
Thread: 0-Day vuln Exploit in the wild - Animated Cursor

  1. #1
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005 | Location: USA | Posts: 6,881

    0-Day vuln Exploit in the wild - Animated Cursor

    FYI...

    > http://www.websense.com/securitylabs...hp?AlertID=762
    March 29, 2007 ~ "Websense® Security Labs™ is currently monitoring an unpatched (0-day) vulnerability in Microsoft Windows. No user interaction is necessary for the exploit to be successful. A computer may become infected by simply visiting a malicious website. This vulnerability exists in the way animated cursors are processed, and is very similar to MS05-002 ( http://www.microsoft.com/technet/sec.../MS05-002.mspx ) which was patched by Microsoft in early 2005. At this time, we are aware of 9 different sites hosting the new exploit. We will continue to monitor for any additional sites, as we expect the exploit's usage to increase. One of the sites involved is the same one which targeted Dolphin Stadium during the Super Bowl. It is likely that the same group is behind the current attack. Additional details on the vulnerability are available from Microsoft Security Advisory #935423: http://www.microsoft.com/technet/sec...ry/935423.mspx ."

    > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1765

    Last edited by AplusWebMaster; 2007-03-30 at 12:08. Reason: Added CVE reference...
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2
    AplusWebMaster

    FYI...

    - http://isc.sans.org/diary.html?storyid=2539
    Last Updated: 2007-03-30 10:40:08 UTC ~ "A short overview of how the different email clients (in the supported list of Microsoft) are reacting to the animated cursor vulnerability depending on the actions and settings of the email client. The surprising element is that read in plain text mode makes some of the clients more vulnerable and actually only offers real added value for Outlook 2003..."

    (Chart available at the URL above.)



  3. #3
    AplusWebMaster

    FYI...

    > http://isc.sans.org/diary.html?storyid=2540
    Last Updated: 2007-03-30 21:19:28 UTC ...(Version: -3-)
    "...Domains/IPs currently being used in exploitation:
    1.520sb.cn
    220.71.76.189
    222.73.220.45
    55880.cn
    81.177.26.26
    85.255.113.4
    bc0.cn
    client.alexa.com
    count12.51yes.com
    count3.51yes.com
    d.77276.com
    fdghewrtewrtyrew.biz
    i5460.net
    jdnx.movie721.cn
    newasp.com.cn
    s103.cnzz.com
    s113.cnzz.com
    ttr.vod3369.cn
    uniq-soft.com
    wsfgfdgrtyhgfd.net
    04080.com
    33577.cn
    baidu.com
    h3210.com
    hackings.cn
    koreacms.co.kr
    macrcmedia.com
    macrcmedia.net
    ncph.net
    xxx.cn
    ym52099.512j.com
    jonnyasp.com ..."

    Do NOT visit these URLs...


  4. #4
    AplusWebMaster

    BTW: I find no one else recommending that patch -except- eEye...

    -----------------

    FYI...

    - http://isc.sans.org/diary.html?storyid=2542
    Last Updated: 2007-03-31 14:31:15 UTC
    "...Rating systems such as Symantec's ThreatCon* (currently at 2 of 4), FS/ISAC's Cyber Threat Advisory** (currently at Guarded), and our INFOCon (now at Yellow) all have their particular niche. Symantec focuses on their AV and managed-security-service customers. FS/ISAC focuses on financial institutions. The Internet Storm Center's INFOCon intent is "to reflect changes in malicious traffic and the possibility of disrupted connectivity." In the initial stages of this event, we did not satisfy the criteria to raise the INFOCon level. Now, we have a different landscape.
    > Exploit code has been publicly released which allows trivial modification to add any arbitrary payload.
    > The number of malicious sites reported is rising rapidly, limiting the efficacy of blacklisting.
    > The number of compromised sites pointing to malicious sites is also on the rise..."

    * http://www.symantec.com/enterprise/s...onse/index.jsp

    ** http://www.fsisac.com/


  5. #5
    AplusWebMaster

    FYI...

    ANI Zero-Day Update
    > http://www.websense.com/securitylabs...hp?AlertID=763
    March 31, 2007 ~ "Websense Security Labs(TM) is actively tracking more than 100 websites that are spreading the ANI "zero-day" exploit. Proof-of-concept (POC) attack code is also now available, and we expect additional attacks to surface. Currently the majority of the attacks appear to be downloading and installing generic password stealing code. Also, as represented in the below graphs, most sites are hosted in China. Interestingly the most popular domain space being used is .com. Due to the fact that POC code is now downloadable on the web, there is no patch from Microsoft, and the fact that some of the attackers we are tracking have infected hundreds of sites on the web, we believe that exploits will continue to surface and the numbers will get larger. Reports out of China also indicate that a worm is now propagating using the exploit code: http://www.cisrt.org/enblog/read.php?68 ..."

    (Charts available at the Websense URL above.)


  6. #6
    AplusWebMaster

    More...

    - http://isc.sans.org/diary.html?storyid=2551
    Last Updated: 2007-03-31 23:50:59 UTC ~ "McAfee is now reporting* a spam campaign that includes an ANI exploit attempt:
    "March 31, 2007. The .ANI File Format vulnerability has seen an increase in exploit attempts in-the-wild. McAfee Avert Labs has detected many Web sites linking to other sites that attempt to exploit this vulnerability. We have also observed a spam run that tries to lure its recipients to Web sites hosting code exploiting this vulnerability. Technical details and exploit code can now be easily obtained from these malicious Web sites. Following links in unsolicited e-mails and visiting unknown Web sites are strongly discouraged."
    This will affect email clients on vulnerable Operating Systems that render HTML. Exploit could occur when the malicious message is either opened, previewed, or forwarded.
    Additionally... If you open up a folder with Explorer (not Internet Explorer) that has a malicious .ANI file (file-extension matters in this case) it will exploit the system. At least automated processes won't trigger execution (unlike WMF.) (US-CERT Advisory**)"

    * http://www.mcafee.com/us/threat_center/default.asp

    ** http://www.kb.cert.org/vuls/id/191609
    Date Last Updated: 03/31/2007


  7. #7
    AplusWebMaster

    Updates comin' on quickly...

    - http://isc.sans.org/diary.html?storyid=2551
    Last Updated: 2007-04-01 02:50:31 UTC
    "...UPDATE: Microsoft has updated their advisory* on this issue. The vulnerable systems list has been amended to include Windows 2003 SP2.
    "March 31, 2007: Advisory revised to add additional information regarding Windows 2003 Service Pack 2, Microsoft Windows Server 2003 with SP2 for Itanium-based Systems, and Microsoft Windows Server 2003 x64 Edition Service Pack 2 in the “Related Software” section."
    While not confirmed, keep in mind that systems no longer supported may also be vulnerable.
    Tools
    iDefense has discovered a browser based ANI generation kit tool. You enter the payload URL, the password and the tool creates a ZIP file with all the relevant scripts and files..."

    * http://www.microsoft.com/technet/sec...ry/935423.mspx

    Last edited by AplusWebMaster; 2007-04-01 at 05:29.

  8. #8
    AplusWebMaster

    FYI... (for Firefox users)

    Firefox / Firekeeper ANI vuln rule/add...
    - http://blues.ath.cx/firekeeper/archi...1T19_09_36.txt
    31.03.2007 19:09 ~ "Firekeeper can be used to detect sites making use of recently discovered MS ANI file critical vulnerability. Here is a rule proposed by Alexander Sotirov on bugtraq..."

    (See the URL above for detail.)

    > Firekeeper: http://firekeeper.mozdev.org/
    "Firekeeper is an Intrusion Detection and Prevention System for Firefox. It is able to detect, block and warn the user about malicious sites. Firekeeper uses flexible rules similar to Snort ones to describe browser based attack attempts. Rules can also be used to effectively filter different kinds of unwanted content... This is an alpha release..."


  9. #9
    AplusWebMaster

    FYI...

    ZERT2007-01 - patch in testing
    - http://zert.isotf.org/advisories/zert-2007-01.htm
    "...ANI Handling under Microsoft Windows 0Day...
    A ZERT patch... for Microsoft Windows 98, 2000, XP, Server 2003 and Vista..."

    Note from same URL re: eEye patch...
    "...Although eEye has released a third-party patch that will prevent the latest exploit from working, it doesn't fix the flawed copy routine. It simply requires that any cursors loaded must reside within the Windows directory (typically C:\WINDOWS\ or C:\WINNT\). This approach should successfully mitigate most "drive-by's," but might be bypassed by an attacker with access to this directory.
    For this reason, ZERT is releasing a patch which addresses the core of the vulnerability, by ensuring that no more than 36 bytes of an "anih" chunk will be copied to the stack buffer, thus eliminating all potential exploit paths while maintaining compatibility with well-formatted animated cursor files..."

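    An added illustration of the copy routine the ZERT advisory above describes. This is not code from ZERT, eEye, Microsoft or any post in this thread; it is a C model written for this page. A RIFF/ACON walker hands every "anih" chunk to a copy routine in two shapes: the vulnerable one, where the attacker-controlled chunk length drives the copy into a 36-byte stack buffer, and the bounded one, where never more than sizeof(ANIHEADER) bytes are copied. The demo_frame struct (header buffer plus the saved frame pointer and return address that sit above it), the sample file and the sentinel values are constructed for the demo; the ANIHEADER field names are loosely modelled on the documented layout and are an assumption, not taken from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Payload of an "anih" chunk: nine little-endian 32-bit fields, 36 bytes.
 * Field names loosely follow the documented ANIHEADER layout (assumption). */
typedef struct {
    uint32_t cbSize;        /* size of this structure, must be 36 */
    uint32_t nFrames, nSteps, iWidth, iHeight, iBitCount, nPlanes;
    uint32_t iDispRate, bfAttributes;
} ANIHEADER;

/* Stand-in for the stack frame of the routine that copies the chunk: the
 * 36-byte header buffer, then the saved frame pointer and return address that
 * sit above it on a real x86 stack. Constructed for this demo so the overwrite
 * is observable without undefined behaviour. */
typedef struct {
    ANIHEADER hdr;
    uint32_t  saved_fp;
    uint32_t  ret_addr;
} demo_frame;

enum { COPY_VULNERABLE = 0, COPY_HARDENED = 1 };

/* Copy an "anih" payload into the frame's header buffer.
 * Returns 0 if the chunk was accepted, -1 if the hardened path rejects it. */
static int load_anih(const uint8_t *data, uint32_t len, int mode, demo_frame *fr)
{
    if (mode == COPY_HARDENED) {
        /* Bounded copy in the spirit of the ZERT fix: at most 36 bytes, and
         * only if the chunk holds a full header that says it is 36 bytes. */
        if (len < sizeof(ANIHEADER))
            return -1;
        memcpy(&fr->hdr, data, sizeof(ANIHEADER));
        return fr->hdr.cbSize == sizeof(ANIHEADER) ? 0 : -1;
    }
    /* Vulnerable shape: the attacker-controlled chunk length drives the copy.
     * Real code runs off the end of the frame; the clamp to sizeof(*fr) is a
     * demo artefact that keeps the write inside the stand-in frame. */
    uint32_t n = len > sizeof(*fr) ? (uint32_t)sizeof(*fr) : len;
    memcpy(fr, data, n);
    return 0;
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk a RIFF/ACON container and feed every "anih" chunk to load_anih.
 * Returns the number of accepted anih chunks, or -1 for a malformed file. */
int parse_ani(const uint8_t *buf, size_t n, int mode, demo_frame *fr)
{
    if (n < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return -1;
    size_t off = 12;
    int accepted = 0;
    while (off + 8 <= n) {
        const uint8_t *tag = buf + off;
        uint32_t len = rd32(buf + off + 4);
        off += 8;
        if (len > n - off)                 /* chunk claims more than the file holds */
            return -1;
        if (memcmp(tag, "anih", 4) == 0 && load_anih(buf + off, len, mode, fr) == 0)
            accepted++;
        off += len + (len & 1);            /* RIFF pads odd-length chunks to even */
    }
    return accepted;
}

/* Constructed sample: a minimal ACON with one anih chunk whose 44-byte payload
 * is a well-formed 36-byte header followed by 8 attacker bytes. Returns 64. */
static size_t build_sample(uint8_t *out)
{
    const uint32_t payload_len = 44;
    const uint32_t fields[9] = { 36, 1, 1, 32, 32, 32, 1, 0, 0 };
    size_t off = 0;
    memcpy(out + off, "RIFF", 4); off += 4;
    wr32(out + off, 4 + 8 + payload_len); off += 4;   /* bytes following this field */
    memcpy(out + off, "ACON", 4); off += 4;
    memcpy(out + off, "anih", 4); off += 4;
    wr32(out + off, payload_len); off += 4;
    for (int i = 0; i < 9; i++) { wr32(out + off, fields[i]); off += 4; }
    wr32(out + off, 0x41414141u); off += 4;           /* lands on saved_fp */
    wr32(out + off, 0x42424242u); off += 4;           /* lands on ret_addr */
    return off;
}

/* Parse the sample in the given mode and report the frame's return address. */
uint32_t ret_after_parse(int mode)
{
    uint8_t file[64];
    demo_frame fr;
    size_t n = build_sample(file);
    memset(&fr, 0, sizeof fr);
    fr.saved_fp = 0x11111111u;
    fr.ret_addr = 0xDEADBEEFu;               /* sentinel: survives only the bounded copy */
    parse_ani(file, n, mode, &fr);
    return fr.ret_addr;
}

int main(void)
{
    printf("vulnerable copy: ret_addr = 0x%08x\n", (unsigned)ret_after_parse(COPY_VULNERABLE));
    printf("bounded copy:    ret_addr = 0x%08x\n", (unsigned)ret_after_parse(COPY_HARDENED));
    return 0;
}
```

    The point of the two shapes is the one the advisory makes: the eEye approach leaves the copy length unchecked and only restricts where a cursor may be loaded from, whereas bounding the copy to the 36-byte header removes the overflow regardless of where the file came from. The walker processes every anih chunk in the container, so a check that only looks at the first one would not be enough; the bounded copy is applied at the copy site itself.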

  10. #10
    AplusWebMaster

    FYI...

    ZERT2007-01 released (Stack buffer overflow in ANI Handling under Microsoft Windows 0Day).
    - http://zert.isotf.org/advisories/zert-2007-01.htm
    "...ANI Handling under Microsoft Windows 0Day...
    A ZERT patch is available for Microsoft Windows 98, 2000, XP, Server 2003 and Vista..."

    - http://isc.sans.org/diary.html?storyid=2551
    Last Updated: 2007-04-01 20:04:19 UTC ~ "The Zeroday Emergency Response Team (ZERT) has released a patch to address the vulnerability... There have been some reports regarding the stability of the patch. Please remember this is an unofficial patch and is supplied on an as-is basis. You will need to remove it when Microsoft releases their patch..."

    Last edited by AplusWebMaster; 2007-04-01 at 22:13.
