The purpose of this article is to show the effects of a Windows Metafile Attack
and why you don't want to run as an admin level user, as it made the attack far
more serious than it should have been.
The Ground Work
The system used in this experiment was a Windows XP SP2 fully patched
system, running a fully updated demo version of F-Secure (similar results would
occur with pretty well any Anti Virus; I used F-Secure in this test as it's an AV
that I think highly of). The test system was located behind a hardware
firewall on its own network so unsolicited network traffic would be blocked at
the firewall. I was logged in as an Admin level user, which resulted in
far more damage than what would have happened had I been logged in as a non-Admin
user. A full system scan was completed before the experiment which showed
the system as being clean. We then opened the web browser to a known
infected Windows Meta File (.wmf) and the adventure began.
Result of the full system scan
Configuration of F-Secure Anti-Virus (default settings)
First hint of something going wrong after opening the Windows
Metafile in IE. By default I choose the safe option in every case, so here I
blocked the change. NOTE: a non-admin user wouldn't be able to access these
portions of the registry so F-Secure wouldn't have had to try to protect the
Despite the message F-Secure kept on fighting the attack, but
certainly I was concerned. Now I suspect that this attack had a list of
processes to go after and includes other AV and security software.
Continuing to shutdown system protection.
Installing nasties to start up on reboot.
Note Security Center was killed, again if I was logged in as a
non-Admin this wouldn't have happened as only an Admin level user could do this.
In short though this is bad.
The firewall was enabled before the test began, but again
since I was logged in as an admin level user the attack was able to shut down
SP's internal firewall.
Looking in the event logs I see some rather interesting items.
These are not good events and again, the attack wouldn't have
been able to do this if I wasn't logged in as an admin level user.
I then shut down the system and restarted it, disconnected from
the network and did a full scan with F-Secure. The Security Center and XP
internal firewall were both still down, but the virus scan found 5 viruses
including the two I downloaded after I turned off the AV (I wanted to capture
the file for later analysis), but I would have a hard time trusting this system
and would do a full nuke and pave (meaning delete the partitions and rebuild it
from there) before using it for anything even remotely confidential. I
also checked for root kits but none were found.
A couple of things happened here. First, by default the
Anti-Virus doesn't scan .wmf files, so you should ensure that your Anti-Virus
scans .wmf files. But Windows metafiles are executed not by their extension but
by a file header within the file, so I would recommend, until Microsoft releases
the patch (and you have installed it), configuring your AV to scan ALL
files. This will slow down your system a bit, but will help keep it safe.
Second, what greatly magnified the outcome of this attack was being logged in as
an admin level user. Had I been logged in as a non-Admin user then the
attack wouldn't have been able to shut down security services, or install the
nasties which were to be started on reboot of the system.
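To show why scanning by extension misses these files, here is an added Python example (not part of the original write-up and not F-Secure's code) that identifies a metafile by its header bytes and lists files that are WMF by content but carry another extension. The sample files are constructed and harmless, and the function names are made up for this illustration.

```python
import struct
import tempfile
from pathlib import Path

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # placeable-metafile key 0x9AC6CDD7, little-endian
PLACEABLE_LEN = 22                    # optional header that precedes the standard one


def is_wmf(data: bytes) -> bool:
    """True if the bytes begin with a Windows Metafile header."""
    if data[:4] == PLACEABLE_KEY:
        data = data[PLACEABLE_LEN:]
    if len(data) < 6:
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", data)
    # Type 1 = memory, 2 = disk; header is 9 words long; version 0x0100 or 0x0300.
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def find_disguised_wmf(root):
    """Names of files under root that are WMF by content but not named .wmf."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                head = fh.read(PLACEABLE_LEN + 6)
            if is_wmf(head) and path.suffix.lower() != ".wmf":
                hits.append(path.name)
    return hits


def demo():
    """Scan a temp directory of constructed sample files (all harmless)."""
    # Constructed: 18-byte standard header followed by only the end-of-file record.
    wmf = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
    placeable = PLACEABLE_KEY + bytes(PLACEABLE_LEN - 4) + wmf
    samples = {
        "picture.wmf": wmf,                       # honest extension
        "holiday.jpg": wmf,                       # metafile under an image extension
        "logo.gif": placeable,                    # placeable metafile, wrong extension
        "real.gif": b"GIF89a" + bytes(32),        # genuine GIF signature
        "notes.txt": b"plain text, nothing here",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_bytes(body)
        return find_disguised_wmf(tmp)


if __name__ == "__main__":
    print(demo())
```

A scanner that picks files by extension would only ever look at picture.wmf in this sample set, which is why the "scan all files" setting matters.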
Round Two - Revenge of the Admin
OK so from above you can see that it was a messy loss in the first
round, but let's take a look at what happened in terms of what failed, rebuild
the system same as before and try again after making a couple of simple
adjustments. Note the Windows Metafile exploit wasn't reported above, which
is strange given everyone and their dog knows about this exploit (thank you out
of control spin doctors for making this out to be a plague of biblical
proportions which it is not). I had configured F-Secure to default
settings which means it scans per 'Normal' setting, so what files are scanned in
this setting, or more importantly, what files are not scanned?
So in the default setting of 'Normal' WMF files are NOT
scanned. This is bad as it would allow the exploit to run, and hence why it
didn't pick up the metafile exploit above.
Now if we configure the scanner to 'High' it will scan all
And then if we try the same attack as above.
F-Secure picks off and kills the infected file and the attack
is stopped dead in its tracks before it can cause any damage.
So hopefully this demonstrates that updating your AntiVirus might not
be enough to protect you from the Windows metafile exploit, as you might need to
change some of the settings in your AntiVirus. I have picked on F-Secure
here, but there are other AntiVirus products which have the same issue (and I
personally like F-Secure and use it on my systems here, but cranked up the
scanning level to all files when I first caught wind of the metafile exploit and
it has protected all my systems from this exploit). So now I can go to bed
and relax knowing my systems are safe.
This article is part of a
thread I started in the BroadBandReports.com Security forum. If you
are even remotely interested in security or have any questions concerning
security then I highly recommend visiting the
forum on BBR as it is one of the best and most friendly security crews
on the internet.
Page last updated on
November 26, 2006