Bugtraq mailing list archives

WMF exploit

From: Andreas Marx <gega-it () web de>
Date: Tue, 03 Jan 2006 22:00:12 +0100

Hi,

I like what SANS is saying about the current MS announcement to deliver a patch by Jan 10, 2006, but not earlier:
http://isc.sans.org/diary.php

This is the interesting part:
"Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate
that the scope of the attacks are not widespread."
- Microsoft Security Advisory (912840)

First, there are many websites which intentionally includes Iframes to malware WMF files (like some "crack", "XXX" or
"patch" websites). Besides this, there were some mass hacks of usually more trustworthy web sites -- now, the websites
will still render fine, but the included WMF file will be started automatically.

We have analysed some 100 malware WMF files and they can do almost anything. We saw download trojans, adware and
spyware apps, backdoors, lots of bots (zombie programs), as well as password-spying programs which are looking for PINs
and TANs for online banking attacks. I expect that some 1,000 websites are already compromised.

One of the malware apps we have discovered at 2005-12-29 (some days ago!) already had a build-in infection counter at a
(hidden) website and we saw the number 233,000. This means, a few days back, some 100,000 PCs seems to be compromised
already. Today, the website is still working, and has delivered more than 1,000,000 malware installation files already.
With 1+ million PCs under your control, you can do almost everything!

This means, the issue is extremely critical, even if the current attack vector seems to be websites only. We already
saw a few malware WMF files in e-mails, but not many. The chances are good, however, that we might see a worm in the
next few days which spreads using WMF files and e-mail as infection vector. Well, I can't understand why Microsoft is
considering some 1,000,000 infections as being "not widespread". And that's the counter for just ONE special malware
file!

Note: I've informed MS (secure () microsoft com) about the malware links, the counter and I've send them the malware
WMF files as well as the downloaded EXE files some days ago already.

cheers,
Andreas

http://www.av-test.org

______________________________________________________________
Verschicken Sie romantische, coole und witzige Bilder per SMS!
Jetzt bei WEB.DE FreeMail: http://f.web.de/?mc=021193

Current thread:

Re: WMF Exploit Justin Myers (Jan 03)
- <Possible follow-ups>
- Re: RE: WMF Exploit grasshopa (Jan 03)
  - Re: WMF Exploit Joshua (Jan 05)
- Re: WMF Exploit Frank Knobbe (Jan 03)
- RE: WMF Exploit Paul (Jan 03)
- WMF exploit Andreas Marx (Jan 04)
- Re: WMF Exploit Paul Laudanski (Jan 04)
- RE: WMF Exploit Discussion Lists (Jan 04)