Attempts to exploit WMF vulnerability by IM multiply
Security researchers have logged over 70 variations on instant messages attempting to exploit the WMF vulnerability since the first were reported on Saturday.
A vulnerability in the way Microsoft Corp.'s Windows OS handles images in the WMF (Windows Metafile) format means that opening a maliciously crafted WMF image could result in the execution of hostile code. Malicious WMF files can be distributed in a number of ways, including by e-mail, through Web sites, peer-to-peer file sharing services or by IM (instant message) systems.
By sending such a file, or a link to a Web site where one is hosted, through an IM system and then tricking IM users into clicking on the file or link, an attacker may be able to gain control of the IM user's computer.
The first attempts to do this were logged on Saturday morning, when security researchers at Kaspersky Labs Ltd. received reports of a wave of attacks on Dutch users of the MSN Messenger service. They had received messages inviting them to click on a link to a Web site containing an image with the name "xmas-2006 FUNNY.jpg" -- in reality a Web page containing a maliciously crafted WMF file.
Anyone following the link would set in motion a chain of events, beginning with the download of a Trojan horse identified by Kaspersky as Trojan-Downloader.VBS.Psyme.br. This in turn would try to install a bot named Backdoor.Win32.SdBot.gen, which would then receive instructions over an IRC (Internet Relay Chat) channel to download IM-Worm.Win32.Kelvir, a worm that spreads over IM services, thus triggering a new wave of infections.
Although these early attacks all pointed IM users to the same file name, attackers have now diversified their methods.
By midafternoon Wednesday, enterprise IM security company Akonix Systems Inc. had blocked attempts to transmit malicious WMF files using 70 different file names, according to Shakeel Itoola, product manager for the company's L7 enterprise IM filtering product. Around 1 million computers are protected by Akonix systems, Itoola said, but he couldn't say how many malicious messages exploiting the WMF vulnerability had been transmitted in total, as the company's enterprise products are individually managed by the customer and do not report back such statistics.
Until steps can be taken to eliminate the vulnerability in handling WMF files, Microsoft advises Windows users to exercise caution when dealing with messages and links in messages from untrusted sources. The company expects to release a security patch to address the problem on Jan. 10, through Windows Update and other channels, it said Tuesday. Microsoft's security advisory can be found here: http://www.microsoft.com/technet/security/advisory/912840.mspx
IDG News Service