WMF exploit

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: WMF exploit
From: Andreas Marx <gega-it@xxxxxx>
Date: Tue, 03 Jan 2006 22:00:12 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: http://freemail.web.de/

Hi,

I like what SANS is saying about the current MS announcement to deliver a patch 
by Jan 10, 2006, but not earlier:
http://isc.sans.org/diary.php

This is the interesting part:
"Although the issue is serious and malicious attacks are being attempted, 
Microsoft's intelligence sources indicate that the scope of the attacks are not 
widespread."
- Microsoft Security Advisory (912840)

First, there are many websites which intentionally includes Iframes to malware 
WMF files (like some "crack", "XXX" or "patch" websites). Besides this, there 
were some mass hacks of usually more trustworthy web sites -- now, the websites 
will still render fine, but the included WMF file will be started automatically.

We have analysed some 100 malware WMF files and they can do almost anything. We 
saw download trojans, adware and spyware apps, backdoors, lots of bots (zombie 
programs), as well as password-spying programs which are looking for PINs and 
TANs for online banking attacks. I expect that some 1,000 websites are already 
compromised.

One of the malware apps we have discovered at 2005-12-29 (some days ago!) 
already had a build-in infection counter at a (hidden) website and we saw the 
number 233,000. This means, a few days back, some 100,000 PCs seems to be 
compromised already. Today, the website is still working, and has delivered 
more than 1,000,000 malware installation files already. With 1+ million PCs 
under your control, you can do almost everything!

This means, the issue is extremely critical, even if the current attack vector 
seems to be websites only. We already saw a few malware WMF files in e-mails, 
but not many. The chances are good, however, that we might see a worm in the 
next few days which spreads using WMF files and e-mail as infection vector. 
Well, I can't understand why Microsoft is considering some 1,000,000 infections 
as being "not widespread". And that's the counter for just ONE special malware 
file!

Note: I've informed MS (secure@xxxxxxxxxxxxx) about the malware links, the 
counter and I've send them the malware WMF files as well as the downloaded EXE 
files some days ago already.

cheers,
Andreas

http://www.av-test.org

______________________________________________________________
Verschicken Sie romantische, coole und witzige Bilder per SMS!
Jetzt bei WEB.DE FreeMail: http://f.web.de/?mc=021193

Prev by Date: RE: WMF round-up, updates and de-mystification
Next by Date: Another WMF exploit workaround
Previous by thread: Re: WMF Exploit
Next by thread: Re: WMF Exploit
Index(es):
- Date
- Thread