By coincidence, I was checking my e-mail at the exact moment (7:31 p.m. EST, Dec. 27, 2005) when a new Microsoft Windows zero-day exploit (the WMF buffer overflow exploit) was announced in an anonymous e-mail to Bugtraq. Here’s the e-mail with the URL modified to prevent unknowledgeable readers from accidentally launching the malware:
Subject: Is this a new exploit?
Warning: the following URL successfully exploited a fully patched Windows XP system with a freshly updated Norton Anti-Virus.
The URL runs a .wmf and executes the virus; F-Secure will pick up the virus, Norton will not.
If the e-mail were true, it would be a rare Windows zero-day exploit, and a dangerous one, because no patches or anti-virus signatures were yet available to protect against it. Malware writers could, and would, use it to spread malicious programs.
My first duty was to confirm the poster's claims. On my two test systems, I first opened the link in Mozilla Firefox to see whether the URL pointed to downloadable content. Sure enough, it did.
I downloaded the file, which Firefox did not automatically execute, to my malware testing directory. I confirmed the WMF file and its format and then explored the malicious Web site a bit, looking in vain for clues.
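Confirming that a downloaded file really is a Windows Metafile, and seeing what it contains, is the kind of check a practitioner would want at this point. The following Python script is an added example and is not the author's code: it parses the optional placeable header and the META_HEADER, walks the record list, and flags the record type that the WMF vulnerability turned out to abuse (a META_ESCAPE record carrying the SETABORTPROC escape, a detail from Microsoft's later MS06-001 advisory, not from this article). The two sample files it scans are constructed inline with filler bytes and carry no payload.

```python
# Added example, not code from the original article: a minimal WMF record
# walker. Verifies the file format and reports META_ESCAPE/SETABORTPROC
# records (the abused record type per MS06-001; that mapping is an addition
# here, not something the article states). Sample files are constructed below.
import struct

PLACEABLE_KEY = 0x9AC6CDD7    # Aldus placeable header magic (bytes d7 cd c6 9a)
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201
META_ESCAPE = 0x0626
ESCAPE_SETABORTPROC = 0x0009  # escape sub-function that installs an abort callback


def parse_wmf(data: bytes) -> dict:
    """Parse the WMF headers and walk its records. Raises ValueError if not a WMF."""
    off = 0
    placeable = len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY
    if placeable:
        off = 22                                  # skip the 22-byte placeable header
    if len(data) < off + 18:
        raise ValueError("too short for a META_HEADER")
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    # Type 1 = memory, 2 = disk; HeaderSize is always 9 words; versions 0x100/0x300
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        raise ValueError("no valid META_HEADER at offset %d" % off)
    off += 18
    records, findings, saw_eof = [], [], False
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)   # size incl. this 6-byte header
        if size_words < 3:
            findings.append("record at %d claims size %d words (< header)" % (off, size_words))
            break
        end = off + size_words * 2
        if end > len(data):
            findings.append("record at %d runs past end of file" % off)
            break
        rec = {"offset": off, "function": func, "size_words": size_words}
        if func == META_ESCAPE and size_words >= 5:
            esc, nbytes = struct.unpack_from("<HH", data, off + 6)  # EscapeFunction, ByteCount
            rec["escape"], rec["escape_bytes"] = esc, nbytes
            if esc == ESCAPE_SETABORTPROC:
                findings.append("META_ESCAPE/SETABORTPROC at offset %d with %d data bytes" % (off, nbytes))
        records.append(rec)
        off = end
        if func == META_EOF:
            saw_eof = True
            break
    if not saw_eof:
        findings.append("no META_EOF record")
    return {"placeable": placeable, "version": version, "records": records, "findings": findings}


def scan_wmf(data: bytes) -> list:
    """Return the list of suspicious findings for a WMF file (empty = nothing flagged)."""
    return parse_wmf(data)["findings"]


# --- constructed sample files (hypothetical; filler bytes only, no exploit payload) ---
def wmf_record(func: int, params: bytes = b"") -> bytes:
    assert len(params) % 2 == 0, "WMF records are word-aligned"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(recs: list, placeable: bool = False) -> bytes:
    body = b"".join(recs)
    total_words = (18 + len(body)) // 2
    hdr = struct.pack("<HHHHHHIH", 1, 9, 0x0300, total_words & 0xFFFF, total_words >> 16,
                      0, max(len(r) for r in recs) // 2, 0)
    out = hdr + body
    if placeable:
        head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for (w,) in struct.iter_unpack("<H", head):   # checksum = XOR of the first 10 words
            checksum ^= w
        out = head + struct.pack("<H", checksum) + out
    return out


BENIGN_WMF = build_wmf([wmf_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
                        wmf_record(META_EOF)], placeable=True)
SUSPECT_WMF = build_wmf([wmf_record(META_ESCAPE, struct.pack("<HH", ESCAPE_SETABORTPROC, 16) + b"A" * 16),
                         wmf_record(META_EOF)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF)):
        info = parse_wmf(blob)
        print(name, "placeable=%s records=%d" % (info["placeable"], len(info["records"])),
              info["findings"] or "no findings")
```

Run it against a real sample with `parse_wmf(open(path, "rb").read())`; a `ValueError` means the file is not a metafile at all, while a SETABORTPROC finding or a record that runs past end-of-file is what you would expect a hostile sample to show. The walker deliberately stops at the first malformed record rather than trusting its declared size, so it never reads outside the buffer.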
I then used both Internet Explorer 6 and 7 to load the same link on fully patched test systems. Both systems immediately downloaded the file, fell victim to the exploit, and installed a separate Trojan file called apidm.exe into the %Windir% folder.
I uploaded the original malicious file to several Web sites that scan suspected malware with many anti-virus engines at once, to reveal whether one or more anti-virus vendors already recognized it. The sites I used were virusscan.jotti.org and virustotal.com.
Of the 30-plus anti-virus scanners used, none recognized the initial exploit, and only two recognized the secondary dropped Trojan. Within 40 minutes (8:10 p.m.) of the exploit being released into the wild, I had confirmed that this was indeed a new Windows zero-day exploit. I needed to notify as many security people and entities as possible.
But how do you do this, especially on a night during the holiday season?