Link Logger Home ZyXel Banner Binary Visions
Netgear
 LinkSYS
Router

WMF Attack 		Link Logger for Windows
Home Home Product Info Product Info Download Download/Purchase Support Support  
Link Logger for Windows

NewsLatest News

Screen ShotsScreenshots

Customer CommentsFeedback

Common ScansScans

Additional ResourcesResources

Additional ResourcesMy Articles

My BlogMy Blog

Introduction


The purpose of this article is to show the effects of a Windows Metafile Attack and why you don't want to run as an admin level user as it made the attack far more serious then it should have been.

The Ground Work

The system used in this experiment was an Windows XP SP2 fully patched system, running a fully updated demo version of F-Secure (similar results would occur with pretty well any Anti Virus, I used F-Secure in this test as its an AV that I think highly of).  The test system was located behind a hardware firewall on its own network so unsolicited network traffic would be blocked at the firewall.  I was logged in as an Admin level user, which resulted in far more damage then what would have happened had I been logged in as non-Admin user.  A full system scan was completed before the experiment which showed the system as being clean.  We then opened the web browser to a known infected Windows Meta File (.wmf) and the adventure began.

Result of the full system scan

Configuration of F-Secure Anti-Virus (default settings)

 

First hint of something going wrong after opening the Windows Metafile in IE, by default I choose the safe option in every case so here I Blocked the change.  NOTE a non admin user wouldn't be able to access this portions of the registry so F-Secure wouldn't have had to try to protect the system.

 

Despite the message F-Secure kept on fighting the attack, but certainly I was concerned.  Now I suspect that this attack had a list of processes to go after and includes other AV and security software.

 

Nasty Keylogger.

 

Continuing to shutdown system protection.

 

Installing nasties to start up on reboot.

 

Another Keylogger.

 

Note Security Center was killed, again if I was logged in as a non-Admin this wouldn't have happened as only an Admin level user could do this. In short though this is bad.

The firewall was enabled before the test began, but again since I was logged in as an admin level user the attack was able to shutdown SP's internal firewall.

looking in the event logs I see some rather interesting items.

These are not good events and again, the attack wouldn't have been able to do this if I wasn't logged in as an admin level user.

 

I then shutdown the system and restarted it, disconnected from the network and did a full scan with F-Secure.  The Security Center and XP internal firewall were both still down, but the virus scan found 5 viruses including the two I downloaded after I turned off the AV (I wanted to capture the file for later analysis), but I would have a hard time trusting this system and would do a full nuke and pave (meaning delete the partitions and rebuild it from there) before using it for anything even remotely confidential.  I also checked for root kits but none were found.

 

Review

A couple of things happened here.  First by default the Anti-Virus doesn't scan .wmf files, so you should ensure that your Anti-Virus scans .wmf files, but windows metafiles are executed not by their extension, but by a file header within the file, so I would recommend until Microsoft releases the patch (and you have installed it), configuring your AV to scan ALL files.  This will slow down your system a bit, but will help keep it safe.  Second what greatly magnified the outcome of this attack was being logged in as an admin level user.  Had I been logged in as a non-Admin user then the attack wouldn't have been able to shutdown security services, or installed the nastiest which were to be started on reboot of the system.

 

Round Two - Revenge of the Admin

OK so from above you can see that it was messy loss in the first round, but let's take a look at what happened in terms of what failed, rebuild the system same as before and try again after making a couple of simple adjustments.  Note the Windows Metafile exploit wasn't reported above which is strange given every one and their dog knows about this exploit (thank you out of control spin doctors for making this out to be a plague of biblical proportions which it is not).  I had configured F-Secure to default settings which means it scans per 'Normal' setting, so what files are scanned in this setting or more importantly what files are not scanned.

So in the default setting of 'Normal' WMF files are NOT scanned, this is bad as it would allow the exploit to run and hence why it didn't pick up the metafile exploit above.

 

Now if we configure the scanner to 'High' it will scan all files

 

And then if we try the same attack as above.

F-Secure picks off and kills the infected file and the attack is stopped dead in its tracks before it can cause any damage.

 

So hopefully this demonstrates updating your AntiVirus might not be enough to protect you from the windows metafile exploit as you might need to change some of the settings in your AntiVirus.  I have picked on F-Secure here, but there are other AntiVirus products which have the same issue (and I personally like F-Secure and use it on my systems here, but cranked up the scanning level to all files when I first caught wind of the metafile exploit and it has protected all my systems from this exploit).  So now I can go to bed and relax knowing my systems are safe.

This article is part of a thread I started in BroadBandReports.com Security forum.  If you are even remotely interested in security or have any questions concerning security then I highly recommend visiting the security forum on BBR as it is one of the best and most friendly security crews on the internet.

Page last updated on November 26, 2006