[Dshield] Exploits versus vectors (was: WMF exploit)

Jeff Kell jeff-kell at utc.edu
Wed Jan 18 21:47:34 GMT 2006

Tom wrote:
> At 11:02 AM -0500 1/18/06, Mark Tombaugh wrote:
>> On Wed, 2006-01-18 at 07:32 -0700, Philip H. O'Neill wrote:
>>>  WMF exploit is flying through YaHoo groups. I have not looked at the
>>>  payload. In the last 2 days I received over 100 messages from various
>>>  groups, always sized 180-181 for HXQ or UUE and 129 for PIF type files.
>> I don't think these are exploiting WMF. Sounds more like:
>> http://www.sophos.com/virusinfo/analyses/w32nyxemd.html
>> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FGREW%2EA&VSect=T
> ClamAV calls it Worm VB-8

There seems to be a growing confusion about just what constitutes
malware/ratware and the infection vector.

Yahoo/AIM/MSN/IRC/ICQ/email/web/Word macros/Excel macros/pop-up
messages/pop-up ads - these are all just *methods* to present the victim
with a piece of adware/spyware/malware/ratware.  These can be:

* silent "drive-by" installs of xyzzy (e.g., .wmf)
* click here to allow us to do a drive-by install of xyzzy (e.g., AIM),
* click here and OK the warning to let us install xyzzy (download

All of these can deliver a payload of the bad guy's choosing because the
user opens the door and lets them in.  Granted, there are a few tools
and plugins that can help the ratware spread using any or all of the
vectors above, but they still boil down to the user inviting the first
stage in the door.

The traditional "viruses" that strike unsuspecting machines over the
network without the user doing ANYTHING other than having their machine
plugged in (Code Red, Slammer, Blaster, Nachi, etc.) are rare these days.
This is not to say they are gone; quite the contrary, the network is
still flooded with background noise.  Ask anyone that deals with
perimeter security.  All of the above are still flying around today.
They are probably running out of vulnerable victims, but they still try
because they were never told to stop.

The current trend is to just get the user to let the first guy in the
door, usually a downloader, bot, or backdoor, that can then in turn be
used to silently install *anything* else the bad guys desire.

The goals these days seem to be zombies, bots, drones, proxies, and
power.  The installed ratware could format your C: drive just as easily
as it can sign on to an IRC network as a drone.  Or if they do sign on,
there's not much to prevent the army of drones from being instructed to
format their C: drives simultaneously.  But what's the point -- that's a
dead end.

HOW these things get in isn't much of a mystery anymore.

WHY people keep letting them in amazes me.

And there is no magic bullet to stop it either.
