WMF Exploit 0-Day

There is a new unpatched exploit in the wild: :frowning:
http://www.f-secure.com/weblog/archives/archive-122005.html#00000752

Does Avast! already prevent from this danger?

I'd recommend avast! users take advantage of Web Shield by using URL Blocking to block all *.wmf files.

I think it would be good if Alwil released a signature for this exploit, so that Web Shield could protect us well by scanning HTTP traffic in real time.

I've alerted Alwil to this thread; I hope we get some more info on this soon :wink:

Tap's suggestion is a good one.

  1. Microsoft has already released a security bulletin about this issue: http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx

  2. We do have a sample file for this but preparation of a signature will take some time…

  3. So far, no AV is detecting this (AFAIK)

  4. The only site known to use this exploit so far is unionseek.com (I don't recommend going there). Adding something like unionseek.com to the list of Web Shield's blocked URLs would also be a good idea…

Cheers
Vlk

There, I blocked *.wmf and unionseek.com…

Sorry, 1. in my post above is not exactly correct. This is indeed a new variant not covered by the patch. I apologize.

We're protected by the latest VPS 0552-1. avast! detects this exploit as Win32:Exdown [Trj], and other AVs do too, but avast! users are more effectively protected by Web Shield, as it scans HTTP traffic in real time, so the exploit is stopped before it gets to our machine.

Many thanks go to Alwil for quick responses. :slight_smile:

Thank you for the replies and the quick response of the Avast! Team! :slight_smile:

The existing exploit is pretty aggressive. It installs a fake "anti-spyware" program that tells the user that his/her machine is infected - and offers him/her a cure - for 39 bucks >:(

See it in action: http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv

Idiots.

SpySheriff was doing that for quite some time… Drive-by installs are a real pain in the rear… >:(

SpySheriff huh? Oh boy, I could tell you some stories about that sucker, all the times I had to clean that fu… mess.
The worst part is people really believe it's a real anti-spyware program…

Hi ReVaN,

Yes, SpySheriff was/is a cruel bit of nastiness. It was high on the list of Ben Edelman, the American judicial authority on fighting the malware sellers in court. It came in from Australia and it wants to conquer the world. I have a blend of block lists to cut all these creeps short from my 127.0.0.1. My computer cannot even connect to it.
And I personally think that spyware and scumware is a bigger threat than viruses ever were. There must be millions and millions of infested machines on this earth.

Polonus

Authors of this type of malware should be dropped in the middle of a desert w/o any water…

New Microsoft Security Advisory (912840) posted today.

http://www.microsoft.com/technet/security/advisory/912840.mspx

Hi forum folks,

There is a work-around available for the WMF-0-Day Exploit,
look here: http://www.eweek.com/article2/0,1895,1906211,00.asp

greets,

polonus

Ahhh, but it will run even if the wmf is renamed as a gif or jpg. Unless avast! actually checks the file headers rather than the extension?

Microsoft Security Advisory (912840)

Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
Published: December 28, 2005

Microsoft is investigating new public reports of a possible vulnerability in Windows.
Microsoft will continue to investigate the public reports to help provide additional guidance for customers.

Microsoft is aware of the public release of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged-on user, when such user is visiting a Web site that contains a specially crafted Windows Metafile (WMF) image. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

Customers are encouraged to keep their antivirus software up to date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. We will continue to investigate these public reports.

Mitigating Factors:

• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• By default, Internet Explorer on Windows Server 2003, on Windows Server 2003 Service Pack 1, on Windows Server 2003 with Service Pack 1 for Itanium-based Systems, and on Windows Server 2003 x64 Edition runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability where the e-mail vector is concerned, although clicking on a link would still put users at risk. In Windows Server 2003, Microsoft Outlook Express uses plain text for reading and sending messages by default. When replying to an e-mail message that is sent in another format, the response is formatted in plain text. See the FAQ section of this vulnerability for more information about Internet Explorer Enhanced Security Configuration.

• Windows XP Service Pack 2 also includes software-enforced DEP that is designed to reduce exploits of exception handling mechanisms in Windows. By default software-enforced DEP applies to core operating system components and services. This vulnerability can be mitigated by enabling DEP for all programs on your computer.

http://www.microsoft.com/technet/security/advisory/912840.mspx

I tested this exploit on one site with the following result (avast! log):

30.12.2005 2:28:57 SYSTEM 248 Sign of "Win32:Exdown [Trj]" has been found in "http://www. tfcco. com / xpl. wmf" file.

My Avast (29.12.2005 0552-2) stopped loading this file. :slight_smile:

Of course, I had first un-registered the Windows Picture and Fax Viewer (shimgvw.dll)
with Run "regsvr32 -u %windir%\system32\shimgvw.dll"

avast! has a signature for this exploit and also scans HTTP traffic in real time (it scans almost all files downloaded via the browser). If I'm not wrong, other graphic file types are scanned, except *.gif and *.png, but you can remove these two file types from the Exceptions list in Web Shield so they are scanned as well.
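The renaming concern raised earlier in the thread (a WMF served as .gif or .jpg) and the Web Shield exception list discussed just above both come down to the same thing: a scanner has to identify WMF content by its bytes, not by its extension. The following is an added example, not code from the thread or from Alwil's product. It sniffs the placeable and standard WMF headers, walks the metafile records with bounds checks so a truncated or hostile file cannot over-read, and flags a META_ESCAPE record carrying SETABORTPROC, which is the escape the Graphics Rendering Engine mishandled in this bug (that detail comes from the public analysis of advisory 912840, later MS06-001, not from this thread). All sample files are constructed inline; the "photo.jpg" sample is a WMF with an escape record filled with placeholder bytes, not exploit code.

```python
"""Identify WMF files by content and flag the SETABORTPROC escape record.

Added example for the avast! WMF 0-day thread: extension is ignored on
purpose, because the exploit file is served under any name the attacker
likes.  Samples below are constructed in this file, not captured."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic, little-endian on disk
META_ESCAPE = 0x0626         # metafile record function: Escape
META_EOF = 0x0000            # metafile record function: end of file
META_SETMAPMODE = 0x0103     # harmless record used in the benign sample
SETABORTPROC = 0x0009        # escape sub-function mishandled by the vulnerable code


def wmf_header_offset(data):
    """Return the offset of the standard META_HEADER, or None if not a WMF."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22             # skip the 22-byte placeable header
    if len(data) < off + 18:
        return None
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    # META_HEADER: Type 1 (memory) or 2 (disk), HeaderSize is always 9 words,
    # Version is 0x0100 or 0x0300.
    if ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
        return off
    return None


def parse_records(data, off):
    """Return ([(function, params), ...], complete).

    Stops at META_EOF, at a record that runs past the buffer, or at a size
    smaller than the record's own 6-byte header, so a truncated or hostile
    file can neither loop forever nor cause an out-of-bounds read."""
    records = []
    pos = off + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        size = size_words * 2                      # record size is given in words
        if size < 6 or pos + size > len(data):
            return records, False
        records.append((func, data[pos + 6:pos + size]))
        if func == META_EOF:
            return records, True
        pos += size
    return records, False


def classify(data):
    """Verdict for a blob of image data, whatever its file name says."""
    off = wmf_header_offset(data)
    if off is None:
        return "not-wmf"
    records, complete = parse_records(data, off)
    for func, params in records:
        # Escape params: EscapeFunction (2 bytes), ByteCount (2 bytes), data
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                return "wmf-setabortproc"
    return "wmf-clean" if complete else "wmf-truncated"


# ---- constructed samples (not real files) ---------------------------------
def _placeable_header():
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 1000, 1000, 96, 0)
    checksum = 0
    for word in struct.unpack("<10H", head):       # XOR of the first ten words
        checksum ^= word
    return head + struct.pack("<H", checksum)


def _meta_header():
    # Type=1 (memory), HeaderSize=9, Version=0x0300, sizes left at 0
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)


def _record(func, params=b""):
    body = struct.pack("<H", func) + params
    return struct.pack("<I", (4 + len(body)) // 2) + body


SAMPLES = {
    # ordinary placeable WMF: one SETMAPMODE record, then EOF
    "benign.wmf": _placeable_header() + _meta_header()
                  + _record(META_SETMAPMODE, struct.pack("<H", 8)) + _record(META_EOF),
    # WMF with a SETABORTPROC escape, renamed to .jpg; "X" bytes are placeholders
    "photo.jpg": _meta_header()
                 + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"X" * 8)
                 + _record(META_EOF),
    # genuine JPEG start-of-image marker: must not be mistaken for WMF
    "real.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20,
    # header followed by a record claiming an impossible size
    "cut.wmf": _meta_header() + struct.pack("<IH", 0xFFFFFFFF, META_ESCAPE) + b"\x00" * 4,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12s} {classify(blob)}")
```

The verdict depends only on the bytes, so the same function serves a download hook, a mail gateway, or a disk sweep; a "wmf-truncated" result is worth treating as suspicious too, since the Windows renderer's parser may accept what this one rejects.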

Removing the Web Shield exceptions for the two image types is a good idea. I already did this.

Isn't it possible that this could be done via an avast! update, because a lot of users might not think about it?

Wouldn't it also be recommended to add the image formats to the list of scanned extensions of Standard Shield (WMFs might also come from other sources)? ???