2nd generation WMF exploit: status of the anti-virus products after one day.

Published: 2006-01-01
Last Updated: 2006-01-01 17:20:05 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
Yesterday in a colaborative effort, we sent a true 0-day sample of the 2nd generation WMF exploit to virustotal. As expected, no detections were made. The payload in that sample was a very basic, commonly known and available payload. So the payload might get detected without the exploit being detected. But even there, we had no such luck then.

We sent in a similar sample today.

The results are not all that good:
eTrust-Vet 01.01.2006 Win32/Worfo
McAfee 4664 01.01.2006 Exploit-WMF
Symantec 8.0 01.01.2006 Backdoor.Trojan

All the others failed to detect the sample.

Do note that the Symantec detect is most likely on the payload. That payload isn't what any of the bad guys playing with this will insert. They will insert far nastier and far less off-the-shelf stuff than what we did.

So for now you still have the best chance with following the advice in this diary entry.

Swa Frantzen

0 comment(s)


Diary Archives