SANS ISC InfoSec Handlers Diary Blog



ANI: It Gets Better

Published: 2007-03-31
Last Updated: 2007-04-02 13:05:05 UTC
by Kevin Liston (Version: 3)
0 comment(s)
UPDATE 01-04-2007 (pm)
We continue to receive reports of sites hosting the malware, possibly to get ready for the Monday work day in Europe and the US.

The Zeroday Emergency Response Team (ZERT) has released a patch to address the vulnerability, located here.
Please remember this is an unofficial patch and is supplied on an as-is basis. You will need to remove it when Microsoft releases their patch.


UPDATE 01-04-2007 (am)

Microsoft has updated their advisory on this issue. The vulnerable systems list has been amended to include Windows 2003 SP2.
"March 31, 2007: Advisory revised to add additional information regarding Windows 2003 Service Pack 2, Microsoft Windows Server 2003 with SP2 for Itanium-based Systems, and Microsoft Windows Server 2003 x64 Edition Service Pack 2 in the “Related Software” section."
Whilst not confirmed, keep in mind that systems no longer supported may also be vulnerable.

Tools
iDefense has discovered a browser-based ANI generation kit. You enter the payload URL and the password, and the tool creates a ZIP file with all the relevant scripts and files.

---------------------------------------------------------
McAfee is now reporting a spam campaign that includes an ANI exploit attempt:

"March 31, 2007. The .ANI File Format vulnerability has seen an increase in exploit attempts in-the-wild. McAfee Avert Labs has detected many Web sites linking to other sites that attempt to exploit this vulnerability. We have also observed a spam run that tries to lure its recipients to Web sites hosting code exploiting this vulnerability. Technical details and exploit code can now be easily obtained from these malicious Web sites. Following links in unsolicited e-mails and visiting unknown Web sites are strongly discouraged."

This will affect email clients on vulnerable operating systems that render HTML. Exploitation could occur when the malicious message is opened, previewed, or forwarded.

Additionally...

If you open a folder in Explorer (not Internet Explorer) that contains a malicious .ANI file (the file extension matters in this case), the system will be exploited. At least automated processes won't trigger execution (unlike WMF). (US-CERT Advisory)

Chinese Internet Security Response Team Reports ANI Worm

Published: 2007-03-31
Last Updated: 2007-03-31 21:15:01 UTC
by Kevin Liston (Version: 1)
0 comment(s)
The Chinese Internet Security Response Team reports the detection of a worm-like payload installed using the ANI exploit. According to their report:

"It has the same behavior as Worm.Win32.Fujacks. It also can infect .HTML .ASPX .HTM .PHP .JSP .ASP and .EXE files, and inserts the malicious links which contained Windows Animated Cursor Handling zero-day vulnerability into .HTML .ASPX .HTM .PHP .JSP .ASP files. It also can send out Chinese spams which include the same zero-day vulnerability link."

They recommend that the following domains be blocked to contain this particular variant:
2007ip.com
microfsot.com

April 1: DST phase 2 and April Fools' Day

Published: 2007-03-31
Last Updated: 2007-03-31 16:53:35 UTC
by Kevin Liston (Version: 1)
0 comment(s)
Remember all of those devices you manually set the clock on a few weeks ago?  You know, your Windows 2000 servers, etc.?
Hopefully you do, since tomorrow, all of your unpatched systems will "spring forward" per their original programming.

Tomorrow also denotes the celebration of April Fools' Day, often observed with practical jokes and hoaxes. In the past, the handlers have observed this "holiday" with humorous posts. I've been informed that we will not be participating this year because of the heightened INFOCon. Not everyone is going to follow that suggestion, so be aware of what you read tomorrow.

*ANI exploit code drives INFOCon to Yellow

Published: 2007-03-31
Last Updated: 2007-03-31 14:31:15 UTC
by Kevin Liston (Version: 1)
0 comment(s)
The ANI vulnerability has been of recent concern. I've been waiting for a few key events to be confirmed before adjusting the INFOCon. We don't take these decisions lightly.

Rating systems such as Symantec's ThreatCon (currently at 2 of 4), FS/ISAC's Cyber Threat Advisory (currently at Guarded), and our INFOCon (now at Yellow) all have their particular niche. Symantec focuses on their AV and managed-security-service customers. FS/ISAC focuses on financial institutions. The Internet Storm Center's INFOCon is intended "to reflect changes in malicious traffic and the possibility of disrupted connectivity."

In the initial stages of this event, we did not satisfy the criteria to raise the INFOCon level.  Now, we have a different landscape.

  • Exploit code has been publicly released which allows trivial modification to add any arbitrary payload.
  • The number of malicious sites reported is rising rapidly, limiting the efficacy of blacklisting.
  • The number of compromised sites pointing to malicious sites is also on the rise.
Recommendations:
  • Keep anti-virus up-to-date. So far this is the most effective layer, particularly generic signatures that detect non-compliant ANI files. Also, the secondary payloads downloaded by these exploits are often detectable (not always though).
  • Content-filtering. If your environment supports it, dropping ANI files (not based on file extension, but on actual file inspection) may be prudent until patches are deployed. This will impact your myspace.com browsing experience though.
We intend to maintain INFOCon Yellow status and reassess every 24 hours. (~1400 UTC)
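The content-filtering recommendation above hinges on recognising an ANI file by its bytes rather than its extension, and the anti-virus note refers to generic detection of non-compliant ANI files. The following Python inspector, an added example that is not part of this diary and not an ISC or vendor tool, shows what such a check looks like: it identifies a RIFF/ACON container by its magic, walks its chunks (descending into LIST chunks), and reports structural non-compliance, mainly an "anih" chunk whose declared length is not the 36-byte ANIHEADER (nine little-endian DWORDs) or a file that carries more than one of them. The sample files at the bottom are constructed inline for the demonstration; the function and constant names are my own choices.

```python
import struct

# sizeof(ANIHEADER): cbSizeof, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
ANIHEADER_SIZE = 36


def iter_chunks(data, start, end):
    """Yield (fourcc, payload_offset, declared_size) for every RIFF chunk in
    data[start:end], recursing into LIST chunks so a nested anih is seen too."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload = pos + 8
        yield fourcc, payload, size
        if fourcc == b"LIST" and size >= 4 and payload + size <= end:
            # first 4 bytes of a LIST payload are the list type (e.g. "fram")
            yield from iter_chunks(data, payload + 4, payload + size)
        pos = payload + size + (size & 1)  # RIFF chunks are word-aligned


def inspect_ani(data):
    """Classify a blob by content only. Returns a dict with is_ani, compliant
    and a list of human-readable findings (empty when the structure is sane)."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return {"is_ani": False, "compliant": True, "findings": ["not a RIFF/ACON container"]}

    findings = []
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 > len(data):
        findings.append("RIFF size %d exceeds file length %d" % (riff_size, len(data)))

    anih_count = 0
    for fourcc, off, size in iter_chunks(data, 12, len(data)):
        if off + size > len(data):
            findings.append("chunk %r declares %d bytes beyond end of file" % (fourcc, size))
            break
        if fourcc == b"anih":
            anih_count += 1
            if size != ANIHEADER_SIZE:
                findings.append("anih chunk #%d has size %d, expected %d" % (anih_count, size, ANIHEADER_SIZE))
            elif struct.unpack_from("<I", data, off)[0] != ANIHEADER_SIZE:
                findings.append("anih chunk #%d cbSizeof field is not %d" % (anih_count, ANIHEADER_SIZE))
    if anih_count == 0:
        findings.append("no anih chunk present")
    elif anih_count > 1:
        findings.append("%d anih chunks present, only one expected" % anih_count)

    return {"is_ani": True, "compliant": not findings, "findings": findings}


def should_drop(data):
    """Filtering decision: drop anything that is an ANI container and fails
    the structural checks, whatever name or extension it arrived under."""
    result = inspect_ani(data)
    return result["is_ani"] and not result["compliant"]


# --- constructed sample files (not real-world captures) ---
def _chunk(fourcc, payload):
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _riff_acon(*chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


ANIHEADER_OK = struct.pack("<9I", ANIHEADER_SIZE, 1, 1, 0, 0, 32, 1, 1, 1)
# well-formed: one anih, one frame list
GOOD_ANI = _riff_acon(_chunk(b"anih", ANIHEADER_OK),
                      _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\x00" * 8)))
# non-compliant: a second anih whose declared size is not the header size
BAD_ANI = _riff_acon(_chunk(b"anih", ANIHEADER_OK), _chunk(b"anih", b"A" * 64))
NOT_ANI = b"GIF89a" + b"\x00" * 20

if __name__ == "__main__":
    for name, blob in (("good.ani", GOOD_ANI), ("cursor.jpg", BAD_ANI), ("pic.gif", NOT_ANI)):
        print(name, "drop" if should_drop(blob) else "pass", inspect_ani(blob)["findings"])
```

The decision in `should_drop` ignores the filename on purpose, which is the point the recommendation makes: a renamed cursor is still a cursor to the parser that loads it. This checks structure only; it is not an anti-virus signature and will not judge the payload a non-compliant file leads to, so it belongs alongside, not instead of, the updated AV signatures mentioned above.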