December 2005 - Posts

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Handler's Diary December 31st 2005

WMF and Indexing (NEW)

Published: 2005-12-31,
Last Updated: 2005-12-31 12:24:04 UTC by Patrick Nolan (Version: 1)

WMF Indexing, White Elephants and White Rabbits

The WMF White Elephant in the room as far as I'm concerned is Indexing. YMMV. How many Vendors have other Indexing services installed that are going to automagically enable WMF exploitation on or across your network?

F-Secure pointed out the White Elephant when they recommended you "disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows" and said "This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime." And I agree, turn all Indexing off until a fix is out.

Microsoft, Google and other vendors should immediately address what the role is of their indexing services, particularly as it relates to shares, synchronization and potential mitigation activities. Their lack of comment on this issue is glaring.

MS Indexing (White Rabbit Link)

F-Secure's blog today has a new vulnerability workaround (unrelated to indexing).

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

 Handler's Diary December 31st 2005


Call 1-866-727-2338 for free virus and security-related support from Microsoft (NEW)

Published: 2005-12-31,
Last Updated: 2005-12-31 11:58:48 UTC by Patrick Nolan (Version: 1)

 Preparation for the Inevitable (and New Years Resolution?)

When your Family and friends inevitably ask for help to "clean" their systems exploited by malicious WMF (or other) attacks, refer them to MS's free phone support.

Microsoft's No-Charge support phone number for virus and other security-related issue support is 1-866-727-2338, and "is available 24 hours a day for the U.S. and Canada."

"Outside of the U.S. and Canada", click here and then select your region to obtain the free support phone number for virus and other security-related issue.
OK, looks like Microsoft is working on a patch after all. I never should have doubted them...

Welcome to the Microsoft Security Response Center Blog! : A few thoughts on the WMF vulnerability.


Hi folks- this is Kevin Kean from the MSRC, writing what may just be my last MSRC blog entry for 2005. This morning we noticed that there are some people who are still looking for more information about the Windows Metafile (WMF) vulnerability that we issued a security advisory for on Wednesday. I thought it would be helpful to let you all know what we know about this and what we are doing to take care of it.

Since earlier this week, my team has been hard at work investigating this vulnerability. We take situations such as this one very seriously.

We are aware of publicly released, detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on a user’s system by hosting a specially crafted WMF image on a malicious Web site. We have determined that an attacker would have no way to force users to visit such a malicious Web site. Instead, an attacker would have to persuade someone to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

We have been asked a number of times whether this vulnerability can be exploited via email. I want to be very clear in the response so all users can understand the situation. In an e-mail based attack, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability. In both the web and e-mail based attacks, the code would execute in the security context of the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

When we complete this investigation, we’ll do what is best to help protect our customers. We have determined that this vulnerability will be fixed through a security update, and we will release that either through the regular monthly release cycle or out-of-cycle, depending on customer needs.

Right now, we are working very closely with our anti-virus partners and aiding law enforcement with its investigation. We continue to recommend that customers follow our security guidance, including being careful where you browse, never accepting email attachments from unknown senders, keeping your anti-virus software up to date, enabling a firewall and staying current on security updates.

Have a safe and happy New Year!
-Kevin

*This posting is provided "AS IS" with no warranties, and confers no rights.*


posted on Friday, December 30, 2005 9:38 PM by stepto

 

Knock, knock. Anyone working on a patch Microsoft?

F-Secure : News from the Lab - December of 2005.

WMF, day 3 Posted by Stefan @ 12:29 GMT

The amount of trojans using the zero-day WMF exploit is increasing rapidly.

Many people have now used the REGSVR32 workaround to stop the immediate threat. Some users have come back to us after we quoted Microsoft on the workaround wondering if the workaround really works. The workaround will stop the exploit for Internet Explorer and Explorer - even though WMF images still show as normal.

What the workaround does not stop is opening an exploited file in MSPAINT (aka Paintbrush). And as always, renaming the file to any other image extension will not make a difference to MSPAINT. So our suggestion is to not open any pictures right now with MSPAINT whatsoever. Perhaps leaving image editors out completely for the rest of the year might be a good idea.


 

Come on Microsoft, where is that patch??

TROJ_NASCENE.E - Description and solution.

Description: 

This Trojan is a Windows Metafile (WMF) that exploits a known vulnerability in the way specially-crafted WMF images are handled that can lead to arbitrary code execution. For more information about this vulnerability, please refer to this page:

This vulnerability is a zero-day exploit that is capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may pose a dangerous situation in which a lot of computers may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it.

Upon successful exploitation of this vulnerability, this Trojan connects to a certain Web site and downloads a certain file. Trend Micro detects the said file as ADW_EXFOL.A.

Well, I felt safe for a little while, having just sent out a script to unregister that vulnerable DLL. According to the info below, it might not stay that way.

Looks like renaming the DLL temporarily is the only option now.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Handler's Diary December 30th 2005

Musings and More WMF Information (NEW)

Published: 2005-12-30,
Last Updated: 2005-12-30 20:10:48 UTC by Scott Fendley (Version: 1)


Websense released some more information about their investigation in some website exploitation that involves IFRAMEs and WMF vulnerability.  My fellow handler Lorna said recently, "IFrames are always suspect in my eyes."  In light of this information, I have to agree with her.  Take a look at Websense Security Labs website for  details of their investigation including a nice movie file showing the exploitation at work.

As a side note,  I am quite thankful that most university and K-12 schools are still on holiday until next week.  This will hopefully give enough lead time for the mass media to report on this issue, and maybe, just maybe, Microsoft will have a better solution for the home users and our student populations.  *crossing his fingers that MS will release a preliminary update quickly*

One reader sent us the following summary, which pretty nicely outlines the issues with this vulnerability:

  1. Filename extension filtering will not work.
  2. Even if you un-register the DLL, some programs may re-register it by invoking it (shimgvw.dll) directly.
  3. You have to delete or rename the DLL to protect yourself. However, remember to undo this once there is a patch.
  4. While images embedded into documents may not immediately trigger the exploit, they may once saved into their own file.

The reader goes on to note that whatever mitigation is offered in Microsoft's advisory is not much more than a quick temporary band-aid. What we need is a patch and we need it quick.


--
Scott Fendley
Handler on Duty

JS_ONLOADXPLT.B - Description and solution.

Description: 

This malicious JavaScript contains an exploit code that is triggered upon interaction with the Web page http://www.hyipg{BLOCKED}index.htm. Upon visiting the said Web page, this malicious Javascript that is embedded in the Web page http://www.hyipg{BLOCKED}/image is executed.

It also executes a shell code that causes the download and execution of the file 1.EXE from the Web page http://www.hyipgold{BLOCKED}.com/image. However, the said Web pages are inaccessible as of this writing.

Interaction with the aforementioned Web pages may allow malicious users to execute code of choice on the affected system. The said action may enable them to take virtual control of the system.

This malicious JavaScript takes advantage of the File Download Dialog Box vulnerability in Internet Explorer. However, user interaction is required to fully exploit the said vulnerability. For more information on the said vulnerability, please refer to the Microsoft Web page Microsoft Security Bulletin MS05-054.

My virus sense is tingling, I hope Microsoft comes up with a patch soon.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

 Handler's Diary December 29th 2005

Microsoft Advisory (NEW)

Published: 2005-12-30,
Last Updated: 2005-12-30 07:59:43 UTC by Scott Fendley (Version: 2)

Microsoft has issued a security advisory on the WMF vulnerability.

Details are available here.

Update by Scott Fendley:
Microsoft has updated their security advisory tonight (December 30 UTC) with more information and frequently asked questions with answers.

Some notable things that I read in it.

"
** Windows Metafile (WMF) images can be embedded in other files such as Word documents. Am I vulnerable to an attack from this vector?

No. While we are investigating the public postings which seek to utilize specially crafted WMF files through IE, we are looking thoroughly at all instances of WMF handling as part of our investigation. While we're not aware of any attempts to embed specially crafted WMF files in, for example, Microsoft Word documents, our advice to accept files only from trusted sources would apply to any such attempts.

** It has been reported that malicious files indexed by MSN Desktop Search could lead to exploitation of the vulnerability. Is this true?

We have received reports and are investigating them thoroughly as part of our ongoing investigation. We are not aware at this time of issues around the MSN Desktop Indexer, but we are continuing to investigate.

** Is this issue related to Microsoft Security Bulletin MS05-053 - Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424) which was released in November?

No, these are different and separate issues.

** Are there any third party Intrusion Detection Systems (IDS) that would help protect against attempts to exploit this vulnerability?

While we don't know of specific products or services that currently scan or detect for attempts to render specially crafted WMF files, we are working with our partners through industry programs like VIA to provide information as we have it. Customers should contact their IDS provider to determine if it offers protection from this vulnerability.
"

--
Scott Fendley
Handler on Duty

The hits just keep on coming...

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

 Handler's Diary December 30th 2005

Lotus Notes Vulnerable to WMF 0-Day Exploit (NEW)

Published: 2005-12-30,
Last Updated: 2005-12-30 07:55:01 UTC by Scott Fendley (Version: 2)

John Herron at NIST.org discovered today that Lotus Notes versions 6.x and higher are vulnerable to the WMF 0-day exploit. In the advisory, located on the NIST website here, John reports that Lotus Notes remained vulnerable even after running the regsvr32 workaround in the Microsoft security advisory.

Update:

Our dedicated reader from Finland, Juha-Matti Laurio, has confirmed that IBM is aware of the vulnerability above. He had a couple of recommended workarounds for those using the Lotus Notes (Domino) system. I expect that IBM will be releasing an advisory directly with this information.

"1. Filter all common picture file extensions at the network perimeter.

The following file extensions are recommended:

BMP, DIB, EMF, GIF, ICO, JFIF, JPE, JPEG, JPG, PNG, RLE, TIF, TIFF and WMF, because Microsoft Windows handles picture files based on the file header information, not on the file extension used.

2. Do not Open... or View... picture files from untrusted sources.
"

Thanks for that information Juha-Matti.

--
Scott Fendley
Handler on Duty

Here it is, ready for download to use with the new City of Heroes collectible card game.  Made with the City of Heroes CCG Hero Card Builder, here is Hanford Man in his latest costume!!

Hanford Man's latest costume

F-Secure : News from the Lab - WMF, day 2

WMF, day 2 Posted by Mikko @ 08:30 GMT

Microsoft and CERT.ORG have issued bulletins on the Windows Metafile vulnerability:
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.kb.cert.org/vuls/id/181038

Microsoft's bulletin confirms that this vulnerability applies to all the main versions of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003.

They also list the REGSVR32 workaround. It's a good idea to use this while waiting for a patch. To quote Microsoft's bulletin:

 Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

 1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
 (without the quotation marks), and then click OK.

 2. A dialog box appears to confirm that the un-registration process has succeeded.
 Click OK to close the dialog box.

 Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started
 when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

 To undo this change, re-register Shimgvw.dll by following the above steps.
 Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

This workaround is better than just trying to filter files with a WMF extension. There are methods where files with other image extensions (such as BMP, GIF, PNG, JPG, JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO) could be used to exploit a vulnerable machine.

We got several questions on our note on Google Desktop yesterday. Bottom line is that if an image file with the exploit ends up on your hard drive, Google Desktop will try to index it and will execute the exploit in the process. There are several ways such a file could end up on the local drive. And this indexing-will-execute problem might happen with other desktop search engines too.

And finally, you might want to start to filter these domains at your corporate firewalls too. Do not visit them.

toolbarbiz[dot]biz
toolbarsite[dot]biz
toolbartraff[dot]biz
toolbarurl[dot]biz
buytoolbar[dot]biz
buytraff[dot]biz
iframebiz[dot]biz
iframecash[dot]biz
iframesite[dot]biz
iframetraff[dot]biz
iframeurl[dot]biz

So far, we've only seen this exploit being used to install spyware or fake antispyware / antivirus software on the affected machines. I'm afraid we'll see real viruses using this soon.

Trend Micro has renamed previously discovered Trojans that use the 0-day exploit, and has a listing for a fourth.

TROJ_NASCENE.A

TROJ_NASCENE.B

TROJ_NASCENE.C

TROJ_NASCENE.D

TROJ_WMFCRASH.A

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

 Handler's Diary December 29th 2005

* Update on Windows WMF 0-day (NEW)

Published: 2005-12-29,
Last Updated: 2005-12-29 11:23:53 UTC by Chris Carboni (Version: 1)


Update 23:00 UTC: The vulnerability seems to be within SHIMGVW.DLL. Unregistering this DLL (type REGSVR32 /U SHIMGVW.DLL at the command prompt or in the "Start->Run" Window, then reboot) will resolve most of the vulnerability, but will also break your Windows "Picture and Fax Viewer", as well as any ability of programs like "Paint" and "Explorer" to display thumbnails of any picture and real (benign) WMF files.

Update 23:19 UTC: Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.
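An added example, not code from the ISC diary, F-Secure or Microsoft: the point made in the reader summary above ("filename extension filtering will not work") and in the 23:19 UTC note (Windows XP keys on the "magic bytes") is that the renderer decides what a file is from its header, so a perimeter rule keyed on the .wmf extension is bypassed by renaming. The Python script below parses the optional 22-byte placeable header and the 18-byte METAHEADER, walks the record stream to the EOF record, and compares what a filename claims with what the bytes actually are. The sample files are constructed inline (a bare WMF under a .jpg name, a placeable WMF, a JPEG header, an empty .wmf); the function names and the classification strings are assumptions of this example, not taken from any quoted advisory.

```python
"""Identify WMF files by content, not by extension (added example).

Windows decides how to render an image from its header bytes, so a filter
keyed on the ".wmf" extension is bypassed by renaming. This script parses
the WMF header and record stream and reports files whose content is WMF
whatever the filename says.
"""
import struct
from typing import List, NamedTuple, Optional

# Key of the 22-byte "placeable" (Aldus) header that many WMF files carry in
# front of the standard METAHEADER: 0x9AC6CDD7 stored little-endian.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
PLACEABLE_HEADER_LEN = 22
METAHEADER_LEN = 18     # Type, HeaderSize, Version, Size, NumObjects, MaxRecord, NumMembers
META_EOF = 0x0000       # function code of the terminating record


class WmfInfo(NamedTuple):
    placeable: bool
    file_type: int      # 1 = memory metafile, 2 = disk metafile
    version: int        # 0x0100 or 0x0300
    size_words: int     # declared metafile size in 16-bit words
    records: List[int]  # GDI function code of each record, in order


def parse_wmf(data: bytes) -> Optional[WmfInfo]:
    """Return header/record info if `data` is a structurally valid WMF, else None."""
    placeable = data[:4] == PLACEABLE_KEY
    off = PLACEABLE_HEADER_LEN if placeable else 0
    if len(data) < off + METAHEADER_LEN:
        return None
    (ftype, hdr_words, version, size_lo, size_hi,
     _num_objects, _max_record, _num_members) = struct.unpack_from("<HHHHHHIH", data, off)
    # The METAHEADER is always 9 words long; Type and Version take fixed values.
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    size_words = size_lo | (size_hi << 16)

    # Walk the record stream: each record is <DWORD size-in-words><WORD function><params...>.
    # This is what the renderer executes, which is why "viewing" the file is enough.
    records: List[int] = []
    pos = off + METAHEADER_LEN
    while pos + 6 <= len(data):
        rec_words, func = struct.unpack_from("<IH", data, pos)
        if rec_words < 3:           # a record cannot be shorter than its own header
            return None
        records.append(func)
        if func == META_EOF:
            return WmfInfo(placeable, ftype, version, size_words, records)
        pos += rec_words * 2
    return None                     # ran off the end without an EOF record


def is_wmf_by_extension(name: str) -> bool:
    return name.lower().endswith(".wmf")


def classify(name: str, data: bytes) -> str:
    """Compare what the filename claims with what the bytes are."""
    content_wmf = parse_wmf(data) is not None
    ext_wmf = is_wmf_by_extension(name)
    if content_wmf and not ext_wmf:
        return "WMF content disguised under another extension"
    if content_wmf:
        return "WMF"
    if ext_wmf:
        return "not WMF despite .wmf extension"
    return "not WMF"


def build_minimal_wmf(placeable: bool = False) -> bytes:
    """Constructed sample: a structurally valid WMF holding only the EOF record."""
    eof_record = struct.pack("<IH", 3, META_EOF)   # 3 words = 6 bytes
    body_words = 9 + 3                               # METAHEADER + EOF record
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300, body_words, 0, 0, 3, 0)
    out = header + eof_record
    if placeable:
        # Key, HWmf, BoundingBox (left, top, right, bottom), Inch, Reserved,
        # followed by Checksum = XOR of the ten preceding 16-bit words.
        head = struct.pack("<IHhhhhHI", 0x9AC6CDD7, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for word in struct.unpack("<10H", head):
            checksum ^= word
        out = head + struct.pack("<H", checksum) + out
    return out


# Constructed sample inputs (not real files from the wild).
SAMPLES = {
    "holiday.jpg": build_minimal_wmf(),                 # WMF bytes behind a .jpg name
    "logo.wmf": build_minimal_wmf(placeable=True),      # honest placeable WMF
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 40,    # JPEG SOI marker, not a metafile
    "empty.wmf": b"",                                   # .wmf extension on nothing
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(f"{fname:14s} {classify(fname, blob)}")
```

Run with python3 and it prints one line per sample. A proxy or mail filter built this way would act on the content result, whatever the name or Content-Type says. It is still only a filter: a structurally valid WMF is not necessarily a malicious one, and endpoints still need the DLL workaround until a patch ships.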
Microsoft finally releases a security advisory on the 0-day WMF exploit.

Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
Published: December 28, 2005

Microsoft is investigating new public reports of a possible vulnerability in Windows. Microsoft will continue to investigate the public reports to help provide additional guidance for customers.

Microsoft is aware of the public release of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged-on user, when such user is visiting a Web site that contains a specially crafted Windows Metafile (WMF) image. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

Customers are encouraged to keep their antivirus software up to date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. We will continue to investigate these public reports.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, applying software updates and installing antivirus software. Customers can learn more about these steps at the Protect Your PC Web site.

Customers who believe they may have been affected by this issue can contact Product Support Services. You can contact Product Support Services in the United States and Canada at no charge using the PC Safety line (1 866-PCSAFETY). Customers outside of the United States and Canada can locate the number for no-charge virus support by visiting the Microsoft Help and Support Web site.

For full details, see the following: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.

Update on a previous post.

Trend Micro has two new descriptions for Trojans that use this vulnerability as well.

 TROJ_WMFXEXE.A

 TROJ_WMFMSITS.A 

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

 Handler's Diary December 28th 2005

* Update on Windows WMF 0-day (NEW)

Published: 2005-12-28,
Last Updated: 2005-12-28 20:02:19 UTC by Daniel Wesemann (Version: 1)

Update 19:07 UTC: We are moving to Infocon Yellow for a bit. There has been some debate among the handlers about this step, but considering that a lot of people are on holidays and might otherwise miss the WMF 0-day problem, we have decided to raise the alert level.

The folks at Websense Labs have a nice movie of what it looks like when a system gets exploited by this WMF 0-day, see http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv . Don't go to any of the URLs visible in the movie unless you know what you are doing (or feel like spending the next hours reinstalling your PC).

The original exploit site (unionseek.com) is no longer up. But the exploit is being served from various sites all over by now, see the F-Secure Blog on http://www.f-secure.com/weblog/ for an update on the versions of the exploit found in the wild.

Working exploit code is widely available, and has also been published by FRSIRT and the Metasploit Framework.

Regarding DEP (Data Execution Prevention) on XP SP2, the default settings of DEP will not prevent this exploit from working. Comments we have received in the meantime suggest that if you enable DEP to cover all programs (as documented on Microsoft TechNet), the WMF exploit attempt will result in a warning and not run on its own.

While the original exploit only referred to the Microsoft Picture and Fax Viewer, current information is that any application which automatically displays or renders WMF files is vulnerable to the problem. This includes Google Desktop, if the indexing function finds one of the exploit WMFs on the local hard drive - see the F-Secure Weblog mentioned above for details.

F-Secure : News from the Lab - December of 2005.

Be careful with WMF files Posted by Mikko @ 15:30 GMT

Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C.

Fellow researchers at Sunbelt have also blogged about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch:

  Crackz [dot] ws
  unionseek [dot] com
  www.tfcco [dot] com
  Iframeurl [dot] biz
  beehappyy [dot] biz

And funnily enough, according to WHOIS, domain beehappyy.biz is owned by a previous president of the Soviet Union:

  Registrant Name: Mikhail Sergeevich Gorbachev
  Registrant Address1: Krasnaya ploshad, 1
  Registrant City: Moscow
  Registrant Postal Code: 176098
  Registrant Country: Russian Federation
  Registrant Country Code: RU

"Krasnaya ploshad" is the Red Square in Moscow...

Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.

You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute?
The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows.

So far, Symantec, McAfee and F-Secure have heuristic detections for this 0-day exploit. Secunia has a write-up on this exploit as well.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Handler's Diary December 28th 2005

Windows WMF 0-day exploit in the wild (NEW)

Published: 2005-12-28,
Last Updated: 2005-12-28 10:04:51 UTC by Daniel Wesemann (Version: 1)

Just when we thought that this will be another slow day, a link to a working unpatched exploit in what looks like the Windows Graphics Rendering Engine has been posted to Bugtraq.

The posted URL is   [ uni on seek. com/   d/t    1/  wmf_exp.  htm ]
(DON'T GO HERE UNLESS YOU KNOW WHAT YOU'RE DOING. Added spaces to avoid accidental clicking. See Firefox note below!!)

The HTML file runs another WMF (Windows Meta File) which executes a trojan dropper on a fully patched Windows XP SP2 machine. The dropper will then download Winhound, a fake anti-spyware/virus program which asks the user to purchase a registered version of the software in order to remove the reported threats.

During the test Johannes ran, it was interesting that the DEP (Data Execution Prevention) on his system stopped this from working. However, as this was tested on an AMD64 machine, we still have to confirm whether (or not) the software DEP also stops this - let us know if you tested this.



Internet Explorer will automatically launch the "Windows Picture and Fax Viewer". Note that Firefox users are not totally immune either. In my install of Firefox, a dialog box will ask me if I would like to load the image in "Windows Picture and Fax Viewer". If I allow this to happen ("pictures are safe after all" NOT!), the exploit will execute.

For more information, see also
http://vil.mcafeesecurity.com/vil/content/v_137760.htm and http://www.securityfocus.com/bid/16074/info
 
F-Secure Blog entry:
 
New WMF 0-day exploit Posted by Mika @ 08:38 GMT

There's a new zero-day vulnerability related to Windows' image rendering - namely WMF files (Windows Metafiles). Trojan downloaders, available from unionseek[DOT]com, have been actively exploiting this vulnerability. Right now, fully patched Windows XP SP2 machines are vulnerable, with no known patch.


The exploit is currently being used to distribute the following threats:
  Trojan-Downloader.Win32.Agent.abs
  Trojan-Dropper.Win32.Small.zp
  Trojan.Win32.Small.ga
  Trojan.Win32.Small.ev.

Some of these install hoax anti-malware programs the likes of Avgold.


Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file.

In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first.

As a precaution, we recommend administrators to block access to unionseek[DOT]com and to filter all WMF files at HTTP proxy and SMTP level.

F-Secure Anti-Virus detects the offending WMF file as W32/PFV-Exploit with the 2005-12-28_01 updates.

We expect Microsoft to issue a patch on this as soon as they can.

Update:

 Trend Micro now has a description for the Trojan that exploits this unpatched vulnerability
 
I don't know how I am going to do it, but I HAVE to have one of these...

DC Direct: BATMAN UTILITY BELT Replica

DC Direct is proud to offer the Dark Knight's portable arsenal — the BATMAN UTILITY BELT, repository for the majority of Batman's weapons and on-the-spot detection tools.

This finely crafted, high-end, limited-edition replica of the BATMAN UTILITY BELT is a life-sized, fully-lined genuine leather belt with solid-state construction measuring approximately 44" long and weighing approximately five pounds. This replica features a concealed pocket to hold a Batarang (not included). Included are a real metal electroplated belt buckle and nine spring-activated capsules with a gold-tone finish. In addition, the UTILITY BELT features a movable dial for a faux belt radio. The belt is enclosed in a display case with a removable acrylic top, a solid wood lacquer base and comes with a 4-color certificate of authenticity. This replica is packaged in a gold-foil stamped black gift box. Limited edition of 750. The BATMAN UTILITY BELT is designed for display only, and is not meant to be worn. Don't miss the opportunity to own one of your very own!

   

 

Looks like several new variants of the Bagle virus were spammed out late last night. These follow the pattern of “zip attachment with downloader that downloads mass-mailer”. Fun for the whole family.

Here are some vendor listings so far:

Symantec: W32.Beagle.DB@mm

McAfee (jeez guys): W32/Bagle.gen!F7B43CAC

Trend Micro:
TROJ_BAGLE.GP
WORM_BAGLE.GP
TROJ_BAGLE.GS
WORM_BAGLE.GY
TROJ_BAGLE.GR

F-Secure Weblog:

Thursday, December 22, 2005

Status update on Bagles Posted by Sami @ 21:07 GMT

We are up to Bagle.FJ. The count for this evening is already 6. Update version number 2005-12-22_07 is on its way.



The Bagle night continues Posted by Katrin @ 19:32 GMT

We have now four new Bagle downloaders - all are very similar variants. We detect them as W32/Bagle.FE, W32/Bagle.FF, W32/Bagle.FG and W32/Bagle.FH. They are detected with the update 2005-12-22_05.



Another Bagle round Posted by Alexey @ 17:00 GMT

Looks like the guys behind Bagle don't have a life. Instead of shopping for Christmas they keep creating and spreading new downloaders. We just got a few reports about a new Bagle-related downloader that is now being spammed as a ZIP attachment containing a file named DFC00027.EXE. The mass-mailer that is responsible for this Bagle round was uploaded to one of the websites that are monitored by old Bagle downloaders some time ago. I hope that this round will be as short as the previous one.

Detection for the mass-mailer is already available as Email-Worm.Win32.Bagle.ex. The new downloader will be detected as W32/Bagle.FE with the 2005-12-22_03 updates that are expected shortly.

 

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Handler's Diary December 22nd 2005


Exploits in the wild for several PHP-based web apps (NEW)

Published: 2005-12-22,
Last Updated: 2005-12-22 16:03:15 UTC by Jim Clausing (Version:
2(click to highlight changes))

Those of you that run web servers have probably noticed in your logs that there is a lot of scanning activity looking for vulnerabilities in PHP or web applications that are written in PHP.  Even after all these months there are still scans for the old awstats vulnerability and the XML-RPC vulnerabilities in PHP itself from a few months back.  Well, there are a couple of new ones in the last week or so that I thought deserved a mention.

Several days ago Secunia issued a bulletin discussing a new vulnerability in phpBB-2.0.18 (which is the latest one and which, unfortunately, has been a pretty popular target over the last year or so).  Fortunately, the vulnerability can only be exploited if a couple of settings are changed from the default to values that will open your web server to a lot more problems than just this one.  Having said that, the exploit is now in the wild, so if you are running phpBB, make sure that you follow the recommendations and that "Allow HTML" and register_globals are both disabled.  One of our intrepid readers also noticed that an exploit has been posted in several places that will do brute force dictionary attacks to get the passwords of phpBB users.

Also, a couple of days ago a worm started making the rounds exploiting a vulnerability in the genealogy application PhpGedView.  The authors have posted patches here which users are encouraged to apply as soon as possible.

Update: Frank Knobbe pointed out to me that there is a snort signature available from BleedingSnort (here) to detect the PhpGedView exploit.

---------------------
Jim Clausing, jac /at/ isc.sans.org
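An added example (mine, not code from the ISC diary or SANS): a small Python log scanner that pulls the probes Jim describes out of an Apache combined-format access log and reports which sources are sweeping for PHP applications. The path patterns, the "count only 404s" rule and the sample log lines are my own constructions, not published signatures; tune the patterns to the applications you actually host.

```python
"""Added example: pick PHP web-app vulnerability probes out of an Apache access log."""
import re
from collections import defaultdict

# Apache "combined" log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)

# Path patterns for the applications named in the diary. These are my assumed
# request shapes, not signatures published by ISC; adjust to your environment.
PROBES = [
    ("awstats",    re.compile(r"/awstats\.pl", re.I)),
    ("xmlrpc",     re.compile(r"/xmlrpc\.php", re.I)),
    ("phpbb",      re.compile(r"/phpbb\d*/|/viewtopic\.php", re.I)),
    ("phpgedview", re.compile(r"/phpgedview/", re.I)),
]


def parse_line(line):
    """Return the captured fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Name the application family a request path is probing for, or None."""
    for family, rx in PROBES:
        if rx.search(path):
            return family
    return None


def scan(lines, only_missing=True):
    """Count probe hits per source host and application family.

    With only_missing=True a request counts only when the server answered 404:
    a scanner asks for apps you do not run, while real users hit apps you do.
    On a server that hosts one of these apps, set only_missing=False and look
    at the request parameters of the matches instead.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        family = classify(rec["path"])
        if family is None:
            continue
        if only_missing and rec["status"] != "404":
            continue
        hits[rec["host"]][family] += 1
    return {host: dict(fam) for host, fam in hits.items()}


def suspicious(hits, min_families=2, min_hits=3):
    """Sources that probed for several different apps, or one app repeatedly."""
    return sorted(
        host for host, fam in hits.items()
        if len(fam) >= min_families or sum(fam.values()) >= min_hits
    )


# Constructed sample log lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Dec/2005:03:14:01 +0000] "GET /cgi-bin/awstats.pl?configdir=%7Ctest%7C HTTP/1.1" 404 292 "-" "Mozilla/4.0"
203.0.113.7 - - [22/Dec/2005:03:14:02 +0000] "POST /xmlrpc.php HTTP/1.1" 404 292 "-" "Mozilla/4.0"
203.0.113.7 - - [22/Dec/2005:03:14:03 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 292 "-" "Mozilla/4.0"
203.0.113.7 - - [22/Dec/2005:03:14:04 +0000] "GET /phpgedview/index.php HTTP/1.1" 404 292 "-" "Mozilla/4.0"
198.51.100.20 - - [22/Dec/2005:03:20:11 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.20 - - [22/Dec/2005:03:20:12 +0000] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for host in suspicious(found):
        print(host, found[host])
```

Run against a real log with `scan(open("access_log"))`; the 404 filter is what keeps your own forum users out of the report, so drop it only when you then inspect the matched query strings by hand.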

Symantec AntiVirus Decomposition Buffer Overflow.

SYM05-027
December 21, 2005
Symantec AntiVirus Decomposition Buffer Overflow

Revision History

None

Risk Impact
High

Remote Access Yes
Local Access No
Authentication Required No
Exploit publicly available No

Overview

Symantec has become aware of a buffer overflow in the AntiVirus component used to decompose RAR (Roshal Archive). A specially crafted RAR file could potentially cause this buffer overflow to occur and execute hostile content from the RAR file.

Vulnerable Products : (vulnerable builds/Maintenance Releases (MR) where indicated)

Enterprise Products

Product: Version(s)
Norton AntiVirus for Microsoft Exchange: 2.18
Symantec Mail Security for Microsoft Exchange: 4.0, 4.5, 4.6.3
Symantec AntiVirus/Filtering for Domino NT: 3.1
Symantec Mail Security for Domino NT: 4.0, 4.1.4
Symantec AntiVirus/Filtering for Domino Ports: 3.0.11
Symantec AntiVirus Scan Engine: 4.1.8, 4.3.12
Symantec AntiVirus for MS ISA: 4.3.12
Symantec AntiVirus for MS Sharepoint: 4.3.12
Symantec AntiVirus for Messaging: 4.3.12
Symantec AntiVirus for NAS: 4.3.12
Symantec AntiVirus Scan Engine for NetApp Filer: 4.0, 4.3
Symantec AntiVirus Scan Engine for NetApp NetCache: 4.0, 4.3
Symantec AntiVirus Scan Engine for Bluecoat: 4.0, 4.3
Symantec AntiVirus for Clearswift: 4.3.12
Symantec AntiVirus Scan Engine for Caching: 4.3.12
Symantec AntiVirus for SMTP: 3.1, 4.1.9
Symantec Client Security: 3.x
Symantec Web Security: 3.0.1
Symantec BrightMail AntiSpam: 5.5, 4.0
Symantec Gateway Security 5000 Series: 3.0
Symantec Gateway Security 5400 Series: 2.0
Symantec Gateway Security: 1.0
Symantec Norton Antivirus for Macintosh Corporate Edition: 9.0
Symantec Mail Security for Microsoft Exchange: 5.0, 4.6, 4.5, 4.0
Symantec AntiSpam for SMTP: 3.1
Symantec AntiVirus/Filtering for Domino NT: 3.1
Symantec Mail Security for Domino: 4.0, 4.1
Symantec AntiVirus/Filtering for Domino Ports: 3.0
Symantec Scan Engine: 5.0.1 and earlier
Symantec AntiVirus Scan Engine: 4.3
Symantec AntiVirus Scan Engine for ISA: 4.3.X
Symantec AntiVirus Scan Engine for Netapp Filer: 4.3.X
Symantec AntiVirus Scan Engine for Netapp NetCache: 4.3.X
Symantec AntiVirus for Caching: 4.3.12 and earlier
Symantec AntiVirus for Clearswift: 4.3.12 and earlier
Symantec AntiVirus Scan Engine for Microsoft Portal Server: 4.3.X
Symantec AntiVirus Scan Engine for Bluecoat: 4.3.X
Symantec AntiVirus Scan Engine for Filers: 4.3.X
SharePoint Portal Server 2003
Symantec AntiVirus for SMTP: 3.1, 4
Symantec Mail Security for SMTP: 4.0, 4.1
Symantec Web Security: 3.01x
Symantec BrightMail AntiSpam: 6.0, 4.0, 5.5
Symantec AntiVirus Corporate Edition: 10
Symantec Norton AntiVirus: 7.6
Symantec I-Gear: (no version listed)
Symantec AntiVirus for HandHelds - Corporate Edition: (no version listed)
Symantec Client Security for Nokia: (no version listed)

Consumer Products

Product: Version(s)
Symantec Norton Antivirus: 2006, 2005, 2004
Symantec Norton Internet Security Professional: 2006, 2005, 2004
Symantec Norton System Works: 2006, 2005, 2004
Norton Personal Firewall: 2006, 2005, 2004
Symantec Norton Antivirus for Macintosh: 9.x
Symantec Norton Internet Security for Macintosh: 3.x
Symantec Norton System Works for Macintosh: 3.x
Symantec Norton Antivirus for Macintosh: 7.x
Symantec Norton Antivirus for Macintosh: 8.x
Symantec Norton Internet Security for Macintosh: 2.x
Symantec Norton System Works for Macintosh: 7.0
Symantec AntiVirus for Handhelds: All

Products Not Affected:

Product: Version(s)
Symantec Antivirus Corporate Edition: 9.x - all versions, 8.x - all versions
Symantec Client Security: 2.x, 1.x
Symantec Enterprise Firewall: 8.0
Symantec Clientless VPN Gateway 4400 Series: 5.0
Symantec Firewall / VPN Appliance: 100/200
Symantec Gateway Security 300/400 Series: 2.0


Note:

  1. As Symantec continues to investigate this issue, the list of affected products may be updated.
  2. As more information and product updates become available, this advisory will be updated to include a link to applicable downloads.
  3. Only currently supported Symantec Products will be updated. Customers using unsupported versions are encouraged to upgrade to a supported version.

Symantec Response
Symantec is currently working to create and distribute product updates for all affected products.

To date, Symantec has not had any reports of related exploits of this vulnerability.

Mitigations
Symantec Security Response posted an AntiVirus based protection signature to LiveUpdate on December 20, 2005, providing a heuristic detection for potential exploits of the Symantec decomposer RAR archive vulnerability. This signature is available through LiveUpdate to all desktop, server and gateway product versions of Symantec's Security products and appliance solutions that contain the decomposer RAR archive. Symantec strongly recommends that customers immediately ensure their products are up-to-date to protect against possible threats.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Handler's Diary December 21st 2005


Symantec AV RAR library vulnerability (NEW)

Published: 2005-12-21,
Last Updated: 2005-12-21 16:37:39 UTC by Jim Clausing (Version: 1)

Yesterday, Alex Wheeler released details of a vulnerability that appears to span many Symantec A/V products in the routines for decoding RAR compressed files.  Symantec is apparently working feverishly on a fix, but for the moment the recommendation is to disable scanning of these files (which I suppose is fine if we can convince the users not to open/uncompress them until Symantec has a fix or they can be scanned by some other A/V product) or block them completely at gateways/proxies.  We are not currently aware of exploits in the wild, but the concern is that this has occurred so close to the end-of-year holidays: even if a fix does come out in the next few days, will people be around to apply it?

For complete details see the Bugtraq posting, the Secunia advisory, and what I believe is Alex's paper.

We'll bring you more info as it becomes available.
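An added example (mine, not Symantec's or the ISC's code) of the gateway-side workaround mentioned above, blocking RAR files until the decomposer is fixed. The point it makes is that blocking by extension is not enough: the scanner opens whatever it is handed, so the check below identifies RAR content by its signature bytes and also descends into ZIP attachments, where it finds nested RAR members and, as a bonus, PE executables like the ZIP-wrapped Bagle downloaders reported elsewhere on this page. The RAR 4.x signature is the documented "Rar!\x1a\x07\x00" marker; the RAR 5 marker is a later format that I include so the check stays useful on current traffic; the size and depth limits are my own choices, and the sample archives are constructed in-memory stand-ins, not real malware.

```python
"""Added example: identify RAR content by signature, including inside ZIP attachments."""
import io
import zipfile

# Archive signatures. RAR 1.5 to 4.x files start with "Rar!\x1a\x07\x00";
# RAR 5 (a later format, included so the check stays useful today) starts with
# "Rar!\x1a\x07\x01\x00". Windows executables start with "MZ".
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
PE_MAGIC = b"MZ"

MAX_MEMBER = 50 * 1024 * 1024   # refuse to expand oversized members (zip-bomb guard); my choice
MAX_DEPTH = 3                   # how many nested archives to descend into; my choice


def is_rar(data):
    return data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC)


def is_pe(data):
    return data.startswith(PE_MAGIC)


def inspect(name, data, depth=0):
    """Return [(path, kind)] for every RAR, PE or unexpandable member found.

    The file name is deliberately ignored: a RAR renamed to .txt is still a RAR
    to the scanner that opens it.
    """
    if is_rar(data):
        return [(name, "rar")]
    if is_pe(data):
        return [(name, "pe")]
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{name}/{info.filename}"
            if info.file_size > MAX_MEMBER:
                findings.append((member, "oversized"))   # do not expand, treat as unsafe
                continue
            findings.extend(inspect(member, zf.read(info), depth + 1))
    return findings


def should_block(name, data):
    """Gateway policy while the decomposer is unpatched: drop anything carrying RAR content."""
    return any(kind in ("rar", "oversized") for _, kind in inspect(name, data))


def build_zip(members):
    """Build an in-memory ZIP from {member_name: bytes} (used for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed samples: signature bytes plus padding, not real archives or malware.
FAKE_RAR = RAR4_MAGIC + b"\x00" * 64
FAKE_EXE = PE_MAGIC + b"\x90" * 62
SAMPLES = {
    "photos.rar": FAKE_RAR,
    "photos.txt": FAKE_RAR,                                     # extension lies
    "update.zip": build_zip({"DFC00027.EXE": FAKE_EXE}),        # exe-in-zip, the Bagle pattern
    "nested.zip": build_zip({"inner.zip": build_zip({"doc.rar": FAKE_RAR})}),
    "report.pdf": b"%PDF-1.4 constructed placeholder",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(f"{fname:12} block={should_block(fname, blob)} {inspect(fname, blob)}")
```

Hook `should_block` into whatever your mail or proxy filter calls per attachment. Note the order of the checks: the signature tests run before the ZIP test, and anything the scanner would have to expand but that exceeds the size limit is treated as unsafe rather than skipped, since "could not inspect" must not turn into "allowed".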

We haven't seen this virus in a while, but there is nothing new here. This virus spreads by using the vulnerability outlined in Microsoft Security Bulletin MS03-026.  If you are patched up, you should be fine.

WORM_BLASTER.N - Description and solution.

Description: 

This worm propagates using the RPC/DCOM vulnerability found in Windows, which allows an attacker to gain full access and execute any code on a target machine by sending a malformed packet to the DCOM service. It uses TCP port 135. More information on this vulnerability is found in Microsoft Security Bulletin MS03-026.

Upon execution, this worm drops a copy of itself in the hardcoded location, %Windows%\System32.

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

For Windows NT, this worm modifies a Winlogon Shell registry entry to ensure its automatic execution at every system startup.

This worm downloads and executes the file WINBAL.EXE from the Web site, http://serocubase-djs.com{BLOCKED}/csrsscs.bmp.

The aforementioned file is not a valid .EXE file. It only contains HTML tags and other strings. However, the malware author may modify the downloaded file to contain a valid .EXE file with a destructive payload.
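An added example, not from Trend Micro or the original post: on the network, the tell-tale of this worm is one host opening TCP/135 connections to many different addresses in a short time, so here is a Python sliding-window fan-out detector run over a constructed connection log. The log format ("time src dst dport proto"), the 60-second window and the threshold of ten distinct destinations are my assumptions; a flagged machine is then checked for the host-side indicators in the description above (the copy in %Windows%\System32 and the altered Winlogon Shell value).

```python
"""Added example: flag hosts fanning out to TCP/135, the propagation port of this worm."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format (my assumption, not any vendor's):
#   "<ISO-8601 time> <src ip> <dst ip> <dst port> <proto>"
# one line per connection attempt, as a firewall or flow exporter would emit.


def parse(line):
    t, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(t), src, dst, int(dport), proto


def find_scanners(lines, port=135, window_s=60, threshold=10):
    """Return {src: peak} for sources that reached >= threshold distinct
    destinations on `port` inside any window_s-second window.

    Distinct destinations, not connection count, is the signal: a client that
    talks to its domain controller's endpoint mapper all day hits one address
    many times, a worm hits many addresses once each.
    """
    per_src = defaultdict(list)
    for line in lines:
        t, src, dst, dport, proto = parse(line)
        if proto == "TCP" and dport == port:
            per_src[src].append((t, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        window = deque()               # (time, dst) pairs inside the current window
        live = defaultdict(int)        # dst -> how many window entries reference it
        peak = 0
        for t, dst in events:
            window.append((t, dst))
            live[dst] += 1
            while (t - window[0][0]).total_seconds() > window_s:
                _, old = window.popleft()
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
            peak = max(peak, len(live))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


# Constructed sample: 10.0.0.5 sweeps twenty addresses on 135 in twenty seconds;
# 10.0.0.9 repeatedly contacts one address on 135 (ordinary RPC endpoint-mapper
# traffic) plus one web connection.
SAMPLE_LOG = (
    [f"2005-12-21T10:00:{i:02d} 10.0.0.5 10.0.1.{i + 1} 135 TCP" for i in range(20)]
    + [f"2005-12-21T10:00:{i:02d} 10.0.0.9 10.0.0.2 135 TCP" for i in range(0, 20, 4)]
    + ["2005-12-21T10:00:30 10.0.0.9 192.0.2.10 80 TCP"]
)

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))   # {'10.0.0.5': 20}
```

The same function, with `port=445` or `port=139`, catches the other Windows-share-sweeping worms of the period; the threshold should sit above the largest legitimate fan-out you see on that port (management stations and vulnerability scanners are the usual false positives, and deserve an allow list rather than a higher threshold).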

More info on the new Bagle variant that I posted about earlier.

Symantec now has new listings for this new variant, and Trojans that are related to the spread of the virus.

W32.Beagle.CZ@mm

Trojan.Lodear.G

Trojan.Lodeight.A

Looks like F-Secure, Trend Micro, and Sophos are the first to see a new Bagle variant so far today.

F-Secure’s blog entry

We have received reports about a Bagle-related downloader being posted on one of the sites that were used for distribution of Bagle files in the past. This is a second-level downloader that just downloads one file and runs it. The downloaded file is a minor variant of the previous Bagle mass-mailer; we will detect it as Bagle.FC. The mass-mailer sends out ZIP archives with a new Bagle-related downloader that we will detect as Bagle.FB in the next updates.

Trend Micro: TROJ_BAGLE.GI

Sophos: Troj/BagleDl-AP