WMF Exploit 0-Day

[Sgt.Schumann]

There is a new unpatched exploit in the wild: 
http://www.f-secure.com/weblog/archives/archive-122005.html#00000752

Does Avast! already prevent from this danger?

[TAP]

I'd recommend avast! users to take advantage from Web Shield by using URL Blocking to block all *.wmf files.

I think it would be good if Alwil releases signature of this exploit so Web Shield should protect us well by scanning HTTP traffic in real time.

[..::ReVaN::..]

I've alerted Alwil to this thread i hope we get some more info on this soon

[Vlk]

Tap's suggestion is a good one.

1. Microsoft has already released a security bulletin about this issue: http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx

2. We do have a sample file for this but preparation of a signature will take some time...

3. So far, no AV is detecting this (AFAIK)

4. The only site known to use this expoit so far is unionseek.com (I don't recommend going there). Adding something like *unionseek.com* to the list of WebShield's blocked URL's would also be a good idea...


Cheers
Vlk

[..::ReVaN::..]

There i blocked *.wmf and unionseek.com....

[Vlk]

Sorry, 1. in my post above is not exactly correct. This is indeed a new variant not covered by the patch. I apologize.

[TAP]

We're protected by the latest VPS 0552-1, avast! detects this exploit as Win32:Exdown [Trj] and other AVs do too but avast!'s users are more effectively protected by Web Shield as it scans HTTP traffic in real time so the exploit is stopped before it gets to our machine.

Many thanks go to Alwil for quick responses. 

[Sgt.Schumann]

Thank you for the replies and the quick response of the Avast! Team! 

[Vlk]

The existing exploit is pretty agressive. It installs an "anti-spyware" (fake) program that tells the user that his/her machine is infected - and offers him/her a cure - for 39 bucks

See it in action: http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv


Idiots.

[RejZoR]

SpySheriff was doing that for quiet some time... Drive by installs are real pain in the rear...

[..::ReVaN::..]

SpySheriff was doing that for quiet some time... Drive by installs are real pain in the rear...

SpySheriff huh? O boy i could tell you some stories about that sucker, all the times i had to clean that fu..... mess.
The worst part is people really believe it's a real anti-spyware program....

[polonus]

Hi ReVaN,

Yes SpySheriif was/is a cruel bit of nastiness. It was high on the list of Ben Edelman, the American judicial authority on fighting the malware sellers in court. It came in from Australia and it wants to conquer the world. I have a blend of block lists to cut all this creeps short from my 127.0.0.1. My computer cannot even connect to it.
And I personally think that spyware and scumware is a bigger threat then virus ever was. There must be milions and milions of infested machines on this earth,

Polonus

[Dwarden]

authors of this type of malware should be drop in middle of desert w/o any water ...

[Darren]

New Microsoft Security Advisory (912840) posted today.

http://www.microsoft.com/technet/security/advisory/912840.mspx

[polonus]

Hi forum folks,

There is a work-around available for the WMF-0-Day Exploit,
look here: http://www.eweek.com/article2/0,1895,1906211,00.asp

greets,

polonus