It started as a simple warning on Securityfocus’ Bugtraq mailing list, on December 27th:
"Warning: the following URL successfully exploited a fully patched Windows XP system with a freshly updated Norton Anti Virus.
unionseek.com/d/t1/wmf_exp.htm
The URL runs a .wmf and executes the virus; F-Secure will pick up the virus, Norton will not."
This was the message that initiated the "WMF Escapade" that brought millions to their knees. Questions about "triple dog dare" criticality aside, the escapade is one of the (very) few times an undercover exploit has been identified in the wild. It is fairly common in the if-I-tell-you-I'll-have-to-kill-you security profession to suggest it is impossible to identify such exploits (according to at least one report, the identification of this vulnerability may have taken as long as a month after the exploit was created).
I spoke with "noemailpls" this evening and learned how he did it.
How did “noemailpls” do it? When did he do it? I’m trying to understand the whole “WMF Escapade”–for a paper for SANS–and would very much like to know. The escapade says a lot about our preparations for a serious outbreak of malware, which makes it important to know the timing of and means by which the vulnerability was discovered.