WMF exploit virus detection revisited



Yesterday, when I was testing the WMF exploit against a Windows 98 virtual machine, I sent samples through virus total and the only antivirus product to detect each of them was “TheHacker” from hacksoft. This evening I was revisiting the exploit (with the new rule for metasploit) and saved 20 samples which I also tested with virustotal. The results this evening are better. This evening 4 antivirus products detected each one.


The four that detected each one are listed here:

Fortinet 2.54.0.0 01.02.2006 W32/WMF.fam!exploit
Kaspersky 4.0.2.24 01.03.2006 Exploit.Win32.IMG-WMF
NOD32v2 1.1349 01.02.2006 probably a variant of Win32/Exploit.WMF
TheHacker 5.9.2.067 01.02.2006 Exploit/WMF

Honorable mention (I lost count as to how many the next one detected, but they were the next best at detecting the vulnerability…)

Symantec 8.0 01.03.2006 Bloodhound.Exploit.56

For the record I still can’t seem to prove that the current exploits work on Windows 98. I suspect that since cmd isn’t available that’s part of the problem. I haven’t seen evidence though that there’s any attempt to render the files as a wmf (which would seem to be necessary to actually exploit the vulnerability.) More on that in another post.

Related Posts

Blog Traffic Exchange Related Posts
  • NEW exploit for the WMF vulnerability Just when you thought we had a good understanding of the recent zero-day WMF (Windows metafile exploit) it's worse. Sans is reporting on a new variation on the exploit released today. They have gone to yellow (again) to warn people. Here are some details. This exploit was "made by the......
  • More testing on the second WMF exploit After my Windows 98 tests which failed to exploit the system with either the first or the second vulnerability, I started wondering how well the antivirus companies were doing in detecting this second exploit variation. I had setup and updated metasploit so I could test my Windows 98 SE install......
  • Network Security guide for the home or small business network - Part 13 - Your own worst enemy Once upon a time I did an article about the biggest computer security vulnerability ever. I've also passed along the old "the most dangerous part of a car is the nut behind the wheel" joke. If you haven't got it yet, the computer user can be the "weakest link". Let's......
Blog Traffic Exchange Related Websites
  • Microsoft Security Bulletin Summary for September 2010 - Issued: September 14, 2010 ******************************************************************** Microsoft Security Bulletin Summary for September 2010 Issued: September 14, 2010 ******************************************************************** This bulletin summary lists security bulletins released for September 2010. The full version of the Microsoft Security Bulletin Summary for September 2010 can be found at http://www.microsoft.com/technet/security/bulletin/ms10-sep.mspx. With the release of the bulletins for September 2010, this......
  • Unseeded Champion Wins the Legg Mason Tennis Classic There is never a greater victory in tennis than when a relatively unheard of tennis player rises to the occasion and wins the title at a tournament. This is what happened this week at the Legg Mason Tennis Classic. Those in the audience watched as Radek Stepanek took the title......
  • Forex Expert Adviser - A Good Program That's Versatile To Shifting Market Conditions Previously offered only to a private trading group, this EA (Expert Adviser) is now publicly obtainable. This Expert Adviser has been matched against other EA's within the marketplace and outperformed every single one of them. The key to success of this application is that it is flexible to shifting market......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site