Anatomy of WMF ZeroDay Attacks

Transcript and Presenter's Notes


1
Anatomy of WMF Zero-Day Attacks
  • Ken Dunham, Director of the Rapid Response Team
  • May 3, 2006

2
Agenda: A Lifecycle Analysis
  • WMF (MS06-001) Disclosure
  • Vectors of Attack
  • Workaround Effectiveness
  • Exploitation In-Depth
  • Actor Attribution

3
WMF (MS06-001) Disclosure
  • WMF Vulnerability Disclosure
  • Exploit Code Ramps Up Quickly
  • Wednesday, Dec. 28th, Risk Ramps Up
  • Early Exploit Efforts
  • Extended Exploit Activity
  • Wild Wild WMF

4
WMF Vulnerability Disclosure
  • Public disclosure on Dec. 27, 2005, to the
    Full-Disclosure mailing list.
  • This post occurs on a Tuesday evening, after
    Christmas and before New Year's, when most
    companies are running skeleton crews.
  • The problem is caused by a backwards-compatibility
    printing parameter kept from pre-Windows 95 days.
    WMF was added as a default file association in
    Windows 2003/XP, years later.

5
Exploit Code Ramps Up Quickly
  • Within just a few hours an exploit is ported to
    the MetaSploit Project.
  • Now it's trivial for hackers to test and deploy
    the exploit in the wild.

6
Wednesday, Dec. 28th, Risk Ramps Up
  • WMF is escalated as a serious threat by multiple
    organizations.
  • Windows XP Professional and Home SP2 and Earlier,
    Windows Server 2003 SP 1 and earlier, and Windows
    2000 SP4 and earlier are suspected of being
    vulnerable.
  • Highly functional public exploit code is
    available.
  • MetaSploit has incorporated the exploit.
  • Patches and workarounds are not yet identified
    and tested.
  • At least 17 exploitation sites exist within 24
    hours.

7
Early Exploit Efforts
  • Nascene.A Downloader Trojan Horse
  • WMFMSits.A Downloader Trojan Horse
  • WMFMExe.A Downloader Trojan Horse
  • WMFioo.A Downloader Trojan Horse
  • WMFCrash.A DoS Trojan (Crashes PC)
  • SpyAxe Rogue Spyware
  • SpySheriff Rogue Spyware
  • Pump-and-Dump PGCN
  • HappyNY.A (Nascene.C) Downloader Spread over
    e-mail
  • Kelvir.DJ Bot spreading over networks and IM

8
Extended Exploit Activity
  • Over 70 attacks within 72 hours. About 600 by
    Jan. 8, 2006.
  • WMF hacktool (WMF-Maker.exe) is released on Jan.
    3, 2006.
  • Improved public WMF exploit code emerges by Dec.
    31, 2005.
  • It successfully evades existing Snort signatures
  • Is more robust and supports more sophisticated
    attacks
  • Hundreds of hostile websites emerge.
  • Dozens of new malicious code attacks emerge.
  • Anti-virus software is extremely slow to respond
    to the new threat. New exploit code is not
    detected until the work week resumes AFTER the
    New Years holiday. Problems continue as the
    exploit is updated.
  • WMF is used to push out more sophisticated codes
    such as MetaFisher.
  • Ready Rangers Liberation Front (RRLF) Spawns a
    WMF Worm Writing Contest.

9
Wild Wild WMF
  • February 2006 issue of Khaker magazine, "Wild
    Wild WMF"
  • Page 66: Only the Beginning
  • "According to data from McAfee, as of 6 January
    2006, 6% of machines worldwide were infected. And
    this is only the beginning, friend!"

10
Vectors of Attack
  • What's possible is not always reality
  • Hostile Sites
  • E-Mail
  • Google Desktop Search Indexing
  • Automated Threats?

11
What's Possible is Not Always Reality
  • 198 different technologies are identified as
    potentially vulnerable.
  • Windows XP 64-bit Edition SP1 (Itanium)
  • Windows XP 64-bit Edition Version 2003
  • Windows 98
  • Windows 2000 Terminal Services
  • and so on
  • How compatible are existing exploits? Public
    reports conflict!
  • Testing reveals that ONLY the following are
    successfully exploited by existing WMF exploits
  • Windows XP
  • Windows Server 2003
  • Older Windows contain a similar vulnerability but
    no exploit exists yet
  • Lotus Notes and Google Desktop Search are found
    to be vectors.

12
Hostile Sites
  • 583 hostile sites identified before we stopped
    tracking hostile sites
  • Xpl.wmf
  • Runcalc.exe
  • 1.wmf
  • Msits.exe
  • Xexe.exe
  • Test.wmf
  • Id9.html
  • Xpladv573.wmf
  • etc.
  • Some clearly the work of one actor or group.
  • Hundreds expected long term as opportunists cash
    in on the low hanging fruit (unpatched home
    computers).

13
E-mail: HappyNY.A (Nascene.C)
  • Did not execute automatically upon auto-preview
    within Outlook.

14
Automation??
  • If an attack could be automated, likelihood would
    exponentially increase for this new zero day
    attack.
  • Kelvir was already partially automated, spreading
    as an IM threat and directing users to a hostile
    site with a WMF exploit.
  • Could the Google Desktop Search indexing
    component be leveraged for increased automation?
  • Could e-mail be automated?
  • Could another automation or worm component be
    used to leverage this application layer
    vulnerability?

15
Workaround Effectiveness
  • Alternative browsers were helpful but what if you
    must use IE?
  • Un-register shimgvw.dll
  • Data Execution Protection (DEP)
  • Snort Signatures Emerged Rapidly
  • Block WMF files
  • Change WMF Association
  • Other Workaround Options
  • 3rd Party Patches

16
Un-Register Shimgvw.dll
  • Shell IMaGe VieWer (Shimgvw)
  • This was one of the first public workarounds
    posted to the Internet.
  • It successfully unregisters the Windows Picture
    and Fax Viewer DLL associated with WMF.
  • DISABLE: Start\Run: regsvr32 /u shimgvw.dll
  • REGISTER: Start\Run: regsvr32 shimgvw.dll
  • Windows XP: HKLM\SOFTWARE\Classes\SystemFileAssociations\image\ShellEx\ContextMenuHandlers\ShellImagePreview
  • @="{e84fda7c-1d6a-45f6-b725-cb260c236066}"
  • Was proven not to be foolproof: other paths
    exist to reach the vulnerable escape() function
    in gdi32.dll (e.g., via mspaint).

17
Data Execution Prevention (DEP)
  • Hardware DEP was found to be completely effective
    against the initial WMF exploits.
  • Software DEP was originally stated as completely
    effective against the original exploit, but this
    was found to not be true after extensive lab
    testing.

18
Snort Signatures Emerged Rapidly
  • VeriSign iDefense Snort signature Dec. 28, 2006,
    at 2048 GMT.
  • Updated Snort signature within a day.
  • Bleeding Snort Signatures published on Dec. 29,
    2006.
  • Updated Snort signatures on Dec. 30, 2006.
  • Updated Snort signatures against improved exploit
    out on Dec. 31, 2006.

alert tcp any any -> any any (msg:"Metasploit WMF setabortproc obfuscated SERVER attempt first packet"; pcre:"/http\/1\.1.302.moved..?/mis"; sid:2001561; flowbits:set,wmfredirect; reference:url,www.frsirt.com/exploits/20051231.ie_xp_pfv_metafile.pm.php;)

19
Block WMF Files
  • What do you do if you have a legitimate need for
    WMF file types?
  • Just because it has a WMF extension doesn't mean
    it's hostile.
  • WMF attacks, such as HappyNY.A, were spread with
    the JPG extension. ANY associated image file type
    could be a hostile WMF file.
  • Blocking difficult
  • HTTP
  • P2P
  • IRC
  • E-mail
  • FTP
  • Encrypted
  • etc.

20
Change WMF Association
  • Users can change the association easily through
    Folder Options.
  • This approach doesn't work for those with a
    legitimate need to view and work with Windows
    Metafiles for vector graphics work.
  • Is useful as a short term workaround until a
    patch is available.

21
Other Workaround Options
  • Filter MIME header data for WMF content.
  • Remove administrator privileges where feasible.
  • The exploit requires administrator rights in
    order to fully compromise a computer.
  • Configure Internet Explorer to a HIGH security
    level.
  • Blacklist known hostile sites.
  • Use virtual machines, such as VMWare, with no
    assets loaded to perform external browsing, until
    a patch is made available.

22
3rd Party Patches
  • Ilfak Guilfanov (author of IDA Pro), at
    Hexblog.com, posts a 3rd party patch for WMF on
    Dec. 31, 2005.
  • The Hexblog.com patch ignored escape() calls
    using the SETABORTPROC parameter, blocking the
    exploits while still allowing normal viewing of
    legitimate image files.
  • With no word on a patch from Microsoft, many were
    considering the patch with exploitation well
    underway in early January 2006.
  • Debates erupted over 3rd party patching
  • Can it be trusted? What if it contains a
    backdoor?
  • Will it cause instability or incompatibility
    issues?
  • Will it negatively impact my operating
    environment if applied?
  • Will updates be made to the patch if it is found
    that it could be improved upon?
  • Can I easily remove this patch when an official
    patch is made available?
  • At least one more 3rd party patch emerges the
    first week of January 2006, followed by an
    official patch by Microsoft Corp.
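Two of the slides above carry a defensive point worth seeing in code: the Block WMF Files slide warns that a hostile WMF can arrive under any image extension, and the 3rd Party Patches slide describes the Hexblog patch ignoring escape() calls with SETABORTPROC. The scanner below is an added example, not code from the presentation, iDefense or Hexblog: it identifies a WMF by content only and counts META_ESCAPE records carrying SETABORTPROC. The layout constants are the public WMF format values (placeable-header key, 18-byte standard header, record size in 16-bit words); the sample blobs are constructed inline and are not real malware. It also goes one step beyond the slides by reporting truncated files as malformed rather than silently clean.

```python
import struct
PLACEABLE_MAGIC = 0x9AC6CDD7  # key of the optional 22-byte placeable header
META_ESCAPE = 0x0626          # record function number for a GDI Escape
META_EOF = 0x0000
SETABORTPROC = 0x0009         # Escape sub-function abused by the MS06-001 exploits

def wmf_body_offset(data: bytes):
    """Offset of the first record if the bytes are a WMF (extension ignored), else None."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        return None
    mt_type, header_words = struct.unpack_from("<HH", data, off)
    return off + 18 if mt_type in (1, 2) and header_words == 9 else None

def wmf_records(data: bytes):
    """Yield (function, params) per record; ValueError on a truncated or malformed file."""
    off = wmf_body_offset(data)
    if off is None:
        raise ValueError("not a WMF")
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # size is in 16-bit words
        end = off + size_words * 2
        if size_words < 3 or end > len(data):
            raise ValueError("record at offset %d runs past end of file" % off)
        yield func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("no META_EOF record")

def setabortproc_escapes(data: bytes) -> int:
    """Count META_ESCAPE records whose sub-function is SETABORTPROC."""
    return sum(1 for func, params in wmf_records(data) if func == META_ESCAPE
               and len(params) >= 2 and struct.unpack_from("<H", params)[0] == SETABORTPROC)

def classify(data: bytes) -> str:
    """Content-only verdict: not-wmf, wmf-clean, wmf-setabortproc or wmf-malformed."""
    if wmf_body_offset(data) is None:
        return "not-wmf"
    try:
        return "wmf-setabortproc" if setabortproc_escapes(data) else "wmf-clean"
    except ValueError:
        return "wmf-malformed"

def _record(func: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", 3 + len(params) // 2, func) + params
# Constructed samples, not real malware: 18-byte standard header (mtSize left 0) plus records.
_HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
CLEAN_WMF = _HEADER + _record(0x0201, struct.pack("<I", 0x00FFFFFF)) + _record(META_EOF)  # SETBKCOLOR
ESCAPE_WMF = _HEADER + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)) + _record(META_EOF)
FAKE_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 20  # a genuine JPEG start, whatever the extension says
```

Run classify() over any attachment or cached image regardless of its name; a "wmf-setabortproc" verdict is the same condition the Hexblog patch suppressed at render time.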

23
Exploitation In-Depth
  • Rogue Spyware Installations
  • Pump and Dump Scams
  • Targeted WMF Attacks
  • MetaFisher

24
Rogue Spyware Installations
  • The first attacks involved many rogue spyware
    installations.
  • Is it possible that the rumored $4,000 sale of
    WMF exploit code, out of Russia, to rogue spyware
    dealers took place a few weeks prior?
  • http://www.spywarewarrior.com/rogue_anti-spyware.htm

25
Pump-and-Dump Scam
  • SMTP traffic was found on a WMF-attacked computer
    from the beehappyy.biz attack site.
  • It contains a GIF promoting the purchase of PGCN
    Pink Sheet stock.
  • PGCN was changed to PGCN.OB. A 100% increase in
    value occurred on Dec. 15, 2005.
  • This is a common type of spam and fraud, as
    tracked by http://www.spamstocktracker.com/

26
Targeted WMF Attacks
  • About 70 interceptions of hostile e-mails
    targeting South Korean military officials were
    discovered on or around Dec. 28, 2005.
  • From: tommy@security.state.gov
    Subject: Confidential
    Body (sic): Attached is the digital map for you.
    You should meet that man at those points
    separately. Delete the map thereafter. Good luck.
    Tommy
    Attachment: map.wmf (8,710 bytes)
  • Results in a downloader event which installs
    malicious code.
  • Utilized www.pass.as second-layer domain name to
    obscure the attack (duhamel17.com).
  • Hosted by a victimized computer in Canada
    (207.35.85.254).
  • CNET reports another targeted attack at the same
    time, focused on the United Kingdom Parliament.
  • Attacks clearly came from a known Chinese Hacking
    gang.
  • MessageLabs reportedly blocks all such attacks.
  • According to other accounts, the attack, directed
    at UK parliamentary politicians and staff, was
    "precisely tailored" to the recipients

27
MetaFisher
Sorry, you can't view this web site with IE, use opera please <a href="http://opera.com">http://opera.com</a> <IFRAME src="xpl.wmf"

28
Actor Attribution
  • Sp0Raw Early Attacks
  • MetaFisher Later Attacks
  • Fuzzing Analysis

29
Sp0Raw Early Attacks
  • Anecdotal, unconfirmed evidence points to a
    Russian hacker called Sp0Raw.
  • Self-proclaimed "Cracker from St. Petersburg,
    RUSSIA."
  • www.sporaw.com
  • www.sporaw.ru
  • According to the Russian online hacker magazine
    Xakep (Khaker), Sp0Raw in 2003 allegedly hacked
    into a testing system facility of the Russian
    Ministry of Defense.
  • Early rogue spyware WMF attacks included an
    encoded URL with the string O600KO78RUS.
  • Quoted on LiveJournal.com, just prior to WMF
    public knowledge, that WMF was "fulfilling its
    work... quietly, peacefully, not bothering anyone."
  • A picture of his car wreck with his Mercedes
    Benz shows the license plate appears to be
    O600KO78RUS.

30
MetaFisher Later Attacks
  • Russian WebAttacker Exploit Framework linked to
    ToteR (aka TosteR666).
  • At least one MetaFisher variant has been found to
    be distributed by WebAttacker.
  • T0teR forum posts on a Russian forum involve
    discussions about the reliability of exploits
    used within WebAttacker.
  • A photo of T0teR was published in a defacement
    (eyes obscured here by iDefense).
  • The actors behind MetaFisher are likely several,
    due to the sophistication and scope of operations
    to date.

31
Fuzzing Analysis
  • Fuzzing involves automating thousands of changes
    to a file, and testing of that file, to see if it
    generates any exceptions of interest. This is
    helpful in discovering some types of
    vulnerabilities.
  • Anecdotal evidence suggests that these attacks
    have been taking place privately since about Dec.
    12, 2005.
  • Pump and Dump correlations
  • Reports of the exploit for sale just weeks before
    public knowledge
  • Rapid discovery of multiple sites exploiting WMF
  • Dates of files uploaded to hostile servers and
    code analysis
  • A strings analysis of the original WMF exploit
    revealed interesting strings: "JNK c", "Jun N",
    "terminal", and "kitase". "Kitase" is just one
    letter away from "kinase" (the "n" overwritten
    with "s" during fuzzing). Googling led to a
    strong match:
  • http://www.ib.amwaw.edu.pl/home/dslado/apoptoza/apop/preview.wmf
  • The similarities of data between the found file
    and the exploit are statistically improbable.
    This is the file that was fuzzed to find the
    vulnerability.

32
Q and A
Ken Dunham, kdunham@idefense.com