<<<
NEWS FROM THE LAB - Wednesday, January 4, 2006
>>>
 
 
New trojan being distributed via WMF spam Posted by Mikko @ 12:44 GMT

There's a new trojan spam run underway, exploiting again the WMF vulnerability.

The exploit code is taken directly from the last Metasploit distribution. So the Metasploit exploit is assisting botnet herders and spyware distributors to take over the computers of users who still have no Microsoft patch to close the hole.

In this particular case the spammed message was a fake warning from Yale University professor about student vandalism that supposedly happened over the new year:

We are very sad to say that over the New Year the Campus was subjected to several acts of mindless vandalism. As well as bricks being thrown through windows, several members of staff have reported their cars as being the subject of practical jokes. Some of these cars were filled with water whilst others had graffiti daubed across them. We have uploaded the pictures of the graffiti here in the hope that someone may recognise the culprits work. If anyone can shed any light on this unfortunate incident could they please contact the main office as soon as they have time.

When curious readers follow the link to a web server under comcast.net, they are hit with a WMF file that immediatly downloads a botnet client via tftp and runs it. In case the WMF exploit wouldn't work, the front page of the site also contains an exploit against older versions of Firefox, using the "InstallVersion.compareTo()" flaw. The downloaded client will connect to a botnet hosted via several IRC servers.

F-Secure Anti-Virus detects the WMF exploit in question as Exploit.Win32.IMG-WMF and the downloaded trojan as Breplibot.Q. Abuse reports have been sent about the sites abused in this scam.

Administrators: you might want to block these at your gateways:
   http access to playtimepiano[dot]home[dot]comcast[dot]net (do not visit this site)
   tftp (ie. UDP) access to 86.135.149.130
   IRC access to 140.198.35.85:8080
   IRC access to 24.116.12.59:8080
   IRC access to 140.198.165.185:8080
   IRC access to 129.93.51.80:8080
   IRC access to 70.136.88.76:8080

PS. There seems to be no Professor Robert Gordens in Yale.