tarna Posted January 4, 2006

http://antivirus.about.com/od/virusdescrip...mfexploit_4.htm

January 1, 2005

The WMF exploit is made possible because of a design flaw. In other words, according to F-Secure, it's not a bug, it's a feature. And F-Secure says this design mistake may have been around since the days of Windows 3.0. As SANS says, "the Microsoft WMF vulnerability is bad. It is very, very bad." Here are five other facts about the WMF flaw that is leaving all of us Windows users very, very vulnerable.

Fact #1: You do not have to open the image file to be affected. If you browse to a folder it's in, view a website it's on, receive it in email, click a link pointing to an exploited image in IM or email, select it with your mouse or keyboard, or if you use Google Desktop, the exploit will render.

Fact #2: This is not a browser problem. Using Firefox or Opera isn't going to help. This exploit is made possible because of a design flaw in the Windows operating system. The rendering of the exploit happens within Windows (gdi32.dll to be exact, and not from within and not because of the browser). As seen in Fact #1 above, you can also encounter an exploited image file in a variety of ways, not just by web surfing.

Fact #3: The .WMF extension is immaterial. Just because the image has a different extension doesn't mean it's not a WMF file containing the exploit. The most recent version spotted in email was disguised as HappyNewYear.JPG. This wasn't some double extension ruse either. Windows doesn't care what extension the image file has; it will still recognize that it's a WMF file and the handling for it will be the same, thus the exploit will render.

Fact #4: The exploit is not restricted to Windows Fax and Picture Viewer. The vulnerable DLL is actually GDI32.DLL. The previously implicated SHIMGVW.DLL is guilty, but apparently only because it calls GDI32.DLL. However, you cannot unregister GDI32.DLL, not if you want your system to function, that is. A patch for GDI32.DLL was created by IDA Pro genius Ilfak Guilfanov and it's backed up by SANS. You can read more about Ilfak's patch, and how to download it, here.

Fact #5: The exploit impacts nearly all Windows users. Affected versions include: all versions of Windows XP (SP1 and SP2, Pro and Home, 32-bit and 64-bit), Windows Server 2003 (including SP1, 32-bit and 64-bit, and Itanium-based versions), Microsoft Windows 2000 Service Pack 4, as well as Windows 98 (including SE), and Windows ME. In short, if you use Windows, odds are you are one of the 'hundreds of millions' of sitting ducks to this exploit.

There is a patch that seems to be effective but the site is down right now. I'll keep checking and post a link here after I've looked into it further. Just got the info today so I'm still trying to get accurate information.

Ruminations... When a man has no Future, the Present passes too quickly to be assimilated and only the static Past has value.
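An added example, mine rather than anything from tarna's post or the about.com article it quotes, to make Facts #2 through #4 concrete: a small Python checker that recognises a Windows Metafile by its header bytes, the way GDI does, instead of by file extension, and then walks the records looking for a META_ESCAPE record whose escape function is SETABORTPROC. That record type is the piece of the WMF format the MS06-001 fix stopped GDI32 from honouring when playing a file; the thread itself never names it, so treat that detail as background knowledge added here. All sample files below (a clean WMF, a WMF carrying a SETABORTPROC escape with placeholder bytes rather than a payload, a JPEG stub and a truncated WMF) are constructed inline so the script runs offline.

```python
# Added example: content-based WMF check. Not from the original post.
import struct
from functools import reduce

PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus "placeable" WMF header, 22 bytes
META_EOF = 0x0000
META_SETBKMODE = 0x0102
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape sub-function; background knowledge, not stated in the thread


def _placeable_checksum(head20: bytes) -> int:
    """XOR of the first ten WORDs of the placeable header."""
    return reduce(lambda a, b: a ^ b, struct.unpack("<10H", head20))


def parse_wmf(data: bytes) -> dict:
    """Recognise a WMF by its header, as GDI does, and split it into records.
    Returns {"placeable", "version", "records": [(function, params), ...]};
    raises ValueError if the bytes are not a WMF or a record size is bogus."""
    offset, placeable = 0, False
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        if _placeable_checksum(data[:20]) != struct.unpack_from("<H", data, 20)[0]:
            raise ValueError("placeable header checksum mismatch")
        offset, placeable = 22, True
    if len(data) < offset + 18:
        raise ValueError("too short for a WMF header")
    # Type (1 memory, 2 disk), HeaderSize (always 9 WORDs), Version (0x0100/0x0300),
    # FileSize in WORDs, NumberOfObjects, MaxRecord in WORDs, NumberOfMembers.
    mtype, hdr_words, version, _, _, _, _ = struct.unpack_from("<HHHIHIH", data, offset)
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        raise ValueError("not a WMF header")
    records, pos = [], offset + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)   # size includes itself
        if size_words < 3:
            raise ValueError(f"malformed record size at offset {pos}")
        records.append((func, data[pos + 6:pos + size_words * 2]))
        pos += size_words * 2
        if func == META_EOF:
            break
    return {"placeable": placeable, "version": version, "records": records}


def find_setabortproc(data: bytes) -> list:
    """(record index, claimed payload length) for every META_ESCAPE record
    whose escape function is SETABORTPROC."""
    hits = []
    for i, (func, params) in enumerate(parse_wmf(data)["records"]):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, nbytes = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append((i, nbytes))
    return hits


def classify(data: bytes) -> str:
    """Verdict for a blob of bytes; the file name plays no part."""
    try:
        hits = find_setabortproc(data)
    except ValueError as err:
        return f"rejected ({err})"
    return "WMF with SETABORTPROC escape" if hits else "WMF, no SETABORTPROC"


# ---- constructed sample files (made up for this demonstration) ----

def _record(func: int, params: bytes = b"") -> bytes:
    assert len(params) % 2 == 0, "WMF records are WORD-aligned"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list, placeable: bool = False) -> bytes:
    body = b"".join(_record(f, p) for f, p in records)
    max_words = max((6 + len(p)) // 2 for _, p in records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    if placeable:
        head20 = struct.pack("<IHhhhhHI", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0)
        header = head20 + struct.pack("<H", _placeable_checksum(head20)) + header
    return header + body


CLEAN_WMF = build_wmf([(META_SETBKMODE, struct.pack("<H", 1)), (META_EOF, b"")])
_DUMMY = b"\x00" * 8     # placeholder bytes, not code
SUSPECT_WMF = build_wmf([(META_SETBKMODE, struct.pack("<H", 1)),
                         (META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(_DUMMY)) + _DUMMY),
                         (META_EOF, b"")], placeable=True)
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(32)
MALFORMED_WMF = CLEAN_WMF[:18] + bytes(6)   # header, then a record claiming size 0

SAMPLES = {            # name -> bytes; the name is deliberately ignored by classify()
    "chart.wmf": CLEAN_WMF,
    "HappyNewYear.jpg": SUSPECT_WMF,
    "photo.jpg": JPEG_STUB,
    "broken.wmf": MALFORMED_WMF,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:18s} {classify(blob)}")
```

The point of the "HappyNewYear.jpg" entry is Fact #3: the verdict comes from the header and records, so the .jpg name buys the file nothing. A real JPEG fails the header check, and a file whose record sizes do not add up is rejected rather than guessed at, which is the behaviour you want from anything that sits in front of GDI.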
kirottu Posted January 4, 2006

This piece of information actually found it.

This post is not to be enjoyed, discussed, or referenced on company time.
Diamond Posted January 4, 2006

Not as dangerous as the previous bug that Microsoft GDI+ had with its JPEG implementation.
Kaftan Barlast Posted January 4, 2006

But what does this exploit do really? No one actually says what it does except that it may download trojans to your computer.

DISCLAIMER: Do not take what I write seriously unless it is clearly and in no uncertain terms, declared by me to be meant in a serious and non-humoristic manner. If there is no clear indication, assume the post is written in jest. This notification is meant very seriously and its purpose is to avoid misunderstandings and the consequences thereof. Furthermore; I cannot be held accountable for anything I write on these forums since the idea of taking serious responsibility for my unserious actions, is an oxymoron in itself. Important: as the following sentence contains many naughty words I warn you not to read it under any circumstances; botty, knickers, wee, erogenous zone, psychiatrist, clitoris, stockings, bosom, poetry reading, dentist, fellatio and the department of agriculture. "I suppose outright stupidity and complete lack of taste could also be considered points of view."
Surreptishus Posted January 4, 2006 (edited)

A new strain of virus has appeared which means that a specially designed Windows Metafile (wmf) could be used to gain access to a machine and take control. The situation is worsened by the fact that source code for the exploit has been published on the Internet and that the virus changes itself when it replicates, making it harder for it to be detected by traditional signature-based security software.

Oh, and Microsoft will have a patch on the 10th.

Edited January 4, 2006 by Surreptishus
LadyCrimson Posted January 4, 2006 (edited)

Quoting Kaftan Barlast: But what does this exploit do really? No one actually says what it does except that it may download trojans to your computer.

Ahhh... glad I'm not the only one scratching my head about that. The article is a year old, too, which seems odd if it's just getting around as common 'news' now...?

Edit - ahh... I looked again... maybe that site just forgot it was a new year...

Edited January 4, 2006 by LadyCrimson

"Things are as they are. Looking out into the universe at night, we make no comparisons between right and wrong stars, nor between well and badly arranged constellations." – Alan Watts
Diamond Posted January 4, 2006

Viewing a specially crafted WMF file causes a buffer overflow and allows any code to be executed on the compromised system. So any exploit using that vulnerability can potentially do many things to your computer.
LadyCrimson Posted January 4, 2006 (edited)

Reformat is always my answer. <snippage>

Edit - nvm, I asked a techie friend... got my answers...

Edited January 4, 2006 by LadyCrimson

"Things are as they are. Looking out into the universe at night, we make no comparisons between right and wrong stars, nor between well and badly arranged constellations." – Alan Watts
Blank Posted January 4, 2006

Quoting tarna: There is a patch that seems to be effective but the site is down right now. I'll keep checking and post a link here after I've looked into it further. Just got the info today so I'm still trying to get accurate information.

Hmm, thanks. I downloaded the fix. But like the others, I never had any particular problems before for any unexplained reasons. Oh well...
BattleCookiee Posted January 4, 2006 (edited)

Basically anything can be installed. But currently there have been many reports that it is being used to install KEYLOGGERS. Which are nasty buggers because they log every keystroke you make, allowing for an easy reconstruction of any password you type on your PC...

Edited January 4, 2006 by Battlewookiee
Blank Posted January 5, 2006

Quoting BattleCookiee: Basically anything can be installed. But currently there have been many reports that it is being used to install KEYLOGGERS. Which are nasty buggers because they log every keystroke you make, allowing for an easy reconstruction of any password you type on your PC...

Thanks very much then. And in that case it was a good idea to put this as a sticky.
tarna (Author) Posted January 6, 2006

To those of you that asked what this bug can do, it opens a door to your system, puts its foot in it and then invites its friends to party at your place. This is one of the known party crashers...

Trojan.Satiloler.B

Trojan.Satiloler.B is a Trojan horse that attempts to steal user names, passwords, and other information from the compromised computer. It also attempts to open a proxy server on a random TCP port. It has been reported that the Trojan is downloaded by malformed WMF files that utilize the Microsoft Windows Graphics Rendering Engine WMF Format Unspecified Code Execution Vulnerability (as described in BID 16074).

Type: Trojan Horse
Infection Length: 39,424 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Trojan.Satiloler.B is executed, it performs the following actions:

1. Creates a mutex named "_Toolbar_Class_32" so that only one instance of the Trojan is executed on the compromised computer.

2. Copies %System%\userinit.exe, which is a valid system file, as the following file and then deletes it:
   %Windir%\system\userinit.exe
   Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

3. Copies itself as:
   %System%\userinit.exe
   %ProgramFiles%\Common Files\system\lsass.exe
   Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP). %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

4. Creates the following files:
   %System%\xvid.dll
   %System%\xvid.ini
   %System%\divx.ini

5. Adds the value:
   "system" = "%ProgramFiles%\Common Files\system\lsass.exe"
   to the registry subkey:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   so that it runs every time Windows starts.

6. Modifies the values:
   "SFCDisable" = "FFFFFF9D"
   "SFCScan" = "0"
   in the registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   to disable Windows File Protection.

7. Adds the value:
   "System" = ""
   to the registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

8. Modifies the original %System%\sfc_os.dll or sfc.dll file and its backup in %Windir%\dllcache in order to disable System File Protection.

9. Attempts to close windows that have the following titles:
   Create rule for %s
   Un processus cache requiert une connexion reseau.
   Ne plus afficher cette invite
   Un proceso oculto solicita acceso a la red
   Aceptar
   Warning: Components Have Changed
   &Make changed component shared
   Hidden Process Requests Network Access
   Ein versteckter Prozess verlangt Netzwerkzugriff.
   PermissionDlg
   &Remember this answer the next time I use this program.
   &Yes
   Windows Security Alert
   Allow all activities for this application

10. Attempts to end the following processes:
    WINLDRA.EXE
    NETSCAPE.EXE
    OPERA.EXE
    FIREFOX.EXE
    MOZILLA.EXE
    M00.EXE
    WINTBPX.EXE
    SWCHOST.EXE
    SVOHOST.EXE
    SVC.EXE
    WINSOCK.EXE
    SPOOLS.EXE

11. Attempts to disable the following programs:
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

12. Steals the following information and saves it to %System%\desktops.ini:
    POP3 Username
    Password for Internet Explorer AutoComplete
    TheBat passwords
    e-gold account information

13. Searches for the following strings in the Web browser:
    postbank.de deutsche-bank.de diba.de 1822direkt.com .haspa.de .sparkasse- mbs-potsdam.de .homebanking- .bankingportal. dresdner-privat.de .gad.de citibank.de .portal-banking.de vr-ebanking.de vr-networld-ebanking.de cc-bank.de commerzbanking.de lacaixa.es axabanque.fr/client/sauthentification cahoot egg if.com smile first nation abbey natwest citi barclay allianc bank hsbc lloyd nwolb online hali npbs marbles trade rbs. lacaixa.es pin2 viabcp.com pin Payee_Account bancaonline. CLAVES ebankinter.com

14. Logs the following Web activity to %System%\divx.ini:
    URLs visited
    Radio button and checkbox status
    Keystrokes

15. Opens a proxy server on a random TCP port.

16. Posts the collected log files to [http://]fiv.bestswf.com/[REMOVED]/log.php.

17. Sends an HTTP request to [http://]fiv.bestswf.com/[REMOVED]/cmd.php with the following data gathered from the compromised computer and saves the response to %System%\xvid.ini:
    Username
    Geographical location
    Opened port number

A little wordy and technical, but even the least of geeks can see that it gets into places and looks for stuff where it doesn't belong. Those of you that use Norton, there is already an update for it that I've loaded and tested. Update and then use the link BW provided to test your firewall.

Ruminations... When a man has no Future, the Present passes too quickly to be assimilated and only the static Past has value.
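An added example of mine, not part of tarna's post or the Symantec write-up it quotes, that turns two of the indicators above (the Run-key entry launching a copy named lsass.exe from under Common Files, and Winlogon\SFCDisable being set to FFFFFF9D) into checks a responder could run over a registry export. The rules are written generically rather than as literal matches: any autorun whose file name is a Windows system binary but whose folder is not the system directory, and any non-zero SFCDisable. The two .reg-style exports are constructed for the demonstration (the paths and values are the ones in the post; no real machine was involved), and the extra names in SYSTEM_BINARIES beyond lsass.exe and userinit.exe are my assumption about what else gets impersonated, not something the post lists.

```python
# Added example: offline check for the persistence/tamper indicators above.
# Not from the original post or the Symantec write-up it quotes.
import re

# lsass.exe and userinit.exe are the names the post gives; the rest are assumed
# additions for the same "system name, wrong folder" trick.
SYSTEM_BINARIES = {"lsass.exe", "userinit.exe", "svchost.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"


def parse_reg_export(text: str) -> dict:
    r"""Parse [Key] / "Name"=value lines of a .reg export into
    {key (lower-cased): {name: value}}. Handles REG_SZ ("..." with doubled
    backslashes) and dword:xxxxxxxx, which is all these checks need."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"=(.+)', line)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            if value.startswith("dword:"):
                value = int(value[len("dword:"):], 16)
            else:
                value = value.strip('"').replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def _image_path(command: str) -> str:
    """Executable part of a Run value: the quoted path if quoted, else the whole
    string (assumes unquoted values carry no arguments, as in the post)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command


def check_autoruns(keys: dict) -> list:
    """Flag Run entries that launch a system-binary name from outside the
    system directory, e.g. the Trojan's lsass.exe copy under Common Files."""
    findings = []
    for key, values in keys.items():
        if not key.endswith(RUN_KEY_SUFFIX):
            continue
        for name, value in values.items():
            if not isinstance(value, str):
                continue
            folder, _, base = _image_path(value).lower().rpartition("\\")
            if base in SYSTEM_BINARIES and folder not in SYSTEM_DIRS:
                findings.append(f"{key}: value {name!r} runs {base} from {folder or '(no path)'}")
    return findings


def check_winlogon(keys: dict) -> list:
    r"""Flag Windows File Protection being switched off via Winlogon\SFCDisable
    (the post shows FFFFFF9D; anything but 0 is a tamper indicator)."""
    sfc = keys.get(WINLOGON_KEY, {}).get("SFCDisable", 0)
    if sfc != 0:
        return [f"Winlogon SFCDisable = 0x{sfc:08X} (Windows File Protection disabled)"]
    return []


def run_checks(reg_text: str) -> list:
    keys = parse_reg_export(reg_text)
    return check_autoruns(keys) + check_winlogon(keys)


# Constructed exports: the first mimics a box hit by the Trojan (values as listed
# in the post), the second a clean one. Neither was taken from a real machine.
INFECTED_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"system"="C:\\Program Files\\Common Files\\system\\lsass.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d
"SFCScan"=dword:00000000
"System"=""
'''

CLEAN_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000000
'''

if __name__ == "__main__":
    for label, export in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(label, run_checks(export) or ["nothing flagged"])
```

On a live machine you would feed it the output of `reg export` for the two hives; the parser deliberately keys on the lower-cased key path so HKCU and HKLM Run keys are both covered. The SFCDisable rule is the one worth keeping regardless of this particular Trojan: nothing legitimate sets it on a production box.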
Child of Flame Posted January 6, 2006

So what you're saying is I should update my subscription to Norton or stop looking up so much porn for a little while?
Blank Posted January 7, 2006

Quoting: Patch available now via Windows Update

Via Windows Update, eh? Can I get a link for that?
tarna (Author) Posted January 7, 2006

http://update.microsoft.com/windowsupdate/...t.aspx?ln=en-us

Ruminations... When a man has no Future, the Present passes too quickly to be assimilated and only the static Past has value.
Judge Hades Posted January 7, 2006

If this was such an old weakness, since Windows 3.0, why are they just fixing it now?
tarna (Author) Posted January 7, 2006

From what I've read about this one, it's been known about on hacker's boards but Microshaft couldn't be bothered until now. You have to wonder if they like the praise... "Microsoft to the rescue from those horrible hackers."

Ruminations... When a man has no Future, the Present passes too quickly to be assimilated and only the static Past has value.
Magena Posted January 9, 2006

I've thought for a while that MS leaves problems in their code... or maybe even creates them so that they have something to deal with in the next release... and it gives them reasons for more releases.
Diamond Posted January 9, 2006

Quoting Magena: I've thought for a while that MS leaves problems in their code... or maybe even creates them so that they have something to deal with in the next release... and it gives them reasons for more releases.

They definitely do not do this intentionally, because maintenance is additional cost. No company will create costs for itself.
tarna (Author) Posted January 10, 2006

Un-stuck.

Ruminations... When a man has no Future, the Present passes too quickly to be assimilated and only the static Past has value.
Synaesthesia Posted January 10, 2006

Quoting tarna: From what I've read about this one, it's been known about on hacker's boards but Microshaft couldn't be bothered until now. You have to wonder if they like the praise... "Microsoft to the rescue from those horrible hackers."

Microshaft? Are we on Slashdot now?
SteveThaiBinh Posted January 10, 2006

Quoting Diamond: They definitely do not do this intentionally, because maintenance is additional cost. No company will create costs for itself.

Indeed, and that presumably includes the extra testers and engineers that would be needed to spot this kind of thing and fix it before the product was released.

"An electric puddle is not what I need right now." (Nina Kalenkov)