Author Topic: WMF exploit problem  (Read 20144 times)


Offline Reiner

  • Jr. Member
  • **
  • Posts: 53
  • I'm a llama!
WMF exploit problem
« on: January 02, 2006, 08:34:09 PM »
Hi,

I just tried the browser check of the german online service of the c't computer magazine (http://www.heise.de/security/dienste/browsercheck/demos/ie/wmf.shtml) where you can check how your browser or e-mail program behaves regarding the WMF exploit.

My first check was to see if Avast web protection was working. Unfortunately, my avast installation gave no warning. Then I tried the e-mail check, where the online site sends you an e-mail with an infected file with a jpg extension. Even this was not discovered by my avast installation (I updated my system before I made the tests). I downloaded the file and did an explicit scan on the file. No result.

What is wrong with my avast installation that it misses files with the WMF exploit?

Regards

Reiner

Offline Riker

  • Jr. Member
  • **
  • Posts: 26
  • The Star's the Limit
Re: WMF exploit problem
« Reply #1 on: January 02, 2006, 08:52:07 PM »
I can confirm that Avast doesn't recognize this "Test-Sample" with the Email-Scanner and On-Access.

I tried the Mail-Sample http://www.heise.de/security/dienste/emailcheck/demos/go.shtml?mail=wmf

Carsten
MCSA

Offline Reiner

  • Jr. Member
  • **
  • Posts: 53
  • I'm a llama!
Re: WMF exploit problem
« Reply #2 on: January 02, 2006, 09:20:38 PM »
Hi,

is there anybody else who can verify? If avast is not able to discover similar files, I'd like to know, because then I need to secure my system in another way.

So far I was really satisfied with avast, but knowing the limits of a program is necessary to protect my system.

Regards Reiner

Offline JimF

  • Jr. Member
  • **
  • Posts: 21
Re: WMF exploit problem
« Reply #3 on: January 02, 2006, 09:27:39 PM »
Neither of the tests worked for me either.  But since they are benign, maybe avast! does not include them in their signatures.  I would not panic yet.

Offline Sgt.Schumann

  • Jr. Member
  • **
  • Posts: 72
  • Men of the '303'
Re: WMF exploit problem
« Reply #4 on: January 02, 2006, 09:37:22 PM »
Maybe also look at this thread:
http://forum.avast.com/index.php?topic=18295.0

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32613
  • malware fighter
Re: WMF exploit problem
« Reply #5 on: January 02, 2006, 09:41:15 PM »
Hi guys,

Maybe these benign signatures are not recognized.
I checked both hyperlinks with the DrWeb hyperlink pre-scanner, and both came up clear. Notice that Avast already has 73 signatures for various varieties of the exploit. Elsewhere on this forum you can read how to block *.wmf in Avast and how to put sources of infection into a blocklist, see: http://forum.avast.com/index.php?topic=18295.0
Sorry Sgt.Schumann, I was just a little later. D.

polonus
« Last Edit: January 02, 2006, 09:44:12 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Reiner

  • Jr. Member
  • **
  • Posts: 53
  • I'm a llama!
Re: WMF exploit problem
« Reply #6 on: January 02, 2006, 09:51:55 PM »
Hi,

if the demo exploits on the heise web site are not discovered, I think it is very likely that other, more threatening exploits in the wild are not discovered either.

I doubt that avast excludes "friendly" exploits which just demonstrate the possibilities. If a demonstration of an exploit is proven by web sites like the heise web site, it just shows that other exploits may not be discovered by avast or other scanners. At work the McAfee scanner, however, discovered the heise demonstration.

Reiner

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32613
  • malware fighter
Re: WMF exploit problem
« Reply #7 on: January 02, 2006, 09:56:16 PM »
Hello Reiner,

Maybe if you did download this exploit demo, you could try and upload it to Jotti.de or to VirusTotal, just to see which virus scanners detect it, as you say that some do. Would be interesting to know, ;D

greetings,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Reiner

  • Jr. Member
  • **
  • Posts: 53
  • I'm a llama!
Re: WMF exploit problem
« Reply #8 on: January 02, 2006, 10:02:57 PM »
Hi Polonus,

just go to the heise web site, there you can download it. In the meantime I installed the (unofficial) patch by Ilfak Guilfanov. This has been tested by the Internet Storm Center (sans.org).

Reiner

Offline Technodrome

  • Jr. Member
  • **
  • Posts: 52
Re: WMF exploit problem
« Reply #9 on: January 02, 2006, 10:04:09 PM »
AntiVir   6.33.0.70   01.02.2006   no virus found
Avast   4.6.695.0   01.02.2006   no virus found
AVG   718   01.02.2006   no virus found
Avira   6.33.0.70   01.02.2006   no virus found
BitDefender   7.2   01.01.2006   Exploit.Win32.WMF-PFV
CAT-QuickHeal   8.00   01.02.2006   no virus found
ClamAV   devel-20051123   01.02.2006   Exploit.WMF.Gen-3
DrWeb   4.33   01.02.2006   no virus found
eTrust-Iris   7.1.194.0   01.01.2006   no virus found
eTrust-Vet   12.4.1.0   01.01.2006   Win32/Worfo
Ewido   3.5   01.02.2006   no virus found
Fortinet   2.54.0.0   01.02.2006   W32/WMF!exploit
F-Prot   3.16c   01.02.2006   no virus found
Ikarus   0.2.59.0   01.02.2006   no virus found
Kaspersky   4.0.2.24   01.02.2006   Exploit.Win32.IMG-WMF
McAfee   4665   01.02.2006   Exploit-WMF
NOD32v2   1.1349   01.02.2006   probably a variant of Win32/Exploit.WMF
Norman   5.70.10   12.31.2006   no virus found
Panda   9.0.0.4   01.02.2006   Exploit/WMF
Sophos   4.01.0   01.02.2006   no virus found
Symantec   8.0   01.02.2006   no virus found
TheHacker   5.9.2.067   01.02.2006   Exploit/WMF
UNA   1.83   01.02.2006   no virus found
VBA32   3.10.5   01.01.2006   no virus found


Most of these detections are possible with generic signatures. Hopefully Alwil team will release something similar.


tD
« Last Edit: January 02, 2006, 10:08:00 PM by Technodrome »
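As an added illustration of what a "generic" detection for this exploit looks like (example code written for this thread, not avast's engine or any of the scanners in the list), the Python below parses a WMF record list and flags the record type the vulnerability is triggered through, a META_ESCAPE record carrying the SETABORTPROC escape; that detail is documented knowledge about the WMF bug, not something stated in the thread. It also reports WMF content that hides behind another extension, as in the .jpg e-mail sample Reiner describes; the test vectors are constructed here, not the heise samples.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte Aldus placeable header
META_ESCAPE = 0x0626          # WMF record type for printer escapes
META_EOF = 0x0000
SETABORTPROC = 0x0009         # escape subfunction abused by the WMF exploit

def record_offset(data):
    """Offset of the first record if data parses as a WMF header, else None."""
    off = 22 if data[:4] == struct.pack("<I", PLACEABLE_MAGIC) else 0
    if len(data) < off + 18:
        return None
    hdr_type, hdr_size = struct.unpack_from("<HH", data, off)
    if hdr_type not in (1, 2) or hdr_size != 9:  # 1 = memory, 2 = disk metafile
        return None
    return off + 18

def wmf_findings(data):
    """Walk the record list and flag a SETABORTPROC escape (the exploit trigger)."""
    findings, off = [], record_offset(data)
    if off is None:
        return findings
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:  # record too small to hold its own size+function fields
            findings.append("malformed record size at offset %d" % off)
            break
        if func == META_EOF:
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                findings.append("META_ESCAPE/SETABORTPROC record at offset %d" % off)
        off += size_words * 2
    return findings

def scan(filename, data):
    """Report the record findings plus WMF content hiding behind another extension."""
    findings = wmf_findings(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if record_offset(data) is not None and ext != "wmf":
        findings.append("WMF content behind .%s extension" % ext)
    return findings

# Constructed test vectors (not the heise samples): an 18-byte standard header
# followed by records; record sizes are in 16-bit words as the format requires.
HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
EOF_REC = struct.pack("<IH", 3, META_EOF)
ESC_REC = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)
BENIGN = HEADER + EOF_REC
SUSPECT = HEADER + ESC_REC + EOF_REC
```

Calling `scan("picture.jpg", SUSPECT)` returns both findings, while `scan("harmless.wmf", BENIGN)` returns an empty list; a signature-based scanner that only hashes known samples would miss the first case, which is the gap the generic approach closes.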

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67275
Re: WMF exploit problem
« Reply #10 on: January 03, 2006, 02:52:00 AM »
Quote
Most of these detections are possible with generic signatures. Hopefully Alwil team will release something similar.

Welcome back tECHNODROME  ;)
You've not been around for a while...  ::)
As far as I find in these forums, Alwil team does not intend (in a short period) to implement heuristic (generic) scanning.
The best things in life are free.

Offline Technodrome

  • Jr. Member
  • **
  • Posts: 52
Re: WMF exploit problem
« Reply #11 on: January 03, 2006, 05:47:57 AM »
Quote
Welcome back tECHNODROME  ;)
You're not being round for a while...  ::)
As far I find in these forums, Alwil team does not intend (in a short period) to implement heuristic (generic) scanning.

How have you been, and happy New Year?

But they already use generic malware detection.  ;)



tD

Offline Reiner

  • Jr. Member
  • **
  • Posts: 53
  • I'm a llama!
Re: WMF exploit problem
« Reply #12 on: January 03, 2006, 08:17:17 AM »
Hi,

I don't know if it is a problem regarding heuristic scanning. I think it is more an issue how and in what way a virus/exploit code is detected.

Reiner

Offline curious!

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 531
Re: WMF exploit problem
« Reply #13 on: January 03, 2006, 06:00:18 PM »
Happy New Year to all!

I can confirm that both the webshield and standard shield on my machine give me a warning on said page.

The malware is named WMF Exploit.

I have to turn off the webshield to test the standard shield!  ;D

Good work Alwil!  :)

Hannibal Lecter

Offline Spiritsongs

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1757
  • Ad-aware orientated Support forum(s)
Re: WMF exploit problem
« Reply #14 on: January 03, 2006, 06:43:29 PM »
 :) The following was posted on the freedomlist.com antiSPYWARE forums yesterday :
"
There is one critical thing you need to do, however, and that is to install the temporary patch from Ilfak to protect your computer from the Microsoft Windows Media Format (WMF) Zero Day Exploit (See WMF FAQ  here ).

FIX DIRECT DOWNLOAD LINK:  http://www.hexblog.com/security/files/wmffix_hexblog13.exe 
Fix Described Here:  http://www.hexblog.com/2005/12/wmf_vuln.html 

VULNERABILITY CHECKER DIRECT DOWNLOAD LINK:  http://www.hexblog.com/security/files/wmf_checker_hexblog.exe 
Checker Described here:  http://www.hexblog.com/2006/01/wmf_vulnera....html#more 

The temporary patch can be uninstalled via Add/Remove programs after Microsoft provides a solution to this exploit. "

For the Best in what counts in Life :
www.tacf.org