DefenseWall HIPS Defeats MS .WMF Exploit
Posted 22 January 2006 - 11:27 AM
Using WinXP SP2 and DefenseWall HIPS, I typed the URL with the .wmf exploit file into my Internet Explorer bar (IE was running as untrusted) and pressed "Enter". The exploit began - I saw the "Windows Pictures and Fax viewer" window and the DefenseWall icon became red. Many malware modules were running, some of them generated errors during their work because of the DefenseWall restrictions. Next I opened the "Trusted and Untrusted Processes Details" window and saw untrusted processes which I did not recognize. I closed all of them with the "big red button" and restarted my computer. After the reboot I found none of the malware processes running within my computer, so I started to search my hard disk for the new malware files. This is the list of malware modules:
F:\Documents and Settings\Ilya\Local Settings\Temp\a.exe
Naturally, all of them have been erased from my hard disk. According to the log, malware modules tried to change my wallpaper, IE start and search pages, default URLs, WinXP Firewall settings, BHOs, make themselves autostart and so on, which is typical of malware. All of these attempts failed. The only thing the exploit was able to do was to put nonsense onto my Desktop which I simply deleted.
The 'In-The-Wild' intrusion test passed - 100%!
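The post names the .wmf exploit file but not what is inside it. As an added example (not the author's tool and not DefenseWall's code), here is a defender-side scanner for the condition that exploit relied on: a META_ESCAPE record carrying the SETABORTPROC escape, which the GDI metafile player of that era executed as code (the MS06-001 fix). The sample files are constructed inline, with dummy escape data rather than any payload.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header key (22-byte prefix)
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape subfunction abused by the WMF exploit

def scan_wmf(data: bytes) -> dict:
    """Walk the WMF record stream; report escape records and SETABORTPROC hits."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                  # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    file_type, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if file_type not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF file")
    off += hdr_words * 2                          # standard header is 9 words
    result = {"records": 0, "escape_records": 0, "setabortproc_offsets": []}
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # size in 16-bit words
        if size_words < 3:
            raise ValueError(f"bad record size at offset {off}")
        result["records"] += 1
        if func == META_EOF:
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            esc_func, = struct.unpack_from("<H", data, off + 6)
            result["escape_records"] += 1
            if esc_func == SETABORTPROC:
                result["setabortproc_offsets"].append(off)
        off += size_words * 2
    return result

# --- constructed sample files (hypothetical, minimal, no payload) ---
def _record(func: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", 3 + len(params) // 2, func) + params

def _header(records: bytes) -> bytes:
    # Type=1 (in memory), HeaderSize=9 words, Version=0x0300, Size, objects, MaxRecord, members
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(records) // 2, 0, 0, 0) + records

_BODY_OK = _record(0x0103, struct.pack("<H", 8)) + _record(META_EOF)   # META_SETMAPMODE + EOF
_BODY_BAD = (_record(0x0103, struct.pack("<H", 8))
             + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)
             + _record(META_EOF))
BENIGN_WMF = _header(_BODY_OK)
SUSPICIOUS_WMF = _header(_BODY_BAD)
PLACEABLE_SUSPICIOUS_WMF = struct.pack("<I", PLACEABLE_MAGIC) + b"\x00" * 18 + SUSPICIOUS_WMF
```

A non-empty `setabortproc_offsets` list is the signal worth alerting on; ordinary image files have no reason to carry that escape.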