WMF zero-day exploit first hand experience



Well, I’ve just spent the better part of 6 hours (maybe a bit more) “sacrificing” a virtual machine to the zero-day Windows Metafile (WMF) exploit and all the malware that comes with it. I picked one site from the sunbeltblog list to infect the virtual machine with and can attest to it being quite nasty. I was able to get the virtual machine *mostly* clean. I still haven’t gone back over it to try and make sure, but I’ll be posting some details from the “fun” tomorrow.


It’s too late now to spend too much time documenting what I had to do to clean things up. I essentially hit the exploit site and got the red circle icon with a white x in the system tray that I’ve seen screenshots of. (In fact I had 4 instances loaded.) I saw at least one trick I haven’t run into first hand before.

It’s worth saying: if a system has been trojaned, the best bet to make sure that it’s clean is to re-image it. Cleaning a system can miss files and leave something the attacker(s) can use to re-enter the system, and the fun begins again. I’ll try to pass along some details tomorrow. I’ve collected a few files I want to run through VirusTotal because ClamAV doesn’t seem to find anything wrong with them.
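Before uploading collected files anywhere, it helps to hash them (so they can be looked up by digest first) and to check any WMF files for the record the exploit actually rides on. The script below is an added example, not code from this post or from the author; it assumes the publicly documented trigger for this zero-day, a META_ESCAPE record (function 0x0626) whose escape function is SETABORTPROC (0x0009), and it builds its own constructed sample files rather than using anything captured from the infected VM.

```python
"""Triage helper for WMF samples pulled off an infected host.

Added example (not from the original post). Assumption: the trigger is a
META_ESCAPE record (0x0626) whose first parameter is SETABORTPROC (0x0009).
A file carrying such a record is suspicious no matter what the AV says.
"""
import hashlib
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte Aldus placeable header
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
META_EOF = 0x0000
META_SETMAPMODE = 0x0103       # harmless record used for the benign sample


def hashes(data: bytes) -> dict:
    """Digest a sample so it can be looked up by hash before uploading it."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def wmf_records(data: bytes):
    """Yield (function, params) for each record in a WMF file."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                    # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("too short for a WMF header")
    file_type, header_words, _version = struct.unpack_from("<HHH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    off += 18                                       # standard header is 9 words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        rec_len = size_words * 2
        if rec_len < 6:                             # malformed size: stop, don't spin
            break
        yield func, data[off + 6:off + rec_len]
        if func == META_EOF:
            break
        off += rec_len


def has_setabortproc(data: bytes) -> bool:
    """True if any META_ESCAPE record asks for SETABORTPROC."""
    for func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                return True
    return False


def triage(data: bytes) -> dict:
    """Hashes plus a verdict; parse failures are reported, not swallowed."""
    result = hashes(data)
    try:
        result["setabortproc"] = has_setabortproc(data)
    except ValueError as exc:
        result["setabortproc"] = None
        result["error"] = str(exc)
    return result


def build_wmf(records, placeable: bool = False) -> bytes:
    """Assemble a minimal WMF from (function, params) pairs: constructed test data."""
    body = b"".join(struct.pack("<IH", (6 + len(p)) // 2, f) + p for f, p in records)
    body += struct.pack("<IH", 3, META_EOF)
    max_rec = max([(6 + len(p)) // 2 for _, p in records] + [3])
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    prefix = b""
    if placeable:
        prefix = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0)
    return prefix + hdr + body


# Constructed samples: a benign file and one carrying the SETABORTPROC escape.
GOOD_SAMPLE = build_wmf([(META_SETMAPMODE, struct.pack("<H", 8))])
BAD_SAMPLE = build_wmf(
    [(META_SETMAPMODE, struct.pack("<H", 8)),
     (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x90\x90\x90\x90")],
    placeable=True)

if __name__ == "__main__":
    for label, sample in (("benign", GOOD_SAMPLE), ("suspicious", BAD_SAMPLE)):
        print(label, triage(sample))
```

Run it against a directory of collected files by reading each one and calling `triage()`; a `setabortproc` of `True` is worth reporting even when a scanner returns nothing, and `None` with an `error` means the file is not a well-formed WMF at all, which for a file pulled from an exploit site is itself worth a closer look.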


One Response to “WMF zero-day exploit first hand experience”

  1. The PC Doctor Says:

    More on the Windows Meta File exploit

    Here are a few more interesting and useful links about the Windows Meta File exploit recently discovered in Windows.
    First is an advisory from Microsoft – Security Advisory (912840) Vulnerability in Graphics Rendering Engine Could Allow Remote Code E…