Attempts to exploit WMF vulnerability by IM multiply

IDG News Service - Security researchers have logged more than 70 variations of instant messages attempting to exploit the Windows Metafile (WMF) vulnerability since the first were reported on Saturday.

A vulnerability in the way Microsoft Corp.'s Windows operating system handles images in the WMF format means that opening a maliciously crafted WMF image could result in the execution of hostile code. Malicious WMF files can be distributed via a number of channels, including e-mail, Web sites, peer-to-peer file sharing services and instant messaging systems.

An attacker may be able to gain control of an IM user's computer by sending such a file, or a link to a Web site where one is hosted, through an IM system and then tricking the recipient into clicking on the file or link.

The first attempts to do this were logged on Saturday morning, when security researchers at Kaspersky Labs Ltd. received reports of a wave of attacks on Dutch users of the MSN Messenger service. They had received messages inviting them to click on a link to a Web site containing an image with the name "xmas-2006 FUNNY.jpg" -- in reality a Web page containing a maliciously crafted WMF file.

Anyone following the link would set in motion a chain of events, beginning with the download of a Trojan horse identified by Kaspersky as Trojan-Downloader.VBS.Psyme.br. This in turn would try to install a bot named Backdoor.Win32.SdBot.gen, which would then receive instructions over an Internet Relay Chat (IRC) channel to download IM-Worm.Win32.Kelvir, a worm that spreads over IM services, thus triggering a new wave of infections.

Although these early attacks all used the same file name to lure IM users, attackers have now diversified their methods.

By today, enterprise IM security company Akonix Systems Inc. had blocked attempts to transmit malicious WMF files using 70 different file names, according to Shakeel Itoola, product manager for the company's L7 enterprise IM filtering product. Around 1 million computers are protected by Akonix systems, Itoola said, although he couldn't say how many malicious messages exploiting the WMF vulnerability had been transmitted in total. The company's enterprise products are individually managed by the customer and do not report back such statistics.

Until steps can be taken to eliminate the vulnerability in handling WMF files, Microsoft advises Windows users to exercise caution when dealing with messages and links in messages from untrusted sources. The company expects to release a security patch to address the problem on Jan. 10, through Windows Update and other channels (see "Microsoft says 'Wait for us' as WMF threat climbs").

Microsoft's security advisory on the vulnerability is available online.

For more on this, read the following stories:
"How to protect against Windows WMF attacks".
"Microsoft says 'wait for us' as WMF threat climbs".
"WMF attacks on the rise".

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.