View Full Version : 0-Day vuln Exploit in the wild - Animated Cursor

2007-03-30, 09:13

> http://www.websense.com/securitylabs/alerts/alert.php?AlertID=762
March 29, 2007 ~ "WebsenseŽ Security Labs™ is currently monitoring an unpatched (0-day) vulnerability in Microsoft Windows. No user interaction is necessary for the exploit to be successful. A computer may become infected by simply visiting a malicious website. This vulnerability exists in the way animated cursors are processed, and is very similar to MS05-002 ( http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx ) which was patched by Microsoft in early 2005. At this time, we are aware of 9 different sites hosting the new exploit. We will continue to monitor for any additional sites, as we expect the exploit's usage to increase. One of the sites involved is the same one which targeted Dolphin Stadium during the Super Bowl. It is likely that the same group is behind the current attack. Additional details on the vulnerability are available from Microsoft Security Advisory #935423: http://www.microsoft.com/technet/security/advisory/935423.mspx ."

> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1765


2007-03-30, 12:46

- http://isc.sans.org/diary.html?storyid=2539
Last Updated: 2007-03-30 10:40:08 UTC ~ "A short overview of how the different email clients (in the supported list of Microsoft) are reacting to the animated cursor vulnerability depending on the actions and settings of the email client. The surprising element is that read in plain text mode makes some of the clients more vulnerable and actually only offers real added value for Outlook 2003..."

(Chart available at the URL above.)


2007-03-31, 13:00

> http://isc.sans.org/diary.html?storyid=2540
Last Updated: 2007-03-30 21:19:28 UTC ...(Version: -3-)
"...Domains/IPs currently being used in exploitation:
jonnyasp.com ..."

Do NOT visit these URLs...

:fear: :fear: :fear:

2007-03-31, 20:31
BTW: I find no one else recommending that patch -except- eEye...



- http://isc.sans.org/diary.html?storyid=2542
Last Updated: 2007-03-31 14:31:15 UTC
"...Rating systems such as Symantec's ThreatCon* (currently at 2 of 4), FS/ISAC's Cyber Threat Advisory** (currently at Guarded), and our INFOCon (now at Yellow) all have their particular niche. Symantec focuses on their AV and managed-security-service customers. FS/ISAC focuses on financial institutions. The Internet Storm Center's INFOCon intent is to "to reflect changes in malicious traffic and the possibility of disrupted connectivity." In the initial stages of this event, we did not satisfy the criteria to raise the INFOCon level. Now, we have a different landscape.
> Exploit code has been publicly released which allows trivial modification to add any arbitrary payload.
> The number of malicious sites reported is rising rapidly, limiting the efficacy of blacklisting.
> The number of compromised sites pointing to malicious sites is also on the rise..."

* http://www.symantec.com/enterprise/security_response/index.jsp

** http://www.fsisac.com/


2007-04-01, 03:57

ANI Zero-Day Update
> http://www.websense.com/securitylabs/alerts/alert.php?AlertID=763
March 31, 2007 ~ "Websense Security Labs(TM) is actively tracking more than 100 websites that are spreading the ANI "zero-day" exploit. Proof-of-concept (POC) attack code is also now available, and we expect additional attacks to surface. Currently the majority of the attacks appear to be downloading and installing generic password stealing code. Also, as represented in the below graphs, most sites are hosted in China. Interestingly the most popular domain space being used is .com. Due to the fact that POC code is now downloadable on the web, there is no patch from Microsoft, and the fact that some of the attackers we are tracking have infected hundreds of sites on the web, we believe that exploits will continue to surface and the numbers will get larger. Reports out of China also indicate that a worm is now propagating using the exploit code: http://www.cisrt.org/enblog/read.php?68 ..."

(Charts available at the Websense URL above.)


2007-04-01, 04:29

- http://isc.sans.org/diary.html?storyid=2551
Last Updated: 2007-03-31 23:50:59 UTC ~ "McAfee is now reporting* a spam campaign that includes an ANI exploit attempt:
"March 31, 2007. The .ANI File Format vulnerability has seen an increase in exploit attempts in-the-wild. McAfee Avert Labs has detected many Web sites linking to other sites that attempt to exploit this vulnerability. We have also observed a spam run that tries to lure its recipients to Web sites hosting code exploiting this vulnerability. Technical details and exploit code can now be easily obtained from these malicious Web sites. Following links in unsolicited e-mails and visiting unknown Web sites are strongly discouraged."
This will affect email clients on vulnerable Operating Systems that render HTML. Exploit could occur when the malicious message is either opened, previewed, or forwarded.
Additionally... If you open up a folder with Explorer (not Internet Explorer) that has a malicious .ANI file (file-extension matters in this case) it will exploit the system. At least automated processes won't trigger execution (unlike WMF.) (US-CERT Advisory**)"

* http://www.mcafee.com/us/threat_center/default.asp

** http://www.kb.cert.org/vuls/id/191609
Date Last Updated: 03/31/2007


2007-04-01, 05:27
Updates comin' on quickly...

- http://isc.sans.org/diary.html?storyid=2551
Last Updated: 2007-04-01 02:50:31 UTC
"...UPDATE: Microsoft has updated their advisory* on this issue. The vulnerable systems list has been amended to include Windows 2003 SP2.
"March 31, 2007: Advisory revised to add additional information regarding Windows 2003 Service Pack 2, Microsoft Windows Server 2003 with SP2 for Itanium-based Systems, and Microsoft Windows Server 2003 x64 Edition Service Pack 2 in the “Related Software” section."
While not confirmed, keep in mind that systems no longer supported may also be vulnerable.
iDefense has discovered a browser based ANI generation kit tool. You enter the payload URL, the password and the tool creates a ZIP file with all the relevant scripts and files..."

* http://www.microsoft.com/technet/security/advisory/935423.mspx

:fear: :fear:

2007-04-01, 13:20
FYI... (for Firefox users)

Firefox / Firekeeper ANI vuln rule/add...
- http://blues.ath.cx/firekeeper/archives/2007-03.html#e2007-03-31T19_09_36.txt
31.03.2007 19:09 ~ "Firekeeper can be used to detect sites making use of recently discovered MS ANI file critical vulnerability. Here is a rule proposed by Alexander Sotirov on bugtraq..."

(See the URL above for detail.)

> Firekeeper: http://firekeeper.mozdev.org/
"Firekeeper is an Intrusion Detection and Prevention System for Firefox. It is able to detect, block and warn the user about malicious sites. Firekeeper uses flexible rules similar to Snort ones to describe browser based attack attempts. Rules can also be used to effectively filter different kinds of unwanted content... This is an alpha release..."


2007-04-01, 20:20

ZERT2007-01 - patch in testing
- http://zert.isotf.org/advisories/zert-2007-01.htm
"...ANI Handling under Microsoft Windows 0Day...
A ZERT patch... for Microsoft Windows 98, 2000, XP, Server 2003 and Vista..."

Note from same URL re: eEye patch...
"...Although eEye has released a third-party patch that will prevent the latest exploit from working, it doesn't fix the flawed copy routine. It simply requires that any cursors loaded must reside within the Windows directory (typically C:\WINDOWS\ or C:\WINNT\). This approach should successfully mitigate most "drive-by's," but might be bypassed by an attacker with access to this directory.
For this reason, ZERT is releasing a patch which addresses the core of the vulnerability, by ensuring that no more than 36 bytes of an "anih" chunk will be copied to the stack buffer, thus eliminating all potential exploit paths while maintaining compatibility with well-formatted animated cursor files..."


2007-04-01, 21:19

ZERT2007-01 released (Stack buffer overflow in ANI Handling under Microsoft Windows 0Day).
- http://zert.isotf.org/advisories/zert-2007-01.htm
"...ANI Handling under Microsoft Windows 0Day...
A ZERT patch is available for Microsoft Windows 98, 2000, XP, Server 2003 and Vista..."

- http://isc.sans.org/diary.html?storyid=2551
Last Updated: 2007-04-01 20:04:19 UTC ~ "The Zeroday Emergency Response Team (ZERT) has released a patch to address the vulnerability... There have been some reports regarding the stability of the patch. Please remember this is an unofficial patch and is supplied on an as-is basis. You will need to remove it when Microsoft releases their patch..."


2007-04-02, 11:32

MS to Release Out-of-Schedule Patch for ANI Vuln
- http://isc.sans.org/diary.html?storyid=2555
Last Updated: 2007-04-02 03:39:56 UTC
"...The Microsoft Security Response Center blog reports* that they "have been working around the clock to test this update and are currently planning to release the security update that addresses this (ANI) issue on Tuesday April 3, 2007."
This is further supported here: http://www.microsoft.com/technet/security/bulletin/advance.mspx ."

* http://preview.tinyurl.com/35tyyt


2007-04-03, 01:14

Compromised sites using ANI exploit code
- http://www.websense.com/securitylabs/blog/blog.php?BlogID=119
Apr 2 2007 3:15PM ~ "Websense's ThreatSeeker(tm) technology has discovered that a large set of websites have been compromised within the Asia Pacific Region and have embedded IFRAMES within them pointing to a site that is hosting the ANI exploit code. An IFRAME or "invisible frame" is an element which makes it possible to embed another HTML document inside the main document. From Wikipedia: http://en.wikipedia.org/wiki/Iframe.
Although we are tracking hundreds of other sites that are hosting ANI exploit files this alert pertains to one group of sites that are all connecting to the same host. Many of the sites appear to be running online blogs or message boards. Most sites have embedded IFRAME's on all pages leading to a main set of sites which are hosting the exploit code. The number of unique sites currently up and running for this one attack is greater than 50 and the number of pages is greater than 500. Assuming users connect to the sites they will be redirected to two unique locations which are hosting exploit code which in turn downloads and installs a file called "ad.exe". The file includes a generic password stealer and is not detected well by most Antivirus companies (MD5 0c9217553871d3eb5f20b553d91a098b)..."

(Screenshots available at the URL above.)


2007-04-03, 18:10

Malicious Code: Email Lures for ANI Zero-Day
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=764
April 03, 2007 ~ "Websense Security Labs(TM) has discovered a large email spam run that includes links to sites that are hosting ANI exploit code. Users receive an email with the subject line "Hot Pictures of Britiney Speers" that is written in HTML and has anti-spam avoidance text within the HTML comments. Users who click on the links are redirected to one of several websites that we are tracking. The sites contain obfuscated JavaScript. The decoded JavaScript sends all users to the same website, which is hosting the exploit code. When users connect, a file is downloaded and installed without any end-user interaction. The file is called 200.exe with the MD5 of b017cae51e4498c309690b8936f2fa79. The binary file appears to be a new variant of a file infector with operating system hooks and spamming capabilities. A more complete analysis will soon appear on our blog. The main server that hosts the exploit code is hosted in Russia and has been used by groups that have installed rootkits, password stealing Trojans, and other nefarious code in the past..."

(Screenshots available at the URL above.)

> http://www.websense.com/securitylabs/blog/blog.php?BlogID=120
Apr 3 2007 ~ "This is a follow-up to our post from yesterday (see: http://www.websense.com/securitylabs/blog/blog.php?BlogID=119 ). We are now actively tracking more than 450 unique websites which have been compromised. Most of the sites have ALL pages infected within the site which add up to tens of thousands of pages with exploit code links on them. We are working with several groups to attempt to get these sites shutdown. As previously stated, users who visit one of the thousands of pages will be infected with a generic password stealer that will run without any user-interaction..."

:fear: :fear:

2007-04-03, 19:25

MS07-017 patch released
- http://forums.spybot.info/showpost.php?p=78074&postcount=26


md usa spybot fan
2007-04-03, 19:41

Damn are you on top of this stuff. I checked for Windows updates a half-an-hour ago and there were none. Thanks for your concern and attention to breaking security issues.

Security Update for Windows XP (KB925902) requires a restart. See you in a few minutes.

md usa spybot fan

2007-04-03, 21:07
...on top of this stuff.
As opposed to the other choice, that's where we need to be.


2007-04-04, 04:51

MS07-017 / MS07-008 conflict (?) fix...
- http://forums.spybot.info/showpost.php?p=78131&postcount=27
"...having problems with the patch..."


2007-04-04, 14:34

- http://www.pcworld.com/printable/article/id,130368/printable.html
April 03, 2007 ~ "Contrary to other reports, Mozilla's Firefox 2.0 is vulnerable to attackers armed with the Windows animated (ANI) cursor exploit... Alexander Sotirov, the vulnerability researcher at Determina who discovered the ANI flaw last December and notified Microsoft of it later that month, yesterday posted a demonstration of an ANI exploit that hijacks a PC when Firefox users are conned into visiting a malicious site... "It turns out that Firefox uses the same vulnerable Windows component to process .ani files, which can be exploited in a way similar to Internet Explorer," Sotirov said... "


2007-04-06, 20:21

ASUS gets ANI'd
- http://www.securityfocus.com/brief/477
2007-04-06 ~ "...The Web site of motherboard maker ASUS reportedly* got hit by a group of online vandals, who added an iframe redirect to a malicious download site that attempts to infect visitors via the ANI flaw. Leveraging hacked, but legitimate, Web sites to propagate malicious code has become a major vector to compromise end users..."
* http://www.viruslist.com/en/weblog?weblogid=208187358


2007-04-09, 20:38

Compromised Web Servers Plotted
- http://www.websense.com/securitylabs/blog/blog.php?BlogID=122
Apr 9 2007 ~ "...Now... are more than 2000 unique sites that are hosting exploit code and/or are compromised and are pointing to machines that host exploit code. There are two main attacks that comprise of the majority of these sites. The first set we believe are one of the first groups to start using the zero-day exploits in the wild. These are attacks that started in the China region and appear to be created by groups within the Asia Pacific Region. The attackers have compromised hundreds of machines and placed IFRAME's back to the main servers that host the exploit code. In most cases the payload and motivation of these attacks is to gather credentials for online games such as lineage. Lineage is a very popular online game in Asia.
The second set of attacks started just a couple days ago appear to be from a group in Eastern Europe. This group has been placing exploit code on sites for many years now and has a very resilient infrastructure. They have used WMF, VML, and several other exploits in there routines previously. As of now they have also added the ANI attacks to their arsenal. The payload and motivation is somewhat different however as they are more known to install rootkit's and crimeware which is designed to install form grabbing software and keyloggers in order to compromise end-user banking details. Also in the past they have installed fake anti-spyware software as a distraction and as a means to falsify someone into acquiring some anti-spyware software.
The below map took all the websites we have classified that have been compromised by one of these two parties and plotted them on the map. Note: we plotted by country not by city! What you can see, with some minor exceptions, is that the first attacker set are going after servers, and presumably users in China, whereas the second attacker set are going after servers, and users in America..."

(Graphic available at the URL above.)


2007-04-17, 20:47

- http://isc.sans.org/diary.html?storyid=2648
Last Updated: 2007-04-17 18:10:04 UTC ~ "...Malware authors are playing cat 'n' mouse with antivirus signatures... An .ani file observed in the wild that was not detected as malicious by any popular antivirus tools. As with many other ANI attacks, this was presented as a CURSOR object in a DIV element on a compromised web site:
<DIV style="CURSOR: url(hxxp://xxx.xxx.xxx.xxx/mcs2001/chat/css.js)"></DIV>
<DIV style="CURSOR: url(hxxp://xxx.xxx.xxx/customer/image/css.js)"></DIV>
This latest variant was submitted to the A/V community for inclusion and the site owners contacted."