Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-01-04 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

What do the bad guys do with WMF?

Published: 2006-01-04
Last Updated: 2006-01-05 00:16:31 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)
With all this confusion about WMF files and various official and unofficial patches, you are probably wondering what the bad guys are doing with this.

We tracked quite a bit of exploits going around. Lately exploits started using Metasploit and we even received a standalone utility (so called WMFMaker, already described by Panda Software) that anyone can use:

$ ./wmfmaker

        Have fun
     ApacheEatsGnu

---- visit <REMOVED> -----
wmfmaker <file with payload>


No wonder that the bad guys started exploiting this more and more.

The main vector that the bad guys use to exploit this is still by posting it on web sites. The golden target would be a banner site or something that is visited frequently, but luckily, so far we didn't see anything widespread as that.

This doesn't mean that there are no exploits. One spam which was published by F-Secure (http://www.f-secure.com/weblog/archives/archive-012006.html#00000768) tried to get the user follow the link about "Vandalism Over the New Year". The site in question is now gone, so this is not a problem anymore, but the typical scenario was: WMF file which drops a downloader, which then subsequently downloads other trojans.
Besides this one, we also received various "Greeting Card" spams. Although the e-mail claimed that the greeting card is on 123greetings.com, the link actually pointed to http://mujeg orda.bita coras.com/REMOVED - this site is still active.

So what do all of these exploits actually drop? The answer is: typical "bad guys" stuff. They are usually dropping various versions of SDBot and similar IRC trojans. This will enable them to herd zombie machines that they use in the future.
One other exploit that we saw (thanks to Juha-Matti) dropped a pretty nasty password stealer/trojan, Trojan.Satiloler.B.

Finally, there was an interesting post by Andreas Marx on Bugtraq. Among various malware that the WMF files drop, they found one with a built-in counter on a "hidden" website. The counter seems to be going up fast - last year it was around 200.000 while today it is over a million. We can't be sure that the counter is correct, but we can be sure that the bad guys are on track with this vulnerability.

We are yet to see if other vectors will be exploited, but I'm afraid that this is more than enough for the bad guys to build a nice "army" of zombie machines.
So practice safe hex and patch/protect your machines as much as you can.

Keywords:
0 comment(s)

Ilfak Guilfanov's website, Hexblog.com back again

Published: 2006-01-04
Last Updated: 2006-01-04 23:57:38 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)
As you probably noticed, Ilfak Guilfanov's website, Hexblog.com, has been suspended. We presume that the main reason for this are bandwidth issues; we'll let you know if that's not the case (hopefully there were no evil intentions behind this).

In the mean time, if you need the unofficial patch, you can download it from our website. The link was posted in a previous story, here.

UPDATE

Ilfak's site is back, reduced to the bare minimum as it had very high load. If you still can't reach it's possible that there is some caching between you/your ISP/Ilfak's site.

Thanks to Alexander Hoff for pointing out that, due to changes on Ilfak's site, URLs from old diary entries don't work anymore. You can go to the main web page, http://www.hexblog.com to access Ilfak's files.

Just one more update - if you can't access the site, the main reason is that your DNS server(s) still don't have the updated (new) DNS entries. Ilfak changed IP address of his site so it will take a while for this to propagate.

Ilfak added several other servers - the DNS entries should have propagated changes by now so you should use the domain name (and let DNS servers help with load balancing).
Keywords:
0 comment(s)

Oldest infected .wmf?

Published: 2006-01-04
Last Updated: 2006-01-04 22:28:20 UTC
by Marcus Sachs (Version: 1)
0 comment(s)
We have a little project for all of the forensic treasure hunters out there.  As you all know, the .wmf issue came into public view about a week ago.  Since then, we've found that there are infected .wmf files with dates going back several weeks, so this little beauty has been around for a while.  What we are looking for are any confirmed intrusions earlier than the first of December 2005 that can be traced to this current vulnerability.  By confirmed, we mean that not only is the date of an infected .wmf file on a compromised system earlier than December 1st, but you can also prove that it was installed prior to December 1st and had some type of malicious payload embedded in it.  Tell us whatever you can share, and we'll summarize the details for others.  There's no prize for the earliest detect, but we are pretty sure that many would be interested in knowing how long this vulnerability has been actively exploited.

Keywords:
0 comment(s)

Preparing for Battle

Published: 2006-01-04
Last Updated: 2006-01-04 20:40:11 UTC
by Kyle Haugsness (Version: 1)
0 comment(s)
Are you ready to battle a large virus/worm outbreak?  Please don't view
this is a prediction that there will be a large event, but let me just
say that conditions are right for a big storm (WMF issue and the return
of the Sober worm).

Regarding the WMF issue, you have probably decided to either wait for
the official Microsoft patch, or you are rolling out Ilfak's patch.  But
there is still about 6-10 days of risk here for a major worldwide event.
So here are some recommendations for preparing for the battle.  (This is
primarily written for system and network admins...)

Prepare a short briefing for management on the situation:
1) There is a serious vulnerability in Microsoft operating systems.
2) An official patch will not be available from Microsoft until Jan. 10.
3) There are multiple propogation vectors: e-mail, instant messaging, web
surfing, etc.
4) Several different versions of the exploit are in the wild and are
being actively used by criminal groups.  All propogation methods are
being used.  As of Wednesday, Jan 4 20:15:00 UTC, our current poll
indicates that 22% of respondents (340) have seen exploit attempts
through one of the exploitation vectors.
5) Tools to generate random files to exploit the vulnerability are
publicly available.  These tools may be used to evade anti-virus and
IDS/IPS signatures.
6) Anti-virus signatures and intrusion detection/prevention system
signatures may only be able to catch the first generation of exploits.
7) If an outbreak does occur, how are you going to sanitize laptops that
were infected outside of your network before allowing them to connect
to your internal network?


As you provide this information, you should also provide an action plan
for mitigating damage in the worst case scenario.  You should consider
the following action items in your plan.  Also consider that your
organization may have no internal infections, but that the rest of the
Internet is having problems.  Solicit input from your management on the
circumstances that would dictate each of the actions below.

1) Disconnect from the Internet.
2) Disconnect specific services from the Internet.  Talk with your
network/firewall admins and have them be prepared to shut-off specific
services (SMTP or HTTP) at strategic locations.
3) If you have multiple locations, consider the action plan of
disconnecting internal WAN pipes to minimize damage to other parts of
your organization.
4) Disconnect internal and/or external e-mail servers to prevent further
damage.
5) If you plan to perform any of the above actions, then you should also
plan on how to bring these sites/services back online.
6) Determine an action plan for local workstation admins.  How are they
going to receive virus updates and virus removal tools to clean
workstations?

You should take this time to validate that you have good backups of your
e-mail servers.  If things go really badly, you may be restoring from
backup.  You should also make sure that everyone that could be involved
in the incident response has an updated contact list (cell phones,
pagers, home phones, etc) for all of the appropriate operational
personnel.  Remember that some of these communication methods may fail
during a virus outbreak.  Finally, you should identify secondary
Internet access (maybe dial-up) to download virus updates, IDS/IPS
updates, or get latest news about the event.

In a virus outbreak/worm event, communication between the operational
folks and management is critical.  Make sure that there is a clear
understanding of when/how to shut-off services and when/how to turn them
back on.  Communication to end-users is also critical and you may want
to start informing them now that the next 6-10 days could be very
difficult times.

You can find much more information about incident response plans at the
following sites:

http://www.intrusions.org/
http://www.sans.org/rr/whitepapers/incident/
http://www.cert.org/archive/pdf/csirt-handbook.pdf

Keywords:
0 comment(s)

.MSI installer file for WMF flaw available

Published: 2006-01-04
Last Updated: 2006-01-04 04:19:23 UTC
by Tom Liston (Version: 2)
0 comment(s)
For all of you corporate folk out there, we now have a .msi installer file available for version 1.4 of Ilfak Guilfanov's unofficial patch for the Windows .WMF flaw.  A very big "thank you" goes out to Evan Anderson of Wellbury Information Services, L.L.C. for his diligent efforts to get this put together.  Note:  Like Mr. Guilfanov's original patch, this will dump out not only Guilfanov's source code, but also the code that Evan wrote to do the install from within the .msi.  Note also:  We have reverse engineered and verified that the installation/uninstallation code in the .msi does what it says it does and nothing more.  The wmfhotfix.dll installed is the binary equivalent of the previously vetted version 1.4.

WMFHotfix-1.4.msi has an MD5 of 0dd56dac6b932ee7abf2d65ec34c5bec
A pgp signature using the SANS ISC key is available as well.

We renamed the file from WMFHotfix-1.1.14.msi to WMFHotfix-1.4 to be more consistent with the version number (1.4)
To uninstall, use the "Add / Remove Program" button in your control panel.
Keywords:
0 comment(s)

Lotus Notes Vulnerable to WMF 0-Day Exploit

Published: 2006-01-04
Last Updated: 2006-01-04 02:28:56 UTC
by Scott Fendley (Version: 3)
0 comment(s)

John Herron at NIST.org discovered today that Lotus Notes versions 6.x and higher is vulnerable to the WMF 0-day exploit. In the advisory, located on the NIST website here, John reports that Lotus Notes remained vulerable even after running the regsvr32 workaround in the Microsoft security advisory.

Update December 30, 2005

Our dedicated reader from Finland, Juha-Matti Laurio, has confirmed that IBM is aware of the vulnerability above. He had a couple of recommended workarounds for those using the Lotus Notes (Domino) system. I expect that IBM will be releasing an advisory directly with this information.

"1. Filter all common picture file extensions at the network perimeter.

The following file extensions are recommended:

BMP, DIB, EMF, GIF, ICO, JFIF, JPE, JPEG, JPG, PNG, RLE, TIF, TIFF and WMF, because Microsoft Windows handles picture files by information of the file header information, not by file extension used.

2. Do not Open... or View... picture files from untrusted sources.
"

Thanks for that information Juha-Matti.

Update January 04, 2006

IBM has released an advisory that states the following:
"Lotus Notes allows users to optionally "View" or "Open" file attachments contained in email messages and documents. These attachments do not auto-launch or execute without user action."  Their recommendation is to follow the recommendations from Microsoft and apply the patch when available.  http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21227004

--
Scott Fendley
Handler on Duty


Keywords:
0 comment(s)
Diary Archives