0-Day vuln Exploit in the wild - Animated Cursor


16 replies to this topic

#1 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 30 March 2007 - 01:09 AM

FYI...

> http://www.websense....php?AlertID=762
March 29, 2007 ~ "Websense® Security Labs™ is currently monitoring an unpatched (0-day) vulnerability in Microsoft Windows. No user interaction is necessary for the exploit to be successful. A computer may become infected by simply visiting a malicious website. This vulnerability exists in the way animated cursors are processed, and is very similar to MS05-002 ( http://www.microsoft...n/MS05-002.mspx ) which was patched by Microsoft in early 2005. At this time, we are aware of 9 different sites hosting the new exploit. We will continue to monitor for any additional sites, as we expect the exploit's usage to increase. One of the sites involved is the same one which targeted Dolphin Stadium during the Super Bowl. It is likely that the same group is behind the current attack. Additional details on the vulnerability are available from Microsoft Security Advisory #935423: http://www.microsoft...ory/935423.mspx ."

> http://nvd.nist.gov/...e=CVE-2007-1765

> http://www.us-cert.gov/current/#WINANI

:ph34r:

Edited by AplusWebMaster, 30 March 2007 - 02:16 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
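The advisory quoted above says the bug is in how animated cursors are processed and that, at the time of the post, no patch existed. While waiting for one, the practical defence is to inspect the file itself at the mail gateway or proxy. The checker below is an added example written for this page; it is not code from the post, from Websense or from Microsoft. It sniffs the RIFF/ACON magic rather than trusting the file extension, walks every chunk (descending into LIST containers) and requires each anih chunk to be exactly 36 bytes, the size of the ANIHEADER structure the cursor loader copies it into. The function passes_first_chunk_only_check is an assumed, simplified model of the kind of gap public write-ups described for this bug (validating only the first anih chunk); it is there to show why a per-chunk rule matters, not to reproduce vendor code. The sample files are constructed inline and contain no exploit payload.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine little-endian 32-bit fields


def _u32(data, off):
    return struct.unpack_from("<I", data, off)[0]


def is_ani(data):
    """Sniff the RIFF/ACON magic; the extension is not consulted, so a renamed
    .jpg or .gif gets inspected too."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"


def iter_chunks(data, start, end):
    """Yield (fourcc, payload_offset, payload_size) for the RIFF chunks in
    data[start:end]; raise ValueError if a declared size overruns the container."""
    off = start
    while off + 8 <= end:
        fourcc = data[off:off + 4]
        size = _u32(data, off + 4)
        payload = off + 8
        if payload + size > end:
            raise ValueError(f"chunk {fourcc!r} at {off} declares {size} bytes, "
                             f"only {end - payload} remain")
        yield fourcc, payload, size
        off = payload + size + (size & 1)  # RIFF pads odd payloads to a word boundary


def anih_chunks(data):
    """Every anih chunk as (declared_size, cbSize_field), in file order, descending
    into LIST containers. Empty list for non-ANI input."""
    if not is_ani(data):
        return []
    end = min(len(data), 8 + _u32(data, 4))
    found = []

    def walk(start, stop):
        for fourcc, payload, size in iter_chunks(data, start, stop):
            if fourcc == b"anih":
                found.append((size, _u32(data, payload) if size >= 4 else None))
            elif fourcc == b"LIST":
                walk(payload + 4, payload + size)  # skip the list-type fourcc

    walk(12, end)
    return found


def classify(data):
    """'not-ani' | 'malformed' | 'clean' | 'suspicious'. Clean means every anih
    is exactly 36 bytes and says so in its own cbSize field."""
    if not is_ani(data):
        return "not-ani"
    try:
        chunks = anih_chunks(data)
    except ValueError:
        return "malformed"
    if chunks and all(size == ANIH_SIZE and cb == ANIH_SIZE for size, cb in chunks):
        return "clean"
    return "suspicious"


def passes_first_chunk_only_check(data):
    """Assumed, simplified model of an inadequate check: the first anih is
    validated and any later anih is trusted. Not vendor code."""
    chunks = anih_chunks(data)
    return bool(chunks) and chunks[0][0] == ANIH_SIZE


# ---- constructed samples (no exploit payload) ---------------------------------
def chunk(fourcc, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


GOOD_HEADER = struct.pack("<9I", ANIH_SIZE, 1, 1, 0, 0, 0, 0, 10, 1)  # 1 frame, AF_ICON


def build_ani(second_anih=None):
    frames = chunk(b"LIST", b"fram" + chunk(b"icon", b"\0" * 16))  # dummy icon payload
    body = b"ACON" + chunk(b"anih", GOOD_HEADER) + frames
    if second_anih is not None:
        body += chunk(b"anih", second_anih)
    return b"RIFF" + struct.pack("<I", len(body)) + body


BENIGN = build_ani()
# Second anih declares 236 bytes: far more than a fixed 36-byte ANIHEADER holds.
OVERSIZED = build_ani(second_anih=GOOD_HEADER + b"A" * 200)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, classify(blob), "weak-check-passes:", passes_first_chunk_only_check(blob))
```

The oversized sample passes the first-chunk-only model but is flagged by classify, and a truncated file is reported as malformed rather than silently accepted. Run it over attachments and proxy-cached objects by content, since the Explorer case in the thread is the only one where the extension is known to matter.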



#2 AplusWebMaster

Posted 30 March 2007 - 04:48 AM

FYI...

- http://isc.sans.org/...ml?storyid=2539
Last Updated: 2007-03-30 10:40:08 UTC ~ "A short overview of how the different email clients (in the supported list of Microsoft) are reacting to the animated cursor vulnerability depending on the actions and settings of the email client. The surprising element is that read in plain text mode makes some of the clients more vulnerable and actually only offers real added value for Outlook 2003..."

(Chart available at the URL above.)


:ph34r:



#3 AplusWebMaster

Posted 31 March 2007 - 04:58 AM

FYI...

> http://isc.sans.org/...ml?storyid=2540
Last Updated: 2007-03-30 21:19:28 UTC ...(Version: -3-)
"...Domains/IPs currently being used in exploitation:
1.520sb.cn
220.71.76.189
222.73.220.45
55880.cn
81.177.26.26
85.255.113.4
bc0.cn
client.alexa.com
count12.51yes.com
count3.51yes.com
d.77276.com
fdghewrtewrtyrew.biz
i5460.net
jdnx.movie721.cn
newasp.com.cn
s103.cnzz.com
s113.cnzz.com
ttr.vod3369.cn
uniq-soft.com
wsfgfdgrtyhgfd.net
04080.com
33577.cn
baidu.com
h3210.com
hackings.cn
koreacms.co.kr
macrcmedia.com
macrcmedia.net
ncph.net
xxx.cn
ym52099.512j.com
jonnyasp.com ..."

Do NOT visit these URLs...

:ph34r: :ph34r: :ph34r:

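The ISC list in the post above is useful as a hunt list against proxy or DNS logs, which is what an analyst would do with it during a 0-day. The script below is an added example, not part of the post or of the ISC diary: it embeds the indicators exactly as quoted, matches each log line's host against them (domains match themselves and any subdomain, IPs match exactly), and grades the hit. The NOISY set is an editorial judgement added here: baidu.com, client.alexa.com and the 51yes/cnzz counter hosts are shared services that many benign pages also load, so a hit on them is a lead to investigate, not grounds for a block-list entry. The log lines and format are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators copied verbatim from the ISC list quoted above (diary of 2007-03-30).
ANI_INDICATORS = """
1.520sb.cn 220.71.76.189 222.73.220.45 55880.cn 81.177.26.26 85.255.113.4 bc0.cn
client.alexa.com count12.51yes.com count3.51yes.com d.77276.com fdghewrtewrtyrew.biz
i5460.net jdnx.movie721.cn newasp.com.cn s103.cnzz.com s113.cnzz.com ttr.vod3369.cn
uniq-soft.com wsfgfdgrtyhgfd.net 04080.com 33577.cn baidu.com h3210.com hackings.cn
koreacms.co.kr macrcmedia.com macrcmedia.net ncph.net xxx.cn ym52099.512j.com jonnyasp.com
""".split()

# Editorial judgement (not from ISC): shared services that benign pages also load.
NOISY = {"baidu.com", "client.alexa.com", "count12.51yes.com", "count3.51yes.com",
         "s103.cnzz.com", "s113.cnzz.com"}


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


IOC_IPS = {i for i in ANI_INDICATORS if _is_ip(i)}
IOC_DOMAINS = {i.lower() for i in ANI_INDICATORS if not _is_ip(i)}


def match_host(host):
    """Return the indicator covering host, or None. Domains also cover their
    subdomains (www.baidu.com -> baidu.com); a bare TLD never matches."""
    host = host.lower().rstrip(".")
    if host in IOC_IPS:
        return host
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_proxy_log(lines):
    """Constructed log format: '<epoch> <client> <method> <url> <status>'.
    Returns one dict per line whose URL host matches an indicator."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        url = parts[3]
        ioc = match_host(urlsplit(url).hostname or "")
        if ioc:
            hits.append({"client": parts[1], "url": url, "ioc": ioc,
                         "severity": "lead" if ioc in NOISY else "high"})
    return hits


# Constructed sample lines; the hosts are taken from the list, the paths are invented.
SAMPLE_LOG = """\
1175299201.004 192.0.2.10 GET http://www.example.org/index.html 200
1175299202.118 192.0.2.10 GET http://jdnx.movie721.cn/cursor/ad.ani 200
1175299203.550 192.0.2.11 GET http://85.255.113.4/ad.exe 200
1175299204.001 192.0.2.12 GET http://www.baidu.com/s?wd=ani 200
1175299205.777 192.0.2.13 GET http://notbaidu.com/ 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["severity"], hit["client"], hit["ioc"], hit["url"])
```

Note that notbaidu.com is not matched: the comparison is label-wise, not a substring test, which is the mistake that turns an indicator list into a source of false positives.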


#4 AplusWebMaster

Posted 31 March 2007 - 07:56 PM

FYI...

ANI Zero-Day Update
> http://www.websense....php?AlertID=763
March 31, 2007 ~ "Websense Security Labs™ is actively tracking more than 100 websites that are spreading the ANI "zero-day" exploit. Proof-of-concept (POC) attack code is also now available, and we expect additional attacks to surface. Currently the majority of the attacks appear to be downloading and installing generic password stealing code. Also, as represented in the below graphs, most sites are hosted in China. Interestingly the most popular domain space being used is .com. Due to the fact that POC code is now downloadable on the web, there is no patch from Microsoft, and the fact that some of the attackers we are tracking have infected hundreds of sites on the web, we believe that exploits will continue to surface and the numbers will get larger. Reports out of China also indicate that a worm is now propagating using the exploit code: http://www.cisrt.org...log/read.php?68 ..."

(Charts available at the Websense URL above.)

:ph34r:



#5 AplusWebMaster

Posted 31 March 2007 - 08:32 PM

More...

- http://isc.sans.org/...ml?storyid=2551
Last Updated: 2007-03-31 23:50:59 UTC ~ "McAfee is now reporting* a spam campaign that includes an ANI exploit attempt:
"March 31, 2007. The .ANI File Format vulnerability has seen an increase in exploit attempts in-the-wild. McAfee Avert Labs has detected many Web sites linking to other sites that attempt to exploit this vulnerability. We have also observed a spam run that tries to lure its recipients to Web sites hosting code exploiting this vulnerability. Technical details and exploit code can now be easily obtained from these malicious Web sites. Following links in unsolicited e-mails and visiting unknown Web sites are strongly discouraged."
This will affect email clients on vulnerable Operating Systems that render HTML. Exploit could occur when the malicious message is either opened, previewed, or forwarded.
Additionally... If you open up a folder with Explorer (not Internet Explorer) that has a malicious .ANI file (file-extension matters in this case) it will exploit the system. At least automated processes won't trigger execution (unlike WMF.) (US-CERT Advisory**)"

* http://www.mcafee.co...ter/default.asp

** http://www.kb.cert.org/vuls/id/191609
Date Last Updated: 03/31/2007

:ph34r: :ph34r:



#6 AplusWebMaster

Posted 31 March 2007 - 09:24 PM

Updates comin' on quickly...

- http://isc.sans.org/...ml?storyid=2551
Last Updated: 2007-04-01 02:50:31 UTC
"...UPDATE: Microsoft has updated their advisory* on this issue. The vulnerable systems list has been amended to include Windows 2003 SP2.
"March 31, 2007: Advisory revised to add additional information regarding Windows 2003 Service Pack 2, Microsoft Windows Server 2003 with SP2 for Itanium-based Systems, and Microsoft Windows Server 2003 x64 Edition Service Pack 2 in the “Related Software” section."
While not confirmed, keep in mind that systems no longer supported may also be vulnerable.
Tools
iDefense has discovered a browser based ANI generation kit tool. You enter the payload URL, the password and the tool creates a ZIP file with all the relevant scripts and files..."

:ph34r: :ph34r:



#7 AplusWebMaster

Posted 01 April 2007 - 05:19 AM

FYI... (for Firefox users)

Firefox / Firekeeper ANI vuln rule/add...
- http://blues.ath.cx/...31T19_09_36.txt
31.03.2007 19:09 ~ "Firekeeper can be used to detect sites making use of recently discovered MS ANI file critical vulnerability. Here is a rule proposed by Alexander Sotirov on bugtraq..."

(See the URL above for detail.)

> Firekeeper: http://firekeeper.mozdev.org/
"Firekeeper is an Intrusion Detection and Prevention System for Firefox. It is able to detect, block and warn the user about malicious sites. Firekeeper uses flexible rules similar to Snort ones to describe browser based attack attempts. Rules can also be used to effectively filter different kinds of unwanted content... This is an alpha release..."

;)



#8 AplusWebMaster

Posted 01 April 2007 - 01:17 PM

FYI...

ZERT2007-01 released (Stack buffer overflow in ANI Handling under Microsoft Windows 0Day).
- http://zert.isotf.or...ert-2007-01.htm
"...ANI Handling under Microsoft Windows 0Day...
A ZERT patch is available for Microsoft Windows 98, 2000, XP, Server 2003 and Vista..."

- http://isc.sans.org/...ml?storyid=2551
Last Updated: 2007-04-01 20:04:19 UTC ~ "The Zeroday Emergency Response Team (ZERT) has released a patch to address the vulnerability... There have been some reports regarding the stability of the patch. Please remember this is an unofficial patch and is supplied on an as-is basis. You will need to remove it when Microsoft releases their patch..."

.

Edited by AplusWebMaster, 01 April 2007 - 02:12 PM.



#9 AplusWebMaster

Posted 02 April 2007 - 03:37 AM

FYI...

MS to Release Out-of-Schedule Patch for ANI Vuln
- http://isc.sans.org/...ml?storyid=2555
Last Updated: 2007-04-02 03:39:56 UTC
"...The Microsoft Security Response Center blog reports* that they "have been working around the clock to test this update and are currently planning to release the security update that addresses this (ANI) issue on Tuesday April 3, 2007."
This is further supported here: http://www.microsoft...in/advance.mspx ."

* http://preview.tinyurl.com/35tyyt
(MSRC)

.



#10 AplusWebMaster

Posted 02 April 2007 - 05:09 PM

FYI...

Compromised sites using ANI exploit code
- http://www.websense.....php?BlogID=119
Apr 2 2007 3:15PM ~ "Websense's ThreatSeeker™ technology has discovered that a large set of websites have been compromised within the Asia Pacific Region and have embedded IFRAMES within them pointing to a site that is hosting the ANI exploit code. An IFRAME or "invisible frame" is an element which makes it possible to embed another HTML document inside the main document. From Wikipedia: http://en.wikipedia.org/wiki/Iframe.
Although we are tracking hundreds of other sites that are hosting ANI exploit files this alert pertains to one group of sites that are all connecting to the same host. Many of the sites appear to be running online blogs or message boards. Most sites have embedded IFRAMEs on all pages leading to a main set of sites which are hosting the exploit code. The number of unique sites currently up and running for this one attack is greater than 50 and the number of pages is greater than 500. Assuming users connect to the sites they will be redirected to two unique locations which are hosting exploit code which in turn downloads and installs a file called "ad.exe". The file includes a generic password stealer and is not detected well by most Antivirus companies (MD5 0c9217553871d3eb5f20b553d91a098b)..."

(Screenshots available at the URL above.)

:ph34r:




#11 AplusWebMaster

Posted 03 April 2007 - 10:10 AM

FYI...

Malicious Code: Email Lures for ANI Zero-Day
- http://www.websense....php?AlertID=764
April 03, 2007 ~ "Websense Security Labs™ has discovered a large email spam run that includes links to sites that are hosting ANI exploit code. Users receive an email with the subject line "Hot Pictures of Britiney Speers" that is written in HTML and has anti-spam avoidance text within the HTML comments. Users who click on the links are redirected to one of several websites that we are tracking. The sites contain obfuscated JavaScript. The decoded JavaScript sends all users to the same website, which is hosting the exploit code. When users connect, a file is downloaded and installed without any end-user interaction. The file is called 200.exe with the MD5 of b017cae51e4498c309690b8936f2fa79. The binary file appears to be a new variant of a file infector with operating system hooks and spamming capabilities. A more complete analysis will soon appear on our blog. The main server that hosts the exploit code is hosted in Russia and has been used by groups that have installed rootkits, password stealing Trojans, and other nefarious code in the past..."

(Screenshots available at the URL above.)


> http://www.websense.....php?BlogID=120
Apr 3 2007 ~ "This is a follow-up to our post from yesterday (see: http://www.websense.....php?BlogID=119 ). We are now actively tracking more than 450 unique websites which have been compromised. Most of the sites have ALL pages infected within the site which add up to tens of thousands of pages with exploit code links on them. We are working with several groups to attempt to get these sites shut down. As previously stated, users who visit one of the thousands of pages will be infected with a generic password stealer that will run without any user-interaction..."

:ph34r: :ph34r:

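The two Websense posts above (and the later ASUS report in this thread) describe the same injection pattern: a legitimate site gets an IFRAME added to every page that points at an off-site exploit host, and the exploit drops a binary whose MD5 is published. A site owner's first question is "are any of my pages carrying such a frame?", and an incident responder's is "is the file I recovered one of the known droppers?". The script below is an added example for this page, not Websense's code: it parses HTML with the standard library, flags iframes that are both off-site and hidden (zero- or one-pixel geometry, display:none, visibility:hidden), and looks up a recovered file's MD5 against the two hashes quoted in the posts. The sample page and the hostnames in it are constructed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# MD5s quoted in the Websense alerts above; the file names are the ones they reported.
KNOWN_DROPPERS = {
    "0c9217553871d3eb5f20b553d91a098b": "ad.exe",
    "b017cae51e4498c309690b8936f2fa79": "200.exe",
}


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for width/height values of 0 or 1 (with or without px / % suffix)."""
    value = value.strip().lower()
    for suffix in ("px", "%"):
        if value.endswith(suffix):
            value = value[:-len(suffix)]
    return value.isdigit() and int(value) <= 1


def suspicious_iframes(html, page_host):
    """Return the src of each iframe that is off-site relative to page_host
    and hidden from the visitor. Relative src values count as same-site."""
    parser = IframeCollector()
    parser.feed(html)
    page_host = page_host.lower()
    out = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = (urlsplit(src).hostname or page_host).lower()
        offsite = host != page_host and not host.endswith("." + page_host)
        style = frame.get("style", "").replace(" ", "").lower()
        hidden = (_tiny(frame.get("width", "")) or _tiny(frame.get("height", ""))
                  or "display:none" in style or "visibility:hidden" in style)
        if offsite and hidden:
            out.append(src)
    return out


def lookup_md5(hexdigest):
    """Name of the known dropper with this MD5, or None."""
    return KNOWN_DROPPERS.get(hexdigest.lower())


def identify_sample(blob):
    """Hash a recovered file and look it up; None means 'not one of the two known hashes',
    not 'clean'."""
    return lookup_md5(hashlib.md5(blob).hexdigest())


# Constructed page: one visible embed, one hidden same-site widget, one injected frame.
SAMPLE_PAGE = """<html><body>
<h1>Board index</h1>
<iframe src="http://maps.example.net/embed?id=7" width="300" height="200"></iframe>
<iframe src="http://blog.victim.example/widget" style="display: none"></iframe>
<iframe src="http://exploit-host.invalid/index.htm" width=0 height=0 frameborder=0></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_PAGE, "victim.example"):
        print("injected frame ->", src)
    print("unknown bytes:", identify_sample(b"harmless test bytes"))
```

Only the off-site zero-size frame is reported; the visible map embed and the hidden same-site widget are left alone, which keeps the sweep quiet enough to run across a whole site. Treat a hash miss as inconclusive: the posts themselves note the droppers were poorly detected and new variants were appearing daily.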


#12 AplusWebMaster

Posted 03 April 2007 - 11:18 AM

FYI...

MS07-017 patch released
- http://www.microsoft...n/ms07-apr.mspx
April 3, 2007
"...Summary...

...Critical (1)

Microsoft Security Bulletin MS07-017
Vulnerabilities in GDI Could Allow Remote Code Execution (925902)
- http://www.microsoft...n/ms07-017.mspx
Executive Summary: This update resolves vulnerabilities in GDI that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution ...

> http://update.micros...microsoftupdate


:ph34r:



#13 AplusWebMaster

Posted 03 April 2007 - 08:41 PM

FYI...

http://forums.tomcoy...a...st&p=365936
"...having problems with the patch..."



:(



#14 AplusWebMaster

Posted 04 April 2007 - 06:34 AM

FYI...

- http://www.pcworld.c.../printable.html
April 03, 2007 ~ "Contrary to other reports, Mozilla's Firefox 2.0 is vulnerable to attackers armed with the Windows animated (ANI) cursor exploit... Alexander Sotirov, the vulnerability researcher at Determina who discovered the ANI flaw last December and notified Microsoft of it later that month, yesterday posted a demonstration of an ANI exploit that hijacks a PC when Firefox users are conned into visiting a malicious site... "It turns out that Firefox uses the same vulnerable Windows component to process .ani files, which can be exploited in a way similar to Internet Explorer," Sotirov said... "

.



#15 AplusWebMaster

Posted 06 April 2007 - 12:20 PM

FYI...

ASUS gets ANI'd
- http://www.securityfocus.com/brief/477
2007-04-06 ~ "...The Web site of motherboard maker ASUS reportedly* got hit by a group of online vandals, who added an iframe redirect to a malicious download site that attempts to infect visitors via the ANI flaw. Leveraging hacked, but legitimate, Web sites to propagate malicious code has become a major vector to compromise end users..."
* http://www.viruslist...logid=208187358


:ph34r:
