New IM Worm Exploiting WMF Vulnerability
An anonymous reader writes "Less than four days after the original mailing list posting, there are reports of a new Instant Messaging worm exploiting the unpatched Windows Metafile vulnerability. This worm is using MSN to spread, reports Viruslist.com."
How do I avoid it? Fixes? (Score:4, Insightful)
Re:Macs (Score:5, Insightful)
Plus, OS X is a Unix, which means it plays nicely with other Unices, and it behaves like a Unix on the command line -- so I get all the power of pipes, vi, Bash, the BSD ports collection (a la Darwinports), gcc, and so on. On the GUI side, it behaves like a Mac -- and I think you'd be hard-pressed to fault Apple for their GUI design.
Best of both worlds; you just have to shell out a slight premium for the hardware, and given that you get a REAL OS with it, I'd say that Mac offers a better bargain for the desktop user than any Dell or Gateway.
It's worse than that (Score:5, Insightful)
Since the first exploit came to light, H.D.Moore of the Metasploit project has reworked the original package they did. The new exploit spits out exploit WMF files [sans.org] that come:
SANS/ISC have provided excellent continued summaries of events around this. Here's their FAQ on the issue [sans.org].
This is looking truly horrible. On Tuesday morning zillions of Windows desktops will be fired up for the first time in a week or two. This thing's already in widespread use by a number of malware distribution networks for the usual reasons. As such it's a nightmare for network and system admins with Windows machines to look after (and us security people trying to provide advice & assistance for them...)

But the stealth nightmare is that this is an absolute jackpot for the less visible targeted attacks, such as those emanating from China for the past couple of years (google around; Slashdot and Schneier have covered this, as well as many other places.) There are also the opportunistic types who see an easy opportunity to pwn some key machines where they work, say.

I will stick my neck out here and make a prediction. Virtually all organisations with Windows machines are effectively wide open to total compromise by a reasonably informed person. That means much of the IT dept as well as significant numbers of the 'interested poweruser' types, developers with a casual interest in security... anyone who's heard of this and is capable of finding, running and using the new exploit, basically. Of course we're all tweaking our IDSes and antivirus, locking things down as tight as possible in the 48 hours remaining, but... *shudder*
For ten years I've been waiting for Microsoft's luck to run out. This is about #3 on my list of catastrophic MS incidents. There aren't many ways things could be worse.
It will be a good time to be running Linux on a work machine, though :)
Re:How do I avoid it? Fixes? (Score:0, Insightful)
Re:Another GOOD reason not to run IM! (Score:5, Insightful)
IM is potentially the most influential communication medium since email.
I have had quite a few of my customers tell me that "The simple fact that I can reach you via IM, has made your company's service better than any other partner."
IM is "instant", offers logging of communications and doesn't require somebody to check their email (it pops up on their screen). In many ways it is a better communication tool than other options: phone, email or fax. You can even use it to see if somebody is in the office yet, or out to lunch. I could go on and on...
Feel free to not use it; the rest of the modern business world won't be joining you.
Re:How do I avoid it? Fixes? (Score:3, Insightful)
Re:It's worse than that (Score:2, Insightful)
BTW, according to testing by AV-Test of 73 variants all of the major AV packages and most of the others are detecting all of them. You're right though that there will be holes in this coverage, especially in as much as some of them are doing exploit-by-exploit coverage as opposed to a true heuristic. The ones that do sniff out the actual WMFs and look for the exploit sequence seem to be working so far.
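The comment above notes that the AV products holding up are the ones that inspect the WMF itself for the exploit sequence. As an added example (not from this thread or from any AV vendor), here is a minimal WMF record walker in Python that flags Escape records requesting SETABORTPROC, the record the WMF bug under discussion abuses; the record numbers come from the WMF file format, not from this page, and the two sample files are constructed inline.

```python
import struct

# WMF record function numbers from the WMF format (not taken from this thread).
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # Escape sub-function abused by the WMF vulnerability
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte Aldus placeable header

def scan_wmf(data: bytes) -> list:
    """Walk the WMF record list; return (offset, escape_fn) for every
    Escape(SETABORTPROC) record. Empty list means nothing suspicious."""
    findings = []
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                  # skip placeable header
    if len(data) < off + 18:
        return findings                           # too short for a standard header
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2                       # header size is in 16-bit words (normally 9)
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF:
            break
        # Check the Escape sub-function before trusting the size field, since
        # hostile files routinely carry bogus record sizes.
        if func == META_ESCAPE and off + 8 <= len(data):
            escape_fn = struct.unpack_from("<H", data, off + 6)[0]
            if escape_fn == SETABORTPROC:
                findings.append((off, escape_fn))
        if size_words < 3:
            break                                 # malformed record; stop walking
        off += size_words * 2
    return findings

def _record(func: int, params: bytes) -> bytes:
    """Build one WMF record: size (in words), function, parameters."""
    return struct.pack("<IH", 3 + len(params) // 2, func) + params

def _wmf(records: list) -> bytes:
    """Build a memory-type WMF: 18-byte header, records, EOF record."""
    body = b"".join(records) + _record(META_EOF, b"")
    max_rec = max(len(r) // 2 for r in records) if records else 3
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    return header + body

# Constructed samples: a harmless SetMapMode record, and an Escape record that
# requests SETABORTPROC with four zero placeholder bytes as its data.
BENIGN_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8))])
SUSPICIOUS_WMF = _wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)])
```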
Re:There needs to be... (Score:4, Insightful)
Re:Another GOOD reason not to run IM! (Score:2, Insightful)
Re:It's worse than that (Score:5, Insightful)
Worms are pretty easy to seal out with a firewall and are easily patched. This exploit allows all sorts of local user exploits in a corporate environment. It also so far has been able to fly through hardware and software firewalls of all shapes and sizes.
Re:Another GOOD reason not to run IM! (Score:4, Insightful)
Being "instant" allows people to annoy you for any little thing. The dozen or so phone interruptions I used to get a day are now 20-30 IM interruptions.
"Logging of communications" also means you have no privacy. And if you think your boss isn't tracking you by your IM status you're kidding yourself.
Screen popups mean that you don't have to wait for the recipient to check their email/vmail but it also means that you just interrupted what they were doing. I don't know how many times I was trying to solve a problem and I got IMed by multiple people asking if I had solved the problem.
The difference between IM and previous forms of communication is that I used to have a choice.
Straw Man, Mod Parent Down (Score:3, Insightful)
Re:How do I avoid it? Fixes? (Score:2, Insightful)
Re:How do I avoid it? Fixes? (Score:5, Insightful)
Explain to me, then, why IIS is less widely-deployed than Apache, but IIS has significantly more worms.
Re: There needs to be... (Score:5, Insightful)
If people would aim their expectations at their software vendors rather than their computers, that problem would go away.
Re: How do I avoid it? Fixes? (Score:3, Insightful)
By Tuesday we'll probably be getting e-mail trojans claiming to be a fix.
Re:There needs to be... (Score:4, Insightful)
We've all been trying this years ago. But just yesterday, I got my ass kicked down to troll and flamebait for daring to suggest that Linux/Open Source/OS X/BSD/Anything-but-Windows is anything but an utter turd. What hope is there to educate a public who cannot get past the idea that the internet is just AOL and Bill Gates invented the computer and a hundred other misconceptions? You're advocating college education for people who can't pass kindergarten.
From my ledge, I see it as counterproductive to call users "Joe Sixpack" and "Gramma". These are false stereotypes. Given the opportunity, anybody can learn. Nobody was born knowing Windows 20 years ago, but it caught on, didn't it? There's more "for Dummies" books where "DOS for Dummies" came from.
But yeah, I do my part to post hints 'n' tips every other day on my geek blog, but it's more directed at people who've already found Linux. I tried in a past life to do similar for Windows users, and got nowhere: it's a hole with no bottom.
Re:why would they do this? (Score:3, Insightful)
Until Microsoft fixes the problem, publishing information such as linked in the post above helps those of us who have to actually secure machines. True, it might result in more end-user Windows PCs being exploited, but at least we can figure out how to protect the computers that must be secure.
The information may help the "bad guys" but it's not anything they couldn't have come up with themselves. "Because it's there" isn't the reason.
Re:so... (Score:2, Insightful)
Worse is that implanting this thing doesn't even need ownership of a site. If a site allows tags, an anonymous commenter, forum poster or anything can drop an infected file on it, and screw over every IE user that visits. I don't know if it is possible, but imagine if someone adds an infected file to the Main Page of Wikipedia...
Re:There needs to be... (Score:3, Insightful)
Re:There needs to be... (Score:4, Insightful)
The earlier poster was correct - some people have no choice but to use MS Windows - but the answer, as it has been for years, is not to let their machines onto the net without adult supervision. I completely block this MS Windows clone of IRC and it doesn't bother anyone - using instant messaging for business communication is a braindead idea anyway unless everyone is tied to their desks and focuses on short term tasks, and luckily I don't work in such an environment.
Re:How do I avoid it? Fixes? (Score:5, Insightful)
Pure speculation. There is absolutely no reason to believe that market share is the cause of low security. Shitty programmers with little or no Q/A, and a huge festering codebase which is continually patched together with duct tape to keep it going, along with a refusal to force 3rd party vendors to release software which runs properly (i.e. doesn't require local admin to run) causes security holes. For example, TOAD, some SQL development software for Oracle, requires, REQUIRES, full write privileges to the directory it is installed in, or it refuses to run. This is mainstream software, and is used probably by millions of developers. But it still places fucking ini files in the install directory.
Don't blame Windows' lack of security; it's more its market share and transparency between versions that are to blame, and the lack of brains on the end users' parts.
Why would an end user suspect that opening a picture file could cause a virus to be installed onto their computer? Windows doesn't have *bad* security, Windows has no security. In order to have a usable system you MUST run Windows as local administrator. Thus every program you run has the power to format your hard drive if it likes. Every process which is run and has a flaw has the potential to fuck your computer up.
Transparency between versions? How does that cause poor security? Shouldn't the fact that MS recycles about 90% of their code between releases give them a lot more resources to track down those HUGE, GAPING holes in their OS?
FOR CHRIST'S SAKE! Windows can be infected by a virus just by having certain things displayed on the screen! What an insane piece of shit it must be.
Can IM/RSS clients download automatically? (Score:4, Insightful)
I have seen in the past week our work increase 5 fold because of this exploit. What is normally a very slow time of the year for us has become very busy for us and it's making me nervous myself.
I know next to nothing about IM/RSS software, so I am just speculating here.
But suppose you had some IM/RSS client [MSN, AOL, Yahoo, whatever] that had an image rendering aspect to it. For example, suppose your IM/RSS client were capable of rendering the JPGs in an HTML message.
Then it seems to me that if you had such an IM/RSS client running on your desktop, and if someone knew your IM/RSS handle, then they could send you an IM/RSS message with very elementary instructions for downloading the evil file:
and you'd be hosed without ever having clicked on any link. And if the worm were really smart, it could then install "thttpd" trivial http daemons to spread itself internally on any corporate network [via each person's IM/RSS "address book"]. If that's true, and if lots of employees left their computers running and logged into Windows with such "automatic" IM/RSS clients running on the desktop, then Tuesday or Wednesday morning [or whenever people decide to come back from their New Year's vacation], there could be literally MILLIONS of infected machines.
So the question: Are there IM/RSS clients that can download files automatically?
Re:Most importantly: THERE IS A FIX (Score:4, Insightful)
Re:It's worse than that (Score:3, Insightful)
But this is where the issue lies and why IMO viruses are of virtually no threat anymore; it's going to be all ad/spyware from here on. For instance, I finished up a cleanup of a machine yesterday. Went through it with 1 AV scanner and 7 different AntiSpyware tools, plus had to go in by hand and do manual removals. 1 virus, over 36 different ad/spyware programs from over 900 traces. Norton was of course expired and hadn't been updated in 8 months.
When the virus fight used to be AV Companies vs. Johnny Scriptkiddy, it's now AV Companies vs. Permission Based Marketing (read: Adware) companies, or an army of zombie bots controlled by the Russian Mafia.
Companies like Symantec, McAfee, and Microsoft are very careful to step on toes in labeling other companies' products as ad/spyware. Those very companies profiting from the adware also have their own army of lawyers and will file suit against anyone who dares defile their product! After all, you read the EULA, right?
So when a customer tells me she still has Norton and she wants to know why she is still getting popups, I have to explain to her the difference between viruses and adware, and why Norton just plain sucks for the new threats we face.
Never thought I would wish for the days of Melissa again, lol
BTW, sometimes after a cleanup I install MS AntiSpy and Firefox with the IE Theme (http://www.firefoxie.net/ [firefoxie.net]). Just change that blue "e" to point to FF, and they're just a bit more secure.
Re:How do I avoid it? Fixes? (Score:4, Insightful)
This is the cause for a simple reason: Imagine you're a programmer making an app that runs properly as a less-privileged user. You do a little developing. You log out. You log back in as a less-privileged user. You test the app, using printf as the main debugging tool. You log out. You log back in. You restart the IDE and get everything back like it was. You do a little developing. And so forth. It's a waking nightmare of the type formerly encountered only in H.P. Lovecraft stories.
Microsoft's tools punish you for trying to do the right thing, because they want bad software so the customers expect to be on an upgrade treadmill.
*The original total rewrite of the C-language tools, the Java toolset, and the CLR toolset.
Indeed. If only Bill Gates had put sane people like Dave Cutler (NT kernel chief architect) in charge of every major project, instead of whoring out the codebase in a mad dash to squash Netscape and Sun. It's one thing for a tiny company barely staying afloat to cut standards, and entirely another for a rich company with billion dollar piles of cash lying about. The former is understandable, the latter is recklessness bordering on malice.
Re:How do I avoid it? Fixes? (Score:3, Insightful)
Let's see... How about forcing you to run even much of Microsoft's own software as local admin in order to get it to work?
How about running ActiveX code with the same privileges as the current user? Hundreds of exploits have depended on this... clearly bad design.
Instead of closing these ongoing and massive security holes, they have now released anti-spyware as a solution. So MS's idea of security is to have a daemon which can recognize and kill any known threat (which will always be one step behind), instead of just closing the holes those threats make use of.
Of course, I could just point out the huge insane flaws in previous versions of Windows, such as the screen saver running as local administrator, so that changing the screen saver to cmd.exe would give one administrator access in NT, or a malformed packet to a certain port bluescreening 98, but you would just reply that "they are better now!". Which is hard to dispute, not because it is true, but because we don't know of all the huge holes that may still be discovered in Windows. You might claim that they aren't there, but that is just arguing from ignorance, and the fact is we don't know. Every single piece of evidence and experience says that they are there and that they are potentially killer threats.
Now I'm going to appeal to my own lying eyes. I rarely surf the web for more than 5 or 6 hours before explorer.exe mysteriously dies and has to restart itself. You'll notice when this happens because everything on your screen goes away except your desktop wallpaper, and about 8 seconds later your desktop and programs reappear (sometimes) and every instance of explorer or internet explorer is missing. Sometimes this will happen repeatedly in a short period of time, other times it won't.
Another example from the lying eyes department. Windows gradually gets slower, and errors start appearing more and more often, as the uptime increases. After about a week or two of uptime on a desktop machine Outlook starts to wig out, things paint slowly, applications start to grind to a halt, etc etc. Despite repeated claims to the contrary, this continues to happen even in the newest and most patched versions of Windows.
In Windows I have to run a virus scan daemon. If I don't I will be infected with a virus within a few days of web surfing. Unless I use Firefox, which doesn't seem to have all the gaping vulnerabilities of IE in this regard.
At work I routinely have to fix computers which are infected with spyware. These machines are fully patched, not that they should allow magic remote spyware installation by default. The user manages to get spyware, not by installing software or running an executable, but merely by clicking on links which have been emailed to them to "look at the funny movie/picture on this website". This is a FUCKING MASSIVE SECURITY CONCERN. There is nothing preventing this spyware from phoning home with lots of information, screen shots, and files from the users computer, including keylogs etc etc.
And since you are accusing me of changing the subject, how do 4 hundred bajillion automated tests have anything to do with Q/A in the sense of vulnerabilities? See: http://www.asp101.com/articles/john/kb887289/defa
Re:How do I avoid it? Fixes? (Score:2, Insightful)