16 January 2006
Focused attacks and botnets greater threat than WMF type vulns
While the Microsoft Windows Metafile vulnerability may have generated
a frenzy of media attention, the real threat in the year ahead will
consist of increasingly stealthy, targeted attacks.
That is not to say that the Windows hole was not significant: it
had the potential to damage millions of XP-based PCs running Service
Pack 1 and 2, and Windows Server 2003 machines running Service Pack
0 and 1.
The vulnerability was found in the WMF library, which stores image
data as vector drawing instructions rather than as bitmaps.
The problem lay in the fact that whoever created an image had the
option to include a 64kb chunk of code in the vector file that would
be executed should an error occur while it was rendered.
This meant that code with a malicious payload could be used to
deliberately corrupt the rest of the file, enabling attackers to
install backdoors, adware or a bot program to turn infected machines
into zombies.
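The record the article describes is the WMF escape carrying the SETABORTPROC sub-function, whose 16-bit byte count is what caps the embedded data at 64kb. As an added example, not from the article or from any vendor's tooling, the following Python walks a WMF file's record list and flags that escape: the kind of check a mail gateway or file scanner could apply while an official patch is pending. The file layout follows the MS-WMF specification; the two sample files are constructed inline, and the helper names (`iter_wmf_records`, `find_setabortproc`, `build_wmf`) are mine.

```python
import struct
import sys

# WMF constants from the MS-WMF specification.
PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic, precedes META_HEADER when present
META_HEADER_SIZE = 18        # bytes
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape sub-function that registers an abort callback
QUERYESCSUPPORT = 0x0008     # a harmless escape sub-function, used for the benign sample


def iter_wmf_records(data: bytes):
    """Walk the record list of a WMF file, yielding (offset, function, params).

    Every size is validated against the buffer so a truncated or lying
    record cannot make the walker read out of bounds.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip the placeable header
    if len(data) < off + META_HEADER_SIZE:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2  # HeaderSize is in 16-bit words (normally 9)
    while off + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, off)
        size_bytes = size_words * 2
        if size_words < 3 or off + size_bytes > len(data):
            raise ValueError(f"malformed record at offset {off}")
        yield off, function, data[off + 6 : off + size_bytes]
        if function == META_EOF:
            return
        off += size_bytes
    raise ValueError("record stream ended without META_EOF")


def find_setabortproc(data: bytes) -> list:
    """Return one finding per META_ESCAPE record whose sub-function is SETABORTPROC."""
    findings = []
    for off, function, params in iter_wmf_records(data):
        # The low byte of RecordFunction identifies the record type (0x26 for
        # META_ESCAPE); matching on it rather than the full 0x0626 also catches
        # records whose high byte is not the canonical 0x06.
        if (function & 0xFF) != (META_ESCAPE & 0xFF) or len(params) < 4:
            continue
        esc_func, byte_count = struct.unpack_from("<HH", params, 0)
        if esc_func == SETABORTPROC:
            findings.append({"offset": off, "function": function, "byte_count": byte_count})
    return findings


def _record(function: int, params: bytes = b"") -> bytes:
    """Encode one record: size in words (including this 6-byte prefix), function, params."""
    assert len(params) % 2 == 0, "WMF parameters are 16-bit words"
    return struct.pack("<IH", (6 + len(params)) // 2, function) + params


def build_wmf(records: list) -> bytes:
    """Assemble a minimal memory-type WMF (no placeable header) around the records."""
    records = list(records) + [_record(META_EOF)]
    body = b"".join(records)
    header = struct.pack(
        "<HHHIHIH",
        0x0001,                               # Type: memory metafile
        META_HEADER_SIZE // 2,                # HeaderSize in words
        0x0300,                               # Version
        (META_HEADER_SIZE + len(body)) // 2,  # total file size in words
        0,                                    # NumberOfObjects
        max(len(r) for r in records) // 2,    # MaxRecord in words
        0,                                    # NumberOfMembers (reserved)
    )
    return header + body


# Constructed samples (not real files): a benign image that only sets the
# mapping mode and issues a harmless escape, and one carrying a SETABORTPROC
# escape whose data is zero filler standing in for an attacker-supplied blob.
BENIGN_WMF = build_wmf([
    _record(META_SETMAPMODE, struct.pack("<H", 8)),  # MM_ANISOTROPIC
    _record(META_ESCAPE, struct.pack("<HH", QUERYESCSUPPORT, 2) + struct.pack("<H", 1)),
])
SUSPICIOUS_WMF = build_wmf([
    _record(META_SETMAPMODE, struct.pack("<H", 8)),
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8),
])


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for hit in find_setabortproc(fh.read()):
                print(f"{path}: SETABORTPROC escape at offset {hit['offset']} "
                      f"(function 0x{hit['function']:04x}, {hit['byte_count']} bytes of data)")
```

Run it with one or more `.wmf` paths to list any SETABORTPROC escapes. A legitimate image has no reason to register an abort procedure, so any hit is worth quarantining; a `ValueError` from the walker (bad sizes, missing `META_EOF`) is itself a useful signal that the file is not a well-formed metafile.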
However, although the vulnerability had been known about for some
time, it was on 27 December last year that a Trojan horse, dubbed
Exploit-WMF, was discovered; Symantec rated it a category two risk
and Kaspersky Labs rated it highly critical.
The exploit was installed at two confirmed web sites, which meant
that users who visited them with Internet Explorer, or in certain
circumstances with Firefox, had their systems infected. Users were
also vulnerable when previewing .wmf files in Windows Explorer.
As a result, by early January, security experts had taken the unusual
step of recommending that organizations deploy an unofficial patch
developed by the security software developer Ilfak Guilfanov.
The move was an unusual one, says Russ Cooper, senior information
security analyst at Cybertrust, because most security firms encourage
their customers to avoid downloading free, unverified software.
“Microsoft has deep pockets and can do more quality assurance
testing than any individual could possibly do. So, as a rule, corporates
should rely on Microsoft to provide the solution rather than look
to individual third parties that aren’t in a position to test
enough to ensure there aren’t any problems,” he explains.
In practice, however, says Steve Manzuik, eEye’s security
product manager in charge of research, few large organizations
applied the third-party patch, precisely because of that perceived
risk.
But by Thursday 5 January, an authorized fix was released by Microsoft
itself, several days ahead of its usual monthly ‘Patch Tuesday’
schedule because it finished testing earlier than anticipated and
was eager to calm the media furore.
Manzuik explains the significance of the situation: “It was
a big deal and it wasn’t. It was a big deal in that it was
a zero day vulnerability with no patch that could have been used
to do really bad things. But in reality, it wasn’t a big deal
because no one took advantage of the exploit in a really bad way.
It was only used by a handful of obscure sites and people were made
aware of the situation very quickly.”
Nonetheless, believes Richard Ford, associate professor at Florida
Institute of Technology, the affair is likely to see people, both
“black and white hats”, taking a closer look at WMF
to see if there are other vulnerabilities.
And sure enough, two more flaws in the code have already been posted
on the Bugtraq security mailing list by a hacker known as ‘cocoruder’,
although they are not considered as serious as the initial one.
“The key thing to learn from this is that there are always
going to be zero day exploits no matter who the vendor is, so the
industry needs to focus very hard on the problem and start thinking
about ways to deal with this beyond patches,” Ford says.
This is because, while most larger organizations are relatively
well protected using multiple layers of defence, the same is not
true of small to medium businesses and home users.
“It’s important because we’re talking about putting
a pool of CPU power into the wrong hands and that’s damaging
for everyone. But focusing on patching is the wrong lesson here
because it’s like closing the stable door after the horse
has bolted,” Ford explains.
Moreover, Cooper believes that the real threat in the year ahead
is likely to come less from issues such as WMF vulnerabilities,
which he describes as “a blip”, and more from an increase
in stealthy attacks with tools such as botnets.
Botnets are formed when a collection of machines is infected with
worms, Trojan horses or backdoors and controlled remotely by a botherder
or malware writer through a common command and control system. That
control enables the botherder to mount denial-of-service attacks,
relay spam through the machines’ SMTP mail service, or steal log-in
IDs and financial information such as credit card numbers.
“People aren’t sending out millions of infected emails
from zombies any more. It’s now more like thousands that are
targeted more selectively. The hope is that because the individual
machines doing the work won’t appear to be bogged down, people
won’t add more anti-virus (AV) software because they won’t
notice there’s a problem,” Cooper says.
Moreover, because distribution is more selective, the malware is
less likely to register on the radar of the anti-virus vendor community.
This was true in the case of three men arrested in the Netherlands
in October last year for controlling a network of more than 100,000
computers using the Zotob worm.
“All the AV software was registering it as a low threat and
there wasn’t much fuss made about it, but it was controlling
100,000 machines so there’s clearly a gap. I think this issue
is only going to continue and get larger, with more of these types
of attack simply not being registered by the industry,” Cooper
concludes.