Full Disclosure mailing list archives

RE: WMF ..... Is it possible to do a "ForensicsAnalysis" before 27th Dec


From: "Tim Saunders" <Tim.Saunders () aquilauk co uk>
Date: Fri, 13 Jan 2006 17:30:20 -0000

I believe I saw an attempt at an exploit on the 21st of December.

A website I visit regularly and would expect to be trustworthy opened a
background tab in Opera despite the built-in pop-up blocker (it does
happen occasionally). I noticed because Opera asked me what application I
would like to open the application/x-msmetafile content with, since I use
Linux rather than Windows. I closed the tab and thought no more about it
until I saw the WMF vulnerability announcement.

By the 22nd the website no longer opened the popup. I suspect the site
had been compromised and silently fixed without the admins realising
what they were removing.

Tim

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Pejman
GOHARI
Sent: 13 January 2006 16:43
To: Full-Disclosure () lists grok org uk
Subject: [Full-disclosure] WMF ..... Is it possible to do a
"ForensicsAnalysis" before 27th Dec

Hi,

One more mail about WMF, but ... My objective is to do a "Forensics
Analysis" about this event (WMF Threat) and understand what exactly
happened. Because something sounds strange ... for me! (And maybe only
for me ;-) )

27th Dec: A guy just published a mail to Bugtraq... to show his exploit.
In reality it was more than a friendly demonstration: it was a very
sophisticated malware, with a malicious bot deployment...

So first question: How long have the black hats used this exploit to
deploy their bots, spyware, keyloggers...? Maybe the vulnerability has
been wildly used, long before it was finally released...

After 27th Dec, all the Security Experts, CERTs and AV companies sent an
"Emergency" alert (and they did their job very well).
Just after ... an unofficial patch was proposed (helpful) and Microsoft
announced an Official patch for the Patchday of the 10th Jan!!!

Surprise.... On the 5th Jan, Microsoft published an Emergency patch
before the Patchday. (NEVER had they done that in the past)

So comes a second question ... Why? Why does the BIG Microsoft change its
Patchday process? I can't imagine that Microsoft changes its Patchday
process just for you and me ... and for our PCs at home! The Patchday
is a Process for Professionals (Companies)... So why this Emergency?
When the Patch was released, we hadn't seen a large-scale attack
(though numerous, the 300 websites exploiting variants of the WMF
exploit all have a limited scale and are detected by the major AV at the
time)

Proposal 1: The exploit was used a long time before the 27th! And
nobody detected it before! So the alert comes too late? Did anybody do
Forensics (with all the system and network logs) to detect if any attack
used it in the past?
We can imagine the Scenario of a black hat who used this vuln. to
deploy his bots and ... now he would like to prevent other bad guys from
doing the same and stealing some of his zombie machines !?

------------------------------------------------------------------------
---|27th_dec|-----------|5thJan-Patch|----------------Now----
{ before 27th ... ? how many guy use this exploit ?}

Proposal 2: As someone said ... we just see the tip of the Iceberg...?
But ... what do you see that I can't?

Other Proposal ... Welcome!

& If "stupido question" then > /dev/null

Regards,
Pejman                                                __o
                                                        _`\<,_
.......................................................(_)/ (_)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
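A starting point for the log review Pejman asks about, added here as an example and not part of the thread: it scans constructed proxy log lines (the trailing Content-Type field and the whole line layout are assumptions; adapt the regex to your own logs) for responses that carried metafile content, using the application/x-msmetafile type Tim saw, and splits the hits around the 27th Dec disclosure date.

```python
import re
from datetime import datetime, timezone

# Public disclosure date of the WMF issue discussed in the thread (27 Dec 2005).
DISCLOSURE = datetime(2005, 12, 27, tzinfo=timezone.utc)

# Assumed combined-log layout: client, two dashes, [timestamp], "METHOD URL PROTO",
# status, size, "Content-Type". Adjust to the real proxy/web-server format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ctype>[^"]*)"$'
)

# Constructed sample log lines (not real traffic): a 21 Dec metafile served
# from an ad host, a .wmf file mislabelled as a GIF, and two post-disclosure hits.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Dec/2005:14:02:11 +0000] "GET http://news.example/ HTTP/1.1" 200 5120 "text/html"
10.0.0.5 - - [21/Dec/2005:14:02:13 +0000] "GET http://ads.example/x.php HTTP/1.1" 200 3011 "application/x-msmetafile"
10.0.0.7 - - [22/Dec/2005:09:15:40 +0000] "GET http://ads.example/logo.wmf HTTP/1.1" 200 2048 "image/gif"
10.0.0.9 - - [28/Dec/2005:11:00:02 +0000] "GET http://cdn.example/pic.wmf HTTP/1.1" 200 2200 "application/x-msmetafile"
10.0.0.9 - - [28/Dec/2005:11:00:05 +0000] "GET http://cdn.example/old.wmf HTTP/1.1" 404 300 "text/html"
"""

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_wmf_candidate(rec):
    """Flag a response by declared metafile type OR by a .wmf/.emf path, so a
    metafile hidden behind an image/gif label is still caught."""
    ctype = rec["ctype"].lower()
    path = rec["url"].split("?", 1)[0].lower()
    return ("x-msmetafile" in ctype or "image/wmf" in ctype
            or path.endswith((".wmf", ".emf")))

def triage(lines, cutoff=DISCLOSURE):
    """Return (pre_disclosure, post_disclosure) lists of successfully served hits."""
    pre, post = [], []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "200" and is_wmf_candidate(rec):
            (pre if rec["ts"] < cutoff else post).append(rec)
    return pre, post

if __name__ == "__main__":
    before, after = triage(SAMPLE_LOG.splitlines())
    for rec in before:
        print("PRE-DISCLOSURE", rec["ts"].date(), rec["src"], rec["url"], rec["ctype"])
    print(len(before), "hits before disclosure,", len(after), "after")
```

Hits dated before the 27th are the ones worth pulling cached objects or client images for; a metafile served with a non-metafile Content-Type is the more interesting of the two.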