WMF exploit virus detection revisited



Yesterday, when I was testing the WMF exploit against a Windows 98 virtual machine, I sent samples through virus total and the only antivirus product to detect each of them was “TheHacker” from hacksoft. This evening I was revisiting the exploit (with the new rule for metasploit) and saved 20 samples which I also tested with virustotal. The results this evening are better. This evening 4 antivirus products detected each one.


The four that detected each one are listed here:

Fortinet 2.54.0.0 01.02.2006 W32/WMF.fam!exploit
Kaspersky 4.0.2.24 01.03.2006 Exploit.Win32.IMG-WMF
NOD32v2 1.1349 01.02.2006 probably a variant of Win32/Exploit.WMF
TheHacker 5.9.2.067 01.02.2006 Exploit/WMF

Honorable mention (I lost count as to how many the next one detected, but they were the next best at detecting the vulnerability…)

Symantec 8.0 01.03.2006 Bloodhound.Exploit.56

For the record I still can’t seem to prove that the current exploits work on Windows 98. I suspect that since cmd isn’t available that’s part of the problem. I haven’t seen evidence though that there’s any attempt to render the files as a wmf (which would seem to be necessary to actually exploit the vulnerability.) More on that in another post.

Related Posts

Blog Traffic Exchange Related Posts
  • NEW exploit for the WMF vulnerability Just when you thought we had a good understanding of the recent zero-day WMF (Windows metafile exploit) it's worse. Sans is reporting on a new variation on the exploit released today. They have gone to yellow (again) to warn people. Here are some details. This exploit was "made by the......
  • Network Security guide for the home or small business network - Part 13 - Your own worst enemy Once upon a time I did an article about the biggest computer security vulnerability ever. I've also passed along the old "the most dangerous part of a car is the nut behind the wheel" joke. If you haven't got it yet, the computer user can be the "weakest link". Let's......
  • More WMF exploit testing on Windows 98 I've spent some more effort on trying to infect Windows 98 SE in a virtual machine with some of the exploit samples I can find. The first attempt was at a website with the .wmf download. No luck infecting the system there. Then, I've loaded up the image and visited......
Blog Traffic Exchange Related Websites
  • Forex Expert Adviser - A Good Program That's Versatile To Shifting Market Conditions Previously offered only to a private trading group, this EA (Expert Adviser) is now publicly obtainable. This Expert Adviser has been matched against other EA's within the marketplace and outperformed every single one of them. The key to success of this application is that it is flexible to shifting market......
  • Microsoft Security Bulletin MS10-046 - Critical Microsoft Security Bulletin MS10-046 - Critical Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198) Published: August 02, 2010¬†|¬†Updated: August 03, 2010 Version: 1.1 General Information Executive Summary This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon......
  • Microsoft Security Bulletin Summary for September 2010 - Issued: September 14, 2010 ******************************************************************** Microsoft Security Bulletin Summary for September 2010 Issued: September 14, 2010 ******************************************************************** This bulletin summary lists security bulletins released for September 2010. The full version of the Microsoft Security Bulletin Summary for September 2010 can be found at http://www.microsoft.com/technet/security/bulletin/ms10-sep.mspx. With the release of the bulletins for September 2010, this......
en.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site