
SANS ISC InfoSec Handlers Diary Blog



ANI: It Gets Better

Published: 2007-03-31
Last Updated: 2007-04-02 13:05:05 UTC
by Kevin Liston (Version: 3)
0 comment(s)
UPDATE 01-04-2007 (pm)
We continue to receive reports of sites hosting the malware, possibly to get ready for the Monday work day in Europe and the US. 

The Zeroday Emergency Response Team (ZERT) has released a patch to address the vulnerability, located here.  
Please remember this is an unofficial patch and is supplied on an as-is basis. You will need to remove it when Microsoft releases their patch.


UPDATE 01-04-2007 (am)

Microsoft has updated their advisory on this issue. The vulnerable systems list has been amended to include Windows 2003 SP2.
"March 31, 2007: Advisory revised to add additional information regarding Windows 2003 Service Pack 2, Microsoft Windows Server 2003 with SP2 for Itanium-based Systems, and Microsoft Windows Server 2003 x64 Edition Service Pack 2 in the “Related Software” section."
Whilst not confirmed, keep in mind that systems no longer supported may also be vulnerable.

Tools
iDefense has discovered a browser-based ANI generation kit. You enter the payload URL and the password, and the tool creates a ZIP file with all the relevant scripts and files.

---------------------------------------------------------
McAfee is now reporting a spam campaign that includes an ANI exploit attempt:

"March 31, 2007. The .ANI File Format vulnerability has seen an increase in exploit attempts in-the-wild. McAfee Avert Labs has detected many Web sites linking to other sites that attempt to exploit this vulnerability. We have also observed a spam run that tries to lure its recipients to Web sites hosting code exploiting this vulnerability. Technical details and exploit code can now be easily obtained from these malicious Web sites. Following links in unsolicited e-mails and visiting unknown Web sites are strongly discouraged."

This will affect email clients on vulnerable operating systems that render HTML. Exploitation could occur when the malicious message is opened, previewed, or forwarded.

Additionally...

If you open a folder in Explorer (not Internet Explorer) that contains a malicious .ANI file (the file extension matters in this case), the system will be exploited. At least automated processes won't trigger execution (unlike WMF). (US-CERT Advisory)
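As an added example (not part of the original diary, and not a tool from ISC, McAfee or US-CERT), the following is a small defensive scanner a responder could run over a mail spool or a shared folder to find animated-cursor files worth quarantining. It relies on one fact the diary itself does not state: the animated-cursor header carried in an "anih" chunk is 36 bytes long, and the exploited bug was a malformed "anih" chunk declaring a different length. Files are identified by their RIFF/ACON content rather than by extension, so a renamed file is not missed. The RIFF chunk walker and the fixture builder are my own code; the chunk layout they assume is the standard RIFF layout.

```python
import os
import struct

ANIH_SIZE = 36  # size of the ANIHEADER structure: nine 32-bit fields


def iter_chunks(data, start, end):
    """Yield (fourcc, payload_offset, declared_size) for RIFF chunks in data[start:end].
    A truncated or absurd declared size simply ends the walk instead of raising."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        yield fourcc, pos + 8, size
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to an even length


def scan_ani_bytes(data):
    """Return a list of findings for one file held in memory.

    An empty list means either 'not an ANI file' or 'nothing suspicious'.
    The only heuristic applied: every anih chunk must declare exactly 36 bytes."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return findings

    def walk(start, end):
        for fourcc, off, size in iter_chunks(data, start, end):
            if fourcc == b"anih":
                if size != ANIH_SIZE:
                    findings.append(
                        f"anih chunk at offset {off - 8} declares {size} bytes "
                        f"(expected {ANIH_SIZE})")
                if off + size > len(data):
                    findings.append(
                        f"anih chunk at offset {off - 8} runs past end of file")
            elif fourcc == b"LIST":
                # LIST chunks carry a 4-byte list type, then nested chunks
                walk(off + 4, min(off + size, end))

    walk(12, len(data))
    return findings


def scan_path(root):
    """Walk a directory tree and return {path: findings} for files that are
    ANI by content (any extension) and trip the heuristic."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable files are skipped, not reported
            findings = scan_ani_bytes(data)
            if findings:
                hits[path] = findings
    return hits


def _chunk(fourcc, payload):
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_ani(anih_payload_sizes):
    """Constructed test fixture (not a real cursor): a minimal RIFF/ACON container
    with one zero-filled anih chunk per size given. Only the layout matters here."""
    body = b"ACON" + b"".join(_chunk(b"anih", b"\x00" * n) for n in anih_payload_sizes)
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    import tempfile
    # Constructed samples: a well-formed file saved under a misleading extension,
    # and one whose second anih chunk declares a bogus length.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "holiday.jpg"), "wb") as fh:
            fh.write(build_ani([ANIH_SIZE]))
        with open(os.path.join(tmp, "cursor.ani"), "wb") as fh:
            fh.write(build_ani([ANIH_SIZE, 1000]))
        for path, findings in scan_path(tmp).items():
            print(path)
            for line in findings:
                print("   ", line)
```

Running the script prints only the second fixture, because the first is a correctly structured file regardless of its name. A real deployment would hand the hits to whatever quarantine or ticketing process the site already uses; the scanner only identifies candidates and does not parse frame data, so an unusual but legitimate cursor with a non-standard header would also be reported for a human to look at.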