Re: Taking off the gloves, help me get punched out in Security http://www.dslreports.com/forum/r15165697 en Sun, 06 Dec 2009 06:15:20 EDT Sun, 06 Dec 2009 06:15:20 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15174515 Iridium : If I have a VMWare image running XP Pro can I get in on it? ]]> http://www.dslreports.com/forum/remark,15174515 Thu, 05 Jan 2006 06:17:40 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15173701 jferello : Well I downloaded the test files and tried to view the directory they were in and my system locks up for about 30 seconds and the I get a message from DEP stating it has stopped the program. Then I get an error from Explorer.exe saying it needs to close, I close out and then it restarts explorer.exe and I come back to the desktop. Also, not once did my AV program ask me anything, also I scanned the ZIP file and it said all clean.

What does this mean? I never saw any processes for notepad at anytime, so does this mean I am safe?

System:
Windows XP Pro SP2 with all updates
Symantec Antivirus Corporate Edition v10.0.2.2000 with latest defs from today and set to scan all files.
--
I never thought something so simple would be so hard to find.......]]> http://www.dslreports.com/forum/remark,15173701 Thu, 05 Jan 2006 00:46:56 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15172488 psloss :
said by norwegian See Profile :

Link Logger, you don't have an OEM copy sitting around do you ? psloss asked a question about %allusers%/startup, and the ability to add shortcuts from a limited user

--»Who else is having fun with OEM security defaults?

I was wondering, if you created a shortcut there that linked so that when the exploit came in, it could have access to this, and see if it made any difference, being that you are still limited.
It should be possible to reason that out: if a process running with limited user credentials was exploited via this vulnerability AND all limited users (or all users -- "Everyone") have write access to the "%ALLUSERSPROFILE%\Start Menu\Programs\Startup" directory, then an exploit with the logic that ZOverLord noted earlier could add itself there and would be escalated to admin the next time an admin logged into the system interactively. Although copying an "infected" WMF there would probably also work, it wouldn't be necessary to drop another WMF file in the startup folder.

The opportunity to do that kind of privilege escalation is not unique to the problems with WMF, but they present a big opportunity right now...

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,15172488 Wed, 04 Jan 2006 22:14:20 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15171771 jbob : In testing ZOverLord's updated files My AV fails at this time. Using Symantec Client Security(Symantec Corp AV v10.0.2.2001) with todays defs set to scan All Files, none of the files are detected as hostile.
I have to deduct that either Symantec is behind on detection or smart enough to see this files are not a threat. ]]> http://www.dslreports.com/forum/remark,15171771 Wed, 04 Jan 2006 20:54:30 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15171197 Link Logger :
said by pog See Profile :

Say... here's a question for everyone:

What happens with infected WMF's that are embedded in Word files (or other document types)? Is the code preserved? Does anything get launched in preview or on open of the .doc?
I would very much suspect that if scanning is set to all files that they would be detected. I'll see if I can whip up a test case later tonight.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel]]> http://www.dslreports.com/forum/remark,15171197 Wed, 04 Jan 2006 19:42:25 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15170063 pog :
said by Tuulilapsi See Profile :

So the most desirable solution remains to keep evil (tm) wmf files off your system in the first place, ...
Gack! I create a lot of vector-based graphics that end up as WMF's... it was a very nice format! So sad to see it fall to the dark side. :o

Say... here's a question for everyone:

What happens with infected WMF's that are embedded in Word files (or other document types)? Is the code preserved? Does anything get launched in preview or on open of the .doc?]]> http://www.dslreports.com/forum/remark,15170063 Wed, 04 Jan 2006 17:13:07 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15169852 norwegian : Link Logger, you don't have an OEM copy sitting around do you ? psloss asked a question about %allusers%/startup, and the ability to add shortcuts from a limited user

--»Who else is having fun with OEM security defaults?

I was wondering, if you created a shortcut there that linked so that when the exploit came in, it could have access to this, and see if it made any difference, being that you are still limited.]]> http://www.dslreports.com/forum/remark,15169852 Wed, 04 Jan 2006 16:47:24 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15168741 Link Logger :
said by ZOverLord See Profile :

Blake I just renamed a copy to .emf, do you catch that?

Just curious, for testing, my A/V is off so I can't tell if it would be caught or not. I just took notepad.wmf made a copy and called it notepad.emf
If I have F-Secure on 'High' it kills it and deletes the file, if I have it on 'Normal' it runs the exploit. Its the problem of what files are scanned, so ensure the AV is scanning ALL files and the system will be protected.

Well since my systems are fully protected from this most recent security menace (F-Secure is on the HIGH setting such that it scans all files, check your AV to ensure that it is also scanning all files), my users can surf to their heart's content, and I can go to bed. Hopefully this thread had helped some people realize how their systems might have been vulnerable and how to ensure they are now protected.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel]]> http://www.dslreports.com/forum/remark,15168741 Wed, 04 Jan 2006 14:18:49 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15168449 ZOverLord :
said by Link Logger See Profile :

I agree in an undefended system this exploit could be nasty as there are different execution criteria for it then say just a normal exe, but thankfully the file has a required format so there isn't many ways to hide the exploit within the file (otherwise it would execute as a metafile), so an AV has a good shot at killing it before it can execute if your AV is up to the task.

Blake
Blake I just renamed a copy to .emf, do you catch that?

Just curious, for testing, my A/V is off so I can't tell if it would be caught or not. I just took notepad.wmf made a copy and called it notepad.emf
--
Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com]]> http://www.dslreports.com/forum/remark,15168449 Wed, 04 Jan 2006 13:40:40 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15168377 Link Logger : I agree in an undefended system this exploit could be nasty as there are different execution criteria for it then say just a normal exe, but thankfully the file has a required format so there isn't many ways to hide the exploit within the file (otherwise it would execute as a metafile), so an AV has a good shot at killing it before it can execute if your AV is up to the task.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel]]> http://www.dslreports.com/forum/remark,15168377 Wed, 04 Jan 2006 13:31:06 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15168365 Tuulilapsi : So the most desirable solution remains to keep evil (tm) wmf files off your system in the first place, or at the very least avoid ever browsing the folders that could possibly contain such files (browser & mail software cache directories, I'm looking at you). This in mind, isn't using a browser like Opera that does not automagically open wmf files and a mail client in text only mode the simplest way to entirely avoid this exploit? I haven't paid this thing that much attention, so it may be that I'm entirely mistaken, so correct me if I'm wrong.
--
Want security? Run as limited user.]]> http://www.dslreports.com/forum/remark,15168365 Wed, 04 Jan 2006 13:29:39 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15168305 ZOverLord :
said by Link Logger See Profile :

I'm doing some of that testing now. I've turned off F-Secure otherwise it nails the exploit, but the problem is Windows wants to help you out and show you what is in the file if possible, so the file explorer 'executes' the metafile for example in order to build a small view into the file, hence infection. In ZOverLord See Profile test cases even a non-admin can execute the exploit as notepad isn't a 'restricted' application. If the started application tried to say insert a startup into HKLM then it would fail as non-admin users don't have that privilege (to write there).

Blake
Blake, Please be aware, I could have created a version that CHECKS for user rights, and not done anything until the user who opened the folder or clicked on the file was ADMIN.

So, it's very very dangerous to view a folder with a .wmf file in it, and there is no view, detail or otherwise that would stop the launch.

Worse, imagine that each time it launched it checked to see if it already did this or that and if so do something else, it could contain many things and every time viewed in a folder or clicked on check to see what it has already done and do something it has not yet.

Not sure if your with me, there are SO MANY machinations you could do, and every time someone viewed a folder with one of these in it, it could test for what it already did, and then do something else it has not done yet :-(
--
Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com]]> http://www.dslreports.com/forum/remark,15168305 Wed, 04 Jan 2006 13:20:56 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15168245 Link Logger : I'm doing some of that testing now. I've turned off F-Secure otherwise it nails the exploit, but the problem is Windows wants to help you out and show you what is in the file if possible, so the file explorer 'executes' the metafile for example in order to build a small view into the file, hence infection. In ZOverLord See Profile test cases even a non-admin can execute the exploit as notepad isn't a 'restricted' application. If the started application tried to say insert a startup into HKLM then it would fail as non-admin users don't have that privilege (to write there).

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel]]> http://www.dslreports.com/forum/remark,15168245 Wed, 04 Jan 2006 13:12:45 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15168191 ZOverLord : YES, an ADMIN could trigger this just by viewing the contents of a folder where one of these .wmf file is located.

So, even if a limited user actually was the one that placed it on the system, ANYONE who views the file in a folder, will cause it to execute. Which means if it was an ADMIN that time, it would do it with ADMIN privileges.

AND......you do NOT need to have that folder being displayed as THUMBNAILS, if can be in detail view and it will STILL happen :-(
--
Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com]]> http://www.dslreports.com/forum/remark,15168191 Wed, 04 Jan 2006 13:05:16 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15168153 astirusty :
said by Link Logger See Profile :

In round two I made one simple adjustment and won the fight.
Blake, maybe after the testing/work you have done on the WMF exploit, you can clarify something I read on possible injection methods.

If a user is running as limited and manages to get a WMF image file exploit on to the system (past the AV apps) and the actual exploit is unable to run (as you have reported) -- Is it possible the administrator of the system could trigger the exploit while looking around the users directory? I am basing this off of ZOverLord See Profile discussion of just going to the folder the WMF file is located in.

PS: Thanks for all your efforts! :)]]> http://www.dslreports.com/forum/remark,15168153 Wed, 04 Jan 2006 13:01:09 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15168099 Link Logger : I copied these from the other thread so they are current.

Blake]]> http://www.dslreports.com/forum/remark,15168099 Wed, 04 Jan 2006 12:54:57 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15167876 ZOverLord : Just a Heads Up, I created some tests that launch Notepad, more info here:

»Windows MetaFiles still vulnerable

These were created so that we will have the most CURRENT examples. I am NOT sure if what people are testing with have been made from the latest 1.14 Metasploit release, so these are CURRENT!
--
Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com]]> http://www.dslreports.com/forum/remark,15167876 Wed, 04 Jan 2006 12:26:56 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15167719 Link Logger : I tried all of ZOverLord See Profile files that were created with the latest version 1.14 of the exploit:

notepad.bmp
notepad.gif
notepad.jpeg
notepad.jpg
notepad.png
notepad.tiff
notepad.wmf

and F-Secure (after being set to scan all files, I can't stress that enough) picked off every one of them.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel]]> http://www.dslreports.com/forum/remark,15167719 Wed, 04 Jan 2006 12:07:19 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15167681 jbob : Yep...Guess I should have read it a little closer as I did the second time. Good demo. A lot of work copying and pasting all the dialog boxes as well.

My question about AV apps ability to scan and recognize a renamed wmf file still is valid I think. Scanning based on header info might be a better choice perhaps expecially WMF based files.]]> http://www.dslreports.com/forum/remark,15167681 Wed, 04 Jan 2006 12:02:14 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15167442 Link Logger : If you read round two you will see that in F-Secure default configuration it doesn't scan wmf files hence the exploit was free to do its thing and stuff got ugly from there on. In round two I made one simple adjustment and won the fight.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel]]> http://www.dslreports.com/forum/remark,15167442 Wed, 04 Jan 2006 11:28:57 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15167273 jbob : As John2G mentioned it looked like your AV app WAS working in the first test so I assume you "Allowed" all the exploits to continue in the first round to see what would happen.

Waiting for round two results.]]> http://www.dslreports.com/forum/remark,15167273 Wed, 04 Jan 2006 11:00:21 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15167246 Link Logger : Round two go to me as I knocked this bad boy on his butt and laid him out cold :D I'll update my wmf attack page with the required information and then we can go looking for bigger bad dogs then this puppy.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel]]> http://www.dslreports.com/forum/remark,15167246 Wed, 04 Jan 2006 10:56:35 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15167232 SpannerITWks : I think it would a good idea to block both Headers + Extentions, if people are able to.

Spanner]]> http://www.dslreports.com/forum/remark,15167232 Wed, 04 Jan 2006 10:54:38 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15167136 jbob : You bring up an interesting point, although it has been discussed adnauseum by now, however I don't think specifically in regards to AV apps. I have my AV set to scan all files. It has been reported that this new updated exploit might be able to fool many AV/IPS apps, initially at least. If so how? Perhaps the AV/IPS/AT vendors can simply be set to block/detect a WMF file based on header info(not by extension). Not sure it they can do this now. Then the user can simply block all WMF looking files before no matter the content.]]> http://www.dslreports.com/forum/remark,15167136 Wed, 04 Jan 2006 10:38:57 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15167042 Link Logger : There appears to be two main factors here. First not all AV's are scanning wmf files (scanning all files would be best as a metafile is determined by a header within the file and not by its extension) and second running as non admin is always a good idea. If we can get all the AV guys onside then picking off this exploit becomes much easier. I would ask/recommend everyone take a look at what files your AV isn't scanning and take the appropriate steps to fix it if needed. The metafile exploit is what I call an enabler exploit in that its the key that unlocks the door and tends to get overlooked as everyone is staring at the beast that came through the door afterwards. Take away the key and the beast can't get in, simple.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel]]> http://www.dslreports.com/forum/remark,15167042 Wed, 04 Jan 2006 10:22:32 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15166920 John2g : I don't want to be picky, but all your interesting link shows is how F-Secure handled various trojans. Any half decent AV or AT should be able to nail them. All that has changed with this new exploit is the method of delivery of the trojans. The exploit itself is too small to do any damage, as the maximum space allocated in RAM is 1.7K: all it is doing is install a downloader.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt.]]> http://www.dslreports.com/forum/remark,15166920 Wed, 04 Jan 2006 10:02:55 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15166762 deadi : Alrighty! Windows Onecare caught it, and quarantined. This is a updated XP Pro SP2 pc, updated Onecare. It would not allow it to run.
Click for full size
]]> http://www.dslreports.com/forum/remark,15166762 Wed, 04 Jan 2006 09:38:37 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15166725 koma3504 : Im a few links Please. Im fixen to Wipe one But be a chance to test. TrendMIcro.

Thanks]]> http://www.dslreports.com/forum/remark,15166725 Wed, 04 Jan 2006 09:32:26 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15166704 novaflare :
said by norwegian See Profile :

you don't have RedXII1234 paying you for this test at all ??
Sounds like admins are in for a wakeup.
;)
Why would i be in for a wake up? Ive done 2 things diffrent to protect my self used the unoffical patch and unregged the dll. I probably would not ever get infected via this route any ways as i dont surf the sites that would be the top users of the exploit.

Now this is one patch that I will install regardless of any potential risk of it hoseing my system. Simply put I use thumb nail and preview to find my textures etc for the 3d models I make.

It would take alot more than this to scare me in to cripling my self by running as a limited user.
--
DSLR security chat at us.ausirc.net chanel #dslr_sec lets pack this channel open source dns server for *nix and windows »powerdns.com]]> http://www.dslreports.com/forum/remark,15166704 Wed, 04 Jan 2006 09:26:49 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15166694 Red Dragon : Ouch that is nasty I would want to nuke badly.]]> http://www.dslreports.com/forum/remark,15166694 Wed, 04 Jan 2006 09:25:01 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15166692 3SGTE : Wouldn't it have been less work to try as non-admin first?
--
Everything in this post is pure BS! ]]> http://www.dslreports.com/forum/remark,15166692 Wed, 04 Jan 2006 09:24:58 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15166690 dadkins : Just ATTEMPTED to download the file that Link Logger sent me... avast Home(FREE), at standard settings, didn't like it one bit! ;) Avast had it's hissy fit before any download dialog box appeared, and never did appear(avast killed it!).
Done with an IE based browser - SlimBrowser.
*NO* patch, *NO* unregistered .dll.
No worries!

NOTE: Yesterday's Update added WMF scanning to Default File Types. If set to "All File Types" you would have been protected anyways BEFORE the Update.

Happy Hunting!
I'm setting avast back up to MY settings now... just a wee bit higher!
--
Think outside the Fox... Opera

Default File Types		 
Click for full size
Normal settings
Click for full size
avast got pissed!
]]> http://www.dslreports.com/forum/remark,15166690 Wed, 04 Jan 2006 09:24:41 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15166674 packetscan : Silly Wabbit]]> http://www.dslreports.com/forum/remark,15166674 Wed, 04 Jan 2006 09:21:56 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15166581 astirusty :
said by Link Logger See Profile :

So I'm getting ready to run a test using a non-admin level user and see how much of a difference that makes.
Great! I was just going to ask you if you could try this if you had not already.]]> http://www.dslreports.com/forum/remark,15166581 Wed, 04 Jan 2006 09:03:10 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15166442 dadkins : Bravo! I've done it myself on occasion, it's satisfying... in an odd way. :)

Tear it up Link Logger!

@ Spanner, Yeah, most of the AVs out there have this covered already! Thanks for showing AntiVir getting "upset" at the file! ;)
--
Think outside the Fox... Opera]]> http://www.dslreports.com/forum/remark,15166442 Wed, 04 Jan 2006 08:33:36 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15166408 norwegian : you don't have RedXII1234 paying you for this test at all ??
Sounds like admins are in for a wakeup.
;)]]> http://www.dslreports.com/forum/remark,15166408 Wed, 04 Jan 2006 08:26:47 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15166397 Link Logger : For the last couple of days I have tested a pile of sites with one of my systems and it has defected every attack thus far, but I wanted to see what would happen with a 'default' system and it wasn't good. Now the trick is to go back and try a couple more tests and see what the factors are to defending against this, so we can pass on the 'easy way' to protection with some facts and tests to back up the suggestions. So I'm getting ready to run a test using a non-admin level user and see how much of a difference that makes. I will spend a little more time looking at the default settings for the AV and see if it really does skip scanning wmf files by default.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel]]> http://www.dslreports.com/forum/remark,15166397 Wed, 04 Jan 2006 08:24:00 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15166377 norwegian :
said by astirusty See Profile :

said by Link Logger See Profile :

Houston we have a problem, and as soon as I pick up my teeth with my broken arm and figure out a way to describe the carnage the score is Windows Metafile Exploit 1, me 0. The sequence of events was worthy to say the least and hopefully I caught them all.
Blake:
Thanks for trying this and trying to separate fact from fiction. Also for being upfront enough to pass on the outcome. Hopefully your results will wake a few more people up before they get woke up the hard way.
This sort of work should be more accessable to the general public so they can start to really understand the issue more, but then i guess if they even read it, some software company will want to sue you for publishing it freely]]> http://www.dslreports.com/forum/remark,15166377 Wed, 04 Jan 2006 08:20:48 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15166361 astirusty :
said by Link Logger See Profile :

Houston we have a problem, and as soon as I pick up my teeth with my broken arm and figure out a way to describe the carnage the score is Windows Metafile Exploit 1, me 0. The sequence of events was worthy to say the least and hopefully I caught them all.
Blake:
Thanks for trying this and trying to separate fact from fiction. Also for being upfront enough to pass on the outcome. Hopefully your results will wake a few more people up before they get woke up the hard way.]]> http://www.dslreports.com/forum/remark,15166361 Wed, 04 Jan 2006 08:14:44 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15166328 SpannerITWks : Never default ! I've customised them to Include everything except some folders with some FW + Security tests + Rootkit stuff in etc ! Otherwise my AV/AT keeps trying to eliminate them lol.

Spanner
--
I Only Know What I Know But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks]]> http://www.dslreports.com/forum/remark,15166328 Wed, 04 Jan 2006 08:06:26 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15166271 Link Logger : Is your AV running with its default settings or have you modified them at any time?

Blake]]> http://www.dslreports.com/forum/remark,15166271 Wed, 04 Jan 2006 07:50:26 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15166230 SpannerITWks : Hi LinkLogger,

Well like i said i was up 4 it, Again !

I went to the www that you PM'd me and immediately AntiVir kicked in -



I disabled AV + DL'd the CABM8R7T-WMF file



Like some of the others it's 15.6kb file. Still with AV disabled i DC it -



OK'd SD + XnView launched with this -



Process Explorer + my FW + logs + everything else all showing normal behaviour.

Nothing else happened @ ALL ! I have BOClean running which would have jumped on it if it was active, and Winsonar would also have blocked ANY unknown EXE that tried to run too. This is an identical Live test to the ones i did yesterday + posted about earlier.

So in in the clear once more i'm pleased to report !

EDIT -

I have always set my AV etc to scan all files, makes sense i think.

Spanner
--
I Only Know What I Know But I'm Learning all The Time -

Stay Safe -

Spanner intheWorks
/SpannerITWks]]> http://www.dslreports.com/forum/remark,15166230 Wed, 04 Jan 2006 07:37:56 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15166215 Link Logger : Can you please check your AntiVirus and see if it scans wmf, gif, doc, jpg, etc file types or if it scan all files, as it would be best if it scanned them all until we get the patch from Microsoft on this one.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel]]> http://www.dslreports.com/forum/remark,15166215 Wed, 04 Jan 2006 07:32:01 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15165977 Link Logger : OK here are the screen shots and such from this attack »www.linklogger.com/wmf_attack.htm its an ugly one. F-Secure was able to fight most of it off but the damage to the security center is concerning enough to make you want to nuke and pave this system.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel]]> http://www.dslreports.com/forum/remark,15165977 Wed, 04 Jan 2006 05:58:43 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15165935 SpannerITWks : Hi,

Yeah i'm up 4 it !

I've visited all the www's i could find and also all the tests i'm aware of, as posted in the Meta thread, and so far 100% success to me + 98SE.

If you provide the goods + info etc then i'll do it.

EDIT -

I'm sure mysec + others will join in too.

Spanner
--
I Only Know What I Know But I'm Learning all The Time -

Stay Safe -

Spanner intheWorks
/SpannerITWks]]> http://www.dslreports.com/forum/remark,15165935 Wed, 04 Jan 2006 05:20:20 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15165802 Link Logger : First the setup, Windows XP SP2 fully patched, with F-Secure trial antivirus with updated signature (due expire in a month, important). XP SP2 had the firewall enabled (also important latter on), and I had completed a full scan with F-Secure before the test and the system was clean. I was running as an admin level user (just because so many do). Now I have a whack of screen shots that I will place on my web site which shows the carnage as the user would see it and it wasn't pretty (think of an old hairy fat guy in a thong in you would pretty well have the picture as to how ugly this was). By the time this attack was over, it was over for my test system and the system's defenses were all pretty well toast, resulting in the system being wide open for future attacks of almost any kind (not to mention the keyloggers running on it).

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel]]> http://www.dslreports.com/forum/remark,15165802 Wed, 04 Jan 2006 03:50:20 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15165698 jig : do tell?]]> http://www.dslreports.com/forum/remark,15165698 Wed, 04 Jan 2006 03:07:49 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15165697 Link Logger : Houston we have a problem, and as soon as I pick up my teeth with my broken arm and figure out a way to describe the carnage the score is Windows Metafile Exploit 1, me 0. The sequence of events was worthy to say the least and hopefully I caught them all.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel]]> http://www.dslreports.com/forum/remark,15165697 Wed, 04 Jan 2006 03:07:04 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15165272 redxii : Ineffective = good]]> http://www.dslreports.com/forum/remark,15165272 Wed, 04 Jan 2006 01:05:45 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15165238 Link Logger : So ineffective in your test is good then, meaning no infection.

Blake]]> http://www.dslreports.com/forum/remark,15165238 Wed, 04 Jan 2006 00:59:44 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15165189 redxii : I tested 8 unique. 7 wild, and 1 I made myself.

Hexblog 1.4 Fix: 8 of 8 ineffective. wmf_dcode still crashed explorer in gdi32.dll but didn't do anything

Leaked Fix: 8 of 8 ineffective. wmf_dcode still crashed explorer in gdi32.dll but didn't do anything

Ineffective means it just says "No preview available." Nothing happens.
--
Open Source -> Close Minded
Microsoft Windows 2000/XP Security: Some Assembly Required.
Excessive use of "$" as in "M$" may make you look like a fool.]]> http://www.dslreports.com/forum/remark,15165189 Wed, 04 Jan 2006 00:52:55 EDT Re: Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15165117 anon : Go git 'em Fudd! :D



Sparrow See Profile]]> http://www.dslreports.com/forum/remark,15165117 Wed, 04 Jan 2006 00:42:36 EDT Taking off the gloves, help me get punched out http://www.dslreports.com/forum/remark,15165063 Link Logger : OK IM me your meanest, nastiest, most low down scum sucking, butt kicking, evilest, vile, polluted, vicious, malicious windows metafile spewing site as I'm look to get infected or boot the infection attempt square in the nuts. Its time to get where the rubber meets the road and get to the truth of this latest event.

Anyone else have a bunch of victim systems they are willing to sacrifice to the malware gods, sign on and we will test these evil sites and see what happens to the various defense methods already claiming victory over this menace to the golf computer industry (sorry watched Caddy Shack again the other night, great movie).

We can sit around and bitch about this and speculate what works and what doesn't and how nasty this bad boy metafile attack is or we can go hunting and testing get down to the truth of the matter.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel]]> http://www.dslreports.com/forum/remark,15165063 Wed, 04 Jan 2006 00:30:00 EDT