Site Maintenance

Well, I recently posted some security fixes to the photo log (plog) portion of the site and now WordPress has announced their 2.0 release is official, which means I’ll be doing some fiddling over the next few hours to test and perhaps migrate the site. I’m excited about all the new features, but what really caught my eye was the little slogan at the bottom of the WordPress site:

Code is Poetry

Excellent! Although if it were up to me I would suggest they change this to “Secure Code is Poetry”, since a lot of code is just plain crap, and crap really isn’t poetry at all. I mean you have to draw the line somewhere, right?

Buyers beware

This is becoming all too common on the Internet: you have something stolen so you go online to see if you can get a good deal and suddenly realize the seller is the same person who stole the thing from you in the first place.

Today’s news is interesting because the man looking to replace his camera thought it odd that the seller was in the same town. This highlights the rather old adage “innocent until proven guilty” with the emphasis on the fact that the dumber the crook, the less likely they will be able to duck and cover once confronted with some basic facts.

In the retail industry eBay is sometimes the first place you look when things go missing. It almost lets the criminals implicate themselves for you, rather than requiring any kind of messy investigation. In fact, you might say that people can be awfully careful, if not downright sneaky, about theft just about up to the point where they post their warez online. And suddenly they’re in a whole new world with little idea of how to keep up the ruse. I almost felt sorry for one guy who went to jail. He was virtually invisible in the real world but lit up like a Christmas tree online and probably never realized the connection.

A Poison Tree

by William Blake

I was angry with my friend;
I told my wrath, my wrath did end.
I was angry with my foe:
I told it not, my wrath did grow.

And I waterd it in fears,
Night & morning with my tears:
And I sunned it with smiles,
And with soft deceitful wiles.

And it grew both day and night,
Till it bore an apple bright.
And my foe beheld it shine,
And he knew that it was mine.

And into my garden stole,
When the night had veiled the pole;
In the morning glad I see,
My foe outstretchd beneath the tree.

Windows Metafile Header filters

Paul Laudanski posted some sample rules on Bugtraq that will help Sunbelt Kerio and Snort filter for Windows Metafile headers:

alert ip any any -> any any (msg:"COMPANY-LOCAL WMF Exploit"; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; sid:2005122802; classtype:attempted-user; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"|01 00 09 00 00 03|"; depth:500; content:"|00 00|"; distance:10; within:12; content:"|26 06 09 00|"; within:5000; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002733; rev:1;)

Nice work, especially now that “73 variants of malicious WMF files” are reported to be circulating.

Edited to add: Bleeding Snort actually says “Signatures have been submitted by Matt Lange, Frank Knobbe, and others for the new WMF bug”, so kudos should go their direction. Thanks guys! The actual sigs are being maintained here. Here’s the latest snapshot (Revision: 1.5, Fri Dec 30 14:40:46 2005 EST (7 hours, 27 minutes ago) by fknobbe):

#by mmlange
alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; classtype:attempted-user; sid:2002734; rev:1;)

# By Frank Knobbe, 2005-12-28. Additional work with Blake Harstein and Brandon Franklin.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"|00 09 00 00 03|"; depth:800; content:"|00 00|"; distance:10; within:12; pcre:"/\x26[\x00-\xff]\x09\x00/"; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002733; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT WMF Escape Record Exploit - Web Only"; flow:established,from_server; content:"HTTP"; depth:4; nocase; content:"|00 09 00 00 03|"; within:500; content:"|00 00|"; distance:10; within:12; pcre:"/\x26[\x00-\xff]\x09\x00/"; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002741; rev:2;)
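To make the bytes in these signatures concrete, here is an added example (my own code, not from the Bleeding Snort project or the post above) that decodes the 18-byte META_HEADER the rules key on ("01 00 09 00 00 03", with "00 00" in the reserved field ten bytes on), walks the record list, and flags any Escape record (function 0x0626, the "26 06") whose sub-function is SETABORTPROC (0x0009, the "09 00" in the pcre). Like the pcre, it compares only the low byte of the record function. The placeable-header skip and the sample file it builds are assumptions based on the standard WMF layout, not on anything the signatures state.

```python
import struct

META_ESCAPE = 0x0626   # the "26 06" the signatures look for
SETABORTPROC = 0x0009  # escape sub-function: the "09 00" that follows it
META_EOF = 0x0000
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # 0x9AC6CDD7: optional 22-byte placeable header (standard WMF, not from the page)

def header_offset(data):
    """Skip the Aldus placeable header if present; the META_HEADER follows it."""
    return 22 if data[:4] == PLACEABLE_KEY else 0

def parse_wmf_header(data):
    """Decode the 18-byte META_HEADER (Type, HeaderSize, Version, Size, ...) into a dict."""
    base = header_offset(data)
    if len(data) < base + 18:
        raise ValueError("too short for a META_HEADER")
    mtype, hdr_size, version, size_lo, size_hi, nobj, max_rec, members = \
        struct.unpack_from("<HHHHHHIH", data, base)
    if hdr_size != 9:  # "09 00" in the signatures: header is always 9 words
        raise ValueError("HeaderSize must be 9 words")
    return {"type": mtype, "header_size": hdr_size, "version": version,
            "size_words": size_lo | (size_hi << 16), "objects": nobj, "max_record": max_rec,
            "members": members, "records_at": base + hdr_size * 2}

def find_escape_records(data):
    """Walk the records; return (offset, function, escape_func) for every Escape record."""
    off, hits = parse_wmf_header(data)["records_at"], []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # RecordSize (words), RecordFunction
        if size_words < 3 or func == META_EOF:  # malformed size or end of metafile: stop
            break
        if (func & 0xFF) == (META_ESCAPE & 0xFF):  # low byte only, as the pcre does
            esc = struct.unpack_from("<H", data, off + 6)[0] if off + 8 <= len(data) else None
            hits.append((off, func, esc))
        off += size_words * 2
    return hits

def is_suspicious(data):
    """True when any Escape record selects SETABORTPROC, the pattern the signatures flag."""
    return any(esc == SETABORTPROC for _, _, esc in find_escape_records(data))

def build_sample(with_abortproc):
    """Constructed test input (not a real sample): header, one SETMAPMODE record, optional escape, EOF."""
    recs = [struct.pack("<IHH", 4, 0x0103, 8)]  # META_SETMAPMODE(MM_ANISOTROPIC), 4 words
    if with_abortproc:
        recs.append(struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0))  # escape, zero data bytes
    recs.append(struct.pack("<IH", 3, META_EOF))
    body = b"".join(recs)
    words = (18 + len(body)) // 2
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300, words & 0xFFFF, words >> 16, 0,
                         max(len(r) for r in recs) // 2, 0)
    return header + body

if __name__ == "__main__":
    print(find_escape_records(build_sample(True)), is_suspicious(build_sample(False)))
```

The scanner is an offline complement to the network rules: it reaches the same verdict on a saved file, including one that arrived compressed or in pieces the content matches could not see.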