funsec mailing list archives
Re: potential worm exploiting WMF [was: Ilfak's WMF patch v. Microsoft's solution]
From: Matthew Murphy <mattmurphy () kc rr com>
Date: Tue, 03 Jan 2006 04:00:44 -0600
Gadi Evron wrote:
> Hi Matthew.. Well, maybe a worm won't work best being sent via email, but try and look at what might work instead.. and the Bad Guys will surely find it. They already used sending via IM, sending URLs.. etc. If spam is any GIVE-AWAY, these tactics work. It is one of the oldest tricks in the book to infect people.. via web pages. No need for much innovation.
You're absolutely right that these kinds of tactics work. I wasn't meaning to discount the possibility that this could be used in some kind of worm, as it most certainly could. What I *am* trying to put to rest is the apocalyptic line that such a worm would bring exceptional devastation.

Indeed, there would most likely be a slight uptick in the number of infected systems from a WMF worm as opposed to a worm that requires the user to extract a binary from a password-protected zip and then willfully open it. However, I think this kind of a worm would have less staying power. Whereas a standard .EXE worm relies on exploiting user stupidity, the potential victim pool for a WMF worm will dry up quickly after patches come out. Once we are 30 days or so post-patch, those who would be snared by a WMF worm will be patched. The folks who aren't patched by then are going to be the same ones who keep opening every Bagle/Sober/etc. variant under the sun and seem absolutely determined to infect themselves with any malware they can get their hands (or their mice) on.

The problem is what happens in the interim. The only time I see a WMF worm being "successful" long-term is as a conduit to other malware. If systems of users who would otherwise *not* fall victim to e-mail worms are infected by a WMF virus, and that virus is used to deploy *OTHER* malware, we could be looking at a rise (at least in the short term) in the number of compromised systems.

Even so, the chance of the "mother-of-worms" is pretty slim. There are other formats (JPEG, GIF, etc.) that almost every application utilizes that will probably have holes as well. Those are truly ubiquitous formats... most apps will render them and a user won't even blink. If the workarounds are this *CRAPPY* (with Ilfak's software being the exception) when *those* types of holes appear... we could really be in for trouble.

--
"Social Darwinism: Try to make something idiot-proof, nature will provide you with a better idiot."
-- Michael Holstein
Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.