Frank Bemelman wrote...
> BTW, what happened to that very dangerous worm... I've been
> waiting for that internet melt down, but nothing happened here.
It wasn't a worm. The exploit's purpose was to quietly take
over individual computers, in the sense that you'd not know
your computer is running a process that allows the new remote
owner to send it a command making it do things like send an
email, etc. Or worse. Compromised computers are bundled up
and sold in batches of 50 to 100, etc., for considerable cash.
Ahem, one imagines each computer gets sold multiple times,
unless there's honor among thieves!?
We wait for the other shoe to drop.
Steve Gibson* thinks "the WMF vulnerability in Windows was
neither a bug, nor a feature designed without security in
mind, but was actually an intentionally placed backdoor."
Read the transcript or listen to the half-hour podcast,
http://www.grc.com/sn/SN-022.htm
"what Windows did when it encountered this Escape function,
followed by the SETABORTPROC metafile record, was it jumped
immediately to the next byte of code and began to execute it.
That is, it was no longer interpreting my metafile records
record by record, which is the way metafiles are supposed to
be processed. You don't actually execute the metafile. As we
said before last week, and I think the week before, it's sort
of a script. It's a script of Windows graphics calls that allow
you to specify, you know, draw a rectangle from here to here,
draw a line from there to there. And it's in a nice sort of
device-independent fashion. So you don't run the code in the
metafile. But what Windows did when it encountered this
particular nonsensical sequence was to start executing the
next byte of code in the metafile." [...]
"So what I found was that, when I deliberately lied about the
size of this record and set the size to one and no other value,
and I gave this particular byte sequence that makes no sense
for a metafile, then Windows created a thread and jumped into
my code, began executing my code. Okay, Leo? This was not a
mistake. This is not buggy code. This was put into Windows
by someone."
* Gibson Research Corporation,
http://www.grc.com/default.htm
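
The record-by-record structure described in the quoted transcript, as an added example that is not part of the original post or of Gibson's work: a Python scanner that walks a WMF file's records purely as data and reports an Escape record that selects SETABORTPROC, or a record whose declared size cannot be valid (such as the size of one mentioned above). The record numbers 0x0626 (META_ESCAPE), 0x0009 (SETABORTPROC) and the header layout are taken from the published WMF format rather than from this page; `scan_wmf`, `record` and `build_sample` are hypothetical names, and the sample bytes are constructed and carry no payload.

```python
import struct

META_ESCAPE = 0x0626       # WMF record function: Escape
META_EOF = 0x0000          # WMF record function: end of file
SETABORTPROC = 0x0009      # escape function number carried in an Escape record
PLACEABLE_MAGIC = 0x9AC6CDD7

def scan_wmf(data: bytes) -> list:
    """Walk records as data only; return a list of finding strings."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                   # optional placeable header
    if len(data) < off + 18:
        return ["truncated header"]
    if struct.unpack_from("<H", data, off + 2)[0] != 9:
        return ["unexpected header size"]
    off += 18
    findings = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                findings.append(f"offset {off}: Escape record selects SETABORTPROC")
        # Never trust the declared size: a record is at least 3 words long.
        if size_words < 3 or off + size_words * 2 > len(data):
            findings.append(f"offset {off}: invalid record size {size_words}")
            break
        if func == META_EOF:
            break
        off += size_words * 2
    return findings

def record(func, params=b"", size_words=None):
    """Constructed record; size_words overrides the honest size field."""
    honest = (6 + len(params)) // 2
    return struct.pack("<IH", honest if size_words is None else size_words, func) + params

def build_sample(with_escape=True, escape_size_words=None):
    """Constructed test file: benign record, optional Escape record, EOF."""
    body = record(0x0103, struct.pack("<H", 8))    # META_SETMAPMODE
    if with_escape:
        body += record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0), escape_size_words)
    body += record(META_EOF)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 5, 0)
    return header + body

if __name__ == "__main__":
    for name, blob in [("clean", build_sample(False)), ("escape", build_sample()),
                       ("size=1", build_sample(True, 1))]:
        print(name, scan_wmf(blob))
```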