As a follow-up to the previous post, I thought it might be useful to give an example of how these multiple sets of information could be used together.
Here’s the process:
1) Snort Alert about WMF NumObjects being 0
2) I’m unable to determine if the machine is patched
3) I look at network sessions leading up to and then after the WMF file was accessed, nothing I wouldn’t expect
4) Look at event logs on the affected host and conclude there was no abnormal activity on the host
At this point I’m pretty sure the alert was a false positive. But I’d like to know for sure. My plan of action then becomes to pull the suspect file out of my full content collection system onto a *nix box. From there it can be easily sent to www.virustotal.com for a quick check, as well as manually analyzed by me.
Here’s some commands I ran and their respective results.
- file attach.wmz results in attach.wmz: gzip compressed data, from Win/32, max speed
- gzip -dvf --suffix .wmz attach.wmz replaces it with attach
- file attach results in attach: ms-windows metafont .wmf
- xxd attach provides the following output:
From here I was able to verify that the file did indeed have a (ZERO) in the NumberOfObjects field using the information provided at this site: http://wvware.sourceforge.net/caolan/ora-wmf.html
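As an added example (not the author's code or output), here is a small Python check that reproduces the header inspection done above by hand with xxd: it gunzips a .wmz, locates the 18-byte META_HEADER (skipping a 22-byte Aldus placeable header if one is present) and reports the NumberOfObjects field. The sample .wmz is constructed inline and is not the file from the alert; the field layout follows the standard WMF header structure.

```python
import gzip
import struct

# Key that opens an Aldus "placeable" header, which some WMF files carry ahead of META_HEADER.
PLACEABLE_KEY = 0x9AC6CDD7
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18


def parse_wmf_header(data):
    """Return the META_HEADER fields of a WMF as a dict (all fields little-endian)."""
    offset = 0
    placeable = len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY
    if placeable:
        offset = PLACEABLE_HEADER_LEN
    if len(data) < offset + META_HEADER_LEN:
        raise ValueError("file too short for a WMF header")
    # Type, HeaderSize, Version, SizeLow, SizeHigh, NumberOfObjects, MaxRecord, NumberOfMembers
    (file_type, header_size, version, size_low, size_high,
     num_objects, max_record, num_members) = struct.unpack_from("<HHHHHHIH", data, offset)
    if header_size != 9:  # HeaderSize is counted in 16-bit words and is always 9
        raise ValueError("HeaderSize %d is not 9; not a standard WMF header" % header_size)
    return {
        "placeable": placeable,
        "file_type": file_type,           # 1 = memory metafile, 2 = disk metafile
        "version": version,
        "file_size_words": size_low | (size_high << 16),
        "num_objects": num_objects,
        "max_record_words": max_record,
        "num_members": num_members,
    }


def inspect_wmz(gz_bytes):
    """gunzip a .wmz (gzip-wrapped WMF) and flag whether NumberOfObjects is zero."""
    wmf = gzip.decompress(gz_bytes)
    hdr = parse_wmf_header(wmf)
    hdr["num_objects_is_zero"] = hdr["num_objects"] == 0
    return hdr


# Constructed sample: a disk metafile whose only record is META_EOF (3 words, function
# 0x0000), so the header declares zero GDI objects and a size of 9 + 3 = 12 words.
_META_HEADER = struct.pack("<HHHHHHIH", 2, 9, 0x0300, 12, 0, 0, 3, 0)
_META_EOF = struct.pack("<IH", 3, 0x0000)
SAMPLE_WMF = _META_HEADER + _META_EOF
SAMPLE_WMZ = gzip.compress(SAMPLE_WMF)
# The same drawing with a constructed 22-byte placeable header in front of it.
SAMPLE_PLACEABLE_WMF = struct.pack("<IH4hHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + SAMPLE_WMF

if __name__ == "__main__":
    print(inspect_wmz(SAMPLE_WMZ))
```

A zero here only confirms what the header claims; whether the file is malicious still depends on the records that follow it, which is the part of the analysis the author continues with the 010 Editor template.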
Didier Stevens kindly provided some assistance through the Security Catalyst Community by providing a template for the 010 Editor. The template along with my analysis of the file is coming…