Spammers feast on ANI vulnerability

Spammers are already tapping into the Microsoft ANI flaw to infect machines

Microsoft moved to fix the critical .ANI vulnerability that affects roughly a dozen of its most popular products, including Vista, but spammers and malware brokers are already tapping into the flaw to infect unprotected machines.

Most enterprises should already be aware of the problem, and IT departments are likely scrambling to get Microsoft's security update in place, but attackers have likely been hammering away at the widespread vulnerability for months, according to security experts.

The IT community became aware of the .ANI glitch -- which affects the manner in which roughly a dozen Microsoft Windows products handle malformed animated cursor files -- as a wave of spam and malware attacks hit the Internet after April 1.

However, experts say the problem -- which was first reported to Redmond, Wash.-based Microsoft in Dec. 2006 -- has likely been assailed for some time by attackers seeking to maintain a much lower profile.

Rated by Secunia as an extremely critical flaw -- the Copenhagen-based security software maker's most severe vulnerability ranking -- experts say that the .ANI glitch is currently being exploited in a wide variety of formats that are likely to ensnare a large number of PCs worldwide with malware, adware, and botnet programs.

Microsoft also issued fixes for seven other security vulnerabilities in addition to the .ANI problem in an ahead-of-schedule patch delivered on April 3.

Researchers at San Diego-based Websense reported the discovery of over 450 unique sites hosting .ANI-based spyware threats, adding up to tens of thousands of URLs infected with the malware. Unprotected end users visiting those sites will be redirected and hit with a password-stealing spyware program labeled as "ad.exe" which most anti-virus programs cannot catch, Websense reported.

Experts have also highlighted the rapid emergence of a new wave of attacks that are infecting end users who merely open e-mails or attachments laced with the viruses.

In one of the most popular iterations of the e-mail-based threats, users are being sent spam messages that advertise links to URLs hosting lurid images of embattled pop singer Britney Spears.

Users targeted in the campaign receive e-mail with the subject line "Hot Pictures of Britiney Speers" that has been written in HTML to help avoid filtering tools. After opening the infected spam e-mail, people who then click on the links are redirected to malware sites that host JavaScript code believed to be controlled by servers used by Russian cyber-criminals.

Roger Thompson, chief technology officer at Exploit Prevention Labs, based said that the attacks being served up by that group run the full gamut of threats, from botnet software to sophisticated root kits.

The expert said that the root kit, dubbed 200.exe, eventually calls out to an account on Microsoft's Hotmail servers to announce itself and seek out additional malware to download onto infected machines. Thompson said the spam attacks started in earnest on April 1.

"This spam ring has a nasty set of encrypted exploits, and it is clearly all Russian in origin, as the sites that are being used are written in Russian," he said. "They're also using a new [malware] encryption style that we only first saw about a month ago; they're rapidly adding new exploits to these encrypted attacks, and the .ANI-based stuff is just the latest."

Thompson said that many machines have already been infected using the attack, and that he believes many more will come under control of the malware before systems can be patched, including many corporate users.

"With the embedded HTML they will catch people; there's no need to download anything. These are thoughtful attackers and they are gaining command and control right over port 80, and straight through the firewall," he said. "If there's a patch that you've missed they're going to get you, and we believe this is all still gathering steam."

The expert said that the .ANI threats may have actually first been created by Chinese hackers attempting to steal people's passwords to the World of Warcraft online video game, with other attackers subsequently modifying the code for their own means.

Other experts said the attacks will likely result in new hordes of widespread botnets, which will allow attackers to piggyback even more spam and malware campaigns onto their existing threats.

Since the .ANI flaw is present on so many relevant Microsoft products, botnet herders will likely flock to take advantage of the flaw, said Max Cacares, director of product management at penetration testing specialists Core Security.

"One reason why spammers are interested is because a lot of the underground community takes advantage of botnets to relay their work, and this is great for building huge bontets since it works on every version of Windows that you care about," Cacares said. "With the potential to exploit it directly from Outlook, this is great for compromising a huge variety of users, and once it's made part of botnet, it also becomes a huge asset for all kinds of spammers."

Some researchers said they were surprised that there have not been more widespread attacks since the vulnerability was first made public so long ago.

"We actually haven't seen a huge proliferation yet," said David Frazer, director of technology services for anti-virus specialists F-Secure, based in Helsinki. "But with four patches issued from Microsoft between the original announcement and the release of all this code, one could say it might have been fixed sooner; fortuitously, we haven't seen as many infections as might have happened."

Matt Sergeant, senior anti-spam technologist at security software maker MessageLabs, said that Russian hackers are known to have been seeking new flaws that would allow them to deliver massive amounts of malware code in short periods of time.

"We're very much aware that Russian guys have been on the lookout for a new attack, their botnets have actually been diminishing since October 2006 since the Warezov virus," he said. "They're looking for anew angle to get in and with the security improvements in Vista, they're worried that they can't crack into stuff as easy as in past, but this proves that might not be the case."

The expert contends that the hackers are working furiously to find new avenues for attack, and predicted that many have shifted their efforts to the .ANI vulnerability over the last several days.

"These guys have teams of programmers working on this 24 hours a day, trying to find some way in, and when a major software vendors releases a patch, they move quickly," said Sergeant. "Especially on a Tuesday morning, most businesses are not ready to get a patch immediately installed; this is likely creating a huge opportunity for these guys to get stuff installed on people's computers and increase the size of their botnets."

Join the Computerworld Australia group on Linkedin. The group is open to IT Directors, IT Managers, Infrastructure Managers, Network Managers, Security Managers, Communications Managers.

More about: F-Secure, MessageLabs, Microsoft, Tuesday Morning, Websense
Comments are now closed.
Related Whitepapers
Latest Stories
Community Comments
Whitepapers
All whitepapers

NBN Co hits 105Mbps in limited FTTN trial

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Sign up now to get free exclusive access to reports, research and invitation only events.

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia