A tale of two animated cursor attacks

Summary: At the height of the animated cursor (.ani) attacks last week, there were two different groups, with different motives, hitting different sets of targets.


According to Websense Security Labs, the first set of attacks started in the China region and appears to be the work of groups within the Asia Pacific region.

The attackers have compromised hundreds of machines and placed IFRAMEs on them that point back to the main servers hosting the exploit code. In most cases the payload and the motivation of these attacks are the same: gathering credentials for online games.
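The injection pattern described above, a compromised site carrying a frame that pulls content from an unrelated server, can be checked for on a defender's own pages. The following is an added example and not code from the article or from Websense: it parses HTML with the standard library and reports every IFRAME whose host differs from the site's own host. The sample page, the host name `example.com` and the placeholder host `exploit-host.invalid` are constructed for the example.

```python
"""Flag IFRAME elements that point to hosts outside the page's own domain.

Added example, not from the original article. Scans constructed HTML for
injected IFRAMEs of the kind described above: a compromised site carrying
a frame that loads content from a third-party server.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <IFRAME SRC=...>
        # is matched as well as <iframe src=...>.
        if tag == "iframe":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def external_iframes(html, page_host):
    """Return iframe src values whose host differs from page_host.

    Relative URLs (no host component) are treated as served by the site
    itself and are not reported. Scheme-relative URLs (//host/path) carry a
    host and are checked like absolute ones.
    """
    parser = IframeCollector()
    parser.feed(html)
    found = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host is None:
            continue  # relative reference: same origin as the page
        if host.lower() != page_host.lower():
            found.append(src)
    return found


# Constructed sample: a page on example.com with one legitimate relative
# frame and one frame injected to pull from an unrelated host.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/weather.html" width="200" height="100"></iframe>
<p>news text</p>
<IFRAME SRC="http://exploit-host.invalid/cursor/index.htm" width=1 height=1></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for src in external_iframes(SAMPLE_HTML, "example.com"):
        print("off-site iframe:", src)
```

Run over a crawl of your own site, anything it reports that you did not place there deserves a look; legitimate third-party frames (ad or widget hosts) can be whitelisted by comparing against a known list before alerting.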

A few days later, a second set of attacks started up from a group in Eastern Europe known for using malware lures to launch identity theft attacks.

This group has been placing exploit code on sites for many years now and has a very resilient infrastructure. They have used WMF, VML, and several other exploits in their routines previously, and they have now added the ANI attacks to their arsenal. The payload and motivation are somewhat different, however: this group is better known for installing rootkits and crimeware designed to drop form-grabbing software and keyloggers that compromise end-user banking details. In the past they have also installed fake anti-spyware software, both as a distraction and as a way to trick victims into buying anti-spyware products.

More than two weeks after the attacks were first spotted, Websense said, there are still more than 2,000 unique sites that either host exploit code themselves or have been compromised to point at machines that host it.

According to Andreas Marx of AV Test, there are more than 46,000 different URLs that together serve up almost 3,000 different corrupted animated cursor files.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...