Free Republic

Potential new unpatched IE exploit ? ~ Yes...may affect other Browsers also...
Websense Security Labs ^ | Dec 28 2005 11:19AM | Websense Security Labs Blog Staff

Posted on 12/28/2005 2:55:03 PM PST by Ernest_at_the_Beach

This alert is a follow-up to a post made yesterday on our blog: http://www.websensesecuritylabs.com/blog/

Websense® Security Labs™ has discovered numerous websites exploiting an unpatched Windows vulnerability in the handling of .WMF image files. The websites which have been uncovered at this point are using the exploit to distribute Spyware applications and other Potentially Unwanted Software. The user's desktop background is replaced with a message warning of a spyware infection and a "spyware cleaning" application is launched. This application prompts the user to enter credit card information in order to remove the detected spyware. The background image used and the "spyware cleaning" application vary between instances. In addition, a mail relay is installed on the infected computer and it will begin sending thousands of SPAM messages.

We are currently tracking thousands of websites distributing exploit code from iFrameCASH BIZ. A similar zero-day vulnerability being exploited by this entity was discussed earlier this month: http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=364

There is currently no patch available. Visiting an infected webpage with Internet Explorer on a fully-patched XP Service Pack 2 computer causes immediate infection. Earlier Firefox users are vulnerable but they are first prompted to display the WMF image. If a filesystem indexing service (such as Google Desktop) is installed, users of Firefox and even text-based browsers can become infected.

(Excerpt) Read more at websensesecuritylabs.com ...
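The Websense excerpt describes what the .WMF flaw does to a victim but not where it lives. The bug, patched as MS06-001 on 5 January 2006 (after this thread), was in GDI's playback of the META_ESCAPE record: a SETABORTPROC escape let a metafile register a callback that GDI then executed, so anything that rendered the image (the Picture and Fax Viewer, Explorer thumbnails, a desktop indexer) ran attacker-supplied bytes. The scanner below is an added example written for this page, not Websense's code or any vendor's signature. It parses the WMF record stream and flags escape records that select SETABORTPROC, comparing only the low byte of the record function because, per the MS-WMF format, the high byte is a parameter count and 0x0026 names the same function as 0x0626. The helper and constant names are mine; the sample files at the bottom are constructed from the format alone, and the NOP filler stands in for a payload without being one.

```python
import struct

# WMF constants follow MS-WMF names; helper names below are this example's own.
PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header key, D7 CD C6 9A on disk
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18           # HeaderSize field says 9 WORDs
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103
SETABORTPROC = 0x0009          # escape function abused by the December 2005 exploit
MFCOMMENT = 0x000F             # a harmless, common escape (used for the benign sample)


def wmf_records(data: bytes):
    """Yield (offset, record_function, params) for every record in `data`.

    Accepts both placeable (22-byte Aldus header) and plain files. Stops after
    META_EOF, or at the first record whose declared size runs past the buffer;
    that record is yielded with record_function=None so callers can flag it.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = PLACEABLE_HEADER_LEN
    if len(data) < off + META_HEADER_LEN:
        raise ValueError("too short for a WMF header")
    file_type, header_words, _version = struct.unpack_from("<HHH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    off += META_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2            # RecordSize counts 16-bit WORDs
        if size < 6 or off + size > len(data):
            yield off, None, b""
            return
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def find_setabortproc(data: bytes) -> list:
    """Return one finding per escape record that selects SETABORTPROC.

    The low byte of RecordFunction identifies the function (the high byte is a
    parameter count in MS-WMF), so 0x0026 and 0x0626 are both escapes; comparing
    the low byte keeps a sample that varies the high byte from slipping past.
    """
    hits = []
    for off, func, params in wmf_records(data):
        if func is None:
            hits.append({"offset": off, "reason": "malformed record size"})
            continue
        if (func & 0xFF) != (META_ESCAPE & 0xFF):
            continue
        if len(params) < 4:
            hits.append({"offset": off, "reason": "short escape record"})
            continue
        escape_fn, _byte_count = struct.unpack_from("<HH", params, 0)
        if escape_fn == SETABORTPROC:
            hits.append({"offset": off, "reason": "SETABORTPROC escape",
                         "function": func, "payload_len": len(params) - 4})
    return hits


def build_wmf(records, placeable=False) -> bytes:
    """Assemble a WMF from (function, params) pairs. Constructed test input only."""
    body, max_words = b"", 0
    for func, params in records:
        params += b"\x00" * (len(params) % 2)       # records are WORD-aligned
        words = 3 + len(params) // 2
        max_words = max(max_words, words)
        body += struct.pack("<IH", words, func) + params
    total_words = (META_HEADER_LEN + len(body)) // 2
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300, total_words & 0xFFFF,
                         total_words >> 16, 0, max_words, 0)
    prefix = b""
    if placeable:   # key, handle, bbox, inch, reserved, checksum (checksum left 0; not validated here)
        prefix = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 96, 96, 96, 0, 0)
    return prefix + header + body


# Constructed samples. FILLER is sixteen NOP bytes standing in for a payload, not one.
FILLER = b"\x90" * 16
ESCAPE_PARAMS = struct.pack("<HH", SETABORTPROC, len(FILLER)) + FILLER
BENIGN = build_wmf([(META_SETMAPMODE, struct.pack("<H", 8)),
                    (META_ESCAPE, struct.pack("<HH", MFCOMMENT, 4) + b"abcd"),
                    (META_EOF, b"")])
EXPLOIT_SHAPED = build_wmf([(META_SETMAPMODE, struct.pack("<H", 8)),
                            (META_ESCAPE, ESCAPE_PARAMS), (META_EOF, b"")])
LOW_BYTE_VARIANT = build_wmf([(0x0026, ESCAPE_PARAMS), (META_EOF, b"")])
PLACEABLE_VARIANT = build_wmf([(META_ESCAPE, ESCAPE_PARAMS), (META_EOF, b"")], placeable=True)
TRUNCATED = EXPLOIT_SHAPED[:40]   # the escape record's declared size overruns the buffer

if __name__ == "__main__":
    for name in ("BENIGN", "EXPLOIT_SHAPED", "LOW_BYTE_VARIANT", "PLACEABLE_VARIANT", "TRUNCATED"):
        print(name, find_setabortproc(globals()[name]))
```

Two things to keep in mind when using this against real traffic: the scanner keys on the record stream, not on the file extension, which matters because the exploit pages served the metafile under arbitrary names and IE sniffed the content; and an escape record by itself is not evidence (MFCOMMENT escapes are routine), which is why only SETABORTPROC, malformed sizes and too-short escapes are reported.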


TOPICS: Crime/Corruption; Extended News; Foreign Affairs; News/Current Events; Technical
KEYWORDS: backdoor; computer; exploit; exploits; firefox; internetexploiter; lookoutexpress; lowqualitycrap; malware; microsoft; openrelay; patch; security; securityflaw; spam; spamware; spyware; trojan; trojans; virus; windows; windowsxp; winfixer2005; wmf; worm; wrongtitle
To: Company Man
With Firefox you can just leave out support for WMF files, or point it to your viewer of choice as with IE.

Symantec has a virus update for this one, if you use that service.

More handy news . . .
Firefox also has a plugin, called noscript, which allows you to selectively enable/disable Javascript, for those nasty Drudge style popups and nefarious scripts.
61 posted on 12/29/2005 7:27:17 AM PST by Tarpon
[ Post Reply | Private Reply | To 8 | View Replies]

To: Clara Lou
Question: How, if I wanted to, would I undo that command?

To re-register the file just go to Start/run and copy in or type:

"regsvr32 shimgvw.dll"

62 posted on 12/29/2005 7:29:59 AM PST by Reaganwuzthebest
[ Post Reply | Private Reply | To 59 | View Replies]

To: adam_az

Yes, thanks, I've since found that out by reading...very, very interesting setup you have there, now that I comprehend what you described earlier.

So, you install Linux as OS, then you download a VMWare machine and then you install Windows in that? (That would install more than a few files, however.)....so, what did I not understand correctly here?


63 posted on 12/29/2005 10:10:38 AM PST by MillerCreek
[ Post Reply | Private Reply | To 60 | View Replies]

To: MillerCreek

Pretty much.

The windows "disk" is actually a set of files in the Windows filesystem. VMWare makes Windows think it's a disk.


64 posted on 12/29/2005 10:18:47 AM PST by adam_az (It's the border, stupid!)
[ Post Reply | Private Reply | To 63 | View Replies]

To: adam_az

Ahh, so. Clarifying, did you just write that Windows, on install, perceives VMWare to be "a disk" as in, a drive? That the WXP install/setup is performed within the VMWare "machine"?

If that's so, then how is it that you interchange/exchange/replace the WXP installs...just by removing one VMWare "machine" and installing another and then installing WXP on that in kind?

Which then never interacts with the OS of Linux?

If I have that right, then what protective measures do you employ for the OS/Linux? Anything special, like AV and firewall and antispyware programs and all as I now do with WXP as OS?

I'm trying to figure out the usability (certainly not complaining, just trying to figure it...). Thanks for your pointers.

Oh, as to Norton/Symantec AV, my AV and Internet Security was already updated by Symantec and very late last night. I ran manual update after finding no auto updates today after reading this warning thread/issue here, and finding none, ran manually and I'm still current.

So, they must have countered the threat late yesterday with the last update offering I received.


65 posted on 12/29/2005 11:30:17 AM PST by MillerCreek
[ Post Reply | Private Reply | To 64 | View Replies]

To: MillerCreek
Just to jump in here (I also use VMware):

Windows (or any OS within the VM) can interact with the host OS (Linux, etc) through virtual ethernet. Windows sees the usual ethernet port and VMware takes those signals and uses them to communicate to the host OS or to the Internet (or any other machine on your actual network).

VMware can produce multiple virtual machines--it just uses different directories to store the files it uses to simulate the virtual machine's disk. Thus, you can install as many OSes as you have desire and disk space for. These files vary in size depending on the size you set for your virtual hard disk. I've set up VMs with as little as 100MB "hard disks" and as large as 10GB. The only limit is your host filesystem.

As far as protective measures with Linux, the only one I use is a firewall. It prevents any access to my internal network that I don't originate first (web browsing, etc). I don't use any AV, Spybot, etc.

HTH!

66 posted on 12/29/2005 11:55:59 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 65 | View Replies]

To: MillerCreek

"Ahh, so. Clarifying, did you just write that Windows, on install, perceives VMWare to be "a disk" as in, a drive? That the WXP install/setup is performed within the VMWare "machine"?"

VMWare presents an interface to Windows that looks like normal hardware, even though it's all just virtual. VMWare intercepts all IO.

"If that's so, then how is it that you interchange/exchange/replace the WXP installs...just by removing one VMWare "machine" and installing another and then installing WXP on that in kind"

It's just a set of files that the VMWare player, the virtual computer, boots. I keep a backup of the files. If something happens to my "windows" install, I just replace the Windows install with a fresh copy and I'm back in business.

"Which then never interacts with the OS of Linux? "

I can cut and paste between them, file share, etc. VMWare runs as a program in Linux, and it boots Windows.

"If I have that right, then what protective measures do you employ for the OS/Linux? Anything special, like AV and firewall and antispyware programs and all as I now do with WXP as OS?"

I never run as Root, the administrative user. That way even if there were some kind of browser nasty, it couldn't destroy the whole computer, unless it knew how to escalate its privileges using some other exploit. I use the built in Linux kernel firewall, and a hardware firewall too. I still have to keep Windows patched but I don't do much other than MS Office with it.

I can make the Windows session go full screen... even on my 24" 1920x1200 LCD panel.




67 posted on 12/29/2005 12:25:49 PM PST by adam_az (It's the border, stupid!)
[ Post Reply | Private Reply | To 65 | View Replies]

To: MillerCreek

You can also use VMWare or MS Virtual PC to run Windows inside a virtual machine that is installed on Windows.

I run Virtual PC to run Windows 2003 on my Mac and I also use it to surf from a virtual machine of Windows XP installed on Windows XP.

Since the virtual machines are self-contained, no contamination can infect the host computer.

As to how to install a "fresh" copy, the easiest way is to backup the SINGLE file that is created when you install Windows in a virtual machine. The entire virtual environment is contained in this file so all you have to do is back it up or copy it somewhere and should your virtual machine ever get infected you can just copy your backup over and start again.


68 posted on 12/29/2005 12:31:12 PM PST by VeniVidiVici (What? Me worry?)
[ Post Reply | Private Reply | To 65 | View Replies]
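Posts 64, 67 and 68 all rely on the same procedure: keep a clean copy of the VM's files and copy it back over the guest once it has been infected. Below is an added example of that workflow, written for this page rather than taken from VMware or Virtual PC; the function names, the manifest file name and the throwaway files in demo() are this example's own. It treats the VM as a directory of files (VMware keeps a .vmx, one or more .vmdk and an .nvram together; a single Virtual PC .vhd is handled the same way) and adds the one check a practitioner would want: a SHA-256 manifest written when the snapshot is taken, so that a restore refuses to run if the golden copy itself has been altered. That check is worth having because the guest is not sealed off from the host: the cut-and-paste and file-sharing bridges post 67 mentions are exactly the kind of path a guest-side infection can use to reach host files, and the host is where the golden copy lives.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "golden.sha256.json"   # name chosen for this example; stored beside the golden files


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(tree: Path) -> dict:
    """Map each regular file under `tree` (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(tree).as_posix(): sha256_file(p)
            for p in sorted(tree.rglob("*"))
            if p.is_file() and p.name != MANIFEST}


def snapshot(vm_dir: Path, golden_dir: Path) -> dict:
    """Copy a clean, powered-off VM directory to `golden_dir` and record its manifest.

    Do this once, right after patching the guest and before it browses anything.
    """
    if golden_dir.exists():
        shutil.rmtree(golden_dir)
    shutil.copytree(vm_dir, golden_dir)
    manifest = manifest_of(golden_dir)
    (golden_dir / MANIFEST).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify(golden_dir: Path) -> list:
    """Relative paths whose content differs from the manifest (changed, added or
    missing). An empty list means the golden copy is intact."""
    recorded = json.loads((golden_dir / MANIFEST).read_text())
    current = manifest_of(golden_dir)
    return sorted(n for n in set(recorded) | set(current)
                  if recorded.get(n) != current.get(n))


def restore(golden_dir: Path, vm_dir: Path) -> None:
    """Replace the (possibly infected) VM directory with the golden copy.

    Refuses if the golden copy no longer matches its manifest: a guest with a
    writable share onto the host, or malware on the host, could have altered it.
    """
    tampered = verify(golden_dir)
    if tampered:
        raise RuntimeError(f"golden image altered, not restoring: {tampered}")
    if vm_dir.exists():
        shutil.rmtree(vm_dir)
    shutil.copytree(golden_dir, vm_dir, ignore=shutil.ignore_patterns(MANIFEST))


def demo() -> dict:
    """Walk-through on constructed throwaway files that stand in for a VM directory."""
    root = Path(tempfile.mkdtemp(prefix="vm-golden-demo-"))
    vm, golden = root / "winxp-browse", root / "winxp-golden"
    vm.mkdir()
    (vm / "winxp.vmx").write_text('displayName = "winxp-browse"\n')
    clean_disk = b"\x00" * 4096                       # stands in for winxp.vmdk
    (vm / "winxp.vmdk").write_bytes(clean_disk)
    snapshot(vm, golden)

    # The guest picks something up while browsing: its disk image changes.
    (vm / "winxp.vmdk").write_bytes(clean_disk[:4000] + b"DROPPER" + clean_disk[4007:])
    restore(golden, vm)
    disk_clean = (vm / "winxp.vmdk").read_bytes() == clean_disk
    manifest_in_vm = (vm / MANIFEST).exists()

    # Now the golden copy itself is altered; restore must refuse rather than
    # reinstall whatever happens to be there.
    (golden / "winxp.vmdk").write_bytes(clean_disk[:-1] + b"\x01")
    tampered = verify(golden)
    try:
        restore(golden, vm)
        refused = False
    except RuntimeError:
        refused = True
    shutil.rmtree(root)
    return {"disk_clean_after_restore": disk_clean,
            "manifest_copied_into_vm": manifest_in_vm,
            "tampered_files": tampered,
            "restore_refused_after_tamper": refused}


if __name__ == "__main__":
    print(demo())
```

Take the snapshot with the guest powered off, not suspended, or the copy will carry a memory image and a disk that the hypervisor still considers open. Keeping the golden directory on a drive the guest cannot reach through a share, and the manifest somewhere the guest cannot reach at all, is what gives the verify step its value.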

To: Tarpon

Is this link from Symantec:
http://www.symantec.com/avcenter/security/Content/15352.html

related to the problem? It sounds so, but note the date of the announcement is early November, well before all of the news stories.


69 posted on 01/03/2006 3:42:18 AM PST by rudy45
[ Post Reply | Private Reply | To 61 | View Replies]

To: rudy45
It's actually an old bug in WMF, it just became exploited recently. Just update your virus scanner, then go here and install the grc fix program for the WMF vulnerability.
70 posted on 01/03/2006 8:28:31 AM PST by Tarpon
[ Post Reply | Private Reply | To 69 | View Replies]


