

hayc59
VoodooChild
Premium
join:2001-02-26
David R.I.P.

BOClean Windows WMF Vulnerability Info

This is being sent out to our "BOClean update" customers in advance of the mailing of this same information to our "newsletter" subscribers. It is possible that you may receive a duplicate if this is the case.

This message is being sent to you in order to clarify the issues of the "Windows WMF vulnerability" and explain to you what BOClean's situation is with respect to this problem ...

HAPPY NEW YEAR TO OUR CUSTOMERS FROM PRIVACY SOFTWARE!

Just days after Christmas, the holiday season brought concern to many about an unrepaired vulnerability in Microsoft's "Media Player," "MS-PAINT," "Internet Explorer browser" and numerous other programs as a result of a "buffer overflow" fault in one of the Windows operating system files for Windows2000 and XP known as "SHIMGVW.DLL." This is remarkably similar to an older exploit which existed in June of 2003 with the same characteristics. The solution at the time until Microsoft could replace the GDI code itself involved turning off the "Preview" function in "My computer" and Internet Explorer. This old cure still works, however there are a few more issues with this latest exploit, first publicly reported on December 27th among antimalware researchers.

Because of the tremendous amount of concern and email which it has created for us at the height of the holiday season where malware creators depend on the "white hats" taking off the holiday and the sheer volume of "the usual suspects" as a result, we're compelled to help explain to our BOClean customers what we have done and what we cannot do about WMF since it is the operating system itself which is the "trojan" here. We're going to make this as non-technical as possible as well as provide links to more technical details for those who understand the issues and wish to take some convoluted and difficult steps to assuage the situation until such time as Microsoft develops a "band-aid" for the situation at hand.

DOES BOCLEAN PREVENT WMF EXPLOITS?

BOClean is not a "file scanner" in the traditional sense of an antivirus or other "filtering" program, and these are best-suited to this task in general should you be presented with the "exploit." Having BOClean scan incoming files would only result in costly duplication of effort as "filtering" and "antivirus" software normally handle these situations already prior to the writing of a file to the disk of any data which could possibly make use of an "exploit." So the short answer is "no" but there's considerably more involved here, so let's go into some details on all this.

What BOClean DOES do is protect you should an exploit be SUCCESSFUL and actually install and then attempt to run a program that is dangerous. The simple reality is that there are many OTHER exploits which are not getting this degree of attention, and it is the widespread and frequent use of exploits that get machines infected in the first place. For all of the attention, this one is pretty seriously limited in what it can do.

Most people are smart enough not to click on links in spam to get infected, and thus the use of exploits has become the MAJOR means by which people and their machines get hijacked in the first place. In other words, this one isn't so special aside from the Public Relations "attention" it's garnered. The "CHM exploit" is also still alive and well, and it's used every day because it gets far better results for malware distributors. Same for the "IFrame," "redirect" and registry exploits which are so precious to the malware authors in "landing that bad boy." That these still exist years after their original discoveries is its own issue, and not a matter for discussion here.

Over the last few days, there have been several different exploits of WMF released as a direct result of this attention. There is also a malicious tool out there which can automatically generate RANDOM "new" exploits of this WMF flaw which were publicly disclosed by Tedd Towles in his "Technocrat Blog" here: http://djtechnocrat.blogspot.com/ In other words, a self-fulfilling prophecy now that the "bottom feeders" have been attracted.

Since "file scanning" depends on signatures of the "already existing" or the ability to spot a particular pattern, detection of any and all WMF exploits will be difficult, and newly written malware which makes use of it will likely slip past until such time as new signatures or a general signature for this tool come into being. The one referred to however is not the only such tool.

Further complicating matters is that "exploits" are not the same as general viruses, worms, and other malware in that they are not a "standalone executable." By use of "exploits" the actual "malware" is the legitimate portions of the operating system itself which actually host and operate the data which takes advantage of them. About all that can be practically done therefore is to delete the offending piece of the operating system since the exploits make use of what would otherwise be valid data used by the exploited piece of the operating system or other program. Not an option for us.

It's also been noted in numerous malware research communications between us and other parties that despite claims by several antivirus and firewall and other security companies that they have this matter "under control" it turns out not to be entirely true. Even some companies which provide software-based "filtering" or "execution protection" have been informed by Microsoft that any software based "injection protection" tools completely fail to work against this exploit. Even worse, HARDWARE based "execution protection" in newer CPUs and motherboards have either failed to protect or were not reliably configured either. Therefore it must be assumed that until such time as Microsoft fixes the flaws in SHIMGVW.DLL, regardless of the protection and means available to end users, it's more than likely that a targeted exploit will be successful regardless of "layered security" as a means to prevent the exploit from being downloaded.

Because of all of these factors, BOClean itself stands ready in its standard operating mode to be that "second line of defense." *IF* an exploit is successful, then BOClean is there as always to foil the NEXT step in the attack, the downloading and installation of trojans, worms, adware, whatever as there is a major issue with this exploit, it only offers 1700 bytes or so of "payload space." A link to the site where the tool to exploit this and technical details on this 1700+ byte limitation can be seen - we'd rather not link to it here directly. If you check the "Thoughts of a technocrat" blog, the link to it is there. This exploit differs though from the earlier one where a "luxurious" 5081 bytes of "payload space" was available which allowed pretty much any old downloader to work successfully. Big difference here is the tight space which obviously limits what can actually be dropped through use of this exploit.

Even the most "svelte" trojan downloaders are usually larger than 1750 or so bytes in size and because of the limitations of the "payload space" the number of "trojan downloaders" that can be made to fit are extraordinarily small. A few exploits have actually embedded a "script" rather than an executable, but the end result of this WMF exploit is always the same - the exploit itself contains code which causes Internet Explorer or another utility to go to a site and download the ACTUAL trojan once the exploit is triggered. The exploit is simply too small to embed an actual "trojan" within it. Thus, BOClean ends up with two chances to win without actually "seeing" the exploit itself - either at the downloader execution stage, or at the "trojan is now downloaded and ready to run" stage.

At THIS point, things turn plain old vanilla. We've seen several different uses for this exploit now - the vast majority of them being the installation of "pseudo-rootkits" like MIRC, WINGATE, SERV-U or more traditional bots such as SDBOT, RBOT, AGOBOT, MYBOT and other bots used for theft of machines or a keylogger/"BANCOBRA" identity thief. We have also (one of the reasons why we're not including links here) hit a few of the sites linked to in the blog we mentioned and upon clicking on the links in the "metasploit" site, received instantly good old Coolwebsearch "CWS/SMU18" and other hijackers such as LOP, SPYSCAM or IST junk. Bottom line, the kids are mighty busy and so far, knock on plastic, the EVENTUAL payload is the "same old, same old."

Again, the PRIMARY purpose of this exploit is a "way in" and because of the nature of this being Windows itself rather than "traditional" malware or "sucker bait" such as "free porn," "free smilies," "cracks/keygens" makes it very difficult for anyone to actually stop every possibility BECAUSE it's the exploitation of the operating system itself. Traditional antiviruses and other "scanners" are making inroads though as each new one is "discovered." For us, we prefer to lie in wait for the REAL trojan once it slips past the boundary as we always have. And this situation is no different for us with this exploit as opposed to all of the others by which malware lands successfully on machines every day.

WHAT IS A BUFFER OVERFLOW?

Most exploits take advantage of a critical design flaw in some software where the size of data isn't properly checked to ensure that it can't splash somewhere else. Buffer overflows occur routinely in a great deal of software and at worst, the end result is a crash or blue screen from time to time when invalid information is just too big. What makes "exploits" different is that this "excess baggage" just happens to land in a bad place in memory where the "overflow" somehow gets applied to a space where programs are being executed or can be "called" by some other function in the software which is being exploited. Very FEW "buffer overflows" actually result in the possibility of data being "run" but when they happen, they can be pretty serious.

Good programming design requires (where possible) that any data which goes into memory be validated to be no larger than the space provided for that data. It's along the lines of trying to put 50 pounds of meat into a 5 pound bag. Prudent code will check any inbound data for its size and cut it to the allotted space if it's longer than the proper amount. Certain spots though in memory are critical and what will happen here is that if the data is made a specific size too large, then executable stuff can end up directly in another part of memory where it will be run just like the rest of the program it's trashing. That's what's going on here - add enough junk and put code in just the right place at the right distance, and the exploit will run as part of the operating system itself.

In situations like this, where the program being exploited is part of the operating system itself, it doesn't matter if it's a "limited user" or other security undertakings since it's part of the "operating system itself" which has all necessary rights. And as far as firewalls, or process integrity monitors or even BOClean, it's LEGITIMATE because the operating system component itself is legitimate and has more "rights to execute" than an "administrator" will ever see. "SYSTEM rights!" THIS is why "exploits" are so valuable to "malware people" ... it uses the operating system against itself and there's really nothing anyone can really do, except for Microsoft. IF they think it's important enough.

HOW CAN I PROTECT MYSELF?

There have been several suggestions offered in numerous corners, and most have not worked as had been hoped. Ultimately, Microsoft has to repair their defects in their SHIMGVW.DLL library. This is the only solution. However, some "workarounds" have been made available with varying degrees of difficulty and even more varying degrees of success. Perhaps the BEST solution is one that was made available by a fellow programmer, but it involves "patching" the DLL. For many of our larger customers this solution, despite its apparent effectiveness since Microsoft will replace the library at some point anyway, is unacceptable. For those customers who do not accept "patch the kernel" as a solution, BOClean will continue to serve as it always has in the face of exploits. We'll get it once the "payload does its thing" and stop the NEXT step where an actual infection will occur.

For those interested in "the patch" detailed information on it is available here:

http://www.hexblog.com/2005/12/wmf_vuln.html#more

Run the patch, and it will solve the problem as best as possible until Microsoft solves this, whereupon you can remove this patch. Source code is provided for those daring, but paranoid souls who do not object to "kernel hooking." IMPORTANT: This is NOT an OFFICIAL MICROSOFT patch, be governed accordingly.

For those who do NOT wish to do this, then a less reliable means is to follow the instructions provided here at F-Secure's weblog:

http://www.f-secure.com/weblog/

PLEASE note though that unregistering the offending DLL doesn't guarantee protection as MS-PAINT and possibly other programs might call the DLL and load it anyway. For now, the patch provided by Ilfak Guilfanov is about as good as it gets based on what we've determined, and as is further amplified on Kaspersky's blog:

http://www.viruslist.com/en/weblog?discuss...892530&return=1

And for those wondering, the FIREFOX and OPERA browsers are only SLIGHTLY less susceptible to this exploit. As far as Windows itself goes, turning off "preview" mode in the options settings for "My computer," "(File) Explorer," "Internet Explorer," "MS-PAINT" and any other programs which provide a visual "preview mode" of graphics, as well as forgoing the use of Media Player for now is probably the best option short of applying the "patch" outlined above.

BOTTOM LINE

New exploits are being launched hourly against WMF. These exploits make use of legitimate Microsoft Windows components and are not your "traditional malware." And so far, each attempt we've seen is different in various ways. The "exploit generator tool" ensures randomness and degrees of uniqueness in each customized exploit it makes. AND there are other "click and exploit" tools for the bottom feeders of the "script-kiddies." Blocking sites doesn't work as the malware types are constantly acquiring new sites, the datastream may or may not be spotted by firewalls, antivirus or other detection tools. Programs which are designed to limit or prevent "injection" into other programs will not work or are at best limited in their capacity - Microsoft says so here with respect to "software-based DEP":

http://www.microsoft.com/technet/security/...ory/912840.mspx

BOClean makes no claims that we can stop the exploit. However, those using BOClean can rest assured that only a small handful of already known "downloader trojans" are small enough to be used as a "payload" with this exploit and, should a new "downloader" somehow be created, the purpose TO using this exploit is to download other, larger known malware which is the end purpose of the use of this exploit. And it also needs to be known that every day brings new malware of course, and as usual we're here for it as we are now on New Year's Day - keeping an eye out and carefully watching this and other situations daily. And we will continue to do so as we do every day.

We hope this has been helpful, please forgive us if time to answer specific questions is difficult to come by - we're in a record time as far as the sheer number of nasties, and we occasionally have customers who have genuine emergencies that require our attention in email along with maintaining our commitment to "getting the trojans covered." Our rule here is that covering every trojan comes FIRST, THEN the emails. Emergencies are more important than "questions and comments." If you email us about this newsletter or have questions that are not an emergency, we beg your indulgence for a reply if the insanity remains as high on our end as it's been. Unfortunately, there are higher priorities at the moment, and we promise we'll eventually get to questions if asked. Only a question of when time permits, and that's been thin lately for all of us.
--
ãrê ¥Øu êxpêriêncêD
9/11/01 Never Forget

inTulsa
Premium
join:2002-02-24

  That's a wonderful overview of what's going on today. Thank you!

said by hayc59:

The simple reality is that there are many OTHER exploits which are not getting this degree of attention, and it is the widespread and frequent use of exploits that get machines infected in the first place. For all of the attention, this one is pretty seriously limited in what it can do.
The WMF exploit certainly seems to be getting attention. The occasional loud thump like this also serves to remind people that security is an ongoing process.

Whenever Microsoft gets around to fixing the GDI for this, there will still be older exploits and probably newer ones too.

starfish8

join:2004-06-30

said by inTulsa:

That's a wonderful overview of what's going on today. Thank you!

said by hayc59:

The simple reality is that there are many OTHER exploits which are not getting this degree of attention, and it is the widespread and frequent use of exploits that get machines infected in the first place. For all of the attention, this one is pretty seriously limited in what it can do.
The WMF exploit certainly seems to be getting attention. The occasional loud thump like this also serves to remind people that security is an ongoing process.

Whenever Microsoft gets around to fixing the GDI for this, there will still be older exploits and probably newer ones too.
If this exploit is "pretty seriously limited in what it can do", why are so many people up in arms about it? How concerned should we be?


Nancymca
Security Goddess, retired.
Premium
join:2001-09-30
Voorheesville, NY
·Verizon Online DSL

said by starfish8:

If this exploit is "pretty seriously limited in what it can do", why are so many people up in arms about it? How concerned should we be?
I think that has to do with the media for one reason or another, latching onto this one (as opposed to the many they simply ignore) and its timing - during the holidays when many have vacation time, new computers, and time to read up on these things. Add to that sheer number of malware releases along with those released specifically for this exploit (and the exploit datafile generation tool) and it's a recipe for panic.
--
BOClean means never having to run a HJT log again.
www.boclean.com

starfish8

join:2004-06-30


said by Nancymca:

said by starfish8:

If this exploit is "pretty seriously limited in what it can do", why are so many people up in arms about it? How concerned should we be?
I think that has to do with the media for one reason or another, latching onto this one (as opposed to the many they simply ignore) and its timing - during the holidays when many have vacation time, new computers, and time to read up on these things. Add to that sheer number of malware releases along with those released specifically for this exploit (and the exploit datafile generation tool) and it's a recipe for panic.
I've been keeping an eye on the Symantec ThreatCon Level and it hasn't budged from level 2. I take that to mean they don't consider this a severe threat over there, at least not yet.


heels_fan
1.20.09 The start of Socialism
Premium
join:2003-02-07
Columbia, TN
reply to hayc59
I haven't seen this in the media


norwegian
Premium
join:2005-02-15
Outback
·WestNet Broadband

Neither have I, considering the kerfuffle, there have been NO alerts on TV, news, so there is at least most of Australia, and obviously other places, where there are unpatched systems still, arrgghhhh

I wonder if Microsoft will advertise soon DEP is your saviour, use Vista

how can we win when we have these odds stacked against us

inTulsa
Premium
join:2002-02-24

reply to starfish8
said by starfish8:

If this exploit is "pretty seriously limited in what it can do", why are so many people up in arms about it? How concerned should we be?
I didn't mean to stress too much insignificance of this exploit. Maybe I shouldn't have quoted that portion at all since the full post contains quite a bit of insightful content.

One dangerous thing about this latest exploit is its ability to download other more serious problems on you.

quote:
*IF* an exploit is successful, then BOClean is there as always to foil the NEXT step in the attack, the downloading and installation of trojans, worms, adware, whatever as there is a major issue with this exploit, it only offers 1700 bytes or so of "payload space."
Yet we should remember there's still other open doors and windows that haven't been locked down. This latest event is ... just the latest event. Other events are still ongoing, and others haven't started yet. For example: »New Sober worm expected to hit Jan. 5

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to norwegian
said by norwegian:

Neither have I, considering the kerfuffle, there have been NO alerts on TV, news, so there is at least most of Australia, and obviously other places, where there are unpatched systems still, arrgghhhh

I wonder if Microsoft will advertise soon DEP is your saviour, use Vista

how can we win when we have these odds stacked against us
I thought software DEP wouldn't help?
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"


SpannerITWks
Premium
join:2005-04-22

Hi Mele,

No but Hardware might - »Windows MetaFiles still vulnerable

Spanner
--
I Only Know What I Know But I'm Learning all The Time - Stay Safe - Spanner intheWorks/SpannerITWks

Mele20
Premium
join:2001-06-05
Hilo, HI

Yes, I know Hardware DEP should protect. But what I wanted to know is why would MS promote Vista on the basis of software DEP being able to prevent an exploit like this? I don't think they would because it won't help...only Hardware DEP will and that capability depends on the chip not OS.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

inTulsa
Premium
join:2002-02-24

said by Mele20:

But what I wanted to know is why would MS promote Vista ...
"Vista". I think of a Vista as being a memorable view that retains its appeal only when you're as far away from it as you can possibly get.

Five or ten miles is often sufficient. The more you move into it, the harder it is to remember what the original appeal was.

:D:D

Mele20
Premium
join:2001-06-05
Hilo, HI

LOL That is a good way to describe Vista. I'm sticking with XP Pro until the next REAL OS is out.. Blackcomb...2009/2010 which will bring the radical file structure changes that were to be in Vista and also hopefully by then the DRM crap that is in Vista will have been thoroughly trampled and be dead.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"


richtig
Music Is Emotion
Premium
join:2003-02-19
Australia

reply to Nancymca
said by Nancymca:

said by starfish8:

If this exploit is "pretty seriously limited in what it can do", why are so many people up in arms about it? How concerned should we be?
I think that has to do with the media for one reason or another, latching onto this one (as opposed to the many they simply ignore) and its timing - during the holidays when many have vacation time, new computers, and time to read up on these things. Add to that sheer number of malware releases along with those released specifically for this exploit (and the exploit datafile generation tool) and it's a recipe for panic.
Hmmm... Careful reading will reveal that you do not even have to use a browser. You might even have a WMF image on your computer, or in an email. It does not have to have the .wmf extension because WMF files have a structure that tells them what to do. It could be a .jpg, or whatever. ANY KIND OF FILE!!!

Remember the hole which can be exploited is already in your OS, and if the file was crafted to take advantage of the 'problem', ANY access to the file can trigger a 'result'. The 'result' can be a worm, a trojan, a rogue emailer, anything.

I think the press does not understand this at all, because even so-called experts have analysed this wrongly, and proposed wrong or inadequate 'solutions'.

I have looked carefully at the *only recommended workaround*. It does work, there is no known harm, or visible effect on your system, except that, in a rare case a certain 'escape-sequence' will not work. It is believed that this escape-sequence has no legitimate value, ever.

The recommended workaround 'live-patches' certain .DLLs at the time they are activated, every time they are activated. There are no known side-effects.

Meanwhile, every exploit when triggered any way at all, will be caught by BOclean as the exploit tries to run! As explained elsewhere, BOclean always catches things as they run, not when they are just sitting around.

There has been some mis-guided advice about the recommended workaround. It installs easily (required a re-boot on this system of mine), can be un-installed, and tells you to un-install it if and when Microsoft issues the official patch.

And I say again, Windows systems earlier than Windows 2000 are at risk, and they can not be fixed, ever!! What does that mean? Users of Win95, Win98, etc, MUST UPGRADE to 2000, XP, or better !!!!!!!!!!!!!
--
We are the music makers,We are the dreamers of dreams.Arthur William Edgar O'Shaugnessy
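
An added example, not part of any post in this thread: a content-based triage check for the point richtig makes above, that a WMF is recognised by its structure rather than its file extension. The header layout and the META_ESCAPE record number come from the published WMF format; the function names and sample bytes are constructed for illustration, and since the thread does not name which escape function the workaround disables, the code only lists the ones it finds.

```python
import struct
from pathlib import PurePath

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte "placeable" pre-header
META_ESCAPE = 0x0626         # record function number of an Escape record
META_EOF = 0x0000            # record function number that ends the record list


def parse_wmf(data):
    """Return (records_offset, placeable) if data is structurally a WMF, else None."""
    off, placeable = 0, False
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off, placeable = 22, True          # checksum of the pre-header is not verified here
    if len(data) < off + 18:
        return None                        # too short to hold the 18-byte standard header
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    return off + 18, placeable


def escape_functions(data, start):
    """Walk the record list and return the escape function number of each Escape record."""
    found, pos = [], start
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3 or func == META_EOF:
            break                          # malformed size or end-of-file record
        if func == META_ESCAPE and pos + 8 <= len(data):
            found.append(struct.unpack_from("<H", data, pos + 6)[0])
        pos += size_words * 2              # record size is counted in 16-bit words
    return found


def triage(name, data):
    """Classify a file by content; 'disguised' means WMF content under another extension."""
    parsed = parse_wmf(data)
    if parsed is None:
        return {"name": name, "is_wmf": False}
    start, placeable = parsed
    return {
        "name": name,
        "is_wmf": True,
        "placeable": placeable,
        "disguised": PurePath(name).suffix.lower() != ".wmf",
        "escape_functions": escape_functions(data, start),
    }


def sample_wmf(placeable):
    """Constructed, harmless sample: one Escape record (function 0x0001, no data) plus EOF."""
    esc = struct.pack("<IHHH", 5, META_ESCAPE, 0x0001, 0)
    eof = struct.pack("<IH", 3, META_EOF)
    body = esc + eof
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 5, 0)
    pre = b""
    if placeable:
        pre = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0, 0)
    return pre + hdr + body


if __name__ == "__main__":
    constructed = {
        "holiday.jpg": sample_wmf(placeable=True),    # WMF content, image extension
        "chart.wmf": sample_wmf(placeable=False),     # WMF content, honest extension
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,  # JPEG-style start, not WMF
    }
    for name, data in constructed.items():
        print(triage(name, data))
```
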


SpannerITWks
Premium
join:2005-04-22

Quote

" And I say again, Windows systems earlier than Windows 2000 are at risk, and they can not be fixed, ever!! What does that mean? Users of Win95, Win98, etc, MUST UPGRADE to 2000, XP, or better !!!!!!!!!!!!! "

MUST ?

I'm doing just fine on 98SE thanx, and so are quite a number of others on here + elsewhere too. I have NO plans to " Downgrade "

Spanner
--
I Only Know What I Know But I'm Learning all The Time - Stay Safe - Spanner intheWorks/SpannerITWks

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to richtig
Why do you insist on spreading lies about W98, ME? They WILL be patched. Microsoft has stated they will be patched. This is the second thread where you persist in trying to spread hysteria. Stop doing that.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"


richtig
Music Is Emotion
Premium
join:2003-02-19
Australia

Re: BOClean Windows WMF Vulnerability Info

Sorry about the double posting. The mods will remove the last one.

Also, if this post lasts, forgive some small editing errors.
--
We are the music makers,We are the dreamers of dreams.Arthur William Edgar O'Shaugnessy


richtig
Music Is Emotion
Premium
join:2003-02-19
Australia

reply to Mele20
said by Mele20:

Why do you insist on spreading lies about W98, ME? They WILL be patched. Microsoft has stated they will be patched. This is the second thread where you persist in trying to spread hysteria. Stop doing that.
The advice from real *experts* is that the early versions of Windows *can not ever* be patched, and will not be patched by Microsoft, *referring to this particular* problem.

Ignore this advice at your own peril. The 'hole' affects all Windows systems on which there can ever be support for WMF files.

Before accusing me of spreading hysteria, please read all of the information and follow links!!
--
We are the music makers,We are the dreamers of dreams.Arthur William Edgar O'Shaugnessy

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to Anon
Even Steve Gibson has posted a notice stating that he too was WRONG when he said MS would not patch 98/ME. He has RETRACTED that erroneous statement and now is telling everyone that MS WILL BE PATCHING 98/ME. So, why do YOU persist in spreading your WRONG information?

»www.grc.com/x/news.exe?cmd=artic···21&utag=
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"