Attempts to Exploit WMF Vulnerability by IM Multiply

Security researchers have logged over 70 variations on instant messages attempting to exploit the WMF vulnerability since the first were reported on Saturday.

A vulnerability in the way Microsoft Corp.’s Windows OS handles images in the WMF (Windows Metafile) format means that opening a maliciously crafted WMF image could result in the execution of hostile code. Malicious WMF files can be distributed in a number of ways, including by e-mail, through Web sites, peer-to-peer file sharing services or by IM (instant message) systems.

By sending such a file, or a link to a Web site where one is hosted, through an IM system and then tricking IM users into clicking on the file or link, an attacker may be able to gain control of the IM user’s computer.

The first attempts to do this were logged on Saturday morning, when security researchers at Kaspersky Labs Ltd. received reports of a wave of attacks on Dutch users of the MSN Messenger service. They had received messages inviting them to click on a link to a Web site containing an image with the name "xmas-2006 FUNNY.jpg" -- in reality a Web page containing a maliciously crafted WMF file.

Anyone following the link would set in motion a chain of events, beginning with the download of a Trojan horse identified by Kaspersky as This in turn would try to install a bot named Backdoor.Win32.SdBot.gen, which would then receive instructions over an IRC (Internet Relay Chat) channel to download IM-Worm.Win32.Kelvir, a worm that spreads over IM services, thus triggering a new wave of infections.

Although these early attacks all pointed IM users to the same file name, attackers have now diversified their methods.

By midafternoon Wednesday, enterprise IM security company Akonix Systems Inc. had blocked attempts to transmit malicious WMF files using 70 different file names, according to Shakeel Itoola, product manager for the company’s L7 enterprise IM filtering product. Around 1 million computers are protected by Akonix systems, Itoola said, but he couldn’t say how many malicious messages exploiting the WMF vulnerability had been transmitted in total, as the company’s enterprise products are individually managed by the customer and do not report back such statistics.

Until steps can be taken to eliminate the vulnerability in handling WMF files, Microsoft advises Windows users to exercise caution when dealing with messages and links in messages from untrusted sources. The company expects to release a security patch to address the problem on Jan. 10, through Windows Update and other channels, it said Tuesday. Microsoft’s security advisory can be found here.

By Peter Sayer - IDG News Service (Paris Bureau)

Copyright © 2006 IDG Communications, Inc.

The 10 most powerful cybersecurity companies