PSC Newsletter January, 2006 - Windows WMF Vulnerability for the non-technical

Discussion in 'malware problems & news' started by Nancy_McAleavey, Jan 4, 2006.

Thread Status:
Not open for further replies.
  1. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Feb 10, 2002
    Voorheesville, NY, USA
    Just days after Christmas, the holiday season brought concern to many about an unrepaired vulnerability in Microsoft's "Media Player," "MS-PAINT," "Internet Explorer browser" and numerous other programs as a result of a "buffer overflow" fault in one of the Windows operating system files for Windows 2000 and XP known as "SHIMGVW.DLL." This is remarkably similar to an older exploit which existed in June of 2003 with the same characteristics. The solution at the time, until Microsoft could replace the GDI code itself, involved turning off the "Preview" function in "My computer" and Internet Explorer. This old cure still works; however, there are a few more issues with this latest exploit, first publicly reported on December 27th among antimalware researchers.

    Because of the tremendous amount of concern and email which it has created for us at the height of the holiday season where malware creators depend on the "white hats" taking off the holiday and the sheer volume of "the usual suspects" as a result, we're compelled to help explain to our BOClean customers what we have done and what we cannot do about WMF since it is the operating system itself which is the "trojan" here. We're going to make this as non-technical as possible as well as provide links to more technical details for those who understand the issues and wish to take some convoluted and difficult steps to assuage the situation until such time as Microsoft develops a "band-aid" for the situation at hand.


    BOClean is not a "file scanner" in the traditional sense of an antivirus or other "filtering" program, and these are best-suited to this task in general should you be presented with the "exploit." Having BOClean scan incoming files would only result in costly duplication of effort as "filtering" and "antivirus" software normally handle these situations already prior to the writing of a file to the disk of any data which could possibly make use of an "exploit." So the short answer is "no" but there's considerably more involved here, so let's go into some details on all this.

    What BOClean DOES do is protect you should an exploit be SUCCESSFUL and actually install and then attempt to run a program that is dangerous. The simple reality is that there are many OTHER exploits which are not getting this degree of attention, and it is the widespread and frequent use of exploits that get machines infected in the first place. For all of the attention, this one is pretty seriously limited in what it can do.

    Most people are smart enough not to click on links in spam to get infected, and thus the use of exploits has become the MAJOR means by which people and their machines get hijacked in the first place. In other words, this one isn't so special aside from the Public Relations "attention" it's garnered. The "CHM exploit" is also still alive and well, and it's used every day because it gets far better results for malware distributors. Same for the "IFrame," "redirect" and registry exploits which are so precious to the malware authors in "landing that bad boy." That these still exist years after their original discoveries is its own issue, and not a matter for discussion here.

    Over the last few days, there have been several different exploits of WMF released as a direct result of this attention. There is also a malicious tool out there which can automatically generate RANDOM "new" exploits of this WMF flaw, which were publicly disclosed by Tedd Towles in his "Technocrat Blog" here: In other words, a self-fulfilling prophecy now that the "bottom feeders" have been attracted.

    Since "file scanning" depends on signatures of the "already existing" or the ability to spot a particular pattern, detection of any and all WMF exploits will be difficult, and newly written malware which makes use of it will likely slip past until such time as new signatures or a general signature for this tool come into being. The one referred to however is not the only such tool.

    Further complicating matters is that "exploits" are not the same as general viruses, worms, and other malware in that they are not a "standalone executable." By use of "exploits" the actual "malware" is the legitimate portions of the operating system itself which actually host and operate the data which takes advantage of them. About all that can be practically done therefore is to delete the offending piece of the operating system since the exploits make use of what would otherwise be valid data used by the exploited piece of the operating system or other program. Not an option for us.

    It's also been noted in numerous malware research communications between us and other parties that, despite claims by several antivirus, firewall and other security companies that they have this matter "under control," it turns out not to be entirely true. Even some companies which provide software-based "filtering" or "execution protection" have been informed by Microsoft that any software-based "injection protection" tools completely fail to work against this exploit. Even worse, HARDWARE-based "execution protection" in newer CPUs and motherboards has either failed to protect or was not reliably configured either. Therefore it must be assumed that until such time as Microsoft fixes the flaws in SHIMGVW.DLL, regardless of the protection and means available to end users, it's more than likely that a targeted exploit will be successful regardless of "layered security" as a means to prevent the exploit from being downloaded.

    Because of all of these factors, BOClean itself stands ready in its standard operating mode to be that "second line of defense." *IF* an exploit is successful, then BOClean is there as always to foil the NEXT step in the attack, the downloading and installation of trojans, worms, adware, whatever. There is a major issue with this exploit: it only offers 1700 bytes or so of "payload space." A link to the site where the tool to exploit this and technical details on this 1700+ byte limitation can be seen is available, but we'd rather not link to it here directly. If you check the "Thoughts of a technocrat" blog, the link to it is there. This exploit differs though from the earlier one, where a "luxurious" 5081 bytes of "payload space" was available, which allowed pretty much any old downloader to work successfully. The big difference here is the tight space, which obviously limits what can actually be dropped through use of this exploit.

    Even the most "svelte" trojan downloaders are usually larger than 1750 or so bytes in size, and because of the limitations of the "payload space" the number of "trojan downloaders" that can be made to fit is extraordinarily small. A few exploits have actually embedded a "script" rather than an executable, but the end result of this WMF exploit is always the same - the exploit itself contains code which causes Internet Explorer or another utility to go to a site and download the ACTUAL trojan once the exploit is triggered. The exploit is simply too small to embed an actual "trojan" within it. Thus, BOClean ends up with two chances to win without actually "seeing" the exploit itself - either at the downloader execution stage, or at the "trojan is now downloaded and ready to run" stage.

    At THIS point, things turn plain old vanilla. We've seen several different uses for this exploit now - the vast majority of them being the installation of "pseudo-rootkits" like MIRC, WINGATE, SERV-U or more traditional bots such as SDBOT, RBOT, AGOBOT, MYBOT and other bots used for theft of machines or a keylogger/"BANCOBRA" identity thief. We have also (one of the reasons why we're not including links here) hit a few of the sites linked to in the blog we mentioned and upon clicking on the links in the "metasploit" site, received instantly good old Coolwebsearch "CWS/SMU18" and other hijackers such as LOP, SPYSCAM or IST junk. Bottom line, the kids are mighty busy and so far, knock on plastic, the EVENTUAL payload is the "same old, same old."

    Again, the PRIMARY purpose of this exploit is a "way in," and the fact that this is Windows itself rather than "traditional" malware or "sucker bait" such as "free porn," "free smilies," or "cracks/keygens" makes it very difficult for anyone to actually stop every possibility BECAUSE it's the exploitation of the operating system itself. Traditional antiviruses and other "scanners" are making inroads though as each new one is "discovered." For us, we prefer to lie in wait for the REAL trojan once it slips past the boundary as we always have. And this situation is no different for us with this exploit as opposed to all of the others by which malware lands successfully on machines every day.


    Most exploits take advantage of a critical design flaw in some software where the size of data isn't properly checked to ensure that it can't splash somewhere else. Buffer overflows occur routinely in a great deal of software and at worst, the end result is a crash or blue screen from time to time when invalid information is just too big. What makes "exploits" different is that this "excess baggage" just happens to land in a bad place in memory where the "overflow" somehow gets applied to a space where programs are being executed or can be "called" by some other function in the software which is being exploited. Very FEW "buffer overflows" actually result in the possibility of data being "run" but when they happen, they can be pretty serious.

    Good programming design requires (where possible) that any data which goes into memory be validated to be no larger than the space provided for that data. It's along the lines of trying to put 50 pounds of meat into a 5 pound bag. Prudent code will check any inbound data for its size and cut it to the allotted space if it's longer than the proper amount. Certain spots though in memory are critical, and what will happen here is that if the data is made a specific size too large, then executable stuff can end up directly in another part of memory where it will be run just like the rest of the program it's trashing. That's what's going on here - add enough junk and put code in just the right place at the right distance, and the exploit will run as part of the operating system itself.

    In situations like this, where the program being exploited is part of the operating system itself, it doesn't matter if it's a "limited user" or other security undertakings since it's part of the "operating system itself" which has all necessary rights. And as far as firewalls, or process integrity monitors or even BOClean, it's LEGITIMATE because the operating system component itself is legitimate and has more "rights to execute" than an "administrator" will ever see. "SYSTEM rights!" THIS is why "exploits" are so valuable to "malware people" ... it uses the operating system against itself and there's really nothing anyone can really do, except for Microsoft. IF they think it's important enough.


    There have been several suggestions offered in numerous corners, and most have not worked as had been hoped. Ultimately, Microsoft has to repair their defects in their SHIMGVW.DLL library. This is the only solution. However, some "workarounds" have been made available with varying degrees of difficulty and even more varying degrees of success. Perhaps the BEST solution is one that was made available by a fellow programmer, but it involves "patching" the DLL. For many of our larger customers this solution, despite its apparent effectiveness since Microsoft will replace the library at some point anyway, is unacceptable. For those customers who do not accept "patch the kernel" as a solution, BOClean will continue to serve as it always has in the face of exploits. We'll get it once the "payload does its thing" and stop the NEXT step where an actual infection will occur.

    For those interested in "the patch" detailed information on it is available here:

    Run the patch, and it will solve the problem as best as possible until Microsoft solves this, whereupon you can remove this patch. Source code is provided for those daring, but paranoid souls who do not object to "kernel hooking." IMPORTANT: This is NOT an OFFICIAL MICROSOFT patch, be governed accordingly.

    For those who do NOT wish to do this, then a less reliable means is to follow the instructions provided here at F-Secure's weblog:

    PLEASE note though that unregistering the offending DLL doesn't guarantee protection as MS-PAINT and possibly other programs might call the DLL and load it anyway. For now, the patch provided by Ilfak Guilfanov is about as good as it gets based on what we've determined, and as is further amplified on Kaspersky's blog:

    And for those wondering, the FIREFOX and OPERA browsers are only SLIGHTLY less susceptible to this exploit. As far as Windows itself goes, turning off "preview" mode in the options settings for "My computer," "(File) Explorer," "Internet Explorer," "MS-PAINT" and any other programs which provide a visual "preview mode" of graphics, as well as forgoing the use of Media Player for now is probably the best option short of applying the "patch" outlined above.


    New exploits are being launched hourly against WMF. These exploits make use of legitimate Microsoft Windows components and are not your "traditional malware." And so far, each attempt we've seen is different in various ways. The "exploit generator tool" ensures randomness and degrees of uniqueness in each customized exploit it makes. AND there are other "click and exploit" tools for the bottom feeders of the "script-kiddies." Blocking sites doesn't work as the malware types are constantly acquiring new sites, the datastream may or may not be spotted by firewalls, antivirus or other detection tools. Programs which are designed to limit or prevent "injection" into other programs will not work or are at best limited in their capacity - Microsoft says so here with respect to "software-based DEP":

    BOClean makes no claims that we can stop the exploit. However, those using BOClean can rest assured that only a small handful of already known "downloader trojans" are small enough to be used as a "payload" with this exploit and, should a new "downloader" somehow be created, the purpose OF using this exploit is to download other, larger known malware, which is the end purpose of the use of this exploit. And it also needs to be known that every day brings new malware of course, and as usual we're here for it as we are now on New Year's Day - keeping an eye out and carefully watching this and other situations daily. And we will continue to do so as we do every day.

    We hope this has been helpful, please forgive us if time to answer specific questions is difficult to come by - we're in a record time as far as the sheer number of nasties, and we occasionally have customers who have genuine emergencies that require our attention in email along with maintaining our commitment to "getting the trojans covered." Our rule here is that covering every trojan comes FIRST, THEN the emails. Emergencies are more important than "questions and comments." If you email us about this newsletter or have questions that are not an emergency, we beg your indulgence for a reply if the insanity remains as high on our end as it's been. Unfortunately, there are higher priorities at the moment, and we promise we'll eventually get to questions if asked. Only a question of when time permits, and that's been thin lately for all of us.

    © 2006 Privacy Software Corporation. All rights reserved.
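
Added example, not part of the newsletter above and not PSC or BOClean code: a PowerShell script that applies the "unregister the offending DLL" workaround the newsletter points to in the F-Secure instructions, verifies that the library is no longer registered as a COM server, and then checks the caveat the newsletter raises, namely that MS-PAINT or another program which already has SHIMGVW.DLL loaded keeps it regardless. It assumes Windows 2000/XP with the library at %windir%\system32\shimgvw.dll, an administrative session, PowerShell 2.0 or later, and regsvr32 as the unregistration tool; it scans the whole HKCR\CLSID hive for any InprocServer32 entry pointing at the DLL rather than assuming a particular CLSID.

```powershell
# Added example, not code from the PSC newsletter or from BOClean.
# Applies and verifies the "unregister shimgvw.dll" workaround and lists the
# processes that still have the DLL mapped (the caveat in the newsletter).
# Assumptions: Windows 2000/XP, an administrative PowerShell (2.0+) session,
# and regsvr32 as the tool used to unregister the library.

$ShimgvwPath = Join-Path $env:windir 'system32\shimgvw.dll'

function Get-ShimgvwComRegistrations {
    # Any CLSID whose InprocServer32 default value points at shimgvw.dll is a
    # way for Explorer, IE or another COM client to load the library.
    # No particular CLSID is assumed; the whole CLSID hive is scanned.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $serverKey = Join-Path $_.PSPath 'InprocServer32'
            if (Test-Path $serverKey) {
                $server = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
                if ($server -and ($server -imatch 'shimgvw\.dll')) {
                    New-Object PSObject -Property @{ Clsid = $_.PSChildName; Server = $server }
                }
            }
        }
}

function Get-ProcessesWithShimgvwLoaded {
    # Unregistering changes nothing for a process that has already mapped the
    # DLL; it keeps the vulnerable code until it exits.
    foreach ($proc in Get-Process) {
        try {
            $hit = $proc.Modules | Where-Object { $_.ModuleName -ieq 'shimgvw.dll' }
        } catch {
            continue   # access denied on a protected process; skip it
        }
        if ($hit) {
            New-Object PSObject -Property @{ Id = $proc.Id; Name = $proc.ProcessName }
        }
    }
}

$before = @(Get-ShimgvwComRegistrations)
Write-Host ("COM registrations pointing at shimgvw.dll before: {0}" -f $before.Count)

# The workaround itself. Reverse it with 'regsvr32 <path>' once the official
# Microsoft update is installed.
& regsvr32.exe /u /s $ShimgvwPath
Write-Host ("regsvr32 /u exit code: {0}" -f $LASTEXITCODE)

$after = @(Get-ShimgvwComRegistrations)
Write-Host ("COM registrations pointing at shimgvw.dll after: {0}" -f $after.Count)
if ($after.Count -gt 0) {
    Write-Warning "shimgvw.dll is still registered as a COM server; the workaround did not take."
}

$loaded = @(Get-ProcessesWithShimgvwLoaded)
if ($loaded.Count -gt 0) {
    Write-Warning "These processes already have shimgvw.dll mapped and must be restarted:"
    $loaded | Format-Table Id, Name -AutoSize
}
```

The last check is the part the newsletter warns about: unregistering only stops new COM activations, so an Explorer, Internet Explorer or Paint instance that already loaded the DLL has to be closed before the workaround means anything. From a plain command prompt the same loaded-module check is `tasklist /m shimgvw.dll`. Unregistering also disables Windows Picture and Fax Viewer and the Explorer thumbnail view, which is the same "turn off preview" effect the newsletter recommends from the other direction.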