funsec mailing list archives

FW: [Full-disclosure] WMF ..... Is it possible to do a "ForensicsAnalysis" before 27th Dec


From: "Todd Towles" <toddtowles () brookshires com>
Date: Fri, 13 Jan 2006 10:46:44 -0600

 This is funny just because....

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk 
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf 
Of Pejman GOHARI
Sent: Friday, January 13, 2006 10:43 AM
To: Full-Disclosure () lists grok org uk
Subject: [Full-disclosure] WMF ..... Is it possible to do a "ForensicsAnalysis" before 27th Dec

Hi,

One more mail about WMF, but ... My objective is to do a 
"Forensics Analysis" of this event (the WMF threat) and 
understand what exactly happened. Because something sounds 
strange ... to me! (And maybe only to me ;-) )

27th Dec: A guy just published a mail to Bugtraq... to show his
exploit.
In reality it was more than a friendly demonstration: it was 
very sophisticated malware, with a malicious bot deployment...

So, first question: How long have the black hats used this 
exploit to deploy their bots, spyware, keyloggers...? Maybe the 
vulnerability has been widely used, long before it was 
finally released...

After 27th Dec, all the Security Experts, CERTs and AV companies 
sent an "Emergency" alert (and they did their job very well).
Just after ... an unofficial patch was proposed (helpful) and 
Microsoft announced an official patch for the Patchday of 
10th Jan!!!

Surprise.... On 5th Jan, Microsoft published an Emergency patch 
before the Patchday. (NEVER had they done that in the past)

So comes a second question ... Why? Why does the BIG Microsoft 
change its Patchday process? I can't imagine that 
Microsoft changes its Patchday process just for you and me 
... and for our PCs at home! The Patchday is a process for 
professionals (companies)...  So why this emergency?
When the patch was released, we hadn't seen a large-scale 
attack (though numerous, the 300 websites exploiting 
variants of the WMF exploit all have a limited scale and are 
detected by the major AVs in time)

Proposal 1: The exploit was used a long time before the 27th! 
And nobody detected it before! So the alert came too late? 
Did anybody do a forensics analysis (with all the system and 
network logs) to detect whether any attack had used it in the past?
We can imagine the scenario of a black hat who used this 
vuln. to deploy his bots and ... now he would like to prevent 
other bad guys from doing the same and stealing some of his 
zombie machines!?

--------------------------------------------------------------
-------------|27th_dec|-----------|5thJan-Patch|--------Now----
{ before 27th ... ? how many guys used this exploit ? }

Proposal 2: As someone said ... we just see the tip of the 
iceberg...? But ... what do you see that I can't?

Other Proposal ... Welcome!

& If "stupido question" then > /dev/null

Regards,
Pejman                                                __o
                                                    _`\<,_
...................................................(_)/ (_)


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
