Slashdot Mirror

← Back to Stories (view on slashdot.org)

New IM Worm Exploiting WMF Vulnerability

Posted by CmdrTaco on from the happy-new-years-windows-users dept.

An anonymous reader writes "After less than a four days after original mailing list posting there are reports about a new Instant Messaging worm exploiting unpatched Windows Metafile vulnerability. This worm is using MSN to spread, reports Viruslist.com."

30 of 360 comments (clear)

  1. How do I avoid it? Fixes? by Ruff_ilb · · Score: 4, Insightful

    These would be good things to know...

    --
    http://www.TheGamerNation.com/Forums
    1. Re:How do I avoid it? Fixes? by Ruff_ilb · · Score: 4, Funny
      Perhaps the reason they posted it on Slashdot was that they were hoping that one of the thousands of programmers there wrote it. ;-)

      Fixed ;)
      --
      http://www.TheGamerNation.com/Forums
    2. Re:How do I avoid it? Fixes? by Maroulis · · Score: 4, Informative

      Microsoft suggests to unregister the problem dll.
      start->run
      regsvr32 -u %windir%\system32\shimgvw.dll

      http://www.microsoft.com/technet/security/advisory /912840.mspx

    3. Re:How do I avoid it? Fixes? by Lehk228 · · Score: 5, Funny

      use gaim, the image support is terrible you will be safe

      --
      Snowden and Manning are heroes.
    4. Re:How do I avoid it? Fixes? by Anonymous Coward · · Score: 5, Informative

      See discussion list at
      http://www.aota.net/forums/showthread.php?p=143053
      also check out FSecure's blog:
      http://www.f-secure.com/weblog/

    5. Re:How do I avoid it? Fixes? by FhnuZoag · · Score: 4, Informative

      That works for some things, but not everything, because shimgvw is NOT the problem dll. The real problem is in gdi32.dll, which IIRC is too important to be removed.

    6. Re:How do I avoid it? Fixes? by R3NZ · · Score: 5, Informative

      There seems to be a first fix.

      There is now a "Windows WMF Metafile Vulnerability HotFix" available from Ilfak Guilfanov. Have a look here http://www.hexblog.com/2005/12/wmf_vuln.html

      The problem - and the fix - has been discussed also at GRC.com's Security Now podcast. Check out this link http://www.grc.com/sn/notes-020.htm

    7. Re:How do I avoid it? Fixes? by nacturation · · Score: 4, Interesting

      That's about as helpful as advising tsunami victims that they move.

      For those who want actual advice: http://www.hexblog.com/ -- a fix which creates a hook to disable the affected code. The fix has been analyzed by Steve Gibson.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    8. Re:How do I avoid it? Fixes? by jrockway · · Score: 4, Insightful

      > Don't blame Windows lack of security, it's more its market share

      Explain to me, then, why IIS is less widely-deployed than Apache, but IIS has significantly more worms.

      --
      My other car is first.
    9. Re:How do I avoid it? Fixes? by ltbarcly · · Score: 5, Insightful

      As soon as Windows is dead and "insert linux distro here" gets their market share we will still be hearing about the latest and greatest worms for that distro.

      Pure speculation. There is absolutely no reason to believe that market share is the cause of low security. Shitty programmers with little or no Q/A, and a huge festering codebase which is continually patched together with duck tape to keep it going, along with a refusal to force 3rd party vendors to release software which runs properly (IE doesn't require local admin to run) causes security holes. For example, TOAD, some sql development software for Oracle, requires, REQUIRES, full write privileges to the directory it is installed in, or it refuses to run. This is mainstream software, and is used probably by millions of developers. But it still places fucking ini files in the install directory.

      Don't blame Windows lack of security, it's more its market share, transparency between versions to blame and the lack of brains on the end user's parts.

      Why would an end user suspect that opening a picture file could cause a virus to be installed on to their computer? Windows doesn't have *bad* security, Windows has no security. In order to have a useable system you MUST run Windows as local administrator. Thus every program you run has the power to format your hard drive if it likes. Every process which is run and has a flaw has the potential to fuck your computer up.

      Transparency between versions? How does that cause poor security? Shouldn't the fact that MS recycles about 90% of their code between releases give them a lot more resources to track down those HUGE, GAPING holes in their OS?

      FOR CHRISTS SAKE! Windows can be infected by a virus just by having certain things displayed on the screen! What an insane piece of shit it must be.

    10. Re:How do I avoid it? Fixes? by Heembo · · Score: 4, Informative
      This patch is a good start - but I would take a more defense-in-depth approach:

      1. unregister the ms pic and fax viewer dll
      2. make WMF file extension default to an erroneous app like notepad
      3. turn DEP up a notch
      4. turn off downloads in IE if you must use it (set default security settings to HIGH)
      5. load unofficial patch at http://handlers.sans.org/tliston/wmffix_hexblog13. exe - make sure you check against the md5 hash!!
      6. antivirus up to date, please check several times a day
      7. block all WMF files at the perimiter
      --
      Horns are really just a broken halo.
  2. Happy New Year! by Pedals · · Score: 4, Funny

    Well that didn't take long.

  3. temporary fixes by Phil246 · · Score: 5, Informative

    There is information available on temporary fixes from the following sites
    http://isc.sans.org/diary.php?rss&storyid=996
    http://www.f-secure.com/weblog/#00000760
    http://www.grc.com/sn/notes-020.htm

    be aware the runnable patch is completely unofficial, the only action microsoft suggest is unregistering a vulnerable dll which only mitigates the most common method of exploitation while not fixing the underlying problem.
    NFI how long it will take microsoft to have an official patch out, but from the sans site, it doesnt look promising that it will appear soon.

  4. Re:MSN? by sucker_muts · · Score: 5, Informative

    You MUST mean MSN Messenger.

    Netherlands being the place where it first appeared, and being from Belgium myself, I can say that everybody here simply says 'MSN' when they mean 'MSN Messenger'.
    It's more common in europe anyway to use MSN instead of other popular IM networks used thoughout the USA and other countries. IM was never popular with non-geek computer users here and when broadband internet (with a fixed price/month) arrived most teenagers (the primary group of users in europe) all started using MSN Messenger.

    --
    Dependency hell? => /bin/there/done/that
  5. Re:Macs by Hiro+Antagonist · · Score: 4, Insightful

    Talk about trolling flamebait. Apple makes money on hardware, not operating systems, so it behooves them to make their operating system work on their hardware. The nice thing about this is that they make some damn nice harware (I'm typing this on a PowerBook), and that they have very little incentive to 'feature-pack' their OS like Microsoft does -- so you get less in the way of quirky 'features', and a hell of a lot of functionality.

    Plus, OS X is a Unix, which means it plays nicely with other Unices, and it behaves like a Unix on the command line -- so I get all the power of pipes, vi, Bash, the BSD ports collection (a la Darwinports), gcc, and so on. On the GUI side, it behaves like a Mac -- and I think you'd be hard-pressed to fault Apple for their GUI design.

    Best of both worlds; you just have to shell out a slight premium for the hardware, and given that you get a REAL OS with it, I'd say that Mac offers a better bargain for the desktop user than any Dell or Gateway.

    --

    --
    I Hit the Karma Cap, and All I Got Was This Lousy .sig.
  6. It's worse than that by Anonymous Coward · · Score: 5, Insightful
    I do infosec stuff at a well-known corporation, including Incident Response, and I've been following this closely & working on our response.

    Since the first exploit came to light, H.D.Moore of the Metasploit project has reworked the original package they did. The new exploit spits out exploit WMF files that come:

    • with a random size;
    • no .wmf extension, (.jpg), but could be any other image extension actually;
    • a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
    • a number of possible calls to run the exploit are listed in the source;
    • a random trailer
    This makes it rather hard for antivirus and IDS sigs to detect it, though Snort and the A/V people are working late over their holidays to improve detection.

    SANS/ISC have provided excellent continued summaries of events around this. Here's their FAQ on the issue.

    This is looking truly horrible. On Tuesday morning zillions of Windows desktops will be fired up for the first time in a week or two. This thing's already in widespread use by a number of malware distribution networks for the usual reasons. As such it's a nightmare for network and system admins with Windows machines to look after (and us security people trying to provide advice & assistance for them...) But the stealth nightmare is that this is an absolute jackpot for the less visible targetted attacks, such as those emanating from China for the past couple of years (google around, Slashdot and Schneier have covered this as well as many other places.) There are also the opportunistic types who see an easy opportunity to pwn some key machines where they work, say. I will stick my neck out here and make a prediction. Virtually all organisations with Windows machines are effectively wide open to total compromise by a reasonably informed person. That means much of the IT dept as well as significant numbers of the 'interested poweruser' types, developers with a casual interest in security,.. anyone who's heard of this and is capable of running the findingm, running and using the new exploit, basically. Of course we're all tweaking our IDSes and antivirus, locking things down as tight as possible in the 48 hours remaining, but... *shudder*

    For ten years I've been waiting for Microsoft's luck to run out. This is about #3 on my list of catastrophic MS incidents. There aren't many ways things could be worse.

    It will be a good time to be running Linux on work machine, though :)

    1. Re:It's worse than that by Lehk228 · · Score: 4, Insightful

      this is MUCH worse than a network worm.

      worms are pretty easy to seal out with a firewall and are easally patched. this exploit allows all sorts of local user exploits in a corporate environment. it also so far has been able to fly through hardware and software firewalls of all shapes and sizes.

      --
      Snowden and Manning are heroes.
    2. Re:It's worse than that by borderpatrol · · Score: 5, Informative

      I work for a major electronics retailer in the Service department. Most of our duties are simple PC repair, data backup, and virus/spyware removal.

      I have seen in the past week our work increase 5 fold because of this exploit. What is normally a very slow time of the year for us has become very busy for us and it's making me nervous myself.

      We had a few customer that bought brand new computers and laptop and are bringing them back the same day with this exploit. A quick check reveals that their Norton was up-to-date, yet this stuff still slipped in. Other customers are getting this thing left and right. Unfortunately I have not much to tell them except to keep updating all your security products daily as it's only going to get worse before it gets better. Hand them a copy of Norton and Sunbelt Counterspy and tell them good luck.

      I do believe there is a bit a social engineering planned into this. Customers with year-end financials, tax season starting up, holiday credit card payments and statements coming through. Very ripe time to plucking financial and personal data. And with this being an extended holiday weekend, this exploit has a bit of time to fester and refine itself before the big trojan/virus with a major payload slips past the AV and Adware detections and onto millions of computers. What happens when someone combines with exploit with a backgood into a major ad server network? Imagine the damage then.

      I'm doing the best I can at my house against this thing, but looking at the 7+ Windows boxes I'm now worrying about updating, installing, patching and unregistering, and the 1 Apple laptop I haven't had to restart in 6 months, and I wonder if this is going to be the big one that really gives Microsoft the black eye it can't recover from.

      --
      Yeah I've been starving them, teasing them, singing off key. Me may mah mo, me mo ma me.
  7. Most importantly: THERE IS A FIX by FhnuZoag · · Score: 5, Informative

    It's unofficial, but it works.

    http://www.hexblog.com/2005/12/wmf_vuln.html

  8. Re:Developers, stop using ... by Anonymous Coward · · Score: 4, Informative

    Block popups on the internet security zone and allow them in the trusted zone then add your credit union to the list of sites you trust and refresh the page for the settings to take effect. Basically you need to create a white list of trusted sites while blocking all the riff raff. It doesn't matter what version of IE you use install the IE5.5 power toys which will add two settings to the tools menu called add to restricted zone and add to trusted zone. It ain't rocket science.

  9. Ah, Slashdot... by SheeEttin · · Score: 4, Funny

    Ah, Slashdot... where the first post is modded "redundant".

  10. Re:Another GOOD reason not to run IM! by unity · · Score: 5, Insightful

    My customers use IM. My coworkers use IM. I use IM.

    IM is potentially the most influential communication medium since email.
    I have had quite a few of my customers tell me that "The simple fact that I can reach you via IM, has made your company's service better than any other partner."

    IM is "instant", offers logging of communications and doesn't require somebody to check their email (it pops up on their screen). In many ways it is a better communication tool than other options: phone, email or fax. You can even use it to see if somebody is in the office yet, or out to lunch. I could go on and on...

    Feel free to not use it; the rest of the modern business world won't be joining you.

  11. Fearmongering by eddy · · Score: 4, Interesting

    What we need now is for someone to find a remote exploit in a popular webserver and combine both exploits into a worm, 'cause then we're all really fucked.

    --
    Belief is the currency of delusion.
  12. Re:Can't think with a hang-over by ettlz · · Score: 5, Funny

    Seven Sony rootkits,
    Six keystroke loggers,
    Five porn diallers!
    Four Exploit.WMFs,
    Three Mytobs,
    Two Bifrose-Ds,
    And a homepage stuck on goatse.

  13. Do. This. Now. by Bozdune · · Score: 4, Informative

    Get a patch here: http://www.hexblog.com/2005/12/wmf_vuln.html

    All the necessary information and explanation (plus q/a) is here. This is the only hope at present. Good luck to everyone on Jan 2 when this thing takes over the world.

  14. Re:Is this the exploit reported back in November? by Heembo · · Score: 4, Informative

    This is the same basic exploit - but the seriousness and criticality is dramatically harder. A malicious file can contain any file extension of any random size and still be a WMF file on the "inside" and still have a "arbitrary code" payload. Most security groups are way freaked out now since IDS/IPS and AV patches are not patching this complete yet. Check out http://isc.sans.org/diary.php?rss&storyid=994 more a more indepth answer.

    --
    Horns are really just a broken halo.
  15. Re:so... by borderpatrol · · Score: 5, Informative
    ...Because it's a simple image. Who would think that an image can deliver such a nasty payload? It doesn't need any user interaction. This blows right through fully patched copies of windows, and IE opens and executes it automatically (video here - http://www.websensesecuritylabs.com/images/alerts/ wmf-movie.wmv)

    Does your website have an image on it? It can be exploited that way. Does your email render html, even with scripting turned off? It can be exploited that way. A few trusted sites have been compromised with this exploit. Some seedier as networks (with hundreds or thousands of affiliates) are using this to generate cash. There is no patch for Windows ME, 98, or 95 and there will never be as these OSes are unsupported. These systems will ALWAYS have this vulnerability.

    Imaginine if someone uploaded this to MySpace (http://www.alexa.com/data/details/traffic_details ?q=&url=www.myspace.com/), as they allow full html formatting, embed, iframes and all kinds of crazy crap. One exploit on a popular blog will cause A LOT of damage.

    --
    Yeah I've been starving them, teasing them, singing off key. Me may mah mo, me mo ma me.
  16. I'm doing the best I can... by symbolset · · Score: 4, Informative
    I'm doing the best I can at my house against this thing, but looking at the 7+ Windows boxes I'm now worrying about updating, installing, patching and unregistering, and the 1 Apple laptop I haven't had to restart in 6 months, and I wonder if this is going to be the big one that really gives Microsoft the black eye it can't recover from.

    If you're an IT pro and you're running Windows at home, you should have your boxes imaged so you can just unhook from the net, image, apply the fix, take a new image and hook back up to the net. Seven boxen shouldn't take you more than a couple hours -- less if you use a standard image.

    If you're setting this up for the first time, don't forget to redirect "My Documents" to a different partition, or better yet a server with a backup regime. Oh, yeah, and choose the "Activate Windows over the phone" option before you make your first image so you don't have to re-activate each time.

    If you're an IT pro and you're not using Windows at home, take the extra hours and spend some holiday time with your friends and family. Life is short.

    --
    Help stamp out iliturcy.
  17. Adding the other days and some emphasis... by game+kid · · Score: 5, Funny

    Twelve IRC bots spying,
    Eleven worms-a-wriggling,
    Ten Paypal phishes,
    Nine ActiveX holes,
    Eight Blaster variants,
    Seven Sony rootkits,
    Six keystroke loggers,
    Five porn diallers!
    Four Exploit.WMFs,
    Three Mytobs,
    Two Bifrose-Ds,
    And a homepage stuck on goatse.

    (You, ettlz, rock.)

    --
    You can hold down the "B" button for continuous firing.
  18. Re: There needs to be... by Black+Parrot · · Score: 4, Insightful

    > Windows remains because for the stuff I do with my computer and the expectations I place upon it

    If people would aim their expectations at their software vendors rather than their computers, that problem would go away.

    --
    Sheesh, evil *and* a jerk. -- Jade