Tag: antivirus

  • Windows 98 WMF patch

    This hopefully will be my last post on the whole WMF exploit stuff… It’s prompted in part by a comment on one of the articles on Windows 98 and the vulnerability. I realized that I hadn’t really brought things to a full conclusion for the Windows 98 users. Of course, Microsoft has released an official patch for Windows 2000, XP and 2003, the sky is no longer falling quite as quickly and all is well, right? Well, not exactly for pre-2000 Windows users. They’ve just been told that they have a vulnerability, that it’s not as critical as it is for XP/2000/2003 and if it were critical – “oh we’d fix it there too”, but it’s not, so better luck next time (and who knows, the same vulnerability could come around more critical for earlier Windows versions next time…). Anyway, there IS a patch for Windows 98 systems.

  • More Fake security sites

    More sites that claim to be Windows Security Center or the like are popping up… a list:

    securitycaution(dot)com
    dnserror404(dot)com
    todaywarnings(dot)com
    updatesystempage(dot)com
    yoursecuritysystem(dot)com

    From sunbeltblog.

  • Makers of fake security software settle lawsuit

    The Security Fix has some news today on some bogus security software makers (the wolves in sheep’s clothing, as I tend to think of them…). Anyway, they’re settling deceptive trade practice charges that were brought by the FTC. SpywareAssassin and Spykiller were facing a civil suit over their ads, which invariably found infestations on a user’s PC and offered to clean it up for ~$30 or so.

  • Sober virus watch…

    Well, antivirus vendors and IT security folks are waiting now for the expected activation of the sober.y worm searching for new downloads and a new revision of the pest. Kaspersky’s log indicates the expected activation time is 00:00 GMT January 6th, which means here in the EST zone that would be 7PM EST… Of course many of the expected sites have been shut down. It appears that the virus will look periodically for sites to “upgrade” from for some time.

  • Microsoft OneCare and another unofficial patch

    Brian Krebs at the SecurityFix today has questions about Microsoft OneCare. In fact, with Microsoft saying that OneCare is “more than just antivirus” you wonder whether that’s just marketing speak, or if that’s really the case… He speculates about OneCare doing the registry patch that was a recommended workaround and a few other things related to OneCare.

  • Another update to exploit?

    I didn’t see this reported anywhere, but since yesterday, when there was an update to the Metasploit module for the WMF vulnerability, I think there’s been yet another update. I read yesterday that it had been updated and could evade all known IDS signatures. I downloaded the update to continue my Win98 testing. Then today I found that there was another update. I haven’t compared the old/new versions but can’t help but wonder if this means more scrambling of antivirus writers for new signatures to keep up.

  • Antivirus vs. WMF exploit

    There are a number of references out today to a December 31st article (on a study by AV-Test) about how well antivirus products were keeping up with the shifting signatures of the WMF exploits. There was a list of about 12 products that were at 100% detection. Unfortunately, the important point is that the original article was December 31st. I don’t know if there are new variations in the wild, but I DO know that the Metasploit module has changed and currently seems to evade detection from ClamAV. (Although ClamAV has caught up to the most recent batch of the exploit.)

  • WMF exploit virus detection revisited

    Yesterday, when I was testing the WMF exploit against a Windows 98 virtual machine, I sent samples through VirusTotal and the only antivirus product to detect each of them was “TheHacker” from Hacksoft. This evening I was revisiting the exploit (with the new rule for Metasploit) and saved 20 samples which I also tested with VirusTotal. The results this evening are better. This evening 4 antivirus products detected each one.

  • More testing on the second WMF exploit

    After my Windows 98 tests, which failed to exploit the system with either the first or the second vulnerability, I started wondering how well the antivirus companies were doing in detecting this second exploit variation. I had set up and updated Metasploit so I could test my Windows 98 SE install against the latest version of the exploit, and with each connection to the locally hosted page I got a new random file. After I collected five of these I ran them through virustotal.com to see how well detection has come in just 24 hours.

  • WMF vulnerability checker

    The same person that has given the New Year’s gift of an unofficial patch for the WMF exploit circulating has also provided a WMF vulnerability checker: download and install it, and it will tell you if you’re vulnerable. Post is available here. According to the first comment, it seems as though the vulnerability checker is triggering Norton’s auto-protect (Norton detects it as “Bloodhound.Exploit.56”), which is a good sign…
