republican-creole
Search:  

 
theme to black backgroundlet page decide theme
HomeFind ServiceReviewsISP NewsFAQsForumsToolsDatabaseAbout 
 
   All ForumsHot TopicsGallery






how-to block ads


 
Forums » Up and Running » Security » Security » Windows MetaFiles still vulnerable
Search Topic:
 Share Topic:
RSS topic:
toggle:
flat / full
normal / watch
Posting:
Links: ·Hijack This logs? ·Panda Free Tools ·Vundo Removal
Outpost not blocking traffic on Windows shutdown »
« JaimeSmile Trojan  
AuthorAll Replies


jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
·Comcast
·AT&T Southwest

1 edit		reply to redxii
Re: And this from F-Secure.....

»www.f-secure.com/weblog/#00000753

Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C.

Fellow researchers at Sunbelt have also blogged about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch:

Crackz [dot] ws
unionseek [dot] com
www.tfcco [dot] com
Iframeurl [dot] biz
beehappyy [dot] biz

(some of these blocks already exist in my MVPS Hosts file)

And funnily enough, according to WHOIS, domain beehappyy.biz is owned by a previous president of Soviet Union:

Registrant Name: Mikhail Sergeevich Gorbachev
Registrant Address1: Krasnaya ploshad, 1
Registrant City: Moscow
Registrant Postal Code: 176098
Registrant Country: Russian Federation
Registrant Country Code: RU

"Krasnaya ploshad" is the Red Square in Moscow...

Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.

You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute?

The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows.
to forum · permalink · · 2005-12-28 11:24:06 · (locked)
Thread is
Forums » Up and Running » Security » SecurityOutpost not blocking traffic on Windows shutdown »
« JaimeSmile Trojan  

Thursday, 10-Dec 17:56:01 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.
page compression OFF
Most commented news this week
· [200] Sprint Sued For Distracted Driving Death
· [135] AT&T Launching New 24 Mbps U-Verse Tier
· [86] AT&T Hints At Usage-Based iPhone Data Pricing
· [82] 3G Network Test Says AT&T Is Tops
· [72] Mediacom Unveils 105 Mbps Pricing
· [72] WPA Cracker: Test WPA-PSK Networks In 20 Minutes
· [66] Sprint Poised For A Turnaround?
· [54] Average American Consumes 34 Gigabytes Daily
· [51] The Future Of Wi-Fi Is Bright
· [48] Sprint, T-Mobile Merger Rumor Lives
Most people now reading
· New Mediacom Email [Mediacom]
· malware has been found hidden inside an Ubuntu screensaver [Security]
· Connecting to Google Voice Via SIP [VOIP Tech Chat]
· Icecrown 5-man strats [World of Warcraft]
· Windows 7 boot manager editing questions [Microsoft Help]
· It's happening again [AT&T Southwest]
· Battered Hilt Delimma [World of Warcraft]
· Cross Server Dungeon Experience [World of Warcraft]
· [WIN7] Well, I was dumb, but do I have recourse? [Microsoft Help]
· IMG 1.7 (IMG Updates and Discussion) [Verizon FIOS TV]