WMF exploit virus detection revisited



Yesterday, when I was testing the WMF exploit against a Windows 98 virtual machine, I sent samples through VirusTotal and the only antivirus product to detect each of them was “TheHacker” from Hacksoft. This evening I was revisiting the exploit (with the new rule for Metasploit) and saved 20 samples, which I also tested with VirusTotal. The results this evening are better: 4 antivirus products detected each one.


The four that detected each one are listed here (product, engine version, signature date, detection name):

Fortinet     2.54.0.0    01.02.2006   W32/WMF.fam!exploit
Kaspersky    4.0.2.24    01.03.2006   Exploit.Win32.IMG-WMF
NOD32v2      1.1349      01.02.2006   probably a variant of Win32/Exploit.WMF
TheHacker    5.9.2.067   01.02.2006   Exploit/WMF

Honorable mention (I lost count as to how many the next one detected, but it was the next best at detecting the vulnerability…):

Symantec     8.0         01.03.2006   Bloodhound.Exploit.56

For the record, I still can’t seem to prove that the current exploits work on Windows 98. I suspect that since cmd isn’t available, that’s part of the problem. I haven’t seen evidence, though, that there’s any attempt to render the files as a WMF (which would seem to be necessary to actually exploit the vulnerability). More on that in another post.
