.

ANI Zero Day Takes New Turns to the Uber-Nasty

<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Mon Apr 02, 2007 9:29 am

ANI Zero Day Takes New Turns to the Uber-Nasty

If you're reading this with Internet Explorer on a Windows machine, don't. The Windows animated cursor zero-day attack that was coming through on IE 6 and 7 running on fully patched Windows XP SP2 is now also hitting Windows 2000, Server 2003 and Vista. As F-Secure advises, better to use some other combination.

Proof-of-concept code for the attack was released after business hours on Friday, according to SANS.

Blocking .ani files won't help. SANS has picked up reports of the vulnerability being exploited in the wild with .ani files renamed as JPEGs.

Microsoft today posted security advisory 935423 about the exploit. Here's the full list of vulnerable systems:

Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Vista
The company still hasn't provided a patch. The vulnerability is a candidate for inclusion in the CVE (Common Vulnerabilities and Exposures) list, having been assigned the label CVE-2007-0038 (previously also CVE-2007-1765).
Although there currently is no official patch, a SANS handler has posted instructions on detecting and filtering out .ani file exploitation attempts. eEye provided a temporary patch, although the company recommends updating to Microsoft's patch when it's out.

According to Microsoft, using IE 7 in Protection Mode will protect users from the exploit. SANS is reporting that anti-virus detection is picking up on the exploit, with F-Secure, CA, Kaspersky, Trend, Sophos, McAfee and Microsoft detecting malicious ANI files.
Microsoft has also confirmed that Outlook 2007 users are protected, as the tool uses Word to display HTML messages. The company reports that users of Windows Mail on Vista are protected if they don't forward or reply to infected e-mail. Outlook Express users won't be protected when reading e-mail in plaintext, given that this mode won't show embedded .ani files.

McAfee's Avert Labs, which discovered the exploit earlier this week, has posted a video of the attack in action against Vista in which the system enters an endless crash-restart loop. McAfee said that the video doesn't reflect how the attack would look in the real world, where it would come through a Web browser.

Trend Micro has a diagram of how the malware is working here.

Microsoft has updated its MSRC blog to answer questions about the ANI attack that have been rolling in since it started spreading. The answers to those questions, in a nutshell:




Microsoft was first alerted to the Windows animated cursor vulnerability on Dec. 20 by a security researcher at Determina.

McAfee first alerted Microsoft to the attack on March 28.

Microsoft is feeding its partners information through the MSRA so they can update anti-virus and intrusion detection/protection systems.

The company is working on a patch now and plan to release it as part of its next Patch Tuesday.

Microsoft doesn't advise you use patches from a third party (like eEye), since Microsoft hasn't tested them.


Original story:
http://securitywatch.eweek.com/exploits ... nasty.html

Don
CISSP, MCSE, CSTA, Security+ SME
<<

mn_kthompson

User avatar

Jr. Member
Jr. Member

Posts: 58

Joined: Tue Sep 19, 2006 1:59 pm

Location: Mankato, MN

Post Mon Apr 02, 2007 9:34 am

Re: ANI Zero Day Takes New Turns to the Uber-Nasty

I don't understand the motivation for this.  I have read that there are some spam campaigns trying to lure people to websites that are hosting the malicious file.  The question that raises is, why?

If the malicious file causes the computer to go into a boot loop then I don't see how there is any money to be made, and I can see considerable risk that you might bring prosecution on yourself by trying to mess up peoples computers.  I know that once upon a time the general opinion was that people were hacking for reputation and bragging rights, but the conventional wisdom is that the motivation has shifted to profits, and I don't see where the profits are in this attack.
<<

heffnercj

EH-Net Columnist
EH-Net Columnist

Posts: 69

Joined: Thu Mar 15, 2007 2:45 pm

Post Mon Apr 02, 2007 9:41 am

Re: ANI Zero Day Takes New Turns to the Uber-Nasty

My question is: what has MS been doing since Dec 20? Ok, I'll admit they're a huge company, they probably have to do tons of testing and go through a lot of red tape before they can issue a patch. But this is a pretty serious flaw, and if third parties who don't have access to source code and all of the MS developers can release patches before MS does, I think there's a big disconnect somewhere. I also don't think that it's a coincidence that MS is finally releasing a patch now that the exploit is public.

And to answer your question kthompson, this exploit isn't just a DoS...you can perform remote code execution with it as well (check out the exploits/descriptions on milw0rm).
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Mon Apr 02, 2007 10:14 am

Re: ANI Zero Day Takes New Turns to the Uber-Nasty

MS is planning an early release (by early they mean outside of the normal 2nd Tues schedule) of a patch tomorrow.

http://www.microsoft.com/technet/securi ... vance.mspx

Don
CISSP, MCSE, CSTA, Security+ SME
<<

LSOChris

Post Mon Apr 02, 2007 11:52 am

Re: ANI Zero Day Takes New Turns to the Uber-Nasty

mn_kthompson wrote:I don't understand the motivation for this.  I have read that there are some spam campaigns trying to lure people to websites that are hosting the malicious file.  The question that raises is, why?

If the malicious file causes the computer to go into a boot loop then I don't see how there is any money to be made, and I can see considerable risk that you might bring prosecution on yourself by trying to mess up peoples computers.  I know that once upon a time the general opinion was that people were hacking for reputation and bragging rights, but the conventional wisdom is that the motivation has shifted to profits, and I don't see where the profits are in this attack.


well with the metasploit ani exploit, you have a listening server serving up these bad ani filles, once a victim clicks on it, it will upload the the payload and you can do what you want from there. download a trojan, steal info, etc.

on a very cool note, on vista it wont give you system, but HD Moore hints that you can use the meterpreter payload and then call a rev2self to pull a system level shell from the exploit... w00t!
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Mon Apr 02, 2007 1:56 pm

Re: ANI Zero Day Takes New Turns to the Uber-Nasty

CISSP, MCSE, CSTA, Security+ SME
<<

heffnercj

EH-Net Columnist
EH-Net Columnist

Posts: 69

Joined: Thu Mar 15, 2007 2:45 pm

Post Mon Apr 02, 2007 3:24 pm

Re: ANI Zero Day Takes New Turns to the Uber-Nasty

eEye patch bypass released:

http://milw0rm.com/exploits/3636

;)
<<

LSOChris

Post Mon Apr 02, 2007 4:38 pm

Re: ANI Zero Day Takes New Turns to the Uber-Nasty

w00t!
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Apr 03, 2007 1:31 pm

Re: ANI Zero Day Takes New Turns to the Uber-Nasty

Just did manual updates to get the patch, and below is the information from Windows Update:

Security Update for Windows XP (KB925902)
Date last published: 4/3/2007
Typical download size: 455 KB 
A security issue has been identified that could allow an attacker to compromise your Windows-based system and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
System Requirements
Recommended CPU: Not specified.
Recommended memory: Not specified.
Recommended hard disk space: Not specified.
How to Uninstall
This software update can be removed via Add or Remove Programs in Control Panel.
Get help and support
http://support.microsoft.com
More information

http://go.microsoft.com/fwlink/?LinkId=84687


Interesting info from MS on this patch. The details above are vague at best. If you search the KB for the article, you can't find it. The "More Information" link goes nowhere. Hmmmmmmmmmmmm?

But you can find it here:

http://www.microsoft.com/technet/securi ... 7-017.mspx

Of course I had to hunt for it.

Don
CISSP, MCSE, CSTA, Security+ SME
<<

LSOChris

Post Tue Apr 03, 2007 2:48 pm

Re: ANI Zero Day Takes New Turns to the Uber-Nasty

hmmm back to that Mac thread....  ;D
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Tue Apr 03, 2007 3:45 pm

Re: ANI Zero Day Takes New Turns to the Uber-Nasty

Yeah, you gotta love how they don't give you an explanation... "Beware, someone can take control of your computer, download this to stop them!" .. sounds like a pop-up to me :P

ChrisG wrote:hmmm back to that Mac thread....  ;D


Haha, yup :D

Return to Malware

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software