MoMusings

Tuesday 31st January, 2006


I’ve Won a Car and Pots of Money!

Filed under: All, Scams

Whoopee! I’ve won a car from Honda and a pile of money, must be my lucky day…. I’ve already won about 12 Million US Dollars according to the various e-mails I’ve so far received today*.

Let’s look at this latest e-mail informing me that I’ve won a car and £150,000 [UK Pounds, about 260,000 US Dollars]; which claims it comes from Honda.

Here are a series of screenshots of the actual e-mail:

[screenshots of the e-mail, not reproduced in this copy]

Looks very convincing, yes?

Well, as you may have already guessed, this e-mail isn’t from Honda, there is no car or money…..it is a scam!

I blogged about what 419s are [aka Nigerian scam and Advance Fee Frauds] a few months ago as this form of fraud is widespread and new variants appear from time to time as the boys from Lagos try out new ways to hook new victims.

This [Honda] one is a new twist on the lottery version, which I also blogged about recently. This one tries to get suckers, er…..I mean willing, naive victims, to give away personal details, and probably a fair bit of money to boot, such as ‘handling fees’ for the non-existent winnings…..in other words the only ones who come out of this richer are those that run the scam.

In this case the claim is that you have won a car from Honda [NOT], and a pile of money [NOT].

Whatever you do don’t fall for this scam [or any of its relations]; it relies on what the Lagos boys call Wad [rich, greedy people]. They also use a less polite name for the people they dupe: Mgbada**.

Oh by the way, just in case you didn’t get it: like all the other multitudinous versions, this latest one is nothing more than a scam; there is no car [or money, or other valuables such as oil, gold, diamonds, etc.]. To the boys from Lagos [the 419ers that run these scams] it is a business; some say it should be considered an African cottage industry. However they want to try and justify it, it is still a crime, no more, no less.

Bigger versions of the pictures can be found here:

I tried to see if Honda had a warning on their site about this, but at the time of writing this, no warning could be found. I have now forwarded a copy onto them.

* Of course I haven’t really got any of the money or the car, it is just the total of all the 419 scams, that if the money really existed and it wasn’t a scam, I would have collected in a single day. In other words, I’m not rich, so don’t come asking me for a loan or a handout ;-)
** I would be interested in what this translates to in English; anyone who knows please send me an e-mail, rather than posting a comment.


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blogs new home.
ALL future postings will only be available at the new site.

Wednesday 25th January, 2006


MyWife is causing problems…

Filed under: All, Malware

Not only is MyWife infecting unsuspecting victims, offering naughty pictures, videos, or a kiss, but she is going to turn destructive on the 3rd of February 2006 and every month after that date!

What?….No I’m not talking about my ‘better half’, my ‘partner’ or my ’spouse’; you didn’t think I was, did you? ;-)

What I’m talking about is the latest nasty piece of malware that appeared on January 20th 2006. This is known as: Nyxem.E, Kama Sutra, W32.Blackmal.E@mm, W32/MyWife.d@MM, Email-Worm.Win32.Nyxem.e, Blackworm and several other names too.

How do I get infected?
Unlike most modern malware this one doesn’t rely on a vulnerability in the operating system or applications on your computer.

Instead it uses a known vulnerability in the ‘WetWare’ [Human behind the keyboard].

To do this it finds those that are vulnerable to the ‘click or double-click attachment‘ exploit. This relies on the WetWare’s own internal processing and logic circuits being overridden by more base, animal instincts, such as SEX; which causes a short-circuit of the higher processing and logic functions in the vulnerable ‘WetWare’.

Those vulnerable to this exploit are sometimes known as ‘click-a-holics‘.

The end result is an infected computer, unless other mitigating processes block the infection, such as up-to-date anti-virus software.

In other words, you infect your computer because you can’t resist the temptation to open the attachment, just in case it may be ‘interesting’.

What does it look like?
Well, the e-mail may appear to come from someone you know or trust, or from a complete stranger: the worm searches the system it has infected for e-mail addresses and uses whatever it finds both as recipients and to forge the From: line, so the apparent sender is just another harvested address. The subject lines include any of the following:

  • *Hot Movie*
  • A Great Video
  • Arab sex DSC-00465.jpg
  • eBook.pdf
  • Fuckin Kama Sutra pics
  • Fw:
  • Fw: DSC-00465.jpg
  • Fw: Funny :)
  • Fw: Picturs
  • Fw: Sexy
  • Fwd: image.jpg
  • Fwd: Photo
  • give me a kiss
  • Miss Lebanon 2006
  • My photos
  • Part 1 of 6 Video clipe
  • Re:
  • Re: Sex Video
  • School girl fantasies gone bad
  • The Best Videoclip Ever
  • the file
  • Word file
  • You Must View This Videoclip!

The message body may be one of the following, or just contain the infected attachment:

  • —– forwarded message —–
  • >> forwarded message
  • F*ckin Kama Sutra pics
  • forwarded message attached.
  • Hot XXX Yahoo Groups
  • how are you?
  • i just any one see my photos. It’s Free :)
  • i send the details.
  • Note: forwarded message attached.
  • OK ?
  • Please see the file.
  • ready to be F*CKED ;)
  • VIDEOS! FREE! (US$ 0,00)

What does it do?
The worm has a dangerous payload. If the day of the month is the 3rd (3rd of February, 3rd of March, and so on) and the worm’s UPDATE.EXE is running, it destroys files with the following extensions on all available drives:

  • *.doc
  • *.xls
  • *.mdb
  • *.mde
  • *.ppt
  • *.pps
  • *.zip
  • *.rar
  • *.pdf
  • *.psd
  • *.dmp

The attachments may have a variety of names, with one of the following extensions:

.PIF, .MIM, .HQX, .BHX, .B64, .SCR, .UU or .UUE

These can be in upper, lower or mixed case.
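As an added example [not from the original post, and not the worm’s own code], here is a small Python mail-gateway check that applies the indicators above: it compares the Subject line against a subset of the list, looks at every MIME attachment’s extension case-insensitively [so image.jpg.SCR is still caught], and also spots a uuencoded file pasted into the message body, which is how the .UU/.UUE variants arrive. The three sample messages are constructed here for the demo; the subject subset and the ‘begin 644 name’ uuencode pattern are my assumptions about what a filter should match.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Attachment extensions used by Nyxem.E (from the list above); compared case-insensitively.
RISKY_EXTENSIONS = {".pif", ".mim", ".hqx", ".bhx", ".b64", ".scr", ".uu", ".uue"}

# A subset of the subject lines listed above, lower-cased for comparison (my selection).
KNOWN_SUBJECTS = {s.lower() for s in (
    "*Hot Movie*", "A Great Video", "Fw: Sexy", "give me a kiss", "Miss Lebanon 2006",
    "My photos", "Re: Sex Video", "the file", "Word file", "You Must View This Videoclip!",
)}

# uuencode header line inside a text body: "begin 644 filename" (assumed delivery pattern)
UU_BEGIN = re.compile(r"^begin [0-7]{3} (\S+)\s*$", re.MULTILINE)


def risky_extension(filename):
    """Return the lower-cased extension if it is on the block list, else None.
    os.path.splitext keeps only the last extension, so 'image.jpg.scr' -> '.scr'."""
    ext = os.path.splitext(filename)[1].lower()
    return ext if ext in RISKY_EXTENSIONS else None


def classify(raw_bytes):
    """Return a list of reasons the message looks like Nyxem.E (empty list = nothing matched)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []

    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append("subject matches Nyxem.E list: %r" % subject)

    for part in msg.walk():
        if part.is_multipart():
            continue
        # MIME attachments; walk() also descends into nested message/rfc822 parts
        name = part.get_filename()
        if name:
            ext = risky_extension(name)
            if ext:
                reasons.append("attachment %r has blocked extension %s" % (name, ext))
            continue
        # uuencoded payload pasted into a plain-text body
        if part.get_content_type() == "text/plain":
            for uu_name in UU_BEGIN.findall(part.get_content()):
                ext = risky_extension(uu_name)
                if ext:
                    reasons.append("uuencoded file %r in body has blocked extension %s" % (uu_name, ext))
    return reasons


def _build(subject, body, attachment=None):
    """Constructed sample messages for the demo (not real worm samples)."""
    m = EmailMessage()
    m["From"] = "friend@example.com"
    m["To"] = "victim@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()


SAMPLE_WORM = _build("give me a kiss", "how are you?", ("Photo.SCR", b"MZ\x90\x00" + b"\x00" * 60))
SAMPLE_UUENCODED = _build("Re: Sex Video", "Please see the file.\n\nbegin 644 DSC-00465.jpg.scr\nM`\nend\n")
SAMPLE_CLEAN = _build("Minutes from Tuesday", "Attached as discussed.", ("minutes.txt", b"1. Apologies\n"))

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("uuencoded", SAMPLE_UUENCODED), ("clean", SAMPLE_CLEAN)):
        print(label, classify(raw))
```

Run it as a script to print the reasons for each sample; a real gateway would quarantine on any non-empty reason list, and you still want up-to-date AV behind it, because the subject list changes with every variant while the extension block list does not.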

The files which are targeted are overwritten and the contents get replaced with a text string “DATA Error [47 0F 94 93 F4 K5]”.
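An added example for the clean-up side [not from the original post]: once the 3rd has passed, this Python snippet walks a directory tree and sorts every file with a targeted extension into ‘overwritten’ [it starts with the marker string above] or ‘intact’, so you know which files to restore from backup without opening each one. The sample tree in demo() is constructed in a temporary directory for illustration.

```python
import os
import tempfile

# Marker the payload writes into each victim file (from the description above).
OVERWRITE_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"
# Extensions targeted by the payload (from the list above), matched case-insensitively.
TARGET_EXTENSIONS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
                     ".zip", ".rar", ".pdf", ".psd", ".dmp"}


def is_overwritten(path):
    """True if the file starts with the payload's marker string."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(OVERWRITE_MARKER)) == OVERWRITE_MARKER
    except OSError:  # locked or unreadable: cannot tell, so do not report it as destroyed
        return False


def scan_tree(root):
    """Walk root; return sorted (overwritten, intact) path lists for targeted extensions."""
    overwritten, intact = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            (overwritten if is_overwritten(path) else intact).append(path)
    return sorted(overwritten), sorted(intact)


def demo():
    """Build a constructed sample tree in a temp dir, scan it, and return the base names found."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "Documents")
        os.makedirs(sub)
        files = {
            "report.DOC": OVERWRITE_MARKER,               # hit: marker, upper-case extension
            "accounts.xls": OVERWRITE_MARKER,             # hit
            "photo.psd": b"8BPS" + b"\x00" * 20,          # intact Photoshop header
            "notes.txt": OVERWRITE_MARKER,                # ignored: .txt is not targeted
            "archive.zip": b"PK\x03\x04" + b"\x00" * 20,  # intact
        }
        for name, data in files.items():
            with open(os.path.join(sub, name), "wb") as fh:
                fh.write(data)
        overwritten, intact = scan_tree(root)
        return ([os.path.basename(p) for p in overwritten],
                [os.path.basename(p) for p in intact])


if __name__ == "__main__":
    print(demo())
```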

This malware can also spread via any Windows shares that the infected computer has access to. It also contains its own SMTP engine to construct outgoing messages and will target a number of security tools/applications, including anti-virus and personal firewalls. Finally the malware adds an icon to the systray, displaying the string “Update Please wait” and connects to a website to increment a counter when a system is originally infected. At this moment in time this counter reads over 1,000,000!

Update: This just in - Fortinet said the worm adds 18 entries to the Windows Registry to slip the ActiveX control by the operating system’s defenses. “By creating the following entries, the control is considered ’safe’ and digitally signed”

In addition, Trend Micro, which calls the worm ‘WORM_GREW.A’, claims the worm is capable of disabling the mouse and keyboard of an affected system.

How do I protect my computer/self?
Well for starters make sure your anti-virus is updated at least once a day, this will then help to mitigate the ‘WetWare’ vulnerability.

At this time there is no fix for the WetWare ‘click or double-click attachment‘ exploit, however repeated exposure tends to reduce the size of the problem, although some affected users are very resistant. Frequent ‘booting’ might help. ;-)

Symantec have a stand-alone fix tool for this [for infected computer, not the WetWare], it can be downloaded from here: http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal@mm.removal.tool.html

Links to descriptions:
More details on this malware can be found via the following links:-
http://www.f-secure.com/v-descs/nyxem_e.shtml
http://vil.nai.com/vil/content/v_138027.htm
http://www.sarc.com/avcenter/venc/data/w32.blackmal.e@mm.html
http://www.isc.sans.org/diary.php?storyid=1067
http://secunia.com/virus_information/11803/mywife.d/
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_GREW.A
http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=viewVirusDetailsInfoDirectly&fid=119856



Tuesday 24th January, 2006


Spyware For All

Filed under: All, Malware, Tools

I mentioned some months ago that I would blog about Spyware, well I finally got round to it, hope it was worth the wait?

So, to start let me actually define what Spyware is in single sentence:-

“Spyware is the generic name for any application that may track your online and/or offline PC activity and is capable of locally saving or transmitting those findings for third parties sometimes with, but more often without your knowledge or consent”.

If you want the full definition of what makes something spyware, then feel free to look here: http://www.antispywarecoalition.org/documents/definitions.htm.

However, don’t expect it to be very concise! Just like virus and other malware nomenclature, if you ask several experts, you’ll probably get multiple and sometimes opposing definitions, you have been warned.

Spyware comes in many forms including adware, keyloggers, Trojans, browser hijackers, and dialers.


Is Spyware a Problem?
Well, according to a number of surveys it is a BIG problem, trouble is that many of those infected may not even be aware of spyware. Furthermore they may be blissfully unaware that their browsing habits, at the very least, or their financial data or every keypress they make is actually being recorded, and being sent to the ‘Bad Guys [TM]’, at the very worst, to use, or should that be mis-use, as they see fit.

  • More than 33 percent of system crashes reported to Microsoft were found to be due to spyware.
  • Nine out of Ten PCs connected to the Internet are infected with spyware.[2]
  • A recent spy audit report[1] published by Earthlink and Webroot found an average of 26.5 spyware traces are present on a given PC. In a six-month period, two million scans found 55 million pieces of spyware.
  • 92% of corporate IT managers at companies with more than 100 employees claim they have a “major” spyware problem.[3]

[1] http://www.webroot.com/company/pressmedia/pressreleases/20040804-spywarereport/
[2] National Cyber Security Alliance, June 2003
[3] Web@Work Study, March 2004

How do I get infected:
There are many ways to get infected with spyware, however the most common ways are via web sites that use scripting, known vulnerabilities or social engineering to get you to install their spyware, or spyware being installed as part of a free tool or utility that you installed.

There are many other ways, these include:

  • Exploits of known vulnerabilities.
  • Browser Helper Objects [BHOs].
  • Java, JavaScript, VBScript, plugins (ActiveX), CABs/executables (‘viewers’).
  • Spyware bundled with other applications.
  • Other malware downloading and installing Spyware.
  • Self-updating spyware/adware ‘multi-component’
  • Spyware used to sell anti-spyware tools.
  • Spyware disguised as anti-spyware software.

What about Cookies?
No I’m not talking about those yummy things that come with chocolate chips in; amongst other things. However, if you are interested in malware trivia, then you may be interested in what some consider to be the first computer virus[4]; known as ‘Cookie, Cookie Monster or Cookie Bear‘. However, this bears [no pun intended] no relation to the Cookies I’m covering here.

[4] I’m not one of them. The first virus was Elk Cloner; the first PC virus was Brain, which has just had its 20th birthday!

The cookies I’m covering here are a way for websites to store session or other data when you visit their site. These ‘cookies’ are not spyware. If you want to classify them as any sort of threat, then classify them as minor ‘privacy’ issue. However they can be used for tracking purposes.

So, What can I do to protect myself?
There are loads of tools that you can use to help fight spyware already on your PC, and others that can stop it getting on there in the first place. The first bit of advice I will offer is to use a browser that doesn’t use/support ActiveX, as this is one of the main ways for spyware to get onto your system. I would suggest that you use Opera or Mozilla/Firefox instead. Don’t get me wrong, this won’t stop all spyware getting onto your system via a web browser, but it should help to minimise the risk. Likewise, not visiting the internet’s ‘grey’ areas or its seedy under-belly will help. Also, be very careful with free programs, as some offset the cost of the program by bundling adware or spyware in with their software.

Anti-spyware tools:

Be very careful when selecting an anti-spyware solution/tool, as there are a number of them that are spyware in their own right. You can find a list of the known ‘bogus’ anti-spyware and anti-malware tools here: http://www.spywarewarrior.com/rogue_anti-spyware.htm

Here are some other things that you might want to do to help protect your computer:

  • Keep your operating system fully patched.
  • Be careful of what you download, and read the EULA before you allow the install to continue.
  • If you must use Internet Explorer then adjust your settings for ActiveX.
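As an added example [not part of the original post], here is a Python audit of the Internet-zone ActiveX settings that ‘adjust your settings for ActiveX’ refers to. Internet Explorer keeps them as DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, named by the URL action number [0 = Enable, 1 = Prompt, 3 = Disable]; the five action IDs and the ‘recommended’ profile are my assumptions from the URLACTION_* constants, so compare them with Internet Options > Security before relying on them. The two sample dictionaries are constructed: one approximates the default Medium level, the other a locked-down zone.

```python
# Assumed mapping of registry value names (hex URLACTION_* numbers as text) to the
# matching entries in the Internet Options > Security dialog.
ACTIVEX_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe for scripting",
    "1405": "Script ActiveX controls marked safe for scripting",
}
ENABLE, PROMPT, DISABLE = 0, 1, 3          # DWORD values IE uses for each action
STRENGTH = {ENABLE: 0, PROMPT: 1, DISABLE: 2}

# A tightened profile for the Internet zone (my recommendation): nothing runs or downloads
# silently, unsigned controls and unsafe scripting are off altogether.
RECOMMENDED = {"1001": PROMPT, "1004": DISABLE, "1200": PROMPT, "1201": DISABLE, "1405": PROMPT}


def audit_zone(settings):
    """settings maps value name -> DWORD as read from the zone key.
    Returns [(name, description, current, wanted)] for every ActiveX action that is
    looser than RECOMMENDED, missing, or holds an unrecognised value."""
    findings = []
    for name, wanted in RECOMMENDED.items():
        current = settings.get(name)
        if current not in STRENGTH or STRENGTH[current] < STRENGTH[wanted]:
            findings.append((name, ACTIVEX_ACTIONS[name], current, wanted))
    return findings


def read_zone_from_registry(zone=3):
    """Read the live values on Windows with the standard winreg module; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d" % zone
    settings = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        for name in ACTIVEX_ACTIONS:
            try:
                settings[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:   # value absent: audit_zone reports it as a finding
                pass
    return settings


# Constructed samples (not read from a real machine).
MEDIUM_SAMPLE = {"1001": PROMPT, "1004": DISABLE, "1200": ENABLE, "1201": DISABLE, "1405": ENABLE}
LOCKED_SAMPLE = {"1001": DISABLE, "1004": DISABLE, "1200": DISABLE, "1201": DISABLE, "1405": DISABLE}

if __name__ == "__main__":
    live = read_zone_from_registry()
    for label, zone in (("medium sample", MEDIUM_SAMPLE), ("locked sample", LOCKED_SAMPLE),
                        ("this machine", live)):
        if zone is None:
            continue
        for name, desc, current, wanted in audit_zone(zone):
            print("%s: %s (%s) is %r, want %r" % (label, desc, name, current, wanted))
```

On a Windows box run it as-is to see which of the five actions are still at Enable; on anything else only the two constructed samples are reported. The audit treats a missing value as a finding because the zone then inherits a template default you have not checked.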

The good news is that many anti-virus products are starting to detect some of the most common spyware. Other vendors have acquired companies that specialise in spyware detection and elimination; these will then be incorporated into the vendors products.

The bad news is that spyware is now commonly used by professional cyber-criminals to steal data, be it corporate secrets or your credit card or bank details. Even worse is that the quality of the spyware is getting better; this means that these programs are being written by professional programmers rather than the more usual stereotypical malware author. Increasingly we are seeing new techniques that make the detection and removal of some spyware very, very difficult.


Other useful tools:

  • CWShredder This can get rid of some of the most pernicious spyware known to man, this being ‘Coolwebsearch’.
  • HijackThis I blogged about this tool some time ago, it is a very useful diagnostic tool.
  • HijackThis Log Analyser This is a useful site for turning the output of HijackThis into something that means something to most end-users, not just techies or propeller-heads.

Anyone who has other useful tips and/or techniques then please feel free to post them as feedback. I’m sure that there are many others that will help other readers in the endless fight against the growing scourge of spyware.

For those of you who would like to know more about spyware then you are in luck as I’m writing a conference paper on this subject. Spyware is a big and complex arena, and as much as I try, there is no way a single blog entry could ever do it real justice. The paper will be made available after the conference. So, if you are interested then check back around the 6th of May 2006 for a link to the paper.



Friday 20th January, 2006


December 2005 Malware Review

Filed under: All, Malware, Stats

December has come and gone; on the malware front at least it was another interesting but somewhat quieter month.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter for December.

I have included four sources of information for the graphs and pie-charts, these are:

  • Kaspersky’s monthly top 20
  • SOPHOS’ monthly top 10
  • WormCharmer
  • Malware Bayesian Filter

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 3 years, Malware Bayesian Filter 2 years.

In total I captured 1822 samples during December, which have been catalogued as 61 distinct families and variants. In comparison during November 2005 I captured 2489 samples which were catalogued as 59 distinct families/variants. As you can see December was well below the average malware haul for 2005. As a guide, an average month’s captures for 2005 was around 3,000 samples.

During December I captured and submitted 3 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].
The low haul in December is partly due to an apparent drop-off in new samples being spread via SMB [Windows shares], the relatively low impact of the latest Sober strains [via E-mail], and finally but not least; I moved ISP due to my old one starting to block SMB and other ports used by malware to spread from machine to machine.

During December I reported 40 new phishing sites, which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] held onto pole position during December. Tenga accounted for a whopping 63 percent of all captured files during December!
Surprisingly the Mytobs put in a poor show during December only managing to retain one place in the top 10. The Sober family managed to remain in the top 10 during December.
It seems that the share-crawling worms and bots took back a number of slots during December; in fact they took six, leaving just four for the e-mail based worms and bots that have dominated many of the 2005 monthly top 10 charts.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply put, my sample capture systems collect data from multiple ‘vectors’ [e-mail and SMB shares] and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see, the top 10 from Kaspersky [below] this month has seen Mytob.c knocked off pole position by none other than Zafi.d, which accounts for over 29 percent of reports. Mytob.c has had to make do with second place in December, accounting for seventeen percent of reports. The rest of the chart is made up of Lovgate.w in third, Sober.y [aka Sober.Z] in fourth, another Zafi [b] in fifth place followed by a pair of Netsky variants [q and b] in sixth and seventh place. The last three places see three more Mytob variants [t, u and q] just managing to keep a place in the top 10. These trailing Mytobs account for a mere 6 percent of the top 10; this is a long fall from grace for a malware family that has at times swamped the top 10. Doombot [b and d] have both fallen out of the top 10.



In the SOPHOS chart we see a different pattern, with Sober-Z sitting in pole position. Netsky.p has to make do with third place this month; its second place spot from November has been stolen by Zafi.b. Six Mytob variants [EX, FO, BE, GH, C and FM] appear in the top 10. Just like in the data from Kaspersky we have the Zafi.D variant too.



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by September’s leader, Tenga, accounting for over 63 percent of all samples caught. Mytob could only manage a measly 4th place, accounting for a mere 6 percent of captured samples.

The Sdbot family has regained some of its share over the last month; jumping from 2.1 percent in November to over 8 percent of all captured samples in December. Interestingly Zafi only just managed to scrape in to the top 10 this month; accounting for only 1.2 percent of all captured samples.



If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004 and 2005 [up to the end of December] here. This clearly shows that December was significantly quieter than November; in fact it was the quietest month in the last two years, as far as e-mail-borne malware was concerned!

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware during 2005, the total known count grew from 112,438 [as at the end of December 2004] to 168,807 [as at the end of December 2005]. That’s 56,369 new malware strains during 2005! In 2004 we saw 28,327 new strains, so the number of new strains seen in 2005 was almost double that of 2004.

What’s New?

A number of interesting things occurred during December these will be covered below:

More on Sober
I covered Sober in my November report; however there have been several developments in the case. So, to refresh your memory, here’s a quick recap:
Sober.Z used a trick which worked well for an earlier version of the family: it sent forged e-mail messages claiming to come from the FBI, stating that the recipient had violated copyright by downloading music from file-sharing networks. The e-mail message instructs the recipient to open the attachment, which, the e-mail claims, contains data relating to the alleged offence.

Development 1:
In a very ‘Twilight Zone’ like twist the Sober-Z worm led to the arrest of a child porn offender this month. The 20-year-old German man believed the contents of the infected e-mail stating that he was being investigated by the BKA for visiting illegal websites; in a moment of panic he turned himself in to the police.
Carole Theriault from Sophos had this to say about the latest twist with Sober:

“Rarely does a virus actually benefit society, but few people would discourage the German police from investigating this guy,” continued Theriault. “However, it is an inadvertent victory for justice - the Sober virus writer has been causing havoc for computer users around the world for several years. The good news is that this persistent worm is easy to combat if home users and businesses have effective up-to-date anti-virus and anti-spam protection in place, and if they follow safe computing practices.”

Development 2:
Sober.Z is programmed to force all the infected machines to download and run a file from a website starting from midnight on January 6th, 2006. To ensure that this event takes place Sober.Z even synchronizes the computer’s internal clock against atomic-clock time servers on the internet, so a wrong local date cannot delay the trigger.

To make the anti-virus vendors life more difficult the virus writer does not use a single, constant address in the virus body, as it will be quickly blocked. Instead, the Sober.Z author coded an algorithm to create pseudorandom URLs, these will change based on date and use free hosting servers typically operating in Germany or in Austria.

The Sober.Z author can pre-calculate the URL for any date, and when he wants to run something on all the infected machines, he registers the right URL on the required free web server; uploads his program and it gets downloaded by all the infected systems and executed. It is estimated that the current size of infected pool of computers is in the range of hundreds of thousands of machines.

Because the Sober virus author can pre-calculate the URLs, the Anti-Virus companies wanted to be able to do the same thing. So they reverse engineered the algorithm. This enabled them to calculate the Sober.Z download URLs for any future date.

So what do these pseudorandom URLs look like?

They look like this:

  • home.arcor.de/dixqshv/
  • people.freenet.de/wjpropqmlpohj/
  • people.freenet.de/zmnjgmomgbdz/
  • people.freenet.de/mclvompycem/
  • home.arcor.de/jmqnqgijmng/
  • people.freenet.de/urfiqileuq/
  • home.arcor.de/nhirmvtg/
  • free.pages.at/emcndvwoemn/
  • people.freenet.de/fseqepagqfphv/
  • home.arcor.de/ocllceclbhs/
  • scifi.pages.at/zzzvmkituktgr/
  • people.freenet.de/qisezhin/
  • home.arcor.de/srvziadzvzr/
  • people.freenet.de/smtmeihf/
  • home.pages.at/npgwtjgxwthx/

At the time of writing none of these URLs are in use or contain any update files. I will cover what happened with regards the Sober update in the January 2006 report.

However, the list of web links will change every 14 days.

More details can be found here: http://www.lurhq.com/soberdates.html and here: http://www.f-secure.com/weblog/archives/archive-122005.html#00000729

Conclusions:
As you may have noticed SPAM has been very aggressive during December. I will be putting together a ‘Malware Review for 2005′ which will cover the whole year and make some predictions on the probable threats and trends for 2006.

Links:
Virus Top Twenty for December 2005 [Kaspersky]
Top ten viruses and hoaxes for December 2005 [Sophos]



Thursday 5th January, 2006


More WMF Malware Developments

Filed under: All, Malware, Exploits

A number of new developments have come to light in the mysterious case of the WMF vulnerability:

First off, the people behind MetaSploit have updated their exploit code again; the latest version pads the generated WMF files with lots of random data, so that no two files look alike and simple byte-pattern signatures no longer match. This is a ‘bad thing [TM]‘ and will only lead to more malware using the WMF vulnerability.

Secondly; the ‘bad guys [TM]‘ are experimenting with other ways to use this vulnerability, as this snippet from the Kaspersky web log shows:

At the moment, the number of different WMF exploits we’ve seen has gotten well past a hundred and more are coming every hour.

But that’s not the worst. The most recent exploits show that malicious users (bad guys) have been very very busy finding and implementing new ways to get their exploits past various AV products. So much for the dark side taking a break over the winter holidays and New Year.

On this note, Andreas Marx from [http://www.av-test.org] posted the following on Bugtraq:

We have analysed some 100 malware WMF files and they can do almost anything. We saw download trojans, adware and spyware apps, backdoors, lots of bots (zombie programs), as well as password-spying programs which are looking for PINs and TANs for online banking attacks. I expect that some 1,000 websites are already compromised.

One of the malware apps we have discovered at 2005-12-29 (some days ago!) already had a built-in infection counter at a (hidden) website and we saw the number 233,000. This means, a few days back, some 100,000 PCs seem to be compromised already. Today, the website is still working, and has delivered more than 1,000,000 malware installation files already. With 1+ million PCs under your control, you can do almost everything!

This means, the issue is extremely critical, even if the current attack vector seems to be websites only. We already saw a few malware WMF files in e-mails, but not many. The chances are good, however, that we might see a worm in the next few days which spreads using WMF files and e-mail as infection vector. Well, I can’t understand why Microsoft is considering some 1,000,000 infections as being “not widespread”. And that’s the counter for just ONE special malware file!

Ilfak Guilfanov’s patch is now available from a number of ’security’ sites; this is due to the fact that around half the planet has tried to download his patch from his own server, which caused his service provider to get upset. The new links to the patch appear below:

Microsoft have stated the following: “Although the issue is serious and malicious attacks are being attempted, Microsoft’s intelligence sources indicate that the scope of the attacks are not widespread.” - Quoted from Microsoft Security Advisory (912840)

Now what was it that the captain of the Titanic is supposed to have said before the ship’s fateful maiden voyage? Oh yeah, that’s right: “Even God couldn’t sink this ship.”

Could this WMF vulnerability be Microsoft’s digital version of the fatal Titanic iceberg……only time will tell!



Wednesday 4th January, 2006


EICAR 2006 Abstract Selected

Filed under: All, Malware, Papers

EICAR have just informed me that my abstract, entitled: ‘Spyware: Risks and Prevention‘ has been selected for the EICAR 2006 conference to be held in Hamburg, Germany between the 29th April and the 2nd of May 2006.

The abstract for the paper appears below:

Spyware has grown over the last two years from a minor annoyance to what it is today; a major headache for companies and academia (most of them just don’t know it yet) and home users alike.

This paper will investigate the growth of this threat and the ‘cart-load’ of risks and issues that Spyware and related risks bring to the corporate table. Furthermore it will investigate what the security staff in corporations can implement to address the risks and their company’s liability, including:

  • Policy
  • Education
  • Firewalls
  • Proxies
  • Intrusion Detection Systems
  • Anti-Virus tools
  • And last but not least, Anti-Spyware tools.

The processes, procedures and other solutions and guidance offered in this paper will come mainly from real-world experience of tackling spyware and related issues/risks.

All I have to do now, is carry out all the required research and write the paper; should only take me about 3 months…Hang on they need the completed paper by the 17th of March!!!

The full paper will be made available after the conference. I’ll post an announcement here shortly after the conference has finished.



Tuesday 3rd January, 2006


WMF Vulnerability Patches and Workarounds

Filed under: All, Malware, Exploits, Tools

Now most people are back at work and are aware of the WMF exploit problem I thought it might be a good time to collate and discuss the myriad tools, patches and workarounds for this issue. So, here goes:

Un-official patches:

  1. Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally). The fix works by injecting itself into all processes loading USER32.DLL. It patches the Escape() function in GDI32.DLL, revoking WMF’s SETABORT escape sequence that is the root of the problem. The fix is available here: http://www.hexblog.com/2005/12/wmf_vuln.html
  2. Paolo Monti from Eset has also released an unofficial patch which he claims will work on all Windows versions except the 64 Bit version. The fix is available here: http://www.nod32.it/getfile.pp?tool=wmfpatch

Mitigation Tools/Techniques:

  1. For administrators/security staff there are SNORT signatures available from Bleedingsnort. These can be used with the SNORT/Sourcefire IDS/IPS products and may also work with the ISS RealSecure IDS/IPS products via the TRONS [SNORT backwards] functionality.
  2. Kerio personal firewall [now owned by Sunbelt] can use the Snort signatures in the in-built NIPS, and you can use it for FREE, or if you prefer you can pay for it. Details on how to use the SNORT signatures can be found here: http://sunbeltblog.blogspot.com/2005/12/protect-yourself-from-wmf-exploit.html
  3. Make sure your anti-virus is updated regularly; at least once a day.
  4. Keep a close eye on your personal firewall; be especially suspicious of new programs/files asking to connect to the internet after visiting an untrusted site.
  5. Use the Firefox or Mozilla web browser instead of Internet Explorer as this offers some protection; you’ll at least be warned.
  6. If you must use Internet Explorer set the security level to High which allegedly will stop automatic exploitation via a malicious WMF.
  7. Do not go to untrusted URLs [websites] even if they are sent to you via e-mail or instant messaging from someone you know.
  8. Anyone receiving graphic file attachments [via e-mail] from UNTRUSTED sources should NOT open or view them.
  9. Anyone receiving graphic file attachments [via e-mail] from TRUSTED sources should verify with the alleged sender that they actually sent them, before they open or view them.
  10. It is strongly suggested that you unregister the offending DLL from the registry as this will stop you becoming infected via a browser or explorer.
  11. For administrators/security staff you can also block the currently known web sites that are hosting the malicious WMF files.
  12. Roger Thompson has made a new tool available, known as SocketScanner. It is currently in BETA phase, but in limited testing seems to work as advertised. The neat thing about SocketScanner is that it can be updated remotely, so if another unpatched vulnerability is found then SocketScanner can be quickly updated to close the usual window of opportunity that new exploit code uses to compromise vulnerable systems. In other words SocketScanner is not a single, fixed, exploit patch, unlike the others.
  13. Ilfak Guilfanov has also published a testing tool which will tell you if your system is vulnerable or not. It can be found here: http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html

Do not install any of the above on a computer that you are not responsible for, such as a work computer. If in doubt check with your support/security staff first. The same goes for the steps below which will unregister the Windows Picture and Fax viewer.

Unregistering the Windows Picture and Fax Viewer
Click ‘Start’, then ‘Run’ and type the following ‘regsvr32 -u %windir%\system32\shimgvw.dll’ (without the single quotes), and then click ‘OK’.

This will stop the Windows Picture and Fax Viewer from being run when a registered extension is double-clicked, and will also disable the thumbnail function in certain programs and explorer.

Re-registering the Windows Picture and Fax Viewer
Click ‘Start’, then ‘Run’ and type the following ‘regsvr32 %windir%\system32\shimgvw.dll’ (without the single quotes), and then click ‘OK’.

Latest news just in is that Microsoft expect to have their own ‘official’ patch ready for the 10th of January…..I’m just hoping that they mean THIS year. ;-)



Monday 2nd January, 2006


More WMF Exploits

Filed under: All, Malware, Exploits

It seems that some ‘kind soul’ [that should be pronounced as ‘IDIOT’] has released new WMF exploit code which is significantly different from the versions currently known to be in-the-wild. The original exploit code is being used by malware and spyware authors to own vulnerable boxes via a user visiting an infected web site, either directly or via an Instant Message containing a link to a booby-trapped website, or opening a malicious .wmf file attached to an e-mail. Yes, that includes Lotus Notes too!

The latest one uses the same basic trick, the ‘escape’ function ‘SETABORTPROC’ in the WMF file format, however it uses a random value for the parameter-count byte instead.

Here’s what the original WMF exploits used: 0x0626
The new exploit code uses a random byte, so any value can be used to replace ‘06’; a modified byte stream may look like 0x9026 or 0x6626, or any other value. The first byte is nothing more than a parameter count; the next byte is the actual value used.

So, what does this mean?
Well, it means that many anti-malware products will need to modify their signatures to detect the exploit code, as will many IDS vendors. Limited testing shows that the ‘old’ WMF exploit detection signatures, which worked for the original exploit code, do not detect the new exploit code in many cases.

Bogus WMF files being spammed out:
There have been two new cases of bogus WMF files being sent out [spammed] to try and get users to infect their systems, these are:

From: “tommy@security.state.gov”
Subject: “Confidential”
Attachment: “map.wmf”
Size: 8710

Email body:

“Attached is the digital map for you. You should meet that man at those points separately.

Delete the map thereafter. Good luck.

Tommy”

Nice bit of social engineering there, even if the user is not expecting this, then they will be tempted to open it just to satisfy their curiosity.

Real cloak-and-dagger stuff, almost worthy of Mission Impossible, James Bond, XXX, or the Bourne Identity! While looking for a suitable image to use for this blog entry I found this and couldn’t resist using it:

The second case of spammed out bogus WMF files via e-mail, looks like this:

Subject: “Happy New Year”
Attachment: “HappyNewYear.jpg”
Email body:

“picture of 2006”

Yes, this one is using a JPG extension but is really a WMF file and will be treated by Windows as such, which means that the exploit code will be executed unless you have detection in place or have carried out other mitigating steps to effectively disable or patch [this is an unofficial patch as Microsoft currently don’t have one available] the vulnerable system file(s).
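The two points above, that the ‘old’ signatures match the fixed bytes 0x0626 and so miss the random-high-byte variant, and that Windows treats the file by content rather than by its .jpg extension, can both be handled by parsing the metafile instead of pattern-matching it. The following is an added example and not code from this blog, from Bleedingsnort or from any of the tools listed; the WMF record layout and constants (METAHEADER, META_ESCAPE = 0x0626, escape sub-function SETABORTPROC = 9, META_EOF) are taken from the public WMF format description, and the sample files are constructed in `build_sample()` with no payload, only the escape record header:

```python
import struct

# Constants from the WMF (Windows Metafile) format description.
META_ESCAPE = 0x0626            # canonical META_ESCAPE record function number
META_EOF = 0x0000
ESCAPE_SETABORTPROC = 0x0009    # escape sub-function that the exploit relies on
PLACEABLE_MAGIC = 0x9AC6CDD7    # Aldus placeable header key (optional 22-byte prefix)


def is_wmf(data: bytes) -> bool:
    """Identify a WMF by its header bytes, ignoring the file name and extension."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        return False
    mt_type, hdr_words, version = struct.unpack_from("<HHH", data, off)
    return mt_type in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def wmf_records(data: bytes):
    """Yield (offset, function, params) for each record up to META_EOF."""
    if not is_wmf(data):
        raise ValueError("not a WMF file")
    off = 22 if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC else 0
    off += 18                                   # skip the 9-word METAHEADER
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError(f"bad record size at offset {off}")
        end = off + size_words * 2
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end


def find_setabortproc(data: bytes):
    """Return [(offset, function, variant)] for every SETABORTPROC escape record.
    Only the low byte of the function number selects the record type; the high
    byte is the legacy parameter count, so it is masked off here as well."""
    hits = []
    for off, func, params in wmf_records(data):
        if (func & 0xFF) != (META_ESCAPE & 0xFF) or len(params) < 2:
            continue
        if struct.unpack_from("<H", params, 0)[0] == ESCAPE_SETABORTPROC:
            variant = "canonical" if func == META_ESCAPE else "high-byte variant"
            hits.append((off, func, variant))
    return hits


def naive_signature_hit(data: bytes) -> bool:
    """Fixed byte pattern in the style of the original signatures:
    function 0x0626 followed by escape 0x0009, both little-endian."""
    return b"\x26\x06\x09\x00" in data


def build_sample(function: int, escape_code: int) -> bytes:
    """Constructed test data: METAHEADER, one escape record, META_EOF.
    The record holds only the escape code, a byte count and four zero bytes."""
    record = (struct.pack("<IH", 7, function)           # 7 words in this record
              + struct.pack("<HH", escape_code, 4)
              + b"\x00" * 4)
    eof = struct.pack("<IH", 3, META_EOF)
    body = record + eof
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 7, 0)
    return header + body


def scan_attachment(filename: str, data: bytes) -> dict:
    """Classify an attachment by its content, not by the extension it claims."""
    if not is_wmf(data):
        return {"file": filename, "wmf": False, "hits": []}
    return {"file": filename, "wmf": True, "hits": find_setabortproc(data)}


if __name__ == "__main__":
    for func in (0x0626, 0x9026, 0x6626):
        sample = build_sample(func, ESCAPE_SETABORTPROC)
        print(f"function 0x{func:04x}: parser={find_setabortproc(sample)} "
              f"naive={naive_signature_hit(sample)}")
    print(scan_attachment("HappyNewYear.jpg",
                          build_sample(0x9026, ESCAPE_SETABORTPROC)))
```

Run stand-alone, it shows the fixed-pattern check matching only the 0x0626 file while the record parser flags all three, and the ‘HappyNewYear.jpg’ sample being reported as a WMF regardless of its name. Any file that the parser rejects as malformed deserves the same suspicion as a hit, since truncated or oversized records are how these files are built in the first place.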

Expect these to be just the forerunners of more complex attacks, such as e-mail worms. Let us hope that we don’t see a similar state of affairs as we did once before, when a number of well-known ad-servers were compromised and malcode was added to existing adverts being served to many thousands of popular websites. The malware in question was Bofra, back in November 2004.

Oh and by the way, This blog entry, should you choose to read it, will self-destruct in 5 seconds……5, 4, 3, 2, 1, too late! ;-)


