Microsoft WMF 0-Day Exploit Roundup
It appears that the malware authors have been busy coming up with an unexpected ‘Christmas Gift’ for all the Windows users in the world. In this case simply browsing an infected website will run the exploit code and allow the ‘bad-guys’ to install malware onto the compromised system without the assistance or knowledge of the victim.
Yes, you read that correctly, just BROWSING a site which contains a malicious WMF file will infect your Windows system.
This exploit works invisibly on ‘Fully Patched’ Windows systems [including Windows XP SP2] using Internet Explorer. All the Mozilla/Firefox users out there are also vulnerable, although on Mozilla/Firefox the malicious image needs some help from the user to infect the system.
On Mozilla/Firefox you may see a message asking you to open the WMF file in ‘Windows Picture and Fax Viewer’; don’t do it, as your system will be exploited and malware will probably end up being installed as a result of allowing the WMF file to be viewed. You can also get infected by downloading the MALICIOUS WMF and then simply clicking on or opening the file in Explorer, or by just browsing the directory that contains the malicious WMF file via Explorer!
This is a zero-day exploit which can be used to execute code on a vulnerable machine at the same level of system rights as the user currently logged in. There is currently NO PATCH available from Microsoft [at the time of writing this].
The exploit works by using a specially crafted SETABORTPROC [escape] record in a malicious WMF file. This record registers a user-defined ‘abort procedure’ that points at attacker-supplied data inside the file, so arbitrary code is called when the rendering of the file subsequently fails and the abort procedure is invoked.
So far we have seen this exploit being used to install Spyware and trojans [such as backdoors and droppers]. However, it is expected that this will include bots shortly.
What is WMF?
WMF is the Windows Metafile image format which is usually rendered via the Windows Picture and Fax Viewer and the rendering engine [shimgvw.dll] is also used to create thumbnails when you browse a directory that contains graphics files. Any users of ‘Google Desktop’ should be aware that it uses this engine when indexing files, and therefore may be responsible for infecting a system that contains a ‘malicious WMF’ file.
Please be aware that the malicious WMF file may not have a .wmf file extension, as Windows can correctly identify a disguised WMF file from its internal structure; the so-called ‘magic-bytes’. So, we will almost certainly see malicious WMF files disguised as .gif, .jpg, .jpe, .jpeg, .bmp, .dib, .rle, .emf, .ico, .tif and .tiff [there may well be others used too].
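The two points above (the SETABORTPROC escape record, and the fact that the file is identified by its header rather than its extension) can be turned into a simple file scanner. The following is an added example, not code from the original post: it parses the standard 18-byte WMF header and walks the record stream, flagging any META_ESCAPE record (function 0x0626) whose escape sub-function is SETABORTPROC (9), regardless of what extension the file carries. The sample files are constructed inline; the record layout and constants are from the published WMF format.

```python
import struct

META_ESCAPE = 0x0626        # WMF record function code for "Escape"
META_EOF = 0x0000           # end-of-file record
SETABORTPROC = 9            # escape sub-function abused by the exploit
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte Aldus placeable header

def _strip_placeable(data):
    """Skip the optional placeable header so records start at a known offset."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        return data[22:]
    return data

def is_wmf(data):
    """Magic-byte check: type must be 1 (disk) or 2 (memory), header size 9 words."""
    body = _strip_placeable(data)
    if len(body) < 18:
        return False
    mtype, hdr_words = struct.unpack_from("<HH", body, 0)
    return mtype in (1, 2) and hdr_words == 9

def find_escape_records(data):
    """Return (offset, escape_function) for every META_ESCAPE record in the file."""
    body = _strip_placeable(data)
    hits, off = [], 18            # records follow the 18-byte standard header
    while off + 6 <= len(body):
        size_words, func = struct.unpack_from("<IH", body, off)
        if size_words < 3:        # minimum record is size (2 words) + function (1 word)
            break
        if func == META_ESCAPE and off + 8 <= len(body):
            hits.append((off, struct.unpack_from("<H", body, off + 6)[0]))
        off += size_words * 2
    return hits

def scan(data):
    """Summarise a file: is it really a WMF, and where are any SETABORTPROC escapes?"""
    bad = [off for off, fn in find_escape_records(data) if fn == SETABORTPROC]
    return {"is_wmf": is_wmf(data), "setabortproc_offsets": bad}

# --- constructed sample files for demonstration only ---
def escape_record(esc_func, payload=b""):
    params = struct.pack("<HH", esc_func, len(payload)) + payload
    params += b"\x00" * (len(params) % 2)          # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, META_ESCAPE) + params

def build_wmf(records):
    body = b"".join(records) + struct.pack("<IH", 3, META_EOF)
    max_words = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body

BENIGN_WMF = build_wmf([escape_record(1, b"\x01\x00")])        # escape 1 = NEWFRAME
SUSPICIOUS_WMF = build_wmf([escape_record(SETABORTPROC, b"\x90" * 8)])
NOT_WMF = b"\xff\xd8\xff\xe0" + b"\x00" * 20                   # JPEG magic bytes
```

Running `scan()` over every file in a directory, whatever its extension, is the point: a file named picture.jpg that reports `is_wmf` true with a non-empty SETABORTPROC list deserves a close look.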
How do I protect myself?
- Make sure your anti-virus is updated regularly; at least once a day.
- Keep a close eye on your personal firewall; be especially suspicious of new programs/files asking to connect to the internet after visiting an untrusted site.
- Use the Firefox or Mozilla web browser instead of Internet Explorer as this offers some protection; you’ll at least be warned.
- If you must use Internet Explorer, set the security level to High, which allegedly will stop automatic exploitation via a malicious WMF.
- Do not go to untrusted URLS [websites] even if they are sent to you via e-mail or instant messaging from someone you know; this may well be the next method to be used to get users to infect their Windows computers.
- It is strongly suggested that you unregister the offending DLL from the registry as this will stop you becoming infected via a browser or explorer.
- For administrators/security staff there are SNORT signatures available from Bleedingsnort.
- For administrators/security staff you can also block the currently known web sites that are hosting the malicious WMF files.
It is expected that we will see e-mail worms using this exploit very soon; other malware using other distribution methods may well follow within the next 5-7 days.
Unregistering the Windows Picture and Fax Viewer
Do not do this on a computer that you are not responsible for, such as a work computer. If in doubt check with your support/security staff first.
Click ‘Start’, then ‘Run’ and type the following ‘regsvr32 -u %windir%\system32\shimgvw.dll’ (without the single quotes), and then click ‘OK’.
This will stop the Windows Picture and Fax Viewer from being run when a registered extension is double-clicked, and will also disable the thumbnail function in associated programs as well as in Explorer.
Re-registering the Windows Picture and Fax Viewer
Click ‘Start’, then ‘Run’ and type the following ‘regsvr32 %windir%\system32\shimgvw.dll’ (without the single quotes), and then click ‘OK’.
More information can be found from the links offered below:
- http://www.symantec.com/avcenter/venc/data/bloodhound.exploit.56.html
- http://www.isc.sans.org/diary.php?date=2005-12-29
- http://www.microsoft.com/technet/security/advisory/912840.mspx
- http://www.f-secure.com/weblog/
- http://secunia.com/advisories/18255/
- http://vil.mcafeesecurity.com/vil/content/v_137760.htm
- http://www.securityfocus.com/bid/16074/info
- http://www.bleedingsnort.org/
The bottom line is that ANYTHING can be installed onto a vulnerable system using this exploit!
I would not be surprised if the Phishers started to use this to steal confidential data or install a keylogger.
Meanwhile all the *NIX and Mac users can sit smugly on the sidelines watching Windows users in headless-chicken mode once again.
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.