New exploit compromises fully patched Windows machines

It seems that 2005 will not end without another major parasite outbreak, thanks to the latest Windows exploit. A few days ago, on December 26, a completely new threat was discovered. The WMF exploit, as it was named, penetrates the system through a serious security flaw in an essential Microsoft Windows component. The exploit is described as “zero day” because it targets a vulnerability that was previously unknown and is therefore still unfixed. The most alarming fact about it, however, is that practically every computer running Microsoft Windows XP or Microsoft Windows Server 2003 is vulnerable, regardless of which service pack is installed. Furthermore, earlier Windows versions might also be affected.

HOW THE SYSTEM IS COMPROMISED
A machine running Windows XP (Service Pack 1 or Service Pack 2) or Windows 2003 (Service Pack 1 or without it) gets infected in the following cases:
when the user (or software) visits a malicious web site hosting an exploit;
the user (or software) opens a harmful image file with the .wmf extension in Windows Picture and Fax Viewer;
a malicious .wmf file is previewed in Windows Explorer.
However, that’s not all. According to our own information, hackers have already started sending out large numbers of dangerous e-mail messages containing malicious code. It is also known that some attackers may already be posting bogus comments on various blogs; these comments include links to malicious web sites that host the exploit. Getting infected can take a second. Antivirus and anti-spyware products with slightly outdated malware definition databases cannot reliably detect exploitation attempts, even with real-time monitoring enabled. Moreover, even users of alternative web browsers cannot feel safe: both Mozilla Firefox and Opera are affected.

HOW THE WMF EXPLOIT WORKS
The exploit is designed to abuse security flaws in the WMF (Windows Metafile) library, also known as the Graphics Rendering Engine, which Windows and installed applications use to handle images of particular types. This means that any program capable of automatically displaying WMF images can potentially compromise the system. The list of software supporting WMF is quite long: it includes Windows Picture and Fax Viewer, all versions of Internet Explorer, older versions of Mozilla Firefox, current Opera releases, and more.

THE PAYLOAD
Once the exploit detects a vulnerable system, it immediately drops malicious code onto it. This code is usually a tiny trojan that downloads from the Internet another, more sophisticated trojan, which in turn pulls down from predefined web servers much more dangerous threats: spyware and adware parasites, backdoors or malicious spam tools. A compromised computer can easily be used to attack other hosts and send spam. The hacker can also gain full control over the system and steal sensitive user information.

EXAMPLES
Alex Eckelberry, president of Sunbelt Software, makers of CounterSpy, one of the most popular and powerful spyware removers, has already found an example of how the WMF exploit is used. He visited a malicious web site with a fully patched Windows XP system. The computer was immediately infected with a trojan that changed the desktop background to a fake warning message, pretty similar to those displayed by SpySheriff, WinHound and other infamous parasites. It must be noted that this occurred on the very first day the exploit was discovered. Today, many more parasites using the WMF exploit can be seen in the wild.

PREVENTIVE MEASURES
Although there are no permanent fixes for the recently discovered WMF vulnerabilities, users can still avoid infection. There are a few workarounds for the exploit.

Unregistering the WMF library
The Graphics Rendering Engine is a standard Windows library, that is, a regular file with the .dll extension. According to US-CERT, “Remapping handling of Windows Metafiles to open a program other than the default Windows Picture and Fax Viewer (SHIMGVW.DLL) may prevent exploitation via some current attack vectors.” This means that the user has to manually unregister the shimgvw.dll file located in the default system directory. This disables viewing certain images in the Windows Picture and Fax Viewer, but should help prevent typical exploitation attempts:
1. Click on the Start button.
2. Then navigate to Programs > Accessories and click on Command Prompt. Or launch the Run… tool, enter cmd and press Enter.
3. From the command prompt, type regsvr32 /u shimgvw.dll.

Changing file associations for WMF files
The new exploit uses WMF files to compromise the system. If no vulnerable application can open such files, the system stays protected. This means that the user has to associate .wmf files with a program that isn’t affected. Then even accidentally opening a malicious file will not infect the system.
1. Launch Windows Explorer.
2. Click on the Tools menu and then select the Folder Options entry.
3. Open the File Types tab.
4. In the list that appears, find the following entry: WMF WMF Image.
5. Click on the Change button and select a program that is not affected. I suggest choosing Notepad here.
6. Apply the changes.
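The two workarounds above, combined into one batch script as an added example (not from the original article or from US-CERT). It assumes that shimgvw.dll lives in %SystemRoot%\system32, that the existing .wmf file type is registered as wmffile, and that the txtfile type (Notepad) is the safe replacement handler:

```batch
@echo off
rem Added example: applies both WMF workarounds described in the article.
rem Assumptions (not stated on the page): shimgvw.dll is in %SystemRoot%\system32,
rem the .wmf file type is registered as "wmffile", and "txtfile" opens Notepad.
setlocal
set "DLL=%SystemRoot%\system32\shimgvw.dll"

if not exist "%DLL%" (
    echo shimgvw.dll not found at "%DLL%"
    exit /b 1
)

echo Current .wmf association:
assoc .wmf 2>nul
ftype wmffile 2>nul

rem Workaround 1: unregister the Graphics Rendering Engine.
rem /u = unregister, /s = silent (no dialog box); the exit code is checked instead.
regsvr32 /u /s "%DLL%"
if errorlevel 1 (
    echo regsvr32 /u failed with exit code %errorlevel%
    exit /b 1
)
echo shimgvw.dll unregistered.

rem Workaround 2: remap .wmf to the txtfile type so that opening or previewing
rem a .wmf file launches Notepad instead of the Picture and Fax Viewer
rem (the same effect as the Folder Options steps above).
assoc .wmf=txtfile
if errorlevel 1 (
    echo Could not change the .wmf association
    exit /b 1
)

echo New .wmf association:
assoc .wmf

echo To undo later: regsvr32 /s "%DLL%"  and  assoc .wmf=wmffile
endlocal
```

Run it from an administrator account, since both regsvr32 and the association change write to HKEY_CLASSES_ROOT.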

THE FIX
Reputable security experts classify the flaw in the WMF library as highly critical. Microsoft is aware of this vulnerability and has most likely already started preparing a fix for it. However, until the patch is released, all users should be extremely careful surfing the web these days. It is much easier to get hit by the WMF exploit than to pick up the infamous SpyAxe trojan, which succeeded in infecting thousands of computers around the globe. The final advice: do not visit the web sites listed below! These are malicious resources that run the exploit whenever a visitor accesses them.

The list of malicious web sites was posted on SunbeltBLOG. I would like to thank Sunbelt Software for collecting the addresses of these malicious Internet resources. This should really help users avoid the threats posed by the new exploit.
