Yesterday, when I was testing the WMF exploit against a Windows 98 virtual machine, I sent samples through virus total and the only antivirus product to detect each of them was “TheHacker” from hacksoft. This evening I was revisiting the exploit (with the new rule for metasploit) and saved 20 samples which I also tested with virustotal. The results this evening are better. This evening 4 antivirus products detected each one.
The four that detected each one are listed here:
Fortinet 188.8.131.52 01.02.2006 W32/WMF.fam!exploit
Kaspersky 184.108.40.206 01.03.2006 Exploit.Win32.IMG-WMF
NOD32v2 1.1349 01.02.2006 probably a variant of Win32/Exploit.WMF
TheHacker 5.9.2.067 01.02.2006 Exploit/WMF
Honorable mention (I lost count as to how many the next one detected, but they were the next best at detecting the vulnerability…)
Symantec 8.0 01.03.2006 Bloodhound.Exploit.56
For the record I still can’t seem to prove that the current exploits work on Windows 98. I suspect that since cmd isn’t available that’s part of the problem. I haven’t seen evidence though that there’s any attempt to render the files as a wmf (which would seem to be necessary to actually exploit the vulnerability.) More on that in another post.
Related PostsRelated Posts
- NEW exploit for the WMF vulnerability Just when you thought we had a good understanding of the recent zero-day WMF (Windows metafile exploit) it's worse. Sans is reporting on a new variation on the exploit released today. They have gone to yellow (again) to warn people. Here are some details. This exploit was "made by the......
- Google as a tool for crackers Google is a search tool which I use literally every day. Sometimes it's multiple times per day. Sometimes I can't imagine how I would function without being able to do a quick google search. There are some features that I don't often use and in some ways have promised myself......
- Version 2 of the WMF exploit vs Windows 98 SE Ok, I wasn't quite satisfied with the results of the tests against the first version of the WMF (Windows Metafile) zero day exploit that's now up to 4 or 5 days or so... Windows 98 is listed as being vulnerable, but there are no patches or workarounds currently available for......
- How many people make more than $250,000 per year? [The following is an article from Kosmo at The Soap Boxers. The site has a variety of content covering many topics. He has previously analyzed tax return data leading to articles such as How Many People Don't Pay Taxes and What Percent of Taxes are Paid by the Rich.] The......
- Household Ventilation There is a renewed need for mechanical filtration in our homes, as the technology that has become part of the house helps to work more efficiently, leading to a need for maintain air quality in much tighter quarters. This need is very significant, as the American Lung Association has compiled......
- Microsoft Security Advisory (2286198): Vulnerability in Windows Shell Could Allow Remote Code Execution Vulnerability in Windows Shell Could Allow Remote Code Execution Published: July 16, 2010 Version: 1.0 General Information Executive Summary Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as......
- More testing on the second WMF exploit
- Windows 98 and the WMF exploit
- Serious Symantec Antivirus Vulnerability
- More WMF exploit testing on Windows 98
- Lack of working exploit does not mean Windows 98 is safe