More WMF Malware Developments
A number of new developments have come to light in the mysterious case of the WMF vulnerability:
First off, the people behind Metasploit have updated their exploit code again; the latest version allows lots of random data to be used to create malicious WMF files. This is a ‘bad thing [TM]’ and will only lead to more malware using the WMF vulnerability.
Secondly, the ‘bad guys [TM]’ are experimenting with other ways to use this vulnerability, as this snippet from the Kaspersky web log shows:
“At the moment, the number of different WMF exploits we’ve seen has gotten well past a hundred and more are coming every hour.
But that’s not the worst. The most recent exploits show that malicious users bad guys have been very very busy finding and implementing new ways to get their exploits past various AV products. So much for the dark side taking a break over the winter holidays and New Year.”
On this note, Andreas Marx from http://www.av-test.org posted the following on Bugtraq:

“We have analysed some 100 malware WMF files and they can do almost anything. We saw download trojans, adware and spyware apps, backdoors, lots of bots (zombie programs), as well as password-spying programs which are looking for PINs and TANs for online banking attacks. I expect that some 1,000 websites are already compromised.
One of the malware apps we discovered on 2005-12-29 (some days ago!) already had a built-in infection counter at a (hidden) website and we saw the number 233,000. This means that, a few days back, some 100,000 PCs seem to have been compromised already. Today, the website is still working, and has delivered more than 1,000,000 malware installation files already. With 1+ million PCs under your control, you can do almost everything!
This means the issue is extremely critical, even if the current attack vector seems to be websites only. We already saw a few malware WMF files in e-mails, but not many. The chances are good, however, that we might see a worm in the next few days which spreads using WMF files and e-mail as the infection vector. Well, I can’t understand why Microsoft is considering some 1,000,000 infections as being “not widespread”. And that’s the counter for just ONE special malware file!”
Ilfak Guilfanov’s patch is now available from a number of ‘security’ sites; this is due to the fact that around half the planet has tried to download his patch from his own server, which caused his service provider to get upset. The new links to the patch appear below:
- http://www.grc.com/miscfiles/wmffix_hexblog14.exe
- http://handlers.sans.org/tliston/wmffix_hexblog14.exe
- http://castlecops.com/modules.php?name=Downloads&d_op=getit&lid=496
- http://csc.sunbelt-software.com/wmf/wmffix_hexblog14.exe
- http://www.antisource.com/download/wmffix_hexblog14.exe
- http://hexblog.axmo12.de/wmffix_hexblog14.exe
- http://www.dsinet.org/files/wmffix_hexblog14.exe
- http://lab.nsl.it/wmffix_hexblog14.exe
Microsoft have stated the following: “Although the issue is serious and malicious attacks are being attempted, Microsoft’s intelligence sources indicate that the scope of the attacks are not widespread.” - Quoted from Microsoft Security Advisory (912840)
Now what was it that the captain of the Titanic is supposed to have said before the ship’s fateful maiden voyage? Oh yeah, that’s right: “Even God couldn’t sink this ship.”
Could this WMF vulnerability be Microsoft’s digital version of the fatal Titanic iceberg... only time will tell!
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

