Educause Security Discussion mailing list archives
Re: Example of WMF Exploit SPAM Targetting Schools?
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Tue, 10 Jan 2006 19:43:31 +1300
Gary Flynn wrote:

> Mitigating Factors for Graphics Rendering Engine Vulnerability - CVE-2005-4560: "In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail or Instant Messenger request that takes users to the attacker's Web site."
>
> Not much of a mitigating factor in my mind. Any halfway decent social engineering attack would be better than 80% effective unless everyone was being told "don't click anything because your computer's security has been completely compromised by a safety defect" or some other equally politically difficult drastic measures were in place.
You don't even need that. At the beginning of the attack I set up argus to record the first 100 characters of each outbound session on port 80 and then examined the URLs whose downloads triggered my snort rules.

The most persistent source addresses were in 85.255.112-119. These addresses will be well known to anyone who has looked at the source of spyware recently. The addresses are registered to a hosting company based in the Ukraine but traceroute suggests they are being used in the US (at least the immediate upstream is a major US ISP).

All the URLs seem to be referred from porn sites. It is not clear if these sites have been compromised to redirect suckers to the malicious web sites or if they are willing participants in this scam. All the active addresses were supplied to MS via ISC but MS failed to get them shut down. Hmmm....

It is misleading of MS to suggest that this requires user action when in fact all that is required is that the victim visit a malicious web site which may be hosting other 'legitimate' material.

Moral: don't use windows to view porn :)

Russell
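The triage described in the post (keep the first 100 bytes of each outbound port-80 session, then look at the URLs and referers of the sessions that tripped the IDS) as an added Python example; this is not code from the list post or from argus/snort. The session snippets, the alert set and the .invalid hostnames are constructed, and 85.255.112.0/21 is the block named in the post written as a CIDR.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlparse

# Constructed sample data (not from the original post): (src, dst, first bytes of
# the outbound payload) as a flow sensor such as argus can be told to keep per session.
SESSIONS = [
    ("10.1.2.3", "85.255.115.20",
     b"GET /img/page1.wmf HTTP/1.1\r\nHost: dl.example.invalid\r\nReferer: http://adult.example.invalid/"),
    ("10.1.2.7", "85.255.118.9",
     b"GET /c/1.wmf HTTP/1.1\r\nHost: dl2.example.invalid\r\nReferer: http://adult.example.invalid/x.html\r\nAcc"),
    ("10.1.2.3", "192.0.2.10",
     b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\nUser-Agent: Mozilla/4.0\r\nAccept: */*\r\n"),
]
# Constructed IDS alerts keyed by destination address (what the snort rules fired on).
ALERTS = {"85.255.115.20", "85.255.118.9"}
# The address block named in the post, 85.255.112-119, as a CIDR.
SUSPECT_NET = ipaddress.ip_network("85.255.112.0/21")

def parse_request(snippet: bytes) -> dict:
    """Parse a truncated HTTP request head; only complete header lines count."""
    text = snippet.decode("ascii", errors="replace")
    lines = text.split("\r\n")
    if not text.endswith("\r\n"):
        lines = lines[:-1]  # the last line was cut off by the capture limit
    if not lines or len(lines[0].split()) != 3:
        return {}  # no complete request line: nothing usable
    method, path, _version = lines[0].split()
    req = {"method": method, "path": path, "host": None, "referer": None}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.lower() == "host":
            req["host"] = value.strip()
        elif name.lower() == "referer":
            req["referer"] = urlparse(value.strip()).hostname
    return req

def triage(sessions, alerts, suspect_net):
    """Join flow snippets with IDS hits; rank destination IPs and referring hosts."""
    hits, referers, findings = Counter(), Counter(), []
    for src, dst, payload in sessions:
        if dst not in alerts:
            continue  # only sessions the IDS flagged are of interest
        req = parse_request(payload)
        in_net = ipaddress.ip_address(dst) in suspect_net
        findings.append((src, dst, req.get("host"), req.get("path"), req.get("referer"), in_net))
        hits[dst] += 1
        if req.get("referer"):
            referers[req["referer"]] += 1
    return findings, hits, referers
```

A referer line that the capture limit cut in half is dropped rather than guessed at, which is why the first session reports no referring host.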