More WMF Exploits
It seems that some ‘kind soul’ [that should be pronounced as ‘IDIOT’] has released new WMF exploit code which differs significantly from the versions already known to be in the wild. The original exploit code is being used by malware and spyware authors to own vulnerable boxes when a user visits an infected web site, either directly or via an Instant Message containing a link to a booby-trapped site, or opens a malicious WMF file attached to an e-mail. Yes, that includes Lotus Notes too!
The latest one uses the same basic trick, the ‘escape’ function SETABORTPROC reached through a META_ESCAPE record in the WMF file, but it randomises the high byte of the 16-bit record function word instead of using the fixed value.
Here’s the record function value the original WMF exploits used: 0x0626 (META_ESCAPE; stored little-endian in the file, so the bytes on disk are 26 06).
The new exploit code randomises the high byte, so any value can replace the ‘06’; the modified function word may look like 0x9026 or 0x6626, or anything else ending in 26. The high byte is nothing more than a parameter count, and GDI dispatches on the low byte alone, which is the value that actually selects the escape record. The escape function number that follows (0x0009, SETABORTPROC) stays the same.
So, what does this mean?
Well, it means that many anti-malware products will need to modify their signatures to detect the exploit code, as will many IDS vendors. Limited testing shows that the ‘old’ WMF exploit detection signatures, which worked for the original exploit code, do not detect the new exploit code in many cases. Any signature that matches the full 0x0626 word rather than the low byte of the record function, or that only triggers on a .wmf extension, will miss it.
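To make the signature problem concrete, here is an added example (written for this page, not code from the original post or from any vendor) that builds a few minimal WMF files and compares a naive byte-pattern signature against a small record walker. The record walker identifies the file by its header rather than its name, which is what matters for the .jpg-named sample discussed further down, and it flags a META_ESCAPE record requesting SETABORTPROC by the low byte of the function word only. The sample files, the 8-byte NOP-sled-style filler and the record layouts are constructed here for illustration; the header and record structures follow the standard WMF format.

```python
import struct

# Constructed example; not code from the original post.
PLACEABLE_KEY = 0x9AC6CDD7    # magic DWORD of a placeable (Aldus) WMF header
META_ESCAPE_ID = 0x26         # low byte of META_ESCAPE; GDI dispatches on this
META_ESCAPE_FULL = 0x0626     # exact function word the first exploits used
ESC_SETABORTPROC = 0x0009     # escape function the exploit asks for
META_EOF = 0x0000


def escape_params(escape_function, data=b""):
    """Parameters of a META_ESCAPE record: EscapeFunction, ByteCount, data."""
    return struct.pack("<HH", escape_function, len(data)) + data


def build_wmf(record_function, params=b""):
    """Minimal standard WMF: 18-byte header, one record, then META_EOF.
    Record sizes are counted in 16-bit words, so parameters are padded."""
    if len(params) % 2:
        params += b"\x00"
    record_words = (6 + len(params)) // 2
    record = struct.pack("<IH", record_words, record_function) + params
    eof = struct.pack("<IH", 3, META_EOF)
    total_words = (18 + len(record) + len(eof)) // 2
    header = struct.pack("<HHHIHIH",
                         2,             # Type: disk metafile
                         9,             # HeaderSize in words
                         0x0300,        # Version
                         total_words,   # FileSize in words
                         0,             # NumberOfObjects
                         record_words,  # MaxRecord in words
                         0)             # NumberOfMembers
    return header + record + eof


def naive_signature(data):
    """A signature written against the first exploit: the exact 0x0626
    function word immediately followed by escape 0x0009."""
    return struct.pack("<HH", META_ESCAPE_FULL, ESC_SETABORTPROC) in data


def is_wmf(data):
    """Identify a WMF by its header, never by the file extension."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) >= 18:
        mtype, hsize, version = struct.unpack_from("<HHH", data, 0)
        return mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300)
    return False


def find_setabortproc(data):
    """Walk the record list and return (offset, function_word) for every
    escape record that requests SETABORTPROC, matching the low byte only."""
    if not is_wmf(data):
        return []
    off = 22 if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    off += struct.unpack_from("<H", data, off + 2)[0] * 2   # skip header
    hits = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF or size_words < 3:     # end, or malformed size
            break
        if (func & 0xFF) == META_ESCAPE_ID and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == ESC_SETABORTPROC:
                hits.append((off, func))
        off += size_words * 2
    return hits


# Constructed samples: the original variant, two randomised-high-byte
# variants, a benign record, and an escape that is not SETABORTPROC.
FILLER = b"\x90" * 8
SAMPLES = {
    "original_0626": build_wmf(0x0626, escape_params(ESC_SETABORTPROC, FILLER)),
    "variant_9026":  build_wmf(0x9026, escape_params(ESC_SETABORTPROC, FILLER)),
    "variant_6626":  build_wmf(0x6626, escape_params(ESC_SETABORTPROC, FILLER)),
    "benign_setmapmode": build_wmf(0x0103, struct.pack("<H", 1)),
    "escape_newframe":   build_wmf(0x0626, escape_params(0x0001)),
}


def scan(samples=SAMPLES):
    """Return {name: (naive_signature_hit, record_walker_hit)} per sample."""
    return {name: (naive_signature(d), bool(find_setabortproc(d)))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (naive, walker) in scan().items():
        print(f"{name:20s} naive={naive!s:5s} walker={walker}")
```

Run stand-alone, the naive pattern only fires on the original 0x0626 sample while the record walker catches all three SETABORTPROC variants and stays quiet on the benign and NEWFRAME samples. The same walker applied to a file named HappyNewYear.jpg gives the same answer, because nothing in it looks at the name.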
Bogus WMF files being spammed out:
There have been two new cases of bogus WMF files being sent out [spammed] to try and get users to infect their own systems. These are:
From: “tommy@security.state.gov”
Subject: “Confidential”
Attachment: “map.wmf”
Size: 8710
Email body:
“Attached is the digital map for you. You should meet that man at those points separately.
Delete the map thereafter. Good luck.
Tommy”
Nice bit of social engineering there: even if the user is not expecting this, they will be tempted to open it just to satisfy their curiosity.
Real cloak-and-dagger stuff, almost worthy of Mission Impossible, James Bond, XXX, or the Bourne Identity! While looking for a suitable image to use for this blog entry I found this and couldn’t resist using it:

The second case of bogus WMF files spammed out via e-mail looks like this:
Subject: “Happy New Year”
Attachment: “HappyNewYear.jpg”
Email body:
“picture of 2006”
Yes, this one is using a JPG extension but is really a WMF file, and Windows will treat it as such because the image is identified by its content rather than its extension. This means that the exploit code will be executed unless you have detection in place or have carried out other mitigating steps to effectively disable or patch [this is an unofficial patch, as Microsoft currently don’t have one available] the vulnerable system file(s). Filtering attachments by extension alone will not stop it.
Expect these to be just the beginning of more complex attacks, such as e-mail worms. Let us hope that we don’t see a repeat of the state of affairs we had once before, when a number of well-known ad-servers were compromised and malcode was added to existing adverts being served to many thousands of popular websites. The malware in question was Bofra, back in November 2004.
Oh and by the way, This blog entry, should you choose to read it, will self-destruct in 5 seconds……5, 4, 3, 2, 1, too late!
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home. ALL future postings will only be available at the new site.