Mutating Windows exploit puts antivirus firms on high alert
By Steve Malone
Posted on 3 Jan 2006 at 11:15
The security community has set alarm bells ringing as a new vulnerability in Windows has been uncovered. The flaw could be exploited using a specially crafted Windows Metafile (.wmf) file to gain full control of the target computer.
A Windows Metafile (WMF) image is a 16-bit metafile format that can contain both vector information and bitmap information. The problem affects Windows 98, ME, Windows 2000, Server 2003 and Windows XP.
Antivirus producers are particularly concerned because the virus creates a slightly different version of itself each time it replicates. Each iteration is of random size, can use non-WMF file formats and employs other tricks to look like something different.
Traditionally, antivirus software works by matching a particular 'signature' of a suspect file against a database of known malware. By mutating, the new virus makes that matching much harder. According to the SANS Internet Storm Center, 'it will likely be difficult to develop very effective signatures (to identify the mutating virus) due to the structure of the WMF files'.
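To illustrate why an exact byte signature struggles here, the following added example (not code from the article, SANS or Microsoft) parses the WMF header and record list described above, so that metafile content is recognised by structure rather than by file extension or by fixed bytes. The two sample files are harmless, constructed metafiles of different sizes; the function codes and header layout are those of the standard WMF format.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # key of the optional 22-byte "placeable" WMF header


def is_wmf(data: bytes) -> bool:
    """True if data parses as a Windows Metafile, whatever its extension or size.

    Accepts an optional placeable header, checks the 18-byte standard header
    (type, header size in words, version), then walks the records until the
    terminating EOF record (function code 0x0000)."""
    off = 22 if len(data) >= 22 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        return False
    ftype, hdr_words, version, _size, _nobj, _maxrec, _members = struct.unpack_from('<HHHIHIH', data, off)
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return False
    pos = off + 18
    while pos + 6 <= len(data):
        rec_words, func = struct.unpack_from('<IH', data, pos)  # record size (words), function code
        if rec_words < 3:           # every record is at least size + function
            return False
        if func == 0:               # META_EOF: well-formed end of the metafile
            return True
        pos += rec_words * 2
    return False                    # ran off the end without an EOF record


def signature_match(data: bytes, signature: bytes) -> bool:
    """Naive antivirus-style check: exact byte pattern present anywhere in the file."""
    return signature in data


def placeable_header() -> bytes:
    """Constructed placeable header with a 100x100 box at 96 units/inch and valid checksum."""
    fields = struct.pack('<IHhhhhHI', PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack('<H', fields):  # XOR of the first ten words
        checksum ^= word
    return fields + struct.pack('<H', checksum)


def build_wmf(records, placeable: bool = False) -> bytes:
    """Assemble a minimal, benign WMF (constructed test data) from raw record bytes."""
    recs = list(records) + [struct.pack('<IH', 3, 0)]  # append the EOF record
    body = b''.join(recs)
    header = struct.pack('<HHHIHIH', 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) // 2 for r in recs), 0)
    return (placeable_header() if placeable else b'') + header + body


# Two constructed variants of the same trivial picture, differing in size and leading bytes.
SAMPLE_A = build_wmf([])
SAMPLE_B = build_wmf([struct.pack('<IHH', 4, 0x0103, 8)], placeable=True)  # META_SETMAPMODE
NOT_WMF = b'GIF89a' + bytes(30)          # constructed non-metafile content
SIGNATURE = SAMPLE_A[:18]                # byte signature taken from variant A's header
```

A signature taken from one variant misses the other, while the structural check recognises both and rejects the GIF bytes, regardless of what extension the file carries.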
Of even more concern from Microsoft's point of view is that the exploit, along with source code, has been developed and made available on the Internet via the so-called full disclosure community. Most security investigators first make their findings available to the vendor affected to allow it time to fix the problem before publishing details on the Internet, where they can be picked up and used by hackers. Microsoft says it is investigating the exploit and has found that the vulnerability can only be exploited if an intended victim is persuaded to visit a website or open an email and click on a link.
According to Luis Corrons at Panda Software, 'This is one of the most serious vulnerabilities recently detected. Simply visiting a web page with a file created to exploit this security problem could see a computer infected by any type of malicious code'.
Microsoft says it is working on a fix although at the time of writing no patch was available from the company. SANS offers an unofficial patch but with the burden of risk falling on the user.