Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: hlecter on December 30, 2005, 01:18:08 PM

Title: WMF Vulnerability Avast! Official Confirmation
Post by: hlecter on December 30, 2005, 01:18:08 PM
Does Avast include signature for this exploit?

I think Avast is taking a very low profile in this matter.

I know there is a thread in the Virus forum with different suggestions, but I think Avast should give an official confirmation that Avast users are safe, or not?

Regards
Hannibal Lecter
Title: Re: WMF Vulnerability
Post by: TAP on December 30, 2005, 01:30:32 PM
As far as I know avast! is one of the first AVs to release a signature for this exploit.

http://forum.avast.com/index.php?topic=18295.0
Title: Re: WMF Vulnerability
Post by: hlecter on December 30, 2005, 01:35:08 PM
TAP:

Could you please quote the official answer to my question in that Thread?

Regards
Hannibal L
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: hlecter on December 30, 2005, 01:47:48 PM
TAP:

Your suggestion to include *.wmf in the URL block list is good, but according to MS Security Advisory 912840 it is possible for the files to be disguised as e.g. gif or another picture format.

Hannibal L
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: TAP on December 30, 2005, 01:55:27 PM
Quote
Your suggestion to include *.wmf in the URL block list is good, but according to MS Security Advisory 912840 it is possible for the files to be disguised as e.g. gif or another picture format.

See my post here (but I can't confirm if it's safe or not)
http://forum.avast.com/index.php?topic=18295.msg155892#msg155892

I can answer your question (the first one) about the signature for this exploit, but I can't give an official confirmation that avast users are safe. vlk or other Alwil staff are the right people to do so.

Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: hlecter on December 30, 2005, 02:08:42 PM
Vlk said in the thread I mentioned that Avast were working on it but that it would take some time to produce the signature.

What is the name Avast uses? Then I can check the virus list on the Avast site.
The last defs you can read there are from 28.12.

The defs from 29.12 are not specified.

We really need some official clarification.

Hannibal Lecter

Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: Sgt.Schumann on December 30, 2005, 02:11:28 PM
AFAIK, Avast! uses "Win32:Exdown [Trj]" for the exploit.
It was added on 28.12.
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: TAP on December 30, 2005, 02:13:29 PM
Quote
Vlk said in the thread I mentioned that Avast were working on it but that it would take some time to produce the signature.

What is the name Avast uses? Then I can check the virus list on the Avast site.
The last defs you can read there are from 28.12.

The defs from 29.12 are not specified.

We really need some official clarification.

As Sgt.Schumann said, and I have a sample of this exploit.
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: hlecter on December 30, 2005, 02:22:33 PM
Thank you all for convincing me!  :)

Hannibal Lecter
"Looking forward to my new year meal"
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: Sgt.Schumann on December 30, 2005, 02:28:55 PM
The quote from Vlk was *before* the update containing the signature for the exploit was deployed.
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: Zagor on December 30, 2005, 02:57:47 PM
Hi Hlecter  :D,

If I remember correctly, you and I recently had a nice chat at the aSquared Support Forum. You offered help about signature backup and while waiting for moderators to return we talked about casual stuff, remember? ;D

I'm so glad that you're a happy avast user! Well, if you need a chat again, please don't hesitate to return to one of the best forums on this matter  ;)

I'll say once more: "Have a pleasant meal"  8)
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: TAP on December 30, 2005, 03:02:16 PM
I just went to a website that contains this exploit, but avast! Web Shield protected me very well.
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: hlecter on December 30, 2005, 03:48:38 PM
Hi Zagor  :)

Yes, we meet again. The world isn't that big, is it?

I have been a happy Avast user for a very long time, but not very active on this forum, as you can see from my post count. Never needed help, I guess   ;).

But one thing I will say for sure: we will meet again.  ;)

Have a nice day (and a happy new year) if we don't meet again THIS YEAR!

TAP:
Could you please PM me the address of said website? Thank you!  ;D

Edit: I suppose you have removed *.wmf from URL blocking now, as it should not be necessary?
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: Zagor on December 30, 2005, 04:17:32 PM
Quote
Have a nice day (and a happy new year)

You too!  ;)
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: Chuck58 on December 30, 2005, 05:42:28 PM
Does AVAST's signature cover the current version of the WMF exploit that was found a couple of days ago, as reported here? Apparently this is the second incarnation of WMF and is pretty bad.

http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: Lisandro on December 30, 2005, 06:47:35 PM
Quote
Never needed help, I guess   ;).

Welcome anyway... If you could, just come here to help the others  8)
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: hlecter on December 30, 2005, 07:56:35 PM
Tech:

"Never needed help" was of course a joke.  :)

But to be serious:
Thanks for welcome. We all need help sometimes.

For me Avast has been pretty much "set and forget" for a couple of years.

I am a bit disappointed about Avast not informing more about the serious threat mentioned in this thread.    :'(

As you see from the thread, it took much digging to find out if this exploit was covered by Avast. I found the answer important, especially before I got the workaround from MS.
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: John- on December 30, 2005, 08:52:55 PM
I read about this virus a few days ago and I instantly set the "webshield" with a block on wmf files.
So I guess it should be OK for now,...thank god for the webshield function!

Funny, but I hardly use these kinds of files (as a graphical designer).  Some wmf files can be vectorized art,..so at work we sometimes have them when we download logos/images from a CD-ROM.

As you see, virus/malware/spyware writers become more and more clever!
The video that Vlk put on the forum was a very good illustration of what to expect!

greetings

John
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: Lisandro on December 30, 2005, 09:06:22 PM
Quote
I am a bit disappointed about Avast not informing more about the serious threat mentioned in this thread.    :'(

Why, if the VPS was updated and avast is protecting you...
On the contrary, as you can see, with WebShield you're more protected than with other antivirus products that do not offer this shield of protection.
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: hlecter on December 30, 2005, 10:58:22 PM
Quote
I read about this virus a few days ago and I instantly set the "webshield" with a block on wmf files.

Quote
On the contrary, as you can see, with WebShield you're more protected than with other antivirus products that do not offer this shield of protection.

That's fine, but then it would be natural for Avast as my antivirus provider to INFORM about this.   :-[

Webshield is ok, but the URL BLOCKLIST is EMPTY by default....   >:(

Microsoft informed about wmf files, not Avast.   :(

It is a question of information. Look at F-SECURE'S START PAGE ;D

I like Avast, but good things can also get better.  ;)

Hannibal Lecter
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: Zagor on December 30, 2005, 11:03:37 PM
Quote
but good things can also get better

Agree!

Ok, block the *.wmf & unionseek.com
Been there, done it!

My question is about wildcards in the case of unionseek.com (and for future reference). When you put the following:
*unionseek.com*
in the WebShield URL Blocking page, does it mean that the first wildcard represents just http:// or any ancestor domain, sibling domain and even the ftp protocol of unionseek.com?

In other words, will the WebShield block URLs that contain any text prior to the name -> unionseek.com?

P.S. It's obvious for the wildcard after the unionseek.com though.
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: Sgt.Schumann on December 30, 2005, 11:25:42 PM
AFAIK there are currently hundreds of servers with malicious WMF files out there, so simply blocking unionseek[dot]com would not be really effective.

Also, WMF files can be "hidden" with other image extensions (like .jpg).
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: Zagor on December 30, 2005, 11:28:09 PM
Yes of course,

but my interest was about the logic of the Web Shield provider, for future reference.

Maybe, someone from Alwil?
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: Dwarden on December 31, 2005, 12:39:09 AM
if there is a signature and detection in webshield then it should work on any type of file passing through it ...
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: Lisandro on December 31, 2005, 12:53:38 AM
Quote
But my interest was about the logic of the Web Shield provider, for future reference.

From the avast help file:
Quote
URLs to exclude: Use the Add button to enter the URL address that should be ignored. If you want to block a single page only, it is necessary to enter the full path. For example, if you add http://www.yahoo.com/index.html, only the page index.html will be excluded from scanning. If you enter http://www.yahoo.com/*, however, no pages starting with http://www.yahoo.com will be scanned. Similarly, if you do not want to scan a particular file type, e.g. files with txt extension, simply enter *.txt.

So, the * before will match all pages with the string unionseek[dot]com in the address.
The http:// is automatically added if you start with www, but not with the *.
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: Zagor on December 31, 2005, 01:19:57 AM
Quote
if there is a signature and detection in webshield then it should work on any type of file passing through it ...

Yes Dwarden, but what if I am the first one to experience the "pleasure" of a new variant of some wild creature from the outer-net :) due to not having the latest definition of it?

My opinion: better safe than sorry!
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: Zagor on December 31, 2005, 01:39:15 AM
Quote
So, the * before will match all pages with the string unionseek[dot]com in the address.
The http:// is automatically added if you start with www, but not with the *.

If I'm reading you right,

If set to block:   <*site.com*>

It will block:    <addons.site.com>, <products.site.com>, <http://www.site.com>, ...

And what about the FTP protocol? ftp://site.com, ...


Cool pic, btw ;)
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: Lisandro on December 31, 2005, 02:02:05 AM
Quote
If I'm reading you right,
If set to block:   <*site.com*>
It will block:    <addons.site.com>, <products.site.com>, <http://www.site.com>, ...

As far as I could understand, this is the behavior... Hope that someone from Alwil corrects me if I'm wrong.

Quote
And what about the FTP protocol? ftp://site.com, ...

No... WebShield works only with the HTTP protocol (not HTTPS, POP, SMTP, UDP, TCP, FTP...).
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: hlecter on December 31, 2005, 02:11:28 AM
Quote
if there is a signature and detection in webshield then it should work on any type of file passing through it ...

Quote
Yes Dwarden, but what if I am the first one to experience the "pleasure" of a new variant of some wild creature from the outer-net :) due to not having the latest definition of it?

My opinion: better safe than sorry!

My whole point is that URL blocking can be VERY useful in a case like this exploit.
BUT my disappointment concerning Avast is that they did not come forward with information on this, particularly in the period from when the exploit was widely known until the sigs were ready.

I guess the average user is not very well oriented on this option in Avast.

Hannibal
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: TAP on December 31, 2005, 02:50:59 AM
As far as I know this .WMF exploit can be renamed to any other extension (such as BMP, GIF, PNG, JPG, JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO) and it still works, so you have to make sure that Web Shield scans *every* graphic file extension by removing the following from the exception list:

image/gif
image/png

According to Andreas Marx of AV-Test, avast! offers 100% detection for this exploit.

It's in German: http://www.heise.de/newsticker/meldung/67848

Babel Fish Translation can help you get it in English.

http://babelfish.altavista.com/


.................................................................................

Andreas Marx of AV-Test carried out a short test with 73 different samples which are already common on the Internet.

The virus scanners of Avast!, BitDefender, ClamAV, F-Secure, Fortinet, McAfee, Nod32, Panda, Sophos, Symantec, Trend Micro and VirusBuster recognized all 73 as a security risk and could thus prevent an infection. eTrust (VET), QuickHeal, AntiVir, Dr. Web, Kaspersky and AVG nevertheless already identified just under 80%.

With fewer than 20 recognized samples, the detection performance of Command, F-Prot, Ewido, eSafe, Ikarus and VBA32 is at present still unsatisfactory. Standard to virus scanner malfunctioned not one file in this test completely and criticises.
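To make two points from this thread concrete (the wildcard rule in the help-file quote Lisandro posted, and TAP's warning that a renamed file slips past an extension-based block), here is an added example; it is not code from the thread or from Avast. It models the glob matching as the help file describes it, treats Web Shield as HTTP-only as Lisandro states, and adds a header check so WMF content is recognised whatever the file is called. BLOCK_LIST, the URLs and the byte samples are constructed; the WMF header values come from the file format itself.

```python
import fnmatch
import struct
from urllib.parse import urlsplit

# Constructed block list in the style discussed in this thread.
BLOCK_LIST = ["*.wmf", "*unionseek.com*"]

# WMF header values (from the file format, not from the thread): a placeable
# metafile starts with the key 0x9AC6CDD7 stored little-endian; a plain
# metafile starts with Type (1 = memory, 2 = disk), HeaderSize = 9 words and
# Version 0x0100 or 0x0300.
PLACEABLE_KEY = 0x9AC6CDD7


def url_blocked(url, block_list=BLOCK_LIST):
    """Assumed model of the help-file rule: each pattern is a glob matched
    against the whole URL, so '*.wmf' hits any URL ending in .wmf and
    '*unionseek.com*' hits any URL containing that string."""
    if urlsplit(url).scheme.lower() != "http":
        return False  # the thread states Web Shield covers HTTP only
    return any(fnmatch.fnmatchcase(url, pat) for pat in block_list)


def looks_like_wmf(data):
    """Content check: decide from the header bytes, never from the name."""
    if len(data) < 6:
        return False
    if struct.unpack("<I", data[:4])[0] == PLACEABLE_KEY:
        return True
    mtype, hdr_words, version = struct.unpack("<HHH", data[:6])
    return mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def needs_attention(url, body, block_list=BLOCK_LIST):
    """A response is flagged if either the URL rule or the sniff says so."""
    return url_blocked(url, block_list) or looks_like_wmf(body)


# Constructed samples: a placeable WMF header served under a .gif name,
# and a real GIF signature for comparison.
RENAMED_WMF = struct.pack("<I", PLACEABLE_KEY) + bytes(18)
PLAIN_GIF = b"GIF89a" + bytes(16)

if __name__ == "__main__":
    for url, body in [("http://example.test/pics/logo.gif", RENAMED_WMF),
                      ("http://example.test/pics/logo.gif", PLAIN_GIF),
                      ("http://example.test/clip.wmf", PLAIN_GIF)]:
        print(url, "url-rule:", url_blocked(url), "sniff:", looks_like_wmf(body),
              "flagged:", needs_attention(url, body))
```

The first sample shows the gap TAP describes: the `*.wmf` rule does not fire on logo.gif, but the header check does.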
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: Zagor on December 31, 2005, 03:08:20 AM
Would such scan of extra objects be a greater pain for system resources?
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: TAP on December 31, 2005, 03:14:52 AM
Quote
Would such scan of extra objects be a greater pain for system resources?

I haven't noticed any *greater* slow down in system performance or internet connection speed at all.
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: Zagor on December 31, 2005, 03:18:43 AM
Nice!  8)
Title: Re: WMF Vulnerability Avast! Official Confirmation
Post by: hlecter on January 04, 2006, 12:23:29 AM
Quote
The newest pattern did it for me. I hope avast did not just add the heise.de demo exploit to their pattern but has a more general approach to detecting variants of this exploit. There seem to be virus generators out in the wild that allow almost anybody to inject harmful code into wmf files.

Quote
No, this detection is really a generic detection of the "exploit" itself - the previous detections (Win32:Exdown) were removed from the database.

This is indeed the answer to the question I asked in this thread when I started it on 30.12.05. I asked for an official confirmation that the WMF exploit was covered by Avast!. As far as I can interpret this answer from another thread, there was NO generic detection at the time I raised the question the first time.  ;)

Why not answer that?  >:(

Well, now the answer to my question is indeed YES and I am again a happy Avast! user.  ;D


HL