Our friends over at Bleeding-Edge Snort (http://www.bleedingsnort.com/) have posted Snort rules that detect Windows Metafiles (WMF) carrying the current exploit. We have tested them with our Kerio Firewall product, and they do indeed block this nasty stuff.

The following Bleeding-Edge Snort rules, when added to Sunbelt Kerio Personal Firewall, have been successful in blocking different variations of the WMF (Windows Metafile) exploit. Note that the hex byte sequences in a Snort content match must be enclosed in pipe characters (|...|); some copy-and-paste renderings strip them, and without them Snort searches for the literal ASCII text and the rule never fires.

alert ip any any -> any any (msg:"COMPANY-LOCAL WMF Exploit"; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; sid:2005122802; classtype:attempted-user; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"|01 00 09 00 00 03|"; depth:500; content:"|00 00|"; distance:10; within:12; content:"|26 06 09 00|"; within:5000; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002733; rev:1;)

A note on what the two rules match. The first rule's header match includes the mtSize (52 1f 00 00), mtNoObjects (06 00) and mtMaxRecord (3d 00 00 00) fields of the FrSIRT proof-of-concept file, so it fires only on files with that exact layout. The second rule matches only the generic part of the WMF header (mtType 1, mtHeaderSize 9, mtVersion 0x0300, then the always-zero mtNoParameters field 10 bytes later) followed within 5000 bytes by a META_ESCAPE record (function 0x0626) whose escape sub-function is SETABORTPROC (9), which is the record the exploit depends on; it is the more general of the two.
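To see what those byte sequences actually match, here is a small WMF record walker, an added example that is not code from the original post, from Sunbelt or from Bleeding-Edge. It re-implements the second rule's content/depth/distance/within chain as a byte-offset test, and also walks the records structurally, which generalizes the check to disk (mtType 2) and version 0x0100 metafiles that the signature's first six bytes would not match. The sample file it builds is constructed inline and contains no exploit code; escape function 2 is used only as an arbitrary non-SETABORTPROC value for the benign case.

```python
import struct

# MS-WMF constants: the escape record type and the escape sub-function
# the exploit abuses. Byte strings below are the signature's content matches.
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
HEADER_LEN = 18                                   # non-placeable WMF header, in bytes
SIG_HEADER = b"\x01\x00\x09\x00\x00\x03"          # mtType=1, mtHeaderSize=9, mtVersion=0x0300
SIG_ESCAPE = b"\x26\x06\x09\x00"                  # rdFunction=META_ESCAPE, escape=SETABORTPROC


def matches_signature(data):
    """Same logic as the second rule: each match is anchored on the previous one."""
    i = data.find(SIG_HEADER, 0, 500)             # content:"|01 00 09 00 00 03|"; depth:500
    if i < 0:
        return False
    end = i + len(SIG_HEADER)
    j = data.find(b"\x00\x00", end + 10, end + 22)   # distance:10; within:12 (mtNoParameters)
    if j < 0:
        return False
    end = j + 2
    return data.find(SIG_ESCAPE, end, end + 5000) >= 0   # content:"|26 06 09 00|"; within:5000


def parse_header(data):
    """Return the WMF header fields as a dict, or None if this is not a WMF."""
    if len(data) < HEADER_LEN:
        return None
    mt_type, hdr_size, version, size_words, n_objects, max_record, n_params = \
        struct.unpack_from("<HHHIHIH", data, 0)
    # Accept memory (1) and disk (2) metafiles and both known versions; the
    # signature only matches type 1 / version 0x0300.
    if mt_type not in (1, 2) or hdr_size != 9 or version not in (0x0100, 0x0300):
        return None
    return {"type": mt_type, "size_words": size_words, "objects": n_objects,
            "max_record": max_record, "params": n_params}


def iter_records(data):
    """Yield (offset, rdFunction, parameter bytes) for each record after the header."""
    off = HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)   # rdSize is in 16-bit words
        size = size_words * 2
        if size < 6 or off + size > len(data):
            break                                  # truncated or malformed record: stop
        yield off, func, data[off + 6:off + size]
        if func == 0:                              # META_EOF
            break
        off += size


def find_setabortproc(data):
    """Offsets of META_ESCAPE records whose escape sub-function is SETABORTPROC."""
    if parse_header(data) is None:
        return []
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            escape = struct.unpack_from("<H", params, 0)[0]   # first parameter: escape function
            if escape == SETABORTPROC:
                hits.append(off)
    return hits


def build_sample(escape_func=SETABORTPROC, payload=b"\x90" * 16):
    """Constructed sample (not a real exploit): header, one escape record, META_EOF."""
    if len(payload) % 2:
        payload += b"\x00"                         # records are word-aligned
    escape_params = struct.pack("<HH", escape_func, len(payload)) + payload
    escape_rec_size = (6 + len(escape_params)) // 2
    escape_rec = struct.pack("<IH", escape_rec_size, META_ESCAPE) + escape_params
    eof_rec = struct.pack("<IH", 3, 0)
    body = escape_rec + eof_rec
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (HEADER_LEN + len(body)) // 2, 0, escape_rec_size, 0)
    return header + body


if __name__ == "__main__":
    for name, wmf in (("malicious", build_sample()), ("benign", build_sample(escape_func=2))):
        print(name, "signature:", matches_signature(wmf),
              "SETABORTPROC records at:", find_setabortproc(wmf))
```

The structural walk is the check to prefer if you are writing your own filter: the signature's first content requires mtType 1 and version 0x0300, so a disk metafile (mtType 2) carrying the same escape record passes the rule but not find_setabortproc().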

UPDATE: Snort rules are updated regularly, so check the Bleeding-Edge Snort site for the latest signatures.

You can add these rules to the "bad-traffic.rlk" file located at: C:\Program Files\Sunbelt Software\Personal Firewall 4\Config\IDSRules
NIPS (Network Intrusion Prevention System) must be enabled.

You must then restart the Sunbelt Kerio Firewall Service or reboot for these rules to take effect.

These rules work in the Free or Full version of Sunbelt Kerio Firewall.


Eric Sites
VP of Research & Development
