Educause Security Discussion mailing list archives

Re: Example of WMF Exploit SPAM Targetting Schools?


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Tue, 10 Jan 2006 19:43:31 +1300

Gary Flynn wrote:

>          Mitigating Factors for Graphics Rendering Engine Vulnerability
>          - CVE-2005-4560:
>
> "In all cases, however, an attacker would have no way to force
> users to visit these Web sites. Instead, an attacker would have
> to persuade users to visit the Web site, typically by getting
> them to click a link in an e-mail or Instant Messenger request
> that takes users to the attacker's Web site."
>
> Not much of a mitigating factor in my mind. Any half way decent
> social engineering attack would be better than 80% effective
> unless everyone was being told "don't click anything because
> your computer's security has been completely compromised
> by a safety defect" or some other equally politically difficult
> drastic measures were in place.

You don't even need that.  At the beginning of the attack I set up Argus
to record the first 100 characters of each outbound session on port 80
and then examined the URLs whose downloads triggered my Snort rules.

The most persistent source addresses were in 85.255.112-119.  These
addresses will be well known to anyone who has looked at the source of
spyware recently.  The addresses are registered to a hosting company
based in the Ukraine but traceroute suggests they are being used in the
US (at least the immediate upstream is a major US ISP).

All the URLs seem to be referred from porn sites.  It is not clear if
these sites have been compromised to redirect suckers to the malicious
web sites or if they are willing participants in this scam.

All the active addresses were supplied to MS via ISC but MS failed to
get them shut down.  Hmmm....

It is misleading of MS to suggest that this requires user action when in
fact all that is required is that the victim visit a malicious web site
which may be hosting other 'legitimate' material.

Moral:  don't use windows to view porn :)

Russell
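
The workflow described in the message above (keep the first 100 bytes of each outbound port-80 session, then look at the URLs whose downloads tripped a Snort rule, and see which server addresses and referring sites keep turning up) is shown here as an added example; it is not code from the original message or from Russell Fulton. The session records, the Snort fast-format alert lines, the rule SID and message, and every address apart from the 85.255.112-119 range named in the post are constructed. The session record layout is an assumed simplified one rather than real argus output, and the year on the alerts (which fast-format alerts do not carry) is assumed to be 2006. The script joins each alert to the client request that preceded it, counts serving addresses and referring hosts, flags servers inside 85.255.112.0/21, and notes when a Referer line was cut off by the 100-byte capture.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

HEAD_BYTES = 100  # the post kept the first 100 bytes of each outbound session

# Constructed, assumed-format session records: (start time, client, server,
# request head).  Real argus output would need its own parser.
SESSIONS = [
    ("2006-01-09 22:14:03", "192.0.2.55", "85.255.115.23",
     "GET /cnt/ad.wmf HTTP/1.1\r\nHost: 85.255.115.23\r\n"
     "Referer: http://gallery.example/pics/\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"),
    ("2006-01-09 22:14:05", "192.0.2.55", "203.0.113.5",
     "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"),
    ("2006-01-09 22:31:47", "192.0.2.12", "85.255.117.8",
     "GET /xp/loader.wmf HTTP/1.1\r\nHost: 85.255.117.8\r\n"
     "Referer: http://gallery.example/free/\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"),
    ("2006-01-09 23:02:10", "192.0.2.9", "85.255.115.23",
     "GET /cnt/ad.wmf HTTP/1.1\r\nHost: 85.255.115.23\r\n"
     "Referer: http://other-adult.example/members/previews/page12.html\r\n"),
]

# Constructed Snort fast-format alerts; the SID and message are placeholders.
ALERTS = """\
01/09-22:14:04.112233  [**] [1:1000001:1] LOCAL WMF image download [**] [Priority: 1] {TCP} 85.255.115.23:80 -> 192.0.2.55:3421
01/09-22:31:48.004411  [**] [1:1000001:1] LOCAL WMF image download [**] [Priority: 1] {TCP} 85.255.117.8:80 -> 192.0.2.12:1180
01/09-23:02:11.900000  [**] [1:1000001:1] LOCAL WMF image download [**] [Priority: 1] {TCP} 85.255.115.23:80 -> 192.0.2.9:2200
01/09-23:40:00.000001  [**] [1:1000001:1] LOCAL WMF image download [**] [Priority: 1] {TCP} 198.51.100.7:80 -> 192.0.2.9:2300
""".splitlines()

BAD_RANGE = ipaddress.ip_network("85.255.112.0/21")  # 85.255.112-119 from the post

REQ_RE = re.compile(r"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/\d\.\d", re.I)
HOST_RE = re.compile(r"^Host:\s*(\S+)", re.I | re.M)
REF_RE = re.compile(r"^Referer:\s*(\S+)", re.I | re.M)
ALERT_RE = re.compile(
    r"^(\d{2})/(\d{2})-(\d{2}:\d{2}:\d{2})\.\d+\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(.*?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+([\d.]+):\d+\s+->\s+([\d.]+):\d+")


def parse_session(rec, head_bytes=HEAD_BYTES):
    """Pull URL and Referer out of the captured request head (first head_bytes only)."""
    ts, client, server, payload = rec
    head = payload[:head_bytes]
    req, host, ref = REQ_RE.match(head), HOST_RE.search(head), REF_RE.search(head)
    if not req:
        return None
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "client": client,
        "server": server,
        "url": f"http://{host.group(1) if host else server}{req.group(2)}",
        "referer": ref.group(1) if ref else None,
        # Referer value runs right up to the end of the head: treat as cut off
        "referer_truncated": bool(ref) and ref.end() == len(head),
    }


def parse_alert(line, year=2006):
    """Parse a Snort fast-format alert.  The alert's src is the web server
    (the exploit arrives in the response) and its dst the victim client."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    mon, day, hms, msg, src, dst = m.groups()
    return {"time": datetime.strptime(f"{year}-{mon}-{day} {hms}", "%Y-%m-%d %H:%M:%S"),
            "msg": msg, "server": src, "client": dst}


def correlate(sessions, alerts, window_s=60):
    """Join each alert to the client's request session that started at most
    window_s seconds before it.  Returns (hits, unmatched alerts)."""
    parsed = [s for s in map(parse_session, sessions) if s]
    hits, unmatched = [], []
    for a in filter(None, map(parse_alert, alerts)):
        matches = [s for s in parsed
                   if s["client"] == a["client"] and s["server"] == a["server"]
                   and 0 <= (a["time"] - s["time"]).total_seconds() <= window_s]
        if matches:
            hits.extend({**s, "rule": a["msg"]} for s in matches)
        else:
            unmatched.append(a)
    return hits, unmatched


def summarize(hits):
    """Count serving addresses and referring hosts; flag servers in BAD_RANGE."""
    servers = Counter(h["server"] for h in hits)
    referers = Counter(urlparse(h["referer"]).hostname for h in hits if h["referer"])
    flagged = {ip for ip in servers if ipaddress.ip_address(ip) in BAD_RANGE}
    return servers, referers, flagged


if __name__ == "__main__":
    hits, unmatched = correlate(SESSIONS, ALERTS)
    servers, referers, flagged = summarize(hits)
    for h in hits:
        cut = " (referer truncated)" if h["referer_truncated"] else ""
        print(f"{h['time']} {h['client']} -> {h['url']}  referer={h['referer']}{cut}")
    print("servers:", dict(servers), "flagged:", sorted(flagged))
    print("referring hosts:", dict(referers), "unmatched alerts:", len(unmatched))
```

Two things worth noticing when running this against real captures: a 100-byte head is often enough for the request line, Host and the start of Referer, but a long Referer value is cut short, so the referring host is usually recoverable while the full referring page is not; and an alert with no matching session (the last constructed alert here) normally means the request head was not captured or the join window was too small, not that the alert is spurious.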
