ComputerForum.com
#1 - Drastik (Gold Member, England), 12-31-2005, 04:44 PM
New Windows Exploit Can Unleash Viruses By Viewing Images

I just thought I'd give the heads up to everyone here regarding this rather brand spanking new exploit. Signatures may not be allowed here, but to the people who visit other forums that do, this is good advice.

Quote:

By abusing a loophole with a .wmf file, just by looking at those images, many nasty things can be set loose on your computer. However, it's very dangerous in forums because of all the places images are posted: signatures, topics, etc.

Quoted from Something Awful Forums:

WHAT IS IT?
There is a new exploit out that uses WMF (windows metafile format) files to infect a computer. All you have to do to get infected is view a webpage that has the image on it, or access an infected image that is on your computer. That means the forums can be a vector for infection too. (In fact, user Blue Reptile has already been permabanned for putting the exploit in his signature.)

WHO IS VULNERABLE?
The exploit affects Firefox, Internet Explorer, and any other browser that displays or downloads the file into the cache on the local machine. The file could also be a WMF renamed to any other image type, or possibly other filetypes. Anything that puts the image exploit onto your computer or opens it up in Windows fax viewer or the part of Windows that generates thumbnails of WMF files is a vulnerability. This means any vector that puts the image onto your computer (wget, browser, email, IM, etc.) can potentially cause the problem.

This affects anyone on Windows (98, 98SE, ME, 2000, XP, 2003). USING FIREFOX DOES NOT ELIMINATE THE RISK as the file is still downloaded to your cache in most cases, but it does reduce your chances somewhat since the image is often not displayed in the browser. But if you then interact with the file in any way (thumbnail it, Google Desktop, hover over with the mouse) that causes it to be handled by the windows subsystem responsible for WMF then you will have problems. Once again, YOU CAN BE CAUGHT BY THIS EXPLOIT EVEN IF THE IMAGE DOES NOT SHOW IN THE BROWSER. If you use Windows, your system is vulnerable.
WHAT DOES IT DO?
The exploit can be used to drop viruses, trojans, installers etc onto your computer when the exploit is activated (when the file is parsed by the part of windows with the problem). It does not do anything by itself until it is activated. There have been several reports of trojans being downloaded, which then download other things, other spyware, etc. Some of these are "SpyAxe", "AYL" trojan downloader, "ASC" trojan, and other stuff.

Here's a video of what this version is doing: http://www.websensesecuritylabs.com...s/wmf-movie.wmv (thanks Merijin).

For further technical information please see the SH/SC thread - http://forums.somethingawful.com/sh...hreadid=1759573
WHAT YOU CAN DO TO HELP PROTECT YOURSELF
1. SCAN YOUR COMPUTER - Update your defs and scan your computer. Even if you think you are safe, scan your Windows computer anyway. If you don't have antivirus software, NOD32 TRIAL VERSION is a good one and works as a trial for 30 days. Update the definitions right away after installing - they auto-update but you want to be sure you have the latest. I have personally tested NOD32 and found that its AMON on-access scanner stopped the image as soon as it was saved to the cache, before it was able to execute anything.

Most AV companies should have definitions updated by now, but check to be sure that they protect against the actual exploit itself, not just against whatever trojan the exploit drops on the computer. NOTE: SCAN ALL FILES. Some AV solutions only scan "infectable" files and do not scan image files because the program thinks they are safe. Check for an option to scan all file types and make sure that is enabled.

Now that almost all AV software has some kind of definition for it, you can really use whatever you want and are comfortable with. So it's not like anyone is pushing you to go pay for NOD32 if you are already happy with what you have. There are still pros and cons to using each particular software.

Whichever AV you use, just make sure that:
1) You have your realtime scanner turned on for now, and
2) You set it to scan all files, including images (not just exe's anymore!), and
3) The AV software of your choice detects the actual exploit and not just the payload it drops once activated.
2. USE AN ALTERNATIVE BROWSER - Using Firefox or an alternative browser will reduce your risk because it does not display the image. However the image is still downloaded to your cache, and some browsers prompt you to open the file - which you should not do!

3. TURN OFF SALR's feature that makes text links into images. If you have that feature turned on, someone could make just a text link that displays the infected image in your browser.

4. TURN OFF GOOGLE DESKTOP or anything else that does indexing of files on your computer.

5. USE COMMON SENSE - Don't go to links you don't trust, don't open files you aren't expecting, including suspicious email or IM's, etc.

6. KEEP ON TOP OF WINDOWS UPDATES - Hopefully they can fix this one quickly, but you really should be up-to-date on everything else anyway.

7. AVOID IMAGE SEARCHING and visiting webpages you don't trust. Some of the places this image has been popping up are: eBay XBOX auctions, porn sites, google image search, wikipedia, myspace, other forums, etc - places where people can post their own images. If you have a competent realtime scanner that can catch the image before it executes anything you are ahead of the game here.
BONUS TECHY STUFF
8. You can try unhooking the part of Windows that views those image files. To do this, click Start -> Run and type regsvr32 /u shimgvw.dll then press OK. You will get a confirmation message. To undo this, repeat but type regsvr32 shimgvw.dll instead. Note: This only has a minimal benefit - it only disables the image viewer itself. It doesn't protect against viewing the exploit image in Internet Explorer, for example. Messing around with this is at your own risk.

9. Forum user R1CH, the Ron Jeremy of Coding, has come up with a patched file that can reportedly help eliminate the problem. Here are the instructions. This is also at your own risk since it's not an official Microsoft patch.

10. If you want to test that your antivirus is working, forum user R1CH, the Ron Jeremy of Coding, has created a test file that can do this for you. THIS IS NOT AN EXPLOIT, IT IS A TEST THAT R1CH CREATED. "Here's a sample, safe exploit to determine whether you are vulnerable (shutdown dialog) or patched (simple crash/nothing): http://r-1.ch/test.wmf " WARNING: If your antivirus does not catch this, and the shutdown dialog pops up, then you will have to go to Start -> Run -> type shutdown -a and press ENTER before the timer expires, or your computer will reboot.
BOTTOM LINE: If you use Windows, you will not be 100% safe from this exploit until the problem in windows is patched - there is no official patch yet.
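The advice in the post above to scan every file, not just "infectable" ones, rests on the point that a WMF can be renamed to any other image extension and still be handed to the vulnerable Windows code. The detector below is an added example written for this thread; it is not code from the original post, from Something Awful, or from any antivirus product mentioned. It assumes only the documented WMF layout (an 18-byte standard header, optionally preceded by the 22-byte placeable header whose magic is 0x9AC6CDD7) and flags META_ESCAPE records carrying the SETABORTPROC subfunction, the record type that the January 2006 Microsoft fix for this issue (MS06-001) concerned. The sample files are constructed inline and contain no payload; the names, verdict strings and helper functions are this example's own.

```python
"""
Content-based WMF detector: identifies Windows Metafiles by structure rather
than extension and flags META_ESCAPE/SETABORTPROC records.  Added example for
this thread, not code from the original post or from any product it mentions.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # on disk: D7 CD C6 9A (placeable WMF header)
PLACEABLE_LEN = 22
STD_HEADER_LEN = 18
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETWINDOWORG = 0x020B
SETABORTPROC = 0x0009          # escape subfunction targeted by the 2005 WMF exploit


def _std_header_at(data, off):
    """True if an 18-byte standard WMF header starts at offset `off`."""
    if len(data) < off + STD_HEADER_LEN:
        return False
    mtype, hdr_size, version = struct.unpack_from("<HHH", data, off)
    return mtype in (1, 2) and hdr_size == 9 and version in (0x0100, 0x0300)


def header_offset(data):
    """Offset of the standard header, or None if the bytes are not a WMF."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        return PLACEABLE_LEN if _std_header_at(data, PLACEABLE_LEN) else None
    return 0 if _std_header_at(data, 0) else None


def iter_records(data, start):
    """Yield (offset, function, params) for each record; stop at META_EOF."""
    off = start
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:  # a record cannot be smaller than its own 6-byte header
            raise ValueError("record at offset %d has impossible size" % off)
        size = size_words * 2
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def setabortproc_offsets(data):
    """Offsets of META_ESCAPE records whose subfunction is SETABORTPROC."""
    hdr = header_offset(data)
    if hdr is None:
        raise ValueError("not a WMF")
    hits = []
    for off, func, params in iter_records(data, hdr + STD_HEADER_LEN):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


def classify(data):
    """Verdict for one file's bytes, independent of its name."""
    if header_offset(data) is None:
        return "not-wmf"
    try:
        hits = setabortproc_offsets(data)
    except ValueError:
        return "wmf-malformed"
    return "wmf-setabortproc" if hits else "wmf-clean"


def scan(files):
    """Map filename -> verdict; the extension is deliberately never consulted."""
    return {name: classify(data) for name, data in files.items()}


# --- constructed samples (hypothetical, payload-free) to exercise the detector ---

def _record(func, params=b""):
    if len(params) % 2:
        params += b"\x00"          # records are WORD-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample(with_escape, placeable=False):
    """Build a minimal WMF; with_escape adds a SETABORTPROC escape holding zero bytes."""
    recs = [_record(META_SETWINDOWORG, struct.pack("<hh", 0, 0))]
    if with_escape:
        recs.append(_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4))
    recs.append(_record(META_EOF))
    body = b"".join(recs)
    max_words = max(len(r) for r in recs) // 2
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x0300, (STD_HEADER_LEN + len(body)) // 2, 0, max_words, 0)
    out = hdr + body
    if placeable:
        head = struct.pack("<IHhhhhHI", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0)
        csum = 0
        for (w,) in struct.iter_unpack("<H", head):
            csum ^= w               # placeable checksum: XOR of the preceding ten WORDs
        out = head + struct.pack("<H", csum) + out
    return out


CONSTRUCTED_FILES = {
    "avatar.gif": b"GIF89a" + b"\x00" * 40,                        # not a WMF at all
    "funny.jpg": build_sample(with_escape=True),                    # renamed WMF with the escape
    "logo.wmf": build_sample(with_escape=False, placeable=True),    # ordinary placeable WMF
}

if __name__ == "__main__":
    for name, verdict in scan(CONSTRUCTED_FILES).items():
        print("%-12s %s" % (name, verdict))
```

The point of `scan` is that "funny.jpg" is reported as a WMF with a SETABORTPROC escape purely from its bytes, which is the check an "infectable files only" scanner skips; a real deployment would run it over a browser cache directory rather than over constructed samples.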


#2 - Xycron (banned), 12-31-2005, 06:57 PM

1. Old news.

2. Most forums have that extension disabled. Even on my forum it has the extension disabled, and whoever tries to use it is reported to me automatically via e-mail so the member can be WATCHED, because there is no proof there is anything actually wrong with it...

3. Any good anti-virus will protect you from it easily; my Norton does.
#3 - smokey99 (New Member), 03-01-2006, 10:38 PM

My Norton Didn't!
V 11.01 6 2
With daily updates, and all bells and whistles on

I hate Norton, I am changing to NOD32.
#4 - Hairy_Lee (VIP Member, Plymouth, UK), 03-01-2006, 10:41 PM

The fix was released for that quite a while back now.
#5 - Altanore (Gold Member, Canada), 03-02-2006, 02:11 AM

Yes, I highly recommend NOD32. Saved me lots of trouble, that's for sure, and uses less system resources. Does a VERY good job at blocking out viruses etc. on websites... blocks them before they are even downloaded or run.


#6 - matt12685848 (Gold Member), 03-02-2006, 03:59 AM

Norton is pretty good but with the firewall it uses 100mb of memory!!! NOT GOOD FOR BF2!!!
#7 - Veurruckte (Silver Member), 03-02-2006, 08:15 AM

Also, in the future it would be better to simply link to your source, rather than copying and pasting the post and not even citing the source. Also, this would most likely fit into the Security category.

Still, I applaud you for your effort.
#8 - calumn (Gold Member, Scotland), 03-18-2006, 09:59 PM

I have Avast and use Firefox.
I went to the link and a window popped up in Firefox asking me whether to save or open it, and then Avast started ringing and displaying this even though I hadn't opened or even clicked anything yet.