Author Topic: WMF Exploit 0-Day  (Read 58916 times)

0 Members and 1 Guest are viewing this topic.

Offline Sgt.Schumann

  • Jr. Member
  • **
  • Posts: 72
  • Men of the '303'
WMF Exploit 0-Day
« on: December 28, 2005, 12:54:38 PM »
There is a new unpatched exploit in the wild:  :(
http://www.f-secure.com/weblog/archives/archive-122005.html#00000752

Does Avast! already prevent from this danger?

Offline TAP

  • Sr. Member
  • ****
  • Posts: 201
  • I'm a llama!
Re: WMF Exploit 0-Day
« Reply #1 on: December 28, 2005, 01:12:59 PM »
I'd recommend avast! users to take advantage from Web Shield by using URL Blocking to block all *.wmf files.

I think it would be good if Alwil releases signature of this exploit so Web Shield should protect us well by scanning HTTP traffic in real time.

..::ReVaN::..

  • Guest
Re: WMF Exploit 0-Day
« Reply #2 on: December 28, 2005, 01:27:34 PM »
I've alerted Alwil to this thread i hope we get some more info on this soon ;)

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: WMF Exploit 0-Day
« Reply #3 on: December 28, 2005, 01:31:47 PM »
Tap's suggestion is a good one.

1. Microsoft has already released a security bulletin about this issue: http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx

2. We do have a sample file for this but preparation of a signature will take some time...

3. So far, no AV is detecting this (AFAIK)

4. The only site known to use this expoit so far is unionseek.com (I don't recommend going there). Adding something like *unionseek.com* to the list of WebShield's blocked URL's would also be a good idea...


Cheers
Vlk
If at first you don't succeed, then skydiving's not for you.

..::ReVaN::..

  • Guest
Re: WMF Exploit 0-Day
« Reply #4 on: December 28, 2005, 01:37:18 PM »
There i blocked *.wmf and unionseek.com....

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: WMF Exploit 0-Day
« Reply #5 on: December 28, 2005, 01:37:54 PM »
Sorry, 1. in my post above is not exactly correct. This is indeed a new variant not covered by the patch. I apologize.
If at first you don't succeed, then skydiving's not for you.

Offline TAP

  • Sr. Member
  • ****
  • Posts: 201
  • I'm a llama!
Re: WMF Exploit 0-Day
« Reply #6 on: December 28, 2005, 05:27:26 PM »
We're protected by the latest VPS 0552-1, avast! detects this exploit as Win32:Exdown [Trj] and other AVs do too but avast!'s users are more effectively protected by Web Shield as it scans HTTP traffic in real time so the exploit is stopped before it gets to our machine.

Many thanks go to Alwil for quick responses.  :)
« Last Edit: December 28, 2005, 05:34:50 PM by TAP »

Offline Sgt.Schumann

  • Jr. Member
  • **
  • Posts: 72
  • Men of the '303'
Re: WMF Exploit 0-Day
« Reply #7 on: December 28, 2005, 07:17:46 PM »
Thank you for the replies and the quick response of the Avast! Team!  :)


Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: WMF Exploit 0-Day
« Reply #8 on: December 28, 2005, 10:05:49 PM »
The existing exploit is pretty agressive. It installs an "anti-spyware" (fake) program that tells the user that his/her machine is infected - and offers him/her a cure - for 39 bucks >:(

See it in action: http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv


Idiots.
« Last Edit: December 28, 2005, 10:25:10 PM by Vlk »
If at first you don't succeed, then skydiving's not for you.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9328
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: WMF Exploit 0-Day
« Reply #9 on: December 28, 2005, 10:17:26 PM »
SpySheriff was doing that for quiet some time... Drive by installs are real pain in the rear... >:(
Visit my webpage Angry Sheep Blog

..::ReVaN::..

  • Guest
Re: WMF Exploit 0-Day
« Reply #10 on: December 28, 2005, 11:32:27 PM »
SpySheriff was doing that for quiet some time... Drive by installs are real pain in the rear... >:(

SpySheriff huh? O boy i could tell you some stories about that sucker, all the times i had to clean that fu..... mess.
The worst part is people really believe it's a real anti-spyware program....

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32538
  • malware fighter
Re: WMF Exploit 0-Day
« Reply #11 on: December 28, 2005, 11:42:58 PM »
Hi ReVaN,

Yes SpySheriif was/is a cruel bit of nastiness. It was high on the list of Ben Edelman, the American judicial authority on fighting the malware sellers in court. It came in from Australia and it wants to conquer the world. I have a blend of block lists to cut all this creeps short from my 127.0.0.1. My computer cannot even connect to it.
And I personally think that spyware and scumware is a bigger threat then virus ever was. There must be milions and milions of infested machines on this earth,

Polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1787
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: WMF Exploit 0-Day
« Reply #12 on: December 29, 2005, 12:39:44 PM »
authors of this type of malware should be drop in middle of desert w/o any water ...
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline Darren

  • Jr. Member
  • **
  • Posts: 55
Re: WMF Exploit 0-Day
« Reply #13 on: December 29, 2005, 04:07:35 PM »
New Microsoft Security Advisory (912840) posted today.

http://www.microsoft.com/technet/security/advisory/912840.mspx

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32538
  • malware fighter
Re: WMF Exploit 0-Day work-around available
« Reply #14 on: December 29, 2005, 05:02:03 PM »
Hi forum folks,

There is a work-around available for the WMF-0-Day Exploit,
look here: http://www.eweek.com/article2/0,1895,1906211,00.asp

greets,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!