By Paul F. Roberts  |  Posted 2006-01-05

E-mail attacks that trick users into clicking on WMF images have also been spotted, though they are less prevalent, Daymont said. "We're seeing e-mail as a vector for targeted attacks that are smaller in number," he said.
Still, ISC knows of one spam blast with a WMF attachment to around 5 million e-mail addresses that is believed to have compromised about 50,000 hosts, which were then added to a bot network, Ullrich said.
The attack worked even though most anti-virus products spotted the malicious attachment and the attempted exploit used in the e-mail attack, he said.

Some anti-virus companies, including Kaspersky Lab and McAfee Inc., have also developed detection signatures for WMFMaker, a scripting tool that makes it easy for unsophisticated hackers to craft their own attacks, according to Ullrich. WMFMaker is a simple command-line tool that lets attackers embed malicious code in WMF images. The tool is like a simplified version of the popular Metasploit hacking tool and allows unsophisticated hackers to create WMF attack images with very little effort, Ullrich said. The program may be partially responsible for a surge in malicious activity linked to the WMF exploit, he added.

Kevin Ladd, director of infrastructure at Direct Media Inc. in Greenwich, Conn., said he had a computer compromised by a WMF attack while surfing, but also said malicious Web sites were mostly to be found on "the dark side" of the Internet: sites frequented by hackers or those looking for the compromised versions of commercial software known as "warez."

That may become less true as time progresses, SecureWorks' Daymont said. Legitimate Web pages such as those on MySpace.com or America Online Inc.'s site could potentially be used as launching pads for WMF exploits if they are not carefully monitored for malicious images, he said, adding, "We'll be dealing with [WMF] for a long time to come … We expect to be responding to this attack for more than a year."
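The anti-virus signatures Ullrich describes key on the structure of the malicious WMF files rather than on any one payload. As an added illustration (not code from the article, from ISC, or from any vendor named in it), the Python below parses the WMF record stream and flags the record the December 2005 exploit relied on: a META_ESCAPE record carrying the SETABORTPROC escape, whose data GDI treated as a callback to invoke. That mechanism is the flaw behind the attacks the article discusses but is not stated in the article itself. The sample files are constructed here, not captures, and the "callback" bytes are inert filler, not a payload; a file that cannot be parsed to META_EOF is reported as malformed instead of being passed as clean.

```python
"""Flag WMF files carrying a SETABORTPROC escape record.

Added example, not from the article or any vendor. The WMF exploits of late
2005 abused GDI's META_ESCAPE / SETABORTPROC record, whose data GDI invoked as
a callback. No ordinary image needs that record, so its presence is a
high-confidence signal. All sample files below are constructed, not captures.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # Aldus placeable header key (little-endian on disk)
PLACEABLE_LEN = 22
META_HEADER_LEN = 18
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009


def parse_wmf_records(data: bytes):
    """Yield (offset, function, params) per record, stopping at META_EOF.

    Raises ValueError on anything truncated or malformed so callers can
    treat it as suspicious instead of silently clean.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = PLACEABLE_LEN
    if len(data) < off + META_HEADER_LEN:
        raise ValueError("too short for a WMF header")
    file_type, header_words, version = struct.unpack_from("<HHH", data, off)
    if file_type not in (1, 2) or header_words != 9 or version not in (0x0100, 0x0300):
        raise ValueError("not a recognisable WMF header")
    off += header_words * 2
    while True:
        if len(data) < off + 6:
            raise ValueError(f"record header truncated at offset {off}")
        size_words, func = struct.unpack_from("<IH", data, off)  # size is in WORDs
        if size_words < 3:
            raise ValueError(f"record at offset {off} is smaller than its own header")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f"record at offset {off} overruns the file")
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def scan_wmf(data: bytes) -> dict:
    """Return {'verdict': 'malicious' | 'malformed' | 'clean', 'reason': str}."""
    try:
        for off, func, params in parse_wmf_records(data):
            if func == META_ESCAPE and len(params) >= 4:
                escape_func, byte_count = struct.unpack_from("<HH", params, 0)
                if escape_func == SETABORTPROC:
                    return {"verdict": "malicious",
                            "reason": f"SETABORTPROC escape at offset {off} "
                                      f"with {byte_count} bytes of callback data"}
    except ValueError as exc:
        return {"verdict": "malformed", "reason": str(exc)}
    return {"verdict": "clean", "reason": "no SETABORTPROC escape before META_EOF"}


# --- constructed sample files (helpers build well-formed WMF byte strings) ---
def _record(func: int, params: bytes) -> bytes:
    if len(params) % 2:
        params += b"\x00"  # records are WORD aligned
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def _wmf(records: list, placeable: bool = False) -> bytes:
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (META_HEADER_LEN + len(body)) // 2,
                         0, max(len(r) for r in records) // 2, 0)
    prefix = b""
    if placeable:
        # Key, HWmf, bounding box (left, top, right, bottom), Inch, Reserved, then checksum
        prefix = struct.pack("<IHhhhhHI", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for word in struct.unpack("<10H", prefix):
            checksum ^= word
        prefix += struct.pack("<H", checksum)
    return prefix + header + body


BENIGN_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)), _record(META_EOF, b"")])
# Exploit-shaped file; the "callback" is inert filler standing in for shellcode.
MALICIOUS_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)),
                      _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 64) + b"A" * 64),
                      _record(META_EOF, b"")], placeable=True)
TRUNCATED_WMF = BENIGN_WMF[:-4]  # META_EOF record chopped off

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("malicious", MALICIOUS_WMF),
                       ("truncated", TRUNCATED_WMF), ("gif", b"GIF89a")):
        print(name, scan_wmf(blob))
```

Treating parse failures as a verdict of their own matters here: several of the circulating exploit files deliberately carried odd record sizes and header values, so a scanner that discards what it cannot parse hands the attacker a trivial bypass.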

