© SANS Institute 2005 SANS Internet Storm Center WMF workarounds and patches

Outline
- How does WMF work?
- How does the exploit work?
- What does the Microsoft recommendation do?
- What does the unofficial patch do?

About the Internet Storm Center
- Cooperative incident response community
- Volunteer operated (about 40 ISC handlers)
- Vendor neutral
- Operating the largest worldwide sensor network, DShield.org
- Depending on input from readers and volunteers donating a large part of their holiday weekend

WMF: how it works (diagram)
WMF file -> Application -> shimgvw.dll -> GDI32.DLL

WMF: how it works
- A WMF file finds its way onto a Windows machine
- The application opening the file calls shimgvw.dll
- Which in turn calls GDI32.DLL to do the actual work

WMF: exploit (diagram)
WMF file -> Application -> shimgvw.dll -> GDI32.DLL Escape() -> exploit

WMF: exploit
- A WMF exploit is an image with a potentially huge payload of exploit code
- The application will open the file and call shimgvw.dll
- Which will call GDI32.DLL
- But the function calls in the image data will cause the Escape() of GDI32.DLL to jump back to the data (now code) in the image itself
- From there on it depends on the payload what will happen next...

WMF: Microsoft unregister (diagram)
WMF file -> Application -X-> shimgvw.dll -> GDI32.DLL Escape() -> exploit
Who's gonna call?

WMF: Microsoft's solution
- Microsoft advised to unregister shimgvw.dll in order to break the chain that leads to the vulnerable Escape() in GDI32.DLL
- This will work for all applications that follow this path, but:
  - Nothing prevents direct calls to GDI32.DLL from being made by other applications
  - Some applications (e.g. Mozilla) rely on the functionality provided by shimgvw.dll to do things people use in daily life
  - The library might be registered again by other software
- Aside from the unregistration, Microsoft also recommends:
  - User awareness, not surfing to "bad" places and all other sorts of generic solutions that are not relevant to this problem
  - Keeping anti-virus signatures up to date, but our tests show that many anti-virus products trigger on the payload, if they trigger at all, and the payload of the successful massive attack will be new
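The two slides above make a structural point: the dangerous part of a malicious WMF is not the payload bytes (which, as the anti-virus remark notes, will be new in the next wave) but the Escape record that GDI32.DLL's Escape() consumes on the way to it. A gateway or mail filter can therefore key on the record structure rather than on payload signatures. The scanner below is an added example written for this transcript, not SANS/ISC code and not the unofficial patch; it walks the WMF record stream (optional 22-byte placeable header, 18-byte metafile header, then size/function/parameter records) and reports every META_ESCAPE record whose escape sub-function is SETABORTPROC, the Escape() call the 2005 exploits relied on. The record and escape constants are the WMF specification / wingdi.h values; the sample files at the bottom are constructed here for illustration and carry a placeholder string, not exploit data.

```python
"""Structural scanner for WMF files: report Escape records carrying SETABORTPROC.

Added example (not SANS/ISC code, not the unofficial patch). Constants are the
WMF specification / wingdi.h values; sample files are constructed below.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 9            # Escape sub-function: register an abort callback


@dataclass
class WmfRecord:
    offset: int       # byte offset of the record within the file
    size_words: int   # declared record length in 16-bit words, header included
    function: int     # record function code, e.g. META_ESCAPE
    params: bytes     # parameter bytes after the 6-byte record header


@dataclass
class ScanResult:
    abortproc_escapes: List[Tuple[int, int]] = field(default_factory=list)  # (offset, escape byte count)
    anomalies: List[str] = field(default_factory=list)


def parse_records(data: bytes, result: ScanResult) -> List[WmfRecord]:
    """Split a WMF byte string into records; structural problems go to result.anomalies."""
    pos = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        pos = 22  # skip the placeable header if present
    if len(data) < pos + 18:
        result.anomalies.append("truncated metafile header")
        return []
    header_words = struct.unpack_from("<H", data, pos + 2)[0]
    if header_words != 9:
        result.anomalies.append(f"unexpected header size {header_words} words")
    pos += 18
    records: List[WmfRecord] = []
    while pos + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, pos)
        end = pos + size_words * 2
        if size_words < 3 or end > len(data):
            # A record too small to hold its own header, or one that runs past EOF.
            result.anomalies.append(f"record at offset {pos} declares bad size {size_words} words")
            return records
        records.append(WmfRecord(pos, size_words, function, data[pos + 6:end]))
        pos = end
        if function == META_EOF:
            break
    if not records or records[-1].function != META_EOF:
        result.anomalies.append("no META_EOF record")
    return records


def scan_wmf(data: bytes) -> ScanResult:
    """Flag META_ESCAPE records whose sub-function is SETABORTPROC."""
    result = ScanResult()
    for rec in parse_records(data, result):
        if rec.function != META_ESCAPE or len(rec.params) < 4:
            continue
        escape_func, byte_count = struct.unpack_from("<HH", rec.params, 0)
        if byte_count > len(rec.params) - 4:
            result.anomalies.append(f"escape at offset {rec.offset} claims {byte_count} bytes, record holds {len(rec.params) - 4}")
        if escape_func == SETABORTPROC:
            result.abortproc_escapes.append((rec.offset, byte_count))
    return result


# --- constructed sample files (not real captures) ---------------------------
def _record(function: int, params: bytes) -> bytes:
    if len(params) % 2:
        params += b"\x00"  # records are word-aligned
    return struct.pack("<IH", 3 + len(params) // 2, function) + params


def _metafile(records: List[bytes], placeable: bool = False) -> bytes:
    body = b"".join(records) + _record(META_EOF, b"")
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) for r in records) // 2, 0)
    prefix = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) if placeable else b""
    return prefix + header + body


_SET_MAP_MODE = _record(META_SETMAPMODE, struct.pack("<H", 8))
# Escape record with sub-function SETABORTPROC; "XXXX" is a placeholder, not exploit data.
_ABORTPROC_ESCAPE = _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"XXXX")

BENIGN_WMF = _metafile([_SET_MAP_MODE])
SUSPICIOUS_WMF = _metafile([_SET_MAP_MODE, _ABORTPROC_ESCAPE])
SUSPICIOUS_PLACEABLE_WMF = _metafile([_SET_MAP_MODE, _ABORTPROC_ESCAPE], placeable=True)

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("suspicious", SUSPICIOUS_WMF),
                       ("suspicious+placeable", SUSPICIOUS_PLACEABLE_WMF)]:
        r = scan_wmf(blob)
        print(f"{name}: SETABORTPROC escapes={r.abortproc_escapes} anomalies={r.anomalies}")
```

The scanner stops at the first record whose declared size cannot be right and reports it as an anomaly instead of guessing, so a filter built on it treats "malformed" and "contains SETABORTPROC" as two separate signals; which of the two to block on is a policy decision for the deployment, and neither depends on knowing the payload in advance.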

WMF: how it works: unofficial patch (diagram)
WMF file -> Application -> shimgvw.dll -> GDI32.DLL Escape() -> exploit, blocked at Escape() by the UNOFFICIAL PATCH

WMF: how it works: unofficial patch
- The unofficial patch protects the in-memory copy of GDI32.DLL by preventing access to the vulnerable Escape() function
- This patch was made by Ilfak Guilfanov
- Unofficial patches generally are indeed a bad idea, but:
  - This patch was reviewed and vetted by Tom Liston, handler at the Internet Storm Center
  - There is no other proper solution till Microsoft fixes things
  - The bad guys now know the deadline: they have 1 week to come up with the über-payload to infect millions
- Do you want to be among the casualties? Or do you want to be prepared to the best of your abilities?