WMF zero-day exploit first hand experience



Well, I’ve just spent the better part of 6 hours (maybe a bit more) “sacrificing” a virtual machine to the zero-day Windows Meta File (WMF) exploit and all the malware that comes in. I picked one site from the sunbeltblog list to infect the virtual machine with and can attest to it being quite nasty. I was able to get the virtual machine *mostly* clean. I still haven’t gone back over it to try and make sure, but I’ll be posting some details from the “fun” tomorrow.


It’s too late now to spend too much time documenting what I had to do to clean things up. I essentially hit the exploit site and got the red circle icon in the system tray with a white x that I’ve seen screen shots of. (In fact I had 4 instances loaded….) I saw at least one trick I haven’t run into first hand before.

It’s worth saying. If a system has been trojaned the best bet to make sure that it’s clean is to re-image it. Cleaning a system is something that is possible to miss files and leave something that the attacker(s) can use to re-enter the system and the fun begins again. I’ll try to pass along some details tomorrow. I’ve collected a few files I want to run through virustotal because clamav doesn’t seem to find anything wrong with them.

   Send article as PDF   

Similar Posts