Posted on Thursday, March 29th, 2007

Any ANI File Could Infect You!

by Jose Nazario

It’s been a busy day in the ASERT team office. A brand spanking new Windows vulnerability has shaken up the past several days of minor notes and issues. Animated cursors, objects on web pages or embedded in emails, malicious files … malware downloaded and launched. Sound familiar? It should: this feels like last year’s IE issues (WMF, createTextRange(), setSlice()) all over again. Here’s what we know:

  • this is a brand spanking new issue in the ANI file format. This is not MS05-002, despite what some detection products tell you. This is new, and this is a new attack vector. No patches yet, Microsoft is working on it.
  • Here are a few sites that have been hosting the malicious ANI files:
    • wsfgfdgrtyhgfd.net
    • 85.255.113.4
    • uniq-soft.com
    • fdghewrtewrtyrew.biz
    • newasp.com.cn

    Block access to them if you can. Many more surely exist.

  • At this point (4PM US EDT, Thursday) we haven’t seen a tool to make your own ANI exploit for this vuln. Expect one soon.


Mitigation is going to be difficult. If you’re worried about attachments getting in, you can’t just block .ani files, because this exploit works independent of the file extension. Configuring Outlook and Outlook Express to read your mail in plain text doesn’t help, O/OE will still parse the ANI and hit the exploit.

(Edited to add this paragraph on 30 March 2007) Some of you may be wondering what an ANI file is and what it’s good for. Simply put, an animated cursor is one of the little Windows mouse cursor animations. Some people use custom ones in their own custom Windows themes, and even the spinning hourglass is an animated cursor done in the ANI format. The file format is described on this site, What is an animated cursor?, and you can begin to see how a file like that may be corrupted – you’ve got TLV sets everywhere in the file, so a mismanaged one can corrupt memory and run arbitrary code, which is what appears to be going on here.
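A content-based check for the structure described above, added here as an example that is not part of the original post or of Arbor's own tooling. It recognizes an ANI container by its RIFF/ACON magic rather than by file extension (the point made earlier about attachments), walks the TLV chunks, and reports any chunk whose declared length disagrees with the fixed 36-byte ANIHEADER or overruns its container. The specific length heuristics, the function names and the sample byte strings are constructed for illustration; the real ANI format facts (RIFF container, `ACON` form type, nine-field `anih` header) are documented on the page linked above.

```python
import struct

# The ANI container is RIFF with form type 'ACON'; every chunk is a
# four-character tag, a little-endian 32-bit length and the payload,
# padded to an even byte. The 'anih' chunk carries the fixed ANIHEADER
# structure of nine 32-bit fields, i.e. 36 bytes.
ANIH_SIZE = 36


def looks_like_ani(data: bytes) -> bool:
    """Identify an ANI container by content, not by file extension."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"


def walk_chunks(data: bytes, start: int, end: int):
    """Yield (fourcc, payload_offset, declared_size, container_end) per chunk.

    Descends into LIST chunks (payload begins with a 4-byte list type).
    Stops at the first chunk whose declared size overruns its container;
    the caller reports that chunk.
    """
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload = pos + 8
        yield fourcc, payload, size, end
        if payload + size > end:
            return
        if fourcc == b"LIST" and size >= 4:
            yield from walk_chunks(data, payload + 4, payload + size)
        pos = payload + size + (size & 1)  # chunks are word-aligned


def inspect_ani(data: bytes):
    """Return a list of structural findings (empty = well-formed), or None if not ANI."""
    if not looks_like_ani(data):
        return None
    findings = []
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if 8 + riff_size > len(data):
        findings.append(f"RIFF header declares {riff_size} bytes but only {len(data) - 8} follow")
    end = min(len(data), 8 + riff_size)
    anih_count = 0
    for fourcc, payload, size, limit in walk_chunks(data, 12, end):
        tag = fourcc.decode("latin-1")
        if payload + size > limit:
            findings.append(f"chunk {tag!r} declares {size} bytes but only {limit - payload} remain")
            break
        if fourcc == b"anih":
            anih_count += 1
            if size != ANIH_SIZE:
                findings.append(f"anih chunk declares {size} bytes; ANIHEADER is {ANIH_SIZE} bytes")
    if anih_count == 0:
        findings.append("no anih chunk; not a usable cursor")
    elif anih_count > 1:
        findings.append(f"{anih_count} anih chunks; a cursor needs exactly one")
    return findings


# --- constructed samples (assembled here, not real-world files) -----------
def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    body = fourcc + struct.pack("<I", len(payload)) + payload
    return body + (b"\x00" if len(payload) & 1 else b"")


def _riff(form: bytes, payload: bytes) -> bytes:
    return b"RIFF" + struct.pack("<I", 4 + len(payload)) + form + payload


# ANIHEADER fields: cbSizeof, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
_ANIH = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 0, 0, 6, 1)

GOOD_ANI = _riff(b"ACON", _chunk(b"anih", _ANIH)
                 + _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\x00" * 4)))
OVERSIZED_ANIH = _riff(b"ACON", _chunk(b"anih", b"A" * 64))
TRUNCATED_CHUNK = _riff(b"ACON", _chunk(b"anih", _ANIH)
                        + b"icon" + struct.pack("<I", 4096) + b"\x00" * 8)

if __name__ == "__main__":
    samples = [("good", GOOD_ANI), ("oversized anih", OVERSIZED_ANIH),
               ("truncated chunk", TRUNCATED_CHUNK), ("gif", b"GIF89a" + b"\x00" * 20)]
    for name, blob in samples:
        print(name, "->", inspect_ani(blob))
```

Because the check keys on the RIFF/ACON magic, it can be run over every attachment or downloaded object regardless of the name it arrives under (`inspect_ani(open(path, "rb").read())`); a non-empty findings list is a reason to quarantine rather than hand the bytes to the cursor loader.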

Links around the net:


13 Responses



Comment Post by: R. Kerns — March 29th, 2007 @ 9:40 pm EST

This reminds me of the vulnerability a few years ago where KBB, MLB and EBay as well as many smaller sites were affected by an exploit that took advantage of the way IE and Outlook/OE handled malicious jpegs. Strictly viewing the image was an issue and an undisclosed number of ppl were affected by it. Luckily for some reason thus far these attacks have not been well coordinated enough to do mass damage! Hopefully this will have a real workaround (not something to the effect of turn off this core function to stop this from occurring) and we can move on to waiting for the next problem child… To be honest I am waiting for an in the wild version of Billy Hoffman’s Jikto to appear which will be a real PITA.

Comment Post by: securegg.com — March 30th, 2007 @ 5:28 am EST

Any ANI File Could Infect You!…

It’s been a busy day in the ASERT team office. Brand spanking new Windows vulnerability to shake up the past several days of minor notes and issues. Animated cursors, objects on web pages or embedded in emails, malicious files … malware downloaded …

Comment Post by: Opera User — March 30th, 2007 @ 6:47 am EST

What about Opera? Affected or not?

Comment Post by: Robert Scroggins — March 30th, 2007 @ 9:24 am EST

Eeye has a temporary patch at http://research.eeye.com/html/alerts/zeroday/20070328.html. They say you should remove it when Microsoft comes out with theirs.

Regards,

Comment Post by: Tech Blog » Blog Archive » 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038) — March 30th, 2007 @ 11:10 am EST

[...] It seems like the vulnerability is already exploited in the wild: http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/ [...]

Comment Post by: Internet Security and Programming » Blog Archive » Any ANI File Could Infect You! — March 30th, 2007 @ 1:29 pm EST

[...] category News. You can read any responses through the RSS 2.0 feed. You can give a response, or trackback from your site. « State Agencies Coordinate Efforts To Combat Cybercrime And Educate Students, Parents Hello from Black Hat Amsterdam » [...]

Comment Post by: Harry Waldron - My IT Forums Blog : ANI based Trojans - Exploit Windows Animated Cursor handling — March 30th, 2007 @ 3:04 pm EST

[...] ANI based Trojans – Exploit Windows Animated Cursor handling

New trojans have surfaced that exploit a vulnerability in Windows animated cursor handling. This malware uses the ANI extension which has been rarely manipulated by malware in the past. Corporate admins should add ANI to their email blocking lists. Users should be cautious with all HTML based email (use plain text if possible). They should also be careful to only visit trusted and mainstream websites. The ANI malware can hide within HTML code. This vulnerability in Windows will lead to a crash of the security system so that other malware will be downloaded and installed on the infected system.

Microsoft Security Advisory (935423) Vulnerability in Windows Animated Cursor Handling
http://www.microsoft.com/technet/security/advisory/935423.mspx

Other Security Advisories
http://secunia.com/advisories/24659/
http://www.frsirt.com/english/advisories/2007/1151
http://www.avertlabs.com/research/blog/?p=230
http://www.avertlabs.com/research/blog/?p=233
http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/
http://research.eeye.com/html/alerts/zeroday/20070328.html
http://www.us-cert.gov/current/current_activity.html#WINANI
http://www.kb.cert.org/vuls/id/191609

AV Vendors
http://vil.nai.com/vil/content/v_141860.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAX
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAV
http://www.sophos.com/sl/va/security/analyses/trojanimoou.html
http://www.f-secure.com/v-descs/exploit_w32_ani_c.shtml

Published Friday, March 30, 2007 8:02 PM by hwaldron [...]

Comment Post by: .:Computer Defense:. » Double Your Pleasure, Double Your Fun. Two MS Tuesdays are Better than One! — April 1st, 2007 @ 11:33 pm EST

[...] So I just checked my email… (I try to go anti-computer on the weekends these days… at least for a little while while I unwind and relax) and there’s an email from Microsoft informing customers that they will be releasing a patch on Tuesday, April 3rd. Now I suppose it could be an April Fool’s day joke but I don’t think Microsoft would send out a full blown Advanced Notification for a prank… I’m guessing they are pressured by the release of third party patches for the ANI issue by eEye and ZERT. [...]

Comment Post by: Magically Delicious » The Microsoft .ANI Vulnerability — April 5th, 2007 @ 12:35 pm EST

[...] Arbor Networks sees it being exploited in the wild [...]

Comment Post by: R. Kerns — April 6th, 2007 @ 1:31 pm EST

Of course after some review of the discovered exploit code what do I see in reporting TODAY! Really find it funny as I am a World of Warcrack player as well…

From BBC reporting at http://news.bbc.co.uk/2/hi/technology/6526851.stm

“Analysis of that malicious software showed that it lay dormant on a victim’s machine until they ran World of Warcraft (WoW) at which point it captured login data and sent it to the hacking group.” “Research by security firm Symantec suggests that the raw value of a WoW account is now higher than a credit card and its associated verification data.

One card can be sold for up to $6 (£3) suggests Symantec, but a WoW account will be worth at least $10. An account that has several high level characters associated with it could be worth far more as the gold and rare items can be sold for real cash.”

Comment Post by: Jacqui — April 10th, 2007 @ 10:31 am EST

Also this is being hosted on domains yata.com.au and spybiz4u.com and possibly a number of others for use in drive by downloads. I’ve just found your advisory after coming from an affected forum and confirmed the yata domain by searching for the .exe file on there via a remote program.

Comment Post by: Diane — May 6th, 2009 @ 9:07 am EST

It sounds like you’re creating problems yourself by trying to solve this issue instead of looking at why there is a problem in the first place.

Comment Post by: Philosophically Secure » Blog Archive » The Microsoft .ANI Vulnerability — September 4th, 2009 @ 2:06 pm EST

[...] Arbor Networks sees it being exploited in the wild [...]
