Detecting and filtering out windows animated cursor exploitation attempts

Published: 2007-03-30. Last Updated: 2007-03-30 21:19:28 UTC
by donald smith (Version: 3)
I recommend a defense in depth approach. Do not rely on just one level of detection or filtering; use as many as feasible.

Antivirus:
Many commercial Antivirus products detect some or all of these exploits.
Make sure your Antivirus engine and signatures are up to date.
That will greatly increase your chances of blocking an exploit.

IDS rules:
There was a typo in the Bleeding Edge Snort rule; it is corrected now.
The updated Bleeding Edge Snort IDS rule for the currently observed JPEG-renamed ANIs is available here.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; flow:established,from_server; content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|"; classtype:attempted-admin; reference:url,http://isc.sans.org/diary.html?storyid=2534; reference:url,http://www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003519; sid:2003519; rev:1;)

From Sourcefire: this rule is in all VRT certified rulesets, including the free ruleset, and has been out since Jan 2005; the latest version is available here.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft ANI file parsing overflow"; flow:established,from_server; content:"RIFF"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; reference:cve,2004-1049; classtype:attempted-user; sid:3079; rev:3;)
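
To make clear what the Sourcefire rule above actually tests, here is an added example (my own code, not from Sourcefire or the ISC) that applies the same check in Python: find every "anih" tag, read the little-endian DWORD that follows it, and flag any declared chunk size above 36. The two sample cursors are constructed inline; the malformed one carries only filler bytes after the inconsistent header.

```python
import re
import struct

ANIH_SIZE = 36  # the anih chunk payload is a fixed 36-byte (0x24) header


def scan_ani(data: bytes, limit: int = ANIH_SIZE):
    """Mirror the logic of Snort sid 3079: the data must contain "RIFF" (nocase),
    and each "anih" tag (nocase) is followed by a 4-byte little-endian chunk size.
    Every size larger than `limit` is reported as (offset_of_tag, declared_size).
    Unlike a strict RIFF walker this scans for the tag anywhere, so it also sees
    a second anih chunk that a bogus earlier chunk length would otherwise hide."""
    if re.search(rb"RIFF", data, re.IGNORECASE) is None:
        return []
    hits = []
    for m in re.finditer(rb"anih", data, re.IGNORECASE):
        pos = m.end()
        if pos + 4 > len(data):
            continue  # truncated: no size field to test
        declared = struct.unpack_from("<I", data, pos)[0]
        if declared > limit:
            hits.append((m.start(), declared))
    return hits


def riff_chunk(tag: bytes, payload: bytes) -> bytes:
    """Build one RIFF chunk: FourCC, little-endian length, payload."""
    return tag + struct.pack("<I", len(payload)) + payload


def build_ani(chunks: bytes) -> bytes:
    """Wrap chunks in a RIFF/ACON container with a correct total length."""
    body = b"ACON" + chunks
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed benign cursor: one anih chunk whose cbSize field is 36 and the
# remaining eight header DWORDs are zero (no frames, no flags).
ANIH_OK = riff_chunk(b"anih", struct.pack("<I", ANIH_SIZE) + b"\x00" * 32)
GOOD_ANI = build_ani(ANIH_OK)

# Constructed malformed sample: a second anih chunk declaring 0x54 (84) bytes.
# Only "A" filler follows; this is the shape the IDS rules above alert on.
BAD_ANI = build_ani(ANIH_OK + riff_chunk(b"anih", b"A" * 0x54))

if __name__ == "__main__":
    print("good:", scan_ani(GOOD_ANI))  # no hits
    print("bad: ", scan_ani(BAD_ANI))   # second anih at offset 56 declares 84 bytes
```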

Several other commercial filtering products detect these exploit attempts.
Once again updated signatures and engines will increase your chances of detecting them.

Based on the similarities I have seen between exploits there is probably a tool that creates the ani exploits, so domain blocking or blocking based on MD5s has value but may be difficult to manage and maintain.
I would still recommend blocking the domains or MD5s being used on a router, firewall, or DNS, wherever you can block them.
Some of these sites may be victims themselves but some of these have been serving up malware for a LONG time.
The bc0.cn site was used in the Dolphin's Superbowl infection.
Even if you do not block them you may wish to review your proxy logs for these.

Domains/IPs currently being used in exploitation:


MD5s for malware related to ANI exploitation:

Finally, a big THANK YOU to all the people who submitted sites or binaries.