Broadband Tech > Security > Security > Windows MetaFiles still vulnerable

reply to redxii

Re: Windows MetaFiles still vulnerable

quote:

---

Update 23:19 UTC: Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.

---

To those of us using Avast!

Enable URL-blocking in Web-shield,
and add *.wmf.

Just read it on the Avast forum.

reply to redxii

reply to redxii
Ok, I've just made a big discovery with Proxomitron.

Apparently it can match by Hex, which is significant, because I've written a filter that searches for the magic bytes for the .WMF file.

I am now certain Proxomitron can now act as a very strong workaround for this issue, by killing all .WMF files, by identifying them by their magic bytes.

If you've imported my Header filter, you can delete it. (And also delete the old Web Page filter.)

This filter now only kills infected .WMF (or any extension) files.

Here is the new Web Page filter:

[Patterns]
Name = "Kill Infected .WMF Files [Kye-U]"
Active = TRUE
URL = "$TYPE(oth)"
Limit = 5
Match = "[%01][%00][%09][%00][%00]"
Replace = "\k$ALERT(Infected .WMF File Killed on:\n\n\u)"

[HTTP headers]
In = FALSE
Out = TRUE
Key = "URL: All File Extensions Force Filter (Out)"
URL = "*.*"
Replace = "$FILTER(true)"

reply to redxii
Beehappyy.biz is now closed.

quote:

---

Account closed due terms violation

---

reply to KyeU

[Patterns]
Name = "Kill .WMF Files [Kye-U]"
Active = TRUE
URL = "$TYPE(oth)"
Limit = 15
Match = "[%D7][%CD][%C6][%9A][%00]$SET(1=\k$ALERT(.WMF File Killed on:\n\n\u))"
        "|[%01][%00][%09][%00][%00]$SET(1=\k$ALERT(Infected .WMF File Killed on:\n\n\u))"
Replace = "\1"

I've updated the filter

Now only kills infected files. (Can be any file extension)

I miss those good old days

Anyways, now, people using Proxomitron can be well protected.

This filter provides the user extra security when surfing on sites, which is the initial area where they get infected.

I've tested this filter against many infected WMF files, and it works just fine

Terrific work as always KyeU .

reply to redxii
Filter was missing a ")".

Fixed now

reply to KyeU
A number of source sites have been cleaned up or otherwise shutdown, but of course others are springing up. It would also appear that most AV's have now picked up on the signature, so ensure your AV is up to date.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel

reply to redxii
I'm not infected but have read of some who are. How can they repair the mess this leaves? I don't seem to be finding any approach to fixing the machines that are hosed...

It installs 2 rootkits, and if you are slow to stop whatever has been executed from the WMF (about a few minutes) then it will install more stuff and probably more rootkits. I wouldn't bother cleaning it.
--
Open Source -> Close Minded
Microsoft Windows 2000/XP Security: Some Assembly Required.
Excessive use of "$" as in "M$" may make you look like a fool.

xpladv470.wmf/xpl.wmf.. there is no "site" in particular they're the same. wmf_decode.wmf didn't seem to do anything even in the admin account.

I know by running Rootkitrevealer and seeing that the files it found aren't visible in Explorer (all files shown). Plus there are corresponding drivers shown in Device Manager.
--
Open Source -> Close Minded
Microsoft Windows 2000/XP Security: Some Assembly Required.
Excessive use of "$" as in "M$" may make you look like a fool.

reply to redxii
Here we have a dangerous exploit spreading rapidly with no patch in sight and nobody has even mentioned the most reliable fallback defense you can construct: an image! Image your drive BEFORE you get clobbered and your recovery will be much, much faster, not to mention easier and more complete.

reply to redxii
Thanks to JJoeBugg, I've discovered that I've forgotten that Proxomitron does not filter .WMF files by default. A separate filter had to be made to be able to filter all file extensions.

Web Page filter:

[Patterns]
Name = "Kill Infected .WMF Files [Kye-U]"
Active = TRUE
URL = "$TYPE(oth)"
Limit = 5
Match = "[%01][%00][%09][%00][%00]"
Replace = "\k$ALERT(Infected .WMF File Killed on:\n\n\u)"

[HTTP headers]
In = FALSE
Out = TRUE
Key = "URL: All File Extensions Force Filter (Out)"
URL = "*.*"
Replace = "$FILTER(true)"

reply to redxii
Forgive this no doubt stupid question, but exactly how is IE vulnerable?
It doesn't display *.wmf's that I know of...