Windows zero day nightmare exploited


Recommended Posts

byte

F-SECURE, Bugtraq and a number of other security aware outfits have warned of a zero day vulnerability that's being actively exploited as we write.

Fully patched Windows XP SP2 machines are vulnerable and there's no known fix as yet.

A number of trojans are being distributed using the vulnerability, related to Windows' image rendering.

F-Secure says you can get blatted if you visit a site with an image file containing the exploit. IE users may automatically be infected. Firefox users can get infected if the image file is downloaded. There's more solid advice at F-Secure. We await a patch from Microsoft.

Full article and source

Link to post
Share on other sites
sn00pie

NOD32 detected a trojan yesterday in my system32/c2c.dll, it's called Win32/Delf.AHV. Any relation to this?

Link to post
Share on other sites
RootWind

NOD32 detected a trojan yesterday in my system32/c2c.dll, it's called Win32/Delf.AHV. Any relation to this?

Doubt it, if this was really zero day, then NOD32 would give the generic heuristic detection (NewHeur* something like that), and not a name (unless the news source is a bit late, which it might be).

Link to post
Share on other sites
mAcOdIn

Alot of spyware is being classified as trojans now by alot of AV's, and to be fair they do ehibit some trojan behavior, so it was probably spyware of some sort.

Link to post
Share on other sites
bush

sounds pretty creepy. but using irfanview and firefox is it that serious?

Link to post
Share on other sites
madnuke

Just in time for work tomorow, if this realy is true then is the attack ment to happen today or in the next 24 hours?

Link to post
Share on other sites
mAcOdIn

sounds pretty creepy. but using irfanview and firefox is it that serious?

Well using firefox it sounds like you'd have to accept to download the file and then view it in IE or explorer, so I'd say the chances of getting infected via firefox is slim for most of us as we wouldn't accept a download at random.

Link to post
Share on other sites
RootWind

Just in time for work tomorow, if this realy is true then is the attack ment to happen today or in the next 24 hours?

Well it's been spreading in the last 24 hours apparently. It's not really an "attack" where someone is actively attacking something, but you still need to make the user do something (go to a website).

Edit: Well that's interesting. I guess McAfee VS Enterprise is pretty useful since it is able to block it with its Buffer Overflow protection. Does anyone know if the buffer overflow protection from AMD and Intel do anything?

Edited by DefensiveCore
Link to post
Share on other sites
yodat

Doubt it, if this was really zero day, then NOD32 would give the generic heuristic detection (NewHeur* something like that), and not a name (unless the news source is a bit late, which it might be).

Yes, NOD32 detects the malwares which uses this exploit from update 1.1342.

http://www.wilderssecurity.com/showthread.php?t=113132

Link to post
Share on other sites
+Ely

Yes this is out in the open as we speak, I have seen three computers already infected by This in the last two days, The previous link will just take you to a page where you can view information on the exploit, It's REALLY nasty and spreading quickly, ANY XP machine fully patched can get instantly infected if you just view a website containing the exploint while using Internet Explorer.

I have also explained how to remove one of the variants of this exploit Here

Edited by Ely
Link to post
Share on other sites
madnuke

Ok, now on action stations I've seen that this before only today at work, when we going to be able to get a patch from Microsoft or some updated virus protection files. If this exploit is published it could be another few varients of it.

Link to post
Share on other sites
RootWind

Ok, now on action stations I've seen that this before only today at work, when we going to be able to get a patch from Microsoft or some updated virus protection files. If this exploit is published it could be another few varients of it.

Looks like almost every AV has an update for it already.

Link to post
Share on other sites
TimRogers

Does anyone have the sample code, I'd like to have a look at it, and then I might have a hope of working out how to fix it :)

Link to post
Share on other sites
Ficman

This one appears to be picking up steam, hold on to your hats fella's this one could be really bad... :wacko:

Link to post
Share on other sites
BigCheese

OOOHHHHH!

"Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C."

Yesterday, I went to some dodgy website (using Maxthon), and it kept asking to download some random wmf file. Luckily I didn't.

Link to post
Share on other sites
+Ely

It's funny how yesterday you would make a search on this board for SpySheriff and you would get no results, Just make a search for it now and you'll see how fast it's going........ This is a nasty nasty infection.

Link to post
Share on other sites
chopyaedoff

blocking access to all WMF files and using Knoppix Linux to visit untrustworthy sites.

Link to post
Share on other sites
madnuke

This is looking partically nasty and time consuming to us PC techs, I think its going to be best to format untill there is some easy removal tool or Microsoft patchs it as most normal savy pc users wont know about this, half of them wont even know what a a .wmf is.

Link to post
Share on other sites
+Ely

Here is a video on how this thing behaves one you are infected, telling by the info so far it looks like there's lots of different variants of it, it always works using different antyspyware hoax programs:

Video Here

and Here it is a link to the full article with the video.

Link to post
Share on other sites
+John Teacake

Is there a way to tell if youve been infected?

Link to post
Share on other sites
fascist

yeah, watch the video youll see.

Link to post
Share on other sites
+John Teacake

Hey im watching no video. Sorry but you cant be too careful.

Link to post
Share on other sites
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.