NEWS FROM THE LAB - Wednesday, January 4, 2006

New trojan being distributed via WMF spam
Posted by Mikko @ 12:44 GMT

There's a new trojan spam run underway, exploiting again the WMF vulnerability.

The exploit code is taken directly from the last Metasploit distribution. So the Metasploit exploit is assisting botnet herders and spyware distributors to take over the computers of users who still have no Microsoft patch to close the hole.

In this particular case the spammed message was a fake warning from a Yale University professor about student vandalism that supposedly happened over the new year:

We are very sad to say that over the New Year the Campus was subjected to several acts of mindless vandalism. As well as bricks being thrown through windows, several members of staff have reported their cars as being the subject of practical jokes. Some of these cars were filled with water whilst others had graffiti daubed across them. We have uploaded the pictures of the graffiti here in the hope that someone may recognise the culprits work. If anyone can shed any light on this unfortunate incident could they please contact the main office as soon as they have time.

When curious readers follow the link to a web server under comcast.net, they are hit with a WMF file that immediately downloads a botnet client via tftp and runs it. In case the WMF exploit wouldn't work, the front page of the site also contains an exploit against older versions of Firefox, using the "InstallVersion.compareTo()" flaw. The downloaded client will connect to a botnet hosted via several IRC servers.

F-Secure Anti-Virus detects the WMF exploit in question as Exploit.Win32.IMG-WMF and the downloaded trojan as Breplibot.Q. Abuse reports have been sent about the sites abused in this scam.

Administrators: you might want to block these at your gateways:
   http access to playtimepiano[dot]home[dot]comcast[dot]net (do not visit this site)
   tftp (i.e. UDP) access to
   IRC access to
   IRC access to
   IRC access to
   IRC access to
   IRC access to
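
For administrators who cannot block at the gateway right away, the same indicators can be used to find machines that already went through the chain described above (HTTP fetch from the comcast.net host, TFTP download, IRC connect). The following is an added example written for this post, not F-Secure's own tooling: it parses a few constructed gateway log lines in a simplified format and flags any internal host that shows all three stages in order. The hostname is the one named in the post; the TFTP and IRC addresses are placeholders from the TEST-NET ranges standing in for the addresses omitted from the list above.

```python
import re
from collections import defaultdict

# Constructed sample gateway log (not from the original post), one event per
# line: "timestamp src dst proto dport key=value ...".
SAMPLE_LOG = """\
2006-01-04T10:01:02 10.0.0.5 203.0.113.10 tcp 80 host=playtimepiano.home.comcast.net path=/
2006-01-04T10:01:09 10.0.0.5 198.51.100.20 udp 69 file=bot.exe
2006-01-04T10:01:15 10.0.0.5 192.0.2.30 tcp 6667 nick=xyz
2006-01-04T10:02:00 10.0.0.7 203.0.113.40 tcp 80 host=www.example.com path=/
2006-01-04T10:03:00 10.0.0.9 192.0.2.30 tcp 6667 nick=abc
"""

# The web host comes from the post; the TFTP and IRC addresses below are
# placeholders (TEST-NET ranges) for the redacted values, not real indicators.
BLOCKED_HOSTS = {"playtimepiano.home.comcast.net"}
BLOCKED_TFTP = {"198.51.100.20"}   # placeholder
BLOCKED_IRC = {"192.0.2.30"}       # placeholder
IRC_PORTS = {6667}
TFTP_PORT = 69

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (tcp|udp) (\d+)(?: (.*))?$")

# The three stages of the infection chain, in the order the post describes.
CHAIN = ["wmf_page", "tftp_fetch", "irc_c2"]


def parse_line(line):
    """Parse one log line into a dict; return None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, dport, extra = m.groups()
    fields = dict(kv.split("=", 1) for kv in (extra or "").split() if "=" in kv)
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), **fields}


def classify(ev):
    """Map an event to a chain stage, or None if it matches no indicator."""
    if ev["proto"] == "tcp" and ev["dport"] == 80 and ev.get("host") in BLOCKED_HOSTS:
        return "wmf_page"
    if ev["proto"] == "udp" and ev["dport"] == TFTP_PORT and ev["dst"] in BLOCKED_TFTP:
        return "tftp_fetch"
    if ev["proto"] == "tcp" and (ev["dport"] in IRC_PORTS or ev["dst"] in BLOCKED_IRC):
        return "irc_c2"
    return None


def stages_by_host(log_text):
    """Collect the matched stages per internal source address, in log order."""
    stages = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        stage = classify(ev)
        if stage:
            stages[ev["src"]].append(stage)
    return dict(stages)


def saw_chain(stages):
    """True if CHAIN appears as an ordered subsequence of the host's stages."""
    it = iter(stages)
    return all(s in it for s in CHAIN)


def infected_hosts(log_text):
    """Hosts that went through the whole chain; partial matches are left for review."""
    return sorted(h for h, s in stages_by_host(log_text).items() if saw_chain(s))


if __name__ == "__main__":
    for host, stages in stages_by_host(SAMPLE_LOG).items():
        print(host, "->", ", ".join(stages))
    print("full chain:", infected_hosts(SAMPLE_LOG))
```

A host that only shows the IRC stage (10.0.0.9 in the sample) is reported but not marked as infected by this rule, since a single port match is a weaker signal than the ordered sequence; in practice you would review those separately rather than drop them.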

PS. There seems to be no Professor Robert Gordens in Yale.