Full Disclosure mailing list archives

WMF ..... Is it possible to do a "Forensics Analysis" before 27th Dec


From: Pejman GOHARI <pejman.gohari () gmail com>
Date: Fri, 13 Jan 2006 17:42:55 +0100

Hi,

One more mail about WMF, but ... My objective is to do a "Forensics
Analysis" of this event (the WMF threat) and understand what exactly
happened. Because something sounds strange ... to me! (And maybe only
to me ;-) )

27th Dec: A guy published just a mail to Bugtraq… to show his exploit.
In reality it was more than a friendly demonstration: it was a very
sophisticated piece of malware, with a malicious bot deployment…

So, first question: How long have the black hats used this exploit to
deploy their bots, spyware, keyloggers...? Maybe the vulnerability had
been widely used, long before it was finally released…

After 27th Dec, all the security experts, CERTs and AV companies sent an
"Emergency" alert (and they did their job very well).
Just after… an unofficial patch was proposed (helpful) and Microsoft
announced an official patch for the Patchday of the 10th Jan!!!

Surprise…. On the 5th Jan, Microsoft published an emergency patch before
the Patchday. (NEVER had they done that in the past.)

So comes a second question… Why? Why does the BIG Microsoft change its
Patchday process? I can't imagine that Microsoft changes its Patchday
process just for you and me… and for our PCs at home! The Patchday is
a process for professionals (companies)… So why this emergency?
When the patch was released, we hadn't seen a large-scale attack
(though numerous, the 300 or so websites exploiting variants of the WMF
exploit all have a limited scale and were detected by the major AVs in
time).

Proposal 1: The exploit was used a long time before the 27th! And
nobody detected it before! So the alert comes too late? Did anybody do a
forensics analysis (with all the system and network logs) to detect
whether any attack used it in the past?
We can imagine the scenario of a black hat who used this vuln. to
deploy his bots and… now he would like to prevent other bad guys from
doing the same and stealing some of his zombie machines!?

---------------------------------|27th_Dec|-----------|5th_Jan-Patch|----------------Now----
{ before 27th ... ? how many guys used this exploit ? }

Proposal 2: As someone said… we just see the tip of the iceberg…? But…
what do you see that I can't?

Other proposals… Welcome!

& If "stupido question" then > /dev/null

Regards,
Pejman                                                __o
                                                        _`\<,_
.......................................................(_)/ (_)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
