Bugtraq mailing list archives
WMF exploit
From: Andreas Marx <gega-it () web de>
Date: Tue, 03 Jan 2006 22:00:12 +0100
Hi, I like what SANS is saying about the current MS announcement to deliver a patch by Jan 10, 2006, but not earlier: http://isc.sans.org/diary.php This is the interesting part: "Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks are not widespread." - Microsoft Security Advisory (912840) First, there are many websites which intentionally includes Iframes to malware WMF files (like some "crack", "XXX" or "patch" websites). Besides this, there were some mass hacks of usually more trustworthy web sites -- now, the websites will still render fine, but the included WMF file will be started automatically. We have analysed some 100 malware WMF files and they can do almost anything. We saw download trojans, adware and spyware apps, backdoors, lots of bots (zombie programs), as well as password-spying programs which are looking for PINs and TANs for online banking attacks. I expect that some 1,000 websites are already compromised. One of the malware apps we have discovered at 2005-12-29 (some days ago!) already had a build-in infection counter at a (hidden) website and we saw the number 233,000. This means, a few days back, some 100,000 PCs seems to be compromised already. Today, the website is still working, and has delivered more than 1,000,000 malware installation files already. With 1+ million PCs under your control, you can do almost everything! This means, the issue is extremely critical, even if the current attack vector seems to be websites only. We already saw a few malware WMF files in e-mails, but not many. The chances are good, however, that we might see a worm in the next few days which spreads using WMF files and e-mail as infection vector. Well, I can't understand why Microsoft is considering some 1,000,000 infections as being "not widespread". And that's the counter for just ONE special malware file! Note: I've informed MS (secure () microsoft com) about the malware links, the counter and I've send them the malware WMF files as well as the downloaded EXE files some days ago already. cheers, Andreas http://www.av-test.org ______________________________________________________________ Verschicken Sie romantische, coole und witzige Bilder per SMS! Jetzt bei WEB.DE FreeMail: http://f.web.de/?mc=021193
Current thread:
- Re: WMF Exploit Justin Myers (Jan 03)
- <Possible follow-ups>
- Re: RE: WMF Exploit grasshopa (Jan 03)
- Re: WMF Exploit Joshua (Jan 05)
- Re: WMF Exploit Frank Knobbe (Jan 03)
- RE: WMF Exploit Paul (Jan 03)
- WMF exploit Andreas Marx (Jan 04)
- Re: WMF Exploit Paul Laudanski (Jan 04)
- RE: WMF Exploit Discussion Lists (Jan 04)