Sunday, January 01, 2006

More WMF exploit madness

This thing only gets worse. The good news is that the temporary fix that I wrote about yesterday has been tested and the code has been reviewed by several experts. It appears to work as advertised for Windows XP (32- and 64-bit versions) and Windows 2000 machines. That covers most users, but it leaves a significant number of people vulnerable.

Update your virus definitions NOW. It may not be a complete help (as noted below), but it can prevent a number of infections that are now using the WMF exploit to propagate. According to SANS, via Sunbelt Blog:
On New Year's Eve the defenders got a 'nice' present from the full disclosure community.

The source code claims to be made by the folks at metasploit and xfocus, together with an anonymous source.

Note: We have been able to confirm that this exploit works. We are in the process of getting information to AV vendors ASAP. We can also confirm that having the file and simply opening the directory can be enough to get the exploit running.

The exploit generates files:
  • with a random size;
  • no .wmf extension, (.jpg), but could be any other image extension actually;
  • a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
  • a number of possible calls to run the exploit are listed in the source;
  • a random trailer
From a number of scans we did through virustotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly it is very unlikely any of the IDS signatures for the previous versions of the WMF exploits work for this next generation.

Judging from the source code, it will likely be difficult to develop very effective signatures due to the structure of the WMF files.

Infection rate

McAfee announced on the radio yesterday they saw 6% of their customers having been infected with the previous generation of the WMF exploits. 6% of their customer base is a huge number.

F-Secure is reporting that this exploit is now being spread through worms and Spam. The worms are coming through Microsoft's Instant Messenger. From F-Secure's blog:
It's a MSN Messenger worm sending links to an image file (link ending with "xmas-2006 FUNNY.jpg"). The link actually contains a web page with a malicious WMF file.
and...

The emails have a Subject: "Happy New Year", body: "picture of 2006" and contain an exploit WMF as an attachment, named "HappyNewYear.jpg" (MD5: DBB27F839C8491E57EBCC9445BABB755). We detect this as PFV-Exploit.D.

When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com. Admins, filter this domain at your firewalls.

It's going to get worse.

This latest way into the system, email spam, uses a new version of the WMF exploit based on code published online. As F-Secure notes:

We are aware that a new exploit for the WMF vulnerability has been published. This one is much more advanced than the old one, and much more dangerous.

It enables clueless newcomers to easily craft highly variable and hard-to-detect variations of image files. Images that take over computers when viewed. And do this on all common Windows platforms. With no vendor patch for the vulnerability available. Meaning that there are hundreds of millions of vulnerable computers in the net right now.

Making such tools publicly available when there's no vendor patch available is irresponsible. Plain and simply irresponsible. Everybody associated in making and publishing the exploit knows this. And they should know better. Moore, A.S, San and FrSIRT: you should know better.

SANS has a terrific WMF FAQ. Also from SANS (regarding the patch linked to at the top of this post):
We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective.

The word from Redmond isn't encouraging. We've heard nothing to indicate that we're going to see anything from Microsoft before January 9.

The upshot is this: You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.
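
The SANS and F-Secure notes quoted above describe exploit files that carry an image extension such as .jpg and put junk in front of the bad call. As an added example (not code from this post, SANS or F-Secure), the Python below triages a file on disk by content rather than name: it parses the WMF header, walks past any leading records, and flags an Escape record with the SETABORTPROC sub-function. It assumes that record is the bad call, which the post does not name; the function names and sample bytes are constructed for illustration.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte "placeable" pre-header
META_ESCAPE = 0x0626         # WMF record function: Escape
SETABORTPROC = 0x0009        # Escape sub-function (assumed to be the "bad call")
IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".png", ".bmp", ".tif")

def parse_wmf(data):
    """Return a list of (function, params) records, or None if data is not a WMF."""
    off = 22 if data[:4] == struct.pack("<I", PLACEABLE_KEY) else 0
    if len(data) < off + 18:
        return None
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    off, records = off + 18, []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:           # malformed: a record is at least 3 words
            break
        records.append((func, data[off + 6: off + size_words * 2]))
        if func == 0:                # META_EOF ends the metafile
            break
        off += size_words * 2        # skip whatever records come first
    return records

def triage(name, data):
    """Classify a file by content; the name only decides 'disguised' vs plain."""
    records = parse_wmf(data)
    if records is None:
        return "not-wmf"
    for func, params in records:
        if func == META_ESCAPE and params[:2] == struct.pack("<H", SETABORTPROC):
            return "wmf-setabortproc"
    if name.lower().endswith(IMAGE_EXTS):
        return "wmf-disguised"       # WMF content behind another image extension
    return "wmf"

# Constructed samples: header plus harmless records, no payload of any kind.
def _rec(func, params=b""):
    return struct.pack("<IH", 3 + len(params) // 2, func) + params

HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
SETMAPMODE = _rec(0x0103, b"\x08\x00")
SAMPLE_PLAIN = HEADER + SETMAPMODE + _rec(0)
SAMPLE_ESCAPE = (
    HEADER + SETMAPMODE + _rec(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)) + _rec(0)
)
```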
