Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Reiner on January 02, 2006, 08:34:09 PM

Title: WMF exploit problem
Post by: Reiner on January 02, 2006, 08:34:09 PM
Hi,

I just tried the browser check of the German online service of the c't computer magazine (http://www.heise.de/security/dienste/browsercheck/demos/ie/wmf.shtml) where you can check how your browser or e-mail program behaves regarding the WMF exploit.

My first check was to see if Avast web protection was working. Unfortunately, my avast installation gave no warning. Then I tried the e-mail check, where the online site sends you an e-mail with an infected file, with jpg extension. Even this was not discovered by my avast installation (I updated my system before I made the tests). I downloaded the file and did an explicit scan on the file. No result.

What is wrong with my avast installation that it misses files with the WMF exploit?

Regards

Reiner
Title: Re: WMF exploit problem
Post by: Riker on January 02, 2006, 08:52:07 PM
I can confirm that Avast doesn't recognize this "Test-Sample" with the Email-Scanner and On-Access.

I tried the Mail-Sample http://www.heise.de/security/dienste/emailcheck/demos/go.shtml?mail=wmf

Carsten
Title: Re: WMF exploit problem
Post by: Reiner on January 02, 2006, 09:20:38 PM
Hi,

is there anybody else who can verify? If avast is not able to discover similar files, I'd like to know, because then I need to secure my system in another way.

So far I was really satisfied with avast, but knowing the limits of a program is necessary to protect my system.

Regards Reiner
Title: Re: WMF exploit problem
Post by: JimF on January 02, 2006, 09:27:39 PM
Neither of the tests worked for me either.  But since they are benign, maybe avast! does not include them in their signatures.  I would not panic yet.
Title: Re: WMF exploit problem
Post by: Sgt.Schumann on January 02, 2006, 09:37:22 PM
Maybe also look at this thread:
http://forum.avast.com/index.php?topic=18295.0
Title: Re: WMF exploit problem
Post by: polonus on January 02, 2006, 09:41:15 PM
Hi guys,

Maybe these benign signatures are not recognized.
I checked both hyperlinks with the DrWeb hyperlink pre-scanner, and both came up clear. Notice that Avast already has 73 signatures for various varieties of the exploit. Elsewhere on this forum you can read how to block *.wmf in Avast and how to put sources of infection into a blocklist, see: http://forum.avast.com/index.php?topic=18295.0
Sorry Sgt.Schumann, I was just a little later. D.

polonus
Title: Re: WMF exploit problem
Post by: Reiner on January 02, 2006, 09:51:55 PM
Hi,

if the demo exploits on the heise web site are not discovered, I think it is very likely that other, more threatening exploits in the wild are not discovered either.

I doubt that avast excludes "friendly" exploits which just demonstrate the possibilities. If a demonstration of an exploit is proven by web sites like the heise web site, it just shows that other exploits may not be discovered by avast or other scanners. At work the McAfee scanner, however, discovered the heise demonstration.

Reiner
Title: Re: WMF exploit problem
Post by: polonus on January 02, 2006, 09:56:16 PM
Hello Reiner,

Maybe if you did download this exploit demo, you could try and upload it to Jotti.de or to VirusTotal, just to see which virus scanners detect it, as you say that some do. Would be interesting to know, ;D

greetings,

polonus
Title: Re: WMF exploit problem
Post by: Reiner on January 02, 2006, 10:02:57 PM
Hi Polonus,

just go to the heise web site, there you can download it. In the meantime I installed the (unofficial) patch by Ilfak Guilfanov. This is tested by the Internet Storm Center (sans.org).

Reiner
Title: Re: WMF exploit problem
Post by: Technodrome on January 02, 2006, 10:04:09 PM
Scanner   Version   Last update   Result
AntiVir   6.33.0.70   01.02.2006   no virus found
Avast   4.6.695.0   01.02.2006   no virus found
AVG   718   01.02.2006   no virus found
Avira   6.33.0.70   01.02.2006   no virus found
BitDefender   7.2   01.01.2006   Exploit.Win32.WMF-PFV
CAT-QuickHeal   8.00   01.02.2006   no virus found
ClamAV   devel-20051123   01.02.2006   Exploit.WMF.Gen-3
DrWeb   4.33   01.02.2006   no virus found
eTrust-Iris   7.1.194.0   01.01.2006   no virus found
eTrust-Vet   12.4.1.0   01.01.2006   Win32/Worfo
Ewido   3.5   01.02.2006   no virus found
Fortinet   2.54.0.0   01.02.2006   W32/WMF!exploit
F-Prot   3.16c   01.02.2006   no virus found
Ikarus   0.2.59.0   01.02.2006   no virus found
Kaspersky   4.0.2.24   01.02.2006   Exploit.Win32.IMG-WMF
McAfee   4665   01.02.2006   Exploit-WMF
NOD32v2   1.1349   01.02.2006   probably a variant of Win32/Exploit.WMF
Norman   5.70.10   12.31.2006   no virus found
Panda   9.0.0.4   01.02.2006   Exploit/WMF
Sophos   4.01.0   01.02.2006   no virus found
Symantec   8.0   01.02.2006   no virus found
TheHacker   5.9.2.067   01.02.2006   Exploit/WMF
UNA   1.83   01.02.2006   no virus found
VBA32   3.10.5   01.01.2006   no virus found


Most of these detections are possible with generic signatures. Hopefully Alwil team will release something similar.


tD
Title: Re: WMF exploit problem
Post by: Lisandro on January 03, 2006, 02:52:00 AM
Most of these detections are possible with generic signatures. Hopefully Alwil team will release something similar.
Welcome back tECHNODROME  ;)
You haven't been around for a while...  ::)
As far as I can find in these forums, Alwil team does not intend (in a short period) to implement heuristic (generic) scanning.
Title: Re: WMF exploit problem
Post by: Technodrome on January 03, 2006, 05:47:57 AM
Quote
Welcome back tECHNODROME  ;)
You haven't been around for a while...  ::)
As far as I can find in these forums, Alwil team does not intend (in a short period) to implement heuristic (generic) scanning.

How have you been, and happy New Year?

But they already use generic malware detection.  ;)



tD
Title: Re: WMF exploit problem
Post by: Reiner on January 03, 2006, 08:17:17 AM
Hi,

I don't know if it is a problem regarding heuristic scanning. I think it is more an issue how and in what way a virus/exploit code is detected.

Reiner
Title: Re: WMF exploit problem
Post by: hlecter on January 03, 2006, 06:00:18 PM
Happy New Year to all!

I can confirm that both the webshield and standard shield on my machine give me a warning on said page.

The malware is named WMF Exploit.

I have to turn off the webshield to test the standard shield!  ;D

Good work Alwil!  :)

Hannibal Lecter
Title: Re: WMF exploit problem
Post by: Spiritsongs on January 03, 2006, 06:43:29 PM
:) The following was posted on the freedomlist.com antiSPYWARE forums yesterday:
"
There is one critical thing you need to do, however, and that is to install the temporary patch from Ilfak to protect your computer from the Microsoft Windows Media Format (WMF) Zero Day Exploit (See WMF FAQ here).

FIX DIRECT DOWNLOAD LINK:  http://www.hexblog.com/security/files/wmffix_hexblog13.exe 
Fix Described Here:  http://www.hexblog.com/2005/12/wmf_vuln.html 

VULNERABILITY CHECKER DIRECT DOWNLOAD LINK:  http://www.hexblog.com/security/files/wmf_checker_hexblog.exe 
Checker Described here:  http://www.hexblog.com/2006/01/wmf_vulnera....html#more 

The temporary patch can be uninstalled via Add/Remove programs after Microsoft provides a solution to this exploit. "

 
Title: Re: WMF exploit problem
Post by: hlecter on January 03, 2006, 06:58:00 PM
:) The following was posted on the freedomlist.com antiSPYWARE forums yesterday:
"
There is one critical thing you need to do, however, and that is to install the temporary patch from Ilfak to protect your computer from the Microsoft Windows Media Format (WMF) Zero Day Exploit (See WMF FAQ here).

FIX DIRECT DOWNLOAD LINK: http://www.hexblog.com/security/files/wmffix_hexblog13.exe
Fix Described Here: http://www.hexblog.com/2005/12/wmf_vuln.html

VULNERABILITY CHECKER DIRECT DOWNLOAD LINK: http://www.hexblog.com/security/files/wmf_checker_hexblog.exe
Checker Described here: http://www.hexblog.com/2006/01/wmf_vulnera....html#more

The temporary patch can be uninstalled via Add/Remove programs after Microsoft provides a solution to this exploit. "

 

There seems to be no general consensus concerning what to do.

MS Security Advisory does not recommend this solution, but to use their dll unregister. The last version of the advisory (912840) says that an official patch is ready and that only testing remains. They hope it will be available in a week!

I have read a lot of the writings and decided not to run the unofficial patch.
No one knows what is the best thing to do, I think.

(Hexblog is now up to version 1.4 btw)

HL


Edited with link to Microsoft security advisory: 

www.microsoft.com/technet/security/advisory/912840.mspx

HL
Title: Re: WMF exploit problem
Post by: Reiner on January 03, 2006, 07:25:09 PM
Quote
hlecter wrote:
I can confirm that both the webshield and standard shield on my machine gives me a warning on said page.

The malware is named WMF Exploit.

I have to turn off the webshield to test the standard shield!  Grin

The newest pattern did it for me. I hope avast not just added the heise.de demo exploit to their pattern but has a more common approach in detecting variants of this exploit. There seem to be virus generators out in the wild that allow almost anybody to inject harmful code into wmf files.

Nice job done by avast having solved this issue fast.


Regarding the unofficial patch provided by Ilfak Guilfanov, I installed it on my system, having no problems at all. Of course it is questionable to install software from "unknown" sources, but this patch was examined by sans.org and if you don't trust them, you could look at the source code yourself. Removing was painless and as far as I can tell it left nothing behind.

Reiner
Title: Re: WMF exploit problem
Post by: hlecter on January 03, 2006, 07:45:57 PM

Regarding the unofficial patch provided by Ilfak Guilfanov, I installed it on my system, having no problems at all. Of course it is questionable to install software from "unknown" sources, but this patch was examined by sans.org and if you don't trust them, you could look at the source code yourself. Removing was painless and as far as I can tell it left nothing behind.

Reiner

Of course I Trust Sans.org.
But  MANY people have had problems with the unofficial patch.
So I was in doubt. But I decided to wait for the official patch.
I think about e.g. localisation problems in my Norwegian version of XP.  MS are making patches for 20+ languages.  :)

Here is a bit from the advisory:

"
What’s Microsoft’s response to the availability of third party patches for the WMF vulnerability?

Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006.

As a general rule, it is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software. With Microsoft software, Microsoft carefully reviews and tests security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. In addition, Microsoft’s security updates are offered in 23 languages for all affected versions of the software simultaneously.

Microsoft cannot provide similar assurance for independent third party security updates.
"

That made MY decision.

HL
Title: Re: WMF exploit problem
Post by: Reiner on January 03, 2006, 08:28:58 PM
You are the first one who reports problems with that patch. I run a German XP Pro version at home and in the office in a Novell environment (Yes! No AD!) and have so far not experienced any problems (2 days). My colleagues installed it as well -> no problems.

Of course MS recommends official patches, but waiting until the official patch day next week to supply a patch for a really dangerous exploit is in my opinion more than irresponsible. The unofficial patch only shows how fast a feasible solution can be accomplished by just ONE programmer! MS for sure has more than one experienced programmer. This unofficial patch shines a bad light on MS, in my opinion.

Additionally, this patch shows how fast the free community can come up with solutions!

Just my opinion

Reiner
Title: Re: WMF exploit problem
Post by: igor on January 03, 2006, 09:05:48 PM
The newest pattern did it for me. I hope avast not just added the heise.de demo exploit to their pattern but has a more common approach in detecting variants of this exploit. There seem to be virus generators out in the wild that allow almost anybody to inject harmful code into wmf files.

No, this detection is really a generic detection of the "exploit" itself - the previous detections (Win32:Exdown) were removed from the database.

Regarding the unoffical patch provided by Ilfak Guilfanov, I installed it on my system, having no problems at all. Of couse it is questionable to install software from "unknown" sources, but this patch was examined by sans.org and if you don't trust them, you could look at the source code yourself.

I like that statement  ;D
I mean, the author's name is probably not very-well known to common public, but I, personally, would certainly trust Ilfak Guilfanov more than all the sans.org's in the world.
Title: Re: WMF exploit problem
Post by: hlecter on January 03, 2006, 09:07:29 PM
You are the first one who reports problems with that patch.

Well, I have not tried to install it myself. But I have read hundreds of different opinions about the WMF exploit and the different patches. At first the patch was meant for XP SP2 only, and I am on XP SP1...
Then it was extended to several variants of windows...
The problems I read about were either concerning installing the patch or difficulties uninstalling it.

One I read about destroyed his Windows.

Many reported zero problems as you do.

I had decided to install the patch today after Ghosting my system first, but then I decided to wait for MS.

Everybody has to make up their own mind in this matter, but I think this thread is more about security than Avast! so I will stop here.

Have a nice evening.  :)

Hannibal Lecter
Title: Re: WMF exploit problem
Post by: neal62 on January 03, 2006, 09:44:36 PM
If this is the patch at GRC by this gentleman Mr. Guilfanov, then the patch he has was written for 64 bit WinXP. I don't know or think it would work for a 32 bit version of WinXP but I may be wrong?
Title: Re: WMF exploit problem
Post by: JimF on January 03, 2006, 09:56:07 PM
If this is the patch at GRC by this gentleman Mr. Guilfanov, then the patch he has was written for 64 bit WinXP. I don't know or think it would work for a 32 bit version of WinXP but I may be wrong?
I downloaded from GRC (http://www.grc.com/miscfiles/wmffix_hexblog14.exe) and it works fine on my 32 bit WinXP SP2 system.  But with avast! now having the generic signatures, I suppose it is safe enough to wait until the Microsoft patch comes out if that is what you want to do.
Title: Re: WMF exploit problem
Post by: Vlk on January 03, 2006, 10:01:38 PM
I don't know but Igor actually reported that the patch BROKE AVAST on one of our machines. I.e. the on-access scanner in avast stopped working. We didn't spend time analysing WHY that was happening, but if it broke avast, it could have broken other software as well...

I don't think it's necessary (or even desirable) to install the patch - avast with the latest definitions should guard you well.
Title: Re: WMF exploit problem
Post by: neal62 on January 03, 2006, 10:06:23 PM
I have read today that Microsoft is planning to come out with an official patch on Jan 10th. They are testing it now.
Title: Re: WMF exploit problem
Post by: Vlk on January 03, 2006, 10:10:11 PM
Yes, Jan 10 = second Tuesday in month = usual "patch day". ;)
Title: Re: WMF exploit problem
Post by: igor on January 03, 2006, 10:11:17 PM
I don't know but Igor actually reported that the patch BROKE AVAST on one of our machines. I.e. the on-access scanner in avast stopped working. We didn't spend time analysing WHY that was happening, but if it broke avast, it could have broken other software as well...

I also said that I thought it had been only an unrelated coincidence ;)
The patch doesn't really do much, I don't think it can have many negative effects (apart from very specific UI applications maybe).
Title: Re: WMF exploit problem
Post by: CharleyO on January 03, 2006, 10:47:23 PM
***

For those interested, the below link has 6 pictures of 6 infected websites.

http://news.zdnet.com/2300-1009_22-6016439-1.html?tag=nl.e589


***
Title: Re: WMF exploit problem
Post by: artamangr on January 04, 2006, 12:50:16 AM
Hi,
maybe a silly question this one...is it necessary to set the sensitivity of avast to high, in order to be protected from the wmf exploit?
Title: Re: WMF exploit problem
Post by: hlecter on January 04, 2006, 12:52:57 AM

Here is a bit from the advisory:

"
What’s Microsoft’s response to the availability of third party patches for the WMF vulnerability?

Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006.

As a general rule, it is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software. With Microsoft software, Microsoft carefully reviews and tests security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. In addition, Microsoft’s security updates are offered in 23 languages for all affected versions of the software simultaneously.

Microsoft cannot provide similar assurance for independent third party security updates.
"

That made MY decision.



This I wrote some posts ago in this thread. Seems like not all read the whole thread before posting. >:(

I don't know but Igor actually reported that the patch BROKE AVAST on one of our machines. I.e. the on-access scanner in avast stopped working. We didn't spend time analysing WHY that was happening, but if it broke avast, it could have broken other software as well...

I don't think it's necessary (or even desirable) to install the patch - avast with the latest definitions should guard you well.

Thank you, VLK for supportive post.  ;D

HL
Title: Re: WMF exploit problem
Post by: DavidR on January 04, 2006, 12:57:07 AM
Hi,
maybe a silly question this one...is it necessary to set the sensitivity of avast to high, in order to be protected from the wmf exploit?
No, the Web Shield should be first line of defence and Standard Shield if required should pick it up if it is a newly created file regardless of sensitivity setting.
Title: Re: WMF exploit problem
Post by: artamangr on January 04, 2006, 01:03:00 AM
Hi again,
I am asking because in the normal sensitivity neither the webshield nor the standard shield appear to be scanning png and gif files...
Title: Re: WMF exploit problem
Post by: hlecter on January 04, 2006, 01:10:07 AM
Hi,
maybe a silly question this one...is it necessary to set the sensitivity of avast to high, in order to be protected from the wmf exploit?
No, the Web Shield should be first line of defence and Standard Shield if required should pick it up if it is a newly created file regardless of sensitivity setting.

I can confirm that the test at heise which started this thread will stop everything even when the webshield is temporarily disabled. Resident shield=normal.    ;D

Why not do the test?  ???

HL

Title: Re: WMF exploit problem
Post by: DavidR on January 04, 2006, 01:28:10 AM
Hi again,
I am asking because in the normal sensitivity neither the webshield nor the standard shield appear to be scanning png and gif files...
I thought we were talking .wmf here?

They (png and jpg) aren't in the default list of files to scan, the WMF is on the default list. However, when you try to open a file it will be scanned before opening.
Title: Re: WMF exploit problem
Post by: polonus on January 04, 2006, 01:37:16 AM
Hello forum folks,

I stumbled upon this story tonight, read it "cum grano salis",
but you will notice what old "spooks" are hunting us now. Ever heard of a bunch of developers known as the Microsoft "undead"?
Read this: http://www.radsoft.net/resources/rants/20051231,00.shtml
If only 5% is true it is frightening.

polonus
Title: Re: WMF exploit problem
Post by: artamangr on January 04, 2006, 01:39:01 AM
Hi again,
I am asking because in the normal sensitivity neither the webshield nor the standard shield appear to be scanning png and gif files...
I thought we were talking .wmf here?

They (png and jpg) aren't in the default list of files to scan, the WMF is on the default list. However, when you try to open a file it will be scanned before opening.

I did the test...with webshield 'on' the file is .php so it is scanned and virus found, ok.
With webshield 'off' the downloaded file is .wmf so it is scanned by the standard shield (even in normal sensitivity) and virus found, ok.
What I am worried about is just .png and .gif files, since as I read in the other related topic (wmf vulnerability avast official confirmation-message by TAP) the wmf exploit can be renamed to any type of image file, even .png and .gif that are not scanned in normal sensitivity neither by the webshield nor by the standard shield...should I do as suggested by TAP and remove .png and .gif files from the webshield exceptions list?
Title: Re: WMF exploit problem
Post by: polonus on January 04, 2006, 02:03:58 AM
Hello forum folks,

Be sensible, and read this, there is a lot of misinformation out on the Net regarding the WMF exploit and what to do:
http://blogs.zdnet.com/Ou/?p=143
There was a person who had this checking script
-------------
rem Create the marker directory once, so the script can remember that it already ran.
if not exist c:\scripts\nul md c:\scripts
rem Unregister shimgvw.dll (the Microsoft advisory's workaround) only once and record the date in a marker file.
rem The regsvr32 call was lost from the forum post and is reconstructed here; %windiw% was a typo for %windir%.
if not exist c:\scripts\wmfdisabled.txt (
    regsvr32 /u /s %windir%\system32\shimgvw.dll
    date /t > c:\scripts\wmfdisabled.txt
)
-------------
greets,

polonus
Title: Re: WMF exploit problem
Post by: Reiner on January 04, 2006, 10:22:56 AM
....
No, this detection is really a generic detection of the "exploit" itself - the previous detections (Win32:Exdown) were removed from the database.
....
I like that statement  ;D
I mean, the author's name is probably not very-well known to common public, but I, personally, would certainly trust Ilfak Guilfanov more than all the sans.org's in the world.
Thanks to Igor for providing the information about how avast is detecting the exploit.

Regarding the patch provided by Ilfak, I have no problems running it with avast (web and on-access scanning) on my German XP Pro system. Even at work, with another virus scanner, the patch works flawlessly.

I think with the patch it is not different than with all the other software being installed and run in Windows. You never know if the next software package you install, programmed by no matter what company, serious or less serious, can break your system. I guess everybody has to decide for himself, what to install and whom to trust. I myself would and will not trust or rely on information provided only by MS.

Concerning what can be harmful and what not, I think there are numerous serious sites on the internet which cover this problem, unfortunately sometimes in a quite technical way, extensively.

As far as I know, a WMF file can be renamed to JPG, GIF, BMP, PNG etc.. If you open such a file, Windows recognizes this file to be a WMF file due to header information within the file. The problem with that is, that a WMF file (or a renamed WMF file) can be found almost everywhere, see
Hello forum folks,

I stumbled upon this story to-night, read it "cum grano salis",
but you will notice what old "spooks" are hunting us now. Ever heard of a bunch of developers known as the Microsoft "undead"?
Read this: http://www.radsoft.net/resources/rants/20051231,00.shtml
If only 5% is true it is frightening.

polonus

They are right concerning where and how WMF pictures can be hidden or used. And that's what is frightening me. Send somebody a Word document with an embedded WMF (or renamed) picture, send somebody an email with an infected picture, post such a picture on blogs, web sites, etc., you just name it.

There is even a rumour that there may be more vulnerabilities in the way WMF files are handled by Windows. As I say, so far it's just a rumour, let's see what will happen...
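An added example (not code from the forum thread or from avast) of the point made above: a small Python checker that identifies WMF content by the header inside the file instead of by its extension, so a WMF renamed to .jpg or .png is still recognised and an extension mismatch is flagged. The header constants are the documented WMF magic values; the sample files are constructed inline.

```python
"""Detect WMF content by header, regardless of file extension.

Added example, not from the forum thread or from avast. Windows identifies a
renamed WMF (saved as .jpg, .gif, .png, ...) by the header inside the file, so
a scanner that skips files by extension or MIME type can miss it. This checker,
for a defender triaging downloads or mail attachments, classifies a file by its
WMF header and flags extension mismatches. Samples are constructed inline.
"""
import os
import struct

# Placeable (Aldus) metafile header: 32-bit key 0x9AC6CDD7, little-endian.
PLACEABLE_KEY = 0x9AC6CDD7
# Standard METAHEADER: mtType 1 (memory) or 2 (disk), mtHeaderSize 9 words,
# mtVersion 0x0100 or 0x0300.
WMF_TYPES = {1, 2}
WMF_HEADER_WORDS = 9
WMF_VERSIONS = {0x0100, 0x0300}


def is_wmf(data: bytes) -> bool:
    """True if data begins with a placeable or a standard WMF header."""
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_KEY:
        return True
    if len(data) >= 6:
        mt_type, header_size, version = struct.unpack("<HHH", data[:6])
        return (mt_type in WMF_TYPES and header_size == WMF_HEADER_WORDS
                and version in WMF_VERSIONS)
    return False


def classify(name: str, data: bytes) -> str:
    """Return 'wmf', 'disguised-wmf' (WMF bytes under another extension), or 'other'."""
    if not is_wmf(data):
        return "other"
    ext = os.path.splitext(name)[1].lower()
    return "wmf" if ext == ".wmf" else "disguised-wmf"


def find_disguised(files):
    """Names of files whose bytes are WMF but whose extension says otherwise."""
    return [name for name, data in files if classify(name, data) == "disguised-wmf"]


# Constructed samples (not real exploit files): headers plus zero padding.
PLACEABLE_WMF = struct.pack("<I", PLACEABLE_KEY) + bytes(18)   # 22-byte placeable header
STANDARD_WMF = struct.pack("<HHH", 2, WMF_HEADER_WORDS, 0x0300) + bytes(12)
PNG = b"\x89PNG\r\n\x1a\n" + bytes(16)
JPEG = b"\xff\xd8\xff\xe0" + bytes(16)

SAMPLES = [
    ("chart.wmf", STANDARD_WMF),   # honest WMF, extension matches content
    ("photo.jpg", PLACEABLE_WMF),  # WMF renamed to .jpg: extension-based skipping misses it
    ("logo.png", PNG),
    ("pic.jpeg", JPEG),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name:12} -> {classify(name, data)}")
    print("disguised:", find_disguised(SAMPLES))
```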
Title: Re: WMF exploit problem
Post by: Reiner on January 04, 2006, 11:10:31 AM
For all those interested in information concerning Ilfaks patch see:

http://castlecops.com/f212-hexblog.html

Reiner
Title: Re: WMF exploit problem
Post by: Lars-Erik on January 04, 2006, 02:50:16 PM
On my WebShield setup I have exceptions for IMAGE/GIF, IMAGE/JPEG and IMAGE/PNG.  Are all exceptions a threat now with the WMF thing?
Title: Re: WMF exploit problem
Post by: polonus on January 04, 2006, 05:15:29 PM
Dear Forum Folks,

All that like to uninstall the WMF Hotfix for one reason or other, or before downloading the official Microsoft patch due for Jan 10th,
do this by going to C:\Program Files\Windows MetafileFix\inins000.exe.

greets,

Polonus
Title: Re: WMF exploit problem
Post by: DavidR on January 04, 2006, 05:39:38 PM
It should also be in the Add Remove programs list as Windows WMF Metafile Vulnerability Hotfix 1.x
Title: Re: WMF exploit problem
Post by: HIPPO on January 05, 2006, 01:16:08 PM
Dear Forum Folks,

Microsoft has recommended customers to "disregard" a beta.

Quote
Kaspersky Analyst's Diary :

A beta version of the Microsoft patch, scheduled to be released on January 10, was leaked on the Internet. Microsoft has recommended customers to "disregard" it, warning that threats could be hidden in any patches coming from dubious sources.
Title: Re: WMF exploit problem
Post by: CharleyO on January 06, 2006, 12:44:21 AM
***

The official Fix is out. Go to Windows Update and get it now!    ;)


***
Title: Re: WMF exploit problem
Post by: rwaters on January 06, 2006, 01:08:36 AM
You can get the details here:

http://www.microsoft.com/athome/security/update/bulletins/200601_WMF.mspx