.ANI attack update: Rootkits, 'Hot Britney pics' spam

Summary: The ongoing Windows animated cursor (.ani) flaw attack just keeps getting worse.


New reports say that an e-mail spam run promising hot photographs of Britney Spears is the latest lure being used to infect Windows users with backdoor Trojans and keystroke loggers.

An alert from Websense Security Labs offers the latest:

We are actively tracking more than 450 unique websites which have been compromised. Most of the sites have ALL pages infected within the site which add up to tens of thousands of pages with exploit code links on them.
[Users] who visit one of the thousands of pages will be infected with a generic password stealer that will run without any user-interaction.

Assuming users connect to the sites they will be redirected to two unique locations which are hosting exploit code which in turn downloads and installs a file called "ad.exe". The file includes a generic password stealer and is not detected well by most Antivirus companies.

Britney Spears spam run

Now comes word of an e-mail spam run. The e-mail attack vector for this flaw is potentially more dangerous than the Web one, because a malicious cursor can be embedded in any HTML e-mail and triggered when the message is rendered, with no click on a link needed. In this particular spam run, however, the messages do not carry the exploit themselves; they lure the user to malicious Web sites:

Users receive an email with the subject line "Hot Pictures of Britiney Speers" that is written in HTML and has anti-spam avoidance text within the HTML comments.

Users who click on the links are redirected to one of several websites that we are tracking. The sites contain obfuscated JavaScript. The decoded JavaScript sends all users to the same website, which is hosting the exploit code.

...The main server that hosts the exploit code is hosted in Russia and has been used by groups that have installed rootkits, password stealing Trojans, and other nefarious code in the past.

Roger Thompson, CTO at Exploit Prevention Labs, says a stealth rootkit is also being used in the spam attack:

It downloads a 36k program called 200.exe. When run, 200.exe writes itself back out as Winlogon.exe, and adds itself to HKCU... CurrentVersion\Run to ensure it gets into the execution cycle on reboot.

When it runs, it emails out to a hotmail account, presumably to announce that the victim has been 0wned, and then calls out to a different server on port 80 every five minutes, presumably looking for commands. In other words, it's a bot / backdoor. Oh, and it's a rootkit.

If you haven't applied the MS07-017 patch yet, go do it now. Christopher Budd, on the MSRC blog, confirms that Patch Tuesday on April 10, 2007, is still very much on schedule.

  • And this all could have been avoided...

    In less than a few days this "no big deal" vulnerability has sure worked its way up the food chain into something that has some extreme potential. The patch is out now, finally, but I don't know any normal computer user that actually follows the latest exploits and whatnot. They are completely clueless and some would argue, well they should do the research, well not everyone has the time. It's sad that most won't even download the updates, or they will neglect the little bubble that pops up at the bottom of their screen and soon they will only be another box owned in the cycle. Spread the knowledge, stop the ignorance.
    Brandon Dixon
    • Not everyone is completely clueless

      I know plenty of average computer users that have automatic updates turned on and they install automatically without much fuss.
  • Regarding the spam mail...

    You say "Simply opening a spam mail will trigger an infection." But then the quoted text says "Users who click on the links are redirected to one of several websites that we are tracking. The sites contain obfuscated JavaScript. The decoded JavaScript sends all users to the same website, which is hosting the exploit code."

    The quoted text implies that just opening the email won't infect you, but clicking the links is required.
    • The e-mail attack vector

      PB, you're right in that *this* spam attack simply lures the user to the malicious web site hosting. However, the e-mail attack vector for this vulnerability means that an attack can be embedded into any HTML e-mail. In any event, I've fixed the wording on that sentence to make it clear.

      Thanks for spotting that.

      Ryan Naraine
  • This is absurd

    This .ANI attack just keeps escalating. This is absolutely ridiculous. MS has known about this for months and did nothing until it started getting out of hand.
    How can anyone stick up for MS on this? There is absolutely no excuse for this. None. Nada. Zilch. Zippo. I could understand taking a few weeks, maybe even a month, to come up with a fix for this. But not several months like this.
    The fix for this .ANI flaw isn't even out for a full 24 hours and already there is another exploit for it? Sheesh. Although the Britney 'Speers' should be a dead giveaway I wonder how many people have already fallen prey to it?
    Also, Who in their right mind would want to look at naked pictures of her?
    • Of course it's absurd - but MS has a near monopoly ....

      ... and in spite of this the money will keep rolling in. So why should they be too bothered? What's the rush?

      [i]"How can anyone stick up for MS on this?"[/i]

      Even George Ou's having a hard time defending MS on this one!

      [i]"... I wonder how many people have already fallen prey to it?"[/i]

      I got several of these in the mail :-)

      [i]"Who in their right mind would want to look at naked pictures of her?"[/i]


      (No - I *didn't* click on the picture)
    • MS did nothing? Patch was scheduled for April 10

      MS "did nothing" until it got "out of hand" ?

      At the moment the vulnerability was made public, the fix was already developed and was undergoing testing, for a scheduled release of April 10. (The dates on the files the patch contains are March 8th.)

      I'd hardly call that "doing nothing."
      • The fact that it can be pushed out the door....

        ... within a day of so of the exploit being revealed means that either

        a) It was easy to fix and could have been done earlier, or

        b) It has been ready to go for some time but was not considered important.
        • or c) The patch caused more problems than it fixed.

          MS pushed out the patch and it has caused problems.
      • The patch was dated March 8th huh?

        So it took them 2 1/2 months to come up with a patch and a month to release it? I call that doing nothing when you consider the scope of this vulnerability.
        Why can't you just admit that MS goofed up royally on this one?
        And yes it got out of hand. MS did not get the patch out until AFTER the fact. Whether it was scheduled that way or not.
  • What effect would this have had on Vista IE 7?

    I'm curious about what effect this would have had on a Vista system with IE 7 protected mode. The rootkit thing should have failed as IE 7 protected mode would have not allowed the registry entry I believe.
    • XP would make out fine

      if run with reduced rights. When not running as the administrator, attempting to rootkit the system would fail on any Win2K/XP/Vista box, unless you can pull some sort of privilege escalation (which I've never seen in malware)

      In protected mode, IE7 should help protect user files as well (which the others won't. If you can delete it, it can).
  • Britney Spears?

    Hot pictures of BS? Only gonna get those people who are stupid or haven't followed Britney's decline.

    Evolution in action.
    • I haven't followed Britney's decline...

      ....because I don't give a d*mn about Britney.

      Some, who don't know better, might have followed Britney's decline, but still wouldn't mind seeing nude photos. Who's to say when the photos originated?

      "Those people who are stupid" does include some percentage of Windows users, I'm sure, so the exploit still works.
      • If you can't resist seeing nude pics of Britney

        then Burn, Baby, Burn.

        Somehow karma must be involved. ;)
  • That's Why No_Axe Isn't Here This Morning

    He's clicking furiously on that Britney pic offer.
    • Where is no axe??

      he is with Lovey and Mikey... Patching the patches for the patches with patches
  • Please, please clarify

    You said:

    Now comes word of an e-mail spam run, which is even more dangerous since, with the e-mail attack vector, the user does not have to click to visit a rigged Web site

    Does this mean that if the Britney spam appeared in my inbox in preview mode, and my cursor passed over the picture, that my PC was infected? The link on "e-mail spam run" does NOT describe a no-click exploit, so I'm completely confused as to what you are referring to as a no-click exploit.
  • This is why this happens

    This is why this happens: Microsoft programmers fail to validate files. It is TRULY that simple!

    In simple terms, when you open a file to read its contents, you generally need to set aside (allocate) a chunk of memory (called a "buffer") to store the relevant data that is contained within the file, which often times means that this chunk of memory is practically about as big as the file itself.

    But, many files have a "header" section at the beginning that tells the programmer what to expect. That may include information as to the size of a variable-length file. This is particularly true of files that have a variable size, such as JPG images, etc.

    Where the problem sets in is that a (poor) programmer may accept that what he is "told" the file size is, in the header section, is gospel, and then proceeds to set aside his chunk of memory, and then begin blindly reading in the file...

    ... BUT, a REALLY poor programmer doesn't check to see if the amount of information that he/she has read in has exceeded the buffer, and just keeps reading information in until the end of the file is reached and there is no more left to read.

    The unwanted consequence of this is that the data being read in is written WAY past the end of this set-aside buffer - a "buffer overrun."

    This excess data, read into memory WAY past the end of the set-aside buffer, has in all probability written over a section of memory reserved for some other program running on the computer. When this other program gets its little slice of time to continue on where it left off 1/1000 of a second later (called "multitasking"), it actually executes code that was appended to the end of the malformed file.

    You're infected!

    What a GOOD programmer does is this: He/she first determines, if the file to be read is a variable-sized file, like a JPG image or an animated cursor, and just how big the file is.

    Then, that amount of memory is set aside as a temporary buffer to store it in as the file is read.

    Next, the file SHOULD be read one piece (byte/word) at a time, and checked to make sure if it is formatted to the correct specification... if it is not up to snuff, STOP and issue an error!

    BUT, at the same time, the programmer needs to keep track of just how much he/she is reading, and IF the file appears to be bigger than that which was specified in its header (ie, a "buffer overrun"), STOP and issue an error!

    Microsoft seems to fail on the latter point a LOT, allowing huge files with nefarious code appended to the end to be read and read and read... with dire consequences.

    CORRECT programming paradigms, as I learned in the late 70's and early 80's (I program in a language called "C", which makes it VERY easy to control these things if you are willing to invest the extra 2-3 lines of very simple programming code to do this), make it an unquestioned REQUIREMENT to validate files.

    Apparently, Microsoft programming supervisors find such things unnecessary or tedious, do not enforce it, and we see the results today, every day...

    I have yet to read ONE logical programming explanation why ANYBODY would not control a potential buffer overflow condition by simple byte/word counting. So, why does it happen over and over?

    This is not a simple, esoteric programming question... the consequence of blatantly bad programming such as this leads to thousands, if not millions, of compromised computers that act as spam relays, zombies, DoS attacks, and the horror of something stealing YOUR passwords, identification, etc, that makes your life a real nightmare and living hell.

    Fix it, Microsoft. Validate EVERY read in your operating systems. Just do it... the hell with enhancements -- we want stability and safe functioning. Your future sales will depend on it -- "chrome" like "Aero" will NOT carry you into the future!!
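The two checks the comment above asks for, written out for the RIFF container that .ani cursors actually use: the length a chunk header declares is compared with the bytes really left in the file before anything is read, and a fixed-size structure (the 36-byte ANIHEADER carried in an 'anih' chunk) is accepted only at its fixed size. This is an added example, not the commenter's code, and it says nothing about how Microsoft's own loader was written; the sample files are constructed here and are not real cursors or malware.

```python
"""Added example: a bounds-checked chunk walker for the RIFF container that
.ani cursors use, applying the two checks the comment above asks for."""
import struct

# The fixed ANIHEADER structure carried in an 'anih' chunk: nine 32-bit
# fields, 36 bytes.  A parser that accepts any other length for it is
# trusting the file over the specification.
ANIH_SIZE = 36
ANIH_FIELDS = ("cbSize", "nFrames", "nSteps", "iWidth", "iHeight",
               "iBitCount", "nPlanes", "iDispRate", "bfAttributes")


class MalformedFile(ValueError):
    """Raised instead of reading or writing outside the buffers we own."""


def walk_chunks(data):
    """Yield (fourcc, payload) for every chunk in a RIFF file without ever
    indexing past the end of `data`, whatever the headers claim."""
    if len(data) < 12 or data[:4] != b"RIFF":
        raise MalformedFile("not a RIFF file")
    riff_len = struct.unpack_from("<I", data, 4)[0]
    end = 8 + riff_len                      # where the header says the file ends
    if end > len(data):                     # check 1: declared size vs. real size
        raise MalformedFile("RIFF length %d exceeds file size %d" % (end, len(data)))
    pos = 12                                # past 'RIFF', length and form type ('ACON')
    while pos < end:
        if end - pos < 8:
            raise MalformedFile("truncated chunk header at offset %d" % pos)
        fourcc = data[pos:pos + 4]
        length = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        if length > end - body:             # check 1 again, for every chunk
            raise MalformedFile("chunk %r declares %d bytes, only %d remain"
                                % (fourcc, length, end - body))
        yield fourcc, data[body:body + length]
        pos = body + length + (length & 1)  # chunks are padded to even length


def parse_ani_header(data):
    """Return the ANIHEADER of an .ani file as a dict, rejecting an 'anih'
    chunk whose declared length is not the structure's fixed size."""
    for fourcc, payload in walk_chunks(data):
        if fourcc == b"anih":
            if len(payload) != ANIH_SIZE:   # check 2: fixed structure, fixed size
                raise MalformedFile("anih chunk is %d bytes, expected %d"
                                    % (len(payload), ANIH_SIZE))
            return dict(zip(ANIH_FIELDS, struct.unpack("<9I", payload)))
    raise MalformedFile("no anih chunk")


def rejects(data):
    """True if the parser refuses `data` with MalformedFile."""
    try:
        parse_ani_header(data)
    except MalformedFile:
        return True
    return False


# --- constructed samples (not real cursors or malware) -----------------------
def _chunk(fourcc, body):
    return fourcc + struct.pack("<I", len(body)) + body + (b"\0" if len(body) & 1 else b"")


def build_ani(anih_payload):
    """Minimal RIFF/ACON file holding a single 'anih' chunk."""
    body = b"ACON" + _chunk(b"anih", anih_payload)
    return b"RIFF" + struct.pack("<I", len(body)) + body


HEADER_36 = struct.pack("<9I", 36, 1, 1, 32, 32, 32, 1, 10, 1)
GOOD = build_ani(HEADER_36)
# 'anih' declaring 72 bytes with 36 bytes of filler appended: the "data past
# the end of the structure" case the comment describes.
OVERSIZED = build_ani(HEADER_36 + b"\xcc" * 36)
# 'anih' declaring 65536 bytes inside a 56-byte file: the declared length
# points far outside what was actually read from disk.
LYING = (b"RIFF" + struct.pack("<I", 48) + b"ACON"
         + b"anih" + struct.pack("<I", 0x10000) + b"\0" * 36)

if __name__ == "__main__":
    print(parse_ani_header(GOOD))
    for name, sample in (("oversized", OVERSIZED), ("lying", LYING)):
        print(name, "rejected:", rejects(sample))
```

The walker never lets a header-supplied number become an index without first comparing it with the real length of the data in hand, which is the byte-counting discipline the comment describes; in a language without bounds checking the same two comparisons are what stand between a declared length and a memcpy past the end of the structure.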
  • Let's get this PERFECTLY straight

    I want to make sure I get this perfectly straight, because my wife made an offhand reference to getting pornographic spam of Britney Spears in her inbox just yesterday.

    You have to click on the link to be infected, right? It's not automatic just from the preview pane of Outlook.

    I'll let her know to start decontaminating the thing. What's disgusting is that she HAS the latest definitions of Norton on that machine.
    Bill Ward