Potential new unpatched IE exploit ? ~ Yes...may affect other Browsers also...
Websense Security Labs ^ | Dec 28 2005 11:19AM | Websense Security Labs Blog Staff

Posted on 12/28/2005 2:55:03 PM PST by Ernest_at_the_Beach

This alert is a follow-up to a post made yesterday on our blog: http://www.websensesecuritylabs.com/blog/

Websense® Security Labs™ has discovered numerous websites exploiting an unpatched Windows vulnerability in the handling of .WMF image files. The websites which have been uncovered at this point are using the exploit to distribute Spyware applications and other Potentially Unwanted Software. The user's desktop background is replaced with a message warning of a spyware infection and a "spyware cleaning" application is launched. This application prompts the user to enter credit card information in order to remove the detected spyware. The background image used and the "spyware cleaning" application vary between instances. In addition, a mail relay is installed on the infected computer and it will begin sending thousands of SPAM messages.

We are currently tracking thousands of websites distributing exploit code from iFrameCASH BIZ. A similar zero-day vulnerability being exploited by this entity was discussed earlier this month: http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=364

There is currently no patch available. Visiting an infected webpage with Internet Explorer on a fully-patched XP Service Pack 2 computer causes immediate infection. Earlier Firefox users are vulnerable but they are first prompted to display the WMF image. If a filesystem indexing service (such as Google Desktop) is installed, users of Firefox and even text-based browsers can become infected.

(Excerpt) Read more at websensesecuritylabs.com ...


To: Ernest_at_the_Beach

This one is a really nasty one. One could get infected by just visiting a website with .WMF files.


41 posted on 12/28/2005 8:23:55 PM PST by Baraonda (Demographic is destiny. Don't hire 3rd world illegal aliens nor support businesses that hire them.)

To: staytrue
Are you talking about Microsoft programmers or the virus writers ?

How about including Microsoft management?

42 posted on 12/28/2005 8:45:30 PM PST by TechJunkYard

To: MediaMole

"I'm beginning to think that the best option for most people would be a dual-boot system with Windows and Linux. Run Windows for the gaming and the applications that aren't available on Linux and run Linux for internet browsing, e-mail, etc."

I'm running Linux, and Windows XP Pro in VMWare. No web surfing in Windows - office, etc. only. All data is saved to a Samba share on Linux. If Windows takes a dump, I replace the VMware image I'm using with a fresh copy.


43 posted on 12/28/2005 11:14:09 PM PST by adam_az (It's the border, stupid!)

To: nnn0jeh

ping


44 posted on 12/28/2005 11:14:52 PM PST by kalee

To: Company Man

Suggestions to change it to?

I can find the file type and all but don't comprehend the extended information that's displayed under "Advanced" tab where it's set to open with, etc.


45 posted on 12/29/2005 3:42:22 AM PST by MillerCreek

To: Reaganwuzthebest

I have Norton AV 2006 and have it selected to disable all ActiveX and Java. Can't see some content on the internet but that's the least of my worries.

When I NEED to interact with a TRUSTED, knowntobereliable site, I modify as necessary, but for general internet use, everyone should just disable those functions. And use "High" Internet security setting, AND use a few other trusted, reliable programs like Spybot Search & Destroy (which blocks a lot of spyware and malware and hacking attempts and will actually close down your browser if anything very terrible attempts to correspond)...

Most people are just far too available on the internet and that's why they have so many of these bugs. And their bugs become bugs for everyone else, so it's important for everyone to try to take control over security on their desktops.


46 posted on 12/29/2005 3:47:39 AM PST by MillerCreek

To: flashbunny
or if you're just using your computer for web, email, mp3s, photos, etc. Get a mac mini for $500 and stop worrying about all the spyware and viruses.

Better yet, save the five hundred and d/l a copy of Mepis Linux or Kubuntu. Both are idiot proof to install on every machine I have tried and easy enough to run that my technophobe wife has no problems at all with them. She now prefers linux to windows.

47 posted on 12/29/2005 4:09:58 AM PST by chronic_loser ((Handle provided free of charge as flame bait for the neurally vacant.))

To: Ernest_at_the_Beach

What if you turn off your spyware detection alert?


48 posted on 12/29/2005 4:23:00 AM PST by wolfcreek

To: MillerCreek
When I NEED to interact with a TRUSTED, knowntobereliable site, I modify as necessary, but for general internet use, everyone should just disable those functions.

That's good advice, on the Internet zone I always keep Javascript/ActiveX disabled, not only does it help protect users somewhat against exploits but you don't get popups either.

49 posted on 12/29/2005 5:00:05 AM PST by Reaganwuzthebest

To: Reaganwuzthebest; MillerCreek; Cicero; Baraonda; backhoe; DonnerT; Abcdefg; Company Man
on the Internet zone I always keep Javascript/ActiveX disabled,

But this is a different exploit.....I don't think that helps with this one!

From Cicero's posting # 38 above......and see Company Man posting at #25.

***********************************************

A new exploit has been discovered in the wild that affects fully patched Windows XP SP2 systems, according to reports by security firms F-Secure and Sunbelt. The malicious code takes advantage of a vulnerability in the WMF graphics rendering engine to automatically download and install malware.

WMF, or Windows Metafile, is a vector based image format used by Microsoft's operating systems. SHIMGVW.DLL is loaded to render the images and contains a flaw that opens the door for a malformed WMF image to cause remote code execution and potentially allow for a full system compromise.

Microsoft previously fixed a vulnerability affecting WMF and EMF files in November. That problem affected Windows 2000, XP and Windows Server 2003.

50 posted on 12/29/2005 6:33:34 AM PST by Ernest_at_the_Beach (History is soon Forgotten,)
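A defender-side check that follows from the alert quoted in post #50: while no patch existed, an administrator could quarantine any downloaded file whose content is actually a WMF metafile, whatever extension it carries. This is an added example, not code from Websense, F-Secure, Sunbelt or anyone in this thread; the header layout is the standard WMF and placeable-metafile format, and the sample files are constructed here.

```python
import struct

# Aldus "placeable" WMF files begin with this 32-bit key (bytes D7 CD C6 9A on disk).
PLACEABLE_KEY = 0x9AC6CDD7
# A standard (non-placeable) WMF starts with an 18-byte METAHEADER:
# mtType(2) mtHeaderSize(2) mtVersion(2) mtSize(4) mtNoObjects(2) mtMaxRecord(4) mtNoParameters(2)
METAHEADER = struct.Struct("<HHHIHIH")


def is_wmf(data: bytes) -> bool:
    """Return True when `data` starts with a placeable or standard WMF header."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) < METAHEADER.size:
        return False
    mt_type, hdr_size, version, _size, _objs, _maxrec, _params = METAHEADER.unpack_from(data, 0)
    # mtType is 1 (memory metafile) or 2 (disk metafile); the header is always 9 words;
    # mtVersion is 0x0100 or 0x0300 in real files.
    return mt_type in (1, 2) and hdr_size == 9 and version in (0x0100, 0x0300)


def scan_files(files):
    """Given {filename: content}, return the names whose content is WMF, extension aside."""
    return sorted(name for name, data in files.items() if is_wmf(data))


# Constructed samples (not taken from the thread): two image-looking names hide WMF content.
SAMPLES = {
    "photo.jpg": bytes.fromhex("FFD8FFE000104A4649460001") + b"\x00" * 20,  # real JPEG magic
    "banner.gif": bytes.fromhex("D7CDC69A") + b"\x00" * 18,                 # placeable WMF
    "card.jpg": METAHEADER.pack(1, 9, 0x0300, 9, 0, 0, 0),                   # standard WMF header
    "setup.exe": b"MZ" + b"\x00" * 40,                                       # DOS/PE stub
    "notes.txt": b"plain text",                                              # shorter than any header
}

if __name__ == "__main__":
    for name in scan_files(SAMPLES):
        print(f"quarantine: {name} is a WMF metafile despite its extension")
```

A real deployment would feed `is_wmf` the first few dozen bytes of each file from a download cache or mail gateway and hold anything it flags until the host is patched.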

To: wolfcreek
What if you turn off your spyware detection alert?

Why would you do that?

This is a new exploit....see above!

51 posted on 12/29/2005 6:35:34 AM PST by Ernest_at_the_Beach (History is soon Forgotten,)

To: Ernest_at_the_Beach
But this is a different exploit.....I don't think that helps with this one!

That's what I was looking for and didn't see. Microsoft will probably patch it by their next release so the safest course in XP till then would be to unregister the shimgvw.dll file and do all surfing in a restricted account.

52 posted on 12/29/2005 6:38:05 AM PST by Reaganwuzthebest

To: Reaganwuzthebest

See #50 for some additional detail.


53 posted on 12/29/2005 6:40:21 AM PST by Ernest_at_the_Beach (History is soon Forgotten,)

To: Reaganwuzthebest
This is criminal:

********************************************

From the Websense Security Labs Website:

December 24, 2005

Phishing Alert: Lansing Automakers Federal Credit Union


Websense® Security Labs™ has received reports of a new phishing attack that targets customers of Lansing Automakers Federal Credit Union. Users receive a spoofed email, which claims that due to unauthorized access, their account access has been limited until further personal information is provided. The email provides users with a link to a fraudulent website, where they are prompted to enter their account and password.

This phishing site is hosted in Denmark and was up at the time of this alert.

Phishing email sample:

Dear LANSING AUTOMAKERS F.C.U. Customer,
      
We recently reviewed your account, and suspect that your LANSING AUTOMAKERS F.C.U. Internet Banking account may have been accessed by an unauthorized third party.
Protecting the security of your account and of the LANSING AUTOMAKERS F.C.U. network is our primary concern. Therefore, as a preventative measure, we have temporarily limited access to sensitive account features.
 
To restore your account access, please take the following steps to ensure that your account has not been compromised:
 
1. Login to your LANSING AUTOMAKERS F.C.U. Internet Banking account. In case you are not enrolled for Internet Banking, you will have to fill in all the required information, including your name and your account number.
 
2. Review your recent account history for any unauthorized withdrawals or deposits, and check you account profile to make sure not changes have been made. If any unauthorized activity has taken place on your account, report this to LANSING AUTOMAKERS F.C.U. Bank staff immediately.
 
To get started, please click the link below:

<LINK REMOVED> 
We apologize for any inconvenience this may cause, and appreciate your assistance in helping us maintain the integrity of the entire LANSING AUTOMAKERS F.C.U. Bank system. Thank you for attention to this matter.

Sincerely,
 LANSING AUTOMAKERS F.C.U. Team
 Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your LANSING AUTOMAKERS F.C.U. Bank account and choose the "Help" link in the header of any page.

Phishing screenshot: (image not reproduced here)

54 posted on 12/29/2005 6:43:30 AM PST by Ernest_at_the_Beach (History is soon Forgotten,)

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...
OK. I'm late to this thread (I don't FReep during the evening lately).

Ping to those who haven't discovered it yet.

55 posted on 12/29/2005 6:50:09 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: Ernest_at_the_Beach
This is criminal

Yup, a jail sentence of about 20 years ought to do it.

56 posted on 12/29/2005 7:03:09 AM PST by Reaganwuzthebest

To: Ernest_at_the_Beach

Yes, I realize that this latest is a different exploit than in reference to the Java/ActiveX disablement mentioned earlier -- but I was (earlier, Java/AX) including a tangential security helps, that's all, that it's wise to have those two capabilities turned off, both in the browser and set to be suppressed by your firewall.


57 posted on 12/29/2005 7:03:55 AM PST by MillerCreek

To: adam_az

Your browser setup sounds intriguing and yet, I don't understand most of it! Ha...you lost me after Windows XP Pro.

~;-D

I'll go look into "VMWare" and see if I can learn sumthin'.


58 posted on 12/29/2005 7:12:00 AM PST by MillerCreek

To: Company Man

Question: How, if I wanted to, would I undo that command?


59 posted on 12/29/2005 7:21:45 AM PST by Clara Lou (A conservative is a liberal who has been mugged by reality. --I. Kristol)

To: MillerCreek

VMWare is system virtualization software. In a nutshell, I have Windows XP running as a program INSIDE Linux. The entire Windows "filesystem" is just a few files inside Linux.


60 posted on 12/29/2005 7:22:06 AM PST by adam_az (It's the border, stupid!)
