Archive for December, 2005

Another new WMF exploit

Saturday, December 31st, 2005

It's been a busy few days and there's little sign of things easing off.  Now SANS is reporting a new [tag]WMF[/tag] vulnerability:

The source code claims to be made by the folks at metasploit and xforce, together with an anonymous source.
 
The exploit generates files:

  • with a random size;
  • no .wmf extension (.jpg), but could be any other image extension actually;
  • a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
  • a number of possible calls to run the exploit are listed in the source;
  • a random trailer

This is a pretty serious vulnerability and as yet there is no detection routine for antivirus products.  The folks at SANS also think that this one is going to be difficult to create detection signatures for because of the structure of WMF files.
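The quoted generator defeats the easy filters: the files carry a .jpg (or any other image) extension, a random size, and padding that pushes the bad call past the first network packet. The defensive lesson is to identify the file by its content, not its name or size. The following is an added example, not code from SANS or from this post: it recognises a WMF by its header (the public format: optional 22-byte placeable header with key 0x9AC6CDD7, then the 18-byte standard header, then records ending with META_EOF, function 0x0000) and walks the record chain, so random padding records and a .jpg name do not hide it. The sample files, filenames and the META_SETBKMODE filler records are constructed here for the demonstration.

```python
"""Content-based identification of WMF images, independent of file extension."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7      # Aldus placeable header key; on disk: D7 CD C6 9A
PLACEABLE_HEADER_LEN = 22       # bytes
STANDARD_HEADER_LEN = 18        # bytes (9 WORDs)
META_EOF = 0x0000
META_SETBKMODE = 0x0102         # harmless record used only as constructed filler


def parse_wmf_header(data: bytes):
    """Return a dict describing the WMF header at the start of data, or None."""
    offset, placeable = 0, False
    if len(data) >= PLACEABLE_HEADER_LEN and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        placeable, offset = True, PLACEABLE_HEADER_LEN
    if len(data) < offset + STANDARD_HEADER_LEN:
        return None
    (file_type, header_size, version, size_words,
     num_objects, max_record, num_params) = struct.unpack_from("<HHHIHIH", data, offset)
    # FileType 1 = memory metafile, 2 = disk metafile; HeaderSize is always 9 WORDs;
    # Version is 0x0100 or 0x0300. Anything else is not a WMF header.
    if file_type not in (1, 2) or header_size != 9 or version not in (0x0100, 0x0300):
        return None
    return {"placeable": placeable, "records_start": offset + STANDARD_HEADER_LEN,
            "version": version, "size_words": size_words, "num_objects": num_objects}


def walk_records(data: bytes, start: int):
    """Walk the record chain after the header. Return (record_count, reached_eof)."""
    pos, count = start, 0
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:          # a record is at least size (2 WORDs) + function (1 WORD)
            return count, False
        count += 1
        if func == META_EOF:
            return count, True
        pos += size_words * 2
    return count, False             # ran off the end without META_EOF


def classify(filename: str, data: bytes) -> str:
    """Classify by content; the extension is consulted only to report a mismatch."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    hdr = parse_wmf_header(data)
    if hdr is None:
        return "not-wmf"
    _, reached_eof = walk_records(data, hdr["records_start"])
    if not reached_eof:
        return "wmf-malformed"
    return "wmf" if ext == "wmf" else f"wmf-disguised-as-{ext or 'none'}"


def build_sample_wmf(filler_records: int = 0, placeable: bool = False) -> bytes:
    """Constructed sample: minimal disk WMF with optional filler records before META_EOF."""
    records = b"".join(struct.pack("<IHH", 4, META_SETBKMODE, 1) for _ in range(filler_records))
    records += struct.pack("<IH", 3, META_EOF)
    total_words = (STANDARD_HEADER_LEN + len(records)) // 2
    max_record = 4 if filler_records else 3
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, total_words, 0, max_record, 0)
    if placeable:
        # key, handle, bounding box (left, top, right, bottom), inch, reserved; checksum is
        # the XOR of the preceding ten WORDs
        body = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for (word,) in struct.iter_unpack("<H", body):
            checksum ^= word
        header = body + struct.pack("<H", checksum) + header
    return header + records


if __name__ == "__main__":
    # 700 filler records of 8 bytes each put the file well past a 1500-byte MTU
    for name, blob in [("card.wmf", build_sample_wmf()),
                       ("card.jpg", build_sample_wmf(filler_records=700)),
                       ("card.gif", build_sample_wmf(placeable=True)),
                       ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)]:
        print(name, classify(name, blob))
```

A gateway or mail filter that only looks at the extension would pass every one of the disguised samples above; checking the header and record chain is cheap and is independent of file size.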

This raises the Internet Storm Center threat level to yellow again.

More information on Security Fix

WMF exploit now spreading via IM

Saturday, December 31st, 2005

An [tag]IM worm[/tag] is now using the [tag]WMF[/tag] exploit.  According to Kaspersky Labs it's not spreading fast as of yet but that could all change.

We have received multiple reports from the Netherlands about an IM-Worm which spreads via MSN using a link to "http://[snip]/xmas-2006 FUNNY.jpg".
This may well turn out to become a local epidemic (in NL), however so far it has not become big. (Not even 1000 bots at this moment)

The jpg is actually an HTML page with a (link to a) malicious wmf file which is heuristically detected as [tag]Exploit.Win32.IMG-WMF[/tag] by Kaspersky Anti-Virus.
This wmf will download and execute a .vbs file which is detected as Trojan-Downloader.VBS.Psyme.br which in turn will download an Sdbot. The IRCBot is detected as Backdoor.Win32.SdBot.gen by KAV.

At the time of writing this SdBot is instructed to download an [tag]IM-Worm.Win32.Kelvir[/tag] variant. As you will know Kelvir is responsible for spreading across MSN.  Looking at this IRCBot it's extremely likely that it has been made for cyber criminals.

You might also want to avoid sending and receiving New Year e-cards too ...

I'm afraid we have to end this year with the warning to watch out for any unknown imagefile. With the flurry of e-cards and Happy New Year messages this could get really messy, so be careful.

F-Secure has also picked up on this.

More information on Security Fix

Office 12 screenshots

Saturday, December 31st, 2005

Paul Thurrott has some [tag]Office 12 beta[/tag] screenshots that are well worth taking a look at.

From a personal perspective I'm not allowed to post anything about Office 12, which is annoying to say the least, and seeing some people doing so (either braving the wrath of [tag]Microsoft[/tag] or with permission) is doubly annoying.

How antivirus companies have responded to the WMF exploit

Saturday, December 31st, 2005

An article in eWeek has posted results from [tag]AV-Test[/tag] looking at how antivirus companies have responded to the [tag]WMF[/tag] threat. 

So far there have been 73 analyzed variants and products from the following companies identify all 73 (if you have the latest updates downloaded and installed!):

  • Alwil Software (Avast)
  • ClamAV
  • ESET (Nod32)
  • Fortinet Inc.
  • F-Secure Inc.
  • McAfee Inc.
  • Panda Software
  • Softwin (BitDefender)
  • Sophos Plc
  • Symantec Corp.
  • Trend Micro Inc.
  • VirusBuster

Some of the others haven't fared so well (number of the 73 variants detected):

  • 62 - eTrust-VET
  • 62 - QuickHeal
  • 61 - AntiVir
  • 61 - Dr Web
  • 61 - Kaspersky
  • 60 - AVG
  • 19 - Command
  • 19 - F-Prot
  • 11 - Ewido
  • 7 - eSafe
  • 7 - eTrust-INO
  • 6 - Ikarus
  • 6 - VBA32
  • 0 - Norman

I'm surprised at Kaspersky not detecting all of the variants as they are usually quite prompt.  However, what we also see is that antivirus products that use heuristic detection (looking for malware-like behavior rather than just detecting specific threats).

I predict that 2006 will be a busy and challenging year for antivirus and security companies.

Send an email to yourself in the future

Saturday, December 31st, 2005

Making a New Year resolution or two and want to remind yourself of it in a year, five years or ten years?  Quick Online Tips has links to a number of services that allow you to do just that - write an [tag]email[/tag] now and have it sent to you (or someone else) in the future.

Just consider these important points:

"Before you send an email in future, ponder this...
Will these services exist till the period you want the email to be sent?
What is the guarantee that your email will be delivered?
What if your email address changes?
Do you trust your private / personal messages get into the right hands in future?"