New IM Worm Exploiting WMF Vulnerability

An anonymous reader writes "After less than a four days after original mailing list posting there are reports about a new Instant Messaging worm exploiting unpatched Windows Metafile vulnerability. This worm is using MSN to spread, reports Viruslist.com."

How do I avoid it? Fixes?

[Ruff_ilb]

These would be good things to know...

Re:How do I avoid it? Fixes?

[jrockway]

> Don't blame Windows lack of security, it's more its market share

Explain to me, then, why IIS is less widely-deployed than Apache, but IIS has significantly more worms.

Re:How do I avoid it? Fixes?

[ltbarcly]

As soon as Windows is dead and "insert linux distro here" gets their market share we will still be hearing about the latest and greatest worms for that distro.

Pure speculation. There is absolutely no reason to believe that market share is the cause of low security. Shitty programmers with little or no Q/A, and a huge festering codebase which is continually patched together with duck tape to keep it going, along with a refusal to force 3rd party vendors to release software which runs properly (IE doesn't require local admin to run) causes security holes. For example, TOAD, some sql development software for Oracle, requires, REQUIRES, full write privileges to the directory it is installed in, or it refuses to run. This is mainstream software, and is used probably by millions of developers. But it still places fucking ini files in the install directory.

Don't blame Windows lack of security, it's more its market share, transparency between versions to blame and the lack of brains on the end user's parts.

Why would an end user suspect that opening a picture file could cause a virus to be installed on to their computer? Windows doesn't have *bad* security, Windows has no security. In order to have a useable system you MUST run Windows as local administrator. Thus every program you run has the power to format your hard drive if it likes. Every process which is run and has a flaw has the potential to fuck your computer up.

Transparency between versions? How does that cause poor security? Shouldn't the fact that MS recycles about 90% of their code between releases give them a lot more resources to track down those HUGE, GAPING holes in their OS?

FOR CHRISTS SAKE! Windows can be infected by a virus just by having certain things displayed on the screen! What an insane piece of shit it must be.

Re:Macs

[Hiro+Antagonist]

Talk about trolling flamebait. Apple makes money on hardware, not operating systems, so it behooves them to make their operating system work on their hardware. The nice thing about this is that they make some damn nice harware (I'm typing this on a PowerBook), and that they have very little incentive to 'feature-pack' their OS like Microsoft does -- so you get less in the way of quirky 'features', and a hell of a lot of functionality.

Plus, OS X is a Unix, which means it plays nicely with other Unices, and it behaves like a Unix on the command line -- so I get all the power of pipes, vi, Bash, the BSD ports collection (a la Darwinports), gcc, and so on. On the GUI side, it behaves like a Mac -- and I think you'd be hard-pressed to fault Apple for their GUI design.

Best of both worlds; you just have to shell out a slight premium for the hardware, and given that you get a REAL OS with it, I'd say that Mac offers a better bargain for the desktop user than any Dell or Gateway.

It's worse than that

I do infosec stuff at a well-known corporation, including Incident Response, and I've been following this closely & working on our response.

Since the first exploit came to light, H.D.Moore of the Metasploit project has reworked the original package they did. The new exploit spits out exploit WMF files that come:

• with a random size;
• no .wmf extension, (.jpg), but could be any other image extension actually;
• a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
• a number of possible calls to run the exploit are listed in the source;
• a random trailer

This makes it rather hard for antivirus and IDS sigs to detect it, though Snort and the A/V people are working late over their holidays to improve detection.

SANS/ISC have provided excellent continued summaries of events around this. Here's their FAQ on the issue.

This is looking truly horrible. On Tuesday morning zillions of Windows desktops will be fired up for the first time in a week or two. This thing's already in widespread use by a number of malware distribution networks for the usual reasons. As such it's a nightmare for network and system admins with Windows machines to look after (and us security people trying to provide advice & assistance for them...) But the stealth nightmare is that this is an absolute jackpot for the less visible targetted attacks, such as those emanating from China for the past couple of years (google around, Slashdot and Schneier have covered this as well as many other places.) There are also the opportunistic types who see an easy opportunity to pwn some key machines where they work, say. I will stick my neck out here and make a prediction. Virtually all organisations with Windows machines are effectively wide open to total compromise by a reasonably informed person. That means much of the IT dept as well as significant numbers of the 'interested poweruser' types, developers with a casual interest in security,.. anyone who's heard of this and is capable of running the findingm, running and using the new exploit, basically. Of course we're all tweaking our IDSes and antivirus, locking things down as tight as possible in the 48 hours remaining, but... *shudder*

For ten years I've been waiting for Microsoft's luck to run out. This is about #3 on my list of catastrophic MS incidents. There aren't many ways things could be worse.

It will be a good time to be running Linux on work machine, though :)

Re:It's worse than that

[Lehk228]

this is MUCH worse than a network worm.

worms are pretty easy to seal out with a firewall and are easally patched. this exploit allows all sorts of local user exploits in a corporate environment. it also so far has been able to fly through hardware and software firewalls of all shapes and sizes.

Re:Another GOOD reason not to run IM!

[unity]

My customers use IM. My coworkers use IM. I use IM.

IM is potentially the most influential communication medium since email.
I have had quite a few of my customers tell me that "The simple fact that I can reach you via IM, has made your company's service better than any other partner."

IM is "instant", offers logging of communications and doesn't require somebody to check their email (it pops up on their screen). In many ways it is a better communication tool than other options: phone, email or fax. You can even use it to see if somebody is in the office yet, or out to lunch. I could go on and on...

Feel free to not use it; the rest of the modern business world won't be joining you.

Re: There needs to be...

[Black+Parrot]

> Windows remains because for the stuff I do with my computer and the expectations I place upon it

If people would aim their expectations at their software vendors rather than their computers, that problem would go away.