  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| Taking off the gloves, help me get punched out
OK, IM me your meanest, nastiest, most low down, scum sucking, butt kicking, evilest, vile, polluted, vicious, malicious Windows metafile spewing site, as I'm looking to get infected or boot the infection attempt square in the nuts. It's time to get where the rubber meets the road and get to the truth of this latest event.
Anyone else who has a bunch of victim systems they are willing to sacrifice to the malware gods, sign on and we will test these evil sites and see what happens to the various defense methods already claiming victory over this menace to the golf computer industry (sorry, watched Caddyshack again the other night, great movie).
We can sit around and bitch about this and speculate what works and what doesn't and how nasty this bad boy metafile attack is, or we can go hunting and testing and get down to the truth of the matter.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
|
  catseyenu Anon @rr.com (from: dadkins)
| Go git 'em Fudd!
Sparrow |
|
  redxii too big to fail Premium,Mod join:2001-02-26 Austin, TX
Host: /dev/null Broadband Tweaks ISDN Fiber Optic AOL Broadband
| reply to Link Logger I tested 8 unique: 7 wild, and 1 I made myself.
Hexblog 1.4 Fix: 8 of 8 ineffective. wmf_dcode still crashed explorer in gdi32.dll but didn't do anything
Leaked Fix: 8 of 8 ineffective. wmf_dcode still crashed explorer in gdi32.dll but didn't do anything
Ineffective means it just says "No preview available." Nothing happens. -- Open Source -> Close Minded Microsoft Windows 2000/XP Security: Some Assembly Required. Excessive use of "$" as in "M$" may make you look like a fool. |
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB | So ineffective in your test is good then, meaning no infection.
Blake |
|
  redxii too big to fail Premium,Mod join:2001-02-26 Austin, TX | Ineffective = good |
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| reply to Link Logger Houston, we have a problem, and as soon as I pick up my teeth with my broken arm and figure out a way to describe the carnage, the score is Windows Metafile Exploit 1, me 0. The sequence of events was worthy to say the least and hopefully I caught them all.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
|
  jig
join:2001-01-05 Hacienda Heights, CA | do tell? |
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| reply to Link Logger First the setup: Windows XP SP2 fully patched, with F-Secure trial antivirus with updated signatures (due to expire in a month, important). XP SP2 had the firewall enabled (also important later on), and I had completed a full scan with F-Secure before the test and the system was clean. I was running as an admin level user (just because so many do). Now I have a whack of screen shots that I will place on my web site which show the carnage as the user would see it, and it wasn't pretty (think of an old hairy fat guy in a thong and you would pretty well have the picture as to how ugly this was). By the time this attack was over, it was over for my test system and the system's defenses were all pretty well toast, resulting in the system being wide open for future attacks of almost any kind (not to mention the keyloggers running on it).
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
|
  SpannerITWks Premium join:2005-04-22
1 edit | reply to Link Logger Hi,
Yeah I'm up 4 it!
I've visited all the www's I could find and also all the tests I'm aware of, as posted in the Meta thread, and so far 100% success to me + 98SE.
If you provide the goods + info etc. then I'll do it.
EDIT -
I'm sure mysec + others will join in too.
Spanner -- I Only Know What I Know But I'm Learning all The Time -
Stay Safe -
Spanner intheWorks /SpannerITWks |
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| reply to Link Logger OK here are the screen shots and such from this attack »www.linklogger.com/wmf_attack.htm it's an ugly one. F-Secure was able to fight most of it off but the damage to the security center is concerning enough to make you want to nuke and pave this system.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| reply to Link Logger Can you please check your AntiVirus and see if it scans wmf, gif, doc, jpg, etc. file types or if it scans all files, as it would be best if it scanned them all until we get the patch from Microsoft on this one.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
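The question above is really about scanning by content rather than by file extension: the samples in this thread circulated under names with no .wmf on them at all. As an added example that is not from the thread or from any vendor mentioned in it, the Python below identifies a metafile by its header and walks its records, flagging the Escape/SetAbortProc record the exploit relied on and the malformed record sizes that trip up naive parsers. The record and escape codes are from the WMF format specification; the sample files are constructed inline.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic, little-endian
META_EOF, META_ESCAPE = 0x0000, 0x0626
SETABORTPROC = 0x0009        # escape sub-function abused by the Dec-2005 WMF exploit

def looks_like_wmf(data):
    """Return the offset of the first record if the bytes look like a WMF, else None.
    Works on content only, so a renamed or extension-less file is still recognised."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                  # skip the 22-byte placeable header
    if len(data) < off + 18:
        return None
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
        return off + 18                           # 9-word META_HEADER ends here
    return None

def scan_wmf(data):
    """Walk the record list; return a list of findings ([] = clean, None = not a WMF)."""
    pos = looks_like_wmf(data)
    if pos is None:
        return None
    findings = []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if func == META_EOF:
            break
        if size_words < 3:                        # record can't be shorter than its own header
            findings.append("malformed record size at offset %d" % pos)
            break                                 # also prevents an infinite loop
        if func & 0xFF == 0x26:                   # GDI dispatched on the low byte only
            if func != META_ESCAPE:
                findings.append("non-standard escape function code 0x%04x at offset %d" % (func, pos))
            if pos + 8 <= len(data) and struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                findings.append("SetAbortProc escape at offset %d" % pos)
        pos += size_words * 2                     # RecordSize is in 16-bit words
    return findings

def _record(func, payload=b""):
    return struct.pack("<IH", (6 + len(payload)) // 2, func) + payload

# Constructed samples: a disk metafile header followed by records.
_HEADER = struct.pack("<HHHHHHIH", 2, 9, 0x0300, 0, 0, 0, 0, 0)
BENIGN = _HEADER + _record(META_EOF)
SUSPICIOUS = _HEADER + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)) + _record(META_EOF)
TRUNCATED_SIZE = _HEADER + struct.pack("<IH", 0, META_ESCAPE)
```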
|
  SpannerITWks Premium join:2005-04-22
1 edit | reply to Link Logger Hi LinkLogger,
Well, like I said, I was up 4 it, again!
I went to the www that you PM'd me and immediately AntiVir kicked in -
I disabled AV + DL'd the CABM8R7T-WMF file
Like some of the others it's a 15.6kb file. Still with AV disabled I DC'd it -
OK'd SD + XnView launched with this -
Process Explorer + my FW + logs + everything else all showing normal behaviour.
Nothing else happened @ ALL! I have BOClean running which would have jumped on it if it was active, and Winsonar would also have blocked ANY unknown EXE that tried to run too. This is an identical Live test to the ones I did yesterday + posted about earlier.
So I'm in the clear once more, I'm pleased to report!
EDIT -
I have always set my AV etc. to scan all files, makes sense I think.
Spanner -- I Only Know What I Know But I'm Learning all The Time -
Stay Safe -
Spanner intheWorks /SpannerITWks |
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB | Is your AV running with its default settings or have you modified them at any time?
Blake |
|
  SpannerITWks Premium join:2005-04-22
| Never default! I've customised them to include everything except some folders with some FW + Security tests + Rootkit stuff in etc.! Otherwise my AV/AT keeps trying to eliminate them lol.
Spanner -- I Only Know What I Know But I'm Learning all The Time -Stay Safe - Spanner intheWorks/SpannerITWks |
|
 astirusty Premium join:2000-12-23 Henderson, NV
·AT&T Southwest
| reply to Link Logger said by Link Logger: "Houston, we have a problem, and as soon as I pick up my teeth with my broken arm and figure out a way to describe the carnage, the score is Windows Metafile Exploit 1, me 0. The sequence of events was worthy to say the least and hopefully I caught them all." Blake: Thanks for trying this and trying to separate fact from fiction. Also for being upfront enough to pass on the outcome. Hopefully your results will wake a few more people up before they get woken up the hard way. |
|
  norwegian Premium join:2005-02-15 Outback
·WestNet Broadband
| said by astirusty: "said by Link Logger: 'Houston, we have a problem, and as soon as I pick up my teeth with my broken arm and figure out a way to describe the carnage, the score is Windows Metafile Exploit 1, me 0. The sequence of events was worthy to say the least and hopefully I caught them all.' Blake: Thanks for trying this and trying to separate fact from fiction. Also for being upfront enough to pass on the outcome. Hopefully your results will wake a few more people up before they get woken up the hard way." This sort of work should be more accessible to the general public so they can start to really understand the issue more, but then I guess if they even read it, some software company will want to sue you for publishing it freely |
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| reply to astirusty For the last couple of days I have tested a pile of sites with one of my systems and it has deflected every attack thus far, but I wanted to see what would happen with a 'default' system and it wasn't good. Now the trick is to go back and try a couple more tests and see what the factors are to defending against this, so we can pass on the 'easy way' to protection with some facts and tests to back up the suggestions. So I'm getting ready to run a test using a non-admin level user and see how much of a difference that makes. I will spend a little more time looking at the default settings for the AV and see if it really does skip scanning wmf files by default.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
|
  norwegian Premium join:2005-02-15 Outback 1 edit | you don't have RedXII1234 paying you for this test at all?? Sounds like admins are in for a wakeup. |
|
  dadkins Can you do Blu? Premium,MVM join:2003-09-26 Hercules, CA
·Comcast
2 edits | reply to Link Logger Bravo! I've done it myself on occasion, it's satisfying... in an odd way. 
Tear it up Link Logger!
@ Spanner, Yeah, most of the AVs out there have this covered already! Thanks for showing AntiVir getting "upset" at the file!  -- Think outside the Fox... Opera |
|
 astirusty Premium join:2000-12-23 Henderson, NV
·AT&T Southwest
| reply to Link Logger said by Link Logger : So I'm getting ready to run a test using a non-admin level user and see how much of a difference that makes. Great! I was just going to ask you if you could try this if you had not already. |
|