Date: Tue, 03 Jan 2006 12:03:18 -0500
From: Ted White <twhite8 at cox.net>
To: WSFA members <WSFAlist at KeithLynch.net>
Subject: [WSFA] Re: Crash, thud
Reply-To: WSFA members <WSFAlist at KeithLynch.net>

Michael Walsh wrote:

>  Elspeth's computer suffered a strange virus attack last night so
>  she'll be offline until the machine is cleansed, proper exorcism
>  rituals performed, and the like.
>
>  And please, no comments "Gosh, you should switch to FricFrac
>  Operating system..."

I think it's time I posted here a message I received from my old friend
George Andrews a few days ago.  Some of you may remember George; he
lived in the Maryland suburbs for many years before moving to San Diego
in the late '90s.  I've known him for over 30 years, have worked for and
with him (at Logotel), and I trust him completely on this matter.

This problem (outlined by George) *may* be the cause of Elspeth's
computer problem.

--Ted White

Hello.

A Microsoft-based pandemic is on the horizon and I'm trying to help
you.  I'm not selling anything and I'll freely provide my contact
information (below) for anyone needing further assurance.  If you
don't believe that, or you just want to argue trivial points, please
close up this message and discard it.  I'm happy to let you learn this
information the hard way.

I'm sending this out to some friends and acquaintances who know me
personally, but--since I'm urging them to pass this information along
for everyone's benefit--I'd better start with some explaining.

WHO AM I?

My name is George Andrews and I live in San Diego, California.  My
personal e-mail address is:
gandrews711 at gmail.com

My home office phone is 1-619-841-0121 and my cell is 1-619-379-7896.
Feel free to ring me (Pacific time, please!) if you have questions or
issues.

I have nearly 30 years experience as a developer, trainer, system
administrator, database administrator, and technical consultant.
Currently, I'm working with a company in the Chicago area on a
cutting-edge Web services/database application as a technical writer
and developer. My primary duties are presently documentation and
testing for the project. I have a Microsoft Certified Systems Engineer
(MCSE) credential and a Microsoft Certified Database Administrator
(MCDBA) credential, as well as several other technical certifications.
I'm also certified by the State of California as a technical trainer.
I'm 58 years old and not prone to pulling off pranks.

WHAT'S THE PROBLEM?

Last Tuesday evening (27-Dec-05), the first public reports (to my
knowledge) of a serious flaw in Microsoft Windows were released.
Microsoft has confirmed the problem exists:
http://www.microsoft.com/technet/security/advisory/912840.mspx
but, to date, has released no solution. By Wednesday of last week, at
least 50 different malware (evil software) implementations using this
exploit were known to exist in the "wild" on the Internet. See:
http://sunbeltblog.blogspot.com/2005/12/more-than-50-wmf-variants-in-wild.html
As I write this, on New Year's Day, it's anybody's guess how many
variations of this exploit are out there now or on the way.  This is
what's known to security experts as a "zero-day exploit," which means,
among other things, that Microsoft doesn't have a solution for the
problem.

HOW DOES IT WORK?

Essentially, all one needs to do to become infected is to open an
infected file.  These files are posted on Web sites (most browsers
open graphics files automatically), sent in e-mails, and even spread
on innocent sites with 3rd party banner ads. As I write this, a worm
was discovered in the Netherlands that was spreading infected files
over MSN Instant Messenger.  Transporting infected files is a trivial
challenge to any black hat and, since the user doesn't need to "click
here" (as Microsoft suggests in their advisory), even an innocent
e-mail program that previews content like Outlook Express can trigger
the exploit.

WHY IS THIS SO BAD?

It's bad because it's an exploit, not a virus or a worm or a trojan
back door or spyware or any other bad stuff you may have encountered.
It's a flaw in Windows and--if you run Microsoft Windows--you've
already got it.  Microsoft gave it to you.

This flaw allows anyone, anywhere, to install any of the above evil
software on your computer without your knowledge (assuming you're
running with administrative privileges). If you can install software
on your computer--any software--then you have those privileges and the
exploit can run successfully on your system. You are in serious
danger.

Imagine this: you browse to a site with an infected banner ad.  Those
ads can come from anywhere and pop up on any site that has contracted
to take 3rd party ads.  So, anyway, your system becomes infected.  The
particular infection on your system "phones home" to a system in Asia,
Europe, the Middle East, South America, Africa, or--just to be even
handed--Detroit, and downloads a little program without your
knowledge.  That "little program" might be spyware, or it might be a
keylogger that records all your passcodes, bank account numbers,
credit card information--literally anything you type in anywhere--even
if you're not currently using the Internet, and sends it back to the
bad guys in [insert the scariest place you can think of here].  Just
imagine having Anthony "The Tuna" Fibonacci or James "Slick Eye"
Labowski looking over your shoulders at everything you type!  Even
worse, they won't have to ask "Was dat a six or a eight?" because
they'll have a key-by-key transcript of your entire session!

WHAT CAN I DO???

If you are running Windows 95, Windows 98, or Windows ME, I suggest
you disconnect your system from the Internet or shut it down entirely
and curl up with a good book.  As far as I know, you have no options
today.  You can try the unregistration option (#2, below), but you may
still get hit.

If you are running Windows 2000, Windows XP, or Windows 2003 Server,
here are a couple of options:

1. Steve Gibson is a well-known (and well-promoted) self-styled
security expert.  Generally, he seems to know his stuff and works hard
at staying up-to-date.  He's addressed this in a recent podcast with
Leo Laporte called "Security Now!"  Here are Steve's links:
http://grc.com/securitynow.htm
Episode 20 addresses the issue at the start of the program and his
show notes recommend this:
http://www.grc.com/sn/notes-020.htm
(He's recently changed the notes, so watch that page closely.)
Originally, Steve was recommending unregistration of a particular
Windows library (scroll down the page), but Guilfanov's patch is
probably a better solution.  Libraries can re-register, but Guilfanov
has addressed the heart of the issue.  Programmatically, it's a
SETABORT escape in a Windows library that is vulnerable.

2. Gibson's link to Guilfanov's patch is a little stale, but it will
work just fine.  That's what is on my laptop currently. Guilfanov's
site has been a little busy, but you can try his download page here
for a fuller explanation and a link to the patch:
http://www.hexblog.com/2005/12/wmf_vuln.html
The current version is 13, not 11 as Gibson has it.
If you have trouble, you can download the patch (unmodified--just
mirrored) from my server:
http://pbbiz.com/patches/wmffix_hexblog13.exe
There's no page associated with this link and the domain is unused,
but it's there if you need it.

Note that Guilfanov's patch is an executable (.exe) file.  It runs an
installer that politely installs the patch and then allows you to
remove it through Add/Remove Programs in your Control Panel.  It is
entirely benign, but--if I were you--I'd go to the source and get
Guilfanov's latest directly from him.  I'm just providing the link for
people who know they can trust me, and only as a convenience.
Guilfanov's site is going to get even busier.

I have not and will not certify this patch.  SANS, an Internet
security authority, has already suggested that this is probably okay
to install:
http://isc.sans.org/diary.php?storyid=992
If they trust Guilfanov, then I do, too.

NOTE--PLEASE READ: If you install the Guilfanov patch, you will be
prompted to reboot your system.  You must do this (reboot) before you
are fully protected. Also, BE SURE TO REMOVE THE GUILFANOV PATCH BEFORE
APPLYING THE OFFICIAL MICROSOFT PATCH so you can avoid conflicts
between the two.  If and when Microsoft addresses the issue, that is.

BUT WON'T MY ISP OR ANTIVIRUS WARE PROTECT ME?

The short answer is, unfortunately, no.  This is an exploit--a
weakness or vulnerability--not a specific threat.  Antivirus
software--regardless of the hype--primarily works by identifying a
software signature (a specific and identifiable bit pattern) of the
virus.  How do they get that?  By users reporting infections--so that
means somebody has to "get" the virus first. Ouch!

Since this is a weakness, the bad guys may choose to install bad stuff
that your antivirus or antispyware applications can identify, but
maybe not.  So then you are the one who gets stung. And remember, the
really ambitious bad guys won't be spamming you or tracking your
Internet activity for ad targeting; they'll be grabbing your personal
information to bleed your bank accounts or brokerage accounts or
credit cards.  With all that "low hanging fruit," they may not even
get to your accounts for months. . .

Internet Service Providers (like AOL, Cox, and Comcast) can't monitor
your activity closely enough to protect you at all.  I don't know if
it's still true, but a couple of years ago, AOL was advertising
"child-safe" browsing by filtering certain undesirable content. All
the Internet-savvy child had to do to bypass the protection was to
open a second browser window.  Great protection!  TV advertising is
produced by marketing people, not techies.  And your kids probably
know more about the Internet than you ever will.

Call your ISP and ask them if they can filter MSN Instant Messenger
content or block malicious 3rd-party banner ads.  After you sit on
hold for 35 minutes, I'll bet the answer is, "Huh?  Oh, yeah, I think
so. . . I'm not really sure. . .do you wanna talk to a technician?"
Nope, they don't do that at all, to my knowledge.  The banner ad
blocking would be easy (but against their business model), while
inspecting files transferred over the IM protocols for malware would
completely elude them, I expect.

WHAT IF I DO NOTHING?

Then you're driving through the Internet at midnight with your lights
off on the wrong side of the road.  And--perhaps--playing Russian
roulette with an automatic pistol.  Is this a false alarm?  Who can
say?  How many people will actually die from Avian Flu in the upcoming
months?

I'll close with this: in my experience, this is potentially the worst
threat the Internet has ever encountered.  We're better connected
today, and in more ways (IM, VoIP, VPNs, and more), than we ever were.
Previous exploits have done serious damage and inconvenienced many
people in their heydays.  Just by the increased traffic alone, we'll
all be affected.  Don't trust me? Google "wmf exploit" for more
information.

See?  I'm not selling anything. . .

Happy New Year!  Stay safe.

--George Andrews
San Diego
01-Jan-2006
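George's message makes two technical points worth pinning down: the vulnerable construct is a SETABORT escape inside a Windows metafile, and signature-based antivirus only catches a sample after somebody has already been hit. A structural check sidesteps the second problem: instead of matching a known sample, walk the WMF record stream and flag any META_ESCAPE record whose escape sub-function is SETABORTPROC, the way mail-gateway and IDS rules of the period did. The Python below is an added example written for this page, not code from the message or from any of the people it names. It relies on the public WMF layout (optional 22-byte placeable header, 18-byte standard header, then records of size-in-words, function code, parameters) and the standard constants for META_ESCAPE (0x0626) and SETABORTPROC (9); the three sample files at the bottom are constructed inline and contain zero-filled placeholders rather than any real escape data.

```python
"""Scan WMF record streams for the META_ESCAPE/SETABORTPROC construct.

Added example, not from the original mailing-list message. Field layout
follows the public WMF format; the sample files below are constructed
here and carry no payload of any kind.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional Aldus placeable header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626         # record that hands its data to GDI Escape()
SETABORTPROC = 0x0009        # the escape sub-function the message refers to


def wmf_records(data):
    """Yield (offset, function, params) for every record up to META_EOF.

    Raises ValueError for a truncated header or a record whose declared
    size cannot be advanced over, so a scanner can treat malformed files
    as suspect rather than silently skipping the rest of the stream.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise ValueError('truncated WMF header')
    header_words = struct.unpack_from('<H', data, off + 2)[0]
    if header_words != 9:
        raise ValueError('unexpected header size: %d words' % header_words)
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)
        if size_words < 3:                         # size covers its own 6 bytes
            raise ValueError('record at offset %d declares %d words' % (off, size_words))
        end = off + size_words * 2
        if end > len(data):
            raise ValueError('record at offset %d runs past end of data' % off)
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError('no META_EOF record before end of data')


def scan(data):
    """Return (suspicious, reasons) for one WMF byte string."""
    reasons = []
    try:
        for off, func, params in wmf_records(data):
            if func == META_ESCAPE and len(params) >= 4:
                esc_func, byte_count = struct.unpack_from('<HH', params, 0)
                if esc_func == SETABORTPROC:
                    reasons.append('META_ESCAPE/SETABORTPROC at offset %d (%d escape bytes)'
                                   % (off, byte_count))
    except ValueError as exc:
        reasons.append('malformed: %s' % exc)
    return bool(reasons), reasons


# --- constructed sample files (no exploit content) -------------------------

def _record(func, params=b''):
    """Build one record; the size field counts 16-bit words including itself."""
    if len(params) % 2:
        params += b'\x00'
    return struct.pack('<IH', 3 + len(params) // 2, func) + params


def _wmf(records):
    """Wrap records in a standard 18-byte WMF header (type 1 = memory metafile)."""
    records = list(records) + [_record(META_EOF)]
    body = b''.join(records)
    header = struct.pack('<HHHIHIH', 1, 9, 0x0300, 9 + len(body) // 2,
                         0, max(len(r) // 2 for r in records), 0)
    return header + body


# An ordinary metafile: one SETMAPMODE record, then EOF.
BENIGN_WMF = _wmf([_record(META_SETMAPMODE, struct.pack('<H', 8))])

# The construct the message warns about: an Escape record selecting
# SETABORTPROC. The four escape bytes are zero placeholders.
SUSPECT_WMF = _wmf([_record(META_ESCAPE, struct.pack('<HH', SETABORTPROC, 4) + b'\x00' * 4)])

# A structurally broken file: the first record claims a size of 0 words.
MALFORMED_WMF = bytearray(BENIGN_WMF)
struct.pack_into('<I', MALFORMED_WMF, 18, 0)
MALFORMED_WMF = bytes(MALFORMED_WMF)


if __name__ == '__main__':
    for name, blob in (('benign', BENIGN_WMF), ('suspect', SUSPECT_WMF),
                       ('malformed', MALFORMED_WMF)):
        flagged, why = scan(blob)
        print('%-9s %s %s' % (name, 'FLAG' if flagged else 'ok  ', '; '.join(why)))
```

Two design choices matter for a check like this. First, a record with an impossible size is reported rather than skipped, because a parser that stops quietly at the first bad record is exactly what a crafted file counts on. Second, the check keys on the record structure, not on any particular sample, so it does not depend on someone having "got the virus first" as the message puts it; the trade-off is that it will also flag the rare legitimate metafile that uses this escape, which in practice was considered acceptable for mail and web gateways.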