December 2005 - Posts

Kaspersky has received information on a new IM worm hitting the Netherlands. The worm apparently spreads over MSN Messenger as a malformed WMF file named xmas-2006 FUNNY.jpg (note the disguised extension).

Kaspersky Lab Blogs

Please be careful when opening New Year's greeting links or other seasonal greetings.

There is a "new and improved" edition of the WMF exploit that does not use the .wmf extension.  It also varies the file size randomly to better evade AV signature detection.  The Internet Storm Center has raised its alert level to Yellow.  There is little or no AV protection available yet, so extra caution should be used.

New exploit released for the WMF vulnerability - YELLOW 

A copy of the actual exploit can be found at FrSIRT for anyone wanting to review the code, but please use caution.  The exploit generates files with the following characteristics:

* a random size;
* no .wmf extension (the generator uses .jpg, but any other image extension would work just as well);
* a random piece of junk in front of the bad call, crafted to be larger than the MTU of an Ethernet network (so the malicious record never sits in the first packet a network signature inspects);
* a number of alternative calls for triggering the exploit, listed in the source;
* a random trailer.

A security firm from Belgium offers a testing facility for browsers.  I tested IE 6 (XP SP2 version), Firefox 1.5, and Opera 8.51 and all three passed the test as follows:

The Browser Security Test is finished. Please find the results below:

High Risk Vulnerabilities 0
Medium Risk Vulnerabilities 0
Low Risk Vulnerabilities 0

QUOTE:  Can someone hack into your computer via your browser? How vulnerable are you? Can websites install spyware through your browser?  Scanit's Browser Security Test automatically checks your browser for various security problems. When the test is finished you get a complete report explaining the discovered vulnerabilities, their impact and how to eliminate them.

Start the Test

Microsoft has issued Security Advisory 912840, "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution".  As the advisory notes, Microsoft is giving top priority to testing and providing a fix for the WMF exploits currently circulating.  So far, most WMF attacks come from visiting unsafe websites, so follow best practices, "think before you click" when web surfing, and never click on links in email or Instant Messaging.

Current recommendations for Malicious WMF Exploits in-the-wild

1. Keep your Anti-Virus and Anti-Spyware software as up-to-date as possible.  McAfee users should install DAT 4661 or higher now.
2. Stay away from any questionable sites and do not open WMF files or links in any environment (e.g., IM, email, web surfing, Explorer, etc.).
3. Filter and block WMF files in email and content filtering systems.
4. Don't rely on the .wmf extension alone: Windows identifies a metafile by its content, not its name.  A WMF file renamed to .gif or .jpg is still recognised as a WMF when Windows opens or previews it, and is rendered as one.
5. As an extra precaution, you can disable the vulnerable DLL.  The Full Disclosure workaround includes a downloadable .REG file for toggling shimgvw.dll on and off.  Another option is to unregister shimgvw.dll entirely (regsvr32 /u shimgvw.dll), at the cost of a minor loss of functionality: thumbnail previews in Windows Explorer and the Windows Picture and Fax Viewer will no longer work.  You can re-register the DLL later once a patch or better protection is available.
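A content-based check for the points made in the Internet Storm Center list above (the generator's files carry no .wmf extension and bury the dangerous record behind junk larger than one packet) and in recommendation 4 (Windows identifies a metafile by its content, not its name).  The scanner below is an added example written for this page, not code from the Internet Storm Center, Microsoft or any AV vendor: it recognises a WMF by its header regardless of filename, walks the record list, and reports META_ESCAPE records.  Flagging the SETABORTPROC escape sub-function (0x0009) comes from the public analysis of this bug (CVE-2005-4560, later fixed by MS06-001) and is not stated on the page itself; the two sample files are constructed here for illustration, with zero bytes where a real exploit would carry its payload.  Because the scanner works on the whole file rather than packet by packet, the junk-before-the-call trick does not affect it.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # key of the optional 22-byte "placeable" WMF header
META_EOF = 0x0000
META_SAVEDC = 0x001E         # harmless record used as filler in the samples below
META_ESCAPE = 0x0626
# Escape sub-function implicated in the in-the-wild exploits (public analysis of
# CVE-2005-4560 / MS06-001); the page itself does not name it.
SETABORTPROC = 0x0009


def find_metaheader(data: bytes):
    """Return the offset of the 18-byte METAHEADER if *data* is a WMF, else None.

    Identification is by content only, never by file extension: the Windows image
    code does the same, so a renamed .jpg/.gif is still parsed as a metafile.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                          # skip the placeable header
    if len(data) < off + 18:
        return None
    mtype, header_words, version = struct.unpack_from("<HHH", data, off)
    if mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
        return off
    return None


def scan_wmf(data: bytes) -> dict:
    """Walk the record list and report every META_ESCAPE record and its sub-function."""
    hdr = find_metaheader(data)
    if hdr is None:
        return {"is_wmf": False, "records": 0, "escapes": [], "setabortproc": False}
    pos = hdr + 18
    records = 0
    escapes = []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)   # size is in WORDs
        if size_words < 3:                # every record is at least 3 WORDs
            break                         # truncated or garbage tail: stop, never loop
        records += 1
        if func == META_EOF:
            break                         # anything after EOF (random trailer) is ignored
        if func == META_ESCAPE and pos + 10 <= len(data):
            esc_func, byte_count = struct.unpack_from("<HH", data, pos + 6)
            escapes.append((esc_func, byte_count))
        pos += size_words * 2
    return {
        "is_wmf": True,
        "records": records,
        "escapes": escapes,
        "setabortproc": any(e == SETABORTPROC for e, _ in escapes),
    }


# --- constructed sample files for this example (not real malware) --------------
def _record(func: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records: bytes) -> bytes:
    body = records + _record(META_EOF)
    total_words = (18 + len(body)) // 2
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300, total_words & 0xFFFF,
                         total_words >> 16, 0, 0, 0)
    return header + body


BENIGN = _wmf(_record(META_SAVEDC))

# Mimics the generator described above: junk records in front (270 x 6 bytes, i.e.
# larger than a 1500-byte Ethernet MTU), then the ESCAPE/SETABORTPROC record, then
# a random-looking trailer.  The payload bytes are zero filler, not shellcode.
JUNK = _record(META_SAVEDC) * 270
ESCAPE = _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8)
TRAILER = bytes(range(37))
MALICIOUS_AS_JPG = _wmf(JUNK + ESCAPE) + TRAILER   # would be delivered as "xmas-2006 FUNNY.jpg"

if __name__ == "__main__":
    for name, blob in (("greeting.wmf", BENIGN), ("xmas-2006 FUNNY.jpg", MALICIOUS_AS_JPG)):
        print(name, scan_wmf(blob))
```

Run scan_wmf over every attachment or downloaded object regardless of its extension; any file that parses as a WMF while carrying a .jpg or .gif name is already worth quarantining, and a META_ESCAPE record with sub-function 9 is the signal to block outright.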

Please click on this link for more information:

Malicious Zero Day Windows Metafile (WMF) Exploits are in-the-wild

Microsoft has issued a security advisory to share initial information on this new unpatched vulnerability which is being exploited in-the-wild.  As Microsoft advises keep your AV and anti-spyware software updated to the latest definitions.  

Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution

Please be careful with the sites you visit, and particularly with WMF (Windows Metafile) images rendered by Internet Explorer or other browsers; the WMF here is the Windows Metafile image format, not Windows Media.   I believe Microsoft will prioritize and patch this new vulnerability expeditiously, so please look for upcoming security advisories, workarounds, and ultimately a patch.  In the meantime, follow best practices by visiting only trusted sites and keep your AV protection updated, as anti-virus vendors will also prioritize protection for this new in-the-wild exploit.  Finally, the workaround offered by FrSIRT, noted at the bottom, appears promising.


Microsoft Windows WMF Handling Arbitrary Code Execution

Secunia Advisory: SA18255   
Release Date: 2005-12-28

Rating: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched

QUOTE: A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.  The vulnerability is caused due to an error in the handling of corrupted Windows Metafile files (".wmf"). This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. selecting the file). This can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.

Solution:  Do not open or preview untrusted ".wmf" files and set security level to "High" in Microsoft Internet Explorer.

QUOTE: The Windows Picture and Fax Viewer vulnerability is a zero-day exploit that is capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may pose a dangerous situation in which a lot of systems may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it.

Microsoft Windows WMF Handling Remote Code Execution Vulnerability

FrSIRT Advisory: FrSIRT/ADV-2005-3086
Rated as : Critical
Remotely Exploitable : Yes

Recommended Workaround by FrSIRT: Disable "Windows Picture and Fax Viewer" : on the Start menu, choose Run, and then type "regsvr32.exe /u shimgvw.dll".

A new MSN Messenger "beta" is being offered as a lure to infect PCs and MSN accounts.  As a best practice, never accept software updates or products by email; Microsoft, for example, does not distribute any software by email.

Virkel.F: Spoofed as an MSN Messenger beta 8 download

QUOTE: There is no MSN Messenger 8. Not yet anyway. However, there's a new virus going around pretending to be "MSN Messenger 8 Working BETA".  There's two ways to catch it. First, by downloading it from a fake site where it has been supposedly "leaked" ...

During the past week, several spam emails have arrived labeled simply "MERRY CHRISTMAS".  The sender was an unfamiliar name, which is one quick way to spot and avoid these types of messages. 

Because a person's name can be spoofed in the From field, such messages can appear legitimate.  On a couple of these, the author seemed to be a familiar name and I wasn't certain if it was spam until the message was opened.   

Some of these messages were carefully evaluated from a security standpoint.  While most were aggressive advertising, some pointed to websites, and visiting an unknown website can introduce spyware or other malware.

"HAPPY NEW YEAR" messages will most likely follow.  In addition to spam, many viruses use themes and social engineering approaches centered on holiday greetings. 

Please be careful with all email you encounter, as messages that appear safe could be designed to trick folks into infecting their PCs with spyware or viruses.  Keep your AV software and Windows updated to the latest levels of protection.  Finally, as an additional safety precaution, reading email in plain text mode can help somewhat, since it prevents HTML content from rendering.

VMware: an EMC Company.  VMware is a great management product for server consolidation, as it creates logical partitions on large corporate servers to run multiple operating systems efficiently.  A security update has been issued; FrSIRT rates the issue as Moderate Risk, but because the flaw sits in the administrative Management Interface, where a script runs with the administrator's session, system administrators are urged to apply the patch quickly.

VMware ESX Server - Critical update for Cross Site Scripting Issue

Advisory ID : FrSIRT/ADV-2005-3084
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes

Release Date : 2005-12-24

Technical Description: A vulnerability has been identified in VMware ESX Server, which may be exploited by attackers to inject malicious HTML code. This flaw is due to an input validation error in the VMware Management Interface that does not properly validate certain parameters, which may be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.

Affected Products: VMware ESX Server 2.0.x, 2.1.x, 2.5.x

Solution: Apply the latest VMware patches

   Below are some key links that can help strengthen Linux security controls:

Internet Storm Center Article

Introduction to IP Tables

Advanced Tutorial


Some of my friends at the SpyWare forums have created an interesting version of the Twelve Days of Christmas.  May everyone reading this have a wonderful Christmas, Hanukkah, and other special holidays being celebrated at this time.   Here's also hoping that 2006 is the best year ever as we go into a brand new year next week.

SpyWare Forums: The twelve e-mails of Christmas!

On the first day of Christmas my e-mail sent to me; A virus for my PC.

On the second day of Christmas my e-mail sent to me; Two Sasser Worms, and a virus for my PC.

On the third day of Christmas my e-mail sent to me; Three search bars, two Sasser Worms and a virus for my PC.

On the fourth day of Christmas my e-mail sent to me; Four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.

On the fifth day of Christmas my e-mail sent to me; Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.

On the sixth day of Christmas my e-mail sent to me; Six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.

On the seventh day of Christmas my e-mail sent to me; Seven rootkits, six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.

On the eighth day of Christmas my e-mail sent to me; Eight Smitfrauds, seven rootkits, six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.

On the ninth day of Christmas my e-mail sent to me; Nine Qoologics, eight Smitfrauds, seven rootkits, six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.

On the tenth day of Christmas my e-mail sent to me; Ten BHOs, nine Qoologics, eight Smitfrauds, seven rootkits, six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.

On the eleventh day of Christmas my e-mail sent to me; Eleven peper files, ten BHOs, nine Qoologics, eight Smitfrauds, seven rootkits, six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.

On the twelfth day of Christmas my e-mail sent to me; A link to

  A major new phpBB attack is circulating and site administrators should ensure they are on phpBB version 2.0.18 or higher.

phpBB Remote Command Execution and SQL Injection Vulnerabilities

Technical Description: Multiple vulnerabilities were identified in phpBB, which could be exploited by remote attackers to execute arbitrary commands or conduct SQL injection and cross site scripting attacks.

Exploit Code example
Please be careful as actual exploit code is present here

Affected Products: phpBB version 2.0.17 and prior

Solution - Upgrade to phpBB version 2.0.18

Several new variants of the Bagle downloader trojan and the corresponding email worm have surfaced recently.   These variants use ZIP files named after an individual as a social engineering scheme, so the attachments look as if they might be safe.  Users should avoid opening any email attachment until it has been scanned and confirmed safe, even when the message appears to come from a legitimate correspondent. 

Bagle - McAfee Information

This is a downloader trojan. However, like previous Bagle variants, it is likely that in the near future, the author(s) will post an accompanying EXE file on a remote server, which spams new versions of Bagle (not to addresses harvested on the local system, but to addresses specified in spam lists also on remote web servers). This trojan was mass-spammed in a ZIP attachment and uses people's names as the filenames:

Symantec information is noted below:

Several reports from Sophos are noted below:

- BagleDl-BD Reported by Sophos
- BagleDl-BB Reported by Sophos
- BagleDl-BC Reported by Sophos
- BagleDl-BA Reported by Sophos
- BagleDl-AZ Reported by Sophos

A corporate attorney sent the following out to the employees in his company.

1.  The next time you order checks have only your initials (instead of first name) and last name put on them.  If someone takes your checkbook, they will not know if you sign your checks with just your initials or your first name, but your bank will know how you sign your checks.

2.  Do not sign the back of your credit cards.  Instead, put "PHOTO ID REQUIRED."

3.  When you are writing checks to pay on your credit card accounts, DO NOT put the complete account number on the "For" line.  Instead, just put the last four numbers.   The credit card company knows the rest of the number, and anyone who might be handling your check as it passes through all the check-processing channels will not have access to it.

4.  Put your work phone # on your checks instead of your home phone.  If you have a PO Box, use that instead of your home address.  If you do not have a PO Box, use your work address.   Never have your Social Security number printed on your checks, (DUH!).  You can add it if it is necessary.  However, if you have it printed, anyone can get it.

5.  Place the contents of your wallet on a photocopy machine.  Do both sides of each license, credit card, etc.  You will know what you had in your wallet and all of the account numbers and phone numbers to call and cancel. Keep the photocopy in a safe place.   Also carry a photocopy of your passport when traveling either here or abroad.  We have all heard horror stories about fraud that is committed on us in stealing a name, address, Social Security number, credit cards.

6.  When you check out of a hotel that uses cards for keys (and they all seem to do that now), do not turn the "keys" in.  Take them with you and destroy them.   Those little cards have on them all of the information you gave the hotel, including address and credit card numbers and expiration dates.  Someone with a card reader, or employee of the hotel, can access all that information with no problem whatsoever.

* * * 

Unfortunately, as an attorney, I have first hand knowledge because my wallet was stolen last month.  Within a week, the thief (or thieves) ordered an expensive monthly cell phone package, applied for a VISA credit card, had a credit line approved to buy a Gateway computer and received a PIN number from DMV to change my driving record information online.   Here is some critical information to limit the damage in case this happens to you or someone you know:

1.  We have been told we should cancel our credit cards immediately.  The key is having the toll free numbers and your card numbers handy so you know whom to call.   Keep those where you can find them.

2.  File a police report immediately in the jurisdiction where your credit cards, etc., were stolen.  This proves to credit providers you were diligent, and this is a first step toward an investigation (if there ever is one).   However, here is what is perhaps most important of all (I never even thought to do this.)

3.  Call the three national credit reporting organizations immediately to place a fraud alert on your name and Social Security number.  I had never heard of doing that until advised by a bank that called to tell me an application for credit was made over the Internet in my name.   The alert means any company that checks your credit knows your information was stolen, and they have to contact you by phone to authorize new credit.  By the time I was advised to do this, almost two weeks after the theft, all the damage had been done.   There are records of all the credit checks initiated by the thieves' purchases, none of which I knew about before placing the alert. Since then, no additional damage has been done, and the thieves threw my wallet away this weekend (someone turned it in).   It seems to have stopped them dead in their tracks.

Now, here are the numbers you always need to contact about your wallet and contents being stolen:

1.) Equifax: 1-800-525-6285
2.) Experian (formerly TRW): 1-888-397-3742
3.) TransUnion : 1-800-680-7289
4.) Social Security Administration (fraud line): 1-800-269-0271

Folks need to treat instant messages with the same care and suspicion they would email.  Files or URLs found in instant messages can be malicious.  This new IM worm installs a rootkit, which can be very difficult for AV software to detect and remove.

Links are noted below

Internet Storm Center Warning


IM Logic

QUOTE: A new worm posing as a come-on to a Santa Claus site is traveling across all the major instant messaging networks, a security firm warned Tuesday, and when recipients visit the bogus site, they're infected with a file hidden from sight by a rootkit. IMlogic said that the worm, dubbed "M.GiftCom.All," is circulating on the MSN, AOL, ICQ, and Yahoo instant messaging services, is a "Medium" threat, a relatively rare classification for the Waltham, Mass.-based company. Most IM worms and Trojans listed on its Threat Center receive only a "Low" classification. Like virtually all IM worms, M.GiftCom.All includes a URL in messages it spams out to contacts hijacked from previously-infected PCs.
