Full Disclosure mailing list archives
RE: WMF ..... Is it possible to do a "ForensicsAnalysis" before 27th Dec
From: "Tim Saunders" <Tim.Saunders () aquilauk co uk>
Date: Fri, 13 Jan 2006 17:30:20 -0000
I believe I saw an attempt at an exploit on the 21st of December. A website I visit regularly and would expect to be trustworthy opened a background tab in Opera despite the built-in pop-up blocker (it does happen occasionally). I noticed because Opera asked me what application I would like to open the application/x-msmetafile content with, since I use Linux rather than Windows. I closed the tab and thought no more about it until I saw the WMF vulnerability announcement. By the 22nd the website no longer opened the popup. I suspect the site had been compromised and silently fixed without the admins realising what they were removing.

Tim

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Pejman GOHARI
Sent: 13 January 2006 16:43
To: Full-Disclosure () lists grok org uk
Subject: [Full-disclosure] WMF ..... Is it possible to do a "ForensicsAnalysis" before 27th Dec

Hi,

One more mail about WMF, but ...

My objective is to do a "Forensics Analysis" about this event (WMF Threat) and understand what exactly happened. Because something sounds strange ... for me! (And maybe only for me ;-) )

27th Dec: A guy published just a mail to Bugtraq... to show his exploit. In reality it was more than a friendly demonstration: it was a very sophisticated malware, with a malicious bot deployment...

So first question: How long have the black hats used this exploit to deploy their bots, spyware, keyloggers...? Maybe the vulnerability has been widely used, long before it was finally released...

After 27th Dec, all the Security Experts, CERTs, AV companies sent an "Emergency" alert (and they did their job very well). Just after ... an unofficial patch was proposed (helpful) and Microsoft announced an Official patch for the Patchday of the 10th Jan!!! Surprise.... The 5th Jan: Microsoft published an Emergency patch before the Patchday. (NEVER had they done that in the past)

So comes a second question ...

Why? Why does the BIG Microsoft change its Patchday process? I can't imagine that Microsoft changes its Patchday process just for you and me ... and for our PC at home! The Patchday is a Process for Professionals (Companies)... So why this Emergency? When the Patch was released, we hadn't seen a large scale attack (though numerous, the 300 Websites exploiting variants of the WMF exploit all have a limited scale and were detected by the major AVs at the time).

Proposal 1: The exploit was used a long time before the 27th! And nobody detected it before! So the alert came too late? Did anybody do a Forensics (with all the system and network logs) to detect whether any attack used it in the past? We can imagine the scenario of a black hat who used this vuln. to deploy his bots and ... now he would like to prevent other bad guys from doing the same and stealing some of his zombie machines!?

------------------------------------------------------------------------
---|27th_dec|-----------|5thJan-Patch|----------------Now----
{ before 27th ... ? how many guys used this exploit ?}

Proposal 2: As someone said ... we just see the tip of the Iceberg...? But ... what do you see that I can't?

Other Proposals ... Welcome! & If "stupido question" then > /dev/null

Regards,
Pejman

    __o
  _`\<,_
 (_)/ (_)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
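Pejman asks whether anyone has gone back through system and network logs to find WMF deliveries before the 27th, and Tim's observation gives one concrete indicator: a response handed to the browser as application/x-msmetafile. The following is an added example, not code from this thread or from either poster. It sweeps proxy access-log lines for responses before a cutoff date that carried a Windows metafile content type or a .wmf/.emf URL. The Squid-style field layout, the sample log lines, the hosts and addresses, and the list of MIME types are all constructed assumptions for the example.

```python
"""Retrospective sweep of proxy logs for WMF content served before a cutoff date.

Added example; not part of the mailing-list thread. The log layout is an
assumption: one response per line with the fields
    <epoch> <client-ip> <status> <bytes> <method> <url> <content-type>
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# MIME types under which Windows metafiles are typically served. The first is
# the one named in Tim's report; the others are assumed aliases worth including.
WMF_CONTENT_TYPES = {"application/x-msmetafile", "image/x-wmf", "image/wmf"}
WMF_EXTENSIONS = (".wmf", ".emf")

# Public disclosure date from the thread: anything before this is the window
# Pejman is asking about.
CUTOFF = datetime(2005, 12, 27, tzinfo=timezone.utc)

# Constructed sample lines (epochs fall on 21/22 Dec and 28 Dec 2005 UTC).
# The second line mimics Tim's case: an innocuous-looking URL whose response
# is nevertheless tagged as a metafile.
SAMPLE_LOG = [
    "1135166400 10.0.0.12 200 812 GET http://example.test/news/index.html text/html",
    "1135166401 10.0.0.12 200 5321 GET http://example.test/banner/ad123.jpg application/x-msmetafile",
    "1135209600 10.0.0.15 200 4102 GET http://example.test/img/logo.wmf image/x-wmf",
    "1135764000 10.0.0.20 200 6000 GET http://example.test/late/x.wmf image/x-wmf",
    "1135209700 10.0.0.16 200 900 GET http://example.test/clip/a.wmf application/octet-stream",
    "1135166402 10.0.0.12 200 100 GET http://example.test/css/main.css text/css",
    "garbled line that does not match the layout",
]


@dataclass
class Hit:
    when: datetime
    client: str
    url: str
    content_type: str
    reason: str


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Split one access-log line; None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) != 7:
        return None
    epoch, client, _status, _size, _method, url, ctype = parts
    try:
        when = datetime.fromtimestamp(float(epoch), tz=timezone.utc)
    except ValueError:
        return None
    return when, client, url, ctype.lower()


def classify(url: str, ctype: str) -> Optional[str]:
    """Why a response looks like a metafile delivery, or None if it does not.

    The declared content type is checked first because the URL extension says
    nothing about what the server actually returned.
    """
    if ctype in WMF_CONTENT_TYPES:
        return "content-type " + ctype
    path = urlparse(url).path.lower()
    if path.endswith(WMF_EXTENSIONS):
        return "extension " + path[path.rfind("."):]
    return None


def find_wmf_deliveries(lines: Iterable[str], cutoff: datetime) -> List[Hit]:
    """Return every metafile-looking response logged strictly before cutoff."""
    hits: List[Hit] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines the layout does not explain
        when, client, url, ctype = parsed
        if when >= cutoff:
            continue  # outside the pre-disclosure window
        reason = classify(url, ctype)
        if reason is not None:
            hits.append(Hit(when, client, url, ctype, reason))
    return hits


def affected_clients(hits: Iterable[Hit]) -> List[str]:
    """Distinct client addresses that received a flagged response, sorted."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    found = find_wmf_deliveries(SAMPLE_LOG, CUTOFF)
    for h in found:
        print(h.when.isoformat(), h.client, h.url, "->", h.reason)
    print("clients to examine:", affected_clients(found))
```

Flagged lines are a starting point for host examination, not proof of compromise; the point of checking the content type before the extension is that, as in Tim's case, the URL need not look like an image file at all.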