Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: WMF ..... Is it possible to do a "ForensicsAnalysis" before 27th Dec
From: "Tim Saunders" <Tim.Saunders () aquilauk co uk>
Date: Fri, 13 Jan 2006 17:30:20 -0000

I believe I saw an attempt at an exploit on the 21st of December.

A website I visit regularly and would expect to be trust worthy opened a
background tab in Opera despite the built in pop up blocker (it does
happen occasionally). I notice because Opera asked be what application I
would like to open the application/x-msmetafile content with since I use
Linux rather than Windows. I closed the tab and though no more about it
until I saw the WMF vulnerability announcement.

By the 22nd the website no longer opened the popup. I suspect the site
had been compromised and silently fixed without the admins realising
what they were removing.


-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Pejman
Sent: 13 January 2006 16:43
To: Full-Disclosure () lists grok org uk
Subject: [Full-disclosure] WMF ..... Is it possible to do a
"ForensicsAnalysis" before 27th Dec


One more mail about WMf, but ... My objective is to do a "Forensics
Analysis" about this event (WMF Threat) and understand what exactly
happened. Because something sounds strange ... for me! (And maybe only
for me ;-) )

27th dec: A guy published just a mail to Bugtraq... to show his exploit.
In reality it was more than a friendly demonstration: it was a very
sophisticated malware, with a malicious bot deployment...

So first question: How long have the black hats used this exploit to
deploy their bot ,spyware, keylogger...? Maybe the vulnerability has
been wildly used, long before it was finally released...

After 27th dec, all the Security Experts, Certs, AV company sent an
"Emergency" alert (and they did there job very well).
Just after ... an unofficial patch was proposed (helpful) and Microsoft
announced an Official patch for the Patchday of the 10th Jan!!!

Surprise.... The 5th jan: Microsoft published before the Patchday an
Emergency patch. (NEVER had they done that in the past)

So comes a second question ... Why? Why The BIG Microsoft changes its
process of Patchday? I can't imagine that Microsoft change its process
of Patchday just for you and me ... and for our PC at home! The Patchday
is a Process for Professionals (Company)...  So why this Emergency?
When the Patch is released, we haven't seen a large scale attack
(though numerous, the 300 of Websites exploiting variant of WMF
exploit have all a limited scale and are detected by the major AV at

Proposal 1: The exploit was used a long time before the 27th! And no
body detected it before! So the alert comes too late? Did anybody do a
Forensics (with all the systems, network logs) to detect if any attack
has used at the past)?
We can imagine the Scenario of a black hat who used this vuln. to
deploy his bots and ... now he would like to prevent other bad guys from
doing the same and stealing some of his zombie machines !?

{ before 27th ... ? how many guy use this exploit ?}

Proposal 2: As someone said ... we just see the tip of Iceberg...? But
what do you see that I can't?

Other Proposal ... Welcome!

& If "stupido question" then > /dev/null

Pejman                                                __o
.......................................................(_)/ (_)
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • RE: WMF ..... Is it possible to do a "ForensicsAnalysis" before 27th Dec Tim Saunders (Jan 13)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]