New Exploit for Unpatched Windows Flaw


Brian Krebs on Computer Security
Posted at 05:38 PM ET, 12/31/2005

It appears we will be ringing in the new year with a new and improved
exploit that online miscreants can use to attack an unpatched
Microsoft Windows flaw and install spyware, viruses and other
dangerous digital intruders.

The latest bit of malware takes advantage of the same Windows Metafile
(files ending in .wmf) security hole that Security Fix warned about
earlier this week, the one where Windows users can get infected just
by clicking on a specially crafted link in an e-mail or visiting a Web
site that hosts the malicious code.

The part that's different about this attack is that it's designed to
generate slightly different program code each time the exploit is run
-- creating a new threat with a random file size, non-WMF file
extension (like .jpeg) and other variable tricks. The folks over at
the SANS Internet Storm Center have more detailed information about
the new exploit if you're interested.

This is a big deal because so far -- without a patch from Redmond to
remedy this problem -- the major antivirus vendors have been the first
lines of defense against this attack, and they have relied mainly on
adding new signatures to their software to detect the latest threats
each time a new one appears. But by changing the profile of the attack
slightly with each iteration, the new exploit's random attack code has
a far greater chance of slipping past software shields.

SANS said the random garbage added onto any attack code generated with
the new exploit could make it very hard for anti-virus companies to
develop signatures to detect the new threats.

Last week, I wrote about tests run by Andreas Marx of that
looked at the response time of various antivirus products to some of
the largest computer worm outbreaks of 2005. This morning, Marx sent
me an e-mail listing each of the products that now detect all 73 known
versions of the old WMF exploit: those products included AntiVir,
Avast!, BitDefender, ClamAV, Command, Dr Web, eSafe, eTrust-INO,
eTrust-VET, Ewido, F-Secure, Fortinet, Kaspersky, McAfee, Nod32,
Norman, Panda, Sophos, Symantec, Trend Micro, and VirusBuster.

But, Marx said, "It looks like some of the 100% companies have
simply added detections for all of the files I've sent out, without
actually having a generic detection in place; instead of this, 73
different signatures to detect all 73 different files. That's not

Not good indeed, given the morphing abilities of this new exploit. I
suspect the 2006 work year will begin a bit too soon for many network
and computer defense professionals out there.
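The two weaknesses the post describes, a WMF payload hiding behind a harmless-looking extension such as .jpeg and vendors shipping one signature per sample instead of a generic detection, both come from matching on the wrong thing: the file name or a hash rather than the structure of the content. The following Python classifier is an added example, not code from Security Fix, SANS or any antivirus product; it decides whether a byte stream is a Windows Metafile by its header fields alone, ignoring the extension, and flags the mismatch. The sample "attachments" are constructed byte strings, not real exploit files.

```python
import struct

# Magic of the "placeable" WMF header (0x9AC6CDD7 stored little-endian).
PLACEABLE_WMF_MAGIC = b"\xD7\xCD\xC6\x9A"
# Start of a genuine JPEG stream, used only to build a constructed sample.
JPEG_MAGIC = b"\xFF\xD8\xFF"


def looks_like_wmf(data: bytes) -> bool:
    """Structural check: does the byte stream start with a WMF header?

    Two header forms exist: the placeable header (4-byte magic) and the
    standard METAHEADER, whose first three little-endian WORDs are the file
    type (1 = memory, 2 = disk), the header size in WORDs (always 9) and the
    version (0x0100 or 0x0300).  Neither depends on the file name, so a
    renamed .wmf is caught exactly like an honestly named one.
    """
    if data[:4] == PLACEABLE_WMF_MAGIC:
        return True
    if len(data) < 6:
        return False
    file_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def extension_of(filename: str) -> str:
    """Lower-cased extension, or '' when the name has none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def classify(filename: str, data: bytes) -> str:
    """Verdict for one attachment or download.

    'wmf-disguised' : WMF content under a non-.wmf name (the trick in the post)
    'wmf'           : WMF content with an honest .wmf extension
    'ok'            : not a WMF stream (the name is irrelevant then)
    """
    if looks_like_wmf(data):
        return "wmf" if extension_of(filename) == "wmf" else "wmf-disguised"
    return "ok"


def _standard_wmf_header() -> bytes:
    # Constructed sample: METAHEADER for a disk metafile, 9-WORD header,
    # version 3.00, padded so the sample is longer than the header itself.
    return struct.pack("<HHH", 2, 9, 0x0300) + b"\x00" * 12


# Constructed inputs standing in for files arriving at a mail or web gateway.
SAMPLES = {
    "holiday.wmf": _standard_wmf_header(),            # WMF, honest name
    "photo.jpeg": PLACEABLE_WMF_MAGIC + b"\x00" * 18,  # WMF bytes, image name
    "cat.gif": _standard_wmf_header(),                 # WMF bytes, .gif name
    "real.jpeg": JPEG_MAGIC + b"\xE0" + b"\x00" * 16,  # genuine JPEG start
    "note.txt": b"hello",                              # too short, not WMF
}


def scan(samples=SAMPLES) -> dict:
    """Classify every sample; returns {filename: verdict}."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:12s} {verdict}")
```

Because the decision rests on header structure rather than on a per-file hash, every freshly generated variant with a new random size or extension lands in the same bucket, which is the generic detection Marx found missing. Windows' own metafile parser is lenient about the header, so treat this as a triage and policy check (for example, "no metafiles from the outside regardless of name") rather than a complete filter on its own.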

By Brian Krebs
