BugTraq
WMF exploit Jan 03 2006 09:00PM
Andreas Marx (gega-it web de)
Hi,

I like what SANS is saying about the current MS announcement to deliver a patch by Jan 10, 2006, but not earlier:
http://isc.sans.org/diary.php

This is the interesting part:
"Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks are not widespread."
- Microsoft Security Advisory (912840)

First, there are many websites which intentionally include Iframes to malware WMF files (like some "crack", "XXX" or "patch" websites). Besides this, there were some mass hacks of usually more trustworthy web sites -- now, the websites will still render fine, but the included WMF file will be started automatically.

We have analysed some 100 malware WMF files and they can do almost anything. We saw download trojans, adware and spyware apps, backdoors, lots of bots (zombie programs), as well as password-spying programs which are looking for PINs and TANs for online banking attacks. I expect that some 1,000 websites are already compromised.

One of the malware apps we discovered on 2005-12-29 (some days ago!) already had a built-in infection counter at a (hidden) website and we saw the number 233,000. This means, a few days back, some 100,000 PCs seem to be compromised already. Today, the website is still working, and has delivered more than 1,000,000 malware installation files already. With 1+ million PCs under your control, you can do almost everything!

This means, the issue is extremely critical, even if the current attack vector seems to be websites only. We already saw a few malware WMF files in e-mails, but not many. The chances are good, however, that we might see a worm in the next few days which spreads using WMF files and e-mail as the infection vector. Well, I can't understand why Microsoft is considering some 1,000,000 infections as being "not widespread". And that's the counter for just ONE special malware file!

Note: I've informed MS (secure (at) microsoft (dot) com) about the malware links, the counter and I've sent them the malware WMF files as well as the downloaded EXE files some days ago already.

cheers,
Andreas

http://www.av-test.org
