[ISN] Hackers Promise 'Nude Britney Spears' Pix To Plant .ANI Exploit

From: InfoSec News (alerts@private)
Date: Thu Apr 05 2007 - 07:43:57 PDT


http://www.informationweek.com/news/showArticle.jhtml?articleID=198800300

By Sharon Gaudin
InformationWeek
April 4, 2007

There are problems with the patch Microsoft released Tuesday for a 
critical .ANI vulnerability, and hackers have launched a new spam 
campaign to take advantage of the flaw by promising nude pictures of 
Britney Spears to lure users to malicious sites.

Deborah Hale, a handler with the Internet Storm Center, reported in the 
site's daily diary on Wednesday that researchers there are receiving 
reports of users having problems with the patch, which Microsoft pushed 
out a week earlier than its normal monthly Patch Tuesday release. 
Microsoft confirmed a problem with the patch and provided a hotfix, or a 
patch for the patch, when the patch was first released.

Hale noted that other issues have arisen, as well, and Microsoft is 
investigating them.

Microsoft reported that on computers running Microsoft Windows XP with 
Service Pack 2, the Realtek HD Audio Control Panel may not start after 
the patch is installed. Users also may receive an error message about an 
illegal system DLL relocation. The problem stems from files having 
conflicting base addresses, according to the Microsoft advisory.

A Microsoft spokesman said in an e-mail that Microsoft was first aware 
of the issues around the update for Windows XP SP2 during the testing 
process for the patch. He also said the number of customers affected by 
the glitch appears "limited" at this point, but the company is 
recommending that users apply the hotfix.

While IT managers and consumers deal with the patch, hackers are losing 
no time in continuing their onslaught of attacks against the 
vulnerability.

Sophos, a security company, reported Wednesday morning that attackers 
launched a new spam campaign aimed at luring users to malicious Web 
sites where their unpatched systems can be infected with malware.

The lure? The e-mails are promising users nude pictures of pop star 
Britney Spears if they follow the link to a Web site. Initially, the 
e-mails only contained text, but in the past day or so they've begun to 
contain an embedded image of a scantily clad Spears.

Sophos reported in an advisory that the malicious site contains the 
Iffy-A Trojan that points to another piece of malware, which contains 
the zero-day .ANI exploit. Sophos detects this Trojan as Animoo-L.

"The message is simple: You must patch your computers against this 
vulnerability now or risk infection," said Graham Cluley, senior 
technology consultant for Sophos, in a statement. "Hackers are 
exploiting people's tardiness in rolling out updates and looking to 
infect as many PCs as they can. Microsoft issued a patch for the problem 
yesterday, but the hackers will continue to take advantage of the 
critical security loophole for as long as they can."

Security researchers warned on Tuesday that despite the patch, attacks 
against the vulnerability would only escalate in the coming weeks and 
months.

The dramatic rise in malicious activity isn't going to die down because 
Microsoft issued a patch, said Craig Schmugar, a threat researcher with 
McAfee, in an interview earlier this week. "Getting the patch out early 
definitely was the right call to make," he said. "There's been a big 
uptick in exploit activity. It'll get worse. The release of a patch 
isn't the end of the issue. Now that rootkits are posted publicly, more 
and more hackers will find them and this will just get worse."

In just the past few days, analysts at Websense, a security company, 
have found more than 700 Web sites that are spreading the .ANI exploit. 
Researchers also have found an exploit being sent out in a spam 
campaign, and automated rootkits are popping up online to let even 
unsavvy hackers build their own exploit malware.

The .ANI vulnerability involves the way Windows handles animated cursor 
files and could enable a hacker to remotely take control of an infected 
system. The bug affects all the recent Windows releases, including its 
new Vista operating system. Internet Explorer is the main attack vector 
for the exploits.

Users are being infected after visiting a malicious Web page that has 
embedded malware designed to take advantage of the flaw. They also can 
be infected if they open a specially crafted e-mail message or if they 
open a malicious e-mail attachment sent by a hacker.

