Australia: First WMF mass mailer ItW (phishing Trojan)

the first worm (mass mailer) to (ab)use the wmf 0day is now spreading in australia.

our initial reports indicate the worm is not massive; however, it steals financial information from the users it infects (it is a phishing trojan from a known group) and is causing quite a buzz in australian media. we expect it to break as a full-blown media hype this morning, tops tomorrow morning.

the worm *does* do the said damage, but as we said does not seem to be widely spread. no reports outside of australia have been received as of yet.

the emails themselves do not contain the payload, but rather a url to sites that will infect users. both the sites that did this are now down, i expect the next one to be up soon (or the bad guys will just get a new variant out in a few days). abusing websites is mostly how wmf is exploited, but not much in the way of emails before today.

(almost) all anti virus vendors do not detect this worm (it’s new), a couple detect it heuristically. (almost) all anti virus vendors detect the attachment regardless because of the wmf exploit detection routines.

hopefully, all av companies will detect this soon. i know most will.

“regular phishing” as we all know it, asking us for information by means of simple email is alive, kickin` and will still be with us 10 years from now. however, it is slowly decreasing in volume while phishing trojan attacks are getting more and more common.

if you are in australia, you already heard about this for sure.. but not clearly. otherwise, this is it before the media gets their hands on it.

we will update as necessary when we know more. the australians have done a good job on this.

gadi evron,
ge@beyondsecurity.com.
