Saturday, December 31, 2005

WMF Exploit Firsthand

The last few days have been pretty crappy with regards to the computer situation.  On Wednesday (the 27th), I was trying to recover some files from a portable hard drive that had decided to go tits-up.  Well, the short story is that I was browsing the web using Google cache and all of a sudden my AV package and MS Antispyware went crazy.  Something was dropping trojans onto my machine at an alarming rate.  This was before all the hubbub broke out the next day describing the issue.

I spent an inordinate amount of time trying to undo all the hooks that had been put into my XP SP2 (fully patched) box.  First, I found that my firewall had been disabled, group policy had been applied to prevent me from accessing the task manager, and a bunch of stuff was injected into my startup portions in the registry.

Using Autoruns and Process Explorer, I also discovered that my Explorer.exe had been replaced and shelled out by another program that was trying to prevent me from removing the trojan(s).  A number of unknown services were installed and all of my browser settings were hijacked (no help from Antispyware there for some reason).  A static HTML page was inserted as my homepage that told me that my computer was at risk from spyware.  I suspect the idiots that wrote the malware expected me to take them up on an offer to remove it.

I was able to undo all the hooks and set the system in order, but I was not comfortable that I got every last thing.  As such, I had to back up a few files I was working on and restore a backup image I luckily had.  This took me a few days with everything else I had going on.

The points that bother me are:

  • I don’t think running as a lower-privilege user would have helped (yes, I run as an Admin, bad Ryan).  It appears that this is using a buffer overflow and RevertToSelf() to get to the SYSTEM account.  Perhaps I am wrong on this one, but I have not read anything to contravene this viewpoint, as it appears all XP machines are vulnerable regardless of setup.  I got this from Google’s cache, not by clicking or running any files.
  • MS Antispyware was easily defeated.  It did notify me that a trojan was installed and tried to let me remove it (which it said it did, but did not).  It did not protect me from any of my settings being hijacked.  That was a big miss.  Not only that, but I could not restore my old settings since the trojan wiped them as well.
  • My AV package did not help either.  It was nice enough to let me know that trojans were being installed, but did not appear to prevent it either.  What was the point of that?

This is a really bad one folks.  This is the very first time I have ever been infected or compromised.  I shudder to think how easily it occurred.  Make sure you patch up.  There is an unofficial patch you can use right now to help.