Antivirus vs. WMF exploit



There are a number of references out today to a December 31st article (on a study by av-test) about how well antivirus products were keeping up with the shifting signatures of the WMF exploits. There was a list of about 12 products that were at 100% detection. Unfortunately, the important point is that the original article was December 31st. I don’t know if there are new variations in the wild, but I DO know that the metasploit module has changed and currently seems to evade detection from Clamav. (Although clamav has caught up to the most recent batch of the exploit.)


The Kaspersky antivirus blog viruslist is talking about the new variations and the signature approaches they’ve used to try to detect other variations (some not seen in the wild) of the exploit.

It is painfully easy to create new copies of an exploit such as this. That is how I’ve tested it against Windows 98 and Windows XP virtual machines. Hopefully the antivirus companies will catch up and get good signatures to detect the exploit even with the newer obfustication techniques that have come out in the last day or so. The bottom line is, don’t rely on antivirus alone to protect against these exploits.

   Send article as PDF   

Similar Posts