28 Dec 2005, 21:01
#1
Insomniac
Join Date: May 2003
Posts: 3,583
dont go opening them thar .wmf files now...
just so you lot know, there's a nasty new Windows exploit going around
information from digg.com
information from sans
information from fsecure
basically, don't touch any .wmf file, or folder containing them, with a bargepole.
and for the love of god DON'T USE INTERNET EXPLORER, it infects you instantly.
Firefox and Opera both will still infect you, but they ask you if you really want to open it first, and in what
Windows Picture and Fax Viewer is what is vulnerable, or rather a component of it which reads the file metadata, from what I can gather
you can still get infected if you download it using a DOS box and wget also, if you have something like Google Desktop which will notice it and cache the file (and in the process read the metadata, which triggers this)
there's a video here if you want to watch it infect a (deliberately set up) machine, and turn into a rather slick scam.

28 Dec 2005, 21:23
#2
Insanity Prawn Boy!
Join Date: Dec 2001
Location: In a bush where you can't find me
Posts: 2,474
Re: dont go opening them thar .wmf files now...
so, what, is it that Winhound thing that's the scam?
__________________
They shall not grow old, as we who are left grow old:
Age shall not weary them, nor the years condemn.
At the going down of the sun and in the morning
We shall remember them.

28 Dec 2005, 21:27
#3
Insomniac
Join Date: May 2003
Posts: 3,583
Re: dont go opening them thar .wmf files now...
in the video example it is, the "register now, give us your CC details" part.
could be redirecting from a valid site to a scam site set up to harvest CC details
the exploit itself can (and is) being used to deliver anything though, from scam, through trojan, all the way (potentially) to rootkit

28 Dec 2005, 21:30
#4
Insanity Prawn Boy!
Join Date: Dec 2001
Location: In a bush where you can't find me
Posts: 2,474
Re: dont go opening them thar .wmf files now...
fun. I'll be keeping an eye out for that then

28 Dec 2005, 21:30
#5
Caveat Lector
Join Date: Feb 2003
Location: Tucson, Arizona
Posts: 3,038
Re: dont go opening them thar .wmf files now...
I believe IE warns you before opening downloaded files too.

28 Dec 2005, 21:33
#6
Insomniac
Join Date: May 2003
Posts: 3,583
Re: dont go opening them thar .wmf files now...
not wmf files - it opens those automatically, watch the video if you want proof

28 Dec 2005, 21:39
#7
Caveat Lector
Join Date: Feb 2003
Location: Tucson, Arizona
Posts: 3,038
Re: dont go opening them thar .wmf files now...
Oh.

28 Dec 2005, 21:53
#8
Registered User
Join Date: Jan 2005
Posts: 3,174
Re: dont go opening them thar .wmf files now...
So it just installs a convincing looking AV program that harvests CC details. Is that all or can you just ignore it and remove it?
__________________
If one person is in delusion, they're called insane.
If many people are in delusion, it's called a religion.

28 Dec 2005, 21:56
#9
Insomniac
Join Date: May 2003
Posts: 3,583
Re: dont go opening them thar .wmf files now...
that variation of it does, but the point I was trying to make (and seemingly failing) is that it's a new exploit, discovered literally within the last 24-48 hours, and is already being abused.
this is just the tip of the iceberg imo, lots of other, and potentially nastier, stuff will follow

28 Dec 2005, 23:05
#10
Bored
Join Date: Apr 2001
Location: Nottm ->Shef ->Croydon ->Manc ->Durham ->Sheffield
Posts: 6,506
Re: dont go opening them thar .wmf files now...
can you explain what a wmf file is actually used for?

28 Dec 2005, 23:06
#11
Generic funny comment.
Join Date: May 2000
Location: Basingstoke, UK
Posts: 136
Re: dont go opening them thar .wmf files now...
Thanks for the warning. I've now set Windows to ask before opening .wmf files (Folder Options > File Types > Select WMF, click 'Advanced' button > check 'Confirm open after download' checkbox > 'OK' > 'OK'). Hopefully having done that will keep me safe until MS put out a patch.
__________________
- GlimmerMan
Kick the Baby! - did we rock your world?

28 Dec 2005, 23:07
#12
NEWSBOT
Join Date: Dec 2000
Location: The enby cave!
Posts: 4,872
Re: dont go opening them thar .wmf files now...
Windows Metafile, can be used for graphics iirc.
edit: filext.com
__________________
[20:27:47] <nodrog-aawy> **** i think my housemate just caught me masturbating
[11:25:32] <idimmu> you are a little piggy arent you
[13:17:00] <KaneED> i'm so closet i'm like narnia
__________________
Pretty parks and funky scrap metal things here

28 Dec 2005, 23:28
#13
wild one
Join Date: Feb 2001
Location: River Edge, NJ
Posts: 3,313
Re: dont go opening them thar .wmf files now...
...as he sits here quite comfortably on OS 10.4.3.

28 Dec 2005, 23:47
#14
:cool:
Join Date: Jul 2001
Location: Here, there and everywhere
Posts: 791
Re: dont go opening them thar .wmf files now...
Quote:
Originally Posted by skiddy
...as he sits here quite comfortably on OS 10.4.3.
Me too!
__________________
Danger gleams like sunshine to a brave man's eyes.

29 Dec 2005, 02:25
#15
Insomniac
Join Date: May 2003
Posts: 3,583
Re: dont go opening them thar .wmf files now...
quick update: http://blogs.washingtonpost.com/secu...t_release.html
basically you can disable the vulnerable DLL by doing:
1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click OK when the change dialog appears
once Microsoft have released a patch for this, you can re-enable it by:
1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 shimgvw.dll" to enable.

29 Dec 2005, 11:01
#16
Join Date: Jan 2002
Posts: 421
Re: dont go opening them thar .wmf files now...
oh why do I bother
you're wrong, most of you at least
http://forums.somethingawful.com/sho...readid=1759573
that should give you enough info, along with a patch to the problem by R1CH

29 Dec 2005, 15:38
#17
Insomniac
Join Date: May 2003
Posts: 3,583
Re: dont go opening them thar .wmf files now...
gdi32.dll isn't the file which has the flaw, so why that's the one being patched I dunno.
edit: according to CERT now, it could be too: http://www.kb.cert.org/vuls/id/181038
personally I wouldn't touch that patch - no telling what it will or won't do. would much prefer to see the source for it, see a diff of what modifications were done, and compile it myself before I use it
maybe I'm just paranoid but there you go
I've done the regsvr workaround for now, and will use any MS patch when they eventually get off their arses and make one
as for DEP, it's worked in some cases, it hasn't in others from what I've seen on sites like F-Secure's blog, SANS, etc.
Last edited by Phil^; 29 Dec 2005 at 15:53.

29 Dec 2005, 15:42
#18
Join Date: Jan 2002
Posts: 421
Re: dont go opening them thar .wmf files now...
try using the sample .wmf file he posted before and after applying his patch
you will see the difference

29 Dec 2005, 19:44
#19
Raaaaaaaah!
Join Date: Apr 2000
Location: United Kingdom
Posts: 2,296
Re: dont go opening them thar .wmf files now...
I think this sums up all the advice: DON'T USE INTERNET EXPLORER. Not only does using something else offer more protection, you can safely lord it over all those poor IE users.
__________________
Hicks
Mercury & Solace
Always [Fury]

29 Dec 2005, 20:20
#20
Registered User
Join Date: Jan 2005
Posts: 3,174
Re: dont go opening them thar .wmf files now...
I've never had a problem with IE, is there some Coolness Internet Memo I didn't get?

29 Dec 2005, 22:41
#22
Insomniac
Join Date: May 2003
Posts: 3,583
Re: dont go opening them thar .wmf files now...
it prevents the individual trojans/etc which use the exploit at present, I'm sure, but it won't plug the hole the exploit sails in though. it'll be a cat-and-mouse game with all the anti-virus companies and virus writers until the actual exploit hole is fixed, and people patch up.

29 Dec 2005, 23:13
#23
Mr. Blobby
Join Date: Nov 2000
Location: Belgium
Posts: 8,271
Re: dont go opening them thar .wmf files now...
Quote:
Originally Posted by sniborp
I've never had a problem with IE, is there some Coolness Internet Memo I didn't get?
I've never had an accident while drunk driving, so I don't know what everyone's complaining about as it's perfectly fine!

30 Dec 2005, 02:17
#24
Join Date: Jan 2002
Posts: 421
Re: dont go opening them thar .wmf files now...
Quote:
Originally Posted by Hicks
I think this sums up all the advice: DON'T USE INTERNET EXPLORER. Not only does using something else offer more protection, you can safely lord it over all those poor IE users.
again, wrong
Had you said "don't use Windows ME, 2000, XP or 2003" I would have agreed, but unfortunately it is not the browser that is vulnerable but the image previewing, which is also used by any other browser (Opera, Firefox). Even Google Desktop Search uses the preview to cache the pictures, so that makes you vulnerable as well.

30 Dec 2005, 02:24
#25
Mr. Blobby
Join Date: Nov 2000
Location: Belgium
Posts: 8,271
Re: dont go opening them thar .wmf files now...
Quote:
Originally Posted by Flavius
Had you said "don't use Windows ME, 2000, XP or 2003" I would have agreed, but unfortunately it is not the browser that is vulnerable but the image previewing, which is also used by any other browser (Opera, Firefox). Even Google Desktop Search uses the preview to cache the pictures, so that makes you vulnerable as well.
The main issue, however, is that at least Opera and Firefox ask you whether you wish to open the file, whereas Internet Explorer simply does so.
While this doesn't make Firefox or Opera immune or immensely more safe, it does show that in situations like these they provide an extra layer of security that Internet Explorer does not. And with the main source of security still being the end user, that is not a layer that should be easily overlooked.

30 Dec 2005, 02:42
#26
Join Date: Jan 2002
Posts: 421
Re: dont go opening them thar .wmf files now...
Quote:
Originally Posted by Leshy
The main issue, however, is that at least Opera and Firefox ask you whether you wish to open the file, whereas Internet Explorer simply does so.
While this doesn't make Firefox or Opera immune or immensely more safe, it does show that in situations like these they provide an extra layer of security that Internet Explorer does not. And with the main source of security still being the end user, that is not a layer that should be easily overlooked.
an extra layer of security? how often do you suspect a .gif or .jpg file?
anyone can make his own .wmf file, rename it to .gif and place it as an avatar
Firefox won't ask you to open it, it will simply display it.
Firefox asks if you want to open a .wmf since it's not registered internally as a picture file format

30 Dec 2005, 03:05
#27
Mr. Blobby
Join Date: Nov 2000
Location: Belgium
Posts: 8,271
Re: dont go opening them thar .wmf files now...
Quote:
Originally Posted by Flavius
how often do you suspect a .gif or .jpg file?
[...]
Firefox asks if you want to open a .wmf
And this is exactly why that question, which arouses suspicion, is pretty effective.

30 Dec 2005, 03:07
#28
Join Date: Jan 2002
Posts: 421
Re: dont go opening them thar .wmf files now...
Quote:
Originally Posted by Leshy
Does not compute.
OK, the infected file is blah.wmf
Internet Explorer opens it without questions. Opera/Firefox don't.
Take the infected file, rename it to blah.gif
All browsers will open it automatically since they assume it to be a picture.

30 Dec 2005, 03:08
#29
Join Date: Jan 2002
Posts: 421
Re: dont go opening them thar .wmf files now...
Quote:
Originally Posted by Leshy
And this is exactly why that question, which arouses suspicion, is pretty effective.
you can rename a .wmf to .gif, which escapes that added "layer of protection" you claim firefox/opera have.

30 Dec 2005, 04:09
#30
Mr. Blobby
Join Date: Nov 2000
Location: Belgium
Posts: 8,271
Re: dont go opening them thar .wmf files now...
Isn't it the case that as soon as you rename it to a .gif or whatever, the browser will attempt to open the file itself, realise that the file is either unreadable or corrupted and thus be unable to display it, rather than sending it on to the vulnerable Windows Image Viewer component?
I seem to recall a .jpeg vulnerability issue a while back that was a problem caused by a faulty Windows component as well, which Opera was not affected by because it uses its own programming to handle the viewing of .jpeg images.

30 Dec 2005, 04:15
#31
Join Date: Jan 2002
Posts: 421
Re: dont go opening them thar .wmf files now...
Quote:
Originally Posted by Leshy
Isn't it the case that as soon as you rename it to a .gif or whatever, the browser will attempt to open the file itself, rather than send it on to the vulnerable Windows part? That is, if it fails to realise that the file's type doesn't match its extension.
I seem to recall a .jpeg vulnerability issue a while back that was a problem caused by a faulty Windows component as well, which Opera was not affected by because it uses its own programming to handle that stuff.
OK, I take back part of what I said before regarding the rendering of the picture within the browser.
Here's a short summary: "IE automatically opens the fax/image viewer when directly accessing a .wmf. Firefox does not (in later versions). If you viewed it as an embedded image on a page it would not have displayed properly, but it would not have executed any exploit code.
You can't run the code directly simply by browsing (browsing can indirectly lead to the code being executed if something like google desktop indexes/touches the cached copy of the file in your temp internet files or you browse to the folder in explorer and the autopreview/thumbnail generation kicks in). You have to click a link directly to the infected file so that the fax and picture viewer runs."
So this is not a browser vs browser argument, and browsing generally should not be a problem. The problem lies in the fax/picture viewer and any other program that uses the same image processing libraries to open .wmf files (such as Google Desktop).
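The rename argument in posts #26 to #29 (a .wmf served under a .gif name so the browser treats it as an inline picture) and the cache point in post #31 (an indexer or Explorer thumbnailer later touching the cached copy) both come down to the same defensive check: decide what a file is from its leading bytes, not from its extension. The script below is an added example written for this page; it is not code from any post in the thread, nor from any tool named here. It compares a file's first bytes against the published WMF header layouts (the 22-byte placeable wrapper keyed 0x9AC6CDD7 and the 18-byte standard metafile header) plus the GIF, JPEG and PNG signatures, and reports any file whose content disagrees with its extension. The function names, the `SAMPLE_FILES` map and the directory-walk helper are my own assumptions, and the sample inputs are constructed, not real captured files.

```python
"""Extension-independent detection of WMF content hiding behind picture names.

Editor-added example for this thread, not code from the original posts. It
sniffs the file's leading bytes against the public WMF header layouts rather
than trusting the extension, so a .wmf renamed to .gif is still reported.
"""
import os
import struct
from pathlib import Path

# Placeable WMF files begin with the key 0x9AC6CDD7, stored little-endian.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"

# Which extensions legitimately carry each sniffed format.
EXTENSIONS_FOR_KIND = {
    "gif": {".gif"},
    "jpeg": {".jpg", ".jpeg"},
    "png": {".png"},
    "wmf": {".wmf"},
}


def sniff_image(data: bytes) -> str:
    """Return the format implied by the leading bytes: gif, jpeg, png, wmf or unknown."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:4] == PLACEABLE_KEY:
        return "wmf"  # 22-byte placeable wrapper; the standard header follows it
    if len(data) >= 18:
        # Standard metafile header (little-endian): FileType (1 memory, 2 disk),
        # HeaderSize (always 9 words), Version (0x0100 or 0x0300), then sizes/counts.
        file_type, header_size, version = struct.unpack_from("<HHH", data, 0)
        if file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def classify(name: str, data: bytes) -> dict:
    """Sniff one file and report whether the content disagrees with its extension."""
    kind = sniff_image(data)
    ext = Path(name).suffix.lower()
    allowed = EXTENSIONS_FOR_KIND.get(kind)
    return {
        "name": name,
        "kind": kind,
        # Any recognised format under the wrong extension is worth a look ...
        "mismatch": allowed is not None and ext not in allowed,
        # ... but WMF content under a picture extension is the thread's exact case:
        # the browser treats it as an inline image, so it gets its own flag.
        "disguised_wmf": kind == "wmf" and ext != ".wmf",
    }


def scan_files(files: dict) -> list:
    """Classify an in-memory {name: bytes} map and return only the mismatches."""
    findings = []
    for name, data in files.items():
        result = classify(name, data)
        if result["mismatch"]:
            findings.append(result)
    return findings


def scan_directory(root: str) -> list:
    """Walk a directory (a copy of a browser cache, say) and return the mismatches."""
    findings = []
    for dirpath, _subdirs, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            with open(path, "rb") as fh:
                head = fh.read(64)  # every header checked above fits in 64 bytes
            result = classify(path, head)
            if result["mismatch"]:
                findings.append(result)
    return findings


def build_sample_wmf(placeable: bool = False) -> bytes:
    """Constructed sample: a structurally valid, record-less WMF header for testing."""
    # FileType=2 (disk), HeaderSize=9, Version=0x0300, Size=9 words, 0 objects,
    # MaxRecord=0, NumberOfMembers=0 -> 18 bytes and no drawing records at all.
    standard = struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)
    if not placeable:
        return standard
    # Key, HWmf, bounding box (left, top, right, bottom), Inch (1440 twips), Reserved.
    fields = (0x9AC6CDD7, 0, 0, 0, 100, 100, 1440, 0)
    body = struct.pack("<IHhhhhHI", *fields)
    checksum = 0
    for word in struct.unpack("<10H", body):  # checksum is the XOR of the 10 words
        checksum ^= word
    return body + struct.pack("<H", checksum) + standard


# Constructed inputs standing in for the contents of a browser cache directory.
SAMPLE_FILES = {
    "avatar.gif": build_sample_wmf(placeable=True),   # renamed WMF, the thread's case
    "logo.gif": b"GIF89a" + b"\x00" * 16,             # genuine GIF header
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # genuine JPEG start
    "drawing.wmf": build_sample_wmf(),                 # WMF whose name is honest
    "banner.png": build_sample_wmf(),                  # standard-header WMF under .png
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

Running the script lists `avatar.gif` and `banner.png` as mismatches, and `avatar.gif` additionally as a disguised WMF. The check only says what a file is, not whether a given WMF is malicious, so on an unpatched machine it complements the regsvr32 workaround posted earlier rather than replacing it; pointing `scan_directory` at a copy of the browser cache is the cheap way to see whether anything WMF-shaped has already been fetched under another name.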

30 Dec 2005, 15:36
#32
mmm.. pills
Join Date: Apr 2000
Location: Australia
Posts: 2,152
Re: dont go opening them thar .wmf files now...
It's a pity I didn't see this earlier, my PC fell victim to this attack yesterday. A nasty one it is too, despite having popup blockers a page launched that contained an infected WMF file. Even when I saw the file open I instantly suspected it was an exploit but didn't have time to stop the file from opening.
Within 5 seconds I had symptoms very much like those demonstrated in the video, my desktop was filled with links, that fake malware message appeared in my tasktray and the desktop background changed to the infected warning. It was a completely different fraudulent anti-spyware proggy though, Spysheriff installed itself on my machine along with a host of other malware. Fortunately I've already had dealings with this particular program having removed it from a couple of customers' machines, it changes group policies in the registry in an attempt to prevent you from undoing the damage and even loads in safe mode. After 5 hours I'm reasonably certain my PC is free of everything, but I'll be monitoring it over the next 48 hours for anything I may have missed.
__________________
CSS : the result of letting artists design something only an engineer should touch.

30 Dec 2005, 15:59
#33
Aardvark is a funny word
Join Date: Sep 2002
Location: I'm No Nino Rota
Posts: 5,923
Re: dont go opening them thar .wmf files now...
good old internet explorer eh
__________________
Efficiency, efficiency they say
Get to know the date and tell the time of day
As the crowds begin complaining
How the Beaujolais is raining
Down on darkened meetings on the Champs Élysées

30 Dec 2005, 16:25
#34
Bored
Join Date: Apr 2001
Location: Nottm ->Shef ->Croydon ->Manc ->Durham ->Sheffield
Posts: 6,506
Re: dont go opening them thar .wmf files now...
what kind of sites are doing this? (and no - links aren't good)
btw I upgraded to firefox a few days ago anyway

30 Dec 2005, 16:41
#35
Insomniac
Join Date: May 2003
Posts: 3,583
Re: dont go opening them thar .wmf files now...
there's a list of some sites which have been caught doing it on the F-Secure link, I believe (not clickable ones, for obvious reasons)
thing is, the exploit code which makes this work has been public ever since the first ones started rolling off the 'assembly line', so you can imagine every scriptkiddie/virus writer/malware author from here to Timbuctoo now having it and churning out something to use it

30 Dec 2005, 16:44
#36
Insomniac
Join Date: May 2003
Posts: 3,583
Re: dont go opening them thar .wmf files now...
djbass, you might want to post detailed removal instructions in this thread in case anyone else gets infected, since you've already dealt with this thing before btw.

30 Dec 2005, 17:13
#37
Registered User
Join Date: Jan 2005
Posts: 3,174
Re: dont go opening them thar .wmf files now...
Quote:
Originally Posted by Phil^
djbass, you might want to post detailed removal instructions in this thread in case anyone else gets infected, since you've already dealt with this thing before btw.
[comedy option]
Nortons?
[/comedy option]

30 Dec 2005, 18:29
#38
overtired
Join Date: Aug 2003
Posts: 5,900
Re: dont go opening them thar .wmf files now...
I've just seen one... but on opera it appeared as a download dialog (filename was xpl.wmf) to which I simply pressed 'cancel'

31 Dec 2005, 01:24
#39
Join Date: Jan 2002
Posts: 421
Re: dont go opening them thar .wmf files now...
Imagine someone adds an infected picture inline on a .html page. You open that page and the file stays in your cache. If you have Google Desktop Search and the indexing is turned on, you're infected.