New Windows Vulnerability

Discussion in 'other security issues & news' started by TNT, Dec 27, 2005.

Thread Status:
Not open for further replies.
  1. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    From Ron's San's link above, and very worthwhile to watch IMHO.

     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    As of about 1500 GMT some vendors had detected the .wmf file:

    http://www.rsjones.net/img/scan_wmf.gif

    The link in Ron's post mentions that this exploit has been seen on other sites.

    Agree. Nicely put together.

    The .wmf exploit seems to be new but the iframe vulnerability supposedly was patched in MS05-053.

    Every time I tried, IE crashed (JavaScript prompt). Opera displayed the prompt for a while but didn't crash. The script

    body onload="setTimeout('load()', 2000)"

    caused the page to constantly reload.

    According to your link, if the exploit runs, it downloads spyware and other junk.

    It's Anti-Executable. I replaced the original bitmap with the Guard Dog.

    Woof,

    -rich
     
    Last edited: Dec 28, 2005
  3. Wow, it looks like it's getting darn serious for IE users who aren't armed to the gills like people here, or if your AV is not up to scratch.
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,883
    Location:
    Texas
    Not just IE.

    [No politics please.]

    eweek
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
  6. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    Workaround for the WMF exploit

    Here
     
  7. No politics just facts

    Well yeah, I mean for default out-of-the-box IE, you are surfing along and you get nailed with no chance. With Firefox you are prompted, and if forewarned you can escape by clicking No. (Firefox 1.5 even has an additional lucky protection, since it offers to open with Windows Media Player, not Windows Image and Fax Viewer!) There's a big difference between user interaction and lack of it.


    Just did some digging and realised why Firefox people were safe.

    Firstly, Firefox does not support WMF (a picture file format) directly, unlike IE. So it just offers to open it with an external application.

    How to stay safe (for firefox)

    1) In your Windows associations make sure WMF and, to be safe, EMF are associated with Notepad. So even if you download the file and accidentally click it, it will be harmless.

    2) When I go directly to download a WMF file, say http://whatever.wmf (direct URL from the exploit), I get offered a download option to open with "Windows Picture and Fax Viewer".
    Don't do it! Make it open with Notepad and check the box that says "Do this automatically for files like this from now on".

    3) The funny thing is, when I went to the first exploit page (now non-functioning), which was an HTML link and not a direct download link to the WMF, it wanted to open with Windows Media Player. I'm not sure why there's a difference, except maybe in the first case the Windows Media Player *browser plugin* tried to take over and play the file directly.

    Changing the Windows association for WMF to some other app like Notepad appears to be sufficient to force IE to handle WMF with that app, but I haven't fully tested this yet.

    LOL looks like even this isn't enough because

    Looks like this is the best method, but breaks the system.

    Also I'm thinking they could send the file via IM or email as well, right? Don't click on WMF files; the best defense against accidentally clicking local WMF files now seems to be to associate them with Notepad, which should neutralise them for the case of local WMF files.

    Politics? Just facts.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I wonder if running your browser in "Normal Usermode" will also stop the attack. And btw, on my machine WMF files are opened by XnView, which also runs in "normal user mode"; that should have also stopped the attack, right? :)
     
    Last edited: Dec 28, 2005
  9. devilish

    devilish Guest

    I don't think running IE at lower privileges will affect much; at least when I used a guest account the exploit happily worked enough to launch the dropper.

    I was using the standard out-of-the-box Windows XP SP2 though, with WMF associated with Windows Picture and Fax Viewer.

    I don't know about XnView, but if it affects IrfanView, I suspect it will hit XnView too.
     
  10. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    4,098
    Any program that uses the vulnerable .dll files to process/display WMF images may be a possible source of infection.

    This includes Windows Picture and Fax Viewer, and many other file/image viewing applications.

    Basically, for the time being, everyone should investigate the workarounds here: http://sunbeltblog.blogspot.com/2005/12/workaround-for-wmf-exploit.html

    Also, everyone should disable IFrames for the Internet Zone.
    To do so...
    1.) Open Internet Explorer.
    2.) Click on Tools > Internet Options.
    3.) Then click on the "Security" tab, and then on "Internet".
    4.) Click on the "Custom Level..." button
    5.) Scroll down until you find "Launching programs and files in an IFRAME" and set it to DISABLE.
    6.) Click OK.

    Best regards,

    -Javacool
     
    Last edited: Dec 28, 2005
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks for the info, I had already removed the association from XnView; it's now associated with Win Media Player, and I've read earlier that it cannot display WMF files. But doesn't IE prompt you about WMF files? As far as I know it cannot automatically start files on my machine. And I always have the setting "Start programs/files in Iframe" set to disable; would this have stopped the attack then? o_O
     
  12. devily

    devily Guest

    Yes, very very tricky; don't forget the Windows media/image preview feature in Explorer, that will nail you too even if you set the associations to Notepad!
     
  13. StevieO

    StevieO Guest

    Maybe you could just rename SHIMGVW.DLL instead of unregistering it?


    Woof

    Anti-Executable, ah now we know, thanks! I use Winsonar, which hasn't ever let me down.


    I went to all those sites listed in Sunbelt's blog, and very few had the file I found?

    As I mentioned earlier, I have Iframes set to Prompt, but didn't get any prompt at all! What I did get is this, as always:

    http://img455.imageshack.us/img455/499/dlprompt17fb.png

    As I had already DL'd the file before and scanned it etc., I didn't bother this time.


    StevieO
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,883
    Location:
    Texas
    Cert

    .....
     
  15. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Is there a way to disable this Windows "magic bytes" behavior?
    If a file is not the same as the extension it says it is, I would not want to run it anyway.
    Disabling this would help reduce the damage of this exploit, the old JPEG exploit and maybe future exploits of this nature, because then a file could not hide as another extension.
     
  16. devilery

    devilery Guest

    I think spanner once requested or wrote a program that could work by telling you what the 'real extension' of a file was. :)
     
  17. StevieO

    StevieO Guest

  18. StevieO

    StevieO Guest

    I've been using this app for a number of years, and have added lots of extensions into it to intercept anything potentially nasty from launching unannounced. It's not often that it pops up, but when it does it's very reassuring to know that you have the option to Allow/Deny.

    It occurred to me that adding in WMF might work too. Whether it will or not I'm not sure, but I have anyway!

    . . .

    AnalogX Script Defender intercepts all requests to execute a variety of different script types that are commonly used to infect your computer - Visual Basic Scripting (.VBS), JavaScript (.JS) and Windows Scripting (.WSH) are the most common and can all be intercepted by SDefender. Best of all, you can add other scripting extensions later on when virus authors figure out how to exploit something else.

    http://www.analogx.com/contents/download/system/sdefend.htm


    StevieO
     
  19. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Devilery and StevieO,

    Thank you, but how can you tell what type of file you are looking at with the MiniDumper just by looking at the first 256 bytes of the header?
    On the MiniDumper page, for example, a .mid screenshot is shown, but the first bytes are MThd.
     
    Last edited: Dec 29, 2005
  20. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    StevieO,

    Thanks for mentioning the Script Defender. At least it might give a warning before opening this nasty exploit.

    I guess I was hoping that there was a registry tweak or something similar that would turn off Windows opening the file based on content rather than extension.
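    The "magic bytes" question above and the later one about reading a file's type from its header (the MThd bytes in the MiniDumper screenshot) come down to the same check: the first bytes of a file identify its real format whatever the extension says. The script below is an added example, not a tool from this thread or from any poster here. It carries a small table of well-known signatures (WMF, EMF, MIDI, JPEG, PNG, GIF, BMP), sniffs a file's header and flags files whose extension disagrees with their content; the sample headers are constructed in memory so it runs offline. It does not change which handler Windows picks; it only reports the mismatch so you know what a file really is before opening it.

```python
from pathlib import Path
from typing import List, Optional, Tuple

# Well-known leading bytes ("magic bytes") per format: (name, offset, bytes).
# WMF: a placeable metafile begins with the key 0x9AC6CDD7, stored
# little-endian on disk as D7 CD C6 9A; a plain metafile begins with Type
# (1 = memory, 2 = disk) and HeaderSize = 9, both 16-bit words.
# EMF: record type EMR_HEADER (1) at offset 0 and the signature " EMF"
# (0x464D4520) at offset 40.
# MIDI files start with the chunk tag "MThd", which is what the MiniDumper
# screenshot mentioned in the thread shows.
SIGNATURES: List[Tuple[str, int, bytes]] = [
    ("wmf", 0, b"\xd7\xcd\xc6\x9a"),
    ("wmf", 0, b"\x01\x00\x09\x00"),
    ("wmf", 0, b"\x02\x00\x09\x00"),
    ("emf", 40, b" EMF"),
    ("mid", 0, b"MThd"),
    ("jpg", 0, b"\xff\xd8\xff"),
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("gif", 0, b"GIF87a"),
    ("gif", 0, b"GIF89a"),
    ("bmp", 0, b"BM"),
]

# Extensions that name the same format as one of the table entries.
ALIASES = {"jpeg": "jpg", "midi": "mid"}

HEADER_BYTES = 256  # the same amount the MiniDumper shows


def sniff(header: bytes) -> Optional[str]:
    """Return the format name whose signature matches the header, or None."""
    for name, offset, magic in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return name
    return None


def check(filename: str, header: bytes) -> Tuple[str, Optional[str], bool]:
    """Compare the extension a file claims with the format its bytes show.

    Returns (claimed extension, detected format or None, mismatch flag).
    Unknown content is not reported as a mismatch: the table is not
    exhaustive, and a plain text file is not an image in disguise.
    """
    ext = Path(filename).suffix.lstrip(".").lower()
    ext = ALIASES.get(ext, ext)
    detected = sniff(header[:HEADER_BYTES])
    return ext, detected, detected is not None and detected != ext


def check_path(path: str) -> Tuple[str, Optional[str], bool]:
    """Same check for a file on disk; only the first 256 bytes are read."""
    with open(path, "rb") as fh:
        return check(path, fh.read(HEADER_BYTES))


# Constructed sample headers (not files from the thread). The EMF header
# needs 40 bytes before its signature, so it is padded with zeros.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "picture.jpg": b"\xd7\xcd\xc6\x9a" + b"\x00" * 18,   # WMF content, .jpg name
    "song.mid": b"MThd\x00\x00\x00\x06",
    "drawing.emf": b"\x01\x00\x00\x00" + b"\x00" * 36 + b" EMF",
    "notes.txt": b"Just some text",
}


def scan_samples() -> List[Tuple[str, str, Optional[str], bool]]:
    """Run check() over the constructed samples; one row per sample."""
    return [(name,) + check(name, hdr) for name, hdr in SAMPLES.items()]


if __name__ == "__main__":
    for name, ext, detected, mismatch in scan_samples():
        flag = "MISMATCH" if mismatch else "ok"
        print(f"{name:14} claims {ext:4} looks like {detected or '?':4} {flag}")
```

    Run as a script it prints one line per sample and marks picture.jpg, whose bytes are a placeable WMF header, as a mismatch; check_path() applies the same test to a real file such as a download you are unsure about. Only the first 256 bytes are read, so the file is never parsed or rendered by an image library.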
     
  21. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
  22. Pavel

    Pavel Guest

    Is this exploit (*.wmf file) available for download? Please send me another link to this file or direct this file to my mail ~ e-mail removed, CrazyM ~

    Thank
    Paul
     
    Last edited by a moderator: Dec 29, 2005
  23. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    How about .EMF files?

    It is an Enhanced Windows Metafile too, and uses the same DLL as .WMF files: SHIMGVW.DLL
     
  24. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Hi guys!

    NicM couldn't test the real malware .wmf exploit with DefenseWall, so I did it. Everybody can repeat it with the same result.

    I have WinXP SP2 + DefenseWall. Internet Explorer is running as untrusted. So I went to "beehappyy.biz/parthner3/xpl.wmf" (if you don't have DefenseWall installed and running, don't follow this link! I don't think you will be happy spending hours cleaning your computer from this ****!). The exploit was going well; I got a lot of the malware modules.

    This is the list of them. Some of them got errors because of the DefenseWall restrictions.

    C:\winstall.exe
    C:\secure32.html
    C:\boot.inx
    F:\windows\soft.exe
    F:\WINDOWS\system32\z12.exe
    F:\WINDOWS\system32\paytime.exe
    F:\WINDOWS\system32\z11.exe
    F:\WINDOWS\system32\z13.exe
    F:\WINDOWS\system32\z14.exe
    F:\WINDOWS\system32\z15.exe
    F:\WINDOWS\system32\z16.exe
    F:\WINDOWS\system32\exeha2.exe
    F:\WINDOWS\system32\exeha3.exe
    F:\WINDOWS\system32\efsdfgxg.exe
    F:\WINDOWS\system32\cmd32.exe
    F:\WINDOWS\system32\paradise.raw.exe
    F:\WINDOWS\system32\dial32.exe
    F:\WINDOWS\system32\sywsvcs.exe
    F:\WINDOWS\inet20099\services.exe
    F:\WINDOWS\inet20099\winlogon.exe
    F:\Documents and Settings\Ilya\Local Settings\Temp\a.exe

    They tried to change my wallpaper, IE start and search pages, default URLs, WinXP Firewall settings and BHOs, make themselves autostart and so on (as all malware usually does) and failed. The only thing they could do was put some **** onto my Desktop, which I removed immediately. After I closed all their processes I restarted my computer; none of the malware modules could autostart. The ITW test is passed successfully.
     
  25. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,883
    Location:
    Texas
    Secunia
     