
Warning : WMF exploit


rudedog
12-28-2005, 05:52 PM
There's a new zero-day vulnerability related to Windows' image rendering - namely WMF files (Windows Metafiles). Trojan downloaders, available from unionseek[DOT]com, have been actively exploiting this vulnerability. Right now, fully patched Windows XP SP2 machines are vulnerable, with no known patch.


Anyone running WinXP or Windows 2003 Server may want to block the following sites via the hosts file:
Crackz [dot] ws
unionseek [dot] com
tfcco [dot] com
Iframeurl [dot] biz
beehappyy [dot] biz

F-Secure writes: Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C.


Fellow researchers at Sunbelt have also blogged (http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html) about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch:
Crackz [dot] ws
unionseek [dot] com
www. tfcco [dot] com
Iframeurl [dot] biz
beehappyy [dot] biz
And funnily enough, according to WHOIS, domain beehappyy.biz is owned by a previous president of the Soviet Union:
Registrant Name: Mikhail Sergeevich Gorbachev
Registrant Address1: Krasnaya ploshad, 1
Registrant City: Moscow
Registrant Postal Code: 176098
Registrant Country: Russian Federation
Registrant Country Code: RU
"Krasnaya ploshad" is the Red Square in Moscow...


Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.

You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute?
The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows.

- For more info on this and the WMF 0-day exploit, click here (http://www.f-secure.com/weblog/archives/archive-122005.html#00000753)
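
The hosts-file block suggested in the post above, as an added example that is not part of the original post: it refangs the indicators as they were written, adds the `www.` form of each name (a hosts file matches exact names only), and merges them into existing hosts content without duplicating entries. The function names and the `0.0.0.0` sink address are assumptions of this example.

```python
import re

# Constructed input: the defanged indicators exactly as written in the post above.
DEFANGED = """\
Crackz [dot] ws
unionseek[DOT]com
www. tfcco [dot] com
Iframeurl [dot] biz
beehappyy [dot] biz
"""

SINK = "0.0.0.0"  # assumption: non-routable sink address; 127.0.0.1 also works
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def refang(line):
    """Turn 'www. tfcco [dot] com' into 'tfcco.com'; return None if not a hostname."""
    host = re.sub(r"\s*[\[\(]\s*dot\s*[\]\)]\s*", ".", line.strip(), flags=re.I)
    host = re.sub(r"\s+", "", host).lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL.match(l) for l in labels):
        return None
    return host

def hosts_entries(defanged_text):
    """One sink line per unique name, covering the bare and www. forms."""
    seen, out = set(), []
    for line in defanged_text.splitlines():
        host = refang(line)
        if host is None:
            continue
        for name in (host, "www." + host):
            if name not in seen:
                seen.add(name)
                out.append(f"{SINK} {name}")
    return out

def merge_hosts(existing, entries):
    """Append only names not already mapped, so re-running is idempotent."""
    mapped = set()
    for line in existing.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        mapped.update(f.lower() for f in fields[1:])
    new = [e for e in entries if e.split()[1] not in mapped]
    if not new:
        return existing
    sep = "" if existing.endswith("\n") or not existing else "\n"
    return existing + sep + "\n".join(new) + "\n"

if __name__ == "__main__":
    print(merge_hosts("127.0.0.1 localhost\n", hosts_entries(DEFANGED)), end="")
```

On Windows XP and Server 2003 the hosts file is `%SystemRoot%\System32\drivers\etc\hosts`; review the merged text before writing it back.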

OldDog
12-29-2005, 09:14 AM
Another option, for those of you with firewalls such as LinkSys, Netgear, D-Link, etc., is to block these sites at that level, rather than block at multiple workstations. You normally can use the actual domain names, or you can use the IP addresses. They are:

crackz[dot]ws - 195.161.113.90
unionseek[dot]com - 69.50.160.101
tfcco[dot]com - 72.34.44.37
iframeurl[dot]com - 81.9.5.9
behappyy[dot]com - 195.225.176.38