WMF exploit virus detection revisited



Yesterday, when I was testing the WMF exploit against a Windows 98 virtual machine, I sent samples through VirusTotal and the only antivirus product to detect each of them was “TheHacker” from Hacksoft. This evening I was revisiting the exploit (with the new rule for Metasploit) and saved 20 samples, which I also tested with VirusTotal. The results this evening are better: four antivirus products detected every one of the 20 samples.


The four that detected each one are listed here:

Antivirus   Version     Update       Result
Fortinet    2.54.0.0    01.02.2006   W32/WMF.fam!exploit
Kaspersky   4.0.2.24    01.03.2006   Exploit.Win32.IMG-WMF
NOD32v2     1.1349      01.02.2006   probably a variant of Win32/Exploit.WMF
TheHacker   5.9.2.067   01.02.2006   Exploit/WMF

Honorable mention (I lost count of how many of the samples this one detected, but it was the next best at detecting the exploit files…):

Antivirus   Version     Update       Result
Symantec    8.0         01.03.2006   Bloodhound.Exploit.56

For the record, I still can’t seem to prove that the current exploits work on Windows 98. I suspect that cmd not being available is part of the problem. I haven’t seen evidence, though, that there is any attempt to render the files as a WMF, which would seem to be necessary to actually exploit the vulnerability. More on that in another post.
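The detection names above are signature hits on the sample files themselves, and whether a file is ever handed to the WMF renderer decides whether it can do anything. As an added example that is not from this post or from any of the antivirus products named, here is a small structural check written from the public MS-WMF record layout: it walks the metafile records, flags META_ESCAPE records carrying the SETABORTPROC escape function that the MS06-001 exploit files relied on, and reports malformed record sizes instead of guessing. The sample metafiles are constructed inline, and the function and constant names are my own; this is a heuristic, not the logic of any named engine.

```python
import struct
from typing import List, Tuple

# WMF constants from the public MS-WMF record layout.
PLACEABLE_MAGIC = 0x9AC6CDD7      # optional 22-byte "placeable" header in front of META_HEADER
META_HEADER_SIZE = 18             # bytes; the HeaderSize field is 9 WORDs
META_EOF = 0x0000
META_SETMAPMODE = 0x0103          # harmless records used in the constructed samples
META_SETWINDOWEXT = 0x020C
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009             # escape function fixed by MS06-001; no business in an image file
MAX_RECORDS = 100_000             # guard against size-field games in hostile input

def parse_records(data: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk the record stream; return [(offset, function, params)] up to and including META_EOF.
    Raises ValueError on anything that is not a sane WMF rather than guessing."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                   # skip the placeable header
    if len(data) < off + META_HEADER_SIZE:
        raise ValueError("truncated WMF header")
    file_type, header_words, _version = struct.unpack_from("<HHH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    off += META_HEADER_SIZE
    records: List[Tuple[int, int, bytes]] = []
    while off + 6 <= len(data):
        # Size is in WORDs and includes the 6 bytes of Size + RecordFunction.
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError(f"record at {off} has impossible size {size_words}")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f"record at {off} runs past end of file")
        records.append((off, func, data[off + 6:end]))
        if func == META_EOF:
            return records
        if len(records) >= MAX_RECORDS:
            raise ValueError("too many records")
        off = end
    raise ValueError("no META_EOF record")

def find_abortproc_escapes(data: bytes) -> List[int]:
    """Offsets of META_ESCAPE records whose EscapeFunction is SETABORTPROC."""
    hits = []
    for off, func, params in parse_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            escape_func, _byte_count = struct.unpack_from("<HH", params, 0)
            if escape_func == SETABORTPROC:
                hits.append(off)
    return hits

def classify(data: bytes) -> str:
    """'clean', 'suspicious', or 'malformed: <reason>' for a file handed to the scanner."""
    try:
        hits = find_abortproc_escapes(data)
    except ValueError as exc:
        return f"malformed: {exc}"
    return "suspicious" if hits else "clean"

# --- constructed fixtures (not real samples from the post) ---
def _record(func: int, params: bytes = b"") -> bytes:
    assert len(params) % 2 == 0, "WMF records are WORD-aligned"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def _wmf(records: List[bytes]) -> bytes:
    body = b"".join(records)
    total_words = (META_HEADER_SIZE + len(body)) // 2
    max_record_words = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300,
                         total_words & 0xFFFF, total_words >> 16, 0, max_record_words, 0)
    return header + body

CLEAN_SAMPLE = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)),
                     _record(META_SETWINDOWEXT, struct.pack("<hh", 100, 100)),
                     _record(META_EOF)])
PLACEABLE_CLEAN_SAMPLE = struct.pack("<I", PLACEABLE_MAGIC) + b"\x00" * 18 + CLEAN_SAMPLE
SUSPICIOUS_SAMPLE = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)),
                          _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)),  # empty escape payload
                          _record(META_EOF)])
ZERO_SIZE_SAMPLE = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)),
                         struct.pack("<IH", 0, META_ESCAPE),   # Size field lies (0 WORDs)
                         _record(META_EOF)])

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_SAMPLE), ("placeable", PLACEABLE_CLEAN_SAMPLE),
                       ("suspicious", SUSPICIOUS_SAMPLE), ("zero-size", ZERO_SIZE_SAMPLE)]:
        print(f"{name:10s} -> {classify(blob)}")
```

The check is deliberately strict about record sizes: the record walker refuses sizes below the 3-WORD minimum and records that run past the end of the file, which is where a sloppy parser would read garbage, and it treats a file that is not a metafile at all as malformed rather than clean, so the scanner's answer only means something for files that actually parse as WMF.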
