Spammers feast on ANI vulnerability

Microsoft moved to fix the critical .ANI vulnerability that affects roughly a dozen of its most popular products, including Vista, but spammers and malware brokers are already tapping into the flaw to infect unprotected machines.

Share

Microsoft moved to fix the critical .ANI vulnerability that affects roughly a dozen of its most popular products, including Vista, but spammers and malware brokers are already tapping into the flaw to infect unprotected machines.

Most enterprises should already be aware of the problem, and IT departments are likely scrambling to get Microsoft's security update in place, but attackers have likely been hammering away at the widespread vulnerability for months, according to security experts.

The IT community became aware of the .ANI glitch – which affects the manner in which roughly a dozen Microsoft Windows products handle malformed animated cursor files – as a wave of spam and malware attacks hit the internet after 1 April.

But, experts say the problem, which was first reported to Microsoft in December 2006, has likely been assailed for some time by attackers seeking to maintain a much lower profile.

Rated by Secunia as an extremely critical flaw – the security software maker's most severe vulnerability ranking – experts say that the .ANI glitch is currently being exploited in a wide variety of formats. It is likely to ensnare large numbers of PCs worldwide with malware, adware, and botnet programs.

Microsoft also issued fixes for seven other security vulnerabilities in addition to the .ANI problem in an ahead of schedule patch delivered on April 3.

Researchers at Websense reported the discovery of over 450 unique sites hosting ANI-based spyware threats, adding up to tens of thousands of URLs infected with the malware. Unprotected end users visiting those sites will be redirected and hit with a password-stealing spyware program labeled as "ad.exe" which most antivirus programs cannot catch, Websense reported.

Experts have also highlighted the rapid emergence of a new wave of attacks that are infecting end users who merely open emails or attachments laced with the viruses.

In one of the most popular iterations of the email-based threats, users are being sent spam messages that advertise links to URLs hosting lurid images of embattled pop singer Britney Spears.

Users targeted in the campaign receive email with the subject line "Hot Pictures of Britiney Speers" that has been written in HTML to help avoid filtering tools. After opening the infected spam email, people who then click on the links are redirected to malware sites that host JavaScript code believed to be controlled by servers used by Russian cyber-criminals.

Roger Thompson, chief technology officer at Exploit Prevention Labs, said that the attacks being served up by that group run the full gamut of threats, from botnet software to sophisticated root kits.

The expert said that the root kit, dubbed 200.exe, eventually calls out to an account on Microsoft's Hotmail servers to announce itself and seek out additional malware to download onto infected machines. Thompson said the spam attacks started in earnest on April 1.

Find your next job with computerworld UK jobs