Spammers feast on ANI vulnerability

Spammers are already tapping into the Microsoft ANI flaw to infect machines

Microsoft moved to fix the critical .ANI vulnerability that affects roughly a dozen of its most popular products, including Vista, but spammers and malware brokers are already tapping into the flaw to infect unprotected machines.

Most enterprises should already be aware of the problem, and IT departments are likely scrambling to get Microsoft's security update in place, but attackers have likely been hammering away at the widespread vulnerability for months, according to security experts.

The IT community became aware of the .ANI glitch -- which affects the manner in which roughly a dozen Microsoft Windows products handle malformed animated cursor files -- as a wave of spam and malware attacks hit the Internet after April 1.

However, experts say the problem -- which was first reported to Redmond, Wash.-based Microsoft in Dec. 2006 -- has likely been assailed for some time by attackers seeking to maintain a much lower profile.

Rated by Secunia as an extremely critical flaw -- the Copenhagen-based security software maker's most severe vulnerability ranking -- experts say that the .ANI glitch is currently being exploited in a wide variety of formats that are likely to ensnare a large number of PCs worldwide with malware, adware, and botnet programs.

Microsoft also issued fixes for seven other security vulnerabilities in addition to the .ANI problem in an ahead-of-schedule patch delivered on April 3.

Researchers at San Diego-based Websense reported the discovery of over 450 unique sites hosting .ANI-based spyware threats, adding up to tens of thousands of URLs infected with the malware. Unprotected end users visiting those sites will be redirected and hit with a password-stealing spyware program labeled as "ad.exe" which most anti-virus programs cannot catch, Websense reported.

Experts have also highlighted the rapid emergence of a new wave of attacks that are infecting end users who merely open e-mails or attachments laced with the viruses.

In one of the most popular iterations of the e-mail-based threats, users are being sent spam messages that advertise links to URLs hosting lurid images of embattled pop singer Britney Spears.

Users targeted in the campaign receive e-mail with the subject line "Hot Pictures of Britiney Speers" that has been written in HTML to help avoid filtering tools. After opening the infected spam e-mail, people who then click on the links are redirected to malware sites that host JavaScript code believed to be controlled by servers used by Russian cyber-criminals.

Roger Thompson, chief technology officer at Exploit Prevention Labs, based said that the attacks being served up by that group run the full gamut of threats, from botnet software to sophisticated root kits.

The expert said that the root kit, dubbed 200.exe, eventually calls out to an account on Microsoft's Hotmail servers to announce itself and seek out additional malware to download onto infected machines. Thompson said the spam attacks started in earnest on April 1.

"This spam ring has a nasty set of encrypted exploits, and it is clearly all Russian in origin, as the sites that are being used are written in Russian," he said. "They're also using a new [malware] encryption style that we only first saw about a month ago; they're rapidly adding new exploits to these encrypted attacks, and the .ANI-based stuff is just the latest."

Thompson said that many machines have already been infected using the attack, and that he believes many more will come under control of the malware before systems can be patched, including many corporate users.

"With the embedded HTML they will catch people; there's no need to download anything. These are thoughtful attackers and they are gaining command and control right over port 80, and straight through the firewall," he said. "If there's a patch that you've missed they're going to get you, and we believe this is all still gathering steam."

The expert said that the .ANI threats may have actually first been created by Chinese hackers attempting to steal people's passwords to the World of Warcraft online video game, with other attackers subsequently modifying the code for their own means.

Other experts said the attacks will likely result in new hordes of widespread botnets, which will allow attackers to piggyback even more spam and malware campaigns onto their existing threats.

Since the .ANI flaw is present on so many relevant Microsoft products, botnet herders will likely flock to take advantage of the flaw, said Max Cacares, director of product management at penetration testing specialists Core Security.

"One reason why spammers are interested is because a lot of the underground community takes advantage of botnets to relay their work, and this is great for building huge bontets since it works on every version of Windows that you care about," Cacares said. "With the potential to exploit it directly from Outlook, this is great for compromising a huge variety of users, and once it's made part of botnet, it also becomes a huge asset for all kinds of spammers."

Some researchers said they were surprised that there have not been more widespread attacks since the vulnerability was first made public so long ago.

"We actually haven't seen a huge proliferation yet," said David Frazer, director of technology services for anti-virus specialists F-Secure, based in Helsinki. "But with four patches issued from Microsoft between the original announcement and the release of all this code, one could say it might have been fixed sooner; fortuitously, we haven't seen as many infections as might have happened."

Matt Sergeant, senior anti-spam technologist at security software maker MessageLabs, said that Russian hackers are known to have been seeking new flaws that would allow them to deliver massive amounts of malware code in short periods of time.

"We're very much aware that Russian guys have been on the lookout for a new attack, their botnets have actually been diminishing since October 2006 since the Warezov virus," he said. "They're looking for anew angle to get in and with the security improvements in Vista, they're worried that they can't crack into stuff as easy as in past, but this proves that might not be the case."

The expert contends that the hackers are working furiously to find new avenues for attack, and predicted that many have shifted their efforts to the .ANI vulnerability over the last several days.

"These guys have teams of programmers working on this 24 hours a day, trying to find some way in, and when a major software vendors releases a patch, they move quickly," said Sergeant. "Especially on a Tuesday morning, most businesses are not ready to get a patch immediately installed; this is likely creating a huge opportunity for these guys to get stuff installed on people's computers and increase the size of their botnets."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matt Hines

Show Comments


James Cook University - Master of Data Science Online Course

Learn more >


Victorinox Werks Professional Executive 17 Laptop Case

Learn more >



Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?