
WMF Attack Update / Timeline

Date: 01.02.2006

Threat Type: Malicious Website / Malicious Code

Since mid-December, Websense Security Labs has been tracking a new type of exploit that allows attackers to run malicious code without end-user intervention. Over the last week there have been several reports about this attack on our blog, on our alerts page, and on several other sites on the Internet. This alert is our attempt to plot the last week's activity in a timeline, update the current situation, and provide recommendations to our customers.

The attack exploits a vulnerability in Windows operating systems for which no patch is currently available. Because no patch is available from Microsoft, exploit code is published on the web, it is trivial to create an attack, and multiple vectors can be used to deliver it, we believe that exploits will continue to appear through the Web, instant messaging, email, and other technologies over the next week.

Timeline of Attacks

For a larger image click here: http://www.websensesecuritylabs.com/images/alerts/wmf_timeline.png

Text-Based Timeline

Dec 27, 2005: Websense Security Labs discovers IFRAME exploits that use new exploit code. Sites first started using this WMF exploit on Dec 14, 2005.

Dec 28, 2005: Sites increase in number. Approximately 1000 sites identified. Sites are using the exploit to install Potentially Unwanted Software (P.U.S) from IFRAME Cash dot Biz.

Dec 29, 2005: Additional types of sites discovered as Exfol Software starts using the exploit to also install P.U.S.

Dec 31, 2005: Instant messaging is now being used as an attack vector (Xmas 2006 attack). First email attack discovered (happynewyear.jpg). FrSIRT publishes exploit code.

Dec 31, 2005: Additional web attacks surface. These new attacks are installing bots and Trojan Horses onto machines.

Jan 1, 2006: Increase in web attacks. Now more than 100 sites are using the exploit to install bots and Trojan Horses.

Jan 2, 2006: Targeted Trojan Horse attack discovered via email.

See prevention and detection tabs for recommendation details.

Websense Security Labs References:

http://www.websensesecuritylabs.com/blog/

http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv

http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=385

http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=387

http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=389

References and Contribution:

* Internet Storm Center (http://isc.sans.org)

* iDEFENSE (http://www.idefense.com)

* Kaspersky Labs (http://www.kaspersky.com)

* Message Labs (http://www.messagelabs.com)

* Tom Fischer (http://www.tomfi.net)