  #1 (permalink)  
Old 01-12-2006, 10:52 PM
thestudent thestudent is offline
Junior Member
Join Date: Jan 2006
Posts: 4

New Exploit for Unpatched Windows Flaw

The latest bit of malware takes advantage of the same Windows Metafile (files ending in .wmf) security hole that Security Fix warned about earlier this week, the one where Windows users can get infected just by clicking on a specially crafted link in an e-mail or visiting a Web site that hosts the malicious code.

The part that's different about this attack is that it's designed to generate slightly different program code each time the exploit is run -- creating a new threat with a random file size, non-WMF file extension (like .jpeg) and other variable tricks. The folks over at the SANS Internet Storm Center have more detailed information about the new exploit if you're interested.

This is a big deal because so far -- without a patch from Redmond to remedy this problem -- the major antivirus vendors have been the first lines of defense against this attack, and they have relied mainly on adding new signatures to their software to detect the latest threats each time a new one appears. But by changing the profile of the attack slightly with each iteration, the new exploit's random attack code has a far greater chance of slipping past software shields.

SANS said the random garbage added onto any attack code generated with the new exploit could make it very hard for anti-virus companies to develop signatures to detect the new threats.

Last week, I wrote about tests run by Andreas Marx of that looked at the response time of various antivirus products to some of the largest computer worm outbreaks of 2005. This morning, Marx sent me an e-mail listing each of the products that now detect all 73 known versions of the old WMF exploit: those products included AntiVir, Avast!, BitDefender, ClamAV, Command, Dr Web, eSafe, eTrust-INO, eTrust-VET, Ewido, F-Secure, Fortinet, Kaspersky, McAfee, Nod32, Norman, Panda, Sophos, Symantec, Trend Micro, and VirusBuster.

But, Marx said, "It looks like that some of the 100% companies have simply added detections for all of the files I've sent out, without actually have a generic detection in place, but instead of this, 73 different signatures to detect all 73 different files. That's not good."

Not good indeed, given the morphing abilities of this new exploit. I suspect the 2006 work year will begin a bit too soon for many network and computer defense professionals out there.

Reply With Quote
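
The contrast the post draws between 73 per-file signatures and a generic detection, as an added example that is not part of the original post: a SHA-256 lookup stands in for a per-file signature, and a structural check parses the bytes as a Windows Metafile and flags an Escape record that selects SetAbortProc. The record constants come from the public WMF format documentation, not from the post, and the sample file is constructed and carries no payload.

```python
import hashlib
import struct

META_ESCAPE = 0x0626        # WMF record function: Escape (assumption: from the format docs)
SETABORTPROC = 0x0009       # escape function tied to the WMF flaw (assumption, not in the post)
PLACEABLE_KEY = 0x9AC6CDD7  # optional 22-byte "placeable" preamble

def wmf_records(data):
    """Yield (function, params) per record if data parses as a WMF; the file name is never consulted."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        return
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:      # malformed record size: stop parsing
            return
        yield func, data[off + 6: off + 2 * size_words]
        if func == 0:           # META_EOF: trailing bytes after it are ignored
            return
        off += 2 * size_words

def generic_detect(data):
    """Structural check: any Escape record selecting SETABORTPROC."""
    return any(func == META_ESCAPE and len(p) >= 2
               and struct.unpack_from("<H", p)[0] == SETABORTPROC
               for func, p in wmf_records(data))

def hash_detect(data, known_hashes):
    """Per-sample signature: matches only byte-identical files."""
    return hashlib.sha256(data).hexdigest() in known_hashes

def _record(func, params=b""):
    # Record size is counted in 16-bit words and includes the 6-byte record header.
    return struct.pack("<IH", 3 + len(params) // 2, func) + params

def make_sample(trailing=b"", escape_fn=SETABORTPROC):
    """Constructed, inert sample: header, one Escape record with zero data bytes, EOF."""
    body = _record(META_ESCAPE, struct.pack("<HH", escape_fn, 0)) + _record(0)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, 5, 0)
    return header + body + trailing
```

Appending bytes to the sample changes its hash, so `hash_detect` needs one entry per variant, while `generic_detect` returns the same answer for every variant and for any file extension.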
