
SANS ISC InfoSec Handlers Diary Blog



aim for a gdi exploit.

Published: 2004-09-28
Last Updated: 2004-09-29 21:04:36 UTC
by donald smith (Version: 1)
0 comment(s)
Lawrence Abrams has created a step by step end user documentation for the gdiscan.exe scan tool by Tom Liston.
http://www.bleepingcomputer.com/forums/topict3077.html

Many people have asked what to do about dlls being reported as vulnerable to MS04-028. Currently we are recommending they contact the vendor of the product that installed the dll. Some people have had fairly good results copying a non-vulnerable dll over the top of the vulnerable one. If you choose to do that please first backup the vulnerable dll in case your software relies on that specific version of the dll.

Anyone still needing a copy of Tom's most excellent tool can obtain it here
http://isc.sans.org/gdiscan.php
Anyone wanting modifications will have to wait because Tom is goofing off in Vegas with a bunch of other off-duty handlers.
If you're going to SANS Network Security Las Vegas, Sep 28-Oct 04, be sure to look for our missing handlers.

The handlers have received several reports that AIM messages are being used to entice users to download and view jpegs that match current signatures for the GDIplus.dll exploit.

The basic method is to attach GDI exploits to profiles on AIM. The attacker then sends messages to get the user to go look at the user profile that has a jpg with the gdiplus.dll exploit in it.

This is the message being seen: "Check out my profile, click GET INFO!"
But of course that would be easy to change, so it is probably not worth adding to your IDS signature list.

We have not received any copies of the jpegs involved in AIM propagation so it is possible that these were false positives from the IDS. But the signatures being used are very accurate so I strongly suspect these images contained a gdiplus.dll exploit.

We have also received several reports of Newsgroups having jpgs with a gdiplus exploit in them. These appear to have been Backdoor.Roxe.

We were alerted by Chris Mosby, to two new trojans that exploit the GDIPlus.dll.
http://www.sarc.com/avcenter/venc/data/trojan.moo.html
Trojan.Moo is a Trojan horse program that exploits the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (described in the Microsoft Security Bulletin MS04-028).

http://www.sarc.com/avcenter/venc/data/backdoor.roxe.html
Backdoor.Roxe is a backdoor Trojan horse program that exploits the Microsoft GDI+ Library JPEG Segment Length Integer Underflow Vulnerability (described in the Microsoft Security Bulletin MS04-028).
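The vulnerability both trojans rely on is in how GDI+ reads the 16-bit length field of a JPEG marker segment: that field counts its own two bytes, so any well-formed segment declares a length of at least 2, and a value of 0 or 1 is what makes the "Segment Length Integer Underflow" possible. A defender can therefore triage suspect images by walking the marker segments and flagging any declared length below 2. The following is an added example written for this diary, not code from the ISC, Tom Liston's gdiscan, or any IDS signature; the two byte strings at the bottom are constructed samples, and the function names are my own.

```python
import struct

# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
_STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def scan_jpeg_segments(data: bytes):
    """Walk the header segments of a JPEG and return a list of findings.

    Each finding is a tuple (offset, marker, declared_length, reason).
    An empty list means every segment up to SOS/EOI had a sane length.
    A declared length below 2 is impossible in a valid file because the
    two length bytes count themselves; that is the MS04-028 condition.
    """
    findings = []
    if len(data) < 2 or data[:2] != b"\xff\xd8":
        return [(0, None, None, "missing SOI marker")]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            findings.append((pos, None, None, "expected marker byte 0xFF"))
            break
        # Fill bytes (runs of 0xFF) may precede a marker; skip them.
        while pos < len(data) and data[pos] == 0xFF:
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker in _STANDALONE:
            if marker == 0xD9:  # EOI: nothing follows
                break
            continue
        if pos + 2 > len(data):
            findings.append((pos - 1, marker, None, "truncated length field"))
            break
        declared = struct.unpack(">H", data[pos:pos + 2])[0]
        if declared < 2:
            findings.append((pos - 1, marker, declared,
                             "segment length below 2 (underflow trigger)"))
            # The length cannot be trusted to advance the cursor; stop here.
            break
        pos += declared
        if marker == 0xDA:  # SOS: entropy-coded data follows, header walk ends
            break
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if any header segment is malformed in the way described above."""
    return bool(scan_jpeg_segments(data))


# Constructed sample: SOI, a 16-byte JFIF APP0 segment, a 7-byte COM
# segment carrying "hello", then EOI. Every length is consistent.
GOOD_JPEG = (b"\xff\xd8"
             + b"\xff\xe0\x00\x10" + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\xff\xfe\x00\x07hello"
             + b"\xff\xd9")

# Constructed sample: the COM segment declares a length of 1, which is
# below the 2-byte minimum. This is a structural test input, not an exploit.
BAD_JPEG = b"\xff\xd8\xff\xfe\x00\x01" + b"A" * 8 + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("GOOD_JPEG", GOOD_JPEG), ("BAD_JPEG", BAD_JPEG)):
        print(name, "suspicious" if is_suspicious(blob) else "clean",
              scan_jpeg_segments(blob))
```

The walk stops at the first SOS marker because the entropy-coded scan data that follows has no length-prefixed structure, and it stops at the first bad length because the cursor can no longer be advanced reliably. A production triage tool would run this over every file an AIM profile, newsgroup post or mail attachment delivers, regardless of the extension it claims.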

A new version of bagle is spreading fast.
The From address is spoofed so any SMART antivirus mail portals will NOT respond with "you sent us a virus message".

The subjects seen so far appear to be responses to an email.

RE: blank, hello, thank you!, thanks :), hi

The body of the message is a smiley :) or :))

Attachments have an extension of .exe, .scr, .com or .cpl, and the first part of the name is joke or price.

We have received several copies of bagle.az.mm. Who keeps changing the version number between AV vendors, so no one really knows which version any given vendor detects?

This is the result from several Antivirus vendors of the newest bagle:

Vendor        Version          Date         Detection name
BitDefender   7.0              09.28.2004   Win32.Bagle.AU@mm
ClamWin       devel-20040822   09.28.2004   Worm.Bagle.AP
F-Prot        3.15a            09.28.2004   W32/Bagle.AM@mm
Kaspersky     4.0.2.24         09.28.2004   I-Worm.Bagle.as
McAfee        4395             09.28.2004   W32/Bagle.az@MM
NOD32v2       1.880            09.28.2004   Win32/Bagle.AQ
Norman        5.70.10          09.28.2004   -
Panda         7.02.00          09.28.2004   W32/Bagle.BB.worm
Sybari        7.5.1314         09.28.2004   W32/Bagle.az@MM
Symantec      8.0              09.27.2004   -
TrendMicro    7.100            09.26.2004   -

Those with - in the detection column did NOT detect this new version. Newer versions of their AV engines and dats may have detected it. Those with a bagle.xx.NN.## name detected it, but nearly all called it by a different version number.

For more information:
http://vil.nai.com/vil/content/v_128582.htm