WMF exploit virus detection revisited



Yesterday, when I was testing the WMF exploit against a Windows 98 virtual machine, I sent samples through virus total and the only antivirus product to detect each of them was “TheHacker” from hacksoft. This evening I was revisiting the exploit (with the new rule for metasploit) and saved 20 samples which I also tested with virustotal. The results this evening are better. This evening 4 antivirus products detected each one.


The four that detected each one are listed here:

Fortinet 2.54.0.0 01.02.2006 W32/WMF.fam!exploit
Kaspersky 4.0.2.24 01.03.2006 Exploit.Win32.IMG-WMF
NOD32v2 1.1349 01.02.2006 probably a variant of Win32/Exploit.WMF
TheHacker 5.9.2.067 01.02.2006 Exploit/WMF

Honorable mention (I lost count as to how many the next one detected, but they were the next best at detecting the vulnerability…)

Symantec 8.0 01.03.2006 Bloodhound.Exploit.56

For the record I still can’t seem to prove that the current exploits work on Windows 98. I suspect that since cmd isn’t available that’s part of the problem. I haven’t seen evidence though that there’s any attempt to render the files as a wmf (which would seem to be necessary to actually exploit the vulnerability.) More on that in another post.

   Send article as PDF   

Similar Posts