Security Manifest

Benjamin Johnstone-Anderson, Microsoft MVP - Windows Security

Zero Day Attack - Windows Security Load Image & Help Vulnerabilities

We are currently carefully tracking developing threats centered around vulnerabilities in the Windows operating system.

As the Internet Storm Center (sans.org) puts it:

The holiday news continues to be bleak, with a pair of critical vulnerabilities for Windows NT/2000/2003/XP. First, unless you're running XP SP2, there is a buffer overflow in the LoadImage API, resulting in bitmaps, icons, and animated cursor data files (.bmp, .cur, .ico, and .ani) that can be exploited via HTML delivered either via email or a website. This vulnerability can be used to execute code. Secondly, there is a heap overflow in winhlp32.exe while processing help files on Windows, including XP SP2, apparently. Try not to install help files until some Tuesday in, we hope, January.

Zero day vulnerabilities are those that are released before a patch is available for the software that is affected. Some of them appear while the patch is being made (this is a long process - oftentimes several months). As always, I'm going to focus on the threats that have originated from this and how to protect against them as, at this time, there is no way to patch the vulnerabilities.

Phel Trojan
The first threat to emerge from this incident was Trojan.Phel, emerging yesterday morning. The Trojan horse, which comes as an HTML file, exploits the Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass Vulnerability. When executed, Phel downloads information from a domain located in New York City and saves a malicious file as My.hta to the Startup folder. It then adds itself to startup and downloads a backdoor program to the infected computer from a server in Madrid.

This Trojan is compatible with many languages of Windows: Danish, Dutch, English, Finnish, French, German, Italian, Norwegian, Polish, Portuguese, Spanish, Swedish, and Turkish. At this time, it is believed that Phel has limited spread. Also, at the time of this writing, the New York City server was down, further limiting its spread. However, the server in Madrid was up, returning a "no web site configured at this address" error. Other than using the zero day exploit, Phel is an unremarkable Trojan and is incapable of spreading on its own.

More information can be found here, courtesy Symantec.

Downloader-TO
The other threat known at this time to use the Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass Vulnerability is Downloader-TO. Like Phel, it is a Trojan horse that downloads a file and has no other apparent purpose. It does not spread itself.

When the user visits an infected web site, Downloader-TO drops itself to the startup directory as Microsoft Office.hta. When the machine is rebooted, Microsoft Office.hta triggers and downloads a program named server.exe, which is saved as C:\malware.exe. This is the Downloader-TO trojan.

The Trojan horse will also add itself to the Windows XP SP2 authorized applications firewall policy list as cmsscs. It also features the ability to disable a limited number of firewall and antivirus programs. When this is finished, the Trojan horse downloads from a server owned by a hosting company in Houston, Texas. At this time, this file is believed to be a proxy server Trojan horse. This file is also added to firewall policy as module32 and saved to C:\Windows\tgbcde\module32.exe.
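The artifacts described above (an .hta dropped to the Startup folder, the C:\malware.exe and C:\Windows\tgbcde\module32.exe drop locations, and the cmsscs / module32 firewall exceptions) can be checked for on a host. The script below is an added example written for this post, not code from the original or from any vendor write-up; the registry key used for the XP SP2 authorized-applications list is assumed to be the standard location, and the folder names are the defaults.

```powershell
# Added example: look for the Downloader-TO / Phel artifacts named in the write-up.
# Assumptions: default Startup folder locations and the standard XP SP2
# firewall exception key; adjust for your environment.

$artifactNames = @('cmsscs', 'module32')   # display names the Trojan adds to the firewall list
$knownPaths = @('C:\malware.exe', 'C:\Windows\tgbcde\module32.exe')   # drop locations from the write-up

# 1. Any .hta in a Startup folder deserves a look: Phel (My.hta) and
#    Downloader-TO (Microsoft Office.hta) both persist this way.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user
    [Environment]::GetFolderPath('CommonStartup')   # all users
)
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Filter '*.hta' -ErrorAction SilentlyContinue |
            ForEach-Object { Write-Output "SUSPECT startup HTA: $($_.FullName)" }
    }
}

# 2. Dropped executables at the documented paths.
foreach ($p in $knownPaths) {
    if (Test-Path $p) { Write-Output "SUSPECT file present: $p" }
}

# 3. XP SP2 firewall "authorized applications" exceptions (assumed standard key).
#    Each value is named by the program path; its data looks like
#    "C:\path\app.exe:*:Enabled:DisplayName".
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwKey) {
    $list = Get-ItemProperty -Path $fwKey
    foreach ($entry in $list.PSObject.Properties) {
        if ($entry.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc. properties
        $display = ("$($entry.Value)" -split ':')[-1]
        if ($artifactNames -contains $display -or $knownPaths -contains $entry.Name) {
            Write-Output "SUSPECT firewall exception: $($entry.Name) => $($entry.Value)"
        }
    }
}
```

Run it from an elevated prompt so the HKLM key and the all-users Startup folder are readable; a hit on any of the three checks is a reason to pull the machine for a closer look rather than proof of infection on its own.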

For more information, please consult the McAfee write-up.

LoadImage API Vulnerability
For users not running Windows XP Service Pack 2, there is another vulnerability in the LoadImage API which allows animated cursor data files (.bmp, .cur, .ico, and .ani all qualify) to be exploited via HTML. This can include email and web sites. Unlike the Help Control vulnerability, this one can be patched by upgrading to Service Pack 2, which I strongly recommend. So far, there have been no threats beyond proof-of-concept code using this vulnerability.

Protection
At this time, no patch is available for either of these vulnerabilities. However, it is important to note that the LoadImage API vulnerability can be fixed by upgrading to Service Pack 2. Those who have not should do so as soon as humanly possible. On the other hand, all systems are at this time vulnerable to the Help Control exploit. Users should wait to install help files that they cannot totally verify the integrity of until a patch is available. When it is, I will of course post the information.

Have a happy, safe New Year!
