Avast WEBforum

Other => Viruses and worms => Topic started by: Sgt.Schumann on December 28, 2005, 12:54:38 PM

Title: WMF Exploit 0-Day
Post by: Sgt.Schumann on December 28, 2005, 12:54:38 PM
There is a new unpatched exploit in the wild:  :(
http://www.f-secure.com/weblog/archives/archive-122005.html#00000752

Does Avast! already protect against this danger?
Title: Re: WMF Exploit 0-Day
Post by: TAP on December 28, 2005, 01:12:59 PM
I'd recommend avast! users take advantage of Web Shield by using URL Blocking to block all *.wmf files.

I think it would be good if Alwil releases a signature of this exploit, so Web Shield can protect us well by scanning HTTP traffic in real time.
Title: Re: WMF Exploit 0-Day
Post by: ..::ReVaN::.. on December 28, 2005, 01:27:34 PM
I've alerted Alwil to this thread; I hope we get some more info on this soon ;)
Title: Re: WMF Exploit 0-Day
Post by: Vlk on December 28, 2005, 01:31:47 PM
Tap's suggestion is a good one.

1. Microsoft has already released a security bulletin about this issue: http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx

2. We do have a sample file for this but preparation of a signature will take some time...

3. So far, no AV is detecting this (AFAIK)

4. The only site known to use this exploit so far is unionseek.com (I don't recommend going there). Adding something like *unionseek.com* to the list of WebShield's blocked URLs would also be a good idea...


Cheers
Vlk
Title: Re: WMF Exploit 0-Day
Post by: ..::ReVaN::.. on December 28, 2005, 01:37:18 PM
There, I blocked *.wmf and unionseek.com....
Title: Re: WMF Exploit 0-Day
Post by: Vlk on December 28, 2005, 01:37:54 PM
Sorry, 1. in my post above is not exactly correct. This is indeed a new variant not covered by the patch. I apologize.
Title: Re: WMF Exploit 0-Day
Post by: TAP on December 28, 2005, 05:27:26 PM
We're protected by the latest VPS 0552-1: avast! detects this exploit as Win32:Exdown [Trj], and other AVs do too, but avast! users are more effectively protected by Web Shield, as it scans HTTP traffic in real time so the exploit is stopped before it gets to our machine.

Many thanks go to Alwil for quick responses.  :)
Title: Re: WMF Exploit 0-Day
Post by: Sgt.Schumann on December 28, 2005, 07:17:46 PM
Thank you for the replies and the quick response of the Avast! Team!  :)

Title: Re: WMF Exploit 0-Day
Post by: Vlk on December 28, 2005, 10:05:49 PM
The existing exploit is pretty aggressive. It installs an "anti-spyware" (fake) program that tells the user that his/her machine is infected - and offers him/her a cure - for 39 bucks >:(

See it in action: http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv


Idiots.
Title: Re: WMF Exploit 0-Day
Post by: RejZoR on December 28, 2005, 10:17:26 PM
SpySheriff was doing that for quite some time... Drive-by installs are a real pain in the rear... >:(
Title: Re: WMF Exploit 0-Day
Post by: ..::ReVaN::.. on December 28, 2005, 11:32:27 PM
SpySheriff was doing that for quite some time... Drive-by installs are a real pain in the rear... >:(

SpySheriff huh? Oh boy, I could tell you some stories about that sucker, all the times I had to clean that fu..... mess.
The worst part is people really believe it's a real anti-spyware program....
Title: Re: WMF Exploit 0-Day
Post by: polonus on December 28, 2005, 11:42:58 PM
Hi ReVaN,

Yes, SpySheriff was/is a cruel bit of nastiness. It was high on the list of Ben Edelman, the American judicial authority on fighting the malware sellers in court. It came in from Australia and it wants to conquer the world. I have a blend of block lists to cut all these creeps short from my 127.0.0.1. My computer cannot even connect to it.
And I personally think that spyware and scumware are a bigger threat than viruses ever were. There must be millions and millions of infested machines on this earth.

Polonus

Title: Re: WMF Exploit 0-Day
Post by: Dwarden on December 29, 2005, 12:39:44 PM
Authors of this type of malware should be dropped in the middle of a desert w/o any water ...
Title: Re: WMF Exploit 0-Day
Post by: Darren on December 29, 2005, 04:07:35 PM
New Microsoft Security Advisory (912840) posted today.

http://www.microsoft.com/technet/security/advisory/912840.mspx
Title: Re: WMF Exploit 0-Day work-around available
Post by: polonus on December 29, 2005, 05:02:03 PM
Hi forum folks,

There is a work-around available for the WMF-0-Day Exploit,
look here: http://www.eweek.com/article2/0,1895,1906211,00.asp

greets,

polonus
Title: Re: WMF Exploit 0-Day
Post by: Omar on December 29, 2005, 08:45:46 PM
I'd recommend avast! users take advantage of Web Shield by using URL Blocking to block all *.wmf files.

I think it would be good if Alwil releases a signature of this exploit, so Web Shield can protect us well by scanning HTTP traffic in real time.



Ahhh, but it will run even if the swf is renamed as a gif or jpg. Unless avast actually checks the file headers rather than the extension?
Title: Re: WMF Exploit 0-Day
Post by: Steele on December 30, 2005, 09:24:27 AM
Microsoft Security Advisory (912840)

Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
Published: December 28, 2005

Microsoft is investigating new public reports of a possible vulnerability in Windows.
Microsoft will continue to investigate the public reports to help provide additional guidance for customers.

Microsoft is aware of the public release of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged-on user, when such user is visiting a Web site that contains a specially crafted Windows Metafile (WMF) image. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

Customers are encouraged to keep their antivirus software up to date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. We will continue to investigate these public reports.

Mitigating Factors:

• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• By default, Internet Explorer on Windows Server 2003, on Windows Server 2003 Service Pack 1, on Windows Server 2003 with Service Pack 1 for Itanium-based Systems, and on Windows Server 2003 x64 Edition runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability where the e-mail vector is concerned, although clicking on a link would still put users at risk. In Windows Server 2003, Microsoft Outlook Express uses plain text for reading and sending messages by default. When replying to an e-mail message that is sent in another format, the response is formatted in plain text. See the FAQ section of this vulnerability for more information about Internet Explorer Enhanced Security Configuration.

• Windows XP Service Pack 2 also includes software-enforced DEP that is designed to reduce exploits of exception handling mechanisms in Windows. By default software-enforced DEP applies to core operating system components and services. This vulnerability can be mitigated by enabling DEP for all programs on your computer.


http://www.microsoft.com/technet/security/advisory/912840.mspx
Title: Re: WMF Exploit 0-Day
Post by: ourasi on December 30, 2005, 10:01:19 AM
I tested this exploit on one site with the following result (Avast log):

30.12.2005 2:28:57 SYSTEM 248 Sign of "Win32:Exdown [Trj]" has been found in "http://www.  tfcco.  com / xpl. wmf" file. 

My Avast (29.12.2005 0552-2) stopped loading this file.  :)

Of course I had first un-registered the Windows Picture and Fax Viewer (Shimgvw.dll)
with Run "regsvr32 -u %windir%\system32\shimgvw.dll"
 
Title: Re: WMF Exploit 0-Day
Post by: TAP on December 30, 2005, 10:18:45 AM
I'd recommend avast! users take advantage of Web Shield by using URL Blocking to block all *.wmf files.

I think it would be good if Alwil releases a signature of this exploit, so Web Shield can protect us well by scanning HTTP traffic in real time.

Ahhh, but it will run even if the swf is renamed as a gif or jpg. Unless avast actually checks the file headers rather than the extension?

avast! has a signature of this exploit and also scans HTTP traffic in real time (it scans almost all files downloaded via browser). If I'm not wrong, other graphic file types are scanned except *.gif and *.png, but you can remove these two file types from the Exception list in Web Shield so they will also be scanned.
Title: Re: WMF Exploit 0-Day
Post by: Sgt.Schumann on December 30, 2005, 06:35:29 PM
The removal of the exceptions in WebShield for the two IMAGE types is a good idea.  I already did this.

Isn't it possible that this could be done via an Avast! update, because a lot of users might not think about it?

Wouldn't it also be recommended to add the image formats to the list of scanned extensions of Standard Shield (WMFs might also come from other sources)?  ???

Title: Re: WMF Exploit 0-Day
Post by: Lisandro on December 30, 2005, 06:40:39 PM
Wouldn't it also be recommended to add the image formats to the list of scanned extensions of Standard Shield (WMFs might also come from other sources)?  ???
When it becomes active, won't the process be an executable, a script, etc. that will be scanned by the Standard Shield?
I mean, the *.gif or *.wmf by themselves are innocuous, aren't they? Only when the infected process starts will it be caught by Standard Shield.
Am I wrong?
Title: Re: WMF Exploit 0-Day
Post by: wishiknew on December 30, 2005, 09:33:33 PM
http://www.eweek.com/article2/0,1895,1907131,00.asp

Cool for Avast in detecting the 73 variants so far.

http://www.kaspersky.com/faq?qid=176830011

On the other hand, why does Kaspersky need .exe patches to their AV? Change the default to scan wmf maybe?
Title: Re: WMF Exploit 0-Day
Post by: Data_Pirate on January 02, 2006, 06:02:37 AM
This is a news update. Apparently avast! cannot protect us just by doing this! (removing shimgvw.dll) I found this in an article:

Quote
New exploit
On New Year's eve the defenders got a 'nice' present from the full disclosure community.

The source code claims to be made by the folks at metasploit and xfocus, together with an anonymous source.

Note: We have been able to confirm that this exploit works. We are in the process of getting information to AV vendors ASAP. We can also confirm that having the file and simply opening the directory can be enough to get the exploit running.

The exploit generates files:

* with a random size;
* no .wmf extension, (.jpg), but could be any other image extension actually;
* a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
* a number of possible calls to run the exploit are listed in the source;
* a random trailer

From a number of scans we did through virustotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly it is very unlikely any of the IDS signatures for the previous versions of the WMF exploits work for this next generation.

Judging from the source code, it will likely be difficult to develop very effective signatures due to the structure of the WMF files.
Infection rate
McAfee announced on the radio yesterday they saw 6% of their customers having been infected with the previous generation of the WMF exploits. 6% of their customer base is a huge number.
Yellow
Considering this upsets all defenses people have in place, we voted to go to yellow in order to warn the good guys out there they need to review their defenses.

We hate going back to yellow for something we were yellow on a couple of days ago and had returned to green, but the more we look at it, the uglier it gets.
UNofficial patch
We want to be very clear on this: we have some very strong indications that simply un-registering the shimgvw.dll isn't always successful. The .dll can be re-registered by other processes, and there may be issues where re-registering the .dll on a running system that has had an exploit attempted against it will cause the exploit to succeed.

For those of you wanting to try an unofficial patch with all the risks involved, please see here. (md5 99b27206824d9f128af6aa1cc2ad05bc)
Initially it was only for Windows XP SP2. Fellow handler Tom Liston worked with Ilfak Guilfanov to help confirm some information required to extend it to cover Windows XP SP1 and Windows 2000.

Note: Tom has taken this thing apart and looked at it very, very closely. It does exactly what it advertises and nothing more. The wmfhotfix.dll will be injected into any process loading user32.dll. It will then patch (in memory) gdi32.dll's Escape() function so that it ignores any call using the SETABORTPROC (ie. 0x09) parameter. This should allow for Windows to display WMF files normally while still blocking the exploit. We want to give a huge thanks to Ilfak Guilfanov for building this and for allowing us to host and distribute it.

Note #2: When MS comes out with a real patch, simply uninstall this from Add/Remove programs on the Control Panel. Mr. Guilfanov did a great job with this ...

Patching with unofficial patches is very risky business, this comes without any guarantees of any kind.
Please do back out these unofficial patches before applying official patches from Microsoft.
Belt and suspenders
There is a possibility to do the proven belt and suspenders approach here: using the unofficial patch and the workaround from Microsoft together. Just remember to undo the damage done before applying any official patch for this vulnerability.
New Snort signatures
We are receiving signatures from Frank Knobbe that detect this newest variant, but we haven't done much testing for false positives or negatives at this point.
http://www.bleedingsnort.com/...

Frank also restated some warnings:

There is one important note in regards to ALL published signatures including this one. All these signatures will fail to detect the exploits when the http_inspect preprocessor is enabled with default settings. By default, the flow_depth of the preprocessor is 300 which is too short to cover the whole exploit. Should the exploit be transmitted on port 80 and http_inspect is enabled, no alert will occur. Note that it will still alert on any ports (using the all port sig below) that are not configured in http_inspect (ie FTP).
One solution is to add the statement "flow_depth 0" to the http_inspect preprocessor (actually the appropriate http_inspect_server line in the config). This will tell the preprocessor not to truncate the reassembled pseudo-packet, but it will have an adverse impact on performance. On busy networks, this will lead to 100% CPU utilization of the Snort process and major packet drops.
So we're between a rock, a solid surface, and a hard place. The exploits are web based, yet the signature will fail with http_inspect enabled. With it disabled, Snort will miss all rules containing uricontent and pcre/U statements. With it enabled, and flow_depth set to 0, Snort will alert on the exploit, but also process all uricontent rules in such a fashion that its CPU utilization is skyrocketing.
The only viable solution at this point is to run two instances of Snort. One with your normal set of rules and http_inspect enabled with either the default or "sane" values for flow_depth. The second instance should run with http_inspect disabled or flow_depth set to 0 (in the appropriate http_inspect_server config line), and process only rules that have to cover a larger than 300 byte area for content matches on ports configured in http_inspect. This two-pronged approach assures that Snort's performance is kept at normal levels, preventing packet loss.
Overview
A chronological overview of all WMF related articles on this site.
Thanks

Thanks to all handlers working on this today, especially Lorna, Tom, Kevin, Jim, Scott and all those I forgot. This was a cooperative effort.

Wishing all windows machines, their users, owners and administrators a happy New Year, with a bit fewer nasty exploits.

the article can be found here: http://isc.sans.org/diary.php?rss&storyid=992 (SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System)
Title: Re: WMF Exploit 0-Day
Post by: WDGC on January 02, 2006, 06:51:36 AM
F-Secure update:

Monday, January 2, 2006
It's not a bug, it's a feature    Posted by Mikko @ 04:13 GMT

Quote
"The WMF vulnerability" probably affects more computers than any other security vulnerability, ever.

http://www.f-secure.com/weblog/archives/archive-012006.html#00000758

Title: Re: WMF Exploit 0-Day
Post by: NonSuch on January 02, 2006, 08:50:04 AM
I installed Ilfak's patch yesterday, I've set rules in my firewall, I'm using URL Blocking for *.wmf files, and I'm being very, very careful.  That's on my XP system.  My Win 98 system will remain disconnected from the internet until there's a patch available for that OS. 

Title: Re: WMF Exploit 0-Day
Post by: Data_Pirate on January 02, 2006, 09:11:38 AM
I would say the safest things to do right now are:

- be careful on what sites you go onto
- use a different browser instead of IE (like Firefox)
- avast! users should use WMF blocking and keep their VPS updated
- configure your firewall to block all images (or just WMF ones if it has that option)
- keep an eye out for any new Windows security updates
- watch for any news on the exploit

It's all common sense in security really.
Title: Re: WMF Exploit 0-Day
Post by: Proteus93 on January 02, 2006, 10:15:41 AM
I've been using Avast! for nearly a couple of years now, and it has proven itself to be a fantastic AV. I've been especially appreciative of the way it goes about protecting email systems, since part of my duties for my job include having the network's email routed here (which is also my home personal computer). The only problem I ran into was when the last Sober variant came out, and it absolutely flooded my inbox. Because I knew pretty much all of the subject lines, I began turning off Avast! when I'd open up the inbox (having it individually scan hundreds of mails first thing in the morning was rather time consuming). Unfortunately, it was still off when I was hit with this exploit. Mind you, it wouldn't have helped a great deal, because my machine was infected in the early morning hours of Dec. 27 (starting at about 1:38 AM EST). I had the red X appear in my system tray with the whole "Spyware has been detected!" warning, and thought, "That's odd... I have the MS Security Center disabled"... immediately after, it dawned that something was wrong.

So... I clicked to restart the AV, and was immediately met with:

Sign of "Win32:Hoaxalarm-K [Trj]" has been found in "C:\WINDOWS\tool2.exe" file. 
Sign of "Win32:Trojano-3110 [Trj]" has been found in "C:\Documents and Settings\Proteus93\Local Settings\Temporary Internet Files\Content.IE5\OD6Z8L2V\child[1].exe" file. 
Sign of "Win32:Trojano-3110 [Trj]" has been found in "C:\DOCUME~1\PROTEU~1\LOCALS~1\Temp\6BC.tmp" file. 
Sign of "Win32:Trojano-3144 [Trj]" has been found in "C:\Documents and Settings\Proteus93\Local Settings\Temporary Internet Files\Content.IE5\SDAZ05U7\adtech2006a[1].exe" file. 
Sign of "Win32:Trojano-3144 [Trj]" has been found in "C:\windows\adtech2006a.exe" file. 
Sign of "Win32:Qoologic-AB [Trj]" has been found in "C:\WINDOWS\system32\wuauclt.dll" file. 
Sign of "Win32:Qoologic-AB [Trj]" has been found in "C:\WINDOWS\system32\wuauclt.dll" file. 
Sign of "Win32:Qoologic-Z [Trj]" has been found in "C:\WINDOWS\system32\vgactl.cpl" file. 
Sign of "Win32:Qoologic-Z [Trj]" has been found in "C:\WINDOWS\system32\vgactl.cpl" file. 
Sign of "Win32:Qoologic-AA [Trj]" has been found in "C:\DOCUME~1\PROTEU~1\LOCALS~1\Temp\f629807835.exe" file. 
Sign of "Win32:Tsupdate-J [Trj]" has been found in "C:\Documents and Settings\Proteus93\Local Settings\Temporary Internet Files\Content.IE5\OD6Z8L2V\stub_113_4_0_4_0[1].exe" file. 
Sign of "Win32:Trojano-2873 [Trj]" has been found in "C:\Documents and Settings\Proteus93\Local Settings\Temporary Internet Files\Content.IE5\4TUNG96F\MTE3NDI6ODoxNg[1].exe" file.
Sign of "Win32:Trojano-2873 [Trj]" has been found in "C:\MTE3NDI6ODoxNg.exe" file. 
Sign of "Win32:Trojano-3173 [Trj]" has been found in "C:\program files\common files\microsoft shared\web folders\ibm00001.dll" file. 
Sign of "Win32:Runner [Trj]" has been found in "C:\WINDOWS\system32\pgws.exe" file. 
Sign of "Win32:Trojano-3173 [Trj]" has been found in "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll" file. 
Sign of "Win32:Trojano-1152 [Trj]" has been found in "C:\Program Files\Common Files\VCClient\SS1001.exe" file. 

All of this seemed to be a result of the exploit, in which time, I was also starting to get a popup of WebSheriff installing and so forth... some Sudoku thing was appearing as well, among other things. Too little, too late. Netstat started showing signs of multiple connections via SMTP and I was getting a load of connections attempting through port 8558. Then Avast! started up with that "Connection timed out" message... over and over and over. Hundreds of these things were showing up, heavily enough that they were effectively DDOSing my machine. Through netstat -b, I was told that it was svchost responsible for all of the traffic, and no specific programs were making the connections, making it impossible for me to track down a simple offending process and destroy it.

All in all, I ended up spending the entire day of the 27th fighting with the machine, disconnected from the web, and having to use another machine to browse for troubleshooting... of course, since it was a 0-day, I was finding squat. By the end of the day, using a combination of anti-spyware programs and some digging through my machine to get it all out (I think I got it all, at least). Anyways, congrats on having excellent coverage on the problem now. I've gone back to just letting it scan through all of the email so I don't forget to turn it back on again. That leads me to the question, though - is there any possibility of a feature to have Avast! simply delete viruses and worms it finds in email instead of having the big popup each time that requires me to hit delete and select delete again when given the second window regarding scanning at start-up if necessary? Not a default feature that just does it, but rather, a setting in the program that allows me to simply tell it to do so, and to always perform the same action each time? That would be fabulous.

Apologies on the long, rambling post... and cheers.
P93
Title: Re: WMF Exploit 0-Day
Post by: galooma on January 02, 2006, 12:18:57 PM
Hi and welcome proteus,
I think what you are looking for is "silent mode" in the advanced settings of the mail provider. Still not completely hands free, but much reduced.



Does your post have anything to do with the original topic of this thread?? ::)
If not, why didn't you start a fresh one??
Title: Re: WMF Exploit 0-Day
Post by: Lisandro on January 02, 2006, 02:17:12 PM
That leads me to the question, though - is there any possibility of a feature to have Avast! simply delete viruses and worms it finds in email instead of having the big popup each time that requires me to hit delete and select delete again when given the second window regarding scanning at start-up if necessary? Not a default feature that just does it, but rather, a setting in the program that allows me to simply tell it to do so, and to always perform the same action each time? That would be fabulous.
This is only fully possible in Professional version (see picture here: http://forum.avast.com/index.php?topic=13315.msg112285#msg112285).

In Home version you can check the option "Don't show this window again" as soon as the first virus warning appears, and click on "No action" button. This way, nothing will be done and you will be presented the results at the end (and you can perform actions from there).

Or you can use Silent Mode:

Left click the 'a' blue icon.
It will start On-access protection

Click on Internet Mail and then on Customize.
Go to Advanced tab and select Silent Mode and the default answer No. This will send the file (email) to Chest.

Do the same for the Outlook/Exchange plugin.
The answer Yes in Silent Mode keeps the virus in the file or in the message (attachment) and continues the scanning. You can't configure 'delete the infected file' in the Home version.

You can do the same for Standard Shield provider, but it won't be a good idea...

Silent mode in the case of the WebShield provider simply means that avast will keep pressing the "Abort connection" button for the user automatically.
Title: Re: WMF Exploit 0-Day
Post by: Riker on January 02, 2006, 08:58:55 PM
Maybe someone from Alwil can look at this virus test sample from http://www.heise.de/security/dienste/emailcheck/demos/go.shtml?mail=wmf

Mail Scanner and On-Access don't detect this.

And on http://virusscan.jotti.org/ only Kaspersky, Bitdefender and 2 others detect this.

Carsten
Title: Re: WMF Exploit 0-Day
Post by: Sgt.Schumann on January 02, 2006, 09:34:55 PM
I don't know if the 'heise sample' is really representative to real exploits ITW...  ???
Title: Re: WMF Exploit 0-Day
Post by: Darren on January 02, 2006, 09:56:12 PM
Here's another WMF exploit test avast can't pass. Click this link at your own risk. It is supposed to be benign, but you've been warned.

http://ii.net/~benwig/addtestuser.wmf
All other antivirus programs catch this test. If you right-click the file and do a selective scan, avast does indeed identify it as Win32:Exdown [Trj]. But, avast will let you execute the file and will not complain at all. The avast real time scanner does not detect it, nor does the Web Shield. What's going on? There's a huge discussion at the PCQandA.com forums...
http://www.pcqanda.com/dc/dcboard.php?az=show_topic&forum=2&topic_id=393697

Pages 7-8 talk about avast.
Title: Re: WMF Exploit 0-Day
Post by: polonus on January 02, 2006, 10:32:01 PM
Hi Darren,

Read the whole thread, and conclusion was that the reg fix was to be preferred: see here:
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040699.html

Can you copy?

polonus
Title: Re: WMF Exploit 0-Day
Post by: Darren on January 02, 2006, 10:57:44 PM
Can I copy? I have tried that reg fix and it's worthless. You're not talking to an amateur here.
Do your little registry hack, then download this tester...
http://www.hexblog.com/security/files/wmf_checker_hexblog.exe

I'm not worried about the exploit because I applied the real fix. A patch from Ilfak Guilfanov plugs the hole nicely, thank you.
http://www.hexblog.com/security/files/wmffix_hexblog13.exe

His blog here...
http://www.hexblog.com/2005/12/wmf_vuln.html

But what I am worried about is why avast doesn't detect these files like a lot of the other antivirus scanners?

Save these files from the below links and upload them to the jotti scanner...
http://www.eskimo.com/~darren/wmfexp.jpg
http://www.eskimo.com/~darren/browsercheck.wmf

Jotti Scanner here...
http://virusscan.jotti.org/

Can you copy?

Title: Re: WMF Exploit 0-Day
Post by: polonus on January 02, 2006, 11:34:17 PM
Hi Darren,

Just did that, and here are the results:
- AntiVir found Exploit IMG.WMF D exploit;
- Arcavir found nothing;
- Avast found NOTHING;
- Bitdefender found Exploit.Win32.WMF-PFV;
- ClamAV (I have that as second opinion thanx goodness) found Exploit WMF-Gen-3;
- Fortinet found W32/WMF exploit;
- Kaspersky found Exploit Win32 IMC.WMF probably variant;
- Nod32 found probable a variant of Win32/Exploit WMF.

Conclusion: Avast failed this variety.

greets,

polonus
Title: Re: WMF Exploit 0-Day
Post by: Vlk on January 02, 2006, 11:58:21 PM
That is an incorrect conclusion.
Title: Re: WMF Exploit 0-Day
Post by: Dwarden on January 03, 2006, 12:14:07 AM
seems like even Avast!, bleedingsnort rules for KPF 4 and DEP on full power (well maybe this yes but it's still questionable) :) can't protect you ...

so far only working fix is that non official patch from www.hexblog.com ... oh well ...

any AV will fail to prevent newest RND modified WMFs ... they can only trace known variants not unknown ...

congrats to MS and a feature from the times of Windows 3.0 ... (yeah, ALL versions of Windows are affected :))
Title: Re: WMF Exploit 0-Day
Post by: DavidR on January 03, 2006, 12:24:35 AM
That is an incorrect conclusion.
Can you expand please Vlk.
Title: Re: WMF Exploit 0-Day
Post by: polonus on January 03, 2006, 12:38:56 AM
Hi Dwarden & others,

The exploit is actually no exploit, but has been a feature of Windows since 3.03; read here:
http://antivirus.about.com/od/virusdescriptions/a/wmfexploit_4.htm
So the solution to the problem depends on Windows, because the vulnerability has been lying around all that time, and millions of users may be sitting ducks for any new variety of this exploit.

polonus
Title: Re: WMF Exploit 0-Day
Post by: Vlk on January 03, 2006, 12:43:44 AM
Quote
That is an incorrect conclusion.

Can you expand please Vlk.


Of course. What I meant is: if an AV's goal is to protect you from security threats, it is an incorrect conclusion (that avast FAILS). If the goal is to detect proof-of-concept stuff (completely benign!), then yes, avast FAILS.

In other words, show me one single malicious wmf file that avast does not detect.


That said, we will be releasing a generic solution to the problem in the tomorrow's (well today's if you're based in continental Europe) VPS update that should get rid of the problem for good.


On a side note, Dwarden is right that this is an issue in all versions of Windows, from 3.0 to the latest Vista beta. The funny thing is that it's not a buffer overrun problem (that is, a coding bug) - instead, it's a _feature_ of WMF files. That is, the WMF file format definition allows inclusion of code (that is called when printing fails - it's an error handler). This means that

1. the definition of the WMF file itself is flawed, not the implementation, and
2. other programs that can work with wmf files and adhere to the definition are theoretically vulnerable as well - and indeed, this is the case with e.g. IrfanView or XNView.

Cheers :)
Vlk
Title: Re: WMF Exploit 0-Day
Post by: DavidR on January 03, 2006, 12:59:50 AM
Thank you very much for the clear (as usual) expansion and the notification on the generic solution.
Title: Re: WMF Exploit 0-Day
Post by: Darren on January 03, 2006, 01:16:23 AM
Thanks Vlk, that's what I wanted to hear.  :)
Title: Re: WMF Exploit 0-Day
Post by: Dwarden on January 03, 2006, 01:23:11 AM
polonus, I always wrote here it's an exploit through some very old (and obsolete now) feature ...

one of many ... so  there is still space for more new exploits  ;D

glad to see Vlk reads well what i wrote :) ... contrary to some others  ;)
Title: Re: WMF Exploit 0-Day
Post by: mauserme on January 03, 2006, 01:37:32 AM
Hi All,

I don't know about the test files Avast! might be missing, but I do know I have the following entry in my Avast! log file:

12/31/05 12:59:16 AM  "Sign of WIN32:Exdown{TRJ}" has been found in "http:// ... wmf/wmf_exp.wmf" file

After clicking a link in an email Avast! threw up an alert asking if I wanted to end the connection.  I did, and I find no trace of the wmf file or the exploit on my computer.  I've done multiple scans with Avast! (with updated definitions), ClamWin, BitDefender, Ewido, A Squared, Spybot S&D, and Ad Aware and I am confident my computer is clean.

I'll take real world protection over success with test files any day.

Title: Re: WMF Exploit 0-Day
Post by: Sgt.Schumann on January 03, 2006, 07:57:57 AM
Thank you for the answer Vlk,

for me the only important thing is that the ITW malicious samples are detected.

Personally, the 'play-examples' (like the heise one) are indeed not important ... but the problem is that they lead very fast to 'bad publicity', since they are easily available and a lot of people state them as 'representative'  :-\

Maybe a good idea would be some kind of news section directly on the Avast! start page. This would be e.g. a good place for explanations like Vlk's one above.
Title: Re: WMF Exploit 0-Day
Post by: Data_Pirate on January 03, 2006, 09:06:54 AM
blocking the wmf exploit isn't as easy as you all think right now! just blocking files with that extension will not work as it apparently can change its name. here's a quote I got it from:

Quote
the exploit still works if the .wmf files were renamed to other image extensions.. like .jpg or .bmp... so filtering .wmf won't 100% work

however there are some possibilities, found in this quote:

Quote
No, it doesn't work because they are recognized and therefore executed based on their 'magic'. If you filtered by the magic at the border you *may* have a chance of blocking them from the outside. No guarantees though.

this information has been found on another security information forum if anybody is curious.

EDIT: here's some interesting insight on the history of this exploit, because apparently it existed from the beginning of windows!

Quote
The new vulnerability makes it possible for users to infect their computers with spyware or a virus simply by viewing a web page, e-mail or instant message that contains a contaminated image.

“We haven’t seen anything that bad yet, but multiple individuals and groups are exploiting this vulnerability,” Mr Hyppönen said. He said that every Windows system shipped since 1990 contained the flaw.
that small quote was grabbed from an article located at: http://news.ft.com/cms/s/0d644d5e-7bb3-11da-ab8e-0000779e2340.html
Title: Re: WMF Exploit 0-Day
Post by: Vlk on January 03, 2006, 11:20:21 AM
Data_Pirate, most of the stuff has already been said in this thread :)  ;)


Sgt.Schumann:

Quote
Personally, the 'play-examples' (like the heise one) are indeed not important ... but the problem is that they lead very fast to 'bad publicity', since they are easily available and a lot of people state them as 'representative'

I agree, and that is one of the reasons we're today releasing a generic solution to the problem.
Title: Re: WMF Exploit 0-Day
Post by: RejZoR on January 03, 2006, 11:31:34 AM
Vlk, I know this won't be directly related to the WMF exploit, but will you use more generic signatures in the near future, or do you guys try to avoid them because of a possible increase in false positives? I noticed McAfee and Kaspersky use generic signatures quite often, especially for Beagles, MyDooms and MyTobs plus various SdBot/IrcBot/SpyBot/xBot nasties.
Ok, Kaspersky is a class of its own because of brutal unpacking, but McAfee doesn't seem to be anything extremely special. I mean, I'm noticing that various bots get past avast! lately (of course there is some error level on Jotti because of the Linux version), but I see many users here and there that have such bots on their PCs (using avast!).

Anyway, keep up the good work on detection improvements, I noticed you finally and forever added all samples I ever submitted to you. That's a very good sign :)

EDIT:
Also it would be a smart idea to add the WMF Exploit to the list of latest threats.
This WMF crap was a big boom in these days and seeing "Just" Zotob as latest threat won't make users any more confident in avast!...
Just a marketing thought and mainstream users perspective for your own good ;D
Title: Re: WMF Exploit 0-Day
Post by: Lisandro on January 03, 2006, 12:17:25 PM
Quote
This WMF crap was a big boom in these days and seeing "Just" Zotob as latest threat won't make users any more confident in avast!...
Just a marketing thought and mainstream users perspective for your own good ;D

This is an eternal suggestion... if there is no webpage update, why is this information there?
Self-confidence is important for the product...
Title: Re: WMF Exploit 0-Day
Post by: Dwarden on January 03, 2006, 12:31:19 PM
Quote
This WMF crap was a big boom in these days and seeing "Just" Zotob as latest threat won't make users any more confident in avast!...
Just a marketing thought and mainstream users perspective for your own good ;D
This is an eternal suggestion... if there is no webpage update, why is this information there?
Self-confidence is important for the product...

I think that "threat" page needs some serious rework ... maybe collaborate with some forum community members who will help etc? :)
Title: Re: WMF Exploit 0-Day
Post by: Lisandro on January 03, 2006, 02:57:52 PM
Quote
I think that "threat" page needs some serious rework ... maybe collaborate with some forum community members who will help etc? :)

If you're asking to make a compilation, no way...
I did it in the past, on version 4.1, but that thread goes much, much further.
I think Alwil should open another tool for this, maybe a poll, or a score of suggestions or anything else.
There are too many suggestions, repetitions, and so on... Does anybody want to read them now? Are they worth anything?
Title: Re: WMF Exploit 0-Day
Post by: Dwarden on January 03, 2006, 03:32:08 PM
Quote
I think that "threat" page needs some serious rework ... maybe collaborate with some forum community members who will help etc? :)
If you're asking to make a compilation, no way...
I did it in the past, on version 4.1, but that thread goes much, much further.
I think Alwil should open another tool for this, maybe a poll, or a score of suggestions or anything else.
There are too many suggestions, repetitions, and so on... Does anybody want to read them now? Are they worth anything?

well, hard to say, but what will be so problematic to "adjust" the threat list a bit ...
i.e. utilize Jotti / Virustotal results
or use similar system like :
ESET http://www.virus-radar.com/
KASPERSKY LABS http://www.viruslist.com/en/viruses/alerts
PANDA SOFTWARE http://www.pandasoftware.com/virus_info/
TRENDMICRO http://www.trendmicro.com/map/
SYMANTEC http://www.symantec.com/avcenter/
AVG http://www.grisoft.com/doc/Updates/lng/us/tpl/tpl01
MCAFEE http://vil.nai.com/vil/newly-discovered-viruses.asp or http://vil.nai.com/vil/recently-updated-viruses.asp
there are many others and some bit different (like Message Labs warning service etc.) ...

no need to be "so" detailed just include the biggest latest threats ...
Title: Re: WMF Exploit 0-Day
Post by: Lisandro on January 03, 2006, 05:30:58 PM
Quote
No need to be "so" detailed just include the biggest latest threats ...

Maybe we're talking about different things...
I'm referring to this thread list: http://forum.avast.com/index.php?topic=12640.0
Title: Re: WMF Exploit 0-Day
Post by: Vlk on January 03, 2006, 05:56:02 PM
Guys, this discussion is way off-topic here. We all know that the "Latest Threats" section needs a lot of work - but let's stay on topic here.


BTW the "generic" WMF exploit detection has been released as part of the latest VPS update. :)


Thanks
Vlk
Title: Re: WMF Exploit 0-Day
Post by: RejZoR on January 03, 2006, 06:01:16 PM
Well, we aren't exactly "offtopic". I know that the threats section doesn't mean anything to us, since we know you deal fast with new threats, but other, new users might not share the same opinion, don't you think? Seeing only Zotob as the latest threat will scare them away from avast!, since everyone is talking only about WMF and there is nothing about it on the avast! page (Zotob is last year's snow...). All big ones like McAfee, Trend Micro and Symantec make a huge marketing of any such "boom" malware, and I believe they market it pretty well in the end.
Jump on the bandwagon and earn some more $$$ ;)
Title: Re: WMF Exploit 0-Day
Post by: TAP on January 03, 2006, 06:07:52 PM
Quote
Well, we aren't exactly "offtopic". I know that the threats section doesn't mean anything to us, since we know you deal fast with new threats, but other, new users might not share the same opinion, don't you think? Seeing only Zotob as the latest threat will scare them away from avast!, since everyone is talking only about WMF and there is nothing about it on the avast! page (Zotob is last year's snow...). All big ones like McAfee, Trend Micro and Symantec make a huge marketing of any such "boom" malware, and I believe they market it pretty well in the end.
Jump on the bandwagon and earn some more $$$ ;)

I totally agree, for me it's a pain to see the lack of malware information on the virus page on the avast! official site.
Title: Re: WMF Exploit 0-Day
Post by: dadkins_1 on January 03, 2006, 06:28:30 PM
Quote
Guys, this discussion is way off-topic here. We all know that the "Latest Threats" section needs a lot of work - but let's stay on topic here.


BTW the "generic" WMF exploit detection has been released as part of the latest VPS update. :)


Thanks
Vlk
Thanks Vlk!  ;)
Title: Re: WMF Exploit 0-Day
Post by: polonus on January 03, 2006, 06:33:05 PM
Hi Folks,

Microsoft is planning a patch for Jan 10th, their reaction:
http://www.microsoft.com/technet/security/advisory/912840.mspx


polonus
Title: Re: WMF Exploit 0-Day
Post by: Spiritsongs on January 03, 2006, 06:49:27 PM
:) Saw the following posted on the freedomlist.com antiSPYWARE forums yesterday:
"
There is one critical thing you need to do, however, and that is to install the temporary patch from Ilfak to protect your computer from the Microsoft Windows Media Format (WMF) Zero Day Exploit (See WMF FAQ  here ).

FIX DIRECT DOWNLOAD LINK:  http://www.hexblog.com/security/files/wmffix_hexblog13.exe 
Fix Described Here:  http://www.hexblog.com/2005/12/wmf_vuln.html 

VULNERABILITY CHECKER DIRECT DOWNLOAD LINK:  http://www.hexblog.com/security/files/wmf_checker_hexblog.exe 
Checker Described here:  http://www.hexblog.com/2006/01/wmf_vulnera....html#more 

The temporary patch can be uninstalled via Add/Remove programs after Microsoft provides a solution to this exploit. "

 
Title: Re: WMF Exploit 0-Day
Post by: polonus on January 03, 2006, 07:25:58 PM
Hi Spiritsongs,

I have downloaded the Hotfix-1.1.14 by Ilfak Guilfanov, and ran it. Does this mean now that I am fully protected?

greets,

polonus
Title: Re: WMF Exploit 0-Day
Post by: Sgt.Schumann on January 03, 2006, 10:02:23 PM
100% Protection is not possible, unfortunately ... :-\

I have not installed the 'interim patch' from Ilfak, since I do not exactly know what it does ... and what it does not.
Since I want to know exactly what happens on my machine, I unregistered the .dll (knowing that this is not sufficient, but here I know 'what command I executed') and also removed the image exceptions from the Avast! Web Shield.
With all current Avast! updates and the 'sense of being careful', it seems to me ... that I am quite well protected.  ::)
Title: Re: WMF Exploit 0-Day
Post by: igor on January 03, 2006, 10:20:27 PM
Quote
I have not installed the 'interim patch' from Ilfak, since I do not exactly know what it does ... and what it does not.

The patch installs itself to be loaded into virtually any started process (a special autorun method). When loaded, it patches the Escape() function in GDI32.dll such that it doesn't do anything when called with the SETABORTPROC argument (and simply returns immediately when called). This way, the WMF exploit is avoided - because normally it's exactly this function that makes it possible to execute the malicious code.
Title: Re: WMF Exploit 0-Day
Post by: Sgt.Schumann on January 03, 2006, 10:29:18 PM
Igor, thank you for the explanation!  :)
Title: Re: WMF Exploit 0-Day
Post by: Darren on January 04, 2006, 12:38:35 AM
Quote
BTW the "generic" WMF exploit detection has been released as part of the latest VPS update.

Ah, but change the extension from .wmf to .jpg and the avast on-access scanner will not detect it, and will even let it be executed. Change the extension back to .wmf, and all the alarms go off.
Title: Re: WMF Exploit 0-Day
Post by: DavidR on January 04, 2006, 01:02:50 AM
But will a .wmf file that has had the file type changed to .jpg execute correctly?

The file associations for .jpg may either not be able to open the file or indicate that the file is in error, etc.

If you have a valid .wmf file, change it to .jpg and try and open it and see what happens.
Title: Re: WMF Exploit 0-Day
Post by: DavidR on January 04, 2006, 01:09:57 AM
In answer to my own question, changing a valid .wmf file to a .jpg results in an error.

So for this to work the exploited .wmf file I assume must remain a .wmf file or the file associations won't work correctly, so no execution of exploit code.

However, SnagIt took a little time and it recognised what file type it was (rather than a .jpg) and opened it. So if the generic is only looking at file extensions, which I hope not, then it could in some circumstances work with a changed file type.
Title: Re: WMF Exploit 0-Day
Post by: igor on January 04, 2006, 09:50:03 AM
The detection itself doesn't care about file extensions - it's just that Standard Shield does.
If a viewer recognizes the WMF format by its content, it doesn't really matter what extension you use for the file. So, to prevent any possible loading, Standard Shield would have to scan every possible file. We believe this would be unnecessary overkill (slowing down the computer significantly), because:
1. Both Web Shield and mail providers should scan every received file by default
2. Standard Shield now scans created WMF files by default
So, the infected WMF file should not get to your computer unnoticed (unless it's already there).

However, you are certainly free to make Standard Shield scan all the files by putting * to the "Scan files on open" mask box.
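Three points made in this thread fit together: Vlk's explanation that the WMF format itself allows an escape record that registers an error-handler procedure, the quote Data_Pirate posted about filtering on a file's 'magic' rather than its extension, and igor's point that the detection engine looks at content while only the shield's file mask looks at extensions. The scanner below is an added example written for this thread, not code from Alwil, avast! or any of the quoted vendors. It follows the public WMF layout (placeable key 0x9AC6CDD7, an 18-byte META_HEADER, records made of a size in 16-bit words plus a function code, META_ESCAPE = 0x0626, SETABORTPROC = 0x0009); the sample metafiles are constructed inside the code and carry no executable payload, only zero bytes in the escape data.

```python
import struct

# Layout constants from the public WMF format (META_HEADER, META_ESCAPE, META_EOF).
WMF_PLACEABLE_KEY = 0x9AC6CDD7   # "magic" that opens a placeable (Aldus) metafile
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009            # escape sub-function that registers an error/abort handler


def has_placeable_header(data: bytes) -> bool:
    return len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY


def looks_like_wmf(data: bytes) -> bool:
    """Recognise a metafile by its content, the way an image viewer does."""
    if has_placeable_header(data):
        return True
    if len(data) >= 18:
        mtype, header_words, version = struct.unpack_from("<HHH", data, 0)
        # Type 1 = memory, 2 = disk; the header is always 9 words; version 0x100 or 0x300
        return mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)
    return False


def iter_records(data: bytes):
    """Yield (offset, function, record bytes) for each record after the header."""
    offset = (22 if has_placeable_header(data) else 0) + 18
    while offset + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, offset)
        if size_words < 3:           # smaller than its own size+function fields: malformed
            break
        record = data[offset:offset + size_words * 2]   # a truncated file just yields less
        yield offset, function, record
        if function == META_EOF:
            break
        offset += size_words * 2


def find_setabortproc(data: bytes) -> list:
    """Offsets of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits = []
    for offset, function, record in iter_records(data):
        if function == META_ESCAPE and len(record) >= 8:
            escape_function = struct.unpack_from("<H", record, 6)[0]
            if escape_function == SETABORTPROC:
                hits.append(offset)
    return hits


def scan(data: bytes) -> str:
    """Verdict from bytes only: 'not-wmf', 'clean' or 'suspicious'. No extension involved."""
    if not looks_like_wmf(data):
        return "not-wmf"
    return "suspicious" if find_setabortproc(data) else "clean"


def scan_many(files: dict) -> dict:
    """Scan {filename: bytes}; the name is carried through but never consulted."""
    return {name: scan(data) for name, data in files.items()}


# --- constructed sample files (not from the thread) ---------------------------------

def _record(function: int, params: bytes = b"") -> bytes:
    assert len(params) % 2 == 0, "WMF records are word-aligned"
    return struct.pack("<IH", 3 + len(params) // 2, function) + params


def _build_wmf(records: list) -> bytes:
    body = b"".join(records)
    total_words = (18 + len(body)) // 2
    max_record_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300,
                         total_words & 0xFFFF, total_words >> 16, 0, max_record_words, 0)
    return header + body


# Benign: one ordinary drawing record, then end-of-file.
BENIGN_WMF = _build_wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)), _record(META_EOF)])
# Flagged: an escape record selecting SETABORTPROC; its 4 data bytes are zeros, no payload.
ESCAPE_WMF = _build_wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
                         _record(META_EOF)])
# Not a metafile at all (starts with the JPEG SOI marker; constructed, not a real image).
JPEG_LIKE = b"\xff\xd8\xff\xe0" + b"\x00" * 28

SAMPLES = {
    "benign.wmf": BENIGN_WMF,
    "disguised.jpg": ESCAPE_WMF,   # same bytes as a flagged metafile, misleading extension
    "photo.jpg": JPEG_LIKE,
}

if __name__ == "__main__":
    for name, verdict in scan_many(SAMPLES).items():
        print(f"{name:15s} {verdict}")
```

Because the verdict is computed from the bytes alone, the metafile named disguised.jpg gets the same result as it would under a .wmf name, which is exactly igor's distinction: the engine is content-based, and only the choice of which files to hand to it depends on the extension mask. A SETABORTPROC escape is a legitimate part of the format, so a hit is a reason to block or quarantine and scan further, not on its own proof that a file is malicious.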
Title: Re: WMF Exploit 0-Day
Post by: polonus on January 04, 2006, 05:18:23 PM
Dear Forum Folks,

Latest news from Belgium, all that like to uninstall the Ilfak WMF Hotfix for one reason or other, or before downloading the official Microsoft patch due for Jan 10th, do this by going to C:\Program Files\Windows MetafileFix\inins000.exe.

greets,

Polonus
Title: Re: WMF Exploit 0-Day
Post by: DavidR on January 04, 2006, 05:26:32 PM
It should also be in the Add/Remove Programs list as Windows WMF Metafile Vulnerability Hotfix 1.x
Title: Re: WMF Exploit 0-Day
Post by: Data_Pirate on January 05, 2006, 08:47:03 AM
looks like somebody beat everybody to blocking it...i found this article at: http://www.pctools.com/news/view/id/123/


Quote
PC Tools issues immediate solution to the Microsoft Windows Metafile (WMF) security flaw

Exploit Guard is currently being added to all computers using Spyware Doctor

SAN FRANCISCO, Jan. 04, 2006 – PC Tools, creator of award-winning spyware removal and real-time protection software, has created and started distributing Exploit Guard, a new feature in Spyware Doctor that protects against threats exploiting the dangerous Microsoft Windows (WMF) vulnerability which was revealed by security researchers and confirmed by Microsoft on Dec. 28.

Microsoft announced plans to release a patch on January 10. Until then, all versions of Windows are at risk from the WMF defect which compromises the security of users worldwide.

"Criminals are already taking advantage of this security defect to install additional malicious spyware and malware onto computers," said Simon Clausen, CEO of PC Tools. "When our R&D team spotted the WMF vulnerability, they developed a solution to guard our users from hackers and other individuals looking to exploit the flaw."

Spyware Doctor users automatically receive protection against the Windows Metafile (WMF) vulnerability as Exploit Guard is delivered to them through the product's real-time update capability. Users who do not run the real-time anti-spyware protection continuously are at risk for this vulnerability as well as other threats.

note: I'm not trying to advertise, this is just a bit of a news update
Title: Re: WMF Exploit 0-Day
Post by: WDGC on January 05, 2006, 10:20:21 PM
MS WMF fix download available now.


Microsoft Security Bulletin MS06-001
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
Published: January 5, 2006

Version: 1.0
Summary

Who should read this document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.

Security Update Replacement: None

http://www.microsoft.com/technet/security/bulletin/MS06-001.mspx

.
Title: Re: WMF Exploit 0-Day
Post by: polonus on January 05, 2006, 10:20:43 PM
Hi Data-Pirate,

The official patch due for Jan 10th was already achieved by Dec 28th last, and most certainly has an altered gdi32.dll. Observers say that the official and unofficial patch may be identical. Anyway, testing and translating the patch takes time. What can the bad guys do with WMF in the meantime? Read here:
http://isc.sans.org/diary.php?storyid=1016

Anyway, MSN beat me to it, nice to read that for Win98 Unofficial SP2 the flaw is not critical, I knew already from Ilfak's checktool.


greets,

polonus
Title: Re: WMF Exploit 0-Day
Post by: WDGC on January 05, 2006, 10:29:47 PM
Quote
The official patch due for Jan 10th

See my post above. MS WMF fix now available.

.
Title: Re: WMF Exploit 0-Day
Post by: mouniernetwork on February 01, 2006, 09:46:31 PM
Good News, Microsoft finally released the patch !!!

http://www.microsoft.com/downloads/details.aspx?FamilyID=0c1b4c96-57ae-499e-b89b-215b7bb4d8e9&displaylang=en

Have a good patching
Title: Re: WMF Exploit 0-Day
Post by: DavidR on February 01, 2006, 11:09:15 PM
Your good news is very old (5/1/2006), and the patch is covered in this thread three posts up, and it only covers XP, as previously stated:
Quote
System Requirements

    * Supported Operating Systems: Windows XP Service Pack 2
    * Windows XP Service Pack 1

So no official patch for Win98, etc.