VSE 8.0 Behavior Rules for WMF Exploit??

[addus5]

Anyone know of any Behavior rules that will successfully warn or block the WMF exploit? Ive got a call into mcafee to see if they reccommend anything. My first thoughts would be to warn if gdi32.dll trys to execute anything. If im correct gdi32.dll uses the escape call the executes the code. Im not sure if gdi32.dll needs to execute or just needs read access to function properly.

Ideas?

 

[VictorySabre]

I would have thought the McAfee DAT files would detect the WMF exploit files? If not the DAT files, wouldn't the Buffer Overflow Protection detect it?

If not, then please do post any Behavior Rules that would help stop the WMF exploit.

Thanks!

 

[addus5]

The DAT's detect some of the variants. The exploit doesnt use a Buffer Overflow. It uses an escape call in the GDI (

http://www.kb.cert.org/vuls/id/181038).

Mcafee says no to the behavior blocking but I dont buy it. I dont have a test lab but I emailed ISC and CERT to look into some more.

We are going to load a bullet into the gun by packaging the unofficial patch for deployment. If we see virus activity we will pull the trigger and deploy the patch and an Extra.DAT as needed.

 

[VictorySabre]

I have not tested and/or verified this, but according to McAfee's web site, Buffer Overflow Protection should detect it when the malicious file is opened in Internet Explorer or Windows Explorer.

http://vil.nai.com/vil/content/v_137760.htm

I don't know the full details of the WMF exploit so it may be possible that the Buffer Overflow protection doesn't cover all aspects of exploitation.