More testing on the second WMF exploit



After my Windows 98 tests, which failed to exploit the system with either the first or the second vulnerability, I started wondering how well the antivirus companies were doing in detecting this second exploit variation. I had set up and updated Metasploit so I could test my Windows 98 SE install against the latest version of the exploit, and with each connection to the locally hosted page I got a new random file. After I collected five of these, I ran them through virustotal.com to see how well detection has come in just 24 hours.


Unfortunately, I don’t think things have improved much in the way of detection since this time yesterday. There was only one antivirus program to raise a red flag at each file: “TheHacker 5.9.2.066 01.01.2006 Exploit/WMF”. For two of the files, this was the only scanning engine to detect it as malware. The other three were a bit more widely detected (McAfee and Bitdefender, then Symantec did fairly well).

Unfortunately, due to the pseudo-random nature of this second exploit, antivirus software will likely be hard-pressed to come up with good ways to detect it, but TheHacker, from http://www.hacksoft.com.pe/ (based in Peru), has done a good job at this point of dealing with the task.

As I was finishing up the article, I thought I’d throw one more at virustotal, and for the last one, only Symantec and TheHacker detected it… again, good job, Hacksoft.
