RE: Re[2]: test this

["Peter Ferrie" <pferrie () symantec com>]

> TrendMicro has released pattern file = 3.135.00
> It appears to pick up all the trojans using the WMF exploit as of right
> now. Variants could affect this however.
 
If they're blindly detecting anything that contains the SetAbortProc, then they're detecting the legitimate use of a 
documented function.
 
> Is this buffer overflow pretty specific like the older GIF exploit? If I
> remember correctly, there were really only two ways to make the GIF
> exploit work, so the detection was pretty solid. Is this exploit
> similar? Or does it have some trick point that could be used to fool
> known sigs?
 
Perhaps you should read about it on Microsoft's site.
It's not a buffer overflow.  WMF files since at least Windows 3.0 days have been allowed to carry executable code in 
the form of their own SetAbortProc handler.  This is perfectly legitimate, though the design is a poor one.  The only 
thing that has changed is the code that is being executed.
 
8^) p.
 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/