What do the bad guys do with WMF?

Published: 2006-01-04
Last Updated: 2006-01-05 00:16:31 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)
With all the confusion about WMF files and the various official and unofficial patches, you are probably wondering what the bad guys are actually doing with this.

We have tracked quite a few exploits going around. Lately, exploits have started using Metasploit, and we even received a standalone utility (the so-called WMFMaker, already described by Panda Software) that anyone can use:

$ ./wmfmaker

        Have fun
     ApacheEatsGnu

---- visit <REMOVED> -----
wmfmaker <file with payload>


No wonder the bad guys have started exploiting this more and more.

The main vector the bad guys use to exploit this is still posting malicious WMF files on web sites. The ideal target for them would be a banner site or another frequently visited site, but luckily we have not yet seen anything that widespread.

This doesn't mean that there are no exploits. One spam run, described by F-Secure (http://www.f-secure.com/weblog/archives/archive-012006.html#00000768), tried to get the user to follow a link about "Vandalism Over the New Year". The site in question is now gone, so it is no longer a problem, but the scenario was the typical one: a WMF file that drops a downloader, which then downloads other trojans.
Besides this one, we also received various "Greeting Card" spams. Although the e-mail claimed that the greeting card was on 123greetings.com, the link actually pointed to http://mujeg orda.bita coras.com/REMOVED - this site is still active.
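Both delivery paths described above (a WMF file posted on a web site, and a spam link dressed up as a greeting card) rely on the victim's browser rendering WMF content whatever the URL or file extension looks like, so a gateway that trusts extensions will miss them. The following Python script is an added example, not code from this diary or from ISC: it recognises WMF content by its header rather than its name and walks the metafile records, flagging the Escape/SETABORTPROC record that the MS06-001 vulnerability hinges on. The diary itself does not name that record; that detail comes from Microsoft's advisory and the MS-WMF format specification. The two sample files it checks are constructed inline for the demonstration, and the "escape data" bytes are inert filler, not a real sample.

```python
import struct

# Constants from the WMF specification (MS-WMF); all fields are little-endian.
PLACEABLE_KEY = 0x9AC6CDD7      # magic of the optional 22-byte "placeable" pre-header
META_EOF = 0x0000
META_SETWINDOWORG = 0x020B
META_ESCAPE = 0x0626
ESCAPE_SETABORTPROC = 0x0009    # the Escape sub-function abused in MS06-001


def is_wmf(data):
    """Recognise WMF content by its header, regardless of file name or extension."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) >= 18:
        ftype, header_words, version = struct.unpack_from("<HHH", data, 0)
        # Type 1 = memory metafile, 2 = disk metafile; the header is always 9 words.
        return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)
    return False


def iter_records(data):
    """Yield (offset, function, params) per record; function is None for a malformed one."""
    if len(data) < 4:
        return
    off = 22 if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    off += 18                                   # skip the standard META_HEADER
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2                   # RecordSize counts 16-bit words
        if size < 6 or off + size > len(data):  # truncated or nonsensical record
            yield off, None, b""
            return
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def scan_wmf(data):
    """Return a list of (offset, description) findings; an empty list means nothing suspicious."""
    findings = []
    if not is_wmf(data):
        return findings
    for off, func, params in iter_records(data):
        if func is None:
            findings.append((off, "malformed or truncated record"))
            break
        if func == META_ESCAPE and len(params) >= 4:
            escape, byte_count = struct.unpack_from("<HH", params, 0)
            if escape == ESCAPE_SETABORTPROC:
                findings.append((off, "Escape/SETABORTPROC record with %d data bytes" % byte_count))
    return findings


# --- constructed fixtures for the demonstration (not real samples) ----------

def _record(func, params):
    assert len(params) % 2 == 0
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample(with_abortproc):
    """Build a minimal disk metafile; with_abortproc adds the record a scanner should flag."""
    records = [_record(META_SETWINDOWORG, struct.pack("<hh", 0, 0))]
    if with_abortproc:
        filler = b"A" * 16                      # inert filler standing in for escape data
        records.append(_record(META_ESCAPE,
                               struct.pack("<HH", ESCAPE_SETABORTPROC, len(filler)) + filler))
    records.append(_record(META_EOF, b""))
    body = b"".join(records)
    total_words = (18 + len(body)) // 2
    max_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300,
                         total_words & 0xFFFF, total_words >> 16, 0, max_words, 0)
    return header + body


if __name__ == "__main__":
    for name, blob in (("benign.wmf", build_sample(False)),
                       ("card.jpg", build_sample(True)),     # WMF hiding behind a wrong extension
                       ("image.gif", b"GIF89a" + b"\x00" * 40)):
        print(name, "WMF" if is_wmf(blob) else "not WMF", scan_wmf(blob))
```

The scanner walks records instead of pattern-matching bytes because RecordSize is attacker-controlled: a record that claims to run past the end of the file is reported as malformed rather than silently skipped, which is the kind of input a crafted sample tends to contain.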

So what do all of these exploits actually drop? The answer is: typical "bad guys" stuff. They usually drop various versions of SDBot and similar IRC trojans, which lets the attackers herd zombie machines for future use.
One other exploit that we saw (thanks to Juha-Matti) dropped a pretty nasty password stealer/trojan, Trojan.Satiloler.B.

Finally, there was an interesting post by Andreas Marx on Bugtraq. Among the various malware that the WMF files drop, they found one with a built-in counter on a "hidden" web site. The counter seems to be going up fast: last year it was around 200,000, while today it is over a million. We can't be sure that the counter is accurate, but we can be sure that the bad guys are on track with this vulnerability.

We have yet to see whether other vectors will be exploited, but I'm afraid that this is already more than enough for the bad guys to build a nice "army" of zombie machines.
So practice safe hex, and patch/protect your machines as much as you can.
