Tuesday, January 03, 2006

Viruses, Việt Nam, and WMF

From Thanh Nien Daily: Survey finds computer virus explosion in Vietnam:

Vietnam’s leading cyber security center said Wednesday 232 computer viruses, adware, and spyware were spotted this year, up from 84 last year. A survey of 2,000 users by the Hanoi University of Technology’s Bach Khoa Inter-network Security Center (BKIS) showed 94 percent of computers to be infected with viruses, and 87 percent with spyware and adware.

Spyware is a software that covertly gathers user information through the user's Internet connection, usually for advertising purposes. Adware is a form of spyware that collects information about the user to display advertisements in the web browser based on the information it collects from the user's browsing patterns.

Forty-four percent of the surveyed users said their companies or organizations had to stop working for at least one day due to virus infections. Viruses hit 96 percent of computers of people working in the field of commerce, 95 percent in education, and 94 percent in services.

... By late last month, Vietnam had 9.9 million Internet users, or over 11.9 percent of the total population, compared with 6 million and 7.3 percent a year earlier. Nearly 2.7 million were Internet subscribers, many of whom used broadband, the Vietnam Internet Network Information Center told Xinhua, noting the country's total international bandwidth stood at 3,505 Mbps. Vietnam linked up with the global computer network in December 1997.

Here's the situation as I see it. This country got a fairly large population of users. They're growing rapidly too: the figures above equate to 65% growth per annum. Most use the Internet in Internet Cafes or at work, some use them over a phone modem, and very few use broadband connections like ADSL. Accordingly, technological literacy is low, but growing - albeit slowly. Two years ago, many Internet Cafes didn't have anti-virus software; even the administrators didn't know any better. Installation is now the norm. However, I'm not sure how many people suss out that you're supposed to keep your anti-virus files up to date as well. Installation isn't enough; you've got to download the latest patches to fight the newest viruses. Antiviral software are essential for Windows machines in this day in age. But they have to be used properly, and not just as a totem to ward off evil. For these reasons, I'm dismayed (but not too shocked) at the 9X% incidence of infection.

I wouldn't blame the users too much, however. First, Vietnamese people speak Vietnamese... but computer security material is generally written in English. This discriminates aagainst the computer professionals - but it really causes problems for the amateurs, the computer hobbyists and so forth in this country. Unless someone translates for them, they'll be kept in the dark like everyone else. The second problem is that most users don't use their own machine. It's owned by someone else, whether it is their employer or the local cafe. If the machine crashes, it's not their problem, but that of the people who are meant to maintain the machines. (Do not pass Go; go straight to coffee break.) In short, they've got less incentive to learn. One final factor: this is a place where hardware is expensive, but software is pirated and cheap. If the machine is well and truly cocked up, you save as much as you can and reinstall. Never mind that you've lost about 20 new security patches as well.

Then, there are incidents when the lack of local knowledge interferes with my machine, and I get really pissed off. A year ago, when my wife had her own graphic design business, some one decided to install PurityScan (please don't click) on some of the computers, including my laptop. The woman thought it was some sort of anti-viral software. Alas, it's not; it's spyware, as I tried to explain to her afterwards... but I got the feeling she wasn't grokking what "spyware" was. 

And there was that time, a month ago, when I got reconnected to ADSL, and someone decided to turn the firewall off. Imbecility.

Now, we have a new virus on the scene: the Windows Metafile Vulnerability. It's a nasty one, too. From Wikipedia:

The Windows Metafile vulnerability is a vulnerability in Microsoft Windows which was first disclosed on Bugtraq on 27 December 2005 [1], and subsequently used in a variety of exploits. The vulnerability, located in gdi32.dll, arises from the way in which Windows operating systems handle Windows Metafile (WMF) vector images, and permits arbitrary code to be executed on affected computers without the permission of their users. Windows versions from Windows 98 to Windows Server 2003 R2 are known to be vulnerable to the exploit, while versions as old as Windows 3.0 are probably also vulnerable. Exploits of this vulnerability are thus among the very few examples of genuine drive-by download.

So we've got a 15 year old bug that's now become a problem. Given what I know about Microsoft quality assurance, I'm not too surprised. However, this is the sort of bug where you could infect yourself instantaneously by viewing the wrong page. Especially with that abomination called Internet Explorer, which still seems to be the norm here. But other browsers aren't safe either. The flaw is in the operating system, and how it display the file.  

Don't trust your anti-virus software either. We learn from the Internet Storm Centre how the malicious WMF files could be tweaked in almost infinitely random permutations - making it harder to detect by antiviral software. This quotes an email by "white hackers" Metasploit, who are trying to show how the WMF vulnerability could be exploited:

We released a new version of the metasploit framework module for the WMF flaw, this one uses some header padding tricks and gzip encoding to bypass all known IDS signatures. Consider this "irresponsible" if you like, but it clearly demonstrates that a run-of-the-mill signature-based IDS (or A/V) is not going to work for this flaw. If anyone has any questions about why we are releasing these types of modules so early after the disclosure, feel free to drop me an email.


So what can you do, dear reader? Fortunately, there are several things you can do.

  • First: check if you are vulnerable. From IDA Pro, you can download a program from that address, and run it. It will not infect your machine; it will only test it, and state whether you are vulnerable or not. I have run this program.
  • Secondly, if you are unprotected, install the patch on your computer. It's not by Microsoft, I'm afraid; they seem to be on an extended New Years Break. But there's a temporary hotfix also by IDA Pro. What it does is disable the dodgy command in gdi32.dll. I've installed it. It works fine. Microsoft will probably get around to releasing an "official" patch in a fortnight or so. But that may be a little long to wait.
  • Thirdly, Sunbelt Blog recommends that you unregister "shimgvw.dll":

As CERT says, “Remapping handling of Windows Metafiles to open a program other than the default Windows Picture and Fax Viewer (SHIMGVW.DLL) may prevent exploitation via some current attack vectors. However, this may still allow the underlying vulnerability to be exploited via other known attack vectors.” ... At any rate, here’s how you do it. From the command prompt, type REGSVR32 /U SHIMGVW.DLL.  A reboot is recommended.  (It works post reboot as well.  It is a permanent workaround). You can also do this by going to Start, Run and then pasting in the above command. This effectively disables your ability to view images using the Windows picture and fax viewer via IE. However, it is not the most elegant fix.  You’re probably going to have all kinds of problems viewing images. But, no biggie: Once the exploit is patched, you can simply type “REGSVR32 SHIMGVW.DLL” to bring back the functionality.

  • Finally, it won't do you any harm (and it will do you a lot of good) if you stop using Internet Explorer. Perhaps you could change to another browser like Firefox, which both my wife and I use happily. This may be hard at work if clueless system administrators insist you use IE. But you have no excuse at home. 

How will this affect the Vietnamese computing community? There is some awareness, at least: Nhân Dân has an article on it, and so does VCDOnline. But it looks like there's going to be a lot of infected machines. It will take time for information to percolate down to the users. More people will use the Internet, ignorant of viruses and adware and spyware. Most people already on line won't change their habits; they'll continue to use IE, and forget to update their anti-virus patches, and their machines will end up trashed. Then they'll reinstall and start again. Just like anywhere else, really. 

Oh, and I'd best say Happy New Year. We'll need it.