By Elinor Mills, CNET News.com
Published on ZDNet News: December 28, 2005, 4:04 PM PT


A new Trojan horse program was infecting PCs on Wednesday, exploiting a hole in Windows systems to sneak onto computers, then dropping adware or spyware or turning them into zombies, according to several Internet security companies.

The Trojan, dubbed Exploit-WMF (Windows Meta File), was rated a category 2 level risk, meaning it had the potential to continue to spread, said Dave Cole, director of security response at Symantec.

The exploit "is misusing a function in the WMF library in Windows," dropping onto the machine a downloader Trojan "that pulls down its big brother, a more sophisticated Trojan" from a server on the Internet, he said.

"Then it might try to pull down adware, spyware or a bot program," that can turn the computer into a zombie to be used for attacking other machines or sending spam, or just leave a hole on the computer through which sensitive data could be stolen, Cole said.

Kaspersky Lab rated the vulnerability "highly critical" and predicted that "new modifications of these programs may well appear in the near future."

The WMF vulnerability affects computers running Windows XP with Service Pack 1 and Service Pack 2, as well as Windows Server 2003 with Service Pack 0 and Service Pack 1. It can be exploited when an Internet Explorer user, or Firefox user under certain circumstances, visits a Web site that has malicious code on it or when a user previews .wmf format files with Windows Explorer, Kaspersky said in a statement.

The WMF library allows the computer to handle particular image types of Windows machines, Cole said. There is no patch for it yet from Microsoft, although antivirus vendors had released software to help protect against it, he said.

"Microsoft is investigating new public reports of a possible vulnerability in Windows and will continue to investigate the reports to help provide additional guidance for customers," a Microsoft spokesperson wrote in an e-mail. "Upon completion of this investigation, Microsoft will take the appropriate action to protect customers, which may include providing a fix through the monthly release process or issuing a security advisory, depending on customer needs."

Windows users can get more information about security issues at http://support.microsoft.com/security.

OH! Trojan horse program.... The thread title had me started down a whole other line of thought. ;) Silly moi! Too bad those with a bootleg copy of Windows can't do much about it. :( Or can they?

New Exploit for Unpatched Windows Flaw (http://blogs.washingtonpost.com/securityfix/2005/12/new_exploit_for.html)

ALSO see
Urgent update at about.com (http://antivirus.about.com/b/a/2006_01_01.htm), and an
Alert from The Internet Storm Center (http://isc.sans.org/diary.php?storyid=996)

Maybe by next computer will be a Mac. :angryfire

Oh man I feel for you, this is VERY bad!

Yep, proj, it's VERY bad

& it all could get very Very VERY BAD in a hurry... BUT!

As it is I didn't get WMF'ed, but a friend of a friend did

Now I don't know if that person had any AV or spyware protection but all I know is, besides updating my definitions daily, I'm taking the ''belt & suspenders" approach as mentioned at the Internet Storm Center
-

..."an ounce of prevention"
& all that, knowhutImean?

Yes, but the antivirus cannot possibly see these... the reason it is so bad is you cannot protect yourself! The patch they are offering at SANS is the only thing I saw that would work, and even then if you have certain software installed, it still will not help, and you don't even have to look at the image file...

See, the biggest problem is, how can you possibly know your computer is not 100% taken over? You cannot! Your AV is useless, this is a windows low level problem, and they will not release a patch for quite a few days it seems.

I personally would either shut down my PC until a patch is found (or run linux or apple OS), or reinstall windows immediately after patch is done.

I could have changed the header of our site just for instance, and every single member would be nailed, no chance to get away from it.

Well Proj I can tell you I'm already using that patch from SANS as part of the belt & suspenders

And I know the AV is useless for this problem in particular

As it is, I'm not keeping my AV/spyware up-to-date for the WMF exploit ITSELF

I'm updating it for the nasty payloads a WMF (or similar) exploit might deposit
!!

That friend of a friend reportedly had in the neighborhood of 50

Are we having fun yet ?

Doesn't matter as one of the first things any decent worm or virus will do is kill or change your AV scanner.

There is no protection, and as any security person will tell you, if you may be infected, you must proceed as if you are infected.

About the only chance for most people is to not view an image of any sort while in Windows, and to disable any meta-searching agent active on your system... yahoo or google toolbar for instance...

A 'decent' worm or virus, eh?

Guess
I was only prepared for
indecent exposure
;)

Hopefully all-around, this WMF business won't get over-exposure


Anahoo, thanx for your sage info, Proj
(Well worth more than my 2 cents! :D)

The Windows WMF exploit could be the last wake up call Microsoft and others get
Submitted by Rollie Hawk on Thu, 2006-01-05 at allyourtech.com (http://allyourtech.com/content/news/05_01_2006_the_windows_wmf_exploit_could_be_the_la st_wake_up_call_microsoft_and_others_get.php)

An ill wind is blowing near Microsoft right now. It's come and passed before, but this time seems different. I'm starting to get a lot of clients asking about this "Linux stuff." And I'm not even talking about the corporations trying to save money on software; I'm talking about individuals trying to save their home computers.

To begin with, I'm not alone in having my doubts about the "upcoming patch" that Microsoft has promised on the tenth of January. It's simply not going to be all it needs to be (even if it does appear on time).

Now in all honesty, there should be no problem patching this specific issue. After all, Microsoft needs only to read the MSIs that are being distributed to get a pretty good idea of what to do. Still, I have a feeling that they won't really be fixing this. It's just not a good sign when Microsoft is starting to make money fixing its own software (http://www.microsoft.com/services/microsoftservices/srv_support.mspx).

Besides that, what about all the versions of Windows that are no longer supported? There are still plenty of people using those. Even if this one issue is patched for all versions, it's presuming everyone is updating in the first place. I'm not so much worried about Joe Average losing his Web surfing/gaming/porn/email box but rather the damage those boxes will cause professionals in terms of Spam and DDoS attacks in coming months.

If they want a chance in the future, they'd better fundamentally change the Windows architecture in Vista. It's no longer a matter of "Windows is lame!" and "Linux is teh 1337!" shouts from the Linux fanboys. Instead, they are facing down the fact that malware is beginning to make their software unsafe for the average user to even consider exclusively. It won't matter how easy Vista is to use once it gets to the point that your system is broken as soon as it connects to the Net.

The trend is starting to look like there won't be a way for Windows to stay ahead of (or at least a few yards behind) the malware writers. There are just too many of them out there. With closed source, there is no way to have as many bright people working on secure code as there are equally bright criminals wanting to break it.

Why is that? It's a simple matter of economics that can't be circumvented - no matter how much money Microsoft has, it can't pay enough to talented coders to compete with the money available to malicious coders. This is a fundamental fact that all closed source software vendors had better consider.

Don't like using open source software? The way things are going, you may not have a choice in a few years. Sloppy coding, slow updates, malware, and ignoring more than 30 years of best practices in software architecture will run traditional software consumers out of the closed source market and the traditional vendors out of town as a result.

I suppose that would be a rather ironic end to all the Microsofts out there. They love capitalism when it works in their favor, but it's the capitalist principals of competition and a free market that will make open source shine and could destroy the old guard of software vendors.

As a matter of fact, it gets even more ironic than that for Microsoft. They designed Internet Explorer as an embedded part of their operating system in an effort to monopolize the Web. Now, that monopoly is slowly choking the life out of the software it was meant to promote.

Someone had better wake up Bill and the boys at Redmond. All that "Linux stuff" is going to look a lot less geeky when it's the only damned thing left running.

Microsoft Ships 'Emergency' WMF Patch
By Ryan Naraine
January 5, 2006

Microsoft Corp.'s fix for the Windows Metafile vulnerability will be shipped Thursday as a critical, out-of-cycle update.
Reversing an earlier decision to release the patch on Jan. 10., the software maker announced that strong customer demand for an emergency update triggered the shift in plans.
The fixes have been included in the MS06-001 bulletin and apply to users of Windows 2000 SP4, Windows XP SP1 and SP2, and Windows Server 2003 SP1.
There are no free patches available for computer users running Windows 98, Windows ME and pre-SP4 versions of Windows 2000, since those versions of the operating system are out of mainstream product support.

More at http://www.eweek.com/article2/0,1895,1908393,00.asp

I got a security update on Wednesday. A day early.