Classic tech archive.
From the original averyjparker.com tech blog — historical context; pair with modern guides where noted.
Full archive · Maker projects ·
Network Ninja
Classic tip · Classic
WMF Exploit -- it's worse...
This is going to be a rough start to the new year for IT staff and computer users.... There's coverage at Incidents.org, the sunbeltblog and f-secure of the latest twist in what will likely be a BIG …
This is going to be a rough start to the new year for IT staff and computer users....
There's coverage at Incidents.org, the sunbeltblog and f-secure of the latest twist in what will likely be a BIG mess to clean up. It looks like there's a someone spamming emails to tons of addresses with a specially crafted image (uses the WMF exploit.) It's also a slightly different variant of the exploit.
According to f-secure....
HappyNewYear.jpgSome clown is spamming out "Happy New Year" emails which will infect Windows machines very easily. These emails contain a new version of the WMF exploit, which doesn't seem to be related to the two earlier Metasploit WMF exploits we've seen.That unofficial patch is looking like the best preventative measure until there's an official MS patch out. The unofficial patch is available at this link and it's been reviewed by (at least) incidents.org and sunbelt. The patch is provided AS IS, no warranties and requires a reboot....
The emails have a Subject: "Happy New Year", body: "picture of 2006" and contain an exploit WMF as an attachment, named "HappyNewYear.jpg" (MD5: DBB27F839C8491E57EBCC9445BABB755). We detect this as PFV-Exploit.D.
When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from wwwritztours.com. Admins, filter this domain at your firewalls. It's going to get worse.