WMF exploit
Hi,
I like what SANS is saying about the current MS announcement to deliver a patch
by Jan 10, 2006, but not earlier:
http://isc.sans.org/diary.php
This is the interesting part:
"Although the issue is serious and malicious attacks are being attempted,
Microsoft's intelligence sources indicate that the scope of the attacks are not
widespread."
- Microsoft Security Advisory (912840)
First, there are many websites which intentionally includes Iframes to malware
WMF files (like some "crack", "XXX" or "patch" websites). Besides this, there
were some mass hacks of usually more trustworthy web sites -- now, the websites
will still render fine, but the included WMF file will be started automatically.
We have analysed some 100 malware WMF files and they can do almost anything. We
saw download trojans, adware and spyware apps, backdoors, lots of bots (zombie
programs), as well as password-spying programs which are looking for PINs and
TANs for online banking attacks. I expect that some 1,000 websites are already
compromised.
One of the malware apps we have discovered at 2005-12-29 (some days ago!)
already had a build-in infection counter at a (hidden) website and we saw the
number 233,000. This means, a few days back, some 100,000 PCs seems to be
compromised already. Today, the website is still working, and has delivered
more than 1,000,000 malware installation files already. With 1+ million PCs
under your control, you can do almost everything!
This means, the issue is extremely critical, even if the current attack vector
seems to be websites only. We already saw a few malware WMF files in e-mails,
but not many. The chances are good, however, that we might see a worm in the
next few days which spreads using WMF files and e-mail as infection vector.
Well, I can't understand why Microsoft is considering some 1,000,000 infections
as being "not widespread". And that's the counter for just ONE special malware
file!
Note: I've informed MS (secure@xxxxxxxxxxxxx) about the malware links, the
counter and I've send them the malware WMF files as well as the downloaded EXE
files some days ago already.
cheers,
Andreas
http://www.av-test.org
______________________________________________________________
Verschicken Sie romantische, coole und witzige Bilder per SMS!
Jetzt bei WEB.DE FreeMail: http://f.web.de/?mc=021193