Educause Security Discussion mailing list archives

Re: what is your advice to your users


From: David Taylor <ltr () ISC UPENN EDU>
Date: Thu, 5 Jan 2006 06:23:26 -0500

We were trying to figure out how to tell if a system has been compromised as
well.  

There are so many ways to deliver the payload and since people can insert
their own code it would be pretty much impossible to have a tool to clean
the system.  We have been wondering if there is a way to even tell if a
system has been exploited.  Some evil doers may just exploit a system and
plant a rootkit with keylogger and not show any noticeable signs they are
there. I would also guess that these intruders might use one of the patches
available to plug the WMF hole.

Does anyone know if the actual exploit of the WMF vulnerability generates
some kind of eventlog entry or leave a dump file behind of some type?  This
would be at least a way to see if the system was exploited.  I don't have an
XP system at this time to test this on.

Some other frightening things to think about as far as how some may try to
exploit this vulnerability:

Breaking into one machine on a Windows network and planting an evil WMF on a
network share.  Could compromise the server as well as anyone else browsing
the share with Windows XP.

Windows 2003 webservers that have upload components.  Not totally sure if
indexing the file alone would execute but something to think about.

==

There is an interesting post on securityfocus from Andreas at av-test.org.

http://www.securityfocus.com/archive/1/420769/30/0/threaded

==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security 
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
================================================== 

SANS - The Twenty Most Critical Internet Security Vulnerabilities 
http://www.sans.org/top20/

SANS - Internet Storm Center
http://isc.sans.org

irc.freenode.net #dshield
http://freenode.net/
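One defender-side answer to the "evil WMF on a network share" worry above, as an added example that is not part of the original thread or any poster's own tooling: a small Python scanner that parses WMF records and flags Escape records selecting SetAbortProc, the construct the WMF exploit relies on. The record and escape codes are those of the WMF format; the directory walk, the low-byte matching heuristic and the constructed sample file are this example's own assumptions.

```python
import struct
from pathlib import Path

META_ESCAPE = 0x0626       # WMF record function code for GDI Escape
ESC_SETABORTPROC = 0x0009  # Escape sub-function abused by the WMF exploit
PLACEABLE_MAGIC = 0x9AC6CDD7

def iter_wmf_records(data: bytes):
    """Yield (offset, function, params) for each WMF record; stop at META_EOF."""
    off = 22 if data[:4] == struct.pack("<I", PLACEABLE_MAGIC) else 0  # skip placeable header
    if len(data) < off + 18:
        return
    file_type, header_words = struct.unpack_from("<HH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        return  # not a standard WMF header, nothing to parse
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            break  # a record cannot be shorter than its own 6-byte header
        end = off + size_words * 2
        yield off, func, data[off + 6:end]
        if func == 0:  # META_EOF
            break
        off = end

def find_setabortproc(data: bytes):
    """Return [(offset, function)] for Escape records that select SetAbortProc.
    Heuristic (assumption of this example): match on the low byte 0x26 of the
    function code rather than the full 0x0626, to stay conservative."""
    hits = []
    for off, func, params in iter_wmf_records(data):
        if (func & 0xFF) == (META_ESCAPE & 0xFF) and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == ESC_SETABORTPROC:
                hits.append((off, func))
    return hits

def scan_tree(root):
    """Walk a directory (e.g. a mounted share) and report flagged files.
    Every file is inspected regardless of extension; only the header matters."""
    flagged = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits = find_setabortproc(path.read_bytes())
            if hits:
                flagged[str(path)] = hits
    return flagged

def build_sample_wmf(escape_code: int, payload: bytes = b"\x00" * 8) -> bytes:
    """Constructed test input: a minimal WMF with one Escape record and no real code."""
    params = struct.pack("<HH", escape_code, len(payload)) + payload
    rec = struct.pack("<IH", (6 + len(params)) // 2, META_ESCAPE) + params
    eof = struct.pack("<IH", 3, 0)
    total_words = (18 + len(rec) + len(eof)) // 2
    hdr = struct.pack("<HHHIHIH", 2, 9, 0x0300, total_words, 0, len(rec) // 2, 0)
    return hdr + rec + eof
```

A hit only says the file carries the suspicious record; it is a cue to pull the file and the host for closer inspection, not proof of a successful compromise.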



-----Original Message-----
From: Ken Connelly [mailto:Ken.Connelly () UNI EDU] 
Sent: Wednesday, January 04, 2006 3:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] what is your advice to your users


A removal tool for WMF might be to install linux on the machine...

Seriously, the WMF vulnerability will allow any number of exploits to be 
installed on the infected computer, so there is no single removal tool 
that could be used.  As is the case with any bot-like infection (where 
the bad guy has complete control of the infected computer), 
reformat/reinstall is the only real cure.

- ken

Jim Schug wrote:

Does anyone know of a removal tool for the WMF exploit?  



Ability is what you're capable of doing.
    Motivation determines what you do.
        Attitude determines how well you do it.
/-Lee Holz/

Jim Schug
Information Security Instructor
http://oncampus.matc.edu/infosec
Milwaukee Area Technical College
5555 West Highland Road, Mequon, WI 53092  USA
Phone: (262) 238-2267


-- 
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373
It's much more important to know what you don't know than what you do know!
