We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Attempts to exploit WMF flaw by IM multiply

More than 70 variations

Security researchers have logged more than 70 variations on IMs (instant messages) attempting to exploit the WMF vulnerability since they first were reported on Saturday.

A vulnerability in the way Microsoft's Windows OS handles images in the WMF (Windows Metafile) format means that opening a maliciously crafted WMF image could result in the execution of hostile code. Malicious WMF files can be distributed in a number of ways, including via email, websites, peer-to-peer filesharing services or IM systems.

By sending such a file, or a link to a website where one is hosted, through an IM system and then tricking users into clicking on the file or link, an attacker may be able to gain control of the IM user's computer.

The first attempts to do this were logged on Saturday morning, when security researchers at Kaspersky Labs received reports of a wave of attacks on Dutch users of the MSN Messenger service. They had received messages inviting them to click on a link to a website containing an image with the name 'xmas-2006 FUNNY.jpg' – in reality, a web page containing a maliciously crafted WMF file.

Anyone following the link would set in motion a chain of events, beginning with the downloading of a Trojan Horse identified by Kaspersky as Trojan-Downloader.VBS.Psyme.br. This in turn would try to install a bot named Backdoor.Win32.SdBot.gen, which would then receive instructions over an IRC (Internet Relay Chat) channel to download IM-Worm.Win32.Kelvir, a worm that spreads over IM services, thus triggering a new wave of infections.

Although these early attacks all pointed users to the same file name, attackers have now diversified their methods.

By mid-afternoon today, enterprise IM security company Akonix Systems had blocked attempts to transmit malicious WMF files using 70 different file names, according to Shakeel Itoola, product manager for the company's L7 enterprise IM filtering product. Around one million computers are protected by Akonix systems, Itoola said, but he couldn't say how many malicious messages exploiting the WMF vulnerability had been transmitted in total, as the company's enterprise products are individually managed by the customer and do not report back such statistics.

Until steps can be taken to eliminate the vulnerability in handling WMF files, Microsoft advises Windows users to exercise caution when dealing with messages and links in messages from untrusted sources. The company expects to release a security patch to address the problem on 10 January, through Windows Update and other channels, it said yesterday. Microsoft's security advisory can be found here.


IDG UK Sites

Nexus 6 vs Sony Xperia Z3 comparison: Lollipop phablet takes on KitKat flagship smartphone

IDG UK Sites

Why people aren't upgrading to iOS 8: new features are for power users, not the average Joe

IDG UK Sites

Free rocket & space sounds: NASA launches archive of interstellar audio on SoundCloud

IDG UK Sites

iPad Air 2 review: Insanely fast and alarmingly thin. Speed tests, camera tests, beautiful...