LandzDown Forum

Security => Security Alerts & Briefings => Topic started by: Eric the Red on December 28, 2005, 02:45:35 PM

Title: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Eric the Red on December 28, 2005, 02:45:35 PM
There are reports of active exploitation of a new vulnerability related to image rendering in Windows XP.  The Windows Picture and Fax Viewer is used to view Windows Meta Files (WMF) and is reported as being vulnerable.  Note that this is the default viewer used by Internet Explorer and some versions of Firefox for WMF files.

Current reports state that the attack vector being used is embedded malicious images on web pages hosted at unionseek[DOT]com.  This vulnerability could equally be exploited through the delivery of a malicious email.

There is additional information available at the following URLs:
http://isc.sans.org/diary.php?storyid=972
http://www.securityfocus.com/bid/16074/info
http://vil.mcafeesecurity.com/vil/content/v_137760.htm
http://www.f-secure.com/weblog/#00000752

Exploit code is publicly available. This is being exploited in the wild.

The vulnerability has been confirmed on a fully patched system running Microsoft Windows XP SP2. Microsoft Windows XP SP1 and Microsoft Windows Server 2003 SP0 / SP1 are reportedly also affected. Other platforms may also be affected.


There is no patch currently available to repair this vulnerability.
In the interim consider the following mitigation:

- block access to the unionseek[DOT]com domain
- block WMF files in your HTTP and SMTP content checkers
- ensure anti-virus software is fully updated
Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Eric the Red on December 29, 2005, 01:22:16 AM
This vulnerability is being tracked by the Internet Storm Center, see isc.sans.org/diary.php?storyid=975 (http://isc.sans.org/diary.php?storyid=975) for the latest news

Users of Google Desktop are also vulnerable to this exploit, see http://www.f-secure.com/weblog/archives/archive-122005.html#00000753
Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Corrine on December 29, 2005, 02:47:40 AM
Workaround posted by Sunbelt:

Quote
Wednesday, December 28, 2005
Workarounds for the WMF exploit

For this WMF exploit: Until Microsoft patches this thing or your AV provider has updated their defs, here are some workarounds:

1. Unregister SHIMGVW.DLL.

From the command prompt, type REGSVR32 /U SHIMGVW.DLL.  A reboot is recommended.  (It works post reboot as well.  It is a permanent workaround).

You can also do this by going to Start, Run and then pasting in the above command.

This effectively disables your ability to view images using the Windows picture and fax viewer via IE.

However, it is not the most elegant fix.  You're probably going to have all kinds of problems viewing images.

But, no biggie: Once the exploit is patched, you can simply do REGSVR32 SHIMGVW.DLL to bring back the functionality.

And, it is a preventative measure. If you are already infected, it will not help.

Works for IE, should work fine for Firefox users as well.

2. Change file associations for WMF files.

An equally ugly fix (but perhaps preferable) is to do the following:

1. Go to My documents, Tools, Folder Options, File Types.
2. Change WMF Image to notepad and select Always Open with this.

Your WMF files will open in Notepad.  Ugly, but it is a fix.

3. Run IESPYAD.

IESpyad is a free tool that puts block lists into IE's restricted sites zone.  It's managed by Eric Howes, who works as a consultant for Sunbelt.  We regularly update him with the latest URLs.  Click here.

(Note that Eric is currently out of town so I'm not sure it's being updated as frequently.) 

Alex Eckelberry
(Hat tip to Jon and Sunbelt researchers Lior Kimchi and Adam Thomas)

http://sunbeltblog.blogspot.com/2005/12/workaround-for-wmf-exploit.html
Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Eric the Red on December 29, 2005, 06:04:15 PM
After you have installed IESPYAD (version December 27th) be sure to also apply the interim update that can be found at dslreports.com/forum/remark,15121689 (http://www.dslreports.com/forum/remark,15121689)

This should be added to the December 27th update - do not remove that before applying this addition.
Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Corrine on December 30, 2005, 01:25:49 PM
Harry Waldron's Blog (http://msmvps.com/blogs/harrywaldron/archive/2005/12/29/79944.aspx) has a nice set of instructions:

Quote
Current recommendations for Malicious WMF Exploits in-the-wild

1. Keep your Anti-Virus and Anti-Spyware software as up-to-date as possible.  For example, McAfee users should install DAT 4661 or higher immediately.
2. Stay away from all questionable websites.  Do not open WMF files or links in any environment (e.g., IM, email, web surfing, explorer, etc.).
3. Filter and block WMF files in email or content filtering systems in the corporate environment.
4. Don't rely just on the WMF extension.  Windows metadata processing can process a disguised and renamed extension.  For example, the extension for a corrupted WMF file might be renamed to GIF and when Windows opens it, it may recognize that it was a WMF file originally and an infection could result.
5. As an extra safety precaution, you can turn off the vulnerable DLL.   The Full Disclosure workaround (http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040699.html) has a downloadable *.REG file that allows toggling shimgvw.dll on and off.  Another option might be to turn off the shimgvw.dll service completely.  Turning services completely off will result in a minor loss of functionality for thumbnail previews in Explorer, and the Windows Fax & Picture viewer can be affected.  Still, it's easy to restore this service later after better protective solutions emerge, as noted in the Full Disclosure link.

Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Eric the Red on December 30, 2005, 05:44:58 PM
From F-Secure blog (http://www.f-secure.com/weblog/archives/archive-122005.html#00000755):

Quote
The amount of trojans using the zero-day WMF exploit is increasing rapidly.

There is an important note on that page about the danger of using mspaint until the WMF issue is resolved.
Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Die Hard on December 30, 2005, 09:09:31 PM
This is how I removed this crap. The method is probably different from case to case, depending on what the downloader is fetching.

So I will keep strictly to how I did it:

Tools needed:
Ewido malware-remover  http://www.ewido.net/en/download/
datFind.bat :  http://virus-protect.net/bat/datFind.bat
Blacklight Beta by F-Secure: http://www.f-secure.com/blacklight/help/
HiJackThis : http://www.thespykiller.co.uk/files/HJTsetup.exe
Taskmanager (Ctrl+Alt+Del)

In my case it installed "UnSpy", which sent up a balloon in the taskbar. It could just as well look like this: http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html
Start by going to the control panel applet and uninstall whatever strange "antispyware" that is present.

Then HijackThis showed these details; fix them:
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\gvhfx.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\gvhfx.dll
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program\UnSpyPC\UnSpyPC.exe"
O9 - Extra button: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program\UnSpyPC\UnSpyPC.exe (HKCU)
O9 - Extra 'Tools' menuitem: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program\UnSpyPC\UnSpyPC.exe (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 
O17 - HKLM\Software\..\Telephony: DomainName = 
O17 - HKLM\System\CCS\Services\Tcpip\..\{48B1CBE5-F7C9-4647-9E5A-CB28ADE3C636}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{50A7A9D9-4795-4D70-B1FD-83183E8A934A}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CE88FF2-E304-47EE-B024-D4E0F2170FB3}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{73486B9A-079D-480E-95D2-0B27292DD2EB}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 
O17 - HKLM\System\CS1\Services\Tcpip\..\{48B1CBE5-F7C9-4647-9E5A-CB28ADE3C636}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 

Reboot into safe mode and remove the UnSpy Folder.
If it's like in my case, Explorer will act awkwardly. You have to use the Task Manager to terminate and restart Explorer, many times, when it stops responding.

Run Ewido, still in safe mode.

Reboot normally.

Run datFind.bat
It will sort newly installed/changed files by date, in "System", "System32", "Windows\Temp" and the "Windows" folder.
Open "datFind.bat" and it will sort the files by date in the different folders. To create them, collapse the open log and click any key and a new log is created. Copy the recent month/2 months of each log into the thread.
Look for suspicious files installed simultaneously; the user should have a rather good opinion of when he was hit by this crap.
The logs are by default stored directly under C:\
Navigate to the suspicious files seen in the logs and remove them. Not all of them will be found, however.

Run Blacklight and reboot. Run Ewido again.

If datFind.bat is run now, there should be files in the system32 log that aren't visible,

therefore....

Run Blacklight and this time use the option "Rename" on the files it finds, then reboot. For simplicity, write down all filenames before it renames and reboots. If this isn't done, a search can be done for files with the extension ".exe.ren" after Blacklight is run.

Open Explorer and navigate to the system32 folder and remove the remaining files of the infection, all with file extension ".exe.ren".

One thing is still to be done. A registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
will have a value of, in my case, csajj.exe (this is one of the files that had to be renamed by Blacklight).

This is how I removed the infection installed by the WMF Exploit, which opened the viewer for fax.
Another strange thing that occurred while it was installing was that AVG flagged WISPIS.EXE as infected. I believe that is the program that handles the mouse. I never realized if it was healed or not, but it still works flawlessly.

Die Hard :)
Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Eric the Red on December 31, 2005, 12:17:40 AM
One of the best articles that I have seen which analyses this exploit comes from Websense (http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=387)

This one also includes a .wmv showing the exploit in action, best run at full screen size  :breakkie:
Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: roddy32 on January 01, 2006, 02:25:27 PM
Here is the latest info on this from the Internet Storm Center.

This one is the updates thread that changes as new information is released or more exploits are released.
http://isc.sans.org/diary.php?n&storyid=992

This one is an overview of the situation.
http://isc.sans.org/diary.php?n&storyid=993

This one is the WMF FAQ
http://isc.sans.org/diary.php?n&storyid=994

This is the latest from this morning
"2nd generation WMF 0day Exploit Spammed"
http://isc.sans.org/diary.php?n&storyid=995

Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Eric the Red on January 01, 2006, 07:05:24 PM
The Internet Storm Center (SANS Institute) is proving to be the most reliable source of information in respect of the WMF exploit and it is strongly recommended that you check that site regularly for updated information, this exploit should be taken seriously.

Latest information from the ISC at time of posting:

Trustworthy Computing
http://isc.sans.org/diary.php?storyid=996

Recommended Block List
http://isc.sans.org/diary.php?storyid=997

2nd generation WMF exploit: status of the anti-virus products after one day
http://isc.sans.org/diary.php?storyid=998

Updated version of Ilfak Guilfanov's patch
http://isc.sans.org/diary.php?storyid=999


Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Corrine on January 01, 2006, 08:35:00 PM
The strongest recommendations from around the net are to install Ilfak's Temporary WMF Patch until Microsoft issues a patch.  Ilfak's temp can then be removed via Add/Remove Programs.

http://www.grc.com/sn/notes-020.htm
Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Corrine on January 01, 2006, 08:41:46 PM
Recommended block lists from SANS:

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)
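Die Hard's HijackThis log earlier in the thread shows O17 NameServer entries pointing at 85.255.115.3 and 85.255.112.12, which sit inside the Inhoster range on this SANS block list. The script below is an added example for this thread (not a tool from SANS, HijackThis or any poster): it parses O17 lines, checks each NameServer address against the two listed ranges with Python's standard ipaddress module, and reports any match. The sample log lines are constructed from the lines Die Hard posted plus one benign entry with a made-up interface GUID; the function names are this example's own.

```python
"""Flag HijackThis O17 NameServer entries that fall inside the SANS-recommended
block ranges quoted in the thread (InterCage 69.50.160.0/19, Inhoster 85.255.112.0/20).

Added example, not code from SANS, HijackThis or the thread's posters.
"""
import ipaddress
import re

# Ranges exactly as quoted from the SANS block list.
BLOCK_RANGES = {
    "InterCage Inc.": ipaddress.ip_network("69.50.160.0/19"),
    "Inhoster": ipaddress.ip_network("85.255.112.0/20"),
}

# HijackThis O17 line shape: "O17 - <registry path>: NameServer = ip[,ip...]"
O17_RE = re.compile(r"^O17 - (?P<path>.+?): NameServer = (?P<servers>.+)$")


def parse_o17_nameservers(log_lines):
    """Return (registry_path, [ip, ...]) for every O17 NameServer entry."""
    entries = []
    for line in log_lines:
        m = O17_RE.match(line.strip())
        if not m:
            continue  # Domain= lines and non-O17 sections are ignored here
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        entries.append((m.group("path"), servers))
    return entries


def classify_ip(ip_text):
    """Return the name of the block range containing the address, or None."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # not an IP literal (e.g. a hostname); leave it to a human
    for name, net in BLOCK_RANGES.items():
        if addr in net:
            return name
    return None


def find_hijacked_dns(log_lines):
    """Return [(registry_path, ip, range_name)] for every NameServer in a blocked range."""
    hits = []
    for path, servers in parse_o17_nameservers(log_lines):
        for ip in servers:
            name = classify_ip(ip)
            if name:
                hits.append((path, ip, name))
    return hits


# Constructed sample: two lines from Die Hard's log, one benign O17 entry with a
# made-up interface GUID, and one unrelated O4 line.
SAMPLE_LOG = [
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{48B1CBE5-F7C9-4647-9E5A-CB28ADE3C636}: NameServer = 85.255.115.3,85.255.112.12",
    "O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: Domain = ",
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-1111-2222-3333-444444444444}: NameServer = 192.168.1.1",
    "O4 - HKCU\\..\\Run: [UnSpyPC] \"C:\\Program\\UnSpyPC\\UnSpyPC.exe\"",
]

if __name__ == "__main__":
    for path, ip, name in find_hijacked_dns(SAMPLE_LOG):
        print(f"{ip} ({name}) configured as NameServer under {path}")
```

Only the two lines carrying the 85.255.x.x resolvers produce hits; a DNS server that is merely unfamiliar, or a hostname rather than an address, is left for a person to judge, which matches how the rest of the thread treats HijackThis output.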
Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Eric the Red on January 01, 2006, 09:14:06 PM
UNIRAS (UK Government Briefing) 1/06, released 19:31 UTC January 1st:

Quote
A new exploit has been released for the Windows WMF vulnerability.  The exploit
is embedded in image files with a .jpg extension and which are designed to make
detection with IDS more difficult.  At the time of release this exploit was not
detectable by anti-virus software although signatures are now being released.

There are further reports that this exploit has been used to construct
malicious emails that have been spammed out.  F-Secure have given the following
details for this email:

  Subject:    Happy New Year
  Body:       "picture of 2006"
  Attachment: HappyNewYear.jpg (MD5: DBB27F839C8491E57EBCC9445BABB755)
 
When the HappyNewYear.jpg is accessed (i.e. the file is opened, a folder containing
the file is viewed, or the file is indexed by, for example, Google Desktop), it
executes and downloads a Bifrose variant from www[dot]ritztours.com.

Full briefing at http://www.uniras.gov.uk/niscc/docs/br-20060101-00001.html?lang=en
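The briefing above, like Harry Waldron's point 4 earlier in the thread, makes the same defensive observation: Windows decides how to render a metafile from its content, not from the .jpg or .gif extension, so a content filter that only matches on extension misses it. The script below is an added example for this thread (not code from UNIRAS, F-Secure or any tool the thread names): it identifies WMF data from the first bytes of a file, flags a mismatch between content and extension, and compares the MD5 against a known-bad list that here contains only the hash quoted in the briefing. The three sample files are constructed in memory and are not malware; the function names are this example's own.

```python
"""Identify WMF content by header bytes regardless of file extension, and
compare file hashes against known-bad indicators.

Added example, not code from UNIRAS, F-Secure or any tool in the thread.
"""
import hashlib
import struct

# A placeable (Aldus) WMF starts with the 32-bit key 0x9AC6CDD7, little-endian on disk.
PLACEABLE_MAGIC = b"\xD7\xCD\xC6\x9A"

# Known-bad MD5s: the single hash quoted in the UNIRAS briefing, lowercased.
KNOWN_BAD_MD5 = {"dbb27f839c8491e57ebcc9445babb755"}


def sniff_wmf(data):
    """Return 'placeable-wmf', 'standard-wmf' or None from the first bytes only."""
    if len(data) < 6:
        return None
    if data[:4] == PLACEABLE_MAGIC:
        return "placeable-wmf"
    # Standard METAHEADER: mtType (1 = memory, 2 = disk), mtHeaderSize (always 9),
    # mtVersion (0x0100 or 0x0300); all three are little-endian 16-bit fields.
    mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    if mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
        return "standard-wmf"
    return None


def looks_like_jpeg(data):
    """A JPEG file begins with the SOI marker FF D8."""
    return data[:2] == b"\xFF\xD8"


def assess(name, data):
    """Classify one attachment; 'block' is set when any reason applies."""
    reasons = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff_wmf(data)
    if kind:
        # The thread's advice is to block WMF at the mail/web gateway outright.
        reasons.append(f"content is {kind}")
        if ext != "wmf":
            reasons.append(f"extension .{ext} does not match WMF content")
    if ext in ("jpg", "jpeg") and not looks_like_jpeg(data):
        reasons.append("claims to be JPEG but lacks the JPEG SOI marker")
    md5 = hashlib.md5(data).hexdigest()
    if md5 in KNOWN_BAD_MD5:
        reasons.append("md5 matches a known-bad indicator")
    return {"name": name, "md5": md5, "block": bool(reasons), "reasons": reasons}


# Constructed samples (not real malware): a placeable WMF header carrying a .jpg
# name, a standard disk WMF with a matching name, and a JPEG stub.
SAMPLES = {
    "HappyNewYear.jpg": PLACEABLE_MAGIC + b"\x00" * 18,
    "chart.wmf": struct.pack("<HHH", 2, 9, 0x0300) + b"\x00" * 12,
    "photo.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 12,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(assess(name, data))
```

The hash check is the weakest of the three tests: the briefing itself notes that the spammed file was modified to evade detection, so a single MD5 only catches that one copy, whereas the header check catches any WMF regardless of name or hash.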
Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Eric the Red on January 02, 2006, 12:27:35 AM
System Administrators may wish to know that SANS are now hosting a MSI version of the unofficial hotfix. It may be downloaded from a link on this page (http://handlers.sans.org/tliston/WindowsMetafileFix.html).
Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Corrine on January 02, 2006, 12:37:36 PM
The latest information --

If your computer is Windows 2000, Windows XP (SP1 and SP2) or Windows 2003 (NOT Win98 or ME), it is extremely vulnerable. After applying the temporary fix by Ilfak, you can check your system to ensure it is protected with the vulnerability checker.  Further discussion on this topic is available in the SunbeltBlog http://sunbeltblog.blogspot.com/2006/01/wmf-vulnerability-checker.html

FIX DIRECT DOWNLOAD LINK:  http://www.hexblog.com/security/files/wmffix_hexblog13.exe

Fix Described Here:  http://www.hexblog.com/2005/12/wmf_vuln.html

VULNERABILITY CHECKER DIRECT DOWNLOAD LINK:  http://www.hexblog.com/security/files/wmf_checker_hexblog.exe

Checker Described here:  http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html#more



Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Paddy on January 02, 2006, 08:11:24 PM
Corrine the link
Fix Described Here:  http://www.hexblog.com/2005/12/wmf_vuln.htm 

It gives me a HTTP 404 Page not found

I can only get to it via the home page..

numbnuts. :exorcize:
Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Corrine on January 02, 2006, 08:40:33 PM
Thanks, Paddy.  Looks like I missed the letter "l" when I copied the URL.  I've corrected it now.  :rose:

Even Wikipedia is following this:  http://en.wikipedia.org/wiki/2005_WMF_vulnerability
Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Eric the Red on January 03, 2006, 12:27:37 AM
SANS have published links at the Internet Security Center to the WMF FAQs in various languages:

Quote
Catalan
Deutsch
English
Español
Italiana and Italiana
Polska
Suomenkielinen

See this page (http://isc.sans.org/diary.php?storyid=1005)
Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Corrine on January 03, 2006, 05:17:47 PM
Microsoft updated Security Advisory (912840) promising a security update for the vulnerability on 10 January 2006:

Quote
[Snip]

Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft's Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows' Automatic Updates feature will be delivered the fix automatically.

[Snip]

http://www.microsoft.com/technet/security/advisory/912840.mspx
Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Eric the Red on January 03, 2006, 06:40:37 PM
Update to hotfix .msi

Version 1.4 of the hotfix in msi form for system administrators is now available at this location (http://handlers.sans.org/tliston/WMFHotfix-1.1.14.msi)
Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Die Hard on January 03, 2006, 10:42:22 PM
Quote
An equally ugly fix (but perhaps preferable) is to do the following:

1. Go to My documents, Tools, Folder Options, File Types.
2. Change WMF Image to notepad and select Always Open with this.

Your WMF files will open in Notepad.  Ugly, but it is a fix.

This is how it looks when associating WMF-files with notepad:
I do not post a link when it's immediately infectious, but the link is in the address bar in the screenshot (if anyone wants to try the local settings).

(https://www.landzdown.com/index.php?action=dlattach;topic=4040.0;attach=794)


[attachment deleted by admin]
Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Corrine on January 03, 2006, 11:04:34 PM
Ilfak's servers are temporarily down.  His fix is hosted at both SunBelt and Castle Cops.

Castle Cops Hexblog forum link:  http://castlecops.com/f212-Hexblog.html

Sunbelt Download links here:  http://sunbeltblog.blogspot.com/2006/01/alternate-download-for-unofficial.html

Information From:  http://sunbeltblog.blogspot.com/2006/01/ilfak-temporarily-living-at-castlecops.html
Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Eric the Red on January 03, 2006, 11:14:48 PM
Quote
An equally ugly fix (but perhaps preferable) is to do the following:

1. Go to My documents, Tools, Folder Options, File Types.
2. Change WMF Image to notepad and select Always Open with this.

Your WMF files will open in Notepad.  Ugly, but it is a fix.

In addition, in the next week until Microsoft release their patch:

Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Eric the Red on January 04, 2006, 04:55:16 PM
Update in respect of Ilfak Guilfanov's unofficial patch for the Windows .WMF flaw (from the ISC weblog (http://isc.sans.org/diary.php?storyid=1013)):

Quote
Ilfak's site is back, reduced to the bare minimum as it had very high load. If you still can't reach it, it's possible that there is some caching between you/your ISP/Ilfak's site.

Thanks to Alexander H for pointing out that, due to changes on Ilfak's site, URLs from old diary entries don't work anymore. You can go to the main web page, http://www.hexblog.com to access Ilfak's files.

Just one more update - if you can't access the site, the main reason is that your DNS server(s) still don't have the updated (new) DNS entries. Ilfak changed IP address of his site so it will take a while for this to propagate. The new IP address is 216.227.222.95, and you can reach the site by going to http://216.227.222.95.
Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: mgee on January 05, 2006, 11:43:21 PM
Microsoft appeared to be releasing the patch for this danger today.

Article Link: http://news.yahoo.com/s/ap/20060105/ap_on_hi_te/microsoft_security

Article:

Microsoft Releases Patch for Windows Flaw

SEATTLE - Microsoft Corp. released a software patch for its Windows operating system Thursday to fix a flaw that has spawned attempts to take control of Internet-connected computers.

Initially, Microsoft said it didn't expect to do so until at least Tuesday, but the Redmond software maker said it finished testing earlier than planned and was able to release it on its Web site.

The flaw is in an element of Windows that is used to view images. If a user is tricked into viewing an image, such as on a malicious Web site or within an e-mail attachment, that person's computer could be attacked.

Microsoft confirmed last week that some people were trying to take advantage of it. On Thursday, the company said outbreaks appeared to be limited.

One mitigating factor is the fact that the vulnerability requires a person to take action, such as opening an e-mail from a stranger or following a link to an unknown Web page.

Nevertheless, security experts have said the flaw could still pose a risk because personal firewalls offer little protection and the attacks can easily be modified to get around security software such as antivirus programs. Also, the flaw affects versions of Windows desktop and server software going back to Windows 98.

Microsoft had offered some technical options for decreasing the risk of an exploit. Other security companies had prepared their own patches while Microsoft worked on the official one.

___

On the Net:

http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx


Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Eric the Red on January 06, 2006, 06:22:49 PM
With the release of the official patch from Microsoft the significance of this thread has decreased. As a result I am unpinning this and returning it to the usual thread sequence. See this thread for patch details (http://www.landzdown.com/index.php?topic=4252.0)

May I express my thanks to all of you who have contributed to this and other threads in respect of the WMF vulnerability - you make a great team!  :thumbsup:
Title: Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
Post by: Skittles on January 09, 2006, 02:19:16 PM
I really like this article at Castle Cops.  A Must Read article.  Which I think that Corrine linked above already.

http://castlecops.com/a6445-WMF_Exploit_FAQ.html