Saturday, December 31, 2005

Best Wishes and WMF exploit again!

It was only a matter of time: the first IM-Worm exploiting the WMF vulnerability has been spotted. I have received multiple reports from the Netherlands about an IM-Worm which spreads via MSN using a link to "http://[snip]/xmas-2006 FUNNY.jpg". The .jpg is actually an HTML page with a (link to a) malicious WMF file.

I also spotted a marvelous new weblog called hexblog. It is the blog of Ilfak Guilfanov. He is the main author of IDA (Interactive Disassembler Pro, which you can find at my friend Pierre's site: www.datarescue.com ) and one of the best low-level Windows experts in the world. He has a description of the WMF exploit together with a nice temporary solution.
More details on Ilfak's blog: http://www.hexblog.com .
Ilfak recommends that you uninstall this fix and use the official patch from Microsoft as soon as it is available.

Let's hope we don't get too many outbreaks using this new WMF distribution method next year. At this moment I'm getting ready to start my New Year's Dinner ... hhhhmmmm ... Lobster!!!

My Best Wishes for the New Year 2006 to all of you!

Thursday, December 29, 2005

Windows Metafile Flaw getting more serious!

Microsoft's bulletin confirms that this vulnerability applies to all the main versions of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003. Microsoft and CERT.ORG have issued bulletins on the Windows Metafile vulnerability: http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.kb.cert.org/vuls/id/181038
It's a good idea to use the REGSVR32 workaround, which is listed in the MS bulletin mentioned above, while waiting for a patch. And finally, you might want to start filtering these domains at your corporate firewalls too. Please don't visit them!
I'm going to stop notifying you of all these addresses, as this list seems to grow larger every hour. So use your anti-virus programs and check regularly for a patch, or use the workaround from Microsoft. At this moment the WMF exploit is only being used to install spyware or fake anti-malware software on the affected machines. I'm wondering when we will see other malware, like viruses, using this distribution method...

Wednesday, December 28, 2005

WMF exploit getting more problematic...

Be really careful and please don't go to the following domains, as you will get infected!
This exploit works against a fully patched Windows XP box.
Start blocking the following domains, as well as the WMF files, which at this moment are coming from more and more domains:
Crackz(dot)ws
unionseek(dot)com
beehappyy(dot)biz
www.tfcco(dot)com
Iframeurl(dot)biz

New zero-day WMF exploit.

There's a new zero-day vulnerability related to Windows' image rendering, namely WMF files (Windows Metafiles). Trojan downloaders, available from unionseek(DOT)com, have been actively exploiting this vulnerability. Right now, fully patched Windows XP SP2 machines are vulnerable, with no known patch. Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file. The exploit is currently being used to distribute some trojans. Some of these install hoax anti-malware programs. I recommend updating your anti-virus scanners. MS will possibly release a solution soon.
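Both this post and the December 31 one describe the same trick: a file that is offered as an image (the IM-worm's "FUNNY.jpg") but is really an HTML page or a WMF. The following script is an added example, not code from the original blog; it shows how a proxy or mail gateway can flag such extension/content mismatches by inspecting the first bytes. The file names and contents are constructed samples, and the magic-byte values are the standard JPEG, placeable/standard WMF and HTML markers.

```python
# Added example (not from the original post): flag "image" files whose
# bytes are not the format the extension claims, e.g. a .jpg that is
# really an HTML page or a WMF. Sample inputs are constructed inline.
from pathlib import PurePosixPath

# Standard, documented magic bytes.
JPEG_MAGIC = b"\xff\xd8\xff"
WMF_PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"        # Aldus placeable WMF header
WMF_STANDARD_MAGICS = (b"\x01\x00\x09\x00",     # METAHEADER, type 1 (memory)
                       b"\x02\x00\x09\x00")     # METAHEADER, type 2 (disk)
HTML_PREFIXES = (b"<html", b"<!doctype", b"<script", b"<iframe")


def sniff(data: bytes) -> str:
    """Return the real format of the leading bytes: jpeg, wmf, html or unknown."""
    head = data[:4]
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    if head == WMF_PLACEABLE_MAGIC or head in WMF_STANDARD_MAGICS:
        return "wmf"
    if data.lstrip()[:16].lower().startswith(HTML_PREFIXES):
        return "html"
    return "unknown"


def is_suspicious(name: str, data: bytes) -> bool:
    """True when an image-looking file name carries HTML or WMF content."""
    ext = PurePosixPath(name).suffix.lower()
    if ext in (".jpg", ".jpeg", ".gif", ".png", ".bmp"):
        return sniff(data) in ("html", "wmf")
    return False


# Constructed samples: an HTML "image", a genuine JPEG start, a placeable WMF.
SAMPLES = {
    "xmas-2006 FUNNY.jpg": b"<html><body><iframe src='x.wmf'></iframe></body></html>",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "holiday.gif": b"\xd7\xcd\xc6\x9a\x00\x00" + b"\x00" * 16,
}


def scan(samples=SAMPLES) -> list:
    """Names of the samples whose content does not match their image extension."""
    return sorted(n for n, d in samples.items() if is_suspicious(n, d))


if __name__ == "__main__":
    for n in scan():
        print("SUSPICIOUS:", n)
```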

Monday, December 26, 2005

Merry Christmas to all my weblog readers!


And let's hope it will stay a little bit quiet over the next few days...

Thursday, December 22, 2005

Mobile viruses more problematic?

Indeed, we will see a lot more mobile viruses next year. That will be one of my predictions for next year, and we will get some serious problems with those! I just gave an interview to Jan-Frans Lemmens, who will publish my opinion shortly. Of course this will not only be about mobile viruses (viruses for mobile phones).
Meanwhile, I was contacted today by Belga (4Fm and Qmusic) radio news for a reaction to an article which appeared in 'Nieuwsblad' (a Belgian newspaper) concerning mobile viruses. You can hear the mp3 file on my press page under the short interviews section.
Datanews also published my quote about the 'failing email system' a few days ago. This was also released on my press page.

Tuesday, December 20, 2005

Thank you Sober?

A child porn offender in Germany turned himself in to the police after mistaking an email he received from a computer worm for an official warning that he was under investigation, authorities said on Tuesday. The 20-year-old was caught out by a version of the "Sober" worm, which sends out messages from a host of fabricated addresses. The trap was set when the man got an email saying "an investigation is underway" that listed the sender as Germany's Federal Criminal Police Office (BKA). Police charged him after finding pornographic images of children on his home computer. At least one good effect of the Sober worm, in my opinion!

Typosquatting heavily used also in Belgium and the Netherlands...

Typosquatting is a form of Internet cybersquatting, based on the probability that a certain number of Internet users will mistype the name of a Web site (or actually its URL) when surfing the Web. Typically, a typosquatter will register several possible input errors for a "brand name" Web site known for its high traffic, then monitor how many clicks a day each of their "typo" domain names receives, and use the information to sell advertising for the sites that receive a high volume of accidental traffic. Advertising revenue might come from selling ads to the original site's competitors or from providing redirect pages to related products or services. I have found several sites in Belgium and the Netherlands which have nearly the same name as some known ones, including the company I work for: NOXS ... You can find the official site at www.noxs.com, and it looks like we have a 'typosquatter' at www.noxs.org ... At least my www.wavci.com site seems not so popular yet! ;-)

Dasher Worm not In-The-Wild yet!

A new computer worm that exploits a critical Microsoft Windows 2000 flaw, first revealed by Microsoft in October, has been circulating since late last week and has now morphed into three variants. The Dasher worm takes advantage of a vulnerability in the Windows Distributed Transaction Coordinator (MSDTC), opening a back door on susceptible computers and causing them to connect to a remote server to receive further instructions. All Windows 2000 computers that have not been patched are most at risk from the worm. However, at this moment I can confirm that this worm is not really In-The-Wild in Belgium and the Netherlands. Let's hope that it stays like that.

Sunday, December 11, 2005

New updates of Sober.X (CME-681) scheduled Jan 5, 2006

A high number of infections of this worm are beginning to cause concern amongst security professionals on various forums, due to the discovery of updating routines within the worm. Infected machines will, on the 5th Jan 2006, attempt to download 'something' from various (not yet active) pages on the internet. While details about these addresses are somewhat vague, I advise that you monitor or block internet traffic (over TCP 80 and 90) to the following internet addresses. These addresses are NOT yet functional. Also ... these addresses are randomly generated by the worm, using an internal algorithm to point at the right web address at a specific time. These addresses are the best-fit domains/URLs to monitor or to block.
- people.freenet.de
- scifi.pages.at
- home.pages.at
- free.pages.at
- home.arcor.de
Internal addresses that are attempting to connect to these domains may be infected with this malware. However, this may be legitimate traffic, but it is nonetheless worth investigating. I'm not sure if we really will face problems after that day... but it's true that a lot of infections are still around us.
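To turn the advice above into a check, here is an added example (not code from the original post) that pulls the internal hosts talking to the five listed domains over TCP 80 or 90 out of a firewall or proxy log. It goes slightly beyond the post by also matching subdomains of the listed hosts. The key=value log layout and the log lines are constructed for the example; adapt the regular expression to your own device's format.

```python
# Added example (not from the original post): list internal hosts that
# contact the Sober.X update domains on TCP 80/90, from a constructed
# key=value firewall/proxy log format.
import re

WATCH_DOMAINS = ("people.freenet.de", "scifi.pages.at", "home.pages.at",
                 "free.pages.at", "home.arcor.de")
WATCH_PORTS = {80, 90}

# Constructed log layout: "... src=<ip> dst=<host> dport=<port> proto=<tcp|udp>"
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
                     r"dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)")


def matches_watch_domain(host: str) -> bool:
    """Exact match or subdomain of a watched domain (case-insensitive)."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCH_DOMAINS)


def suspicious_sources(log_lines) -> dict:
    """Map each internal source IP to the sorted watched hosts it contacted."""
    hits = {}
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the run
        if m["proto"].lower() != "tcp" or int(m["dport"]) not in WATCH_PORTS:
            continue  # only TCP 80/90 is in scope, as the post advises
        if matches_watch_domain(m["dst"]):
            hits.setdefault(m["src"], set()).add(m["dst"].lower())
    return {src: sorted(dsts) for src, dsts in hits.items()}


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2006-01-05 00:01:12 src=10.1.2.3 dst=people.freenet.de dport=80 proto=tcp",
    "2006-01-05 00:01:13 src=10.1.2.3 dst=www.example.com dport=80 proto=tcp",
    "2006-01-05 00:02:40 src=10.1.2.7 dst=home.arcor.de dport=90 proto=tcp",
    "2006-01-05 00:02:41 src=10.1.2.7 dst=HOME.PAGES.AT dport=443 proto=tcp",
    "2006-01-05 00:03:05 src=10.1.2.9 dst=free.pages.at dport=80 proto=udp",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for src, dsts in sorted(suspicious_sources(SAMPLE_LOG).items()):
        print(f"{src} -> {', '.join(dsts)}  (investigate; may be legitimate)")
```

Hosts it reports are leads to investigate, not proof of infection, since the post notes the same traffic can be legitimate.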

Tuesday, December 06, 2005

No trust in email anymore.

Yesterday, the newspaper De Morgen asked my opinion about the escalating spam and malware problem. This was published today on the front page of the newspaper. You can read it on my press page. Anyway ... I really have my doubts about the functionality of email in the way we are using it these days. I've lost trust in email for about 2 years now. Probably we will use it for another ten years, but we will see other (read: better) communication methods coming up. I'm 100% sure about that.

A gift from an anti-virus vendor.

Today was what we call 'Sinterklaas' in these parts of the world. Trend Micro had the nice idea to give everybody at our office a small chocolate gift, and this was delivered by 'Sinterklaas' himself. (See picture) Thank you! McAfee, Symantec, etc.: what can we have for Christmas?

Sunday, December 04, 2005

Google scanning for viruses?

Google has added a virus scanning feature to its Gmail Web mail service, complementing the existing virus protection based on blocking certain types of file attachments, such as executables. Google informed users of the new feature on a Web page where the company announces new Gmail features. Now, Gmail will automatically scan all attachments users send and receive, according to a frequently asked questions section devoted specifically to this new functionality. Gmail will attempt to clean or remove viruses from infected attachments so that users can access the attachment's information; otherwise, users will not be able to download the attachment. Gmail will also prevent users from sending messages with infected attachments.
Until now, Google has protected Gmail users by blocking messages that carry attachments commonly associated with virus attacks.

But which anti-virus product are they using ... nobody seems to know ... even my friends on some respected anti-virus forums don't know the answer ... strange?