So why is this new WMF email such a problem?

Well because of other developing information that a few others including SANS have already talked about it. The people at FrSIRT have posted an updated version of the WMF exploit code and our friends over at F-Secure said: enables clueless newcomers to easily craft highly variable and hard-to-detect variations of image files. Another quote from the same blog entry at F-Secure: Making such tools publicly available when there’s no vendor patch available is irresponsible. Plain and simply irresponsible. Everybody associated in making and publishing the exploit knows this. And they should know better. Moore, A.S, San and FrSIRT: you should know better.

And I totally agree with them! Seasoned computer users to totally novice users are getting hit with these WMF file exploits right and left. The peer support forums are getting bombarded by questions and stories of user spending hours trying to remove Torjans, Spyware, Adware, and backdoors opened by these attacks from their computers. These users really did not need this problem to escalate which is just what the guys at FrSIRT have done.

So we now have spam attacks plus an IM-Worm and the current exponentially growing list of websites hosting these attacks. Now we have to deal with a new variant of the exploit code which makes things very difficult for security vendors.

SANS has a great explanation about the new exploit code here. And the crux of the issues is that as SANS states it: From a number of scans we did through virustotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly it is very unlikely any of the IDS signatures for the previous versions of the WMF exploits work for this next generation. Judging from the source code, it will likely be difficult to develop very effective signatures due to the structure of the WMF files.

Infection rates
McAfee announced on the radio yesterday they saw 6% of their customers having been infected with the previous generation of the WMF exploits. 6% of their customer base is a huge number.

Until Microsoft releases a patch for this GDI32.DLL WMF bug surfing the web, reading your email, and chatting via IM is like playing Russian Roulette with your computer.

The most promising temporary fix for this issue currently is to use Ilfak Guilfanov’s DLL injection patch from his blog. And to keep up-to-date on your Anti-spyware, Anti-virus, and firewall IDS signatures.

Eric Sites
VP of Research & Development
Sunbelt Software