts

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Handler's Diary December 31st 2005

WMF and Indexing (NEW)

Published: 2005-12-31,
Last Updated: 2005-12-31 12:24:04 UTC by Patrick Nolan (Version: 1)

WMF Indexing, White Elephants and White Rabbits

The WMF White Elephant in the room as far as I'm concerned is Indexing. YMMV. How many Vendors have other Indexing services installed that are going to automagically enable WMF exploitation on or across your network?

F-Secure pointed out the White Elephant when they recommended you "disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows" and said "This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime." And I agree, turn all Indexing off until a fix is out.

Microsoft, Google and other vendors should immediately address what the role is of their indexing services, particularly as it relates to shares, synchronization and potential mitigation activities. Their lack of comment on this issue is glaring.

MS Indexing (White Rabbit Link)

F-Secure's blog today has a new vulnerability workaround (unrelated to indexing).

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Handler's Diary December 31st 2005


Call 1-866-727-2338 for free virus and security-related support from Microsoft (NEW)

Published: 2005-12-31,
Last Updated: 2005-12-31 11:58:48 UTC by Patrick Nolan (Version: 1)

Preparation for the Inevitable (and New Year's Resolution?)

When your Family and friends inevitably ask for help to "clean" their systems exploited by malicious WMF (or other) attacks, refer them to MS's free phone support.

Microsoft's No-Charge support phone number for virus and other security-related issue support is 1-866-727-2338, and "is available 24 hours a day for the U.S. and Canada."

"Outside of the U.S. and Canada", click here and then select your region to obtain the free support phone number for virus and other security-related issues.

OK, looks like Microsoft is working on a patch after all. I never should have doubted them..

Welcome to the Microsoft Security Response Center Blog! : A few thoughts on the WMF vulnerability.


Hi folks- this is Kevin Kean from the MSRC, writing what may just be my last MSRC blog entry for 2005. This morning we noticed that there are some people who are still looking for more information about the Windows Metafile (WMF) vulnerability that we issued a security advisory for on Wednesday. I thought it would be helpful to let you all know what we know about this and what we are doing to take care of it.

Since earlier this week, my team has been hard at work investigating this vulnerability. We take situations such as this one very seriously.

We are aware of publicly released, detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on a user’s system by hosting a specially crafted WMF image on a malicious Web site. We have determined that an attacker would have no way to force users to visit such a malicious Web site. Instead, an attacker would have to persuade someone to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

We have been asked a number of times whether this vulnerability can be exploited via email. I want to be very clear in the response so all users can understand the situation. In an e-mail based attack, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability. In both the web and e-mail based attacks, the code would execute in the security context of the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

When we complete this investigation, we’ll do what is best to help protect our customers. We have determined that this vulnerability will be fixed through a security update, and we will release that either through the regular monthly release cycle or out-of-cycle, depending on customer needs.

Right now, we are working very closely with our anti-virus partners and aiding law enforcement with its investigation. We continue to recommend that customers follow our security guidance, including being careful where you browse, never accepting email attachments from unknown senders, keeping your anti-virus software up to date, enabling a firewall and staying current on security updates.

Have a safe and happy New Year!
-Kevin

*This posting is provided "AS IS" with no warranties, and confers no rights.*


posted on Friday, December 30, 2005 9:38 PM by stepto


Knock, knock. Anyone working on a patch Microsoft?

F-Secure : News from the Lab - December of 2005.

WMF, day 3 Posted by Stefan @ 12:29 GMT

The amount of trojans using the zero-day WMF exploit is increasing rapidly.

Many people have now used the REGSRV32 workaround to stop the immediate threat. Some users have come back to us after we quoted Microsoft on the workaround wondering if the workaround really works. The workaround will stop the exploit for Internet Explorer and Explorer - even though WMF images still show as normal.

What the workaround does not protect against is opening an exploited file in MSPAINT (aka Paintbrush). And like always, renaming the file to any other image extension will not make a difference to MSPAINT. So our suggestion is to not open any pictures right now with MSPAINT whatsoever. Perhaps leaving image editors out completely for the rest of the year might be a good idea.



Come on Microsoft, where is that patch??

TROJ_NASCENE.E - Description and solution.

Description: 

This Trojan is a Windows Metafile (WMF) that exploits a known vulnerability in the way specially-crafted WMF images are handled that can lead to arbitrary code execution. For more information about this vulnerability, please refer to this page:

This vulnerability is a zero-day exploit that is capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may pose a dangerous situation in which a lot of computers may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it.

Upon successful exploitation of this vulnerability, this Trojan connects to a certain Web site and downloads a certain file. Trend Micro detects the said file as ADW_EXFOL.A.

Well I felt safe for a little while, just sent out a script to unregister that vulnerable dll. According to the info below, it might not stay that way.

Looks like renaming the dll temporarily is the only option now.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Handler's Diary December 30th 2005

Musings and More WMF Information (NEW)

Published: 2005-12-30,
Last Updated: 2005-12-30 20:10:48 UTC by Scott Fendley (Version: 1)


Websense released some more information about their investigation in some website exploitation that involves IFRAMEs and WMF vulnerability. My fellow handler Lorna said recently, "IFrames are always suspect in my eyes." In light of this information, I have to agree with her. Take a look at Websense Security Labs website for details of their investigation including a nice movie file showing the exploitation at work.

As a side note, I am quite thankful that most university and K-12 schools are still on holiday until next week. This will hopefully give enough lead time for the mass media to report on this issue, and maybe, just maybe, Microsoft will have a better solution for the home users and our student populations. *crossing his fingers that MS will release a preliminary update quickly*

One reader sent us the following summary, which pretty nicely outlines the issues with this vulnerability:

  1. Filename extension filtering will not work.
  2. Even if you un-register the DLL, some programs may re-register it by invoking it (shimgvw.dll) directly.
  3. You have to delete or rename the DLL to protect yourself. However, remember to undo this once there is a patch.
  4. While images embedded into documents may not immediately trigger the exploit, they may once saved into their own file.

The reader goes on to note that whatever mitigation is offered in Microsoft's advisory is not much more than a quick temporary band-aid. What we need is a patch and we need it quick.


--
Scott Fendley
Handler on Duty

JS_ONLOADXPLT.B - Description and solution.

Description: 

This malicious JavaScript contains an exploit code that is triggered upon interaction with the Web page http://www.hyipg{BLOCKED}index.htm. Upon visiting the said Web page, this malicious Javascript that is embedded in the Web page http://www.hyipg{BLOCKED}/image is executed.

It also executes a shell code that causes the download and execution of the file 1.EXE from the Web page http://www.hyipgold{BLOCKED}.com/image. However, the said Web pages are inaccessible as of this writing.

Interaction with the aforementioned Web pages may allow malicious users to execute code of choice on the affected system. The said action may enable them to take virtual control of the system.

This malicious JavaScript takes advantage of the File Download Dialog Box vulnerability in Internet Explorer. However, user interaction is required to fully exploit the said vulnerability. For more information on the said vulnerability, please refer to the Microsoft Web page Microsoft Security Bulletin MS05-054.

My virus sense is tingling, I hope Microsoft comes up with a patch soon.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Handler's Diary December 29th 2005

Microsoft Advisory (NEW)

Published: 2005-12-30,
Last Updated: 2005-12-30 07:59:43 UTC by Scott Fendley (Version: 2)

Microsoft has issued a security advisory on the WMF vulnerability.

Details are available here.

Update by Scott Fendley:
Microsoft has updated their security advisory tonight (December 30 UTC) with more information and frequently asked questions with answers.

Some notable things that I read in it:

"** Windows Metafile (WMF) images can be embedded in other files such as Word documents. Am I vulnerable to an attack from this vector?

No. While we are investigating the public postings which seek to utilize specially crafted WMF files through IE, we are looking thoroughly at all instances of WMF handling as part of our investigation. While we're not aware of any attempts to embed specially crafted WMF files in, for example, Microsoft Word documents, our advice to accept files only from trusted sources would apply to any such attempts.

** It has been reported that malicious files indexed by MSN Desktop Search could lead to exploitation of the vulnerability. Is this true?

We have received reports and are investigating them thoroughly as part of our ongoing investigation. We are not aware at this time of issues around the MSN Desktop Indexer, but we are continuing to investigate.

** Is this issue related to Microsoft Security Bulletin MS05-053 - Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424) which was released in November?

No, these are different and separate issues.

** Are there any third party Intrusion Detection Systems (IDS) that would help protect against attempts to exploit this vulnerability?

While we don't know of specific products or services that currently scan or detect for attempts to render specially crafted WMF files, we are working with our partners through industry programs like VIA to provide information as we have it. Customers should contact their IDS provider to determine if it offers protection from this vulnerability."

--
Scott Fendley
Handler on Duty

The hits just keep on coming...

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Handler's Diary December 30th 2005

Lotus Notes Vulnerable to WMF 0-Day Exploit (NEW)

Published: 2005-12-30,
Last Updated: 2005-12-30 07:55:01 UTC by Scott Fendley (Version: 2)

John Herron at NIST.org discovered today that Lotus Notes versions 6.x and higher are vulnerable to the WMF 0-day exploit. In the advisory, located on the NIST website here, John reports that Lotus Notes remained vulnerable even after running the regsvr32 workaround in the Microsoft security advisory.

Update:

Our dedicated reader from Finland, Juha-Matti Laurio, has confirmed that IBM is aware of the vulnerability above. He had a couple of recommended workarounds for those using the Lotus Notes (Domino) system. I expect that IBM will be releasing an advisory directly with this information.

"1. Filter all common picture file extensions at the network perimeter.

The following file extensions are recommended: BMP, DIB, EMF, GIF, ICO, JFIF, JPE, JPEG, JPG, PNG, RLE, TIF, TIFF and WMF, because Microsoft Windows handles picture files by the information in the file header, not by the file extension used.

2. Do not Open... or View... picture files from untrusted sources."

Thanks for that information Juha-Matti.

--
Scott Fendley
Handler on Duty

Here it is, ready for download to use with the new City of Heroes collectible card game. Made with the City of Heroes CCG Hero Card Builder, here is Hanford Man in his latest costume!!

Hanford Man's latest costume

F-Secure : News from the Lab - WMF, day 2

WMF, day 2 Posted by Mikko @ 08:30 GMT

Microsoft and CERT.ORG have issued bulletins on the Windows Metafile vulnerability:
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.kb.cert.org/vuls/id/181038

Microsoft's bulletin confirms that this vulnerability applies to all the main versions of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003.

They also list the REGSVR32 workaround. It's a good idea to use this while waiting for a patch. To quote Microsoft's bulletin:

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).

This workaround is better than just trying to filter files with a WMF extension. There are methods where files with other image extensions (such as BMP, GIF, PNG, JPG, JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO) could be used to exploit a vulnerable machine.

[Image: iframecash - don't visit the site]

We got several questions on our note on Google Desktop yesterday. Bottom line is that if an image file with the exploit ends up on your hard drive, Google Desktop will try to index it and will execute the exploit in the process. There are several ways such a file could end up on the local drive. And this indexing-will-execute problem might happen with other desktop search engines too.

And finally, you might want to start to filter these domains at your corporate firewalls too. Do not visit them.


So far, we've only seen this exploit being used to install spyware or fake antispyware / antivirus software on the affected machines. I'm afraid we'll see real viruses using this soon.

Trend Micro has renamed the previously discovered Trojans that use the 0-day exploit, and has a listing for a fourth.

TROJ_NASCENE.A
TROJ_NASCENE.B
TROJ_NASCENE.C
TROJ_NASCENE.D
TROJ_WMFCRASH.A

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Handler's Diary December 29th 2005

* Update on Windows WMF 0-day (NEW)

Published: 2005-12-29,
Last Updated: 2005-12-29 11:23:53 UTC by Chris Carboni (Version: 1)


Update 23:00 UTC: The vulnerability seems to be within SHIMGVW.DLL. Unregistering this DLL (type REGSVR32 /U SHIMGVW.DLL at the command prompt or in the "Start->Run" Window, then reboot) will resolve most of the vulnerability, but will also break your Windows "Picture and Fax Viewer", as well as any ability of programs like "Paint" and "Explorer" to display thumbnails of any picture and real (benign) WMF files.

Update 23:19 UTC: Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.
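The point made in this update (and in the F-Secure and Juha-Matti notes elsewhere on this page) is that Windows recognises a WMF by its header, not its extension, so an extension filter at the perimeter can be bypassed by a renamed file. As an added example, not code from ISC, F-Secure or Microsoft, here is a Python checker that does the same content-based identification for a gateway or file-share scan; the header layout it assumes is the documented placeable (Aldus) header followed by the 18-byte METAHEADER, and the sample "files" are constructed inline.

```python
import struct

# Placeable (Aldus) WMF key 0x9AC6CDD7 as it appears on disk (little-endian)
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
PLACEABLE_HEADER_LEN = 22   # key(4) handle(2) bbox(8) inch(2) reserved(4) checksum(2)
META_HEADER_LEN = 18        # METAHEADER: type, headersize, version, size, objects, maxrecord, params
META_HEADER_FMT = "<HHHIHIH"


def parse_meta_header(data, offset=0):
    """Return the METAHEADER fields found at `offset`, or None if they do not look like WMF."""
    if len(data) < offset + META_HEADER_LEN:
        return None
    mt_type, hdr_words, version, size_words, n_objects, max_record, _ = \
        struct.unpack_from(META_HEADER_FMT, data, offset)
    # mtType 1 = memory metafile, 2 = disk metafile; the header is always 9 words;
    # mtVersion is 0x0100 (Windows 1.0) or 0x0300 (Windows 3.0).
    if mt_type not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    return {"type": mt_type, "version": version, "size_words": size_words,
            "objects": n_objects, "max_record_words": max_record}


def classify(data):
    """Identify a WMF from its bytes alone, the way the renderer does, ignoring the file name."""
    if data[:4] == PLACEABLE_KEY:
        hdr = parse_meta_header(data, PLACEABLE_HEADER_LEN)
        kind, body_len = "wmf-placeable", len(data) - PLACEABLE_HEADER_LEN
    else:
        hdr = parse_meta_header(data, 0)
        kind, body_len = "wmf", len(data)
    if hdr is None:
        return None
    hdr["kind"] = kind
    # mtSize counts the whole metafile in 16-bit words; a claim larger than the file is suspect
    hdr["size_consistent"] = hdr["size_words"] * 2 <= body_len
    return hdr


def find_disguised(samples):
    """Names of files whose content is WMF but whose extension says otherwise."""
    return [name for name, data in samples.items()
            if classify(data) is not None and not name.lower().endswith(".wmf")]


def build_wmf(placeable):
    """Constructed minimal metafile for testing: a header followed by a META_EOF record only."""
    eof = struct.pack("<IH", 3, 0x0000)               # record size 3 words, function META_EOF
    total_words = (META_HEADER_LEN + len(eof)) // 2   # 12 words
    header = struct.pack(META_HEADER_FMT, 1, 9, 0x0300, total_words, 0, 3, 0)
    if not placeable:
        return header + eof
    # key, handle, bbox (left, top, right, bottom), units per inch, reserved; checksum added below
    pre = struct.pack("<IHhhhhHI", 0x9AC6CDD7, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for word in struct.unpack("<10H", pre):           # checksum is the XOR of the first 10 words
        checksum ^= word
    return pre + struct.pack("<H", checksum) + header + eof


# Constructed sample "files": two WMFs hiding behind other image extensions, two genuine non-WMF headers
SAMPLES = {
    "holiday.jpg": build_wmf(placeable=True),
    "card.gif": build_wmf(placeable=False),
    "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(40),      # JPEG SOI marker
    "logo.png": b"\x89PNG\r\n\x1a\n" + bytes(40),      # PNG signature
    "chart.wmf": build_wmf(placeable=True),            # honest extension, not reported
}

if __name__ == "__main__":
    for name in find_disguised(SAMPLES):
        print(name, classify(SAMPLES[name]))
```

Run against a real directory by reading each file's first few hundred bytes into the same dict; anything reported deserves the same handling as a .wmf regardless of what the name claims.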

Microsoft finally releases a security advisory on the 0-day WMF exploit.

Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
Published: December 28, 2005

Microsoft is investigating new public reports of a possible vulnerability in Windows. Microsoft will continue to investigate the public reports to help provide additional guidance for customers.

Microsoft is aware of the public release of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged-on user, when such user is visiting a Web site that contains a specially crafted Windows Metafile (WMF) image. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

Customers are encouraged to keep their antivirus software up to date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. We will continue to investigate these public reports.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, applying software updates and installing antivirus software. Customers can learn more about these steps at the Protect Your PC Web site.

Customers who believe they may have been affected by this issue can contact Product Support Services. You can contact Product Support Services in the United States and Canada at no charge using the PC Safety line (1 866-PCSAFETY). Customers outside of the United States and Canada can locate the number for no-charge virus support by visiting the Microsoft Help and Support Web site.

For full details, see the following: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.

Update on a previous post.

Trend Micro has two new descriptions for Trojans that use this vulnerability as well.

TROJ_WMFXEXE.A
TROJ_WMFMSITS.A

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Handler's Diary December 28th 2005

* Update on Windows WMF 0-day (NEW)

Published: 2005-12-28,
Last Updated: 2005-12-28 20:02:19 UTC by Daniel Wesemann (Version: 1)

Update 19:07 UTC: We are moving to Infocon Yellow for a bit. There has been some debate among the handlers about this step, but considering that a lot of people are on holidays and might otherwise miss the WMF 0-day problem, we have decided to raise the alert level.

The folks at Websense Labs have a nice movie on how it looks like if a system gets exploited by this WMF 0-day, see http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv . Don't go to any of the URLs visible in the movie unless you know what you are doing (or feel like spending the next hours reinstalling your PC).

The original exploit site (unionseek.com) is no longer up. But the exploit is being served from various sites all over by now, see the F-Secure Blog on http://www.f-secure.com/weblog/ for an update on the versions of the exploit found in the wild.

Working exploit code is widely available, and has also been published by FRSIRT and the Metasploit Framework.

Regarding DEP (Data Execution Protection) of XPSP2, the default settings of DEP will not prevent this exploit from working. Comments we have received in the meantime suggest that if you enable DEP to cover all programs (as documented on Microsoft Technet ), the WMF exploit attempt will result in a warning and not run on its own.

While the original exploit only referred to the Microsoft Picture and Fax Viewer, current information is that any application which automatically displays or renders WMF files is vulnerable to the problem. This includes Google Desktop, if the indexing function finds one of the exploit WMFs on the local hard drive - see the F-Secure Weblog mentioned above for details.