WMF warnings: I wasn't crying wolf

When a threat is real, warning others is paramount. So why are malware alerting methods so poor?

By coincidence, I was checking my e-mail at the exact moment (7:31 p.m. EST, Dec. 27, 2005) when a new Microsoft Windows zero-day exploit (the WMF buffer overflow exploit) was announced in an anonymous e-mail to Bugtraq. Here’s the e-mail with the URL modified to prevent unknowledgeable readers from accidentally launching the malware:

From: noemailpls@noemail.ziper
To: bugtraq@securityfocus.com
Subject: Is this a new exploit?

Warning the following URL successfully exploited a fully patched windows xp system with a freshly updated norton anti virus.


The url runs a .wmf and executes the virus, f-secure will pick up the virus norton will not.

If the e-mail was true, it would be a rare Windows zero-day exploit, and dangerous because no patches or anti-virus software were available to protect against it. Malware writers could, and would, utilize it to spread malicious programs.

My first duty was to confirm the poster’s attestations. On my two test systems, I first ran the link in Mozilla Firefox to see whether the URL link included downloadable content. Sure enough, it did.

I downloaded the file, which Firefox did not automatically execute, to my malware testing directory. I confirmed the WMF file and its format and then explored the malicious Web site a bit, looking in vain for clues.

I then used both Internet Explorer 6 and 7 to load the same link on fully patched test systems. Both systems immediately downloaded the file, became victims to the exploit, and installed a separate Trojan file called apidm.exe into the %Windir% folder.

I uploaded the original malicious file to several Web sites that specialize in scanning suspected malware simultaneously with multiple anti-virus scanners to reveal whether the malware program was recognized by one or more anti-virus vendors. The sites I used were virusscan.jotti.org and virustotal.com.

Of the 30-plus anti-virus scanners used, none recognized the initial exploit, and only two recognized the secondary dropped Trojan. Within 40 minutes (8:10 p.m.) of the exploit being released into the wild, I had confirmed that this was indeed a new Windows zero-day exploit. I needed to notify as many security people and entities as possible. 

But how do you do this, especially on a night during the holiday season?

My first instinct was to post the warning and my findings to CERT or one of the other “official” agencies that are supposed to handle verification and warning of threats like this one. But the practical reality is that these bodies are slow to post warnings, and I needed to warn as many people as I could as quickly as possible. In the days when a single worm can infect all potential Internet hosts in 8 minutes (for example, SQL Slammer), notification needs to be in minutes, not hours. (CERT confirmed my initial suspicion by posting its first official warning to the public the next day at 8:38 p.m., more than 24 hours after the initial malware release.)

I also considered sending the malware example and my findings to the most popular anti-virus vendors. That was a mistake. Each vendor had its own submission process. I’m guessing that I would have to spend about 20 minutes at each site in order to submit the malware, and even then there was no guarantee they would respond. (Again, confirming my thoughts, most anti-virus vendors did not respond to WMF until late the next day.)

So where do you send a malware example and your findings in order to warn as many people as possible? I wanted to warn administrators, Microsoft, and people in general about the new threat. It was then that I sadly realized that there was no “best” single entity to contact and that I had better take a buckshot approach.

Here’s what I did: I responded to the original e-mail to warn Bugtraq readers at 8:14 p.m. My posts were never approved; I received the rejection notices days later.

At 8:18 p.m., I sent notice to security@microsoft.com. I received a boilerplate auto-response from Microsoft a minute later. Later on, I learned that -- as indicated in the auto-response that I skimmed and did not read -- the correct e-mail address for alerts is secure@microsoft.com. Microsoft’s first official response came out at 8:26 p.m. the next day.

At the same time, I sent a warning to a private mailing list I participate in, made up of other Microsoft Windows Security MVPs (Most Valuable Professionals). The Microsoft MVP program awards knowledgeable people who strongly participate in end-user communities.

The list has a lot of people much smarter and more connected than I am, and true to form, fellow MVPs warned their respective communities, offered advice, and started doing their own research minutes later.

Next, I submitted my findings to handlers at Dshield.org. They responded at 10:58 p.m., thanking me, and offered up their own findings. They posted a warning to Dshield participants, and updated the Handler’s Diary as we discovered more information.

At 9:07 p.m., I warned friends and clients.

At 9:12 p.m., I finished posting as much information as I knew to my new InfoWorld Security Adviser blog. But because the blog was turned on, literally, about two hours before, I figured readership wasn’t going to be strong.

Other than Dshield and the MVP efforts, this malware release was getting no press. End-users would be completely in the dark if this malware went widespread the next morning. Around 3:00 a.m. EST, Dec. 28, 2005, after much deliberation, I notified the mainstream media outlets -- MSNBC, CNN, Fox News, among others -- via e-mail and left my credentials and cell phone number so that the word could spread beyond the limited audience of computer security professionals. Avenues for submitting breaking news to their Web sites were either nonexistent or close to it. None ever responded, and the first media coverage of WMF came out more than 12 hours later.

It is unfortunate that the informal, pseudo-professional mailing lists, such as DShield and MVP, were much more responsive in spreading early warnings than any of the official alert channels. This was true despite the frequent announcements of global coordinating entities designed for discovering and responding to just such a situation. In the end, all of these initiatives fail at their primary purpose: early warning.

OK, the Internet isn’t a baby anymore. Fast, global malware attacks have been happening regularly since 1988 (remember the Morris worm?). Isn’t it time for some official governing agency to make a central site for malware warnings, where submissions can be analyzed, and the public quickly warned -- more quickly than CERT, CNN, or the Department of Homeland Security? Or is it impossible for an “official” channel to be responsive?

If you have ideas or suggestions, I'd love to hear them. Post your comments at my new Security Adviser blog, and let's figure out a better way to deal with malware.