Full Disclosure mailing list archives
WMF ..... Is it possible to do a "Forensics Analysis" before 27th Dec
From: Pejman GOHARI <pejman.gohari () gmail com>
Date: Fri, 13 Jan 2006 17:42:55 +0100
Hi,

One more mail about WMF, but... My objective is to do a "forensics analysis" of this event (the WMF threat) and understand what exactly happened, because something sounds strange... to me! (And maybe only to me ;-) )

27th Dec: a guy published just a mail to Bugtraq... to show his exploit. In reality it was more than a friendly demonstration: it was a very sophisticated piece of malware, with a malicious bot deployment...

So, first question: how long have the black hats used this exploit to deploy their bots, spyware, keyloggers...? Maybe the vulnerability had been widely used long before it was finally released...

After 27th Dec, all the security experts, CERTs and AV companies sent an "emergency" alert (and they did their job very well). Just after that, an unofficial patch was proposed (helpful), and Microsoft announced an official patch for the Patch Day of 10th Jan!!! Surprise....

5th Jan: Microsoft published an emergency patch before the Patch Day. (NEVER had they done that in the past.)

So comes a second question... Why? Why does the BIG Microsoft change its Patch Day process? I can't imagine that Microsoft changed its Patch Day process just for you and me... and for our PCs at home! Patch Day is a process for professionals (companies)... So why this emergency? When the patch was released, we hadn't seen a large-scale attack (though numerous, the 300 websites exploiting variants of the WMF exploit all had a limited scale and were detected by the major AV products at the time).

Proposal 1: the exploit was used a long time before the 27th, and nobody detected it before! So the alert came too late? Did anybody do a forensics analysis (with all the system and network logs) to detect whether any attack had used it in the past? We can imagine the scenario of a black hat who used this vuln. to deploy his bots and... now would like to prevent other bad guys from doing the same and stealing some of his zombie machines!?

---------------------------------------------------------------------------|27th_dec|-----------|5thJan-Patch|----------------Now----
{ before 27th ... ? how many guys used this exploit ? }

Proposal 2: as someone said... we just see the tip of the iceberg...? But... what do you see that I can't?

Other proposals... welcome! And if this is a "stupido question", then > /dev/null.

Regards,
Pejman

                                                         __o
                                                       _`\<,_
.......................................................(_)/ (_)
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/