WMF exploit virus detection revisited



Yesterday, when I was testing the WMF exploit against a Windows 98 virtual machine, I sent samples through VirusTotal, and the only antivirus product to detect each of them was “TheHacker” from Hacksoft. This evening I was revisiting the exploit (with the new rule for Metasploit) and saved 20 samples, which I also tested with VirusTotal. The results this evening are better. This evening, 4 antivirus products detected each one.


The four that detected each one are listed here:

Fortinet 2.54.0.0 01.02.2006 W32/WMF.fam!exploit
Kaspersky 4.0.2.24 01.03.2006 Exploit.Win32.IMG-WMF
NOD32v2 1.1349 01.02.2006 probably a variant of Win32/Exploit.WMF
TheHacker 5.9.2.067 01.02.2006 Exploit/WMF

Honorable mention (I lost count as to how many the next one detected, but they were the next best at detecting the vulnerability…)

Symantec 8.0 01.03.2006 Bloodhound.Exploit.56

For the record, I still can’t seem to prove that the current exploits work on Windows 98. I suspect that cmd not being available is part of the problem. I haven’t seen evidence, though, that there’s any attempt to render the files as a WMF (which would seem to be necessary to actually exploit the vulnerability). More on that in another post.
